rfcdiff: draft-ietf-dnsext-dnssec-bis-updates-15.txt vs. draft-ietf-dnsext-dnssec-bis-updates-16.txt
(Text common to both versions is shown once; where the two versions differ, the -15 and -16 readings are marked.)

Network Working Group                                          S. Weiler
Internet-Draft                                              SPARTA, Inc.
Updates: 4033, 4034, 4035, 5155                                D. Blacka
(if approved)                                             VeriSign, Inc.
Intended status: Standards Track          -15: January 13, 2012 / -16: January 14, 2012
Expires:                                  -15: July 16, 2012 / -16: July 17, 2012

                Clarifications and Implementation Notes for DNSSECbis
        -15: draft-ietf-dnsext-dnssec-bis-updates-15 / -16: draft-ietf-dnsext-dnssec-bis-updates-16
Abstract

   This document is a collection of technical clarifications to the
   DNSSECbis document set.  It is meant to serve as a resource to
   implementors as well as a repository of DNSSECbis errata.

   This document updates the core DNSSECbis documents (RFC4033, RFC4034,
   and RFC4035) as well as the NSEC3 specification (RFC5155).  It also
   defines NSEC3 and SHA-2 as core parts of the DNSSECbis specification.
   [skipping to change at page 1, line 38]

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on -15: July 16, 2012 / -16: July 17, 2012.

Copyright Notice

   Copyright (c) 2012 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   [skipping to change at page 3, line 23]

   Table of Contents (page numbers are those of -16; entries whose page
   moved between -15 and -16 note the -15 page in parentheses)

   3.  Scaling Concerns  . . . . . . . . . . . . . . . . . . . . . . .  5
     3.1.  Implement a BAD cache . . . . . . . . . . . . . . . . . . .  5
   4.  Security Concerns . . . . . . . . . . . . . . . . . . . . . . .  5
     4.1.  Clarifications on Non-Existence Proofs  . . . . . . . . . .  5
     4.2.  Validating Responses to an ANY Query  . . . . . . . . . . .  6
     4.3.  Check for CNAME . . . . . . . . . . . . . . . . . . . . . .  6
     4.4.  Insecure Delegation Proofs  . . . . . . . . . . . . . . . .  6
   5.  Interoperability Concerns . . . . . . . . . . . . . . . . . . .  6
     5.1.  Errors in Canonical Form Type Code List . . . . . . . . . .  7
     5.2.  Unknown DS Message Digest Algorithms  . . . . . . . . . . .  7
     5.3.  Private Algorithms  . . . . . . . . . . . . . . . . . . . .  8 (-15: 7)
     5.4.  Caution About Local Policy and Multiple RRSIGs  . . . . . .  8
     5.5.  Key Tag Calculation . . . . . . . . . . . . . . . . . . . .  9 (-15: 8)
     5.6.  Setting the DO Bit on Replies . . . . . . . . . . . . . . .  9
     5.7.  Setting the AD Bit on Queries . . . . . . . . . . . . . . .  9
     5.8.  Setting the AD Bit on Replies . . . . . . . . . . . . . . .  9
     5.9.  Always set the CD bit on Queries  . . . . . . . . . . . . .  9
     5.10. Nested Trust Anchors  . . . . . . . . . . . . . . . . . . . 10
       5.10.1.  Closest Encloser . . . . . . . . . . . . . . . . . . . 10
       5.10.2.  Accept Any Success . . . . . . . . . . . . . . . . . . 11
       5.10.3.  Preference Based on Source . . . . . . . . . . . . . . 11
     5.11. Mandatory Algorithm Rules . . . . . . . . . . . . . . . . . 12 (-15: 11)
     5.12. Expect Extra Signatures From Strange Keys . . . . . . . . . 12
   6.  Minor Corrections and Clarifications  . . . . . . . . . . . . . 13 (-15: 12)
     6.1.  Finding Zone Cuts . . . . . . . . . . . . . . . . . . . . . 13 (-15: 12)
     6.2.  Clarifications on DNSKEY Usage  . . . . . . . . . . . . . . 13
     6.3.  Errors in Examples  . . . . . . . . . . . . . . . . . . . . 13
     6.4.  Errors in RFC 5155  . . . . . . . . . . . . . . . . . . . . 14
   7.  IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 14
   8.  Security Considerations . . . . . . . . . . . . . . . . . . . . 14
   9.  References  . . . . . . . . . . . . . . . . . . . . . . . . . . 15
     9.1.  Normative References  . . . . . . . . . . . . . . . . . . . 15
     9.2.  Informative References  . . . . . . . . . . . . . . . . . . 15
   Appendix A.  Acknowledgments  . . . . . . . . . . . . . . . . . . . 16
   Appendix B.  Discussion of Setting the CD Bit . . . . . . . . . . . 17 (-15: 16)
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . . . 20 (-15: 19)
1.  Introduction and Terminology

   This document lists some additions, clarifications and corrections to
   the core DNSSECbis specification, as originally described in
   [RFC4033], [RFC4034], and [RFC4035], and later amended by [RFC5155].
   (See Section 2 for more recent additions to that core document set.)

   It is intended to serve as a resource for implementors and as a

   [skipping to change at page 7, line 6]

   needs to check for the presence of the NS bit in the matching NSEC
   (or NSEC3) RR (proving that there is, indeed, a delegation), or
   alternately make sure that the delegation is covered by an NSEC3 RR
   with the Opt-Out flag set.  If this is not checked, spoofed unsigned
   delegations might be used to claim that an existing signed record is
   not signed.
5.  Interoperability Concerns

5.1.  Errors in Canonical Form Type Code List

   -15 text:

   When canonicalizing DNS names, DNS names in the RDATA section of NSEC
   and RRSIG resource records are not downcased.

   [RFC4034] Section 6.2 item 3 has a list of resource record types for
   which DNS names in the RDATA are downcased for purposes of DNSSEC
   canonical form (for both ordering and signing).  That list
   erroneously contains NSEC and RRSIG.  According to [RFC3755], DNS
   names in the RDATA of NSEC and RRSIG should not be downcased.

   The same section also erroneously lists HINFO, and twice at that.
   Since HINFO records contain no domain names, they are not subject to
   downcasing.

   -16 text:

   When canonicalizing DNS names (for both ordering and signing), DNS
   names in the RDATA section of NSEC resource records are not
   downcased.  DNS names in the RDATA section of RRSIG resource records
   are downcased.

   The guidance in the above paragraph differs from what has been
   published before but is consistent with current common practice.
   [RFC4034] Section 6.2 item 3 says that names in both of these RR
   types should be downcased.  The earlier [RFC3755] says that they
   should not.  Current practice follows neither document fully.

   Section 6.2 of RFC4034 also erroneously lists HINFO as a record that
   needs downcasing, and twice at that.  Since HINFO records contain no
   domain names, they are not subject to downcasing.
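As an added example (not text or code from the draft or its authors), the canonical-form rule as the -16 text states it, applied to a few presentation-format records: owner names are always downcased, RDATA names only for the RFC 4034 Section 6.2 item 3 types with the draft's corrections applied (NSEC and HINFO out, RRSIG in). The RDATA field positions are assumptions of this example and cover only a handful of types.

```python
# Added example: DNSSEC canonical-form name lowering per the -16 text of
# section 5.1. Owner names are always lowercased; names inside RDATA are
# lowercased only for the RR types in RFC 4034 section 6.2 item 3, with
# NSEC and the duplicated HINFO entry removed and RRSIG retained.
from typing import Tuple

# RFC 4034 6.2 item 3 type list, minus NSEC and HINFO (as the draft explains).
RDATA_DOWNCASE_TYPES = frozenset({
    "NS", "MD", "MF", "CNAME", "SOA", "MB", "MG", "MR", "PTR", "MINFO",
    "MX", "RP", "AFSDB", "RT", "SIG", "PX", "NXT", "NAPTR", "KX", "SRV",
    "DNAME", "A6", "RRSIG",
})

# Index of the whitespace-separated RDATA field(s) that hold a domain name.
# These positions are an assumption of this example (presentation format).
NAME_FIELDS = {
    "NS": (0,), "CNAME": (0,), "PTR": (0,), "DNAME": (0,),
    "MX": (1,), "SRV": (3,), "SOA": (0, 1),
    "RRSIG": (7,),   # Signer's Name after type, alg, labels, TTL, exp, inc, tag
    "NSEC": (0,),    # Next Domain Name: present, but never touched below
    "HINFO": (),     # CPU and OS strings only, no names at all
}


def lower_ascii(name: str) -> str:
    """Lower-case only ASCII A-Z, which is all canonical form requires."""
    return "".join(chr(ord(c) + 32) if "A" <= c <= "Z" else c for c in name)


def canonical_rr(owner: str, rtype: str, rdata: str) -> Tuple[str, str, str]:
    """Return (owner, type, rdata) with canonical-form case applied.

    Only types in RDATA_DOWNCASE_TYPES get their RDATA names lowered, so an
    NSEC next-name or an HINFO string passes through unchanged while an
    RRSIG signer name and an MX exchange are lowered.
    """
    rtype = rtype.upper()
    fields = rdata.split()
    if rtype in RDATA_DOWNCASE_TYPES:
        for i in NAME_FIELDS.get(rtype, ()):
            fields[i] = lower_ascii(fields[i])
    return lower_ascii(owner), rtype, " ".join(fields)
```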
5.2.  Unknown DS Message Digest Algorithms

   Section 5.2 of [RFC4035] includes rules for how to handle delegations
   to zones that are signed with entirely unsupported public key
   algorithms, as indicated by the key algorithms shown in those zone's
   DS RRsets.  It does not explicitly address how to handle DS records
   that use unsupported message digest algorithms.  In brief, DS records
   using unknown or unsupported message digest algorithms MUST be
   treated the same way as DS records referring to DNSKEY RRs of unknown

   End of changes.  11 change blocks.
   21 lines changed or deleted, 23 lines changed or added.

   This html diff was produced by rfcdiff 1.41.  The latest version is available from http://tools.ietf.org/tools/rfcdiff/