Diff of draft-ietf-dnsext-dnssec-bis-updates-19.txt (-19) and draft-ietf-dnsext-dnssec-bis-updates-20.txt (-20)
Network Working Group                                          S. Weiler
Internet-Draft                                              SPARTA, Inc.
Updates: 4033, 4034, 4035, 5155                                D. Blacka
(if approved)                                              Verisign, Inc.
Intended status: Standards Track    July 13, 2012 (-19) / September 28, 2012 (-20)
Expires: January 14, 2013 (-19) / April 1, 2013 (-20)

Clarifications and Implementation Notes for DNSSEC
draft-ietf-dnsext-dnssec-bis-updates-19 (-19) / draft-ietf-dnsext-dnssec-bis-updates-20 (-20)
Abstract

This document is a collection of technical clarifications to the
DNSSEC document set.  It is meant to serve as a resource to
implementors as well as a repository of DNSSEC errata.

This document updates the core DNSSEC documents (RFC4033, RFC4034,
and RFC4035) as well as the NSEC3 specification (RFC5155).  It also
defines NSEC3 and SHA-2 as core parts of the DNSSEC specification.

skipping to change at page 1, line 38
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF).  Note that other groups may also distribute
working documents as Internet-Drafts.  The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time.  It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

This Internet-Draft will expire on January 14, 2013 (-19) / April 1, 2013 (-20).
Copyright Notice

Copyright (c) 2012 IETF Trust and the persons identified as the
document authors.  All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document.  Please review these documents

skipping to change at page 5, line 41
4.  Security Concerns

This section provides clarifications that, if overlooked, could lead
to security issues.

4.1.  Clarifications on Non-Existence Proofs

[RFC4035] Section 5.4 under-specifies the algorithm for checking non-
existence proofs.  In particular, the algorithm as presented would
  (-19) incorrectly allow an NSEC or NSEC3 RR from an ancestor zone to prove
        the non-existence of RRs in the child zone.
  (-20) allow a validator to interpret an NSEC or NSEC3 RR from an ancestor
        zone as proving the non-existence of an RR in a child zone.
An "ancestor delegation" NSEC RR (or NSEC3 RR) is one with:

o  the NS bit set,

o  the SOA bit clear, and

o  a signer field that is shorter than the owner name of the NSEC RR,
   or the original owner name for the NSEC3 RR.
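The three-condition definition above, as an added example (not text or code from the draft): a Python check a validator could run before letting an NSEC or NSEC3 RR take part in a non-existence proof. The DS exception at the cut itself is taken from the published RFC 6840 text rather than from this page and is marked as an assumption; all record names and type lists are constructed.

```python
# Added example (not from the draft): a validator-side filter that refuses to
# use an "ancestor delegation" NSEC/NSEC3 RR as a proof of non-existence for
# names at or below the zone cut it sits at.  All names and records below are
# constructed for illustration.

def labels(name: str) -> list:
    """Split a DNS name into labels, case-folded, dropping the root label."""
    return [l.lower() for l in name.rstrip(".").split(".") if l]

def is_at_or_below(name: str, cut: str) -> bool:
    """True if name equals cut or is a descendant of it (label-wise suffix)."""
    n, c = labels(name), labels(cut)
    return len(n) >= len(c) and n[len(n) - len(c):] == c

def is_ancestor_delegation(owner: str, types: set, signer: str) -> bool:
    """The three conditions from Section 4.1: NS bit set, SOA bit clear, and
    the RRSIG signer name shorter than the owner name.  For NSEC3, pass the
    original (unhashed) owner name, as the text requires."""
    return ("NS" in types and "SOA" not in types
            and len(labels(signer)) < len(labels(owner)))

def usable_for(owner: str, types: set, signer: str, qname: str, qtype: str) -> bool:
    """May this NSEC/NSEC3 RR take part in a non-existence proof for
    (qname, qtype)?  Whether the RR actually covers or matches qname is a
    separate check that is not part of this example."""
    if not is_ancestor_delegation(owner, types, signer):
        return True
    if not is_at_or_below(qname, owner):
        return True   # question is outside the cut; the parent may speak
    # Assumption taken from the published RFC 6840 text, which this page
    # truncates: at the cut itself the parent-side RR still speaks for DS.
    return labels(qname) == labels(owner) and qtype.upper() == "DS"

if __name__ == "__main__":
    # Constructed parent-side NSEC at a delegation, signed by the parent zone.
    parent_nsec = ("child.example.", {"NS", "DS", "RRSIG", "NSEC"}, "example.")
    # Constructed child-side NSEC at the same name, signed by the child zone.
    child_nsec = ("child.example.", {"NS", "SOA", "DNSKEY", "RRSIG", "NSEC"},
                  "child.example.")
    print(usable_for(*parent_nsec, "www.child.example.", "A"))  # False
    print(usable_for(*parent_nsec, "child.example.", "DS"))     # True
    print(usable_for(*child_nsec, "www.child.example.", "A"))   # True
```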
Ancestor delegation NSEC or NSEC3 RRs MUST NOT be used to assume non-
existence of any RRs below that zone cut, which include all RRs at
End of changes.  4 change blocks.  6 lines changed or deleted, 6 lines changed or added.

This html diff was produced by rfcdiff 1.41.  The latest version is available from http://tools.ietf.org/tools/rfcdiff/