draft-ietf-dnsext-dnssec-okbit-03.txt   rfc3225.txt 
INTERNET-DRAFT David Conrad Network Working Group D. Conrad
draft-ietf-dnsext-dnssec-okbit-03.txt Nominum, Inc. Request for Comments: 3225 Nominum, Inc.
October, 2001 Category: Standards Track December 2001
Indicating Resolver Support of DNSSEC Indicating Resolver Support of DNSSEC
Status of this Memo Status of this Memo
This document is an Internet-Draft and is in full conformance with This document specifies an Internet standards track protocol for the
all provisions of Section 10 of RFC2026. Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Internet-Drafts are working documents of the Internet Engineering Official Protocol Standards" (STD 1) for the standardization state
Task Force (IETF), its areas, and its working groups. Note that and status of this protocol. Distribution of this memo is unlimited.
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at Copyright Notice
http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at Copyright (C) The Internet Society (2001). All Rights Reserved.
http://www.ietf.org/shadow.html.
Abstract Abstract
In order to deploy DNSSEC operationally, DNSSEC aware servers should In order to deploy DNSSEC (Domain Name System Security Extensions)
only perform automatic inclusion of DNSSEC RRs when there is an operationally, DNSSEC aware servers should only perform automatic
explicit indication that the resolver can understand those RRs. This inclusion of DNSSEC RRs when there is an explicit indication that the
document proposes the use of a bit in the EDNS0 header to provide resolver can understand those RRs. This document proposes the use of
that explicit indication and describes the necessary protocol changes a bit in the EDNS0 header to provide that explicit indication and
to implement that notification. describes the necessary protocol changes to implement that
notification.
1. Introduction 1. Introduction
DNSSEC [RFC2535] has been specified to provide data integrity and DNSSEC [RFC2535] has been specified to provide data integrity and
authentication to security aware resolvers and applications through authentication to security aware resolvers and applications through
the use of cryptographic digital signatures. However, as DNSSEC is the use of cryptographic digital signatures. However, as DNSSEC is
deployed, non-DNSSEC-aware clients will likely query DNSSEC-aware deployed, non-DNSSEC-aware clients will likely query DNSSEC-aware
servers. In such situations, the DNSSEC-aware server (responding to servers. In such situations, the DNSSEC-aware server (responding to
a request for data in a signed zone) will respond with SIG, KEY, a request for data in a signed zone) will respond with SIG, KEY,
and/or NXT records. For reasons described in the subsequent section, and/or NXT records. For reasons described in the subsequent section,
skipping to change at page 3, line 39 skipping to change at page 3, line 31
Setting the DO bit to one in a query indicates to the server that the Setting the DO bit to one in a query indicates to the server that the
resolver is able to accept DNSSEC security RRs. The DO bit cleared resolver is able to accept DNSSEC security RRs. The DO bit cleared
(set to zero) indicates the resolver is unprepared to handle DNSSEC (set to zero) indicates the resolver is unprepared to handle DNSSEC
security RRs and those RRs MUST NOT be returned in the response security RRs and those RRs MUST NOT be returned in the response
(unless DNSSEC security RRs are explicitly queried for). The DO bit (unless DNSSEC security RRs are explicitly queried for). The DO bit
of the query MUST be copied in the response. of the query MUST be copied in the response.
More explicitly, DNSSEC-aware nameservers MUST NOT insert SIG, KEY, More explicitly, DNSSEC-aware nameservers MUST NOT insert SIG, KEY,
or NXT RRs to authenticate a response as specified in [RFC2535] or NXT RRs to authenticate a response as specified in [RFC2535]
unless the DO bit was set on the request. Security records that match unless the DO bit was set on the request. Security records that
an explicit SIG, KEY, NXT, or ANY query, or are part of the zone data match an explicit SIG, KEY, NXT, or ANY query, or are part of the
for an AXFR or IXFR query, are included whether or not the DO bit was zone data for an AXFR or IXFR query, are included whether or not the
set. DO bit was set.
A recursive DNSSEC-aware server MUST set the DO bit on recursive A recursive DNSSEC-aware server MUST set the DO bit on recursive
requests, regardless of the status of the DO bit on the initiating requests, regardless of the status of the DO bit on the initiating
resolver request. If the initiating resolver request does not have resolver request. If the initiating resolver request does not have
the DO bit set, the recursive DNSSEC-aware server MUST remove DNSSEC the DO bit set, the recursive DNSSEC-aware server MUST remove DNSSEC
security RRs before returning the data to the client, however cached security RRs before returning the data to the client, however cached
data MUST NOT be modified. data MUST NOT be modified.
In the event a server returns a NOTIMP, FORMERR or SERVFAIL response In the event a server returns a NOTIMP, FORMERR or SERVFAIL response
to a query that has the DO bit set, the resolver SHOULD NOT expect to a query that has the DO bit set, the resolver SHOULD NOT expect
DNSSEC security RRs and SHOULD retry the query without EDNS0 in DNSSEC security RRs and SHOULD retry the query without EDNS0 in
accordance with section 5.3 of [RFC2671]. accordance with section 5.3 of [RFC2671].
Security Considerations Security Considerations
The absence of DNSSEC data in response to a query with the DO bit set The absence of DNSSEC data in response to a query with the DO bit set
MUST NOT be taken to mean no security information is available for MUST NOT be taken to mean no security information is available for
that zone as the response may be forged or a non-forged response of that zone as the response may be forged or a non-forged response of
an altered (DO bit cleared) query. an altered (DO bit cleared) query.
IANA considerations: IANA Considerations
EDNS0[RFC2671] defines 16 bits as extended flags in the OPT record, EDNS0 [RFC2671] defines 16 bits as extended flags in the OPT record,
these bits are encoded into the TTL field of the OPT record (RFC2671 these bits are encoded into the TTL field of the OPT record (RFC2671
section 4.6). section 4.6).
This document reserves one of these bits as the OK bit. It is This document reserves one of these bits as the OK bit. It is
requested that the left most bit be allocated. Thus the USE of the requested that the left most bit be allocated. Thus the USE of the
OPT record TTL field would look like OPT record TTL field would look like
+0 (MSB) +1 (LSB) +0 (MSB) +1 (LSB)
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
0: | EXTENDED-RCODE | VERSION | 0: | EXTENDED-RCODE | VERSION |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
2: |DO| Z | 2: |DO| Z |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
Acknowledgements Acknowledgements
This document is based on a rough draft by Bob Halley with input from This document is based on a rough draft by Bob Halley with input from
Olafur Gudmundsson, Andreas Gustafsson, Brian Wellington, Randy Bush, Olafur Gudmundsson, Andreas Gustafsson, Brian Wellington, Randy Bush,
Rob Austein, Steve Bellovin, and Erik Nordmark. Rob Austein, Steve Bellovin, and Erik Nordmark.
References References
[RFC1034] Mockapetris, P., "Domain Names - Concepts and Facilities", [RFC1034] Mockapetris, P., "Domain Names - Concepts and Facilities",
RFC 1034, November 1987. STD 13, RFC 1034, November 1987.
[RFC1035] Mockapetris, P., "Domain Names - Implementation and [RFC1035] Mockapetris, P., "Domain Names - Implementation and
Specifications", RFC 1035, November 1987. Specifications", STD 13, RFC 1035, November 1987.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2535] Eastlake, D., "Domain Name System Security Extensions", RFC [RFC2535] Eastlake, D., "Domain Name System Security Extensions", RFC
2535, March 1999. 2535, March 1999.
[RFC2671] Vixie, P., Extension Mechanisms for DNS (EDNS0)", RFC 2671, [RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)", RFC
August 1999 2671, August 1999.
Author's Address Author's Address
David Conrad David Conrad
Nominum Inc. Nominum Inc.
950 Charter Street 950 Charter Street
Redwood City, CA 94063 Redwood City, CA 94063
USA USA
Phone: +1 650 381 6003 Phone: +1 650 381 6003
EMail: david.conrad@nominum.com
Email: david.conrad@nominum.com
Full Copyright Statement Full Copyright Statement
Copyright (C) The Internet Society (2000). All Rights Reserved. Copyright (C) The Internet Society (2001). All Rights Reserved.
This document and translations of it may be copied and furnished to This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published and or assist in its implementation may be prepared, copied, published
distributed, in whole or in part, without restriction of any kind, and distributed, in whole or in part, without restriction of any
provided that the above copyright notice and this paragraph are kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than followed, or as required to translate it into languages other than
English. English.
The limited permissions granted above are perpetual and will not be The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns. revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE." MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Acknowledgement
Funding for the RFC Editor function is currently provided by the
Internet Society.
 End of changes. 18 change blocks. 
45 lines changed or deleted 36 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/