draft-ietf-dnsop-delegation-trust-maintainance-05.txt   draft-ietf-dnsop-delegation-trust-maintainance-06.txt 
dnsop W. Kumari dnsop W. Kumari
Internet-Draft Google Internet-Draft Google
Intended status: Informational O. Gudmundsson Intended status: Informational O. Gudmundsson
Expires: October 13, 2014 Shinkuro Inc. Expires: October 16, 2014 Shinkuro Inc.
G. Barwood G. Barwood
April 11, 2014 April 14, 2014
Automating DNSSEC Delegation Trust Maintenance Automating DNSSEC Delegation Trust Maintenance
draft-ietf-dnsop-delegation-trust-maintainance-05 draft-ietf-dnsop-delegation-trust-maintainance-06
Abstract Abstract
This document describes a method to allow DNS operators to more This document describes a method to allow DNS operators to more
easily update DNSSEC Key Signing Keys using the DNS as communication easily update DNSSEC Key Signing Keys using the DNS as communication
channel. This document does not address the initial configuration of channel. This document does not address the initial configuration of
trust anchors for a domain. The technique described is aimed at trust anchors for a domain. The technique described is aimed at
delegations in which it is currently hard to move information from delegations in which it is currently hard to move information from
the child to parent. the child to parent.
skipping to change at page 1, line 38 skipping to change at page 1, line 38
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on October 13, 2014. This Internet-Draft will expire on October 16, 2014.
Copyright Notice Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 23 skipping to change at page 2, line 23
1.2. Requirements Notation . . . . . . . . . . . . . . . . . . 4 1.2. Requirements Notation . . . . . . . . . . . . . . . . . . 4
2. Background . . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Background . . . . . . . . . . . . . . . . . . . . . . . . . 4
2.1. DNS Delegations . . . . . . . . . . . . . . . . . . . . . 4 2.1. DNS Delegations . . . . . . . . . . . . . . . . . . . . . 4
2.2. Relationship Between Parent and Child DNS Operator . . . 5 2.2. Relationship Between Parent and Child DNS Operator . . . 5
2.2.1. Solution Space . . . . . . . . . . . . . . . . . . . 6 2.2.1. Solution Space . . . . . . . . . . . . . . . . . . . 6
2.2.2. DNSSEC key change process . . . . . . . . . . . . . . 7 2.2.2. DNSSEC key change process . . . . . . . . . . . . . . 7
3. CDS / CDNSKEY (Child DS/ Child DNSKEY) Record Definitions . . 7 3. CDS / CDNSKEY (Child DS/ Child DNSKEY) Record Definitions . . 7
3.1. CDS Resource Record Format . . . . . . . . . . . . . . . 8 3.1. CDS Resource Record Format . . . . . . . . . . . . . . . 8
3.2. CDNSKEY Resource Record Format . . . . . . . . . . . . . 8 3.2. CDNSKEY Resource Record Format . . . . . . . . . . . . . 8
4. Automating DS Maintainance With CDS/CDNSKEY records . . . . . 8 4. Automating DS Maintainance With CDS/CDNSKEY records . . . . . 8
4.1. CDS / CDNSKEY Processing Rules . . . . . . . . . . . . . 9 4.1. CDS / CDNSKEY Processing Rules . . . . . . . . . . . . . 8
5. CDS / CDNSKEY Publication . . . . . . . . . . . . . . . . . . 9 5. CDS / CDNSKEY Publication . . . . . . . . . . . . . . . . . . 9
6. Parent Side CDS / CDNSKEY Consumption . . . . . . . . . . . . 9 6. Parent Side CDS / CDNSKEY Consumption . . . . . . . . . . . . 9
6.1. Detecting a Changed CDS / CDNSKEY . . . . . . . . . . . . 10 6.1. Detecting a Changed CDS / CDNSKEY . . . . . . . . . . . . 9
6.1.1. CDS / CDNSKEY Polling . . . . . . . . . . . . . . . . 10 6.1.1. CDS / CDNSKEY Polling . . . . . . . . . . . . . . . . 10
6.1.2. Other Mechanisms . . . . . . . . . . . . . . . . . . 10 6.1.2. Other Mechanisms . . . . . . . . . . . . . . . . . . 10
6.2. Using the New CDS / CDNSKEY Records . . . . . . . . . . . 11 6.2. Using the New CDS / CDNSKEY Records . . . . . . . . . . . 11
6.2.1. Parent Calculates DS . . . . . . . . . . . . . . . . 11 6.2.1. Parent Calculates DS . . . . . . . . . . . . . . . . 11
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12
8. Privacy Considerations . . . . . . . . . . . . . . . . . . . 12 8. Privacy Considerations . . . . . . . . . . . . . . . . . . . 12
9. Security Considerations . . . . . . . . . . . . . . . . . . . 12 9. Security Considerations . . . . . . . . . . . . . . . . . . . 12
10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 14 10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 14
11. References . . . . . . . . . . . . . . . . . . . . . . . . . 14 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 14
11.1. Normative References . . . . . . . . . . . . . . . . . . 14 11.1. Normative References . . . . . . . . . . . . . . . . . . 14
11.2. Informative References . . . . . . . . . . . . . . . . . 15 11.2. Informative References . . . . . . . . . . . . . . . . . 15
Appendix A. RRR background . . . . . . . . . . . . . . . . . . . 15 Appendix A. RRR background . . . . . . . . . . . . . . . . . . . 15
Appendix B. Changes / Author Notes. . . . . . . . . . . . . . . 16 Appendix B. Changes / Author Notes. . . . . . . . . . . . . . . 16
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 18 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 19
1. Introduction 1. Introduction
When a DNS operator first signs their zone, they need to communicate When a DNS operator first signs their zone, they need to communicate
their DS record(s) (or DNSKEY(s)) to their parent through some out- their DS record(s) (or DNSKEY(s)) to their parent through some out-
of-band method to complete the chain of trust. of-band method to complete the chain of trust.
Each time the child changes/rolls the key that is represented in the Each time the child changes the key that is represented in the
parent, the new and/or deleted key information has to be communicated parent, the updated and/or deleted key information has to be
to the parent and in the parent's zone. How this information is sent communicated to the parent and published in the parent's zone. How
to the parent depends on the relationship the child has with the this information is sent to the parent depends on the relationship
parent. In many cases this is a manual process, and not an easy one. the child has with the parent. In many cases this is a manual
For each key roll, there may be up to two interactions with the process, and not an easy one. For each key roll, there may be up to
parent. Any manual process is susceptible to mistakes and/or errors. two interactions with the parent. Any manual process is susceptible
In addition, due to the annoyance factor of the process, operators to mistakes and/or errors. In addition, due to the annoyance factor
may avoid performing key rollovers or skip needed steps to publish of the process, operators may avoid performing key rollovers or skip
the new DS at the parent. needed steps to publish the new DS at the parent.
DNSSEC provides data integrity to information published in DNS; thus DNSSEC provides data integrity to information published in DNS; thus
DNS publication can be used to automate maintenance of delegation DNS publication can be used to automate maintenance of delegation
information. This document describes a method to automate information. This document describes a method to automate
publication of subsequent DS records, after the initial one has been publication of subsequent DS records, after the initial one has been
published. published.
Readers are expected to be familiar with DNSSEC, including [RFC4033], Readers are expected to be familiar with DNSSEC, including [RFC4033],
[RFC4034], [RFC4035], [RFC5011] and [RFC6781]. [RFC4034], [RFC4035], [RFC5011] and [RFC6781].
skipping to change at page 7, line 4 skipping to change at page 7, line 4
Parent's Provisioning system. The techniques described below are not Parent's Provisioning system. The techniques described below are not
needed in the case when Parental Agent is the DNS operator. needed in the case when Parental Agent is the DNS operator.
In the case of a third party DNS operator, the Child either needs to In the case of a third party DNS operator, the Child either needs to
relay changes in DNS delegation or give the Child DNS Operator access relay changes in DNS delegation or give the Child DNS Operator access
to its delegation/registration account. to its delegation/registration account.
Some parents want the child to express their DNSKEYS in the form of Some parents want the child to express their DNSKEYS in the form of
DS records, while others want to receive the DNSKEY records and DS records, while others want to receive the DNSKEY records and
calculate the DS records themselves. There is no consensus on which calculate the DS records themselves. There is no consensus on which
method is better; both have good reasons to exist. The proposal method is better; both have good reasons to exist. This solution is
below can operate with both models, but the child needs to be aware DS vs DNSKEY agnostic, and allows operation with either.
of the parental policies.
2.2.2. DNSSEC key change process 2.2.2. DNSSEC key change process
After a Child DNS Operator first signs the zone, there is a need to After a Child DNS Operator first signs the zone, there is a need to
interact with the Parent, for example via the delegation account interact with the Parent, for example via the delegation account
interface, to "upload / paste-in the zone's DS information". The interface, to "upload / paste-in the zone's DS information". The
action of logging in through the delegation account user interface action of logging in through the delegation account user interface
authenticates that the user is authorized to change delegation authenticates that the user is authorized to change delegation
information for the child published in the parent zone. In the case information for the child published in the parent zone. In the case
where the "Child DNS Operator" does not have access to the where the "Child DNS Operator" does not have access to the
skipping to change at page 7, line 31 skipping to change at page 7, line 30
because they want to publish a stand-by key. This involves because they want to publish a stand-by key. This involves
performing the same process as before. Furthermore when this is a performing the same process as before. Furthermore when this is a
manual process with cut and paste, operational mistakes will happen manual process with cut and paste, operational mistakes will happen
-- or worse, the update action is not performed at all. -- or worse, the update action is not performed at all.
The Child DNS Operator may also introduce new keys, and can do so The Child DNS Operator may also introduce new keys, and can do so
when old keys exist and can be used. The Child may also remove old when old keys exist and can be used. The Child may also remove old
keys, but this document does not support removing all keys. This is keys, but this document does not support removing all keys. This is
to avoid making signed zones unsigned. The Child may not enroll the to avoid making signed zones unsigned. The Child may not enroll the
initial key or introduce a new key when there are no old keys that initial key or introduce a new key when there are no old keys that
can be used, because there is no way to validate the information. can be used (without some additional, out of band, validation of the
keys), because there is no way to validate the information.
3. CDS / CDNSKEY (Child DS/ Child DNSKEY) Record Definitions 3. CDS / CDNSKEY (Child DS/ Child DNSKEY) Record Definitions
This document specifies two new resource records, CDS and CDNSKEY. This document specifies two new resource records, CDS and CDNSKEY.
These records are used to convey, from one zone to it's parent, the These records are used to convey, from one zone to its parent, the
desired contents of the zone's DS resource record set residing in the desired contents of the zone's DS resource record set residing in the
parent zone. parent zone.
The CDS / CDNSKEY records are published in the child zone and gives The CDS / CDNSKEY records are published in the child zone and gives
the child control of what is published for it in the parental zone. the child control of what is published for it in the parental zone.
The CDS / CDNSKEY RRset expresses what the child would like the DS The CDS / CDNSKEY RRset expresses what the child would like the DS
RRset to look like after the change; it is a "replace" operation, and RRset to look like after the change; it is a "replace" operation, and
it is up to the consumer of the records to translate that into the it is up to the consumer of the records to translate that into the
appropriate add/delete operations in the registration systems (and in appropriate add/delete operations in the registration systems (and in
the case of CDNSKEY, to generate the DS from the DNSKEY). If no CDS the case of CDNSKEY, to generate the DS from the DNSKEY). If no CDS
skipping to change at page 8, line 23 skipping to change at page 8, line 23
for the CDS record via expert review [I-D.ds-publish]. CDS uses the for the CDS record via expert review [I-D.ds-publish]. CDS uses the
same registries as DS for its fields. same registries as DS for its fields.
No special processing is performed by authoritative servers or by No special processing is performed by authoritative servers or by
revolvers, when serving or resolving. For all practical purposes CDS revolvers, when serving or resolving. For all practical purposes CDS
is a regular RR type. is a regular RR type.
3.2. CDNSKEY Resource Record Format 3.2. CDNSKEY Resource Record Format
The wire and presentation format of the CDNSKEY ("Child DNSKEY") The wire and presentation format of the CDNSKEY ("Child DNSKEY")
record is identical to the DNSKEY record. CDNSKEY uses the same record is identical to the DNSKEY record. IANA has allocated RR code
TBA1 for the CDS record via expert review. CDNSKEY uses the same
registries as DNSKEY for its fields. registries as DNSKEY for its fields.
No special processing is performed by authoritative servers or by No special processing is performed by authoritative servers or by
revolvers, when serving or resolving. For all practical purposes revolvers, when serving or resolving. For all practical purposes
CDNSKEY is a regular RR type. CDNSKEY is a regular RR type.
4. Automating DS Maintainance With CDS/CDNSKEY records 4. Automating DS Maintainance With CDS/CDNSKEY records
CDS/CDNSKEY records are intended to be "consumed" by delegation trust CDS/CDNSKEY records are intended to be "consumed" by delegation trust
maintainers. The use of CDS/CDNSKEY is optional. maintainers. The use of CDS/CDNSKEY is optional.
Some parents prefer to accept DNSSEC key information in DS format,
some parents prefer to accept it in DNSKEY format, and calculate the
DS record on the child's behalf. Each method has pros and cons, both
technical and policy. This solution is DS vs DNSKEY agnostic, and
allows operation with either.
The child SHOULD publish both CDS and CDNSKEY records. If the child The child SHOULD publish both CDS and CDNSKEY records. If the child
knows which the parent consumes, it MAY choose to only publish that knows which the parent consumes, it MAY choose to only publish that
record type (for example, some children wish the parent to publish a record type (for example, some children wish the parent to publish a
DS, but they wish to keep the DNSKEY "hidden" until needed). If the DS, but they wish to keep the DNSKEY "hidden" until needed). If the
child publishes both, the two RRsets MUST match in content. The child publishes both, the two RRsets MUST match in content. The
parent should use whichever one they choose, but MUST NOT query for parent should use whichever one they choose, but MUST NOT query for
both and perform consistency checks between the CDS and CDNSKEY both and perform consistency checks between the CDS and CDNSKEY
records. records.
4.1. CDS / CDNSKEY Processing Rules 4.1. CDS / CDNSKEY Processing Rules
If there are no CDS / CDNSKEY resource records in the child, this If there are no CDS / CDNSKEY resource records in the child, this
signals that no change should be made to the current DS set. This signals that no change should be made to the current DS set. This
means that, once the child and parent are in sync, the child DNS means that, once the child and parent are in sync, the child DNS
operator SHOULD remove all CDS records from the zone. operator MAY remove all CDS records from the zone.
Following acceptance rules are placed on the CDS / CDNSKEY records as Following acceptance rules are placed on the CDS / CDNSKEY records as
follows: follows:
o Location: "the CDS / CDNSKEY record MUST be at the child zone o Location: "the CDS / CDNSKEY record MUST be at the child zone
apex". apex".
o Signer: "MUST be signed with a key that is represented in both the o Signer: "MUST be signed with a key that is represented in both the
current DNSKEY and DS RRset's." current DNSKEY and DS RRset's."
o Continuity: "MUST NOT break the current delegation if applied to o Continuity: "MUST NOT break the current delegation if applied to
DS RRset" DS RRset"
If any these conditions fail the CDS / CDNSKEY record MUST be If any these conditions fail the CDS / CDNSKEY record MUST be
ignored. ignored.
5. CDS / CDNSKEY Publication 5. CDS / CDNSKEY Publication
Child DNS Operator SHOULD only publish a CDS or CDNSKEY RRset when it Child DNS Operator publishes a CDS and / or CDNSKEY RRset. In order
wants to make a change to the DS RRset in the Parent. In order to be to be valid, the CDS / CDNSKEY RRset MUST be compliant with the rules
valid, the CDS / CDNSKEY RRset MUST be compliant with the rules in in Section 4.1. When the Parent DS is "in-sync" with the CDS /
Section 4.1. When the Parent DS is "in-sync" with the CDS / CDNSKEY, CDNSKEY, the Child DNS Operator MAY delete the CDS / CDNSKEY
the Child DNS Operator SHOULD delete the CDS / CDNSKEY RRset(s). RRset(s); the child can determine if this is the case by quering for
Note that if the child has published a CDNSKEY RR, the Parent will DS records in the parent. Note that if the child has published a
have to calculate the DS (using the requested digest algorithm) to do CDNSKEY RR, the Parent will have to calculate the DS (using the
the comparison. requested digest algorithm) to do the comparison.
6. Parent Side CDS / CDNSKEY Consumption 6. Parent Side CDS / CDNSKEY Consumption
The CDS / CDNSKEY RRset SHOULD be used by the Parental Agent to The CDS / CDNSKEY RRset SHOULD be used by the Parental Agent to
update the DS RRset in the parent zone. The Parental Agent for this update the DS RRset in the parent zone. The Parental Agent for this
uses a tool that understands the CDS / CDNSKEY signing rules from uses a tool that understands the CDS / CDNSKEY signing rules from
Section 4.1 so it may not be able to use a standard validator. Section 4.1 so it may not be able to use a standard validator.
The parent MUST choose to accept either CDS or CDNSKEY records (based The parent MUST choose to accept either CDS or CDNSKEY records (based
upon local policy), and MUST NOT expect there to be both. A parent upon local policy), and MUST NOT expect there to be both. A parent
skipping to change at page 10, line 33 skipping to change at page 10, line 24
In either case the Parental Agent MAY apply additional rules that In either case the Parental Agent MAY apply additional rules that
defer the acceptance of a CDS / CDNSKEY change, these rules may defer the acceptance of a CDS / CDNSKEY change, these rules may
include a condition that the CDS / CDNSKEY remains in place and valid include a condition that the CDS / CDNSKEY remains in place and valid
for some time period before it is accepted. It may be appropriate in for some time period before it is accepted. It may be appropriate in
the "Pushing" case to assume that the Child is ready and thus accept the "Pushing" case to assume that the Child is ready and thus accept
changes without delay. changes without delay.
6.1.1. CDS / CDNSKEY Polling 6.1.1. CDS / CDNSKEY Polling
This is the only defined use of CDS / CDNSKEY in this document. This is the only defined use of CDS / CDNSKEY in this document.
There are limits to the saleability of polling techniques, thus some There are limits to the scaleability of polling techniques, thus some
other mechanism is likely to be specified later that addresses CDS / other mechanism is likely to be specified later that addresses CDS /
CDNSKEY usage in the situation where polling does not scale to. CDNSKEY usage in the situation where polling does not scale to.
Having said that Polling will work in many important cases like Having said that Polling will work in many important cases like
enterprises, universities, small TLDs etc. In many regulatory enterprises, universities, small TLDs etc. In many regulatory
environments the registry is prohibited from talking to the environments the registry is prohibited from talking to the
registrant. In most of these cases the registrant has a business registrant. In most of these cases the registrant has a business
relationship with the registrar, and so the registrar can offer this relationship with the registrar, and so the registrar can offer this
as a service. as a service.
If the CDS / CDNSKEY RRset does not exist, the Parental Agent MUST If the CDS / CDNSKEY RRset does not exist, the Parental Agent MUST
skipping to change at page 11, line 13 skipping to change at page 11, line 8
unauthenticated (for example, a child could telephone its parent and unauthenticated (for example, a child could telephone its parent and
request that they process the new CDS or CDNSKEY record, an request that they process the new CDS or CDNSKEY record, an
unauthenticated POST could be made to a webserver (with rate- unauthenticated POST could be made to a webserver (with rate-
limiting), etc.) limiting), etc.)
Other documents can specify the trigger conditions. Other documents can specify the trigger conditions.
6.2. Using the New CDS / CDNSKEY Records 6.2. Using the New CDS / CDNSKEY Records
Regardless of how the Parental Agent detected changes to a CDS / Regardless of how the Parental Agent detected changes to a CDS /
CDNSKEY RR, the Parental Agent MUST use a DNSSEC validator to obtain CDNSKEY RR, the Parental Agent SHOULD use a DNSSEC validator to
a validated CDS / CDNSKEY RRset from the Child zone. obtain a validated CDS / CDNSKEY RRset from the Child zone. The only
exception to this is if the parent perfoms some additional validation
on the data to confirm that it is the "correct" ket. This behavior
is NOT RECOMMENDED.
The Parental Agent MUST ensure that old versions of the CDS / CDNSKEY The Parental Agent MUST ensure that old versions of the CDS / CDNSKEY
RRset do not overwrite newer versions. This MAY be accomplished by RRset do not overwrite newer versions. This MAY be accomplished by
checking that the signature inception in the RRSIG for CDS / CDNSKEY checking that the signature inception in the RRSIG for CDS / CDNSKEY
is newer and/or the serial number on the child's SOA is greater. is newer and/or the serial number on the child's SOA is greater.
This may require the Parental Agent to maintain some state This may require the Parental Agent to maintain some state
information. information.
The Parental Agent MAY take extra security measures. For example, to The Parental Agent MAY take extra security measures. For example, to
mitigate the possibility that a Child's key signing key has been mitigate the possibility that a Child's key signing key has been
skipping to change at page 12, line 15 skipping to change at page 12, line 15
In the case the parent fetch the CDNSKEY and calculate the DS it MAY In the case the parent fetch the CDNSKEY and calculate the DS it MAY
be the case that the DS published in the parent zone is not identical be the case that the DS published in the parent zone is not identical
with the data in the CDS record made available by the child. with the data in the CDS record made available by the child.
7. IANA Considerations 7. IANA Considerations
IANA has assigned RR Type code 59 for CDS. This was done for an IANA has assigned RR Type code 59 for CDS. This was done for an
earlier version of this document[I-D.ds-publish] This document is to earlier version of this document[I-D.ds-publish] This document is to
become the reference for CDS RRtype. become the reference for CDS RRtype.
IANA is requested to assign another RR Type for the CDNSKEY. IANA is requested to assign another RR Type for the CDNSKEY, and to
replace TBA1 with this value (currntly 60 is still free, it would be
nice if that were assigned...)
8. Privacy Considerations 8. Privacy Considerations
All of the information handled / transmitted by this protocol is All of the information handled / transmitted by this protocol is
public information published in the DNS. public information published in the DNS.
9. Security Considerations 9. Security Considerations
This work is for the normal case; when things go wrong there is only This work is for the normal case; when things go wrong there is only
so much that automation can fix. so much that automation can fix.
skipping to change at page 13, line 24 skipping to change at page 13, line 26
registrar may assume that it is maintaining the DNSSEC key registrar may assume that it is maintaining the DNSSEC key
information in the registry, and may have this cached. If the information in the registry, and may have this cached. If the
registry is fetching the CDS / CDNSKEY then the registry and registry is fetching the CDS / CDNSKEY then the registry and
registrar may have different views of the DNSSEC key material and the registrar may have different views of the DNSSEC key material and the
result of such a situation is unclear. Because of this, this result of such a situation is unclear. Because of this, this
mechanism SHOULD NOT be use to bypass intermediaries that might cache mechanism SHOULD NOT be use to bypass intermediaries that might cache
information and because of that get the wrong state. information and because of that get the wrong state.
If there is a failure in applying changes in child zone to all DNS If there is a failure in applying changes in child zone to all DNS
servers listed in either parent or child NS set it is possible that servers listed in either parent or child NS set it is possible that
the Parental agent may get confused either not perform action because the Parental agent may get confused, either because it gets different
it gets different answers on different checks or CDS validation answers on different checks or CDS validation fails. In the worst
fails. In the worst case, Parental Agent performs an action case, the Parental Agent performs an action reversing a prior action
reversing a prior action but after the child signing system decides but after the child signing system decides to take the next step in
to take the next step in rollover, resulting in a broken delegation. rollover, resulting in a broken delegation.
DNS is a loosely coherent distributed database with local caching; DNS is a loosely coherent distributed database with local caching;
therefore, it is important to allow old information to expire from therefore, it is important to allow old information to expire from
caches before deleting DS or DNSKEY records. Similarly, it is caches before deleting DS or DNSKEY records. Similarly, it is
important to allow new records to propagate through the DNS before important to allow new records to propagate through the DNS before
use, see [RFC6781] and [I-D.key-time] use, see [RFC6781] and [I-D.key-time]
It is common practice for users to outsource their DNS hosting to a It is common practice for users to outsource their DNS hosting to a
3rd party DNS provider. In order for that provider to be able to 3rd party DNS provider. In order for that provider to be able to
maintain the DNSSEC information some users give the provider their maintain the DNSSEC information some users give the provider their
skipping to change at page 16, line 18 skipping to change at page 16, line 18
In many RRR cases the Registrar and Registry communicate via In many RRR cases the Registrar and Registry communicate via
EPP[RFC5730] and use the EPP DNSSEC extension [RFC5910]. In a number EPP[RFC5730] and use the EPP DNSSEC extension [RFC5910]. In a number
of ccTLDs there are other mechanisms in use as well as EPP, but in of ccTLDs there are other mechanisms in use as well as EPP, but in
general there seems to be a movement towards EPP usage when DNSSEC is general there seems to be a movement towards EPP usage when DNSSEC is
enabled in the TLD. enabled in the TLD.
Appendix B. Changes / Author Notes. Appendix B. Changes / Author Notes.
[RFC Editor: Please remove this section before publication ] [RFC Editor: Please remove this section before publication ]
WG-05 to WG-06
o Consensus (according to me!) was that mail thread said "Child MAY
remove the CDS record". Changed to accomodate.
o "The proposal below can operate with both models, but the child
needs to be aware of the parental policies." - removed "but the
child needs to be aware of the parental policies.". This is no
longer true, as we suggest publishing both CDS and CDSNKEY.
o Added: "without some additional out of band process" to "The Child
may not enroll the initial key or introduce a new key when there
are no old keys that can be used (without some additional, out of
band, validation of the keys), because there is no way to validate
the information."
o Added a bit to the IANA section, requesting that TBA1 be replaced
with the IANA allocated code.
o Removed" Some parents prefer to accept DNSSEC key information in
DS format, some parents prefer to accept it in DNSKEY format, and
calculate the DS record on the child's behalf. Each method has
pros and cons, both technical and policy. This solution is DS vs
DNSKEY agnostic, and allows operation with either." from Section 4
as it is covered in Section 2.2.1
o Remove a bunch of comments from the XML. I was getting tired of
scrolling past them. If the authors need them back, they are in
SVN commit 47.
WG-04 to WG-05 WG-04 to WG-05
o More comments from Patrik, Paul and Ed. o More comments from Patrik, Paul and Ed.
o Many nits and fixes from Matthijs Mekking. o Many nits and fixes from Matthijs Mekking.
o Outstanding question: Should we remove the "Child SHOULD remove o Outstanding question: Should we remove the "Child SHOULD remove
the CDS record" text? Mail sent to list. the CDS record" text? Mail sent to list.
WG-03 to WG-04 WG-03 to WG-04
 End of changes. 20 change blocks. 
47 lines changed or deleted 77 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/