draft-ietf-dnssec-ddi-05.txt   draft-ietf-dnssec-ddi-06.txt 
INTERNET-DRAFT Donald E. Eastlake 3rd INTERNET-DRAFT Donald E. Eastlake 3rd
CyberCash, Inc. IBM
Expires April 1999 October 1998
Detached Domain Name System (DNS) Information Detached Domain Name System (DNS) Information
-------- ------ ---- ------ ----- ----------- -------- ------ ---- ------ ----- -----------
Donald E. Eastlake 3rd Donald E. Eastlake 3rd
Status of This Document Status of This Document
This draft, file name draft-ietf-dnssec-ddi-05.txt, is intended to be This draft, file name draft-ietf-dnssec-ddi-06.txt, is intended to be
become a Proposed Standard RFC. Distribution of this document is become a Proposed Standard RFC. Distribution of this document is
unlimited. Comments should be sent to the DNS Security Working Group unlimited. Comments should be sent to the DNS Security Working Group
mailing list <dns-security@tis.com> or to the author. mailing list <dns-security@tis.com> or to the author.
This document is an Internet-Draft. Internet-Drafts are working This document is an Internet-Draft. Internet-Drafts are working
documents of the Internet Engineering Task Force (IETF), its areas, documents of the Internet Engineering Task Force (IETF), its areas,
and its working groups. Note that other groups may also distribute and its working groups. Note that other groups may also distribute
working documents as Internet-Drafts. working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six Internet-Drafts are draft documents valid for a maximum of six
months. Internet-Drafts may be updated, replaced, or obsoleted by months. Internet-Drafts may be updated, replaced, or obsoleted by
other documents at any time. It is not appropriate to use Internet- other documents at any time. It is not appropriate to use Internet-
Drafts as reference material or to cite them other than as a Drafts as reference material or to cite them other than as a
``working draft'' or ``work in progress.'' ``working draft'' or ``work in progress.''
To learn the current status of any Internet-Draft, please check the To view the entire list of current Internet-Drafts, please check the
1id-abstracts.txt listing contained in the Internet-Drafts Shadow "1id-abstracts.txt" listing contained in the Internet-Drafts Shadow
Directories on ds.internic.net (East USA), ftp.isi.edu (West USA), Directories on ftp.is.co.za (Africa), ftp.nordu.net (Northern
ftp.nordu.net (North Europe), ftp.nis.garr.it (South Europe), Europe), ftp.nis.garr.it (Southern Europe), munnari.oz.au (Pacific
munnari.oz.au (Pacific Rim), or ftp.is.co.za (Africa). Rim), ftp.ietf.org (US East Coast), or ftp.isi.edu (US West Coast).
[Changes from last draft: change date, update author info, define 64
bit retrieval time format to avoid year 2106 problem, permit text
data format to have more than four digits of year, add IANA
Considerations section]
Abstract Abstract
A standard format is defined for representing detached DNS A standard format is defined for representing detached DNS
information. This is anticipated to be of use for storing information. This is anticipated to be of use for storing
information retrieved from the Domain Name System (DNS), including information retrieved from the Domain Name System (DNS), including
security information, in archival contexts or contexts not connected security information, in archival contexts or contexts not connected
to the Internet. to the Internet.
Table of Contents Table of Contents
Status of This Document....................................1 Status of This Document....................................1
Abstract...................................................2 Abstract...................................................2
Table of Contents..........................................2 Table of Contents..........................................2
1. Introduction............................................3 1. Introduction............................................3
2. General Format..........................................3
2. General Format..........................................4
2.1 Binary Format..........................................4 2.1 Binary Format..........................................4
2.2. Text Format...........................................6 2.2. Text Format...........................................5
3. Usage Example...........................................5
3. Usage Example...........................................7 4. IANA Considerations.....................................5
4. Security Considerations.................................7 5. Security Considerations.................................6
References.................................................8 References.................................................7
Author's Address...........................................8 Author's Address...........................................7
Expiration and File Name...................................8 Expiration and File Name...................................7
1. Introduction 1. Introduction
The Domain Name System (DNS) is a replicated hierarchical distributed The Domain Name System (DNS) is a replicated hierarchical distributed
database system [RFC 1034, 1035] that can provide highly available database system [RFC 1034, 1035] that can provide highly available
service. It provides the operational basis for Internet host name to service. It provides the operational basis for Internet host name to
address translation, automatic SMTP mail routing, and other basic address translation, automatic SMTP mail routing, and other basic
Internet functions. The DNS has been extended as described in Internet functions. The DNS has been extended as described in
[draft-ietf-dnssec-secext2-*.txt] to permit the general storage of [draft-ietf-dnssec-secext2-*.txt] to permit the general storage of
public cryptographic keys in the DNS and to enable the authentication public cryptographic keys in the DNS and to enable the authentication
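Review bot: the Status of This Document paragraph still reads "is intended to be become a Proposed Standard RFC" in both the -05 and -06 columns; since this block was already touched to rename the file and rewrite the shadow-directory list, drop the stray "be" at the same time ("is intended to become a Proposed Standard RFC"). The bracketed change summary is helpful, but it lists the new IANA Considerations section without saying that Security Considerations moves from section 4 to section 5; a reader comparing the two tables of contents will notice the renumbering, so name it in the summary as well.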
skipping to change at page 5, line 31 skipping to change at page 4, line 36
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| hex 20 | | hex 20 |
+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+
Retrieval time - the time that the immediately following information Retrieval time - the time that the immediately following information
was obtained from the connected DNS system. It is an unsigned was obtained from the connected DNS system. It is an unsigned
number of seconds since the start of 1 January 1970, GMT, ignoring number of seconds since the start of 1 January 1970, GMT, ignoring
leap seconds, in network (big-endian) order. Note that this time leap seconds, in network (big-endian) order. Note that this time
can not be before the initial proposal of this standard. can not be before the initial proposal of this standard.
Therefore, the initial byte of an actual retrieval time, Therefore, the initial byte of an actual retrieval time,
considered as an unsigned quantity, will be larger than 20 hex. considered as a 32 bit unsigned quantity, would always be larger
The end of detached DNS information is indicated by a "retrieval than 20 hex. The end of detached DNS information is indicated by
time" field initial byte equal to 20 hex. Use of a "retrieval a "retrieval time" field initial byte equal to 0x20. Use of a
time" field with a leading unsigned byte less than 20 in binary "retrieval time" field with a leading unsigned byte of zero
detached DNS information is reserved for future use. It may indicates a 64 bit (actually 8 leading zero bits plus a 56 bit
indicate a different format. The present format will run out of quantity). This 64 bit format will be required when retrieval
bits during the year 2106. Retrieval times will not generally be time is larger than 0xFFFFFFFF, which is some time in the year
32 bit aligned with respect to each other due to the variable 2106. The meaning of retrieval times with an initial byte between
length nature of RRs. 0x01 and 0x1F is reserved (see section 5). Retrieval times will
not generally be 32 bit aligned with respect to each other due to
the variable length nature of RRs.
RR count - an unsigned integer number (with bytes in network order) RR count - an unsigned integer number (with bytes in network order)
of following resource records retrieved at the preceding retrieval of following resource records retrieved at the preceding retrieval
time. time.
Resource Records - the actual data which is in the same format as if Resource Records - the actual data which is in the same format as if
it were being transmitted in a DNS response. In particular, name it were being transmitted in a DNS response. In particular, name
compression via pointers is permitted with the origin at the compression via pointers is permitted with the origin at the
beginning of the particular detached information data section, beginning of the particular detached information data section,
just after the RR count. just after the RR count.
2.2. Text Format 2.2. Text Format
The standard text format for detached DNS information is as The standard text format for detached DNS information is as
prescribed for zone master files [RFC 1035] except that the $INCLUDE prescribed for zone master files [RFC 1035] except that the $INCLUDE
control entry is prohibited and the new $DATE entry is required control entry is prohibited and the new $DATE entry is required
(unless the information set is empty). $DATE is followed by the date (unless the information set is empty). $DATE is followed by the date
and time that the following information was obtained from the DNS and time that the following information was obtained from the DNS
system as described for retrieval time in section 2.1 above. It is system as described for retrieval time in section 2.1 above. It is
in the text format YYYYMMDDHHMMSS where YYYY is the year, the first in the text format YYYYMMDDHHMMSS where YYYY is the year (which may
MM is the month number (01-12), DD is the day of the month (01-31), be more than four digits to cover years after 9999), the first MM is
HH is the hour in 24 hours notation (00-23), the second MM is the the month number (01-12), DD is the day of the month (01-31), HH is
minute (00-59), and SS is the second (00-59). Thus a $DATE must the hour in 24 hours notation (00-23), the second MM is the minute
appear before the first RR and at every change in retrieval time (00-59), and SS is the second (00-59). Thus a $DATE must appear
through the detached information. before the first RR and at every change in retrieval time through the
detached information.
3. Usage Example 3. Usage Example
A document might be authenticated by a key retrieved from the DNS in A document might be authenticated by a key retrieved from the DNS in
a KEY resource record (RR). To later prove the authenticity of this a KEY resource record (RR). To later prove the authenticity of this
document, it would be desirable to preserve the KEY RR for that document, it would be desirable to preserve the KEY RR for that
public key, the SIG RR signing that KEY RR, the KEY RR for the key public key, the SIG RR signing that KEY RR, the KEY RR for the key
used to authenticate that SIG, and so on through SIG and KEY RRs used to authenticate that SIG, and so on through SIG and KEY RRs
until a well known trusted key is reached, perhaps the key for the until a well known trusted key is reached, perhaps the key for the
DNS root or some third party authentication service. (In some cases DNS root or some third party authentication service. (In some cases
these KEY RRs will actually be sets of KEY RRs with the same owner these KEY RRs will actually be sets of KEY RRs with the same owner
and class because SIGs actually sign such record sets.) and class because SIGs actually sign such record sets.)
This information could be preserved as a set of detached DNS This information could be preserved as a set of detached DNS
information blocks. information blocks.
4. Security Considerations 4. IANA Considerations
Allocation of meanings to retrieval time fields with a initial byte
of between 0x01 and 0x1F requires an IETF consensus.
5. Security Considerations
The entirety of this document concerns a means to represent detached The entirety of this document concerns a means to represent detached
DNS information. Such detached resource records may be security DNS information. Such detached resource records may be security
relevant and/or secured information as described in [draft-ietf- relevant and/or secured information as described in [draft-ietf-
dnssec-secext2-*.txt]. The detached format provides no overall dnssec-secext2-*.txt]. The detached format provides no overall
security for sets of detached information or for the association security for sets of detached information or for the association
between retrieval time and information. This can be provided by between retrieval time and information. This can be provided by
wrapping the detached information format with some other form of wrapping the detached information format with some other form of
signature. However, if the detached information is accompanied by signature. However, if the detached information is accompanied by
SIG RRs, its validity period is indicated in those SIG RRs so the SIG RRs, its validity period is indicated in those SIG RRs so the
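Review bot: the cross-reference in the new retrieval-time text points at the wrong section: "The meaning of retrieval times with an initial byte between 0x01 and 0x1F is reserved (see section 5)" should say section 4, because this draft's table of contents and headings put IANA Considerations at 4 and Security Considerations at 5. Two smaller points in the same region: the sentence "a leading unsigned byte of zero indicates a 64 bit (actually 8 leading zero bits plus a 56 bit quantity)" is missing its noun and should read "indicates a 64 bit retrieval time"; and "a initial byte" in the IANA Considerations text should be "an initial byte". In section 2.2, allowing YYYY to exceed four digits means YYYYMMDDHHMMSS is no longer fixed-width, so state explicitly that MMDDHHMMSS are the final ten digits and every preceding digit belongs to the year; otherwise an implementation that reads exactly four year digits will misparse any post-9999 $DATE the new wording permits.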
skipping to change at page 8, line 14 skipping to change at page 7, line 14
References References
[RFC 1034] - Domain Names - Concepts and Facilities, P. Mockapetris, [RFC 1034] - Domain Names - Concepts and Facilities, P. Mockapetris,
November 1987. November 1987.
[RFC 1035] - Domain Names - Implementation and Specifications, P. [RFC 1035] - Domain Names - Implementation and Specifications, P.
Mockapetris, November 1987. Mockapetris, November 1987.
[draft-ietf-dnssec-secext2-*.txt] - Domain Name System Security [draft-ietf-dnssec-secext2-*.txt] - Domain Name System Security
Extensions, D. Eastlake. Extensions, Donald Eastlake 3rd.
Author's Address Author's Address
Donald E. Eastlake 3rd Donald E. Eastlake 3rd
CyberCash, Inc. IBM
318 Acton Street 318 Acton Street
Carlisle, MA 01741 USA Carlisle, MA 01741 USA
Telephone: +1 978 287 4877 Telephone: +1-978-287-4877
+1 703 620 4200 (main office, Reston, Virginia) +1-914-784-7913
Fax: +1 978 371 7148 Fax: +1-978-371-7148
email: dee@cybercash.com email: dee3@us.ibm.com
Expiration and File Name Expiration and File Name
This draft expires September 1998. This draft expires April 1999.
Its file name is draft-ietf-dnssec-ddi-05.txt. Its file name is draft-ietf-dnssec-ddi-06.txt.
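Review bot: the reference entry for [draft-ietf-dnssec-secext2-*.txt] gives an author but no date and no "work in progress" marker, while the two RFC entries carry their November 1987 dates; since the Status section of this very draft says Internet-Drafts may only be cited as a "working draft" or "work in progress", add that phrase and a date to the entry. The Author's Address block is consistent with the header (IBM affiliation, expiry April 1999, file name draft-ietf-dnssec-ddi-06.txt).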
 End of changes. 14 change blocks. 
39 lines changed or deleted, 52 lines changed or added.

This html diff was produced by rfcdiff 1.34. The latest version is available from http://tools.ietf.org/tools/rfcdiff/