draft-ietf-dnsext-ad-is-secure

Erik Nordmark <Erik.Nordmark@sun.com> Thu, 10 July 2003 18:18 UTC

Date: Thu, 10 Jul 2003 20:11:14 +0200
From: Erik Nordmark <Erik.Nordmark@sun.com>
Reply-To: Erik Nordmark <Erik.Nordmark@sun.com>
Subject: draft-ietf-dnsext-ad-is-secure
To: namedroppers@ops.ietf.org
In-Reply-To: "Your message with ID" <Roam.SIMC.2.0.6.1057859670.9398.nordmark@bebop.france>
Message-ID: <Roam.SIMC.2.0.6.1057860674.8288.nordmark@bebop.france>

The document was approved by the IESG today with some changes as an RFC editor 
note. Mostly what I sent to the list earlier but some rewording in the first
item, and the addition of the last item. (I know the last item is largely a
repeat of existing text elsewhere in the draft, but in the interest of time
and knowing that 2535bis will fold all this into one document I cut some
corners.)

If these tweaks are problematic let me know and I'll stop the presses.

  Erik

RFC Editor note:

Please add the standard IPR section to the document.

Before the last paragraph in section 4 add this paragraph:

      In the latter two cases, the end consumer must also completely
      trust the network path to the trusted resolvers or a secure
      transport is employed to protect the traffic.

Add this paragraph to the end of section 2.2:

      Note that having the AD bit clear on an authoritative answer is
      normal and expected behavior.

The draft also has an odd "MUST" in section 2.2.1:
  Organisations that require that all DNS responses contain
  cryptographically verified data MUST separate the functions of
  authoritative and recursive servers, as authoritative servers are not
  required to validate local secure data.
This introduces a new concept "local secure data", w/o defining it.

Replace that paragraph with:
  Organisations which require that all DNS responses contain
  cryptographically verified data will need to separate the
  authoritative name server and signature verification functions, since
  name servers are not required to validate signatures of data for which
  they are authoritative.


Add this paragraph at the end of the security considerations section:
   A resolver MUST NOT blindly trust the AD bit unless it communicates
   with the full function resolver over a secure transport mechanism, such as
   IPsec, or using message authentication such as TSIG [RFC2845] or SIG(0)
   [RFC2931]. In addition, the resolver must have been explicitly configured
   to trust this resolver.

---
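The following is an added example, not part of Erik Nordmark's message or of the draft itself. It shows, in a stub resolver, the two rules the RFC Editor notes above state: an authoritative answer (AA set) with AD clear is normal rather than a failure, and the AD bit is only trusted when the full function resolver that set it is explicitly configured as trusted and the path to it is protected (IPsec, TSIG or SIG(0)). The DNS header bit positions are the real wire format (RFC 1035 header, AD/CD bits as assigned by RFC 2535); the resolver names, the `UpstreamChannel` record, the policy functions and the sample messages are constructed for illustration and are not from any real implementation.

```python
"""Stub-resolver policy for the DNS AD (Authentic Data) bit.

Added example: the header layout is the real DNS wire format; everything
about trusted resolvers, channels and sample responses is constructed.
"""
import struct
from dataclasses import dataclass
from typing import Optional

HEADER_LEN = 12  # ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (6 x 16 bits)

# Bit masks within the 16-bit FLAGS word of the DNS header.
QR = 0x8000  # response
AA = 0x0400  # authoritative answer
TC = 0x0200  # truncated
RD = 0x0100  # recursion desired
RA = 0x0080  # recursion available
AD = 0x0020  # authentic data (set by a validating resolver)
CD = 0x0010  # checking disabled
RCODE_MASK = 0x000F


@dataclass(frozen=True)
class HeaderFlags:
    qr: bool
    aa: bool
    tc: bool
    rd: bool
    ra: bool
    ad: bool
    cd: bool
    rcode: int


def parse_header_flags(msg: bytes) -> HeaderFlags:
    """Decode the FLAGS word of a DNS message; refuse anything shorter than a header."""
    if len(msg) < HEADER_LEN:
        raise ValueError("truncated DNS header")
    (flags,) = struct.unpack("!H", msg[2:4])
    return HeaderFlags(
        qr=bool(flags & QR), aa=bool(flags & AA), tc=bool(flags & TC),
        rd=bool(flags & RD), ra=bool(flags & RA), ad=bool(flags & AD),
        cd=bool(flags & CD), rcode=flags & RCODE_MASK,
    )


def build_header(*, qr=True, aa=False, rd=True, ra=True, ad=False, cd=False,
                 rcode=0, msg_id=0x1234) -> bytes:
    """Construct a 12-byte header (one question, no answers) for test input."""
    flags = ((QR if qr else 0) | (AA if aa else 0) | (RD if rd else 0)
             | (RA if ra else 0) | (AD if ad else 0) | (CD if cd else 0)
             | (rcode & RCODE_MASK))
    return struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)


@dataclass(frozen=True)
class UpstreamChannel:
    """Constructed description of how the stub reached its upstream resolver."""
    server: str
    protection: Optional[str]  # "ipsec", "tsig", "sig0", or None for a bare UDP/TCP path


# Hypothetical local configuration: the only resolver whose AD bit we believe,
# and the channel protections that satisfy the "secure transport or message
# authentication" requirement. These names are assumptions for the example.
TRUSTED_VALIDATING_RESOLVERS = frozenset({"resolver.example.net"})
ACCEPTED_PROTECTIONS = frozenset({"ipsec", "tsig", "sig0"})


def ad_is_trustworthy(msg: bytes, channel: UpstreamChannel) -> bool:
    """True only if AD is set AND the resolver is configured as trusted AND the path is protected."""
    flags = parse_header_flags(msg)
    if not (flags.qr and flags.ad):
        return False
    if channel.server not in TRUSTED_VALIDATING_RESOLVERS:
        return False  # an unknown server can set AD on anything it likes
    return channel.protection in ACCEPTED_PROTECTIONS  # an on-path attacker could set AD otherwise


def classify_answer(msg: bytes, channel: UpstreamChannel) -> str:
    """Summarise what the stub may conclude from a response's AA/AD bits."""
    flags = parse_header_flags(msg)
    if flags.ad and ad_is_trustworthy(msg, channel):
        return "secure"                    # validated by a trusted resolver over a protected path
    if flags.ad:
        return "ad-ignored"                # AD present but unverifiable: treat as unvalidated
    if flags.aa:
        return "authoritative-unvalidated"  # normal: authoritative servers need not validate their own data
    return "unvalidated"


if __name__ == "__main__":
    tsig = UpstreamChannel("resolver.example.net", "tsig")
    plain = UpstreamChannel("resolver.example.net", None)
    for label, msg, ch in [("validated over TSIG", build_header(ad=True), tsig),
                           ("validated over bare UDP", build_header(ad=True), plain),
                           ("authoritative, AD clear", build_header(aa=True), tsig)]:
        print(f"{label:28s} -> {classify_answer(msg, ch)}")
```

The point of `classify_answer` is that two of the four outcomes are identical in practice: an unverifiable AD bit and a missing one both leave the stub with unvalidated data, so a stub that cannot meet the "trusted resolver over a protected path" condition should simply ignore AD rather than treat it as a hint.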

