HEREIS "draft-vixie-dnssec-ter-00.txt"
Paul Vixie <paul@vix.com> Wed, 02 June 2004 07:08 UTC
From: Paul Vixie <paul@vix.com>
Subject: HEREIS "draft-vixie-dnssec-ter-00.txt"
Date: Wed, 02 Jun 2004 07:08:59 +0000
Lines: 168
Sender: owner-namedroppers@ops.ietf.org
X-From: owner-namedroppers@ops.ietf.org Wed Jun 02 09:18:14 2004
Return-path: <owner-namedroppers@ops.ietf.org>
To: namedroppers@ops.ietf.org
X-Mailer: MH-E 7.4; nmh 1.0.4; GNU Emacs 21.3.1
Precedence: bulk
X-Message-ID:
Message-ID: <20140418071842.2560.65761.ARCHIVE@ietfa.amsl.com>
DNSEXT Working Group Paul Vixie INTERNET-DRAFT ISC <draft-vixie-dnssec-ter-00.txt> June 2004 Extending DNSSEC-BIS (DNSSEC-TER) Status of this Memo This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. Abstract As the DNSSEC-BIS document set goes to press, we find that the design goals for DNSSEC have shifted somewhat in the ten years of its preproduction. This memo lists some possible new directions for DNSSEC-TER, and also, some methods by which DNSSEC-TER could first coexist with, and possibly replace, DNSSEC-BIS. 1 - Rationale and Scope 1.1. DNSSEC-BIS, which took ten years to evolve, is widely considered to be a working solution for end to end DNS data authenticity. However, the threat model which drove the design of DNSSEC and DNSSEC-BIS fails to address issues of great interest to some members of the community, for example, domain name confidentiality. Expires December 2004 [Page 1] INTERNET-DRAFT DNSSEC-TER June 2004 1.2. Without proposing any specific new features, this memo will lay out an upgrade path whereby DNSSEC-TER could first coexist with, and then possibly replace DNSSEC-BIS, with no loss of functionality for DNSSEC- BIS adopters. The method used has been called a "type code roll" or TCR. 1.3. The goal of this memo is not to specify DNSSEC-TER itself, but rather, to describe the method by which it can be developed and deployed, compatibly with an existing DNSSEC-BIS installed base. 2 - New Signalling, New Metadata 2.1. Since DNSSEC-BIS already depends on EDNS due to message size increases, it is safe to depend on EDNS to carry a new DNSSEC-TER flag. The meaning of this flag would be, generally, "when I say I want DNSSEC metadata in the response to this query, I can handle, and prefer, DNSSEC-TER metadata." 2.2. DNSSEC-TER might define new metadata records (for example, DS2, NSEC2, RRSIG2, and/or DNSKEY2), but will not redefine the meaning or format of existing DNSSEC-BIS metadata records due to the risk of these records becoming separated from the DNSSEC-TER tag that tells how to interpret them. 2.3. EDNS is a hop by hop protocol, carrying meaning only between an initiator and a responder. A caching forwarder who can process both DNSSEC-TER and DNSSEC-BIS will "tag" its security metadata using the "DNSSEC-TER data is wanted" status of the query which causes that metadata to enter the cache. If cached data exists but was fetched without (or with) this tag, and a query arrives with (or without) the "DNSSEC-TER wanted" flag, then the new query will have to be forwarded upstream toward the authority servers, and the result (even if negative) will be cached and used separately. This behaviour has the effect of promoting the "DNSSEC-TER" wanted flag from hop-by-hop to end-to-end. 2.4. If an authority server or caching recursive server is asked for DNSSEC-TER metadata but only has DNSSEC-BIS metadata available, then DNSSEC-BIS data will be sent. Thus, a requestor who is capable of handling DNSSEC-TER metadata records should ask for DNSSEC-TER first, and then fall back to DNSSEC-BIS if necessary. This optimizes for the eventual case when the installed base of DNSSEC-BIS has completely upgraded to DNSSEC-TER. An initiator is not permitted to assume, from the lack of a DNSSEC-TER response, that either that server or that zone does not in general support DNSSEC-TER. Expires December 2004 [Page 2] INTERNET-DRAFT DNSSEC-TER June 2004 2.5. It is possible that DNSSEC-TER metadata could be synthesized using only DNSSEC-BIS metadata. For example, an NSEC2 RR which offers the benefit of domain name confidentiality might use name hashes rather than domain names to bracket a range of name nonexistence, and it might be possible to compute these hashes using an existing NSEC RR. Therefore, a DNSSEC-TER specification might permit caching forwarders to synthesize NSEC2 RRs using NSEC RRs, thus improving the number of round trips otherwise called for in section 2.3 above. 2.6. A zone signer and/or authority server might choose to support both DNSSEC-BIS and DNSSEC-TER, or only DNSSEC-BIS, or only DNSSEC-TER. It is expected that a validating recursive server, or a caching recursive server, will support either DNSSEC-BIS alone (as is the case today), or both DNSSEC-BIS and DNSSEC-TER, but never DNSSEC-TER alone. 3 - References [RFC1035] P. Mockapetris, ``Domain Names - Implementation and Specification,'' RFC 1035, USC/Information Sciences Institute, November 1987. [RFC2671] P. Vixie, ``Extension mechanisms for DNS (EDNS0),'' RFC 2671, IETF DNSIND, September 1998 4 - Author's Address Paul Vixie Internet Systems Consortium, Inc. 950 Charter Street Redwood City, CA 94063 +1.650.423.1301 <vixie@isc.org> 3557*VIX Expires December 2004 [Page 3] -- to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: <http://ops.ietf.org/lists/namedroppers/>
- HEREIS "draft-vixie-dnssec-ter-00.txt" Paul Vixie
- Re: HEREIS "draft-vixie-dnssec-ter-00.txt" Ben Laurie
- Re: HEREIS "draft-vixie-dnssec-ter-00.txt" David Blacka
- Re: HEREIS "draft-vixie-dnssec-ter-00.txt" Derek Atkins
- Re: HEREIS "draft-vixie-dnssec-ter-00.txt" roy
- Re: HEREIS "draft-vixie-dnssec-ter-00.txt" Ben Laurie
- Re: HEREIS "draft-vixie-dnssec-ter-00.txt" Ben Laurie