NOTE: This charter is accurate as of the 31st IETF Meeting in San Jose. It may now be out-of-date. (Consider this a "snapshot" of the working group from that meeting.) Up-to-date charters for all active working groups can be found elsewhere in this Web server.


The Domain Name System Security Working Group (DNSSEC) will specify enhancements to the DNS protocol to protect the DNS against unauthorized modification of data and against masquerading of data origin. That is, it will add data integrity and authentication capabilities to the DNS. The specific mechanism to be added to the DNS protocol will be a digital signature.

The digital signature service will be added such that the DNS resource records will be signed and, by distributing the signatures with the records, remote sites can verify the signatures and thus have confidence in the accuracy of the records received.

There are at least two issues to be explored and resolved. First, should the records be signed by the primary or secondary (or both) servers distributing the resource records, or should they be signed by the start of authority for the zone of the records? This issue is relevant since there are servers for sites that are not IP connected. Second, the mechanism with which to distribute the public keys necessary to verify the digital signatures must be identified.

Two essential assumptions have been identified. First, backwards compatibility and co-existence with DNS servers and clients that do not support the proposed security services is required. Second, data in the DNS is considered public information. This latter assumption means that discussions and proposals involving data confidentiality and access control are explicitly outside the scope of this working group.

Submit proposal for adding security enhancements to DNS as an Internet-Draft
Update Internet-Draft on adding security enhancements to DNS
Nov 94
Submit proposal for adding security enhancements to the DNS to the IESG for consideration as a Proposed Standard

