| < draft-ietf-dnsext-dnssec-bis-updates-15.txt | draft-ietf-dnsext-dnssec-bis-updates-16.txt > | |||
|---|---|---|---|---|
| Network Working Group S. Weiler | Network Working Group S. Weiler | |||
| Internet-Draft SPARTA, Inc. | Internet-Draft SPARTA, Inc. | |||
| Updates: 4033, 4034, 4035, 5155 D. Blacka | Updates: 4033, 4034, 4035, 5155 D. Blacka | |||
| (if approved) VeriSign, Inc. | (if approved) VeriSign, Inc. | |||
| Intended status: Standards Track January 13, 2012 | Intended status: Standards Track January 14, 2012 | |||
| Expires: July 16, 2012 | Expires: July 17, 2012 | |||
| Clarifications and Implementation Notes for DNSSECbis | Clarifications and Implementation Notes for DNSSECbis | |||
| draft-ietf-dnsext-dnssec-bis-updates-15 | draft-ietf-dnsext-dnssec-bis-updates-16 | |||
| Abstract | Abstract | |||
| This document is a collection of technical clarifications to the | This document is a collection of technical clarifications to the | |||
| DNSSECbis document set. It is meant to serve as a resource to | DNSSECbis document set. It is meant to serve as a resource to | |||
| implementors as well as a repository of DNSSECbis errata. | implementors as well as a repository of DNSSECbis errata. | |||
| This document updates the core DNSSECbis documents (RFC4033, RFC4034, | This document updates the core DNSSECbis documents (RFC4033, RFC4034, | |||
| and RFC4035) as well as the NSEC3 specification (RFC5155). It also | and RFC4035) as well as the NSEC3 specification (RFC5155). It also | |||
| defines NSEC3 and SHA-2 as core parts of the DNSSECbis specification. | defines NSEC3 and SHA-2 as core parts of the DNSSECbis specification. | |||
| skipping to change at page 1, line 38 ¶ | skipping to change at page 1, line 38 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on July 16, 2012. | This Internet-Draft will expire on July 17, 2012. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2012 IETF Trust and the persons identified as the | Copyright (c) 2012 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 3, line 23 ¶ | skipping to change at page 3, line 23 ¶ | |||
| 3. Scaling Concerns . . . . . . . . . . . . . . . . . . . . . . . 5 | 3. Scaling Concerns . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 3.1. Implement a BAD cache . . . . . . . . . . . . . . . . . . 5 | 3.1. Implement a BAD cache . . . . . . . . . . . . . . . . . . 5 | |||
| 4. Security Concerns . . . . . . . . . . . . . . . . . . . . . . 5 | 4. Security Concerns . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 4.1. Clarifications on Non-Existence Proofs . . . . . . . . . . 5 | 4.1. Clarifications on Non-Existence Proofs . . . . . . . . . . 5 | |||
| 4.2. Validating Responses to an ANY Query . . . . . . . . . . . 6 | 4.2. Validating Responses to an ANY Query . . . . . . . . . . . 6 | |||
| 4.3. Check for CNAME . . . . . . . . . . . . . . . . . . . . . 6 | 4.3. Check for CNAME . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 4.4. Insecure Delegation Proofs . . . . . . . . . . . . . . . . 6 | 4.4. Insecure Delegation Proofs . . . . . . . . . . . . . . . . 6 | |||
| 5. Interoperability Concerns . . . . . . . . . . . . . . . . . . 6 | 5. Interoperability Concerns . . . . . . . . . . . . . . . . . . 6 | |||
| 5.1. Errors in Canonical Form Type Code List . . . . . . . . . 7 | 5.1. Errors in Canonical Form Type Code List . . . . . . . . . 7 | |||
| 5.2. Unknown DS Message Digest Algorithms . . . . . . . . . . . 7 | 5.2. Unknown DS Message Digest Algorithms . . . . . . . . . . . 7 | |||
| 5.3. Private Algorithms . . . . . . . . . . . . . . . . . . . . 7 | 5.3. Private Algorithms . . . . . . . . . . . . . . . . . . . . 8 | |||
| 5.4. Caution About Local Policy and Multiple RRSIGs . . . . . . 8 | 5.4. Caution About Local Policy and Multiple RRSIGs . . . . . . 8 | |||
| 5.5. Key Tag Calculation . . . . . . . . . . . . . . . . . . . 8 | 5.5. Key Tag Calculation . . . . . . . . . . . . . . . . . . . 9 | |||
| 5.6. Setting the DO Bit on Replies . . . . . . . . . . . . . . 9 | 5.6. Setting the DO Bit on Replies . . . . . . . . . . . . . . 9 | |||
| 5.7. Setting the AD Bit on Queries . . . . . . . . . . . . . . 9 | 5.7. Setting the AD Bit on Queries . . . . . . . . . . . . . . 9 | |||
| 5.8. Setting the AD Bit on Replies . . . . . . . . . . . . . . 9 | 5.8. Setting the AD Bit on Replies . . . . . . . . . . . . . . 9 | |||
| 5.9. Always set the CD bit on Queries . . . . . . . . . . . . . 9 | 5.9. Always set the CD bit on Queries . . . . . . . . . . . . . 9 | |||
| 5.10. Nested Trust Anchors . . . . . . . . . . . . . . . . . . . 10 | 5.10. Nested Trust Anchors . . . . . . . . . . . . . . . . . . . 10 | |||
| 5.10.1. Closest Encloser . . . . . . . . . . . . . . . . . . 10 | 5.10.1. Closest Encloser . . . . . . . . . . . . . . . . . . 10 | |||
| 5.10.2. Accept Any Success . . . . . . . . . . . . . . . . . 11 | 5.10.2. Accept Any Success . . . . . . . . . . . . . . . . . 11 | |||
| 5.10.3. Preference Based on Source . . . . . . . . . . . . . 11 | 5.10.3. Preference Based on Source . . . . . . . . . . . . . 11 | |||
| 5.11. Mandatory Algorithm Rules . . . . . . . . . . . . . . . . 11 | 5.11. Mandatory Algorithm Rules . . . . . . . . . . . . . . . . 12 | |||
| 5.12. Expect Extra Signatures From Strange Keys . . . . . . . . 12 | 5.12. Expect Extra Signatures From Strange Keys . . . . . . . . 12 | |||
| 6. Minor Corrections and Clarifications . . . . . . . . . . . . . 12 | 6. Minor Corrections and Clarifications . . . . . . . . . . . . . 13 | |||
| 6.1. Finding Zone Cuts . . . . . . . . . . . . . . . . . . . . 12 | 6.1. Finding Zone Cuts . . . . . . . . . . . . . . . . . . . . 13 | |||
| 6.2. Clarifications on DNSKEY Usage . . . . . . . . . . . . . . 13 | 6.2. Clarifications on DNSKEY Usage . . . . . . . . . . . . . . 13 | |||
| 6.3. Errors in Examples . . . . . . . . . . . . . . . . . . . . 13 | 6.3. Errors in Examples . . . . . . . . . . . . . . . . . . . . 13 | |||
| 6.4. Errors in RFC 5155 . . . . . . . . . . . . . . . . . . . . 14 | 6.4. Errors in RFC 5155 . . . . . . . . . . . . . . . . . . . . 14 | |||
| 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14 | 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14 | |||
| 8. Security Considerations . . . . . . . . . . . . . . . . . . . 14 | 8. Security Considerations . . . . . . . . . . . . . . . . . . . 14 | |||
| 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 15 | 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 15 | |||
| 9.1. Normative References . . . . . . . . . . . . . . . . . . . 15 | 9.1. Normative References . . . . . . . . . . . . . . . . . . . 15 | |||
| 9.2. Informative References . . . . . . . . . . . . . . . . . . 15 | 9.2. Informative References . . . . . . . . . . . . . . . . . . 15 | |||
| Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . . 16 | Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . . 16 | |||
| Appendix B. Discussion of Setting the CD Bit . . . . . . . . . . 16 | Appendix B. Discussion of Setting the CD Bit . . . . . . . . . . 17 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 19 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 20 | |||
| 1. Introduction and Terminology | 1. Introduction and Terminology | |||
| This document lists some additions, clarifications and corrections to | This document lists some additions, clarifications and corrections to | |||
| the core DNSSECbis specification, as originally described in | the core DNSSECbis specification, as originally described in | |||
| [RFC4033], [RFC4034], and [RFC4035], and later amended by [RFC5155]. | [RFC4033], [RFC4034], and [RFC4035], and later amended by [RFC5155]. | |||
| (See section Section 2 for more recent additions to that core | (See section Section 2 for more recent additions to that core | |||
| document set.) | document set.) | |||
| It is intended to serve as a resource for implementors and as a | It is intended to serve as a resource for implementors and as a | |||
| skipping to change at page 7, line 6 ¶ | skipping to change at page 7, line 6 ¶ | |||
| needs to check for the presence of the NS bit in the matching NSEC | needs to check for the presence of the NS bit in the matching NSEC | |||
| (or NSEC3) RR (proving that there is, indeed, a delegation), or | (or NSEC3) RR (proving that there is, indeed, a delegation), or | |||
| alternately make sure that the delegation is covered by an NSEC3 RR | alternately make sure that the delegation is covered by an NSEC3 RR | |||
| with the Opt-Out flag set. If this is not checked, spoofed unsigned | with the Opt-Out flag set. If this is not checked, spoofed unsigned | |||
| delegations might be used to claim that an existing signed record is | delegations might be used to claim that an existing signed record is | |||
| not signed. | not signed. | |||
| 5. Interoperability Concerns | 5. Interoperability Concerns | |||
| 5.1. Errors in Canonical Form Type Code List | 5.1. Errors in Canonical Form Type Code List | |||
| When canonicalizing DNS names, DNS names in the RDATA section of NSEC | When canonicalizing DNS names (for both ordering and signing), DNS | |||
| and RRSIG resource records are not downcased. | names in the RDATA section of NSEC resource records are not | |||
| downcased. DNS names in the RDATA section of RRSIG resource records | ||||
| are downcased. | ||||
| [RFC4034] Section 6.2 item 3 has a list of resource record types for | The guidance in the above paragraph differs from what has been | |||
| which DNS names in the RDATA are downcased for purposes of DNSSEC | published before but is consistent with current common practice. | |||
| canonical form (for both ordering and signing). That list | [RFC4034] Section 6.2 item 3 says that names in both of these RR | |||
| erroneously contains NSEC and RRSIG. According to [RFC3755], DNS | types should be downcased. The earlier [RFC3755] says that they | |||
| names in the RDATA of NSEC and RRSIG should not be downcased. | should not. Current practice follows neither document fully. | |||
| The same section also erroneously lists HINFO, and twice at that. | Section 6.2 of RFC4034 also erroneously lists HINFO as a record that | |||
| Since HINFO records contain no domain names, they are not subject to | needs downcasing, and twice at that. Since HINFO records contain no | |||
| downcasing. | domain names, they are not subject to downcasing. | |||
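Review bot: the rewritten first paragraph of Section 5.1 (right column: NSEC RDATA names not downcased, RRSIG RDATA names downcased) is stated descriptively ("are not downcased", "are downcased") even though it overrides RFC 4034 Section 6.2 item 3, which this document updates (header: "Updates: 4033, 4034, 4035, 5155"), and the adjacent Section 5.2 states its rule with "MUST". Consider phrasing the rule as a requirement so signers and validators read it as a normative correction rather than an observation. The justification "consistent with current common practice" also names no implementation; since the old text leaned on [RFC3755] and the new text concedes that "Current practice follows neither document fully", a citation or a test vector with mixed-case names in NSEC and RRSIG RDATA would let readers verify which behaviour is meant and which one their signer actually produces.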
| 5.2. Unknown DS Message Digest Algorithms | 5.2. Unknown DS Message Digest Algorithms | |||
| Section 5.2 of [RFC4035] includes rules for how to handle delegations | Section 5.2 of [RFC4035] includes rules for how to handle delegations | |||
| to zones that are signed with entirely unsupported public key | to zones that are signed with entirely unsupported public key | |||
| algorithms, as indicated by the key algorithms shown in those zone's | algorithms, as indicated by the key algorithms shown in those zone's | |||
| DS RRsets. It does not explicitly address how to handle DS records | DS RRsets. It does not explicitly address how to handle DS records | |||
| that use unsupported message digest algorithms. In brief, DS records | that use unsupported message digest algorithms. In brief, DS records | |||
| using unknown or unsupported message digest algorithms MUST be | using unknown or unsupported message digest algorithms MUST be | |||
| treated the same way as DS records referring to DNSKEY RRs of unknown | treated the same way as DS records referring to DNSKEY RRs of unknown | |||
| End of changes. 11 change blocks. | ||||
| 21 lines changed or deleted | 23 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||
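The Section 5.1 change above affects what octets are signed and how RRs are ordered, so here is an added worked example (not from the draft and not from any implementation it cites) of DNSSEC canonical form as RFC 4034 Section 6.2 describes it, with the per-type RDATA downcasing list as corrected by the -16 text: NSEC and HINFO removed, RRSIG kept. It goes slightly beyond the paragraph by also applying the result to RFC 4034 Section 6.3 canonical RR ordering. The field model (RDATA as a list of ("name", FQDN) or ("raw", bytes) fields) and the sample records are assumptions made to keep the example self-contained; real resolvers operate on wire format.

```python
"""DNSSEC canonical form, name-case handling.

Added example; not part of draft-ietf-dnsext-dnssec-bis-updates or any
implementation it cites. Implements RFC 4034 Section 6.2 (canonical RR
form) and Section 6.3 (canonical RR ordering) with the per-type RDATA
downcasing list as corrected by Section 5.1 of the -16 draft text.
Assumption: RDATA is modelled as a list of ("name", "<FQDN>") or
("raw", b"...") fields so the example stays self-contained.
"""
from typing import List, Sequence, Tuple

Field = Tuple[str, object]

# RFC 4034 Section 6.2 item 3 exactly as printed: NSEC and RRSIG are in
# the list and HINFO appears twice.
RFC4034_ITEM3 = [
    "NS", "MD", "MF", "CNAME", "SOA", "MB", "MG", "MR", "PTR", "HINFO",
    "MINFO", "MX", "HINFO", "RP", "AFSDB", "RT", "SIG", "PX", "NXT",
    "NAPTR", "KX", "SRV", "DNAME", "A6", "RRSIG", "NSEC",
]

# The list as corrected by draft -16 Section 5.1: NSEC is removed (its
# Next Domain Name keeps its case), HINFO is removed (it carries no
# names), RRSIG stays (its Signer's Name is downcased).
DOWNCASE_RDATA_TYPES = frozenset(t for t in RFC4034_ITEM3 if t not in ("NSEC", "HINFO"))


def wire_name(name: str, downcase: bool) -> bytes:
    """Uncompressed wire-format name (item 1 forbids compression); when
    downcase is set, US-ASCII uppercase letters are mapped to lowercase
    and every other octet is left untouched (items 2 and 3)."""
    stem = name.rstrip(".")
    out = bytearray()
    for label in (stem.split(".") if stem else []):
        raw = label.encode("ascii")
        if downcase:
            raw = bytes(c + 0x20 if 0x41 <= c <= 0x5A else c for c in raw)
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label length in %r" % name)
        out.append(len(raw))
        out += raw
    out.append(0)  # root label terminates the name
    return bytes(out)


def rdata_names_downcased(rrtype: str, type_list=DOWNCASE_RDATA_TYPES) -> bool:
    """True if canonical form downcases names inside this type's RDATA.
    Pass RFC4034_ITEM3 to see the behaviour the uncorrected text asks for."""
    return rrtype.upper() in type_list


def canonical_rdata(rrtype: str, fields: Sequence[Field]) -> bytes:
    """Canonical RDATA: names downcased only for types in the corrected list."""
    downcase = rdata_names_downcased(rrtype)
    out = bytearray()
    for kind, value in fields:
        if kind == "name":
            out += wire_name(value, downcase)
        elif kind == "raw":
            out += value
        else:
            raise ValueError("unknown field kind %r" % kind)
    return bytes(out)


def canonical_rr(owner: str, rrtype: str, fields: Sequence[Field]) -> bytes:
    """Owner name is always downcased (item 2); RDATA follows item 3."""
    return wire_name(owner, downcase=True) + canonical_rdata(rrtype, fields)


def canonical_order(rrtype: str, rrs: Sequence[Sequence[Field]]) -> List[Sequence[Field]]:
    """RFC 4034 Section 6.3: sort the RRs of one RRset by canonical RDATA,
    compared as left-justified unsigned octet strings (plain bytes order)."""
    return sorted(rrs, key=lambda f: canonical_rdata(rrtype, f))


if __name__ == "__main__":
    # Constructed sample records with mixed case, where the rule is visible.
    # NSEC type bitmap: window 0, types A, RRSIG and NSEC set.
    nsec = [("name", "Beta.Example."), ("raw", b"\x00\x06\x40\x00\x00\x00\x00\x03")]
    rrsig_tail = [("raw", b"\x00\x01"), ("name", "Example.")]  # key tag, signer's name
    mx = [("raw", b"\x00\x0a"), ("name", "Mail.Example.")]
    print("NSEC next name keeps case :", canonical_rdata("NSEC", nsec)[:14])
    print("RRSIG signer downcased    :", canonical_rdata("RRSIG", rrsig_tail))
    print("MX exchange downcased     :", canonical_rdata("MX", mx))
    for t in ("NSEC", "RRSIG", "HINFO"):
        print(t, "RFC4034 list:", t in RFC4034_ITEM3, "corrected:", rdata_names_downcased(t))
```

The difference between the two lists is only observable when a name in NSEC or RRSIG RDATA contains uppercase letters, which is why a signer and a validator that disagree on the rule can run for a long time before a mixed-case next-name or signer-name produces a signature that fails to verify.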