| < draft-ietf-dnsext-dnssec-bis-updates-17.txt | draft-ietf-dnsext-dnssec-bis-updates-18.txt > | |||
|---|---|---|---|---|
| Network Working Group S. Weiler | Network Working Group S. Weiler | |||
| Internet-Draft SPARTA, Inc. | Internet-Draft SPARTA, Inc. | |||
| Updates: 4033, 4034, 4035, 5155 D. Blacka | Updates: 4033, 4034, 4035, 5155 D. Blacka | |||
| (if approved) Verisign, Inc. | (if approved) Verisign, Inc. | |||
| Intended status: Standards Track March 12, 2012 | Intended status: Standards Track April 30, 2012 | |||
| Expires: September 13, 2012 | Expires: November 1, 2012 | |||
| Clarifications and Implementation Notes for DNSSECbis | Clarifications and Implementation Notes for DNSSECbis | |||
| draft-ietf-dnsext-dnssec-bis-updates-17 | draft-ietf-dnsext-dnssec-bis-updates-18 | |||
| Abstract | Abstract | |||
| This document is a collection of technical clarifications to the | This document is a collection of technical clarifications to the | |||
| DNSSECbis document set. It is meant to serve as a resource to | DNSSECbis document set. It is meant to serve as a resource to | |||
| implementors as well as a repository of DNSSECbis errata. | implementors as well as a repository of DNSSECbis errata. | |||
| This document updates the core DNSSECbis documents (RFC4033, RFC4034, | This document updates the core DNSSECbis documents (RFC4033, RFC4034, | |||
| and RFC4035) as well as the NSEC3 specification (RFC5155). It also | and RFC4035) as well as the NSEC3 specification (RFC5155). It also | |||
| defines NSEC3 and SHA-2 as core parts of the DNSSECbis specification. | defines NSEC3 and SHA-2 as core parts of the DNSSECbis specification. | |||
| skipping to change at page 1, line 38 ¶ | skipping to change at page 1, line 38 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on September 13, 2012. | This Internet-Draft will expire on November 1, 2012. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2012 IETF Trust and the persons identified as the | Copyright (c) 2012 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 3, line 44 ¶ | skipping to change at page 3, line 44 ¶ | |||
| 6.1. Finding Zone Cuts . . . . . . . . . . . . . . . . . . . . 12 | 6.1. Finding Zone Cuts . . . . . . . . . . . . . . . . . . . . 12 | |||
| 6.2. Clarifications on DNSKEY Usage . . . . . . . . . . . . . . 12 | 6.2. Clarifications on DNSKEY Usage . . . . . . . . . . . . . . 12 | |||
| 6.3. Errors in Examples . . . . . . . . . . . . . . . . . . . . 12 | 6.3. Errors in Examples . . . . . . . . . . . . . . . . . . . . 12 | |||
| 6.4. Errors in RFC 5155 . . . . . . . . . . . . . . . . . . . . 13 | 6.4. Errors in RFC 5155 . . . . . . . . . . . . . . . . . . . . 13 | |||
| 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13 | 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13 | |||
| 8. Security Considerations . . . . . . . . . . . . . . . . . . . 13 | 8. Security Considerations . . . . . . . . . . . . . . . . . . . 13 | |||
| 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 14 | 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 14 | |||
| 9.1. Normative References . . . . . . . . . . . . . . . . . . . 14 | 9.1. Normative References . . . . . . . . . . . . . . . . . . . 14 | |||
| 9.2. Informative References . . . . . . . . . . . . . . . . . . 14 | 9.2. Informative References . . . . . . . . . . . . . . . . . . 14 | |||
| Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . . 15 | Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . . 15 | |||
| Appendix B. Discussion of Setting the CD Bit . . . . . . . . . . 16 | Appendix B. Discussion of Setting the CD Bit . . . . . . . . . . 15 | |||
| Appendix C. Discussion of Trust Anchor Preference Options . . . . 18 | Appendix C. Discussion of Trust Anchor Preference Options . . . . 18 | |||
| C.1. Closest Encloser . . . . . . . . . . . . . . . . . . . . . 19 | C.1. Closest Encloser . . . . . . . . . . . . . . . . . . . . . 18 | |||
| C.2. Accept Any Success . . . . . . . . . . . . . . . . . . . . 19 | C.2. Accept Any Success . . . . . . . . . . . . . . . . . . . . 19 | |||
| C.3. Preference Based on Source . . . . . . . . . . . . . . . . 19 | C.3. Preference Based on Source . . . . . . . . . . . . . . . . 19 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 20 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 20 | |||
| 1. Introduction and Terminology | 1. Introduction and Terminology | |||
| This document lists some additions, clarifications and corrections to | This document lists some additions, clarifications and corrections to | |||
| the core DNSSECbis specification, as originally described in | the core DNSSECbis specification, as originally described in | |||
| [RFC4033], [RFC4034], and [RFC4035], and later amended by [RFC5155]. | [RFC4033], [RFC4034], and [RFC4035], and later amended by [RFC5155]. | |||
| (See section Section 2 for more recent additions to that core | (See section Section 2 for more recent additions to that core | |||
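Review bot: "(See section Section 2 for more recent additions to that core" in the Introduction, present unchanged in both the -17 and -18 columns, doubles the word "section"; drop the lowercase one so the sentence opens "(See Section 2 for more recent additions", matching the capitalised cross-reference style used for "Section 3.2.3 of [RFC4035]" later in the draft.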
| skipping to change at page 10, line 7 ¶ | skipping to change at page 10, line 7 ¶ | |||
| Section 3.2.3 of [RFC4035] describes under which conditions a | Section 3.2.3 of [RFC4035] describes under which conditions a | |||
| validating resolver should set or clear the AD bit in a response. In | validating resolver should set or clear the AD bit in a response. In | |||
| order to interoperate with legacy stub resolvers and middleboxes that | order to interoperate with legacy stub resolvers and middleboxes that | |||
| neither understand nor ignore the AD bit, validating resolvers SHOULD | neither understand nor ignore the AD bit, validating resolvers SHOULD | |||
| only set the AD bit when a response both meets the conditions listed | only set the AD bit when a response both meets the conditions listed | |||
| in RFC 4035, section 3.2.3, and the request contained either a set DO | in RFC 4035, section 3.2.3, and the request contained either a set DO | |||
| bit or a set AD bit. | bit or a set AD bit. | |||
| 5.9. Always set the CD bit on Queries | 5.9. Always set the CD bit on Queries | |||
| This section does not apply to stub resolvers. | ||||
| When processing a request with the CD bit set, a resolver SHOULD | When processing a request with the CD bit set, a resolver SHOULD | |||
| attempt to return all response data, even data that has failed DNSSEC | attempt to return all response data, even data that has failed DNSSEC | |||
| validation. RFC4035 section 3.2.2 requires a resolver processing a | validation. RFC4035 section 3.2.2 requires a resolver processing a | |||
| request with the CD bit set to set the CD bit on its upstream | request with the CD bit set to set the CD bit on its upstream | |||
| queries. | queries. | |||
| This document further specifies that validating resolvers SHOULD set | This document further specifies that validating resolvers SHOULD set | |||
| the CD bit on every upstream query. This is regardless of whether | the CD bit on every upstream query. This is regardless of whether | |||
| the CD bit was set on the incoming query or whether it has a trust | the CD bit was set on the incoming query or whether it has a trust | |||
| anchor at or above the QNAME. | anchor at or above the QNAME. | |||
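Review bot: the line added in -18 at the top of section 5.9, "This section does not apply to stub resolvers.", narrows the section's scope, but the normative text under it does not follow suit: the first paragraph still binds "a resolver" ("a resolver SHOULD attempt to return all response data, even data that has failed DNSSEC validation"), and only the second paragraph narrows to "validating resolvers SHOULD set the CD bit on every upstream query". Carry the scope into the requirements themselves rather than leaving it to a bare preface, e.g. "When processing a request with the CD bit set, a recursive resolver SHOULD attempt to return all response data", so the new exemption cannot be read as contradicting the first SHOULD. The added sentence also gives no reason for exempting stub resolvers; a pointer to Appendix B, "Discussion of Setting the CD Bit" (listed in the table of contents), would supply the rationale without lengthening the section.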
| End of changes. 6 change blocks. | ||||
| 8 lines changed or deleted | 6 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||