| < draft-ietf-dnsop-delegation-trust-maintainance-02.txt | draft-ietf-dnsop-delegation-trust-maintainance-03.txt > | |||
|---|---|---|---|---|
| dnsop W. Kumari | dnsop W. Kumari | |||
| Internet-Draft Google | Internet-Draft Google | |||
| Intended status: Informational O. Gudmundsson | Intended status: Informational O. Gudmundsson | |||
| Expires: August 9, 2014 Shinkuro Inc. | Expires: August 12, 2014 Shinkuro Inc. | |||
| G. Barwood | G. Barwood | |||
| February 5, 2014 | February 8, 2014 | |||
| Automating DNSSEC delegation trust maintenance | Automating DNSSEC delegation trust maintenance | |||
| draft-ietf-dnsop-delegation-trust-maintainance-02 | draft-ietf-dnsop-delegation-trust-maintainance-03 | |||
| Abstract | Abstract | |||
| This document describes a method to allow DNS operators to more | This document describes a method to allow DNS operators to more | |||
| easily update DNSSEC Key Signing Keys using DNS as communication | easily update DNSSEC Key Signing Keys using DNS as communication | |||
| channel. This document does not address the initial configuration of | channel. This document does not address the initial configuration of | |||
| trust anchors for a domain. The technique described is aimed at | trust anchors for a domain. The technique described is aimed at | |||
| delegations in which it is currently hard to move information from | delegations in which it is currently hard to move information from | |||
| the child to parent. | the child to parent. | |||
| skipping to change at page 1, line 38 ¶ | skipping to change at page 1, line 38 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on August 9, 2014. | This Internet-Draft will expire on August 12, 2014. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2014 IETF Trust and the persons identified as the | Copyright (c) 2014 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 3, line 29 ¶ | skipping to change at page 3, line 29 ¶ | |||
| [RFC4034], [RFC4035], [RFC5011] and [RFC6781]. | [RFC4034], [RFC4035], [RFC5011] and [RFC6781]. | |||
| This document is a compilation of two earlier drafts: draft-barwood- | This document is a compilation of two earlier drafts: draft-barwood- | |||
| dnsop-ds-publish[I-D.ds-publish] and draft-wkumari-dnsop-ezkeyroll. | dnsop-ds-publish[I-D.ds-publish] and draft-wkumari-dnsop-ezkeyroll. | |||
| This document outlines a technique in which the parent periodically | This document outlines a technique in which the parent periodically | |||
| (or upon request) polls its signed children and automatically publish | (or upon request) polls its signed children and automatically publish | |||
| new DS records. To a large extent, the procedures this document | new DS records. To a large extent, the procedures this document | |||
| follows are as described in [RFC6781] section 4.1.2. | follows are as described in [RFC6781] section 4.1.2. | |||
| This technique is in some ways similar to RFC 5011 style rollovers, | This technique is in some ways similar to [RFC5011] style rollovers, | |||
| but for sub-domains DS records, instead of trust anchors. | but for sub-domains DS records, instead of trust anchors. | |||
| This technique is designed to be friendly both to fully automated | This technique is designed to be friendly both to fully automated | |||
| tools and humans. Fully automated tools can perform all the actions | tools and humans. Fully automated tools can perform all the actions | |||
| needed without human intervention, and thus can monitor when it is | needed without human intervention, and thus can monitor when it is | |||
| safe to move to the next step. | safe to move to the next step. | |||
| The solution described in this document only allows transferring | The solution described in this document only allows transferring | |||
| information about DNSSEC keys (DS and DNSKEY) from the child to the | information about DNSSEC keys (DS and DNSKEY) from the child to the | |||
| parental agent. It lists exactly what the parent should publish, and | parental agent. It lists exactly what the parent should publish, and | |||
| skipping to change at page 7, line 33 ¶ | skipping to change at page 7, line 33 ¶ | |||
| -- or worse, the update action is not performed at all. | -- or worse, the update action is not performed at all. | |||
| 3. CDS / CDNSKEY (Child DS/ Child DNSKEY) record definitions | 3. CDS / CDNSKEY (Child DS/ Child DNSKEY) record definitions | |||
| This document specifies two new DNS RRtypes (CDS and CDNSKEY) that | This document specifies two new DNS RRtypes (CDS and CDNSKEY) that | |||
| indicates what the Child wants the parent's DS RRset to contain. It | indicates what the Child wants the parent's DS RRset to contain. It | |||
| allows the Child to present DS records and / or DNSKEY records (for | allows the Child to present DS records and / or DNSKEY records (for | |||
| those parents who would rather generate the DS records for their | those parents who would rather generate the DS records for their | |||
| children). | children). | |||
| The CDS / CDNSKEY record is published in the child zone and gives the | The CDS / CDNSKEY records are published in the child zone and gives | |||
| child control of what is published for it in the parental zone. The | the child control of what is published for it in the parental zone. | |||
| CDS / CDNSKEY RRset expresses what the child would like the DS RRset | The CDS / CDNSKEY RRset expresses what the child would like the DS | |||
| to look like after the change; it is a "replace" operation, and it is | RRset to look like after the change; it is a "replace" operation, and | |||
| up to the consumer of the records to translate that into the | it is up to the consumer of the records to translate that into the | |||
| appropriate add/delete operations in the registration systems (and in | appropriate add/delete operations in the registration systems (and in | |||
| the case of CDNSKEY, to generate the DS from the DNSKEY). | the case of CDNSKEY, to generate the DS from the DNSKEY). If no CDS | |||
| / CDNSKEY RRset is present in child, this means that no change is | ||||
| needed. | ||||
| [[RFC Editor: Please remove this paragraph before publication] | [[RFC Editor: Please remove this paragraph before publication] | |||
| Version -04 of the ID that became this document (http:// | Version -04 of the ID that became this working group document (http:/ | |||
| tools.ietf.org/id/draft-kumari-ogud-dnsop-cds-04.txt) defined a new | /tools.ietf.org/id/draft-kumari-ogud-dnsop-cds-04.txt) defined a new | |||
| record (CTA) that could hold either a DS or a DNSKEY record (with a | record (CTA) that could hold either a DS or a DNSKEY record (with a | |||
| selector to differentiate between them). In a shocking development, | selector to differentiate between them). In a shocking development, | |||
| there was almost full consensus that this was horrid :-) ] | there was almost full consensus that this was horrid :-) ] | |||
| 3.1. CDS Resource Record Format | 3.1. CDS Resource Record Format | |||
| The wire and presentation format of the CDS ("Child DS") record is | The wire and presentation format of the CDS ("Child DS") record is | |||
| identical to the DS record [RFC4034]. IANA has allocated RR code 59 | identical to the DS record [RFC4034]. IANA has allocated RR code 59 | |||
| for the CDS record via expert review [I-D.ds-publish]. | for the CDS record via expert review [I-D.ds-publish]. CDS uses the | |||
| same registries as DS for its fields | ||||
| No special processing is performed by authoritative servers or by | No special processing is performed by authoritative servers or by | |||
| revolvers, when serving or resolving. For all practical purposes CDS | revolvers, when serving or resolving. For all practical purposes CDS | |||
| is a regular RR type. | is a regular RR type. | |||
| 3.2. CDNSKEY Resource Record Format | 3.2. CDNSKEY Resource Record Format | |||
| The wire and presentation format of the CDNSKEY ("Child DNSKEY") | The wire and presentation format of the CDNSKEY ("Child DNSKEY") | |||
| record is identical to the DNSKEY record. | record is identical to the DNSKEY record. CDNSKEY uses the same | |||
| registries as DNSKEY for its fields. | ||||
| No special processing is performed by authoritative servers or by | No special processing is performed by authoritative servers or by | |||
| revolvers, when serving or resolving. For all practical purposes | revolvers, when serving or resolving. For all practical purposes | |||
| CDNSKEY is a regular RR type. | CDNSKEY is a regular RR type. | |||
| 4. Automating DS maintainance with CDS/CDNSKEY records | 4. Automating DS maintainance with CDS/CDNSKEY records | |||
| CDS/CDNSKEY records are intended to be "consumed" by delegation trust | CDS/CDNSKEY records are intended to be "consumed" by delegation trust | |||
| maintainers. The use of CDS/CDNSKEY is optional. | maintainers. The use of CDS/CDNSKEY is optional. | |||
| Some parents prefer to accept DNSSEC key information in DS format, | Some parents prefer to accept DNSSEC key information in DS format, | |||
| some parents prefer to accept it in DNSKEY format, and calculate the | some parents prefer to accept it in DNSKEY format, and calculate the | |||
| DS record on the child's behalf. Each method has pros and cons, both | DS record on the child's behalf. Each method has pros and cons, both | |||
| technical and policy. This solution is DS vs DNSKEY agnostic, and | technical and policy. This solution is DS vs DNSKEY agnostic, and | |||
| allows operation with either. | allows operation with either. | |||
| If the child knows what the parent prefers, they can publish the | If the child knows what the parent prefers, they can publish the | |||
| parent's preferred record type. If the child does not know (or | parent's preferred record type. If the child does not know (or | |||
| simply chooses to), they can publish both CDS and CDNSKEY. If the | simply chooses to), they can publish both CDS and CDNSKEY. If the | |||
| child publishes both, they SHOULD have matching CDS records for each | child publishes both, the two RRsets they SHOULD match in content. | |||
| CDNSKEY record. The parent should use whichever one they choose, but | The parent should use whichever one they choose, but SHOULD NOT query | |||
| SHOULD NOT query for both and perform consistency checks between the | for both and perform consistency checks between the CDS and CDNSKEY | |||
| CDS and CDNSKEY records. | records. | |||
| [Editor note: It is not an error for a child to have published CDS | [Editor note: It is not an error for a child to have published CDS | |||
| records and not have CDNSKEYs that hash to those records, nor for | records and not have CDNSKEYs that hash to those records, nor for | |||
| there to be CDNSKEY records without matching DS records. This is | there to be CDNSKEY records without matching DS records. This is | |||
| because a child might have been publishing CDS records and then the | because a child might have been publishing CDS records and then the | |||
| parent's policy changes to require CDNSKEY records. The child might | parent's policy changes to require CDNSKEY records. The child might | |||
| forget to remove the CDS, etc. This avoids all sorts of error | forget to remove the CDS, etc. This avoids all sorts of error | |||
| conditions / complexity, etc.] | conditions / complexity, etc.] | |||
| 4.1. CDS / CDNSKEY processing rules | 4.1. CDS / CDNSKEY processing rules | |||
| Absence of CDS / CDNSKEY in child signals "No change" to the current | If there are no CDS / CDNSKEY resource records in the child, this | |||
| DS set. Following acceptance rules are placed on the CDS / CDNSKEY | signals that no change should be made to the current DS set. This | |||
| records as follows: | means that, once the child and parent are in sync, the child DNS | |||
| operator MAY remove all CDS records from the zone. | ||||
| Following acceptance rules are placed on the CDS / CDNSKEY records as | ||||
| follows: | ||||
| o Location: "the CDS / CDNSKEY record MUST be at the child zone | o Location: "the CDS / CDNSKEY record MUST be at the child zone | |||
| apex". | apex". | |||
| o Signer: "MUST be signed with a key that is represented in both the | o Signer: "MUST be signed with a key that is represented in both the | |||
| current DNSKEY and DS RRset's." | current DNSKEY and DS RRset's." | |||
| o Continuity: "SHOULD NOT break the current delegation if applied to | o Continuity: "SHOULD NOT break the current delegation if applied to | |||
| DS RRset" | DS RRset" | |||
| If any these conditions fail the CDS / CDNSKEY record MUST be | If any these conditions fail the CDS / CDNSKEY record MUST be | |||
| ignored. | ignored. | |||
| 5. Child's CDS / CDNSKEY Publication | 5. Child's CDS / CDNSKEY Publication | |||
| Child DNS Operator SHOULD only publish a CDS or CDNSKEY RRset when it | Child DNS Operator SHOULD only publish a CDS or CDNSKEY RRset when it | |||
| wants to make a change to the DS RRset in the Parent. The CDS / | wants to make a change to the DS RRset in the Parent. The CDS / | |||
| CDNSKEY RRset SHOULD be compliant with the rules in Section 4.1. | CDNSKEY RRset SHOULD be compliant with the rules in Section 4.1. | |||
| When the Parent DS is "in-sync" with the CDS, the Child DNS Operator | When the Parent DS is "in-sync" with the CDS / CDNSKEY, the Child DNS | |||
| MAY delete the CDS RRset. Note that if the child has published a | Operator MAY delete the CDS / CDNSKEY RRset(s). Note that if the | |||
| DNSKEY RR in the CDS, it will have to calculate the DS (using the | child has published a DNSKEY RR in the CDS, it will have to calculate | |||
| requested digest algorithm) to do the comparison. | the DS (using the requested digest algorithm) to do the comparison. | |||
| A child MAY publish both CDS and CDNSKEY. If a child chooses to | A child MAY publish both CDS and CDNSKEY. If a child chooses to | |||
| publish both, it SHOULD attempt to maintain consistency (a matching | publish both, it SHOULD attempt to maintain consistency (a matching | |||
| CDS for each CDNSKEY) | CDS for each CDNSKEY) | |||
| 6. Parent side CDS / CDNSKEY Consumption | 6. Parent side CDS / CDNSKEY Consumption | |||
| The CDS / CDNSKEY RRset MAY be used by the Parental Agent to update | The CDS / CDNSKEY RRset MAY be used by the Parental Agent to update | |||
| the DS RRset in the parent zone. The Parental Agent for this uses a | the DS RRset in the parent zone. The Parental Agent for this uses a | |||
| tool that understands the CDS / CDNSKEY signing rules from | tool that understands the CDS / CDNSKEY signing rules from | |||
| skipping to change at page 11, line 12 ¶ | skipping to change at page 11, line 12 ¶ | |||
| unauthenticated POST could be made to a webserver (with rate- | unauthenticated POST could be made to a webserver (with rate- | |||
| limiting), etc.) | limiting), etc.) | |||
| Other documents can specify the trigger conditions. | Other documents can specify the trigger conditions. | |||
| 6.2. Using the new CDS / CDNSKEY records | 6.2. Using the new CDS / CDNSKEY records | |||
| Regardless of how the Parental Agent detected changes to a CDS / | Regardless of how the Parental Agent detected changes to a CDS / | |||
| CDNSKEY RR, the Parental Agent MUST use a DNSSEC validator to obtain | CDNSKEY RR, the Parental Agent MUST use a DNSSEC validator to obtain | |||
| a validated CDS / CDNSKEY RRset from the Child zone. It would be a | a validated CDS / CDNSKEY RRset from the Child zone. It would be a | |||
| good idea if the Parental Agent checked all NS RRs listed at the | good idea if the Parental Agent checked all NS RRs listed at the | |||
| delegation. However, due to the use of technologies such as load | delegation. | |||
| balancing and anycast, this should not be taken as proof that the new | ||||
| CDS / CDNSKEY is present on all nodes serving the Child zone. | ||||
| The Parental Agent MUST ensure that old versions of the CDS / CDNSKEY | The Parental Agent MUST ensure that old versions of the CDS / CDNSKEY | |||
| RRset do not overwrite newer versions. This MAY be accomplished by | RRset do not overwrite newer versions. This MAY be accomplished by | |||
| checking that the signature inception in the RRSIG for CDS / CDNSKEY | checking that the signature inception in the RRSIG for CDS / CDNSKEY | |||
| is newer and/or the serial number on the child's SOA is greater. | is newer and/or the serial number on the child's SOA is greater. | |||
| This may require the Parental Agent to maintain some state | This may require the Parental Agent to maintain some state | |||
| information. | information. | |||
| The Parental Agent MAY take extra security measures. For example, to | The Parental Agent MAY take extra security measures. For example, to | |||
| mitigate the possibility that a Child's key signing key has been | mitigate the possibility that a Child's key signing key has been | |||
| skipping to change at page 12, line 44 ¶ | skipping to change at page 12, line 42 ¶ | |||
| If child breaks DNSSEC validation by removing all the DNSKEYs that | If child breaks DNSSEC validation by removing all the DNSKEYs that | |||
| are represented in the DS set its only repair actions are to contact | are represented in the DS set its only repair actions are to contact | |||
| the parent or restore the DNSKEYs in the DS set. | the parent or restore the DNSKEYs in the DS set. | |||
| In the event of a compromise of the server or system generating | In the event of a compromise of the server or system generating | |||
| signatures for a zone, an attacker might be able to generate and | signatures for a zone, an attacker might be able to generate and | |||
| publish new CDS records. The modified CDS records will be picked up | publish new CDS records. The modified CDS records will be picked up | |||
| by this technique and so may allow the attacker to extend the | by this technique and so may allow the attacker to extend the | |||
| effective time of his attack. If there a delay in accepting changes | effective time of his attack. If there a delay in accepting changes | |||
| to DS, as in RFC5011, then the attacker needs to hope his activity is | to DS, as in [RFC5011], then the attacker needs to hope his activity | |||
| not detected before the DS in parent is changed. If this type of | is not detected before the DS in parent is changed. If this type of | |||
| change takes place, the child needs to contact the parent (possibly | change takes place, the child needs to contact the parent (possibly | |||
| via a registrar web interface) and remove any compromised DS keys. | via a registrar web interface) and remove any compromised DS keys. | |||
| A compromise of the account with the parent (e.g. registrar) will not | A compromise of the account with the parent (e.g. registrar) will not | |||
| be mitigated by this technique, as the "new registrant" can delete/ | be mitigated by this technique, as the "new registrant" can delete/ | |||
| modify the DS records at will. | modify the DS records at will. | |||
| While it may be tempting, this SHOULD NOT be used for initial | While it may be tempting, this SHOULD NOT be used for initial | |||
| enrollment of keys since there is no way to ensure that the initial | enrollment of keys since there is no way to ensure that the initial | |||
| key is the correct one. If is used, strict rules for inclusion of | key is the correct one. If is used, strict rules for inclusion of | |||
| keys like hold down times, challenge data inclusion etc., ought to be | keys like hold down times, challenge data inclusion etc., ought to be | |||
| used, along with some kind of challenge mechanism. | used, along with some kind of challenge mechanism. A child cannot | |||
| use this mechanism to go from signed to unsigned (publishing an empty | ||||
| CDS / CDNSKEY RRset means no-change should be made in the parent). | ||||
| The CDS RR type should allow for enhanced security by simplifying | The CDS RR type should allow for enhanced security by simplifying | |||
| process. Since rollover is automated, updating a DS RRset by other | process. Since rollover is automated, updating a DS RRset by other | |||
| means may be regarded as unusual and subject to extra security | means may be regarded as unusual and subject to extra security | |||
| checks. | checks. | |||
| If there is a failure in applying changes in child zone to all DNS | If there is a failure in applying changes in child zone to all DNS | |||
| servers listed in either parent or child NS set it is possible that | servers listed in either parent or child NS set it is possible that | |||
| the Parental agent may get confused either not perform action because | the Parental agent may get confused either not perform action because | |||
| it gets different answers on different checks or CDS validation | it gets different answers on different checks or CDS validation | |||
| skipping to change at page 13, line 48 ¶ | skipping to change at page 13, line 47 ¶ | |||
| By automating the maintenance of the DNSSEC key information (and | By automating the maintenance of the DNSSEC key information (and | |||
| removing humans from the process) we expect to decrease the number of | removing humans from the process) we expect to decrease the number of | |||
| DNSSEC related outages, which should increase DNSSEC deployment. | DNSSEC related outages, which should increase DNSSEC deployment. | |||
| 10. Acknowledgements | 10. Acknowledgements | |||
| We would like to thank a large number of folk, including: Mark | We would like to thank a large number of folk, including: Mark | |||
| Andrews, Joe Abley, Jaap Akkerhuis, Roy Arends, Doug Barton, Brian | Andrews, Joe Abley, Jaap Akkerhuis, Roy Arends, Doug Barton, Brian | |||
| Dickinson, Paul Ebersman, Tony Finch, Patrik Faltsrom, Jim Galvin, | Dickinson, Paul Ebersman, Tony Finch, Patrik Faltsrom, Jim Galvin, | |||
| Paul Hoffman, Olaf Kolkman, Cricket Liu, Stephan Lagerholm, Matt | Paul Hoffman, Samir Hussain, Tatuya Jinmei, Olaf Kolkman, Cricket | |||
| Larson, Marco Sanz, Antoin Verschuren, Suzanne Woolf, Paul Wouters, | Liu, Stephan Lagerholm, Matt Larson, Marco Sanz, Antoin Verschuren, | |||
| Matthijs Meeking, John Dickinson, Timothe Litt and Edward Lewis. | Suzanne Woolf, Paul Wouters, Matthijs Meeking, John Dickinson, | |||
| Timothe Litt and Edward Lewis. | ||||
| Special thanks to Wes Hardaker for contributing significant text and | Special thanks to Wes Hardaker for contributing significant text and | |||
| creating the complementary (CSYNC) solution, and to Paul Hoffman and | creating the complementary (CSYNC) solution, and to Paul Hoffman and | |||
| Mukund Sivaraman for text and review. | Mukund Sivaraman for text and review. | |||
| There were a number of other folk with whom we discussed this, | There were a number of other folk with whom we discussed this, | |||
| apologies for not remembering everyone. | apologies for not remembering everyone. | |||
| 11. References | 11. References | |||
| skipping to change at page 16, line 9 ¶ | skipping to change at page 16, line 9 ¶ | |||
| In many RRR cases the Registrar and Registry communicate via | In many RRR cases the Registrar and Registry communicate via | |||
| EPP[RFC5730] and use the EPP DNSSEC extension [RFC5910]. In a number | EPP[RFC5730] and use the EPP DNSSEC extension [RFC5910]. In a number | |||
| of ccTLDs there are other mechanisms in use as well as EPP, but in | of ccTLDs there are other mechanisms in use as well as EPP, but in | |||
| general there seems to be a movement towards EPP usage when DNSSEC is | general there seems to be a movement towards EPP usage when DNSSEC is | |||
| enabled in the TLD. | enabled in the TLD. | |||
| Appendix B. Changes / Author Notes. | Appendix B. Changes / Author Notes. | |||
| [RFC Editor: Please remove this section before publication ] | [RFC Editor: Please remove this section before publication ] | |||
| WG-02 to WG-03 | ||||
| o Fixed some references to RFC 5011 - from Samir Hussain. | ||||
| o Fixed some spelling / typos - from Samir Hussain. | ||||
| o A number of clarifiations on the meaning on an empty / non- | ||||
| existant CDS RRset - thanks to JINMEI, Tatuya | ||||
| o Be consistent in mentioning both CDS and CDNSKEY throughout the | ||||
| document. | ||||
| WG-01 to WG-02 | WG-01 to WG-02 | |||
| o Many nits and suggestions from Mukund. | o Many nits and suggestions from Mukund. | |||
| o Matthijs: " I still think that it is too strong that the Child DNS | o Matthijs: " I still think that it is too strong that the Child DNS | |||
| Operator SHOULD/MUST delete the CDS RRset when the Parent DS is | Operator SHOULD/MUST delete the CDS RRset when the Parent DS is | |||
| "in-sync". This should be a MAY" | "in-sync". This should be a MAY" | |||
| WG-00 to WG-01 | WG-00 to WG-01 | |||
| skipping to change at page 16, line 31 ¶ | skipping to change at page 16, line 43 ¶ | |||
| strategies." Thanks to Paul for providing text. | strategies." Thanks to Paul for providing text. | |||
| From -05 to WG-00: | From -05 to WG-00: | |||
| o Nothing rchanged, resubmit under new name. | o Nothing rchanged, resubmit under new name. | |||
| From 04 to 05 | From 04 to 05 | |||
| o Renamed the record back to CDS. | o Renamed the record back to CDS. | |||
| o | ||||
| From 03 to 04. | From 03 to 04. | |||
| o Added text explaining that CDS and CSYNC complement each other, | o Added text explaining that CDS and CSYNC complement each other, | |||
| not replace or compete. | not replace or compete. | |||
| o Changed format of record to be <selector> <data> to allow the | o Changed format of record to be <selector> <data> to allow the | |||
| publication of DS **or** DNSKEY. | publication of DS **or** DNSKEY. | |||
| o Bunch of text changed to cover the above. | o Bunch of text changed to cover the above. | |||
| o Added a bit more text on the polling scaling stuff, expecation | o Added a bit more text on the polling scaling stuff, expectation | |||
| that other triggers will be documented, | that other triggers will be documented. | |||
| From 02 to 03 | From 02 to 03 | |||
| o Applied comments by Matthijs Mekking | o Applied comments by Matthijs Mekking | |||
| o Incorporated suggestions from Edward Lewis about structure | o Incorporated suggestions from Edward Lewis about structure | |||
| o Reworked structure to be easier for implementors to follow | o Reworked structure to be easier for implementors to follow | |||
| o Applied many suggestions from a wonderful thorough review by John | o Applied many suggestions from a wonderful thorough review by John | |||
| Dickinson | Dickinson | |||
| o Removed the going Unsigned option | o Removed the going Unsigned option | |||
| From 01 to 02 | From 01 to 02 | |||
| o Major restructuring to facilitate easier discussion | o Major restructuring to facilitate easier discussion | |||
| o Lots of comments from DNSOP mailing list incorporated, including | o Lots of comments from DNSOP mailing list incorporated, including | |||
| End of changes. 21 change blocks. | ||||
| 39 lines changed or deleted | 59 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||