| < draft-ietf-dnsop-maintain-ds-04.txt | draft-ietf-dnsop-maintain-ds-05.txt > | |||
|---|---|---|---|---|
| dnsop O. Gudmundsson | dnsop O. Gudmundsson | |||
| Internet-Draft CloudFlare | Internet-Draft CloudFlare | |||
| Intended status: Standards Track P. Wouters | Intended status: Standards Track P. Wouters | |||
| Expires: May 4, 2017 Red Hat | Expires: July 14, 2017 Red Hat | |||
| October 31, 2016 | January 10, 2017 | |||
| Managing DS records from parent via CDS/CDNSKEY | Managing DS records from parent via CDS/CDNSKEY | |||
| draft-ietf-dnsop-maintain-ds-04 | draft-ietf-dnsop-maintain-ds-05 | |||
| Abstract | Abstract | |||
| RFC7344 specifies how DNS trust can be maintained across key | RFC7344 specifies how DNS trust can be maintained across key | |||
| rollovers in-band between parent and child. This document elevates | rollovers in-band between parent and child. This document elevates | |||
| RFC7344 from informational to standards track and adds a standard | RFC7344 from informational to standards track and adds a standard | |||
| track method for initial trust setup and removal of secure entry | track method for initial trust setup and removal of secure entry | |||
| point. | point. | |||
| Changing a domain's DNSSEC status can be a complicated matter | Changing a domain's DNSSEC status can be a complicated matter | |||
| skipping to change at page 2, line 10 ¶ | skipping to change at page 2, line 10 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on May 4, 2017. | This Internet-Draft will expire on July 14, 2017. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2016 IETF Trust and the persons identified as the | Copyright (c) 2017 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| skipping to change at page 7, line 33 ¶ | skipping to change at page 7, line 33 ¶ | |||
| is treated as unsigned unless there are other algorithms present. In | is treated as unsigned unless there are other algorithms present. In | |||
| general the value 0 should never be used in the context of DNSKEY and | general the value 0 should never be used in the context of DNSKEY and | |||
| DS records. | DS records. | |||
| The CERT record [RFC4398] defines the value 0 similarly to mean the | The CERT record [RFC4398] defines the value 0 similarly to mean the | |||
| algorithm in the CERT record is not defined in DNSSEC. | algorithm in the CERT record is not defined in DNSSEC. | |||
| The contents of the CDS or CDNSKEY RRset MUST contain one RR and only | The contents of the CDS or CDNSKEY RRset MUST contain one RR and only | |||
| contain the exactly the fields as shown below. | contain the exactly the fields as shown below. | |||
| 1 CDS 0 0 0 | 1 CDS 0 0 0 0 | |||
| 2 CDNSKEY 0 3 0 | 2 CDNSKEY 0 3 0 0 | |||
| The keying material payload is represented by a single 0. This | The keying material payload is represented by a single 0. This | |||
| record is signed in the same way as regular CDS/CDNSKEY RRsets are | record is signed in the same way as regular CDS/CDNSKEY RRsets are | |||
| signed. This is a change in format from strict interpretation of | signed. This is a change in format from strict interpretation of | |||
| [RFC7344] and may cause problems with some deployed software. | [RFC7344] and may cause problems with some deployed software. | |||
| Strictly speaking the CDS record could be "CDS X 0 X" as only the | Strictly speaking the CDS record could be "CDS X 0 X" as only the | |||
| DNSKEY algorithm is what signals the DELETE operation, but for | DNSKEY algorithm is what signals the DELETE operation, but for | |||
| clarity the "0 0 0" notation is mandated - this is not a definition | clarity the "0 0 0" notation is mandated - this is not a definition | |||
| of DS Digest algorithm 0. The same argument applies to "CDNSKEY 0 3 | of DS Digest algorithm 0. The same argument applies to "CDNSKEY 0 3 | |||
| skipping to change at page 9, line 40 ¶ | skipping to change at page 9, line 40 ¶ | |||
| <http://www.rfc-editor.org/info/rfc2119>. | <http://www.rfc-editor.org/info/rfc2119>. | |||
| [RFC4398] Josefsson, S., "Storing Certificates in the Domain Name | [RFC4398] Josefsson, S., "Storing Certificates in the Domain Name | |||
| System (DNS)", RFC 4398, DOI 10.17487/RFC4398, March 2006, | System (DNS)", RFC 4398, DOI 10.17487/RFC4398, March 2006, | |||
| <http://www.rfc-editor.org/info/rfc4398>. | <http://www.rfc-editor.org/info/rfc4398>. | |||
| Appendix A. Acknowledgments | Appendix A. Acknowledgments | |||
| This document is generated using the mmark tool that Miek Gieben has | This document is generated using the mmark tool that Miek Gieben has | |||
| developed. We thank number of people that have provided feedback and | developed. We thank number of people that have provided feedback and | |||
| useful comments including Bob Harold, John Levine, Matthijs Mekking, | useful comments including Bob Harold, John Levine, Matthijs | |||
| Dan York, Shane Kerr, Jacques Latour. | Mekking(!), Dan York, Shane Kerr, Jacques Latour. | |||
| Authors' Addresses | Authors' Addresses | |||
| Olafur Gudmundsson | Olafur Gudmundsson | |||
| CloudFlare | CloudFlare | |||
| Email: olafur+ietf@cloudflare.com | Email: olafur+ietf@cloudflare.com | |||
| Paul Wouters | Paul Wouters | |||
| Red Hat | Red Hat | |||
| End of changes. 7 change blocks. | ||||
| 9 lines changed or deleted | 9 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||