| < draft-ietf-dnsop-negative-trust-anchors-03.txt | draft-ietf-dnsop-negative-trust-anchors-04.txt > |
|---|---|
| skipping to change at page 1, line 16 ¶ | skipping to change at page 1, line 16 ¶ |
| Expires: October 24, 2015 Dyn | Expires: October 24, 2015 Dyn |
| W. Kumari | W. Kumari |
| J. Livingood | J. Livingood |
| Comcast | Comcast |
| R. Weber | R. Weber |
| Nominum | Nominum |
| April 22, 2015 | April 22, 2015 |
| Definition and Use of DNSSEC Negative Trust Anchors | Definition and Use of DNSSEC Negative Trust Anchors |
| draft-ietf-dnsop-negative-trust-anchors-03 | draft-ietf-dnsop-negative-trust-anchors-04 |
| Abstract | Abstract |
| DNS Security Extensions (DNSSEC) is now entering widespread | DNS Security Extensions (DNSSEC) is now entering widespread |
| deployment. However, domain signing tools and processes are not yet | deployment. However, domain signing tools and processes are not yet |
| as mature and reliable as those for non-DNSSEC-related domain | as mature and reliable as those for non-DNSSEC-related domain |
| administration tools and processes. Negative Trust Anchors | administration tools and processes. Negative Trust Anchors |
| (described in this document) can be used to mitigate DNSSEC | (described in this document) can be used to mitigate DNSSEC |
| validation failures. | validation failures. |
| draft-ietf-dnsop-negative-trust-anchors-03.txt | draft-ietf-dnsop-negative-trust-anchors-04.txt |
|---|---|
| skipping to change at page 8, line 13 ¶ | skipping to change at page 8, line 13 ¶ |
| lead to extensive operational instability and/or variation. | lead to extensive operational instability and/or variation. |
| 6. Intentionally Broken Domains | 6. Intentionally Broken Domains |
| Some domains, such as dnssec-failed.org, have been intentionally | Some domains, such as dnssec-failed.org, have been intentionally |
| broken for testing purposes | broken for testing purposes |
| [Measuring-DNSSEC-Validation-of-Website-Visitors] [Netalyzr]. For | [Measuring-DNSSEC-Validation-of-Website-Visitors] [Netalyzr]. For |
| example, dnssec-failed.org is a DNSSEC-signed domain that is broken. | example, dnssec-failed.org is a DNSSEC-signed domain that is broken. |
| If an end user is querying a validating DNS recursive resolver, then | If an end user is querying a validating DNS recursive resolver, then |
| this or other similarly intentionally broken domains should fail to | this or other similarly intentionally broken domains should fail to |
| resolve and should result in a SERVFAIL error. If such a domain | resolve and should result in a "Server Failure" error (RCODE 2, also |
| resolved successfully, then it is a sign that the DNS recursive | known as 'SERVFAIL'). If such a domain resolved successfully, then |
| resolver is not fully validating. | it is a sign that the DNS recursive resolver is not fully validating. |
| Organizations that utilize Negative Trust Anchors should not add a | Organizations that utilize Negative Trust Anchors should not add a |
| Negative Trust Anchor for any intentionally broken domain. | Negative Trust Anchor for any intentionally broken domain. |
| Organizations operating an intentionally broken domain may wish to | Organizations operating an intentionally broken domain may wish to |
| consider adding a TXT record for the domain to the effect of "This | consider adding a TXT record for the domain to the effect of "This |
| domain is purposely DNSSEC broken for testing purposes". | domain is purposely DNSSEC broken for testing purposes". |
| 7. Other Considerations | 7. Other Considerations |
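Review bot: the reworded sentence in this block is inconsistent in its quoting, with double quotes around "Server Failure" but single quotes around 'SERVFAIL'; pick one style. Since the text now states a numeric value (RCODE 2), cite the document that defines it (RFC 1035, Section 4.1.1, defines RCODE 2 as Server failure) so the number is not left unsupported; the only normative reference visible in this diff is RFC 4033.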
| draft-ietf-dnsop-negative-trust-anchors-03.txt | draft-ietf-dnsop-negative-trust-anchors-04.txt |
|---|---|
| skipping to change at page 10, line 12 ¶ | skipping to change at page 10, line 12 ¶ |
| - Warren Kumari | - Warren Kumari |
| - Rick Lamb | - Rick Lamb |
| - Marc Lampo | - Marc Lampo |
| - Ted Lemon | - Ted Lemon |
| - Ed Lewis | - Ed Lewis |
| | - Jinmei Tatuya |
| - Antoin Verschuren | - Antoin Verschuren |
| - Paul Vixie | - Paul Vixie |
| - Patrik Wallstrom | - Patrik Wallstrom |
| - Nick Weaver | - Nick Weaver |
| | - Ralf Weber |
| Edward Lewis, Evan Hunt and Andew Sullivan provided especially large | Edward Lewis, Evan Hunt and Andew Sullivan provided especially large |
| amounts of text and / or detailed review. | amounts of text and / or detailed review. |
| 9. References | 9. References |
| 9.1. Normative References | 9.1. Normative References |
| [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. | [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. |
| Rose, "DNS Security Introduction and Requirements", RFC | Rose, "DNS Security Introduction and Requirements", RFC |
| 4033, March 2005. | 4033, March 2005. |
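Review bot: the unchanged context line "Edward Lewis, Evan Hunt and Andew Sullivan provided especially large amounts of text" misspells Andrew Sullivan's name (the -02 to -03 change log entry further down spells it "Andrew Sullivan"); fix it while the acknowledgements are being edited. Also, R. Weber is listed as an author in the document header of both versions, and "Ralf Weber" appears in the acknowledgements list in only one of them; confirm that thanking an author in the acknowledgements is intended rather than a leftover from an earlier draft.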
| draft-ietf-dnsop-negative-trust-anchors-03.txt | draft-ietf-dnsop-negative-trust-anchors-04.txt |
|---|---|
| skipping to change at page 11, line 29 ¶ | skipping to change at page 11, line 29 ¶ |
| The section contains example configurations to achieve Negative Trust | The section contains example configurations to achieve Negative Trust |
| Anchor functionality for the zone foo.example.com. | Anchor functionality for the zone foo.example.com. |
| Please note: These are simply examples - nameserver operators are | Please note: These are simply examples - nameserver operators are |
| expected to test and understand the implications of these operations. | expected to test and understand the implications of these operations. |
| A.1. NLNet Labs Unbound | A.1. NLNet Labs Unbound |
| Unbound lets us simply disable validation checking for a specific | Unbound lets us simply disable validation checking for a specific |
| zone. See: <http://unbound.net/documentation/ | zone. See: <http://unbound.net/documentation/ |
| howto_turnoff_dnssec.html> [ TODO(WK): Make this a "real" reference ] | howto_turnoff_dnssec.html> |
| server: | server: |
| domain-insecure: "foo.example.com" | domain-insecure: "foo.example.com" |
| A.2. ISC BIND | A.2. ISC BIND |
| Use the "rndc" command: | Use the "rndc" command: |
| nta -dump | nta -dump |
| List all negative trust anchors. | List all negative trust anchors. |
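Review bot: deleting the "[ TODO(WK): Make this a "real" reference ]" note without acting on it drops the action item; the Unbound how-to is still an inline URL, <http://unbound.net/documentation/howto_turnoff_dnssec.html>, rather than an entry in the references, while the rest of the document cites in the [RFC4033] form. Either add an informative reference entry for the how-to and cite it here, or keep the TODO until that is done. In the trailing BIND context of the same hunk, "nta -dump" is shown on its own after "Use the "rndc" command:"; giving the full invocation ("rndc nta -dump") would save a reader copying the example from having to assemble it.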
| draft-ietf-dnsop-negative-trust-anchors-03.txt | draft-ietf-dnsop-negative-trust-anchors-04.txt |
|---|---|
| skipping to change at page 14, line 29 ¶ | skipping to change at page 14, line 29 ¶ |
| possible to give a checklist just to run through to decide if a | possible to give a checklist just to run through to decide if a |
| domain is broken because of an attack or an operator error. | domain is broken because of an attack or an operator error. |
| All of the above is just a starting point for consideration when | All of the above is just a starting point for consideration when |
| having to decide to deploy or not deploy a trust anchor. | having to decide to deploy or not deploy a trust anchor. |
| Appendix C. Document Change Log | Appendix C. Document Change Log |
| [RFC Editor: This section is to be removed before publication] | [RFC Editor: This section is to be removed before publication] |
| | -03 to -04: |
| | o Addressed some comment from an email from Jinmei that I had |
| | missed. Turns out others had made many of the same comments, and |
| | so most had already been addressed. |
| -02 to -03: | -02 to -03: |
| o Included text from Ralph into Appendix B | o Included text from Ralph into Appendix B |
| o A bunch of comments from Andrew Sullivan ('[DNSOP] negative-trust- | o A bunch of comments from Andrew Sullivan ('[DNSOP] negative-trust- |
| anchors-02" - Mar 18th) | anchors-02" - Mar 18th) |
| o Updated keywords | o Updated keywords |
| -01 to -02: | -01 to -02: |
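Review bot: "Addressed some comment from an email" should read "some comments". More substantively, this change-log entry mentions only Jinmei's comments, yet the diff also shows the reworded SERVFAIL sentence in Section 6, the acknowledgements-list changes, and the removal of the Unbound TODO note; a change log the working group relies on should list those as well. The "-01 to -02:" heading at the end of the visible region has nothing under it, which is probably just where the diff context stops, but is worth a glance.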
End of changes. 6 change blocks. 7 lines changed or deleted, 13 lines changed or added.

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/