| < draft-ietf-dnsop-negative-trust-anchors-11.txt | draft-ietf-dnsop-negative-trust-anchors-12.txt > |
|---|---|
| Domain Name System Operations P. Ebersman | Domain Name System Operations P. Ebersman | |||
| Internet-Draft Comcast | Internet-Draft Comcast | |||
| Intended status: Informational C. Griffiths | Intended status: Informational W. Kumari | |||
| Expires: January 15, 2016 | Expires: February 25, 2016 Google | |||
| W. Kumari | C. Griffiths | |||
| Nominet | ||||
| J. Livingood | J. Livingood | |||
| Comcast | Comcast | |||
| R. Weber | R. Weber | |||
| Nominum | Nominum | |||
| July 14, 2015 | August 24, 2015 | |||
| Definition and Use of DNSSEC Negative Trust Anchors | Definition and Use of DNSSEC Negative Trust Anchors | |||
| draft-ietf-dnsop-negative-trust-anchors-11 | draft-ietf-dnsop-negative-trust-anchors-12 | |||
| Abstract | Abstract | |||
| DNS Security Extensions (DNSSEC) is now entering widespread | DNS Security Extensions (DNSSEC) is now entering widespread | |||
| deployment. However, domain signing tools and processes are not yet | deployment. However, domain signing tools and processes are not yet | |||
| as mature and reliable as those for non-DNSSEC-related domain | as mature and reliable as those for non-DNSSEC-related domain | |||
| administration tools and processes. This document defines Negative | administration tools and processes. This document defines Negative | |||
| Trust Anchors which can be used to mitigate DNSSEC validation | Trust Anchors which can be used to mitigate DNSSEC validation | |||
| failures by disabling DNSSEC validation at specified domains. | failures by disabling DNSSEC validation at specified domains. | |||
| skipping to change at page 1, line 48 | skipping to change at page 1, line 48 |
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on January 15, 2016. | This Internet-Draft will expire on February 25, 2016. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2015 IETF Trust and the persons identified as the | Copyright (c) 2015 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 45 | skipping to change at page 2, line 45 |
| 7. Discovering broken domains . . . . . . . . . . . . . . . . . 9 | 7. Discovering broken domains . . . . . . . . . . . . . . . . . 9 | |||
| 8. Privacy Considerations . . . . . . . . . . . . . . . . . . . 11 | 8. Privacy Considerations . . . . . . . . . . . . . . . . . . . 11 | |||
| 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11 | 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11 | |||
| 10. Security Considerations . . . . . . . . . . . . . . . . . . . 11 | 10. Security Considerations . . . . . . . . . . . . . . . . . . . 11 | |||
| 11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 11 | 11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 11 | |||
| 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 12 | 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 12 | |||
| 12.1. Normative References . . . . . . . . . . . . . . . . . . 12 | 12.1. Normative References . . . . . . . . . . . . . . . . . . 12 | |||
| 12.2. Informative References . . . . . . . . . . . . . . . . . 12 | 12.2. Informative References . . . . . . . . . . . . . . . . . 12 | |||
| Appendix A. Configuration Examples . . . . . . . . . . . . . . . 13 | Appendix A. Configuration Examples . . . . . . . . . . . . . . . 13 | |||
| A.1. NLNet Labs Unbound . . . . . . . . . . . . . . . . . . . 13 | A.1. NLNet Labs Unbound . . . . . . . . . . . . . . . . . . . 13 | |||
| A.2. ISC BIND . . . . . . . . . . . . . . . . . . . . . . . . 13 | A.2. ISC BIND . . . . . . . . . . . . . . . . . . . . . . . . 14 | |||
| A.3. Nominum Vantio . . . . . . . . . . . . . . . . . . . . . 14 | A.3. Nominum Vantio . . . . . . . . . . . . . . . . . . . . . 14 | |||
| Appendix B. Document Change Log . . . . . . . . . . . . . . . . 14 | Appendix B. Document Change Log . . . . . . . . . . . . . . . . 14 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 18 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 18 | |||
| 1. Introduction and motivation | 1. Introduction and motivation | |||
| DNSSEC has now entered widespread deployment. However, the DNSSEC | DNSSEC has now entered widespread deployment. However, the DNSSEC | |||
| signing tools and processes are less mature and reliable than those | signing tools and processes are less mature and reliable than those | |||
| for non-DNSSEC-related administration. As a result, operators of DNS | for non-DNSSEC-related administration. As a result, operators of DNS | |||
| recursive resolvers, such as Internet Service Providers (ISPs), | recursive resolvers, such as Internet Service Providers (ISPs), | |||
| skipping to change at page 12, line 19 | skipping to change at page 12, line 19 |
| Edward Lewis, Evan Hunt, Andrew Sullivan and Tatuya Jinmei provided | Edward Lewis, Evan Hunt, Andrew Sullivan and Tatuya Jinmei provided | |||
| especially large amounts of text and / or detailed review. | especially large amounts of text and / or detailed review. | |||
| 12. References | 12. References | |||
| 12.1. Normative References | 12.1. Normative References | |||
| [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. | [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. | |||
| Rose, "DNS Security Introduction and Requirements", RFC | Rose, "DNS Security Introduction and Requirements", RFC | |||
| 4033, March 2005. | 4033, DOI 10.17487/RFC4033, March 2005, | |||
| <http://www.rfc-editor.org/info/rfc4033>. | ||||
| [RFC5914] Housley, R., Ashmore, S., and C. Wallace, "Trust Anchor | [RFC5914] Housley, R., Ashmore, S., and C. Wallace, "Trust Anchor | |||
| Format", RFC 5914, June 2010. | Format", RFC 5914, DOI 10.17487/RFC5914, June 2010, | |||
| <http://www.rfc-editor.org/info/rfc5914>. | ||||
| [RFC6781] Kolkman, O., Mekking, W., and R. Gieben, "DNSSEC | [RFC6781] Kolkman, O., Mekking, W., and R. Gieben, "DNSSEC | |||
| Operational Practices, Version 2", RFC 6781, December | Operational Practices, Version 2", RFC 6781, DOI 10.17487/ | |||
| 2012. | RFC6781, December 2012, | |||
| <http://www.rfc-editor.org/info/rfc6781>. | ||||
| 12.2. Informative References | 12.2. Informative References | |||
| [Alexa] Alexa, an Amazon.com Company, "Alexa "The top 500 sites on | [Alexa] Alexa, an Amazon.com Company, "Alexa "The top 500 sites on | |||
| the web. "", , May 2015, <http://www.alexa.com/topsites>. | the web. "", , May 2015, <http://www.alexa.com/topsites>. | |||
| [Disclosure-Example] | [Disclosure-Example] | |||
| Comcast, "faa.gov Failing DNSSEC Validation (Fixed)", | Comcast, "faa.gov Failing DNSSEC Validation (Fixed)", | |||
| Comcast , February 2013, | Comcast , February 2013, | |||
| <http://dns.comcast.net/index.php/entry/ | <http://dns.comcast.net/index.php/entry/ | |||
| skipping to change at page 14, line 39 | skipping to change at page 14, line 43 |
| _Command Channel_: resolver.update name=res1 negative-trust- | _Command Channel_: resolver.update name=res1 negative-trust- | |||
| anchors=(foo.example.com) | anchors=(foo.example.com) | |||
| *Description*: Disables DNSSEC validation for a domain, even if the | *Description*: Disables DNSSEC validation for a domain, even if the | |||
| domain is under an existing security root. | domain is under an existing security root. | |||
| Appendix B. Document Change Log | Appendix B. Document Change Log | |||
| [RFC Editor: This section is to be removed before publication] | [RFC Editor: This section is to be removed before publication] | |||
| -11 to -12" | ||||
| o Simply updated Chris' affiliation. | ||||
| -10.5 to 11 | -10.5 to 11 | |||
| Integrated Alissa Cooper's No Objection comments. Text from Suz | Integrated Alissa Cooper's No Objection comments. Text from Suz | |||
| and Evan. | and Evan. | |||
| -10.4 to 10.5 | -10.4 to 10.5 | |||
| Integrated some comments from Ben Campbell's No Objection IESG | Integrated some comments from Ben Campbell's No Objection IESG | |||
| review. | review. | |||
| -10.3 to 10.4 | -10.3 to 10.4 | |||
| s/personnel trained in the operation of DNS servers MUST confirm/ | s/personnel trained in the operation of DNS servers MUST confirm/ | |||
| personnel trained in the operation of DNS servers must confirm/ - | personnel trained in the operation of DNS servers must confirm/ - | |||
| Alissa Cooper, | Alissa Cooper, | |||
| -10.2 to 10.3 | -10.2 to 10.3 | |||
| o Integrated comments from Gen-ART review - Christer Holmberg. | o Integrated comments from Gen-ART review - Christer Holmberg. | |||
| o Offlist comment from Tony Finch. Made the "Negative Trust Anchors | o Offlist comment from Tony Finch. Made the "Negative Trust Anchors | |||
| are intended to be temporary," sentence much better. | are intended to be temporary," sentence much better. | |||
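Review bot: The new change-log heading on the right side reads `-11 to -12"` with a stray double quote after `-12`; the neighbouring entries (`-10.5 to 11`, `-10.4 to 10.5`) carry no quote, so it should read `-11 to -12`. The section is marked for removal by the RFC Editor, but it should still be clean in the published draft.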
| skipping to change at page 18, line 16 | skipping to change at page 18, line 21 |
| Paul Ebersman | Paul Ebersman | |||
| Comcast | Comcast | |||
| One Comcast Center | One Comcast Center | |||
| 1701 John F. Kennedy Boulevard | 1701 John F. Kennedy Boulevard | |||
| Philadelphia, PA 19103 | Philadelphia, PA 19103 | |||
| US | US | |||
| Email: ebersman-ietf@dragon.net | Email: ebersman-ietf@dragon.net | |||
| Chris Griffiths | ||||
| Email: cgriffiths@gmail.com | ||||
| Warren Kumari | Warren Kumari | |||
| 1600 Amphitheatre Parkway | 1600 Amphitheatre Parkway | |||
| Mountain View, CA 94043 | Mountain View, CA 94043 | |||
| US | US | |||
| Email: warren@kumari.net | Email: warren@kumari.net | |||
| URI: http://www.google.com | URI: http://www.google.com | |||
| Chris Griffiths | ||||
| Nominet | ||||
| Minerva House | ||||
| Edmund Halley Road | ||||
| Oxford Science Park | ||||
| Oxford OX4 4DQ | ||||
| United Kingdom | ||||
| URI: http://www.nominet.org.uk/ | ||||
| Jason Livingood | Jason Livingood | |||
| Comcast | Comcast | |||
| One Comcast Center | One Comcast Center | |||
| 1701 John F. Kennedy Boulevard | 1701 John F. Kennedy Boulevard | |||
| Philadelphia, PA 19103 | Philadelphia, PA 19103 | |||
| US | US | |||
| Email: jason_livingood@cable.comcast.com | Email: jason_livingood@cable.comcast.com | |||
| URI: http://www.comcast.com | URI: http://www.comcast.com | |||
| Ralf Weber | Ralf Weber | |||
| Nominum | Nominum | |||
| Email: Ralf.Weber@nominum.com | Email: Ralf.Weber@nominum.com | |||
| URI: http://www.nominum.com | URI: http://www.nominum.com | |||
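Review bot: The reworked Chris Griffiths entry drops the author's contact email. The -11 entry gave `Email: cgriffiths@gmail.com`; the -12 entry lists the Nominet postal address and `URI: http://www.nominet.org.uk/` but no `Email:` line, while every other author (Ebersman, Kumari, Livingood, Weber) keeps one. Add an `Email:` line (a Nominet address, or the existing one) so the author stays reachable once the draft is published.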
End of changes. 14 change blocks. 18 lines changed or deleted, 30 lines changed or added.

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/