< draft-ietf-dnsext-keyrr-key-signing-flag-11.txt   draft-ietf-dnsext-keyrr-key-signing-flag-12.txt >
DNS Extensions O. Kolkman DNS Extensions O. Kolkman
Internet-Draft RIPE NCC Internet-Draft RIPE NCC
Expires: March 1, 2004 J. Schlyter Expires: June 17, 2004 J. Schlyter
E. Lewis E. Lewis
ARIN ARIN
September 2003 December 18, 2003
DNSKEY RR Secure Entry Point Flag DNSKEY RR Secure Entry Point Flag
draft-ietf-dnsext-keyrr-key-signing-flag-11 draft-ietf-dnsext-keyrr-key-signing-flag-12
Status of this Memo Status of this Memo
This document is an Internet-Draft and is in full conformance with This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026. all provisions of Section 10 of RFC2026.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that other Task Force (IETF), its areas, and its working groups. Note that other
groups may also distribute working documents as Internet-Drafts. groups may also distribute working documents as Internet-Drafts.
skipping to change at page 1, line 34 skipping to change at page 1, line 34
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at http:// The list of current Internet-Drafts can be accessed at http://
www.ietf.org/ietf/1id-abstracts.txt. www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on March 1, 2004. This Internet-Draft will expire on June 17, 2004.
Copyright Notice Copyright Notice
Copyright (C) The Internet Society (2003). All Rights Reserved. Copyright (C) The Internet Society (2003). All Rights Reserved.
Abstract Abstract
With the Delegation Signer (DS) resource record the concept of a With the Delegation Signer (DS) resource record the concept of a
public key acting as a secure entry point has been introduced. During public key acting as a secure entry point has been introduced. During
exchanges of public keys with the parent there is a need to exchanges of public keys with the parent there is a need to
skipping to change at page 5, line 5 skipping to change at page 5, line 5
| |E| | | | |E| | |
| |P| | | | |P| | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| / | /
/ public key / / public key /
/ / / /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
DNSKEY RR Format DNSKEY RR Format
This document assigns the 15'th bit [4] in the flags field as the This document assigns the 15'th bit in the flags field as the secure
secure entry point (SEP) bit. If the the bit is set to 1 the key is entry point (SEP) bit. If the the bit is set to 1 the key is
intended to be used as secure entry point key. One SHOULD NOT assign intended to be used as secure entry point key. One SHOULD NOT assign
special meaning to the key if the bit is set to 0. Operators can special meaning to the key if the bit is set to 0. Operators can
recognize the secure entry point key by the even or odd-ness of the recognize the secure entry point key by the even or odd-ness of the
decimal representation of the flag field. decimal representation of the flag field.
3. DNSSEC Protocol Changes 3. DNSSEC Protocol Changes
The bit MUST NOT be used during the resolving and verification The bit MUST NOT be used during the resolving and verification
process. The SEP flag is only used to provide a hint about the process. The SEP flag is only used to provide a hint about the
different administrative properties of the key and therefore the use different administrative properties of the key and therefore the use
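Review bot: "If the the bit is set to 1" (second paragraph under the DNSKEY RR Format figure) still carries the doubled "the" on both sides of the diff, and "15'th bit" here disagrees with "15th bit" in Section 6; suggest "If the bit is set to 1" and "15th". Since the operator hint is the even or odd-ness of the decimal flags value, it would also help implementers to state explicitly that bit 15 is the least significant bit of the 16-bit flags field (so a key with the SEP bit set always has an odd flags value); the text implies this but never says it, and the bit-numbering convention is a common source of off-by-one errors.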
skipping to change at page 6, line 35 skipping to change at page 6, line 35
RR set with the existing trust relation and creates the new DS RR RR set with the existing trust relation and creates the new DS RR
from the DNSKEY RR that the current DS RR is not pointing to. This from the DNSKEY RR that the current DS RR is not pointing to. This
key exchange might be replayed. Parents are encouraged to implement a key exchange might be replayed. Parents are encouraged to implement a
replay defense. A simple defense can be based on a registry of keys replay defense. A simple defense can be based on a registry of keys
that have been used to generate DS RRs during the most recent roll that have been used to generate DS RRs during the most recent roll
over. These same considerations apply to entities that configure keys over. These same considerations apply to entities that configure keys
in resolvers. in resolvers.
6. IANA Considerations 6. IANA Considerations
IANA considerations: The flag bits in the DNSKEY RR are assigned by The flag bits in the DNSKEY RR are assigned by IETF consensus and
IETF consensus. This document assigns the 15th bit in the DNSKEY RR registered in the DNSKEY Flags registry (created by [4]). This
as the Secure Entry Point (SEP) bit. [Final text pending document assigns the 15th bit in the DNSKEY RR as the Secure Entry
clarification of the DNSKEY flag registry] Point (SEP) bit.
7. Internationalization Considerations 7. Internationalization Considerations
Although SEP is a popular acronym in many different languages, there Although SEP is a popular acronym in many different languages, there
are no internationalization considerations. are no internationalization considerations.
8. Acknowledgments 8. Acknowledgments
The ideas documented in this document are inspired by communications The ideas documented in this document are inspired by communications
we had with numerous people and ideas published by other folk. Among we had with numerous people and ideas published by other folk. Among
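Review bot: The replay-defense sentence ("A simple defense can be based on a registry of keys that have been used to generate DS RRs during the most recent roll over") does not say what identifies a key in that registry or how long entries are retained; since the threat described is a replay of an earlier, legitimately accepted key exchange, suggest stating that the registry records the DNSKEY material itself rather than a shorter identifier, and that the same retention expectation applies to "entities that configure keys in resolvers". In Section 6, the new parenthetical "(created by [4])" ties the registry to a document that is still a work in progress; confirm that the registry name used here matches the one [4] actually creates so the IANA action is unambiguous.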
skipping to change at page 7, line 19 skipping to change at page 7, line 19
[1] Bradner, S., "Key words for use in RFCs to Indicate Requirement [1] Bradner, S., "Key words for use in RFCs to Indicate Requirement
Levels", BCP 14, RFC 2119, March 1997. Levels", BCP 14, RFC 2119, March 1997.
[2] Eastlake, D., "Domain Name System Security Extensions", RFC [2] Eastlake, D., "Domain Name System Security Extensions", RFC
2535, March 1999. 2535, March 1999.
[3] Lewis, E., "DNS Security Extension Clarification on Zone [3] Lewis, E., "DNS Security Extension Clarification on Zone
Status", RFC 3090, March 2001. Status", RFC 3090, March 2001.
[4] Massey, D. and S. Rose, "Limiting the Scope of the KEY Resource [4] Weiler, S., "Legacy Resolver Compatibility for Delegation
Record (RR)", RFC 3445, December 2002. Signer", draft-ietf-dnsext-dnssec-2535typecode-change-05 (work
in progress), October 2003.
Informative References Informative References
[5] Gudmundsson, O., "Delegation Signer Resource Record", [5] Gudmundsson, O., "Delegation Signer Resource Record",
draft-ietf-dnsext-delegation-signer-15 (work in progress), June draft-ietf-dnsext-delegation-signer-15 (work in progress), June
2003. 2003.
[6] Orwell, G. and R. Steadman (illustrator), "Animal Farm; a Fairy [6] Orwell, G. and R. Steadman (illustrator), "Animal Farm; a Fairy
Story", ISBN 0151002177 (50th anniversary edition), April 1996. Story", ISBN 0151002177 (50th anniversary edition), April 1996.
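Review bot: Normative reference [4] changes from RFC 3445 to draft-ietf-dnsext-dnssec-2535typecode-change-05, a work in progress; a normative dependency on an unpublished draft will hold this document until that draft is published, so either accept that delay or move the citation to the informative list if Section 6 can name the registry without relying on it. Note also that the -11 citation of [4] (then RFC 3445) for the 15th flags bit in the DNSKEY RR Format text is dropped in -12, so RFC 3445 no longer appears in any of the changed regions; verify that no other part of the draft still cites [4] expecting it to be RFC 3445 now that the number points to a different document.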
 End of changes. 7 change blocks. 
12 lines changed or deleted 13 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/