idnits 2.17.1 

draft-ietf-dnsext-ad-is-secure-02.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** Looks like you're using RFC 2026 boilerplate.  This must be updated to
     follow RFC 3978/3979, as updated by RFC 4748.


  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  ** The document seems to lack a 1id_guidelines paragraph about 6 months
     document validity -- however, there's a paragraph with a matching
     beginning. Boilerplate error?

  == No 'Intended status' indicated for this document; assuming Proposed
     Standard


  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The document seems to lack an Introduction section.

  ** The document seems to lack a Security Considerations section.

  ** The document seems to lack an IANA Considerations section.  (See Section
     2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
     when there are no actions for IANA.)

  ** The document seems to lack a both a reference to RFC 2119 and the
     recommended RFC 2119 boilerplate, even if it appears to use RFC 2119
     keywords. 

     RFC 2119 keyword, line 79: '...   "The AD bit MUST NOT be set on a re...'
     RFC 2119 keyword, line 88: '...   "The AD bit MUST NOT be set on a re...'
     RFC 2119 keyword, line 94: '...   The AD bit MUST NOT be set on a res...'
     RFC 2119 keyword, line 96: '...   A resolver MUST NOT blindly trust t...'
     RFC 2119 keyword, line 103: '...ver for a secure zone, the data MAY be...'
     (2 more instances...)

  == The 'Updates: ' line in the draft header should list only the _numbers_
     of the RFCs which will be updated by this document (if approved); it
     should not include the word 'RFC' in the list.


  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not
     match the current year

  == The "Author's Address" (or "Authors' Addresses") section title is
     misspelled.

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008.  If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment.  If not, you may need to add the pre-RFC5378 disclaimer. 
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (June 2001) is 8351 days in the past.  Is this
     intentional?


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  -- Missing reference section? 'RFC1035' on line 132 looks like a reference

  -- Missing reference section? 'RFC2535' on line 135 looks like a reference

  -- Missing reference section? 'RFC2845' on line 138 looks like a reference

  -- Missing reference section? 'RFC2931' on line 142 looks like a reference


     Summary: 6 errors (**), 0 flaws (~~), 4 warnings (==), 6 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

1	DNSEXT Working Group                                    Brian Wellington
2	INTERNET-DRAFT                                        Olafur Gudmundsson
3	<draft-ietf-dnsext-ad-is-secure-02.txt>                        June 2001

5	Updates: RFC 2535

7	                       Redefinition of DNS AD bit

9	Status of this Memo

11	   This document is an Internet-Draft and is in full conformance with
12	   all provisions of Section 10 of RFC2026.

14	   Internet-Drafts are working documents of the Internet Engineering
15	   Task Force (IETF), its areas, and its working groups.  Note that
16	   other groups may also distribute working documents as Internet-
17	   Drafts.

19	   Internet-Drafts are draft documents valid for a maximum of six months
20	   and may be updated, replaced, or obsoleted by other documents at any
21	   time.  It is inappropriate to use Internet-Drafts as reference
22	   material or to cite them other than as ``work in progress.''

24	   The list of current Internet-Drafts can be accessed at
25	   http://www.ietf.org/ietf/1id-abstracts.txt

27	   The list of Internet-Draft Shadow Directories can be accessed at
28	   http://www.ietf.org/shadow.html

30	   Comments should be sent to the authors or the DNSEXT WG mailing list
31	   namedroppers@ops.ietf.org

33	   This draft expires on December 18, 2001.

35	   Copyright Notice

37	   Copyright (C) The Internet Society (2001).  All rights reserved.

39	Abstract

41	   Based on implementation experience, the current definition of the AD
42	   bit in the DNS header is not useful.  This draft changes the
43	   specification so that the AD bit is only set on answers where
44	   signatures have been cryptographically verified.

46	1 - Introduction

48	   Familiarity with the DNS system [RFC1035] and DNS security extensions
49	   [RFC2535] is helpful but not necessary.

51	   As specified in RFC 2535 (section 6.1), the AD bit indicates in a
52	   response that all the data included in the answer and authority
53	   portion of the response has been authenticated by the server
54	   according to the policies of that server. This is not especially
55	   useful in practice, since a conformant server should never reply with
56	   data that failed its security policy.

58	   This draft proposes to redefine the AD bit such that it is only set
59	   if all data in the response has been cryptographically verified.
60	   Thus, a response containing properly delegated insecure data will not
61	   have AD set, as will a response from a server configured without
62	   DNSSEC keys.  As before, data which failed to verify will not be
63	   returned.  An application can then use the value of the AD bit to
64	   determine if the data is secure or not.

66	1.1 - Requirements

68	   The key words "MUST NOT", "SHOULD", "SHOULD NOT", and "MAY" in this
69	   document are to be interpreted as described in RFC2119.

71	1.2 - Updated documents and sections

73	   The definition of the AD bit in RFC2535, Section 6.1, is changed.

75	2 - Setting of AD bit

77	   Section 6.1 of RFC2535 says:

79	   "The AD bit MUST NOT be set on a response unless all of the RRs in
80	   the answer and authority sections of the response are either
81	   Authenticated or Insecure."

83	   The changes are to delete the words "either" and "or Insecure" from
84	   the sentence.

86	   The replacement text reads:

88	   "The AD bit MUST NOT be set on a response unless all of the RRsets in
89	   the answer and authority sections of the response are Authenticated."
90	   AD should be set if and only if all RRs in the answer section, and
91	   any relevant negative response RRs in the authority section are
92	   Authenticated.

94	   The AD bit MUST NOT be set on a response unless all of the RRsets in
95	   the answer and authority sections are Authenticated.
96	   A resolver MUST NOT blindly trust the AD bit unless it communicates
97	   with the server over secure transport mechanism or using message
98	   authentication such as TSIG[RFC2845] or SIG(0)[RFC2931], and the
99	   resolver policy is that it can trust the server.

101	   A DNS server following this modified specification will only set the
102	   AD bit when it has cryptographically verified the data in the answer.
103	   In the case of a primary server for a secure zone, the data MAY be
104	   considered Authenticated, depending on local policy.  Secondary
105	   servers SHOULD NOT consider data Authenticated unless the zone was
106	   transfered securely or the data was verified.

108	3 - Interpretation of the AD bit

110	   A response containing data marked Insecure in the answer or authority
111	   section will never have the AD bit set.  In this case, the resolver
112	   SHOULD treat the data as Insecure whether or not SIG records are
113	   present.

115	4 - Security Considerations:

117	   This document redefines a bit in the DNS header.  If a resolver
118	   trusts the value of the AD bit, it must be sure that the server is
119	   using the updated definition.

121	5 - IANA Considerations:

123	   None

125	6 - Acknowledgments:

127	   The following people have provided input on this document: Andreas
128	   Gustafsson, Bob Halley, Steven Jacob.

130	References:

132	[RFC1035]  P. Mockapetris, ``Domain Names - Implementation and
133	           Specification'', STD 13, RFC 1035, November 1987.

135	[RFC2535]  D. Eastlake, ``Domain Name System Security Extensions'', RFC
136	           2535, March 1999.

138	[RFC2845]  P. Vixie, O. Gudmundsson, D. Eastlake, B. Wellington,
139	           ``Secret Key Transaction Authentication for DNS (TSIG)'', RFC
140	           2845, May 2000.

142	[RFC2931]  D. Eastlake, ``DNS Request and Transaction Signatures
143	           (SIG(0))'', RFC 2931, September 2000.

145	Authors Addresses

147	      Brian Wellington                        Olafur Gudmundsson
148	      Nominum Inc.
149	      950 Charter Street                      3826 Legation Street, NW
150	      Redwood City, CA, 94063                 Washington, DC, 20015
151	      USA                                     USA
152	      <Brian.Wellington@nominum.com>          <ogud@ogud.com>

154	Full Copyright Statement

156	   Copyright (C) The Internet Society (2001).  All Rights Reserved.

158	   This document and translations of it may be copied and furnished to
159	   others, and derivative works that comment on or otherwise explain it
160	   or assist in its implementation may be prepared, copied, published
161	   and distributed, in whole or in part, without restriction of any
162	   kind, provided that the above copyright notice and this paragraph are
163	   included on all such copies and derivative works.  However, this
164	   document itself may not be modified in any way, such as by removing
165	   the copyright notice or references to the Internet Society or other
166	   Internet organizations, except as needed for the purpose of
167	   developing Internet standards in which case the procedures for
168	   copyrights defined in the Internet Standards process must be
169	   followed, or as required to translate it into languages other than
170	   English.

172	   The limited permissions granted above are perpetual and will not be
173	   revoked by the Internet Society or its successors or assigns.

175	   This document and the information contained herein is provided on an
176	   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
177	   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
178	   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
179	   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
180	   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE."