idnits 2.17.1 draft-ietf-dnsext-keyrr-key-signing-flag-00.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** Looks like you're using RFC 2026 boilerplate. This must be updated to follow RFC 3978/3979, as updated by RFC 4748. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- == No 'Intended status' indicated for this document; assuming Proposed Standard Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.) ** The document seems to lack separate sections for Informative/Normative References. All references will be assumed normative when checking for downward references. ** The abstract seems to contain references ([1]), which it shouldn't. Please replace those with straight textual mentions of the documents in question. ** The document seems to lack a both a reference to RFC 2119 and the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords. RFC 2119 keyword, line 104: '...rative properties and MUST NOT be used...' RFC 2119 keyword, line 111: '...e administrators SHOULD set the bit on...' RFC 2119 keyword, line 115: '... resolver administrators MAY choose to...' RFC 2119 keyword, line 124: '...is key. The bit SHOULD NOT be modifie...' RFC 2119 keyword, line 129: '... The flag MUST NOT be used in the re...' Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not match the current year == The expression 'MAY NOT', while looking like RFC 2119 requirements text, is not defined in RFC 2119, and should not be used. Consider using 'MUST NOT' instead (if that is what you mean). Found 'MAY NOT' in this paragraph: The key words "MAY","MAY NOT", "MUST", "MUST NOT", "REQUIRED", "RECOMMENDED", "SHOULD", and "SHOULD NOT" in this document are to be interpreted as described in RFC2119. -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (September 3, 2002) is 7906 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Outdated reference: A later version (-15) exists of draft-ietf-dnsext-delegation-signer-08 == Outdated reference: A later version (-04) exists of draft-ietf-dnsext-restrict-key-for-dnssec-03 Summary: 5 errors (**), 0 flaws (~~), 5 warnings (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 DNS Extentions O. Kolkman 3 Internet-Draft RIPE NCC 4 Expires: March 4, 2003 September 3, 2002 6 KEY RR Key Signing (KS) Flag 7 draft-ietf-dnsext-keyrr-key-signing-flag-00.txt 9 Status of this Memo 11 This document is an Internet-Draft and is in full conformance with 12 all provisions of Section 10 of RFC2026. 14 Internet-Drafts are working documents of the Internet Engineering 15 Task Force (IETF), its areas, and its working groups. Note that 16 other groups may also distribute working documents as Internet- 17 Drafts. 19 Internet-Drafts are draft documents valid for a maximum of six months 20 and may be updated, replaced, or obsoleted by other documents at any 21 time. It is inappropriate to use Internet-Drafts as reference 22 material or to cite them other than as "work in progress." 24 The list of current Internet-Drafts can be accessed at http:// 25 www.ietf.org/ietf/1id-abstracts.txt. 27 The list of Internet-Draft Shadow Directories can be accessed at 28 http://www.ietf.org/shadow.html. 30 This Internet-Draft will expire on March 4, 2003. 32 Copyright Notice 34 Copyright (C) The Internet Society (2002). All Rights Reserved. 36 Abstract 38 The Introduction of the DS [1] record has introduced the concept of 39 KEY signing and zone signing keys. In general, KEY signing keys are 40 the keys that are pointed to by DS records and are the secure entry 41 points to a zone. The key signing keys only sign the KEY RRset at 42 the apex of a zone, zone signing keys sign all data in a zone. We 43 propose a flag to distinguish the KEY signing key from other keys in 44 the KEY RR set during DNSSEC operations. 46 The key words "MAY","MAY NOT", "MUST", "MUST NOT", "REQUIRED", 47 "RECOMMENDED", "SHOULD", and "SHOULD NOT" in this document are to be 48 interpreted as described in RFC2119. 50 Table of Contents 52 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . 3 53 2. The Key Signing flag . . . . . . . . . . . . . . . . . . . . . . 3 54 3. DNSSEC Protocol changes . . . . . . . . . . . . . . . . . . . . 3 55 4. Operational Guidelines . . . . . . . . . . . . . . . . . . . . . 4 56 5. Security considerations . . . . . . . . . . . . . . . . . . . . 4 57 6. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . 4 58 References . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 59 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 5 60 Full Copyright Statement . . . . . . . . . . . . . . . . . . . . 6 62 1. Introduction 64 The Introduction of the DS record has introduced the concept of KEY 65 signing keys. In general these are the keys that are pointed to by 66 DS records and are the secure entry points to a zone. These key 67 signing keys may also be configured in resolver systems that use 68 zones as a root for a secure island. 70 Early deployment tests have shown that during DNSSEC parent-child 71 interactions it is useful to indicate which keys are to be used as 72 the secure entry point to a zone. We introduce the Key Signing Key 73 flag to indicate this special 'administrative' status of the key. 75 During DNSSEC parent-child interactions it is useful to indicate 76 which keys are to be used as the secure entry point to a zone. 77 During key rollovers the KS-flag can be used by the parent to 78 determine from which key the DS RR is to be generated from. 80 2. The Key Signing flag 82 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 83 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 84 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 85 | flags |K| protocol | algorithm | 86 | |S| | | 87 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 88 | / 89 / public key / 90 / / 91 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 93 KEY RR Format 95 The bit 15th bit (TBD) in the flags field is assigned to be the key 96 signing flag. If set the key is intended to be used as key signing 97 key. If the bit is not set then no special meaning should be 98 assigned. The 15th bit is currently reserved [2]. 100 3. DNSSEC Protocol changes 102 The use of the KS flag does NOT change the DNS resolution and 103 resolution protocol. The KS flag is only used to provide a hint 104 about the different administrative properties and MUST NOT be used 105 during the resolving process. 107 4. Operational Guidelines 109 By setting the KS-flag on a particular key, zone administrators 110 indicate that that key should be used as the secure entry point for 111 their zone. Therefore zone administrators SHOULD set the bit only 112 for zone keys that are used to sign the KEY RRset and are intended to 113 act as the top of the chain of trust for their zone. 115 Parent zone administrators and resolver administrators MAY choose to 116 ignore the flag. 118 Even with the KS-flag there is no mechanism to distinguish between 119 keys that should be used by the parent to point DS records to or keys 120 to be used by resolver administrators as statically configured keys. 122 If the bit is modified during the lifetime of the key then this would 123 have impact on the keytag and on the hash data in the DS RRs 124 intending to point to this key. The bit SHOULD NOT be modified once 125 the key has been put into use. 127 5. Security considerations 129 The flag MUST NOT be used in the resolution protocol or to determine 130 the security status of a key. The flag is to be used for 131 administrative purposes only. 133 If the flag is used to determine which key is to be used as the 134 secure entry point then the trust in the key should be inferred from 135 an existing DNS chain of trust or by an out of band key exchange. 137 6. Acknowledgments 139 The ideas documented in this draft are inspired by communications we 140 had with numerous people and ideas published by other folk, Jakob 141 Schlyter and Olafur Gudmundsson and Dan Massey have been most 142 substantial in providing ideas and feedback. 144 This document saw the light during a workshop on DNSSEC operations 145 hosted by USC/ISI. 147 "Animal Farm; a Fairy Story" was first published by George Orwell in 148 1945, The version illustrated by Ralph Steadman is one we recommend ( 149 ISBN: 0151002177 ). 151 References 153 [1] Gudmundsson, "Delegation Signer Resource Record", work in 154 progress draft-ietf-dnsext-delegation-signer-08.txt, June 2002. 156 [2] Massey and Rose, "Limiting the Scope of the KEY Resource 157 Record", work in progress draft-ietf-dnsext-restrict-key-for- 158 dnssec-03, June 28 2002. 160 Author's Address 162 Olaf M. Kolkman 163 RIPE NCC 164 Singel 256 165 Amsterdam 1016 AB 166 NL 168 Phone: +31 20 535 4444 169 EMail: olaf@ripe.net 170 URI: http://www.ripe.net/ 172 Full Copyright Statement 174 Copyright (C) The Internet Society (2002). All Rights Reserved. 176 This document and translations of it may be copied and furnished to 177 others, and derivative works that comment on or otherwise explain it 178 or assist in its implementation may be prepared, copied, published 179 and distributed, in whole or in part, without restriction of any 180 kind, provided that the above copyright notice and this paragraph are 181 included on all such copies and derivative works. However, this 182 document itself may not be modified in any way, such as by removing 183 the copyright notice or references to the Internet Society or other 184 Internet organizations, except as needed for the purpose of 185 developing Internet standards in which case the procedures for 186 copyrights defined in the Internet Standards process must be 187 followed, or as required to translate it into languages other than 188 English. 190 The limited permissions granted above are perpetual and will not be 191 revoked by the Internet Society or its successors or assigns. 193 This document and the information contained herein is provided on an 194 "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING 195 TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING 196 BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION 197 HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF 198 MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 200 Acknowledgement 202 Funding for the RFC Editor function is currently provided by the 203 Internet Society.