INTERNET-DRAFT                                    Donald E. Eastlake 3rd
                                                          CyberCash, Inc.
Expires July 1998                                           January 1998

              Detached Domain Name System (DNS) Information
              -------- ------ ---- ------ ----- -----------

                         Donald E. Eastlake 3rd

Status of This Document

   This draft, file name draft-ietf-dnssec-ddi-03.txt, is intended to
   become a Proposed Standard RFC.  Distribution of this document is
   unlimited.  Comments should be sent to the DNS Security Working Group
   mailing list or to the author.

   This document is an Internet-Draft.  Internet-Drafts are working
   documents of the Internet Engineering Task Force (IETF), its areas,
   and its working groups.  Note that other groups may also distribute
   working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months.  Internet-Drafts may be updated, replaced, or obsoleted by
   other documents at any time.
   It is not appropriate to use Internet-Drafts as reference material or
   to cite them other than as a ``working draft'' or ``work in
   progress.''

   To learn the current status of any Internet-Draft, please check the
   1id-abstracts.txt listing contained in the Internet-Drafts Shadow
   Directories on ds.internic.net (East USA), ftp.isi.edu (West USA),
   nic.nordu.net (North Europe), ftp.nis.garr.it (South Europe),
   munnari.oz.au (Pacific Rim), or ftp.is.co.za (Africa).

Abstract

   A standard format is defined for representing detached DNS
   information.  This is anticipated to be of use for storing
   information retrieved from the Domain Name System (DNS), including
   security information, in archival contexts or contexts not connected
   to the Internet.

Table of Contents

   Status of This Document
   Abstract
   Table of Contents
   1. Introduction
   2. General Format
   2.1 Binary Format
   2.2 Text Format
   3. Usage Example
   4. Security Considerations
   References
   Author's Address
   Expiration and File Name

1. Introduction

   The Domain Name System (DNS) is a replicated hierarchical distributed
   database system [RFC 1034, RFC 1035] that can provide highly
   available service.  It provides the operational basis for Internet
   host name to address translation, automatic SMTP mail routing, and
   other basic Internet functions.
   The DNS has recently been extended as described in [RFC 2065] to
   permit the general storage of public cryptographic keys in the DNS
   and to enable the authentication of information retrieved from the
   DNS through digital signatures.

   The DNS was not originally designed for storage of information
   outside of the active zones and authoritative master files that are
   part of the connected DNS.  However, there may be cases where this is
   useful, particularly in connection with security information.

2. General Format

   The formats used for detached Domain Name System (DNS) information
   are similar to those used for connected DNS information.  The primary
   difference is that elements of the connected DNS system (unless they
   are an authoritative server for the zone containing the information)
   are required to count down the Time To Live (TTL) associated with
   each DNS Resource Record (RR) and discard them (possibly fetching a
   fresh copy) when the TTL reaches zero.  In contrast to this, detached
   information may be stored in an off-line file, where it can not be
   updated, and perhaps used to authenticate historic data, or it might
   be received via non-DNS protocols long after it was retrieved from
   the DNS.  Therefore, it is not practical to count down the TTL of
   detached DNS information, and it may be necessary to keep the data
   beyond the point where the TTL (which is defined as an unsigned
   field) would underflow.  To preserve information as to the freshness
   of this detached data, it is accompanied by its retrieval time.

   Whatever retrieves the information from the DNS must associate this
   retrieval time with it.  The retrieval time remains fixed thereafter.
   When the current time minus the retrieval time exceeds the TTL for
   any particular detached RR, it is no longer a valid copy within the
   normal connected DNS scheme.  This may make it invalid in context for
   some detached purposes as well.
   If the RR is a SIG (signature) RR it also has an expiration time.
   Regardless of the TTL, it and any RRs it signs can not be considered
   authenticated after the signature expiration time.

2.1 Binary Format

   The standard binary format for detached DNS information is as
   follows:

                        1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                     first retrieval time                      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |            RR count           |                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+     Resource Records (RRs)    |
   /                                                               /
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                     next retrieval time                       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |            RR count           |                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+     Resource Records (RRs)    |
   /                                                               /
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   /                             ...                               /
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |    hex 80     |
   +-+-+-+-+-+-+-+-+

   Retrieval time - the time that the immediately following information
      was obtained from the connected DNS system.  It is an unsigned
      number of seconds since the start of 1 January 1970, GMT, ignoring
      leap seconds, in network (big-endian) order.  Note that this time
      can not be before the initial proposal of this standard (January
      1998, for which this count is about 34AB0000 hex), so the initial
      byte of an actual retrieval time, considered as an unsigned
      quantity, is at least 34 hex and stays below 80 hex until 19
      January 2038, when the count reaches 80000000 hex; a retrieval
      time at or after that instant can not be represented in this
      format.  The end of detached DNS information is indicated by a
      "retrieval time" field whose initial byte is equal to 80 hex.  Use
      of a "retrieval time" field with an initial byte greater than 80
      hex in binary detached DNS information is reserved for future use.
      It may indicate a different format.
      Retrieval times will not generally be 32 bit aligned with respect
      to each other due to the variable length nature of RRs.

   RR count - a 16 bit unsigned integer (with bytes in network order)
      giving the number of following resource records retrieved at the
      preceding retrieval time.

   Resource Records - the actual data, which is in the same format as if
      it were being transmitted in a DNS response.  In particular, name
      compression via pointers is permitted, with the origin at the
      beginning of the particular detached information data section,
      just after the RR count.

2.2 Text Format

   The standard text format for detached DNS information is as
   prescribed for zone master files [RFC 1035] except that the $INCLUDE
   control entry is prohibited and the new $DATE entry is required
   (unless the information set is empty).  $DATE is followed by the date
   and time that the following information was obtained from the DNS
   system, as described for retrieval time in section 2.1 above.  It is
   in the text format YYYYMMDDHHMMSS where YYYY is the year, the first
   MM is the month number (01-12), DD is the day of the month (01-31),
   HH is the hour in 24 hour notation (00-23), the second MM is the
   minute (00-59), and SS is the second (00-59).  Thus a $DATE must
   appear before the first RR and at every change in retrieval time
   through the detached information.

3. Usage Example

   A document might be authenticated by a key retrieved from the DNS in
   a KEY resource record (RR).  To later prove the authenticity of this
   document, it would be desirable to preserve the KEY RR for that
   public key, the SIG RR signing that KEY RR, the KEY RR for the key
   used to authenticate that SIG, and so on through SIG and KEY RRs
   until a well known trusted key is reached, perhaps the key for the
   DNS root or some third party authentication service.
   (In some cases these KEY RRs will actually be sets of KEY RRs with
   the same owner, class and type, because SIGs actually sign such
   record sets.)

   This information could be preserved as a set of detached DNS
   information blocks.

4. Security Considerations

   The entirety of this document concerns a means to represent detached
   DNS information.  Such detached resource records may be security
   relevant and/or secured information as described in [RFC 2065].  The
   detached format provides no overall security for sets of detached
   information or for the association between retrieval time and
   information.  This can be provided by wrapping the detached
   information format with some other form of signature.  However, if
   the detached information is accompanied by SIG RRs, its validity
   period is indicated in those SIG RRs, so the retrieval time might be
   of secondary importance.

References

   [RFC 1034] - Domain Names - Concepts and Facilities, P. Mockapetris,
   November 1987.

   [RFC 1035] - Domain Names - Implementation and Specification, P.
   Mockapetris, November 1987.

   [RFC 2065] - Domain Name System Security Extensions, D. Eastlake, C.
   Kaufman, January 1997.

Author's Address

   Donald E. Eastlake 3rd
   CyberCash, Inc.
   318 Acton Street
   Carlisle, MA 01741 USA

   Telephone:   +1 978 287 4877
                +1 703 620 4200 (main office, Reston, Virginia)
   Fax:         +1 978 371 7148
   EMail:       dee@cybercash.com

Expiration and File Name

   This draft expires July 1998.

   Its file name is draft-ietf-dnssec-ddi-03.txt.
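Added example (editor's code, not part of the draft or the author's work): an encoder and decoder for the binary format of section 2.1, the $DATE entry of section 2.2, and the freshness rule of section 2, in one Python module. It takes the RR count to be 16 bits wide, as drawn in the figure, and carries RDATA as opaque bytes, so it never compresses names that occur inside RDATA (an assumption the draft does not address). Compression pointers are resolved relative to the byte just after the RR count, as the draft requires, and the decoder insists that they point backwards, which rules out pointer loops in hostile input. Because every 32 bit retrieval time from January 1998 until 19 January 2038 begins with a byte between 34 and 7F hex, the decoder treats 80 hex as the end marker and anything above it as reserved, and the encoder refuses a retrieval time that would collide with the end marker. The sample records at the bottom are constructed for the example.

```python
"""Added example (not the draft's code): section 2.1 binary format, the
$DATE line of section 2.2, and the freshness rule of section 2.
Assumption: RDATA is opaque bytes, so names inside RDATA are not compressed."""
import calendar, struct, time
from dataclasses import dataclass

END_MARKER = 0x80  # first byte of the "retrieval time" that ends the data


@dataclass
class RR:
    name: str    # owner name in presentation form, e.g. "www.example."
    rtype: int
    rclass: int
    ttl: int     # never counted down once detached (section 2)
    rdata: bytes


def _encode_name(name, section, table):
    """Append name to the RR data section; table maps suffix -> offset."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    while labels:
        suffix = ".".join(labels)
        if suffix in table:  # suffix already emitted: 14 bit pointer
            section += struct.pack("!H", 0xC000 | table[suffix])
            return
        if len(section) < 0x4000:  # only 14 bits of offset fit in a pointer
            table[suffix] = len(section)
        label = labels.pop(0).encode("ascii")
        section += bytes([len(label)]) + label
    section.append(0)  # root label ends an uncompressed name


def _decode_name(buf, pos, origin):
    """Read a possibly compressed name at buf[pos]; returns (name, next pos)."""
    labels, end = [], None
    while True:
        length = buf[pos]
        if length & 0xC0 == 0xC0:  # compression pointer, offset from origin
            target = origin + (struct.unpack_from("!H", buf, pos)[0] & 0x3FFF)
            if target >= pos:      # must point backwards, so no loops
                raise ValueError("bad compression pointer")
            end, pos = (pos + 2 if end is None else end), target
            continue
        if length & 0xC0 or pos + 1 + length > len(buf):
            raise ValueError("bad label")
        pos += 1
        if length == 0:
            return ".".join(labels) + ".", (pos if end is None else end)
        labels.append(buf[pos:pos + length].decode("ascii"))
        pos += length


def encode_block(retrieval_time, rrs):
    """One data section: retrieval time, 16 bit RR count, then the RRs."""
    if not 0 <= retrieval_time < END_MARKER << 24:  # 80000000 hex = 19 Jan 2038
        raise ValueError("retrieval time collides with the end marker")
    section, table = bytearray(), {}
    for rr in rrs:
        _encode_name(rr.name, section, table)
        section += struct.pack("!HHIH", rr.rtype, rr.rclass, rr.ttl, len(rr.rdata))
        section += rr.rdata
    return struct.pack("!IH", retrieval_time, len(rrs)) + bytes(section)


def encode(blocks):  # blocks: iterable of (retrieval_time, [RR, ...])
    return b"".join(encode_block(t, rrs) for t, rrs in blocks) + bytes([END_MARKER])


def decode(data):
    """Parse binary detached DNS information into [(retrieval_time, [RR, ...])]."""
    out, pos = [], 0
    while pos < len(data):
        if data[pos] == END_MARKER:
            return out
        if data[pos] > END_MARKER:
            raise ValueError("reserved retrieval time encoding")
        rtime, count = struct.unpack_from("!IH", data, pos)
        origin = pos = pos + 6  # pointer origin is the byte after the RR count
        rrs = []
        for _ in range(count):
            name, pos = _decode_name(data, pos, origin)
            rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", data, pos)
            pos += 10
            if pos + rdlen > len(data):
                raise ValueError("truncated RDATA")
            rrs.append(RR(name, rtype, rclass, ttl, bytes(data[pos:pos + rdlen])))
            pos += rdlen
        out.append((rtime, rrs))
    raise ValueError("truncated: no end marker")


def is_fresh(rr, retrieval_time, now):
    """Section 2: still a valid copy only while now - retrieval time <= TTL."""
    return now - retrieval_time <= rr.ttl


def date_line(retrieval_time):
    """Section 2.2: the $DATE entry, YYYYMMDDHHMMSS in GMT."""
    return "$DATE " + time.strftime("%Y%m%d%H%M%S", time.gmtime(retrieval_time))


def parse_date_line(line):
    """Inverse of date_line: retrieval time as seconds since 1970 GMT."""
    return calendar.timegm(time.strptime(line.split()[1], "%Y%m%d%H%M%S"))


# Constructed sample: two A records retrieved 1998-01-15 12:00:00 GMT.
SAMPLE_TIME = calendar.timegm((1998, 1, 15, 12, 0, 0, 0, 0, 0))
SAMPLE_RRS = [RR("example.", 1, 1, 3600, bytes([192, 0, 2, 1])),
              RR("www.example.", 1, 1, 3600, bytes([192, 0, 2, 2]))]
```

Running `encode([(SAMPLE_TIME, SAMPLE_RRS)])` yields a 50 byte blob whose first byte is 34 hex and whose last byte is the 80 hex end marker; the second owner name is emitted as the label "www" followed by the pointer C0 00 back to "example." at offset 0 of the data section, and `decode` reproduces the original records. Note that `is_fresh` says nothing about SIG expiration: a signed RR set must additionally be checked against the SIG RR's expiration time, as section 2 requires, and neither the retrieval time nor the end marker is itself authenticated (section 4).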