DNSSEC Operational Practices, Version 2
RFC 6781
| Field | Value |
|---|---|
| Document | RFC 6781, Informational (December 2012); Errata; Obsoletes RFC 4641 |
| Authors | Olaf Kolkman, Matthijs Mekking, R. (Miek) Gieben |
| Last updated | 2020-01-21 |
| RFC stream | Internet Engineering Task Force (IETF) |
| Additional resources | Mailing list discussion |
| IESG: Responsible AD | Ron Bonica |
| Send notices to | (None) |
```
----------------------------------------------------------------
  initial             new RRSIGs          new DNSKEY
----------------------------------------------------------------
Parent:
  DS_K_1 ------------------------------------------------------->
  RRSIG_par(DS_K_1) -------------------------------------------->

Child:
  SOA_0               SOA_1               SOA_2
  RRSIG_Z_1(SOA)      RRSIG_Z_1(SOA)      RRSIG_Z_1(SOA)
                      RRSIG_Z_2(SOA)      RRSIG_Z_2(SOA)

  DNSKEY_K_1          DNSKEY_K_1          DNSKEY_K_1
                                          DNSKEY_K_2
  DNSKEY_Z_1          DNSKEY_Z_1          DNSKEY_Z_1
                                          DNSKEY_Z_2
  RRSIG_K_1(DNSKEY)   RRSIG_K_1(DNSKEY)   RRSIG_K_1(DNSKEY)
                                          RRSIG_K_2(DNSKEY)
----------------------------------------------------------------

----------------------------------------------------------------
  new DS              revoke DNSKEY       DNSKEY removal
----------------------------------------------------------------
Parent:
  SOA_1 -------------------------------------------------------->
  RRSIG_par(SOA) ----------------------------------------------->
  DS_K_2 ------------------------------------------------------->
  RRSIG_par(DS_K_2) -------------------------------------------->

Child:
  ------------------->  SOA_3               SOA_4
  ------------------->  RRSIG_Z_1(SOA)      RRSIG_Z_1(SOA)
  ------------------->  RRSIG_Z_2(SOA)      RRSIG_Z_2(SOA)

  ------------------->  DNSKEY_K_1_REVOKED
  ------------------->  DNSKEY_K_2          DNSKEY_K_2
  ------------------->
  ------------------->  DNSKEY_Z_2          DNSKEY_Z_2
  ------------------->  RRSIG_K_1(DNSKEY)
  ------------------->  RRSIG_K_2(DNSKEY)   RRSIG_K_2(DNSKEY)
----------------------------------------------------------------

----------------------------------------------------------------
  RRSIGs removal
----------------------------------------------------------------
Parent:
  ------------------------------------->
  ------------------------------------->
  ------------------------------------->
  ------------------------------------->

Child:
  SOA_5
  RRSIG_Z_2(SOA)

  DNSKEY_K_2
  DNSKEY_Z_2
  RRSIG_K_2(DNSKEY)
----------------------------------------------------------------
              Figure 13: RFC 5011 Style Algorithm Roll
```

Also see Section 4.1.4.2.
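As an added example (not part of RFC 6781), the phases of Figure 13 modelled in Python together with a check of the algorithm-consistency rule from RFC 4035, Section 2.2: every algorithm in the parent's DS RRset needs a matching DNSKEY, and every algorithm present in the apex DNSKEY RRset must sign every RRset. The record sets are constructed from the figure, and the numeric suffix of K_n / Z_n is assumed to denote the algorithm; the check also shows why the figure introduces RRSIG_Z_2 one phase before DNSKEY_Z_2.

```python
import re

# Added example, not from RFC 6781: the phases of Figure 13 (RFC 5011 style
# algorithm roll) as constructed sets of the parent's DS RRset and the child's
# apex DNSKEY/RRSIG records.  Assumption: the numeric suffix of K_n / Z_n is
# the DNSSEC algorithm number (K_1/Z_1 use algorithm 1, K_2/Z_2 algorithm 2).
ALG1 = {"DNSKEY_K_1", "DNSKEY_Z_1", "RRSIG_Z_1(SOA)", "RRSIG_K_1(DNSKEY)"}
ALG2 = {"DNSKEY_K_2", "DNSKEY_Z_2", "RRSIG_Z_2(SOA)", "RRSIG_K_2(DNSKEY)"}
FIGURE_13 = [  # (phase, parent DS RRset, child apex records)
    ("initial",        {"DS_K_1"}, ALG1),
    ("new RRSIGs",     {"DS_K_1"}, ALG1 | {"RRSIG_Z_2(SOA)"}),
    ("new DNSKEY",     {"DS_K_1"}, ALG1 | ALG2),
    ("new DS",         {"DS_K_2"}, ALG1 | ALG2),
    ("revoke DNSKEY",  {"DS_K_2"}, (ALG1 | ALG2 | {"DNSKEY_K_1_REVOKED"})
                                   - {"DNSKEY_K_1", "DNSKEY_Z_1"}),
    ("DNSKEY removal", {"DS_K_2"}, ALG2 | {"RRSIG_Z_1(SOA)"}),
    ("RRSIGs removal", {"DS_K_2"}, ALG2),
]
# A shortcut the figure avoids: DNSKEY_Z_2 published before RRSIG_Z_2 exists.
PREMATURE_DNSKEY = ALG1 | {"DNSKEY_K_2", "DNSKEY_Z_2", "RRSIG_K_2(DNSKEY)"}

def key_alg(label):
    """Algorithm number of a label such as 'DS_K_2' or 'DNSKEY_K_1_REVOKED'."""
    return int(re.search(r"[KZ]_(\d+)", label).group(1))

def check_phase(parent, child, rrsets=("SOA", "DNSKEY")):
    """Violations of the algorithm-consistency rule (RFC 4035, Section 2.2):
    every DS algorithm needs a DNSKEY, and every algorithm in the apex DNSKEY
    RRset must sign every RRset; a strict validator treats violations as bogus."""
    ds_algs = {key_alg(r) for r in parent if r.startswith("DS_")}
    key_algs = {key_alg(r) for r in child if r.startswith("DNSKEY_")}
    signed = {name: set() for name in rrsets}
    for r in child:
        m = re.match(r"RRSIG_([KZ]_\d+)\((\w+)\)", r)
        if m:
            signed.setdefault(m.group(2), set()).add(key_alg(m.group(1)))
    problems = [f"DS for algorithm {a} has no DNSKEY" for a in sorted(ds_algs - key_algs)]
    for name, algs in signed.items():
        problems += [f"{name} RRset has no RRSIG by algorithm {a}"
                     for a in sorted(key_algs - algs)]
    return problems

def check_rollover(phases):
    """Map each phase name to its violations; every phase of Figure 13 yields []."""
    return {name: check_phase(parent, child) for name, parent, child in phases}

if __name__ == "__main__":
    for phase, problems in check_rollover(FIGURE_13).items():
        print(f"{phase:15s} {problems or 'ok'}")
    print("premature DNSKEY:", check_phase({"DS_K_1"}, PREMATURE_DNSKEY))
```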
```
----------------------------------------------------------------
  initial             new RRSIGs          new DNSKEY
----------------------------------------------------------------
Parent:
  SOA_0 -------------------------------------------------------->
  RRSIG_par(SOA) ----------------------------------------------->
  DS_S_1 ------------------------------------------------------->
  RRSIG_par(DS_S_1) -------------------------------------------->

Child:
  SOA_0               SOA_1               SOA_2
  RRSIG_S_1(SOA)      RRSIG_Z_10(SOA)     RRSIG_Z_10(SOA)
  RRSIG_Z_10(SOA)     RRSIG_S_2(SOA)      RRSIG_S_2(SOA)

  DNSKEY_S_1          DNSKEY_S_1          DNSKEY_S_1
  DNSKEY_Z_10         DNSKEY_Z_10         DNSKEY_Z_10
                                          DNSKEY_S_2
  RRSIG_S_1(DNSKEY)   RRSIG_S_1(DNSKEY)   RRSIG_S_1(DNSKEY)
                      RRSIG_S_2(DNSKEY)   RRSIG_S_2(DNSKEY)
----------------------------------------------------------------

----------------------------------------------------------------
  new DS              revoke DNSKEY       DNSKEY removal
----------------------------------------------------------------
Parent:
  SOA_1 -------------------------------------------------------->
  RRSIG_par(SOA) ----------------------------------------------->
  DS_S_2 ------------------------------------------------------->
  RRSIG_par(DS_S_2) -------------------------------------------->

Child:
  ------------------->  SOA_3               SOA_4
  ------------------->  RRSIG_Z_10(SOA)
  ------------------->  RRSIG_S_2(SOA)      RRSIG_S_2(SOA)

  ------------------->  DNSKEY_S_1_REVOKED
  ------------------->  DNSKEY_Z_10
  ------------------->  DNSKEY_S_2          DNSKEY_S_2
  ------------------->  RRSIG_S_1(DNSKEY)   RRSIG_S_1(DNSKEY)
  ------------------->  RRSIG_S_2(DNSKEY)   RRSIG_S_2(DNSKEY)
----------------------------------------------------------------

----------------------------------------------------------------
  RRSIGs removal
----------------------------------------------------------------
Parent:
  ------------------------------------->
  ------------------------------------->
  ------------------------------------->
  ------------------------------------->

Child:
  SOA_5
  RRSIG_S_2(SOA)

  DNSKEY_S_2
  RRSIG_S_2(DNSKEY)
----------------------------------------------------------------
  Figure 14: RFC 5011 Algorithm Roll in a Single-Type Signing Scheme Environment
```

Also see Section 4.1.4.3.

Appendix D. Transition Figure for Changing DNS Operators

The figure in this Appendix complements and illustrates the special case of changing DNS operators as described in Section 4.3.5.1.

```
------------------------------------------------------------
  new DS               |  pre-publish                       |
------------------------------------------------------------
Parent:
  NS_A                    NS_A
  DS_A  DS_B              DS_A  DS_B
------------------------------------------------------------
Child at A:              Child at A:           Child at B:
  SOA_A0                   SOA_A1                SOA_B0
  RRSIG_Z_A(SOA)           RRSIG_Z_A(SOA)        RRSIG_Z_B(SOA)
  NS_A                     NS_A                  NS_B
  RRSIG_Z_A(NS)            NS_B                  RRSIG_Z_B(NS)
                           RRSIG_Z_A(NS)
  DNSKEY_Z_A               DNSKEY_Z_A            DNSKEY_Z_A
                           DNSKEY_Z_B            DNSKEY_Z_B
  DNSKEY_K_A               DNSKEY_K_A            DNSKEY_K_B
  RRSIG_K_A(DNSKEY)        RRSIG_K_A(DNSKEY)     RRSIG_K_A(DNSKEY)
                           RRSIG_K_B(DNSKEY)     RRSIG_K_B(DNSKEY)
------------------------------------------------------------

------------------------------------------------------------
  re-delegation                                 |  post-migration
------------------------------------------------------------
Parent:
  NS_B                                             NS_B
  DS_A  DS_B                                       DS_B
------------------------------------------------------------
Child at A:              Child at B:           Child at B:
  SOA_A1                   SOA_B0                SOA_B1
  RRSIG_Z_A(SOA)           RRSIG_Z_B(SOA)        RRSIG_Z_B(SOA)
  NS_A                     NS_B                  NS_B
  NS_B                     RRSIG_Z_B(NS)         RRSIG_Z_B(NS)
  RRSIG_Z_A(NS)
  DNSKEY_Z_A               DNSKEY_Z_A
  DNSKEY_Z_B               DNSKEY_Z_B            DNSKEY_Z_B
  DNSKEY_K_A               DNSKEY_K_B            DNSKEY_K_B
  RRSIG_K_A(DNSKEY)        RRSIG_K_B(DNSKEY)     RRSIG_K_B(DNSKEY)
------------------------------------------------------------
   Figure 15: An Alternative Rollover Approach for Cooperating Operators
```
Appendix E. Summary of Changes from RFC 4641

This document differs from RFC 4641 [RFC4641] in the following ways:

o Addressed the errata listed on <http://www.rfc-editor.org/errata_search.php?rfc=4641>.

o Recommended RSA/SHA-256 in addition to RSA/SHA-1.

o Did a complete rewrite of Section 3.5 of RFC 4641 (Section 3.4.2 of this document), removing the table and suggesting a key size of 1024 for keys in use for less than 8 years, issued up to at least 2015.

o Removed the KSK for high-level zones consideration.

o Added text on algorithm rollover.

o Added text on changing (non-cooperating) DNS registrars.

o Did a significant rewrite of Section 3, whereby the argument is made that the timescales for rollovers are made purely on operational arguments.

o Added Section 5.

o Introduced Single-Type Signing Scheme terminology and made the arguments for the choice of a Single-Type Signing Scheme more explicit.

o Added a section about stand-by keys.

Authors' Addresses

Olaf M. Kolkman
NLnet Labs
Science Park 400
Amsterdam 1098 XH
The Netherlands
EMail: olaf@nlnetlabs.nl
URI: http://www.nlnetlabs.nl

W. (Matthijs) Mekking
NLnet Labs
Science Park 400
Amsterdam 1098 XH
The Netherlands
EMail: matthijs@nlnetlabs.nl
URI: http://www.nlnetlabs.nl

R. (Miek) Gieben
SIDN Labs
Meander 501
Arnhem 6825 MD
The Netherlands
EMail: miek.gieben@sidn.nl
URI: http://www.sidn.nl