DNSSEC Trust Anchor Publication for the Root Zone
draft-jabley-dnssec-trust-anchor-07
| Field | Value |
|---|---|
| Document type | This is an older version of an Internet-Draft that was ultimately published as RFC 7958. |
| Authors | Joe Abley, Jakob Schlyter, Guillaume Bailey |
| Last updated | 2013-06-10 |
| RFC stream | (None) |
| IETF conflict review | conflict-review-jabley-dnssec-trust-anchor |
| Stream state | (No stream defined) |
| Consensus boilerplate | Unknown |
| RFC Editor Note | (None) |
| IESG state | Became RFC 7958 (Informational) |
| Telechat date | (None) |
| Responsible AD | (None) |
| Send notices to | (None) |
Appendix A.  Trust Anchor Publication Document Schema

   A Relax NG Compact Schema for the documents used to publish trust
   anchors can be found in Figure 1.

   datatypes xsd = "http://www.w3.org/2001/XMLSchema-datatypes"

   start = element TrustAnchor {
       attribute id { xsd:string },
       attribute source { xsd:string },
       element Zone { xsd:string },

       keydigest+
   }

   keydigest = element KeyDigest {
       attribute id { xsd:string },
       attribute validFrom { xsd:dateTime },
       attribute validUntil { xsd:dateTime }?,

       element KeyTag {
               xsd:nonNegativeInteger { maxInclusive = "65535" } },
       element Algorithm {
               xsd:nonNegativeInteger { maxInclusive = "255" } },
       element DigestType {
               xsd:nonNegativeInteger { maxInclusive = "255" } },
       element Digest { xsd:hexBinary },
       element Certificate {
               attribute source { xsd:string },
               empty
       }+
   }

                                 Figure 1

Abley, et al.           Expires December 13, 2013              [Page 14]
Internet-Draft    Root Zone Trust Anchor Publication           June 2013

Appendix B.  Example Signed Trust Anchor Set

   Figure 2 describes two trust anchors for the root zone such as might
   be retrieved using the URL
   <https://data.iana.org/root-anchors/root-anchors.xml>.

   <?xml version="1.0" encoding="UTF-8"?>
   <TrustAnchor
       id="AD42165F-B099-4778-8F42-D34A1D41FD93"
       source="http://data.iana.org/root-anchors/root-anchors.xml">
       <Zone>.</Zone>
       <KeyDigest id="42"
                  validFrom="2010-07-01T00:00:00-00:00"
                  validUntil="2010-08-01T00:00:00-00:00">
           <KeyTag>34291</KeyTag>
           <Algorithm>5</Algorithm>
           <DigestType>1</DigestType>
           <Digest>c8cb3d7fe518835490af8029c23efbce6b6ef3e2</Digest>
       </KeyDigest>
       <KeyDigest id="53"
                  validFrom="2010-08-01T00:00:00-00:00">
           <KeyTag>12345</KeyTag>
           <Algorithm>5</Algorithm>
           <DigestType>1</DigestType>
           <Digest>a3cf809dbdbc835716ba22bdc370d2efa50f21c7</Digest>
           <Certificate
               source="http://data.iana.org/root-anchors/Kexample1.crt"/>
           <Certificate
               source="http://data.iana.org/root-anchors/Kexample2.crt"/>
       </KeyDigest>
   </TrustAnchor>

                                 Figure 2

Appendix C.  ASN.1 Module for DNS Resource Record

   ResourceRecord
       { iso(1) identified-organization(3) dod(6) internet(1) security(5)
         mechanisms(5) pkix(7) id-mod(0) id-mod-dns-resource-record(70) }

   DEFINITIONS IMPLICIT TAGS ::=

   BEGIN

   -- EXPORTS ALL --

   IMPORTS

   caseIgnoreMatch FROM SelectedAttributeTypes
       { joint-iso-itu-t ds(5) module(1) selectedAttributeTypes(5) 4 }

   ;

   iana OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
       dod(6) internet(1) private(4) enterprise(1) 1000 }

   iana-dns OBJECT IDENTIFIER ::= { iana 53 }

   resourceRecord ATTRIBUTE ::= {
       WITH SYNTAX IA5String
       EQUALITY MATCHING RULE caseIgnoreIA5Match
       ID iana-dns
   }

   END

Appendix D.  Historical Note

   The first KSK for use in the root zone of the DNS was generated at a
   key ceremony at an ICANN Key Management Facility (KMF) in Culpeper,
   Virginia, USA on 2010-06-16.  This key entered production during a
   second key ceremony held at an ICANN KMF in El Segundo, California,
   USA on 2010-07-12.  The resulting trust anchor was first published on
   2010-07-15.

Appendix E.  About this Document

   [RFC Editor: please remove this section, including all subsections,
   prior to publication.]

E.1.  Discussion

   This document is not the product of any IETF working group.  However,
   communities interested in similar technical work can be found at the
   IETF in the DNSOP and DNSEXT working groups.

   The team responsible for deployment of DNSSEC in the root zone can be
   reached at rootsign@icann.org.

   The authors also welcome feedback sent to them directly.

E.2.  Document History

E.2.1.  draft-jabley-dnssec-trust-anchor-00

   This document is based on earlier documentation used within and
   published by the team responsible for DNSSEC deployment in the root
   zone.  This is the first revision circulated with the intention of
   publication in the RFC series.

E.2.2.  draft-jabley-dnssec-trust-anchor-01

   Incorporated initial community suggestions.  Editorial improvements.
   Allocate OID and clean up syntax of ASN.1 module.

E.2.3.  draft-jabley-dnssec-trust-anchor-02

   Draft expired.

E.2.4.  draft-jabley-dnssec-trust-anchor-04

   Added the optional <Certificate> element to the XML schema to provide
   a mechanism for locating external X.509 certificates relating to a
   particular key.

E.2.5.  draft-jabley-dnssec-trust-anchor-05

   Update author address.

E.2.6.  draft-jabley-dnssec-trust-anchor-06

   Update references.

E.2.7.  draft-jabley-dnssec-trust-anchor-07

   Minor changes based on review by Paul Hoffman.

Authors' Addresses

   Joe Abley
   ICANN
   12025 Waterfront Drive, Suite 300
   Los Angeles, CA  90094-2536
   US

   Phone: +1 519 670 9327
   Email: joe.abley@icann.org

   Jakob Schlyter
   Kirei AB

   Email: jakob@kirei.se

   Guy Bailey
   Microsoft Corporation
   One Microsoft Way
   Redmond, WA  98052
   US

   Phone: +1 425 538 6153 x86153
   Email: gubailey@microsoft.com
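An added example, not part of the draft: the Python below parses a document shaped like Figure 2, enforces the value ranges from the Figure 1 schema, and renders the KeyDigest entries valid at a given time as DS records. The function names, the reading of validFrom as inclusive and validUntil as exclusive, and the prior verification of the document's signature are assumptions.

```python
# Added example, not from the draft; names and the validity-window rule are assumptions.
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed sample: Figure 2 with the XML declaration and Certificate elements omitted.
SAMPLE = """<TrustAnchor id="AD42165F-B099-4778-8F42-D34A1D41FD93"
  source="http://data.iana.org/root-anchors/root-anchors.xml">
<Zone>.</Zone>
<KeyDigest id="42" validFrom="2010-07-01T00:00:00-00:00"
  validUntil="2010-08-01T00:00:00-00:00">
<KeyTag>34291</KeyTag><Algorithm>5</Algorithm><DigestType>1</DigestType>
<Digest>c8cb3d7fe518835490af8029c23efbce6b6ef3e2</Digest>
</KeyDigest>
<KeyDigest id="53" validFrom="2010-08-01T00:00:00-00:00">
<KeyTag>12345</KeyTag><Algorithm>5</Algorithm><DigestType>1</DigestType>
<Digest>a3cf809dbdbc835716ba22bdc370d2efa50f21c7</Digest>
</KeyDigest>
</TrustAnchor>"""

def _bounded(kd, name, limit):
    """Read a non-negative integer child and enforce the schema's maxInclusive."""
    text = (kd.findtext(name) or "").strip()
    if not text.isdigit() or int(text) > limit:
        raise ValueError(f"{name} missing or out of range in KeyDigest {kd.get('id')}")
    return int(text)

def _when(value):
    """Parse an xsd:dateTime; a value with no UTC offset is rejected, not guessed."""
    ts = datetime.fromisoformat((value or "").replace("Z", "+00:00"))
    if ts.tzinfo is None:
        raise ValueError(f"dateTime without offset: {value}")
    return ts

def active_ds_records(xml_text, now):
    """Return DS lines for KeyDigests with validFrom <= now < validUntil (assumed rule)."""
    root = ET.fromstring(xml_text)
    zone = (root.findtext("Zone") or "").strip()
    if root.tag != "TrustAnchor" or not zone:
        raise ValueError("not a TrustAnchor document")
    records = []
    for kd in root.findall("KeyDigest"):
        tag, alg = _bounded(kd, "KeyTag", 65535), _bounded(kd, "Algorithm", 255)
        dtype = _bounded(kd, "DigestType", 255)
        digest = bytes.fromhex((kd.findtext("Digest") or "").strip())  # xsd:hexBinary
        if not digest:
            raise ValueError(f"empty Digest in KeyDigest {kd.get('id')}")
        start, end = _when(kd.get("validFrom")), kd.get("validUntil")
        if start <= now and (end is None or now < _when(end)):
            records.append(f"{zone} IN DS {tag} {alg} {dtype} {digest.hex()}")
    return records
```

Pass `now` as a timezone-aware datetime; any malformed field raises ValueError so that a damaged document is rejected whole instead of yielding a partial anchor set.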