Delegation Signer (DS) Resource Record (RR)
RFC 3658
| Field | Value |
|---|---|
| Type | RFC - Proposed Standard (December 2003; no errata); updated by RFC 3755 |
| Author | Ólafur Guðmundsson |
| Last updated | 2015-10-14 |
| Stream | Internet Engineering Task Force (IETF) |
| WG state | (None) |
| Document shepherd | No shepherd assigned |
| IESG state | RFC 3658 (Proposed Standard) |
| Action Holders | (None) |
| Consensus Boilerplate | Unknown |
| Telechat date | (none) |
| Responsible AD | Thomas Narten |
| IESG note | Please start last call. |
| Send notices to | <okolkman@ripe.net> |
Network Working Group                                   O. Gudmundsson
Request for Comments: 3658                               December 2003
Updates: 3090, 3008, 2535, 1035
Category: Standards Track

Delegation Signer (DS) Resource Record (RR)

Status of this Memo

This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (2003). All Rights Reserved.

Abstract

The delegation signer (DS) resource record (RR) is inserted at a zone cut (i.e., a delegation point) to indicate that the delegated zone is digitally signed and that the delegated zone recognizes the indicated key as a valid zone key for the delegated zone. The DS RR is a modification to the DNS Security Extensions definition, motivated by operational considerations. The intent is to use this resource record as an explicit statement about the delegation, rather than relying on inference.

This document defines the DS RR, gives examples of how it is used and describes the implications on resolvers. This change is not backwards compatible with RFC 2535. This document updates RFC 1035, RFC 2535, RFC 3008 and RFC 3090.

Gudmundsson                 Standards Track                     [Page 1]

Table of Contents

   1. Introduction (p. 3)
      1.2. Reserved Words (p. 4)
   2. Specification of the Delegation key Signer (p. 4)
      2.1. Delegation Signer Record Model (p. 4)
      2.2. Protocol Change (p. 5)
         2.2.1. RFC 2535 2.3.4 and 3.4: Special Considerations at Delegation Points (p. 6)
            2.2.1.1. Special processing for DS queries (p. 6)
            2.2.1.2. Special processing when child and an ancestor share nameserver (p. 7)
            2.2.1.3. Modification on use of KEY RR in the construction of Responses (p. 8)
         2.2.2. Signer's Name (replaces RFC3008 section 2.7) (p. 9)
         2.2.3. Changes to RFC 3090 (p. 9)
            2.2.3.1. RFC 3090: Updates to section 1: Introduction (p. 9)
            2.2.3.2. RFC 3090 section 2.1: Globally Secured (p. 10)
            2.2.3.3. RFC 3090 section 3: Experimental Status (p. 10)
         2.2.4. NULL KEY elimination (p. 10)
      2.3. Comments on Protocol Changes (p. 10)
      2.4. Wire Format of the DS record (p. 11)
         2.4.1. Justifications for Fields (p. 12)
      2.5. Presentation Format of the DS Record (p. 12)
      2.6. Transition Issues for Installed Base (p. 12)
         2.6.1. Backwards compatibility with RFC 2535 and RFC 1035 (p. 12)
      2.7. KEY and corresponding DS record example (p. 13)
   3. Resolver (p. 14)
      3.1. DS Example (p. 14)
      3.2. Resolver Cost Estimates for DS Records (p. 15)
   4. Security Considerations (p. 15)
   5. IANA Considerations (p. 16)
   6. Intellectual Property Statement (p. 16)
   7. Acknowledgments (p. 17)
   8. References (p. 17)
      8.1. Normative References (p. 17)
      8.2. Informational References (p. 17)
   9. Author's Address (p. 18)
   10. Full Copyright Statement (p. 19)

1. Introduction

Familiarity with the DNS system [RFC1035], DNS security extensions [RFC2535], and DNSSEC terminology [RFC3090] is important. Experience shows that when the same data can reside in two administratively different DNS zones, the data frequently gets out of
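As an added example, not code from the RFC or from the datatracker page, the following Python shows the mechanism the abstract describes: how a parent zone derives the DS RR that names one of the child's zone keys, and how a validator checks that a DNSKEY it received from the child is the one the parent vouched for. The key tag and digest computation follow RFC 3658 section 2.4 (SHA-1, digest type 1, over the canonical owner name followed by the key RDATA; key tag per RFC 2535 Appendix C). The owner name, key bytes and function names are constructed for illustration and are not taken from the RFC's own example in section 2.7.

```python
import hashlib
import hmac
import struct


def canonical_owner_name(name: str) -> bytes:
    """Owner name in DNS wire format, canonicalised: lowercase labels, fully
    qualified, terminated by the root label (a zero-length byte)."""
    name = name.rstrip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 1 <= len(raw) <= 63:
                raise ValueError(f"bad label length: {label!r}")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """KEY/DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, key material."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Checksum-style key tag (RFC 2535 Appendix C): 16-bit words of the RDATA
    are summed, the carry is folded back in, and the low 16 bits are kept.
    Algorithm 1 (RSA/MD5) defines a different key tag and is not handled here."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner: str, flags: int, protocol: int, algorithm: int, public_key: bytes) -> dict:
    """Parent-side: build the DS RDATA fields for a child zone key.
    Digest type 1 = SHA-1 over canonical owner name || DNSKEY RDATA (RFC 3658 2.4)."""
    if algorithm == 1:
        raise ValueError("algorithm 1 uses a modulus-based key tag; not implemented here")
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key)
    digest = hashlib.sha1(canonical_owner_name(owner) + rdata).hexdigest()
    return {"key_tag": key_tag(rdata), "algorithm": algorithm,
            "digest_type": 1, "digest": digest}


def ds_presentation(owner: str, ds: dict) -> str:
    """Presentation format (RFC 3658 2.5): key tag, algorithm, digest type, hex digest."""
    return (f"{owner} IN DS {ds['key_tag']} {ds['algorithm']} "
            f"{ds['digest_type']} {ds['digest'].upper()}")


def ds_matches_dnskey(ds: dict, owner: str, flags: int, protocol: int,
                      algorithm: int, public_key: bytes) -> bool:
    """Validator-side: does the DS obtained from the parent authenticate this
    DNSKEY obtained from the child? Only digest type 1 exists in RFC 3658, so
    an unknown digest type cannot be verified and must not be treated as a match."""
    if ds["digest_type"] != 1:
        return False
    cand = ds_from_dnskey(owner, flags, protocol, algorithm, public_key)
    return (cand["key_tag"] == ds["key_tag"]
            and cand["algorithm"] == ds["algorithm"]
            and hmac.compare_digest(cand["digest"], ds["digest"].lower()))


if __name__ == "__main__":
    # Constructed sample: a (meaningless) 4-byte key under "example." with
    # flags 257 (zone key + secure entry point), protocol 3, algorithm 5.
    sample_key = b"\x01\x02\x03\x04"
    ds = ds_from_dnskey("example.", 257, 3, 5, sample_key)
    print(ds_presentation("example.", ds))
    print("child key accepted:", ds_matches_dnskey(ds, "example.", 257, 3, 5, sample_key))
    print("altered key accepted:", ds_matches_dnskey(ds, "example.", 257, 3, 5, b"\x01\x02\x03\x05"))
```

The check in `ds_matches_dnskey` is the step that turns the DS into the "explicit statement about the delegation" the abstract refers to: a validator only trusts a child zone key if the parent-published DS reproduces its key tag, algorithm and digest. Owner-name canonicalisation matters because the digest covers the name, so `EXAMPLE.` and `example.` must hash identically. SHA-1 is the only digest type RFC 3658 defines; later DNSSEC specifications added SHA-256 (digest type 2, RFC 4509), which is what current deployments publish, and the same derivation applies with the hash function swapped.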