summaryrefslogtreecommitdiffstats
path: root/contrib/bind9/doc/rfc/rfc3008.txt
diff options
context:
space:
mode:
Diffstat (limited to 'contrib/bind9/doc/rfc/rfc3008.txt')
-rw-r--r--contrib/bind9/doc/rfc/rfc3008.txt395
1 files changed, 0 insertions, 395 deletions
diff --git a/contrib/bind9/doc/rfc/rfc3008.txt b/contrib/bind9/doc/rfc/rfc3008.txt
deleted file mode 100644
index 08a4a8f..0000000
--- a/contrib/bind9/doc/rfc/rfc3008.txt
+++ /dev/null
@@ -1,395 +0,0 @@
-
-
-
-
-
-
-Network Working Group B. Wellington
-Request for Comments: 3008 Nominum
-Updates: 2535 November 2000
-Category: Standards Track
-
-
- Domain Name System Security (DNSSEC) Signing Authority
-
-Status of this Memo
-
- This document specifies an Internet standards track protocol for the
- Internet community, and requests discussion and suggestions for
- improvements. Please refer to the current edition of the "Internet
- Official Protocol Standards" (STD 1) for the standardization state
- and status of this protocol. Distribution of this memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2000). All Rights Reserved.
-
-Abstract
-
- This document proposes a revised model of Domain Name System Security
- (DNSSEC) Signing Authority. The revised model is designed to clarify
- earlier documents and add additional restrictions to simplify the
- secure resolution process. Specifically, this affects the
- authorization of keys to sign sets of records.
-
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
- document are to be interpreted as described in RFC 2119 [RFC2119].
-
-1 - Introduction
-
- This document defines additional restrictions on DNSSEC signatures
- (SIG) records relating to their authority to sign associated data.
- The intent is to establish a standard policy followed by a secure
- resolver; this policy can be augmented by local rules. This builds
- upon [RFC2535], updating section 2.3.6 of that document.
-
- The most significant change is that in a secure zone, zone data is
- required to be signed by the zone key.
-
- Familiarity with the DNS system [RFC1034, RFC1035] and the DNS
- security extensions [RFC2535] is assumed.
-
-
-
-
-
-
-Wellington Standards Track [Page 1]
-
-RFC 3008 DNSSEC Signing Authority November 2000
-
-
-2 - The SIG Record
-
- A SIG record is normally associated with an RRset, and "covers" (that
- is, demonstrates the authenticity and integrity of) the RRset. This
- is referred to as a "data SIG". Note that there can be multiple SIG
- records covering an RRset, and the same validation process should be
- repeated for each of them. Some data SIGs are considered "material",
- that is, relevant to a DNSSEC capable resolver, and some are
- "immaterial" or "extra-DNSSEC", as they are not relevant to DNSSEC
- validation. Immaterial SIGs may have application defined roles. SIG
- records may exist which are not bound to any RRset; these are also
- considered immaterial. The validation process determines which SIGs
- are material; once a SIG is shown to be immaterial, no other
- validation is necessary.
-
- SIGs may also be used for transaction security. In this case, a SIG
- record with a type covered field of 0 is attached to a message, and
- is used to protect message integrity. This is referred to as a
- SIG(0) [RFC2535, RFC2931].
-
- The following sections define requirements for all of the fields of a
- SIG record. These requirements MUST be met in order for a DNSSEC
- capable resolver to process this signature. If any of these
- requirements are not met, the SIG cannot be further processed.
- Additionally, once a KEY has been identified as having generated this
- SIG, there are requirements that it MUST meet.
-
-2.1 - Type Covered
-
- For a data SIG, the type covered MUST be the same as the type of data
- in the associated RRset. For a SIG(0), the type covered MUST be 0.
-
-2.2 - Algorithm Number
-
- The algorithm specified in a SIG MUST be recognized by the client,
- and it MUST be an algorithm that has a defined SIG rdata format.
-
-2.3 - Labels
-
- The labels count MUST be less than or equal to the number of labels
- in the SIG owner name, as specified in [RFC2535, section 4.1.3].
-
-2.4 - Original TTL
-
- The original TTL MUST be greater than or equal to the TTL of the SIG
- record itself, since the TTL cannot be increased by intermediate
- servers. This field can be ignored for SIG(0) records.
-
-
-
-
-Wellington Standards Track [Page 2]
-
-RFC 3008 DNSSEC Signing Authority November 2000
-
-
-2.5 - Signature Expiration and Inception
-
- The current time at the time of validation MUST lie within the
- validity period bounded by the inception and expiration times.
-
-2.6 - Key Tag
-
- There are no restrictions on the Key Tag field, although it is
- possible that future algorithms will impose constraints.
-
-2.7 - Signer's Name
-
- The signer's name field of a data SIG MUST contain the name of the
- zone to which the data and signature belong. The combination of
- signer's name, key tag, and algorithm MUST identify a zone key if the
- SIG is to be considered material. The only exception that the
- signer's name field in a SIG KEY at a zone apex SHOULD contain the
- parent zone's name, unless the KEY set is self-signed. This document
- defines a standard policy for DNSSEC validation; local policy may
- override the standard policy.
-
- There are no restrictions on the signer field of a SIG(0) record.
- The combination of signer's name, key tag, and algorithm MUST
- identify a key if this SIG(0) is to be processed.
-
-2.8 - Signature
-
- There are no restrictions on the signature field. The signature will
- be verified at some point, but does not need to be examined prior to
- verification unless a future algorithm imposes constraints.
-
-3 - The Signing KEY Record
-
- Once a signature has been examined and its fields validated (but
- before the signature has been verified), the resolver attempts to
- locate a KEY that matches the signer name, key tag, and algorithm
- fields in the SIG. If one is not found, the SIG cannot be verified
- and is considered immaterial. If KEYs are found, several fields of
- the KEY record MUST have specific values if the SIG is to be
- considered material and authorized. If there are multiple KEYs, the
- following checks are performed on all of them, as there is no way to
- determine which one generated the signature until the verification is
- performed.
-
-
-
-
-
-
-
-
-Wellington Standards Track [Page 3]
-
-RFC 3008 DNSSEC Signing Authority November 2000
-
-
-3.1 - Type Flags
-
- The signing KEY record MUST have a flags value of 00 or 01
- (authentication allowed, confidentiality optional) [RFC2535, 3.1.2].
- A DNSSEC resolver MUST only trust signatures generated by keys that
- are permitted to authenticate data.
-
-3.2 - Name Flags
-
- The interpretation of this field is considerably different for data
- SIGs and SIG(0) records.
-
-3.2.1 - Data SIG
-
- If the SIG record covers an RRset, the name type of the associated
- KEY MUST be 01 (zone) [RFC2535, 3.1.2]. This updates RFC 2535,
- section 2.3.6. The DNSSEC validation process performed by a resolver
- MUST ignore all keys that are not zone keys unless local policy
- dictates otherwise.
-
- The primary reason that RFC 2535 allows host and user keys to
- generate material DNSSEC signatures is to allow dynamic update
- without online zone keys; that is, avoid storing private keys in an
- online server. The desire to avoid online signing keys cannot be
- achieved, though, because they are necessary to sign NXT and SOA sets
- [RFC3007]. These online zone keys can sign any incoming data.
- Removing the goal of having no online keys removes the reason to
- allow host and user keys to generate material signatures.
-
- Limiting material signatures to zone keys simplifies the validation
- process. The length of the verification chain is bounded by the
- name's label depth. The authority of a key is clearly defined; a
- resolver does not need to make a potentially complicated decision to
- determine whether a key has the proper authority to sign data.
-
- Finally, there is no additional flexibility granted by allowing
- host/user key generated material signatures. As long as users and
- hosts have the ability to authenticate update requests to the primary
- zone server, signatures by zone keys are sufficient to protect the
- integrity of the data to the world at large.
-
-3.2.2 - SIG(0)
-
- If the SIG record is a SIG(0) protecting a message, the name type of
- the associated KEY SHOULD be 00 (user) or 10 (host/entity).
- Transactions are initiated by a host or user, not a zone, so zone
- keys SHOULD not generate SIG(0) records.
-
-
-
-
-Wellington Standards Track [Page 4]
-
-RFC 3008 DNSSEC Signing Authority November 2000
-
-
- A client is either explicitly executed by a user or on behalf of a
- host, therefore the name type of a SIG(0) generated by a client
- SHOULD be either user or host. A nameserver is associated with a
- host, and its use of SIG(0) is not associated with a particular zone,
- so the name type of a SIG(0) generated by a nameserver SHOULD be
- host.
-
-3.3 - Signatory Flags
-
- This document does not assign any values to the signatory field, nor
- require any values to be present.
-
-3.4 - Protocol
-
- The signing KEY record MUST have a protocol value of 3 (DNSSEC) or
- 255 (ALL). If a key is not specified for use with DNSSEC, a DNSSEC
- resolver MUST NOT trust any signature that it generates.
-
-3.5 - Algorithm Number
-
- The algorithm field MUST be identical to that of the generated SIG
- record, and MUST meet all requirements for an algorithm value in a
- SIG record.
-
-4 - Security Considerations
-
- This document defines a standard baseline for a DNSSEC capable
- resolver. This is necessary for a thorough security analysis of
- DNSSEC, if one is to be done.
-
- Specifically, this document places additional restrictions on SIG
- records that a resolver must validate before the signature can be
- considered worthy of DNSSEC trust. This simplifies the protocol,
- making it more robust and able to withstand scrutiny by the security
- community.
-
-5 - Acknowledgements
-
- The author would like to thank the following people for review and
- informative comments (in alphabetical order):
-
- Olafur Gudmundsson
- Ed Lewis
-
-
-
-
-
-
-
-
-Wellington Standards Track [Page 5]
-
-RFC 3008 DNSSEC Signing Authority November 2000
-
-
-6 - References
-
- [RFC1034] Mockapetris, P., "Domain Names - Concepts and Facilities",
- STD 13, RFC 1034, November 1987.
-
- [RFC1035] Mockapetris, P., "Domain Names - Implementation and
- Specification", STD 13, RFC 1035, November 1987.
-
- [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
- Requirement Levels", BCP 14, RFC 2119, March 1997.
-
- [RFC2136] Vixie (Ed.), P., Thomson, S., Rekhter, Y. and J. Bound,
- "Dynamic Updates in the Domain Name System", RFC 2136,
- April 1997.
-
- [RFC2535] Eastlake, D., "Domain Name System Security Extensions",
- RFC 2535, March 1999.
-
- [RFC2931] Eastlake, D., "DNS Request and Transaction Signatures
- (SIG(0)s )", RFC 2931, September 2000.
-
- [RFC3007] Wellington, B., "Simple Secure Domain Name System
- (DNS) Dynamic Update", RFC 3007, November 2000.
-
-7 - Author's Address
-
- Brian Wellington
- Nominum, Inc.
- 950 Charter Street
- Redwood City, CA 94063
-
- Phone: +1 650 381 6022
- EMail: Brian.Wellington@nominum.com
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Wellington Standards Track [Page 6]
-
-RFC 3008 DNSSEC Signing Authority November 2000
-
-
-8 Full Copyright Statement
-
- Copyright (C) The Internet Society (2000). All Rights Reserved.
-
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published
- and distributed, in whole or in part, without restriction of any
- kind, provided that the above copyright notice and this paragraph are
- included on all such copies and derivative works. However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be
- followed, or as required to translate it into languages other than
- English.
-
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assigns.
-
- This document and the information contained herein is provided on an
- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Acknowledgement
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Wellington Standards Track [Page 7]
-
OpenPOWER on IntegriCloud