Notes from the State-Of-The-Technology: DNSSEC (RFC3130)

IP.com Disclosure Number: IPCOM000005314D
Original Publication Date: 2001-Jun-01
Included in the Prior Art Database: 2001-Aug-21
Document File: 11 page(s) / 22K

Publishing Venue

Internet Society Requests For Comment (RFCs)

Related People

E. Lewis: AUTHOR

Abstract

This is a memo of a DNSSEC (Domain Name System Security Extensions) status meeting.

This text was extracted from an ASCII Text document.
This is the abbreviated version, containing approximately 15% of the total text.

Network Working Group                                           E. Lewis
Request for Comments: 3130                                      NAI Labs
Category: Informational                                        June 2001

Notes from the State-Of-The-Technology: DNSSEC

Status of this Memo

This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (2001). All Rights Reserved.

1.0 Introduction

A meeting of groups involved in the development of the DNS Security Extensions (DNSSEC) was held in conjunction with the 49th IETF. The discussion covered the extent of current efforts, a discussion of what questions are being asked of DNSSEC, and what is needed by the IETF to progress the definition to the Draft Standard level.

DNSSEC [RFC 2535] has been under consideration for quite a few years, with RFC 2535 being the core of the most recent definition. DNSSEC is part of the charter of two working groups, DNSEXT and DNSOP. ISC's BIND v8.2 implemented part of the specification; BIND v9 represents the first full implementation. In 1999 and 2000, more than a half dozen workshops were held to test the concepts and the earliest versions of implementations. But to date, DNSSEC is not in common use.

The current collective wisdom is that DNSSEC is 1) important, 2) a buzzword, 3) hard, 4) immature. To capture the true state of the technology and identify where work is needed, an informal gathering of groups known to be involved in DNSSEC was held in conjunction with the 49th IETF. The attendees represented NLnet Labs, The Foundation for Internet Infrastructure, RIPE NCC, ARIN, CAIRN (ISI and NAI Labs), NIST, DISA, RSSAC, Network Associates and Verisign (COM/NET/ORG TLDs).

The agenda of the meeting consisted of three items. Reports from each group on their current research goals were followed by a discussion of questions being asked of DNSSEC. Finally, with reaching Draft Standard status as a goal, what was needed to make this happen was considered.

This report is not simply a transcript of the meeting; it is a summary. Some of the information presented here was obtained in direct contact with participants after the meeting.

1.1 What does the term "DNSSEC" mean?

One of the comments made during discussions is that DNSSEC does not refer to just one monolithic technology. The term has come to refer to a "toolbox" of techniques and methodologies that, when used properly, can improve the integrity of the DNS. Given this observation, it can be seen that some portions of DNSSEC are evolving much more rapidly than other portions. In particular, TSIG [RFC 2845] has certainly reached a level of "being deployable" for zone transfers.

The following four components are considered to be part of DNSSEC. The concept of digital signature protection of DNS traffic as described in RFC 2535 and a few support docum...