Delegation Signer (DS) Resource Record (RR) (RFC3658)

IP.com Disclosure Number: IPCOM000021042D
Original Publication Date: 2003-Dec-01
Included in the Prior Art Database: 2003-Dec-18
Document File: 20 page(s) / 42K

Publishing Venue

Internet Society Requests For Comment (RFCs)

Related People

O. Gudmundsson: AUTHOR

Abstract

The delegation signer (DS) resource record (RR) is inserted at a zone cut (i.e., a delegation point) to indicate that the delegated zone is digitally signed and that the delegated zone recognizes the indicated key as a valid zone key for the delegated zone. The DS RR is a modification to the DNS Security Extensions definition, motivated by operational considerations. The intent is to use this resource record as an explicit statement about the delegation, rather than relying on inference.

This text was extracted from an ASCII text file.
This is the abbreviated version, containing approximately 9% of the total text.

Network Working Group                                    O. Gudmundsson
Request for Comments: 3658                                December 2003
Updates: 3090, 3008, 2535, 1035
Category: Standards Track

Delegation Signer (DS) Resource Record (RR)

Status of this Memo

This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (2003). All Rights Reserved.

Abstract

The delegation signer (DS) resource record (RR) is inserted at a zone cut (i.e., a delegation point) to indicate that the delegated zone is digitally signed and that the delegated zone recognizes the indicated key as a valid zone key for the delegated zone. The DS RR is a modification to the DNS Security Extensions definition, motivated by operational considerations. The intent is to use this resource record as an explicit statement about the delegation, rather than relying on inference.

This document defines the DS RR, gives examples of how it is used and describes the implications on resolvers. This change is not backwards compatible with RFC 2535. This document updates RFC 1035, RFC 2535, RFC 3008 and RFC 3090.
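The abstract describes the DS record as an explicit statement, published and signed by the parent, that a particular key is a zone key of the child. Concretely, the DS RDATA carries a key tag, the key's algorithm, a digest type and a digest computed over the canonical owner name of the delegated zone followed by the full RDATA of the child's KEY record (RFC 3658 defines only digest type 1, SHA-1). A validating resolver recomputes that digest from the key the child serves and compares it with the DS the parent signed. The following is an added example, not code from the RFC or from any DNS implementation: it builds a DS from a constructed zone key and performs the resolver-side match. The owner name, flags and public key bytes are made up for illustration; the key tag calculation follows RFC 2535 Appendix C.

```python
import hashlib
import hmac
import struct

DIGEST_TYPE_SHA1 = 1  # the only digest type RFC 3658 defines


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: labels lowercased, each
    prefixed by its length, terminated by the root (zero-length) label."""
    name = name.rstrip(".").lower()
    wire = b""
    if name:
        for label in name.split("."):
            if not 0 < len(label) < 64:
                raise ValueError(f"bad label in {name!r}")
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def key_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """RDATA of a KEY record: flags (16 bits), protocol, algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag (RFC 2535 Appendix C): a 16-bit checksum of the RDATA that
    lets a resolver pick candidate keys quickly; it has no security value."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, flags: int, protocol: int, algorithm: int, public_key: bytes) -> dict:
    """DS RDATA the parent publishes for a child zone key: SHA-1 over the
    canonical owner name followed by the complete KEY RDATA."""
    rdata = key_rdata(flags, protocol, algorithm, public_key)
    digest = hashlib.sha1(name_to_wire(owner) + rdata).digest()
    return {
        "key_tag": key_tag(rdata),
        "algorithm": algorithm,
        "digest_type": DIGEST_TYPE_SHA1,
        "digest": digest.hex().upper(),
    }


def ds_matches_key(ds: dict, owner: str, flags: int, protocol: int,
                   algorithm: int, public_key: bytes) -> bool:
    """Resolver-side check at the zone cut: recompute the DS from the key the
    child served and compare it with the DS the parent signed. A key whose
    digest type the resolver does not implement cannot be matched."""
    if ds["digest_type"] != DIGEST_TYPE_SHA1:
        return False
    candidate = make_ds(owner, flags, protocol, algorithm, public_key)
    return (
        candidate["key_tag"] == ds["key_tag"]
        and candidate["algorithm"] == ds["algorithm"]
        and hmac.compare_digest(candidate["digest"], ds["digest"])
    )


# Constructed sample zone key: flags 0x0100 marks a zone key, protocol 3 is
# DNSSEC, algorithm 5 is RSA/SHA-1; the public key bytes are made up.
SAMPLE_OWNER = "example.com."
SAMPLE_FLAGS, SAMPLE_PROTOCOL, SAMPLE_ALGORITHM = 0x0100, 3, 5
SAMPLE_PUBKEY = bytes.fromhex("0102030405060708")

if __name__ == "__main__":
    ds = make_ds(SAMPLE_OWNER, SAMPLE_FLAGS, SAMPLE_PROTOCOL, SAMPLE_ALGORITHM, SAMPLE_PUBKEY)
    print(f"{SAMPLE_OWNER} DS {ds['key_tag']} {ds['algorithm']} "
          f"{ds['digest_type']} {ds['digest']}")
    print("child key matches parent DS:",
          ds_matches_key(ds, SAMPLE_OWNER, SAMPLE_FLAGS, SAMPLE_PROTOCOL,
                         SAMPLE_ALGORITHM, SAMPLE_PUBKEY))
```

Because the owner name is part of the digest, the same key material published under a different name yields a different DS, which is why a DS is a statement about one specific delegation and not merely about a key. The digest comparison uses a constant-time compare as a matter of habit; the security of the scheme rests on the parent's signature over the DS RRset, not on the secrecy of the digest.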

Gudmundsson Standards Track [Page 1]

RFC 3658 Delegation Signer (DS) Resource Record (RR) December 2003

Table of Contents

1. Introduction. . . . . . . . . . . . . . . . . . . . . . . . . 3
   1.2. Reserved Words. . . . . . . . . . . . . . . . . . . . . 4
2. Specification of the Delegation key Signer. . . . . . . . . . 4
   2.1. Delegation Signer Record Model. . . . . . . . . . . . . 4
   2.2. Protocol Change . . . . . . . . . . . . . . . . . . . . 5
        2.2.1. RFC 2535 2.3.4 and 3.4: Special Considerations at Delegation Points . . . . . 6
               2.2.1.1. Special processing for DS queries. . . 6
               2.2.1.2. Special processing when child and an ancestor share nameserver. . . 7
               2.2.1.3. Modification on use of KEY RR in the construction of Responses. . . 8
        2.2.2. Signer's Name (replaces RFC3008 section 2.7). . 9
        2.2.3. Changes to RFC 3090 . . . . . . . . . . . . . . 9
               2.2.3.1. RFC 3090: Updates to section 1: Introduction . . . 9
               2.2.3.2. RFC 3090 section 2.1: Globally Secured. . . 10
               2.2.3.3. RFC 3090 section 3: Experimental Status . . . 10
        2.2.4. NULL KEY elimination. . . . . . . . . . . . . . 10
   2.3. Comments on Protocol Changes. . . . . . . . . . . . . . 10
   2.4. Wire Format of the DS record. . . . . . . . . . . . . . 11
        2.4.1. Justifications for Fields . . . . . . . . . . . 12
   2.5. Presentation Format of the DS Record. . . . . . . . . . 12
   2.6. Transition Issues for Installed Base. . . . . . . . . . 12
        2.6.1. Backwards compatibility with RFC 2535 and RFC 1035. . . 12
   2.7. KEY and corresponding DS record exa...