
Legacy Resolver Compatibility for Delegation Signer (DS) (RFC3755)

IP.com Disclosure Number: IPCOM000028681D
Original Publication Date: 2004-May-01
Included in the Prior Art Database: 2004-May-27
Document File: 10 page(s) / 20K

Publishing Venue

Internet Society Requests For Comment (RFCs)

Related People

S. Weiler: AUTHOR

Abstract

As the DNS Security (DNSSEC) specifications have evolved, the syntax and semantics of the DNSSEC resource records (RRs) have changed. Many deployed nameservers understand variants of these semantics. Dangerous interactions can occur when a resolver that understands an earlier version of these semantics queries an authoritative server that understands the new delegation signer semantics, including at least one failure scenario that will cause an unsecured zone to be unresolvable. This document changes the type codes and mnemonics of the DNSSEC RRs (SIG, KEY, and NXT) to avoid those interactions.

This text was extracted from an ASCII text file.
This is the abbreviated version, containing approximately 14% of the total text.

Network Working Group                                          S. Weiler
Request for Comments: 3755                                  SPARTA, Inc.
Updates: 3658, 2535                                             May 2004
Category: Standards Track

        Legacy Resolver Compatibility for Delegation Signer (DS)

Status of this Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2004).  All Rights Reserved.

Abstract

   As the DNS Security (DNSSEC) specifications have evolved, the syntax
   and semantics of the DNSSEC resource records (RRs) have changed.
   Many deployed nameservers understand variants of these semantics.
   Dangerous interactions can occur when a resolver that understands an
   earlier version of these semantics queries an authoritative server
   that understands the new delegation signer semantics, including at
   least one failure scenario that will cause an unsecured zone to be
   unresolvable.  This document changes the type codes and mnemonics of
   the DNSSEC RRs (SIG, KEY, and NXT) to avoid those interactions.
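   The following is an added example, not part of RFC 3755 or of the
   IP.com record, illustrating why reassigning type codes defuses the
   interaction the abstract describes.  It models two resolver
   generations: one that knows only the pre-3755 DNSSEC types
   (SIG, KEY, NXT) and one that knows only the codes this RFC
   introduces (RRSIG, NSEC, DNSKEY).  The numeric type codes (SIG 24,
   KEY 25, NXT 30, DS 43, RRSIG 46, NSEC 47, DNSKEY 48) come from the
   IANA DNS parameters registry, not from this page; the assumption that
   a resolver carries an unrecognised type code opaquely as TYPEnnn
   follows RFC 3597.  The owner name and RDATA bytes are constructed
   placeholders, and the parser handles uncompressed names only.

```python
import struct

# Type codes and mnemonics from the IANA DNS parameters registry (not on this page).
LEGACY_TYPES = {24: "SIG", 25: "KEY", 30: "NXT"}        # pre-RFC 3755 DNSSEC RRs
DS_ERA_TYPES = {46: "RRSIG", 47: "NSEC", 48: "DNSKEY"}  # codes assigned by RFC 3755
OTHER_TYPES = {1: "A", 2: "NS", 43: "DS"}


def encode_name(name):
    """Encode a dotted name as uncompressed wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def encode_rr(name, rtype, rdata, ttl=3600, rclass=1):
    """Build one wire-format RR: NAME TYPE CLASS TTL RDLENGTH RDATA."""
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


def decode_name(buf, off):
    """Decode an uncompressed wire-format name; return (name, new_offset)."""
    labels = []
    while True:
        n = buf[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointers are not supported by this toy parser")
        labels.append(buf[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels) + ".", off


def parse_rrs(buf):
    """Parse a concatenation of wire-format RRs into (name, type_code, rdata) tuples."""
    rrs = []
    off = 0
    while off < len(buf):
        name, off = decode_name(buf, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
        off += 10
        rrs.append((name, rtype, bytes(buf[off:off + rdlen])))
        off += rdlen
    return rrs


def resolver_view(buf, generation):
    """
    Classify each RR the way a resolver of the given generation would.
    generation="legacy": knows only the SIG/KEY/NXT type codes.
    generation="ds":     knows only the RRSIG/NSEC/DNSKEY type codes.
    A type code the resolver does not know is treated as an opaque unknown
    type (assumption: RFC 3597 handling), so no DNSSEC semantics of the
    wrong generation are ever applied to it.
    """
    known = LEGACY_TYPES if generation == "legacy" else DS_ERA_TYPES
    view = []
    for name, rtype, _rdata in parse_rrs(buf):
        if rtype in known:
            view.append((name, known[rtype], "apply-dnssec-semantics"))
        elif rtype in OTHER_TYPES:
            view.append((name, OTHER_TYPES[rtype], "ordinary"))
        else:
            view.append((name, "TYPE%d" % rtype, "opaque-unknown"))
    return view


# Constructed sample data: the same delegation expressed with the old and the
# new type codes.  RDATA bytes are placeholders; only the type codes matter here.
OLD_STYLE = (encode_rr("example.", 2, b"ns")
             + encode_rr("example.", 24, b"sig")
             + encode_rr("example.", 30, b"nxt"))
NEW_STYLE = (encode_rr("example.", 2, b"ns")
             + encode_rr("example.", 46, b"rrsig")
             + encode_rr("example.", 47, b"nsec"))

if __name__ == "__main__":
    for label, data in (("old-style", OLD_STYLE), ("new-style", NEW_STYLE)):
        for gen in ("legacy", "ds"):
            print(label, "seen by", gen, "resolver:", resolver_view(data, gen))
```

   Running it shows the point of the renumbering: a legacy resolver
   applies its old SIG/NXT semantics only to records carrying the old
   codes, while the RRSIG/NSEC records a DS-era server returns pass
   through it as opaque TYPE46/TYPE47 data instead of being
   misinterpreted.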

1.  Introduction

   The DNSSEC protocol has been through many iterations whose syntax and
   semantics are not completely compatible.  This has occurred as part
   of the ordinary process of proposing a protocol, implementing it,
   testing it in the increasingly complex and diverse environment of the
   Internet, and refining the definitions of the initial Proposed
   Standard.  In the case of DNSSEC, the process has been complicated by
   DNS's criticality and wide deployment and the need to add security
   while minimizing daily operational complexity.

   A weak area for previous DNS specifications has been lack of detail
   in specifying resolver behavior, leaving implementors largely on
   their own to determine many details of resolver function.  This,
   combined with the number of iterations the DNSSEC specifications have
   been through, has resulted in fielded code with a wide variety of

Weiler                      Standards Track                     [Page 1]

RFC 3755          Legacy Resolver Compatibility for DS          May 2004

   behaviors.  This variety makes it difficult to predict how a protocol
   change will be handled by all deployed resolvers.  The risk that a
   change will cause unacceptable or even catastrophic failures makes it
   difficult to design and deploy a protocol change.  One...