Dismiss
The IQ application will be briefly unavailable on Sunday, March 31st, starting at 10:00am ET. Access will be restored as quickly as possible.
Browse Prior Art Database

Domain Name System KEY (DNSKEY) Resource Record (RR) Secure Entry Point (SEP) Flag (RFC3757)

IP.com Disclosure Number: IPCOM000028682D
Original Publication Date: 2004-Apr-01
Included in the Prior Art Database: 2019-Feb-11
Document File: 8 page(s) / 13K

Publishing Venue

Internet Society Requests For Comment (RFCs)

Related People

O. Kolkman: AUTHOR [+2]

Related Documents

10.17487/RFC3757: DOI

Abstract

With the Delegation Signer (DS) resource record (RR), the concept of a public key acting as a secure entry point (SEP) has been introduced. During exchanges of public keys with the parent there is a need to differentiate SEP keys from other public keys in the Domain Name System KEY (DNSKEY) resource record set. A flag bit in the DNSKEY RR is defined to indicate that DNSKEY is to be used as a SEP. The flag bit is intended to assist in operational procedures to correctly generate DS resource records, or to indicate what DNSKEYs are intended for static configuration. The flag bit is not to be used in the DNS verification protocol. This document updates RFC 2535 and RFC 3755. [STANDARDS-TRACK]

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 22% of the total text.

Network Working Group O. Kolkman Request for Comments: 3757 RIPE NCC Updates: 3755, 2535 J. Schlyter Category: Standards Track NIC-SE E. Lewis ARIN April 2004

Domain Name System KEY (DNSKEY) Resource Record (RR) Secure Entry Point (SEP) Flag

Status of this Memo

This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (2004). All Rights Reserved.

Abstract

With the Delegation Signer (DS) resource record (RR), the concept of a public key acting as a secure entry point (SEP) has been introduced. During exchanges of public keys with the parent there is a need to differentiate SEP keys from other public keys in the Domain Name System KEY (DNSKEY) resource record set. A flag bit in the DNSKEY RR is defined to indicate that DNSKEY is to be used as a SEP. The flag bit is intended to assist in operational procedures to correctly generate DS resource records, or to indicate what DNSKEYs are intended for static configuration. The flag bit is not to be used in the DNS verification protocol. This document updates RFC 2535 and RFC 3755.

Kolkman, et al. Standard Track [Page 1]

RFC 3757 DNSKEY RR SEP Flag April 2004

Table of Contents

1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2 2. The Secure Entry Point (SEP) Flag. . . . . . . . . . . . . . . 4 3. DNSSEC Protocol Changes. . . . . . . . . . . . . . . . . . . . 4 4. Operational Guidelines . . . . . . . . . . . . . . . . . . . . 4 5. Security Considerations. . . . . . . . . . . . . . . . . . . . 5 6. IANA Considerations. . . . . . . . . . . . . . . . . . . . . . 6 7. Internationalization Considerations. . . . . . . . . . . . . . 6 8. Acknowledgments. . . . . . . . . . . . . . . . . . . . . . . . 6 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 6 9.1. Normative References . . . . . . . . . . . . . . . . . . 6 9.2. Informative References . . . . . . . . . . . . . . . . . 6 10. Authors’ Addresses . . . . . . . . . . . . . . . . . . . . . . 7 11. Full Copyright Statement . . . . . . . . . . . . . . . . . . . 8

1. Introduction

"All keys are equal but some keys are more equal than others" [6].

With the definition of the Delegation Signer Resource Record (DS RR) [5], it has become important to differentiate between the keys in the DNSKEY RR set that are (to be) pointed to by parental DS RRs and the other keys in the DNSKEY RR set. We refer to these public keys as Secure Entry Point (SEP) keys. A SEP key either used to generate a DS RR or is distributed to resolvers that use the key as the root of a trusted subtree [3].

In early deployment tests, the use of two (kinds of) key pairs for each zone has been prevalent. For one kind of key pair the private ke...

Processing...
Loading...