mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-09-01 06:55:30 +00:00

new draft

This commit is contained in:
Mark Andrews
2005-12-14 00:14:31 +00:00
parent 272ccfe977
commit 15909e3040


@@ -3,11 +3,11 @@
Network Working Group W. Hardaker Network Working Group W. Hardaker
Internet-Draft Sparta Internet-Draft Sparta
Expires: June 2, 2006 November 29, 2005 Expires: June 12, 2006 December 9, 2005
Use of SHA-256 in DNSSEC Delegation Signer (DS) Resource Records (RRs) Use of SHA-256 in DNSSEC Delegation Signer (DS) Resource Records (RRs)
draft-ietf-dnsext-ds-sha256-01.txt draft-ietf-dnsext-ds-sha256-02.txt
Status of this Memo Status of this Memo
@@ -32,7 +32,7 @@ Status of this Memo
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on June 2, 2006. This Internet-Draft will expire on June 12, 2006.
Copyright Notice Copyright Notice
@@ -52,9 +52,9 @@ Abstract
Hardaker Expires June 2, 2006 [Page 1] Hardaker Expires June 12, 2006 [Page 1]
Internet-Draft Use of SHA-256 in DNSSEC DS RRs November 2005 Internet-Draft Use of SHA-256 in DNSSEC DS RRs December 2005
Table of Contents Table of Contents
@@ -108,18 +108,20 @@ Table of Contents
Hardaker Expires June 2, 2006 [Page 2] Hardaker Expires June 12, 2006 [Page 2]
Internet-Draft Use of SHA-256 in DNSSEC DS RRs November 2005 Internet-Draft Use of SHA-256 in DNSSEC DS RRs December 2005
1. Introduction 1. Introduction
The DNSSEC [RFC4033] [RFC4034] [RFC4035] DS RR is published in parent The DNSSEC [RFC4033] [RFC4034] [RFC4035] DS RR is published in parent
zones to distribute a cryptographic digest of a child's Key Signing zones to distribute a cryptographic digest of a child's Key Signing
Key (KSK) DNSKEY RR. This DS RR is signed using the parent zone's Key (KSK) DNSKEY RR. The DS RRset is signed by at least one of the
private half of it's DNSKEY and the signature is published in a RRSIG parent zone's private zone data signing keys for each algorithm in
record. use by the parent. Each signature is published in an RRSIG resource
record, owned by the same domain as the DS RRset and with a type
covered of DS.
2. Implementing the SHA-256 algorithm for DS record support 2. Implementing the SHA-256 algorithm for DS record support
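Review bot: the rewritten second sentence of the Introduction now states a normative-sounding rule ("signed by at least one of the parent zone's private zone data signing keys for each algorithm in use by the parent") without a citation; since this is the existing DNSSEC signing rule rather than something this draft introduces, add a pointer to the relevant section of [RFC4035] so readers do not take it as new. The trailing clause "owned by the same domain as the DS RRset and with a type covered of DS" is precise, and replacing the old "private half of it's DNSKEY" wording also removes the typo.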
@@ -153,8 +155,8 @@ Internet-Draft Use of SHA-256 in DNSSEC DS RRs November 2005
2.2. DS Record with SHA-256 Wire Format 2.2. DS Record with SHA-256 Wire Format
The resulting packet format for the resulting DS record will be [XXX: The resulting on-the-wire format for the resulting DS record will be
IANA assignment should replace the 2 below]: [XXX: IANA assignment should replace the 2 below]:
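Review bot: the "[XXX: IANA assignment should replace the 2 below]" placeholder survives into -02 unchanged, so the digest type value in the wire format (and in the 2.3 example that follows) is still provisional; either cross-reference it to the IANA Considerations section or label the value "to be assigned" so an implementer reading -02 does not treat 2 as final before assignment. Wording-wise, "The resulting on-the-wire format for the resulting DS record" repeats "resulting"; "The on-the-wire format of the DS record is" reads cleaner.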
@@ -162,11 +164,9 @@ Internet-Draft Use of SHA-256 in DNSSEC DS RRs November 2005
Hardaker Expires June 12, 2006 [Page 3]
Hardaker Expires June 2, 2006 [Page 3]
Internet-Draft Use of SHA-256 in DNSSEC DS RRs November 2005 Internet-Draft Use of SHA-256 in DNSSEC DS RRs December 2005
1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
@@ -181,7 +181,7 @@ Internet-Draft Use of SHA-256 in DNSSEC DS RRs November 2005
2.3. Example DS Record Using SHA-256 2.3. Example DS Record Using SHA-256
The following is an example DSKEY and matching DS record. This The following is an example DNSKEY and matching DS record. This
DNSKEY record comes from the example DNSKEY/DS records found in DNSKEY record comes from the example DNSKEY/DS records found in
section 5.4 of [RFC4034]. section 5.4 of [RFC4034].
@@ -211,18 +211,18 @@ Internet-Draft Use of SHA-256 in DNSSEC DS RRs November 2005
Implementations MUST support the use of the SHA-256 algorithm in DS Implementations MUST support the use of the SHA-256 algorithm in DS
RRs. RRs.
Validator implementations MUST be able to prefer DS records Validator implementations MUST, by default, ignore DS RRs containing
containing SHA-256 digests over those containing SHA-1 digests. This SHA-1 digests if DS RRs with SHA-256 digests are present in the DS
behavior SHOULD by the default. Validator implementations MAY RRset. This behavior SHOULD be the default. Validator
provide configuration settings that allow network operators to implementations MAY provide configuration settings that allow network
specify preference policy when validating multiple DS records operators to specify preference policy when validating multiple DS
containing different digest types. records containing different digest types.
Hardaker Expires June 2, 2006 [Page 4] Hardaker Expires June 12, 2006 [Page 4]
Internet-Draft Use of SHA-256 in DNSSEC DS RRs November 2005 Internet-Draft Use of SHA-256 in DNSSEC DS RRs December 2005
4. Deployment Considerations 4. Deployment Considerations
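Review bot: the new MUST in section 3 already contains "by default", and the next sentence then says "This behavior SHOULD be the default", so the two normative statements overlap and it is unclear whether the default is mandatory or merely recommended; pick one, e.g. drop "by default" from the MUST and keep the SHOULD sentence, or drop the SHOULD sentence. The change from "prefer SHA-256" to "ignore DS RRs containing SHA-1 digests if DS RRs with SHA-256 digests are present" is the right direction for downgrade resistance: because the DS RRset is signed as a unit (see the Introduction hunk), a validator that supports SHA-256 gains nothing from also accepting the weaker digest, and the MAY sentence's configuration setting is the place for operators who need to relax that. Consider stating explicitly that the rule applies only to validators that support SHA-256, since for others the SHA-1 records remain the only path to validation, which is exactly the situation section 4 describes.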
@@ -234,12 +234,13 @@ Internet-Draft Use of SHA-256 in DNSSEC DS RRs November 2005
the case of an authenticated NSEC RRset proving that no DS RRset the case of an authenticated NSEC RRset proving that no DS RRset
exists, as described in [RFC4035], section 5.2. exists, as described in [RFC4035], section 5.2.
Because zone administrators can not control the deployment support of Because zone administrators can not control the deployment speed of
SHA-256 in deployed validators that may referencing any given zone, support for SHA-256 in validators that may be referencing any of
deployments should consider publishing both SHA-1 and SHA-256 based their zones, zone operators should consider deploying both SHA-1 and
DS records for a while. Whether to publish both digest types SHA-256 based DS records. This should be done for every DNSKEY for
together and for how long is a policy decision that extends beyond which DS records are being generated. Whether to make use of both
the scope of this document. digest types and for how long is a policy decision that extends
beyond the scope of this document.
5. IANA Considerations 5. IANA Considerations
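Review bot: "can not" should be "cannot" (present in both the old and new text). The added sentence "This should be done for every DNSKEY for which DS records are being generated" uses a lowercase "should" in a document that otherwise relies on RFC 2119 keywords; if it is meant as a recommendation write SHOULD, otherwise reword it so it does not read as a weak normative statement. Also, "zone operators should consider deploying both SHA-1 and SHA-256 based DS records" describes publishing records in the parent zone, not deploying software; "publishing", as in -01, is the more precise verb.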
@@ -272,15 +273,15 @@ Internet-Draft Use of SHA-256 in DNSSEC DS RRs November 2005
scope of this document to speculate extensively on the cryptographic scope of this document to speculate extensively on the cryptographic
strength of the SHA-256 digest algorithm. strength of the SHA-256 digest algorithm.
Likewise, it is also beyond the scope of this document to specify
Hardaker Expires June 2, 2006 [Page 5] Hardaker Expires June 12, 2006 [Page 5]
Internet-Draft Use of SHA-256 in DNSSEC DS RRs November 2005 Internet-Draft Use of SHA-256 in DNSSEC DS RRs December 2005
Likewise, it is also beyond the scope of this document to specify
whether or for how long SHA-1 based DS records should be whether or for how long SHA-1 based DS records should be
simultaneously published alongside SHA-256 based DS records. simultaneously published alongside SHA-256 based DS records.
@@ -291,9 +292,9 @@ Internet-Draft Use of SHA-256 in DNSSEC DS RRs November 2005
and those authors are gratefully appreciated for the hard work that and those authors are gratefully appreciated for the hard work that
went into the base documents. went into the base documents.
The following people contributed to valuable technical content of The following people contributed to portions of this document in some
this document: Roy Arends, Olafur Gudmundsson, Olaf M. Kolkman, Scott fashion: Mark Andrews, Roy Arends, Olafur Gudmundsson, Olaf M.
Rose, Sam Weiler. Kolkman, Edward Lewis, Scott Rose, Sam Weiler.
8. References 8. References
@@ -331,10 +332,9 @@ Internet-Draft Use of SHA-256 in DNSSEC DS RRs November 2005
Hardaker Expires June 12, 2006 [Page 6]
Hardaker Expires June 2, 2006 [Page 6]
Internet-Draft Use of SHA-256 in DNSSEC DS RRs November 2005 Internet-Draft Use of SHA-256 in DNSSEC DS RRs December 2005
Author's Address Author's Address
@@ -388,9 +388,9 @@ Author's Address
Hardaker Expires June 2, 2006 [Page 7] Hardaker Expires June 12, 2006 [Page 7]
Internet-Draft Use of SHA-256 in DNSSEC DS RRs November 2005 Internet-Draft Use of SHA-256 in DNSSEC DS RRs December 2005
Intellectual Property Statement Intellectual Property Statement
@@ -444,5 +444,5 @@ Acknowledgment
Hardaker Expires June 2, 2006 [Page 8] Hardaker Expires June 12, 2006 [Page 8]