mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-09-02 07:35:26 +00:00
Code Issues Releases Wiki Activity

new rev

Browse Source
This commit is contained in:
Mark Andrews
2002-03-27 13:21:08 +00:00
parent 75e184e4b8
commit a95fcd4314
2 changed files with 549 additions and 301 deletions
Download Patch File Download Diff File Expand all files Collapse all files

50
doc/draft/draft-ietf-dnsext-ad-is-secure-04.txt → doc/draft/draft-ietf-dnsext-ad-is-secure-05.txt
View File

@@ -1,8 +1,12 @@
DNSEXT Working Group Brian Wellington DNSEXT Working Group Brian Wellington
INTERNET-DRAFT Olafur Gudmundsson INTERNET-DRAFT Olafur Gudmundsson
<draft-ietf-dnsext-ad-is-secure-04.txt> February 2002 <draft-ietf-dnsext-ad-is-secure-05.txt> March 2002
Updates: RFC 2535 Updates: RFC 2535
@@ -33,7 +37,7 @@ Status of this Memo
Comments should be sent to the authors or the DNSEXT WG mailing list Comments should be sent to the authors or the DNSEXT WG mailing list
namedroppers@ops.ietf.org namedroppers@ops.ietf.org
This draft expires on July 10, 2002. This draft expires on September 25, 2002.
Copyright Notice Copyright Notice
@@ -53,9 +57,9 @@ Abstract
Expires August 2002 [Page 1] Expires September 2002 [Page 1]
INTERNET-DRAFT AD bit set on secure answers February 2002 INTERNET-DRAFT AD bit set on secure answers March 2002
1 - Introduction 1 - Introduction
@@ -66,10 +70,9 @@ INTERNET-DRAFT AD bit set on secure answers February 2002
As specified in RFC 2535 (section 6.1), the AD bit indicates in a As specified in RFC 2535 (section 6.1), the AD bit indicates in a
response that all data included in the answer and authority sections response that all data included in the answer and authority sections
of the response have been authenticated by the server according to of the response have been authenticated by the server according to
the policies of that server. This is not especially to the policies the policies of that server. This is not especially useful in
of that server. This is not especially useful in practice, since a practice, since a conformant server should never reply with data that
conformant server should never reply with data that failed its failed its security policy.
security policy.
This draft proposes to redefine the AD bit such that it is only set This draft proposes to redefine the AD bit such that it is only set
if all data in the response has been cryptographically verified or if all data in the response has been cryptographically verified or
@@ -111,9 +114,10 @@ INTERNET-DRAFT AD bit set on secure answers February 2002
Expires August 2002 [Page 2]
INTERNET-DRAFT AD bit set on secure answers February 2002 Expires September 2002 [Page 2]
INTERNET-DRAFT AD bit set on secure answers March 2002
"The AD bit MUST NOT be set on a response unless all of the RRsets in "The AD bit MUST NOT be set on a response unless all of the RRsets in
@@ -127,9 +131,9 @@ INTERNET-DRAFT AD bit set on secure answers February 2002
only set the AD bit when it has cryptographically verified the data only set the AD bit when it has cryptographically verified the data
in the answer. in the answer.
2.2 - Setting of AD bit by authorative servers 2.2 - Setting of AD bit by authoritative servers
A primary server for a secure zone the data MAY have a policy of Primary server for a secure zone the data, MAY have the policy of
treating authoritative secure zones as Authenticated. Secondary treating authoritative secure zones as Authenticated. Secondary
servers MAY have the same policy, but SHOULD NOT consider zone data servers MAY have the same policy, but SHOULD NOT consider zone data
Authenticated unless the zone was transfered securely and/or the data Authenticated unless the zone was transfered securely and/or the data
@@ -142,11 +146,11 @@ INTERNET-DRAFT AD bit set on secure answers February 2002
The setting of the AD bit by authoritative servers affects only a The setting of the AD bit by authoritative servers affects only a
small set of resolvers that are configured to directly query and small set of resolvers that are configured to directly query and
trust authoritative servers. This only affects servers that function trust authoritative servers. This only affects servers that function
as both recursive and authorative. All recursive resolvers SHOULD as both recursive and authoritative. All recursive resolvers SHOULD
ignore the AD bit. ignore the AD bit.
The cost of verifying all signatures on load by an authoritative The cost of verifying all signatures on load by an authoritative
server can be high and increases the delay before it can answer begin server can be high and increases the delay before it can begin
answering queries. Verifying signatures at query time is also answering queries. Verifying signatures at query time is also
expensive and could lead to resolvers timing out on many queries expensive and could lead to resolvers timing out on many queries
after the server reloads zones. after the server reloads zones.
@@ -169,9 +173,9 @@ INTERNET-DRAFT AD bit set on secure answers February 2002
Expires August 2002 [Page 3] Expires September 2002 [Page 3]
INTERNET-DRAFT AD bit set on secure answers February 2002 INTERNET-DRAFT AD bit set on secure answers March 2002
configured to trust the server. configured to trust the server.
@@ -190,11 +194,11 @@ INTERNET-DRAFT AD bit set on secure answers February 2002
servers that act both as authoritative servers and recursive servers that act both as authoritative servers and recursive
resolver. resolver.
Authorative servers that set the AD bit on answers without doing Authoritative servers that set the AD bit on answers without doing
cryptographic checks must only do so on explicit zone by zone cryptographic checks must only do so on explicit zone by zone
enablement. This only affects resolvers that trust the server and enablement. This only affects resolvers that trust the server and
this functionality should only be used on servers that act both as this functionality should only be used on servers that act both as
authorative servers and recursive resolver. authoritative servers and recursive resolver.
Resolvers (full or stub) that blindly trust the AD bit without Resolvers (full or stub) that blindly trust the AD bit without
knowing the security policy of the server generating the answer can knowing the security policy of the server generating the answer can
@@ -202,7 +206,7 @@ INTERNET-DRAFT AD bit set on secure answers February 2002
5 - IANA Considerations: 5 - IANA Considerations:
None None.
6 - Internationalization Considerations: 6 - Internationalization Considerations:
@@ -227,9 +231,9 @@ References:
Expires August 2002 [Page 4] Expires September 2002 [Page 4]
INTERNET-DRAFT AD bit set on secure answers February 2002 INTERNET-DRAFT AD bit set on secure answers March 2002
2845, May 2000. 2845, May 2000.
@@ -254,7 +258,7 @@ Authors Addresses
Full Copyright Statement Full Copyright Statement
Copyright (C) The Internet Society (2001). All Rights Reserved. Copyright (C) The Internet Society (2002>. All Rights Reserved.
This document and translations of it may be copied and furnished to This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it others, and derivative works that comment on or otherwise explain it
@@ -285,5 +289,5 @@ Full Copyright Statement
Expires August 2002 [Page 5] Expires September 2002 [Page 5]

800
doc/draft/draft-ietf-dnsext-mdns-09.txt → doc/draft/draft-ietf-dnsext-mdns-10.txt
View File

File diff suppressed because it is too large Load Diff