draft-ietf-dnsop-maintain-ds-04.txt   draft-ietf-dnsop-maintain-ds-05.txt 
dnsop O. Gudmundsson dnsop O. Gudmundsson
Internet-Draft CloudFlare Internet-Draft CloudFlare
Intended status: Standards Track P. Wouters Intended status: Standards Track P. Wouters
Expires: May 4, 2017 Red Hat Expires: July 14, 2017 Red Hat
October 31, 2016 January 10, 2017
Managing DS records from parent via CDS/CDNSKEY Managing DS records from parent via CDS/CDNSKEY
draft-ietf-dnsop-maintain-ds-04 draft-ietf-dnsop-maintain-ds-05
Abstract Abstract
RFC7344 specifies how DNS trust can be maintained across key RFC7344 specifies how DNS trust can be maintained across key
rollovers in-band between parent and child. This document elevates rollovers in-band between parent and child. This document elevates
RFC7344 from informational to standards track and adds a standard RFC7344 from informational to standards track and adds a standard
track method for initial trust setup and removal of secure entry track method for initial trust setup and removal of secure entry
point. point.
Changing a domain's DNSSEC status can be a complicated matter Changing a domain's DNSSEC status can be a complicated matter
skipping to change at page 2, line 10 skipping to change at page 2, line 10
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on May 4, 2017. This Internet-Draft will expire on July 14, 2017.
Copyright Notice Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
skipping to change at page 7, line 33 skipping to change at page 7, line 33
is treated as unsigned unless there are other algorithms present. In is treated as unsigned unless there are other algorithms present. In
general the value 0 should never be used in the context of DNSKEY and general the value 0 should never be used in the context of DNSKEY and
DS records. DS records.
The CERT record [RFC4398] defines the value 0 similarly to mean the The CERT record [RFC4398] defines the value 0 similarly to mean the
algorithm in the CERT record is not defined in DNSSEC. algorithm in the CERT record is not defined in DNSSEC.
The contents of the CDS or CDNSKEY RRset MUST contain one RR and only The contents of the CDS or CDNSKEY RRset MUST contain one RR and only
contain the exactly the fields as shown below. contain the exactly the fields as shown below.
1 CDS 0 0 0 1 CDS 0 0 0 0
2 CDNSKEY 0 3 0 2 CDNSKEY 0 3 0 0
The keying material payload is represented by a single 0. This The keying material payload is represented by a single 0. This
record is signed in the same way as regular CDS/CDNSKEY RRsets are record is signed in the same way as regular CDS/CDNSKEY RRsets are
signed. This is a change in format from strict interpretation of signed. This is a change in format from strict interpretation of
[RFC7344] and may cause problems with some deployed software. [RFC7344] and may cause problems with some deployed software.
Strictly speaking the CDS record could be "CDS X 0 X" as only the Strictly speaking the CDS record could be "CDS X 0 X" as only the
DNSKEY algorithm is what signals the DELETE operation, but for DNSKEY algorithm is what signals the DELETE operation, but for
clarity the "0 0 0" notation is mandated - this is not a definition clarity the "0 0 0" notation is mandated - this is not a definition
of DS Digest algorithm 0. The same argument applies to "CDNSKEY 0 3 of DS Digest algorithm 0. The same argument applies to "CDNSKEY 0 3
skipping to change at page 9, line 40 skipping to change at page 9, line 40
<http://www.rfc-editor.org/info/rfc2119>. <http://www.rfc-editor.org/info/rfc2119>.
[RFC4398] Josefsson, S., "Storing Certificates in the Domain Name [RFC4398] Josefsson, S., "Storing Certificates in the Domain Name
System (DNS)", RFC 4398, DOI 10.17487/RFC4398, March 2006, System (DNS)", RFC 4398, DOI 10.17487/RFC4398, March 2006,
<http://www.rfc-editor.org/info/rfc4398>. <http://www.rfc-editor.org/info/rfc4398>.
Appendix A. Acknowledgments Appendix A. Acknowledgments
This document is generated using the mmark tool that Miek Gieben has This document is generated using the mmark tool that Miek Gieben has
developed. We thank number of people that have provided feedback and developed. We thank number of people that have provided feedback and
useful comments including Bob Harold, John Levine, Matthijs Mekking, useful comments including Bob Harold, John Levine, Matthijs
Dan York, Shane Kerr, Jacques Latour. Mekking(!), Dan York, Shane Kerr, Jacques Latour.
Authors' Addresses Authors' Addresses
Olafur Gudmundsson Olafur Gudmundsson
CloudFlare CloudFlare
Email: olafur+ietf@cloudflare.com Email: olafur+ietf@cloudflare.com
Paul Wouters Paul Wouters
Red Hat Red Hat
 End of changes. 7 change blocks. 
9 lines changed or deleted 9 lines changed or added

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/