rfc3130.txt

来自「RFC 的详细文档！」· 文本 代码 · 共 564 行 · 第 1/2 页

Network Working Group                                           E. Lewis
Request for Comments: 3130                                      NAI Labs
Category: Informational                                        June 2001


             Notes from the State-Of-The-Technology: DNSSEC

Status of this Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2001).  All Rights Reserved.

Abstract

   This is a memo of a DNSSEC (Domain Name System Security Extensions)
   status meeting.

1.0 Introduction

   A meeting of groups involved in the development of the DNS Security
   Extensions (DNSSEC) was held in conjunction with the 49th IETF.  The
   discussion covered the extent of current efforts, a discussion of
   what questions are being asked of DNSSEC, and what is needed by the
   IETF to progress the definition to the Draft Standard level.

   DNSSEC [RFC 2535] has been under consideration for quite a few years,
   with RFC 2535 being the core of the most recent definition.  DNSSEC
   is part of the charter of two working groups, DNSEXT and DNSOP.
   ISC's BIND v8.2 implemented part of the specification, BIND v9
   represents the first full implementation.  In 1999 and 2000, more
   than a half dozen workshops have been held to test the concepts and
   the earliest versions of implementations.  But to date, DNSSEC is not
   in common use.

   The current collective wisdom is that DNSSEC is 1) important, 2) a
   buzzword, 3) hard, 4) immature.  To capture the true state of the
   technology and identify where work is needed, an informal gathering
   of groups known to be involved in DNSSEC was held in conjunction with
   the 49th IETF.  The attendees represented NLnet Labs, The Foundation
   for Internet Infrastructure, RIPE NCC, ARIN, CAIRN (ISI and NAI
   Labs), NIST, DISA, RSSAC, Network Associates and Verisign
   (COM/NET/ORG TLDs).




Lewis                        Informational                      [Page 1]

RFC 3130              DNSSEC Status Meeting Report             June 2001


   The agenda of the meeting consisted of three items.  Reports from
   each group on their current research goals were followed by a
   discussion of questions being asked of DNSSEC.  Finally, with
   reaching Draft Standard status as a goal, what was needed to make
   this happen was considered.

   This report is not simply a transcript of the meeting, it is a
   summary.  Some of the information presented here was obtained in
   direct contact with participants after the meeting.

1.1 What does the term "DNSSEC" mean?

   One of the comments made during discussions is that DNSSEC does not
   refer to just one monolithic technology.  The term has come to refer
   to "toolbox" of techniques and methodologies, that when used properly
   can improve the integrity of the DNS.  Given this observation, it can
   be seen that some portions of DNSSEC are evolving much more rapidly
   than other portions.  In particular, TSIG [RFC 2845] has certainly
   reached a level "being deployable" for zone transfers.

   The following four components are considered to be part of DNSSEC.
   The concept of digital signature protection of DNS traffic as
   described in RFC 2535 and a few support documents (such as [RFC
   3008]), which is designed to protect the transfer of data on an
   Internet scale.  The concept of protecting queries and responses
   through the less-scalable but more efficient TSIG mechanism [RFC
   2845], which has applicability to zone transfers, DHCP registrations,
   and other resolver to name server traffic.  Secure dynamic updates
   [RFC 3007], by virtue of using TSIG, can be considered to be part of
   DNSSEC.  Finally, the definition of the CERT resource record [RFC
   2538] gives DNS the ability to become a distribution mechanism for
   security data.

   This definition of the components of DNSSEC is in no way definitive.
   To be honest, this is a somewhat artificial grouping.  DNSSEC does
   not encompass all of the security practiced in DNS today, for
   example, the redefinition of when and how data is cached [RFC 2181],
   plays a big role in hardening the DNS system.  The four elements of
   DNSSEC described in the previous paragraph are grouped together
   mostly because they do interrelate, but also they were developed at
   approximately the same time.

2.0 Group Reports

   The first part of the meeting consisted of reports of goals.  From
   this a taxonomy of efforts has been made to see if there are gaps in
   the work.




Lewis                        Informational                      [Page 2]

RFC 3130              DNSSEC Status Meeting Report             June 2001


2.1 NLnet Labs

   Efforts by NLnet Labs are directed towards yielding an understanding
   of the impact of DNSSEC on ccTLDs, specifically .de (Germany), .nl
   (The Netherlands), and .se (Sweden).  Work to date has studied the
   problem of applying digital signatures and NXT records to a zone.
   The conclusion drawn is that there are no real problems regarding
   memory or CPU speed when signing large zones, not even for ".com."
   NLnet Labs has offered to work with Verisign to examine this further.

   NLnet Labs is trying to define and document procedures for TLD
   registries, registrars and registrants to properly handle actions
   like zone-resigning and key-rollover at the root, TLD, and lower
   levels.  The outcome so far is that the DNSOP Roll Over proposal
   seems impractical or possibly even impossible to implement at large
   TLDs.  NLnet Labs will produce a draft on an alternative KEY+SIG
   handling scheme where SIGs are only kept in the zone where the
   corresponding zone-KEY is located.  This scheme reduces the necessary
   actions for resigning zones from 2 levels (current zone and all
   children) to 1 level (current zone), and for key-rollover from 3
   levels (parent, current zone and all children) to 2 levels (parent
   and current zone).

2.2 Verisign

   Verisign's registry operations and corporate components have been
   investigating what DNSSEC means to very large zones, not just from a
   hardware point of view, but from an institutional point of view.
   With the service of providing delegations already commercialized,
   they are attempting to define what it would take to provide a DNSSEC
   service.  An important issue is the parent validation of each
   delegated zone's keys.

2.3 The Foundation for Internet Infrastructure

   The Foundation for Internet Infrastructure, an organization in
   Sweden, is running a project with two parts.  One part is directed at
   the "topology" of the participants in DNSSEC, the other part of the
   project is directed towards general development of tools.

   The study is examining the administrative issues of running DNSSEC.
   One issue is the possible 4-party interaction in the use of DNSSEC.
   The four parties are the registry, the registrar, the registrant, and
   the DNS operator.  Of these four parties, any combination may occur
   within one entity, such as a registrant that operates their own DNS
   as part of their information technology department.





Lewis                        Informational                      [Page 3]

RFC 3130              DNSSEC Status Meeting Report             June 2001


   The other part of the study is looking at what happens in the
   resolver.  Goals include DNSSEC-enabling tools such as ISAKMPd (an
   IPSEC key negotiation software) secure NTP4, and e-mail.  Part of
   this effort is implemented in the sigz.net experiment, information on
   this exists at www.sigz.net.

2.4 RSSAC

   The RSSAC (Root Server System Advisory Committee) has come to the
   conclusion that TSIG is worthwhile and should be deployed.  There is
   no schedule for deployment, however.

   As for the rest of DNSSEC, there is a need to better understand the
   impact of the new features before being introduced into production.
   Currently issues regarding potential testbeds are being documented.
   Two fundamental assumptions are that a DNSSEC testbed involving the
   root servers is desirable and that such a testbed would allow for
   long term testing.  The latter assumption is based upon the need to
   understand how repeated zone key validations can occur at multiple
   independent levels of the DNS hierarchy.

2.5 CAIRN

   CAIRN (Collaborative Advanced Interagency Research Network) is a
   DARPA-sponsored network for collaborative research.  A funded
   activity that involves DNSSEC is FMESHD, shorthand for Fault-Tolerant
   Mesh of Trust in DNSSEC.  The effort of this activity is to determine
   a means of building a resolver's chain of trust when some of the DNS
   tree is unavailable or unsecured.  An early deliverable of this is an
   extension of secure shell to retrieve keys from DNSSEC.  As part of
   this activity, the use of DNSSEC in a non-major provider zone is
   being implemented and studied.

2.6 NIST

   NIST is collecting performance information regarding DNSSEC.  One of
   the fears in adopting DNSSEC is the workload it adds to existing DNS
   machine workload.  The hopes of this effort is to quantify the fear,
   to see if it is real or imagined.

   If time permits, there may be an effort to implement a zone integrity
   checking program (implemented in Java) that will look for missteps in
   the use of DNSSEC.  Base code exists, but needs work (beyond the
   current baseline).







Lewis                        Informational                      [Page 4]

RFC 3130              DNSSEC Status Meeting Report             June 2001


2.7 DISA

   The U.S. Defense Information Systems Agency is providing funds to
   have DNSSEC implemented in BIND.  Of particular interest is making
   sure that the DNSSEC specifications are correct, that BIND adheres to
   the specifications, and that BIND is available on the operating
   systems in use by the US Department of Defense.  DISA expects that
   every line of code developed through this effort be made publicly
   available as part of stock BIND releases.

2.8 RIPE NCC

   The RIPE NCC is looking at the impact of DNSSEC on IP-registries.
   The RIPE NCC is planning to coordinate and assist in the deployment
   of DNSSEC.  Because the RIPE NCC is the Regional Internet Registry
   for Europe the focus will be on the deployment of DNSSEC on the
   reverse map tree (in-addr.arpa for IPv4).

2.9 ARIN

   ARIN is investigating DNSSEC for use in signing its delegated zones
   under in-addr.arpa.  It participated in a dnssec workshop following
   NANOG 20 held in Washington, DC in October, 2000.  It also
   participated in an ipv6-dnssec workshop that followed IETF 49 in San
   Diego, California.  Additionally, ARIN has stood up a server
   dedicated to testing various dns experimentation, including dnssec
   and carrying out limited testing.

2.10 Network Associates

   NAI is pressing to get the tislabs.com zone running in accordance
   with DNSSEC.  This is an example of a non-Internet service provider
   (neither an IP transit, IP address allocation, nor a domain name
   managing entity) making use of DNSSEC within the normal operations of
   the Information Technology department.

2.11 ip6.int. domain

   The name servers authoritative for the ip6.int. domain are mostly
   upgraded to be able to support CERT records and TSIG.  Once this is
   fully accomplished and proposals are approved, TSIG and CERT records
   will be used.  Further DNSSEC work is unknown.

2.12 Topology Based Domain Search

   Topology Based Domain Search (TBDS), is a DARPA funded activity
   investigating how DNS may continue to run in disconnected parts of
   the Internet.  Topics of interest (either covered by this project, or



Lewis                        Informational                      [Page 5]