draft-ietf-dnsext-nsec3-02.txt
                              20050612112304 62699 example.
                              QLGkaqWXxRuE+MHKkMvVlswg65HcyjvD1fyb
                              BDZpcfiMHH9w4x1eRqRamtSDTcqLfUrcYkrr
                              nWWLepz1PjjShQ== )
   ns2.example.   3600 IN A   192.0.2.2
   ns2.example.   3600 IN RRSIG  A 5 2 3600 20050712112304 (
                              20050612112304 62699 example.
                              UoIZaC1O6XHRWGHBOl8XFQKPdYTkRCz6SYh3
                              P2mZ3xfY22fLBCBDrEnOc8pGDGijJaLl26Cz
                              AkeTJu3J3auUiA== )

Laurie, et al.          Expires December 3, 2005               [Page 24]

Internet-Draft                    nsec3                        June 2005

   The query returned an MX RRset for "x.w.example".  The corresponding
   RRSIG RR indicates that the MX RRset was signed by an "example"
   DNSKEY with algorithm 5 and key tag 62699.  The resolver needs the
   corresponding DNSKEY RR in order to authenticate this answer.  The
   discussion below describes how a resolver might obtain this DNSKEY
   RR.

   The RRSIG RR indicates the original TTL of the MX RRset was 3600,
   and, for the purpose of authentication, the current TTL is replaced
   by 3600.  The RRSIG RR's labels field value of 3 indicates that the
   answer was not the result of wildcard expansion.  The "x.w.example"
   MX RRset is placed in canonical form, and, assuming the current time
   falls between the signature inception and expiration dates, the
   signature is authenticated.

B.1.1  Authenticating the Example DNSKEY RRset

   This example shows the logical authentication process that starts
   from a configured root DNSKEY RRset (or DS RRset) and moves down the
   tree to authenticate the desired "example" DNSKEY RRset.  Note that
   the logical order is presented for clarity.  An implementation may
   choose to construct the authentication as referrals are received or
   to construct the authentication chain only after all RRsets have been
   obtained, or in any other combination it sees fit.  The example here
   demonstrates only the logical process and does not dictate any
   implementation rules.

   We assume the resolver starts with a configured DNSKEY RRset for the
   root zone (or a configured DS RRset for the root zone).  The resolver
   checks whether this configured DNSKEY RRset is present in the root
   DNSKEY RRset (or whether a DS RR in the DS RRset matches some DNSKEY
   RR in the root DNSKEY RRset), whether this DNSKEY RR has signed the
   root DNSKEY RRset, and whether the signature lifetime is valid.  If
   all these conditions are met, all keys in the DNSKEY RRset are
   considered authenticated.  The resolver then uses one (or more) of
   the root DNSKEY RRs to authenticate the "example" DS RRset.  Note
   that the resolver may have to query the root zone to obtain the root
   DNSKEY RRset or "example" DS RRset.

   Once the DS RRset has been authenticated using the root DNSKEY, the
   resolver checks the "example" DNSKEY RRset for some "example" DNSKEY
   RR that matches one of the authenticated "example" DS RRs.  If such a
   matching "example" DNSKEY is found, the resolver checks whether this
   DNSKEY RR has signed the "example" DNSKEY RRset and the signature
   lifetime is valid.  If these conditions are met, all keys in the
   "example" DNSKEY RRset are considered authenticated.

   Finally, the resolver checks that some DNSKEY RR in the "example"
   DNSKEY RRset uses algorithm 5 and has a key tag of 62699.  This
   DNSKEY is used to authenticate the RRSIG included in the response.
   If multiple "example" DNSKEY RRs match this algorithm and key tag,
   then each DNSKEY RR is tried, and the answer is authenticated if any
   of the matching DNSKEY RRs validate the signature as described above.

B.2  Name Error

   An authoritative name error.  The NSEC3 RRs prove that the name does
   not exist and that no covering wildcard exists.

   ;; Header: QR AA DO RCODE=3
   ;;
   ;; Question
   a.c.x.w.example.         IN A

   ;; Answer
   ;; (empty)

   ;; Authority
   example.       3600 IN SOA ns1.example. bugs.x.w.example. (
                              1
                              3600
                              300
                              3600000
                              3600
                              )
   example.       3600 IN RRSIG  SOA 5 1 3600 20050712112304 (
                              20050612112304 62699 example.
                              RtctD6aLUU5Md5wOOItilS7JXX1tf58Ql3sK
                              mTXkL13jqLiUFOGg0uzqRh1U9GbydS0P7M0g
                              qYIt90txzE/4+g== )
   7nomf47k3vlidh4vxahhpp47l3tgv7a2.example. 3600 IN NSEC3  0 1 1 (
                              deadbeaf
                              dw4o7j64wnel3j4jh7fb3c5n7w3js2yb
                              MX NSEC3 RRSIG )
   7nomf47k3vlidh4vxahhpp47l3tgv7a2.example. 3600 IN RRSIG  NSEC3 (
                              5 2 3600 20050712112304
                              20050612112304 62699 example.
                              YTcqole3h8EOsTT3HKnwhR1QS8borR0XtZaA
                              ZrLsx6n0RDC1AAdZONYOvdqvcal9PmwtWjlo
                              MEFQmc/gEuxojA== )
   nimwfwcnbeoodmsc6npv3vuaagaevxxu.example. 3600 IN NSEC3  0 1 1 (
                              deadbeaf
                              vhgwr2qgykdkf4m6iv6vkagbxozphazr
                              HINFO A AAAA NSEC3 RRSIG )
   nimwfwcnbeoodmsc6npv3vuaagaevxxu.example. 3600 IN RRSIG  NSEC3 (
                              5 2 3600 20050712112304
                              20050612112304 62699 example.
                              c3zQdK68cYTHTjh1cD6pi0vblXwzyoU/m7Qx
                              z8kaPYikbJ9vgSl9YegjZukgQSwybHUC0SYG
                              jL33Wm1p07TBdw== )

   ;; Additional
   ;; (empty)

   The query returned two NSEC3 RRs that prove that the requested data
   does not exist and no wildcard applies.  The negative reply is
   authenticated by verifying both NSEC3 RRs.  The NSEC3 RRs are
   authenticated in a manner identical to that of the MX RRset discussed
   above.  At least one of the owner names of the NSEC3 RRs will match
   the closest encloser.  At least one of the NSEC3 RRs proves that no
   longer name exists.  At least one of the NSEC3 RRs proves that there
   exist no wildcard RRsets that should have been expanded.  The
   closest encloser can be found by hashing the apex owner name (the SOA
   RR's owner name, or the owner name of the DNSKEY RRset referred to by
   an RRSIG RR), matching it to the owner name of one of the NSEC3 RRs,
   and if that fails, continuing by adding labels.

   In the above example, the name 'x.w.example' hashes to
   '7nomf47k3vlidh4vxahhpp47l3tgv7a2'.  This indicates that this might
   be the closest encloser.  To prove that 'c.x.w.example' and
   '*.x.w.example' do not exist, these names are hashed to respectively
   'qsgoxsf2lanysajhtmaylde4tqwnqppl' and
   'cvljzyf6nsckjowghch4tt3nohocpdka'.
   The two NSEC3 records prove that these hashed owner names do not
   exist, since the names are within the given intervals.

B.3  No Data Error

   A "no data" response.  The NSEC3 RR proves that the name exists and
   that the requested RR type does not.

   ;; Header: QR AA DO RCODE=0
   ;;
   ;; Question
   ns1.example.        IN MX

   ;; Answer
   ;; (empty)

   ;; Authority
   example.       3600 IN SOA ns1.example. bugs.x.w.example. (
                              1
                              3600
                              300
                              3600000
                              3600
                              )
   example.       3600 IN RRSIG  SOA 5 1 3600 20050712112304 (
                              20050612112304 62699 example.
                              RtctD6aLUU5Md5wOOItilS7JXX1tf58Ql3sK
                              mTXkL13jqLiUFOGg0uzqRh1U9GbydS0P7M0g
                              qYIt90txzE/4+g== )
   wbyijvpnyj33pcpi3i44ecnibnaj7eiw.example. 3600 IN NSEC3  0 1 1 (
                              deadbeaf
                              zjxfz5o7t4ty4u3f6fa7mhhqzjln4mui
                              A NSEC3 RRSIG )
   wbyijvpnyj33pcpi3i44ecnibnaj7eiw.example. 3600 IN RRSIG  NSEC3 (
                              5 2 3600 20050712112304
                              20050612112304 62699 example.
                              ledFAaDCqDxapQ1FvBAjjK2DP06iQj8AN6gN
                              ZycTeSmobKLTpzbgQp8uKYYe/DPHjXYmuEhd
                              oorBv4xkb0flXw== )

   ;; Additional
   ;; (empty)

   The query returned an NSEC3 RR that proves that the requested name
   exists ("ns1.example." hashes to "wbyijvpnyj33pcpi3i44ecnibnaj7eiw"),
   but the requested RR type does not exist (type MX is absent from the
   type code list of the NSEC3 RR).  The negative reply is authenticated
   by verifying the NSEC3 RR.
   The NSEC3 RR is authenticated in a manner identical to that of the MX
   RRset discussed above.

B.3.1  No Data Error, Empty Non-Terminal

   A "no data" response because of an empty non-terminal.  The NSEC3 RR
   proves that the name exists and that the requested RR type does not.

   ;; Header: QR AA DO RCODE=0
   ;;
   ;; Question
   y.w.example.        IN A

   ;; Answer
   ;; (empty)

   ;; Authority
   example.       3600 IN SOA ns1.example. bugs.x.w.example. (
                              1
                              3600
                              300
                              3600000
                              3600
                              )
   example.       3600 IN RRSIG  SOA 5 1 3600 20050712112304 (
                              20050612112304 62699 example.
                              RtctD6aLUU5Md5wOOItilS7JXX1tf58Ql3sK
                              mTXkL13jqLiUFOGg0uzqRh1U9GbydS0P7M0g
                              qYIt90txzE/4+g== )
   jt4bbfokgbmr57qx4nqucvvn7fmo6ab6.example. 3600 IN NSEC3  0 1 1 (
                              deadbeaf
                              kcll7fqfnisuhfekckeeqnmbbd4maanu
                              NSEC3 RRSIG )
   jt4bbfokgbmr57qx4nqucvvn7fmo6ab6.example. 3600 IN RRSIG  NSEC3 (
                              5 2 3600 20050712112304
                              20050612112304 62699 example.
                              FXyCVQUdFF1EW1NcgD2V724/It0rn3lr+30V
                              IyjmqwOMvQ4G599InTpiH46xhX3U/FmUzHOK
                              94Zbq3k8lgdpZA== )

   The query returned an NSEC3 RR that proves that
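The chain-of-trust steps of B.1.1 above (match a DNSKEY against an authenticated DS, trust the whole DNSKEY RRset once that key's signature over it verifies, then pick the keys whose algorithm and key tag match the RRSIG), as an added Python example; this is not code from the draft. It implements the key tag computation of RFC 4034 Appendix B and the DS digest type 1 (SHA-1 over the canonical owner name followed by the DNSKEY RDATA). The DNSKEY RDATA is constructed: a two-byte placeholder public key chosen so that the tag comes out as 62699, the tag of the signing key in the draft's examples; it is not an RSA key, and the signature check itself is delegated to a callable the caller supplies (a real validator would run RSASHA1 there). All function names are mine.

```python
import hashlib
import struct


def to_wire(name):
    """Canonical (lower-case, uncompressed) wire form of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: 2-octet flags, 1-octet protocol, 1-octet algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (for every algorithm except 1):
    odd-position octets are added as-is, even-position octets shifted by 8."""
    ac = 0
    for i, octet in enumerate(rdata):
        ac += octet if i & 1 else octet << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest_sha1(owner, rdata):
    """DS digest type 1: SHA-1(canonical owner name || DNSKEY RDATA)."""
    return hashlib.sha1(to_wire(owner) + rdata).digest()


def authenticate_dnskey_rrset(owner, dnskeys, trusted_ds, verify_rrset_sig):
    """One step of the walk in B.1.1.  `trusted_ds` holds DS RRs that were
    authenticated by the parent, as (key tag, algorithm, digest type, digest).
    The DNSKEY RRset is authenticated when some DNSKEY in it matches a DS
    (same tag, algorithm and digest) and that key's signature over the RRset
    verifies; every key in the RRset is then trusted.  Returns the set of
    trusted (algorithm, key tag) pairs, empty when the RRset is not proven."""
    for rd in dnskeys:
        alg, tag = rd[3], key_tag(rd)
        for ds_tag, ds_alg, ds_type, ds_digest in trusted_ds:
            if (ds_tag, ds_alg, ds_type) != (tag, alg, 1):
                continue  # only SHA-1 DS digests are handled here
            if ds_digest == ds_digest_sha1(owner, rd) and verify_rrset_sig(rd):
                return {(k[3], key_tag(k)) for k in dnskeys}
    return set()


def candidate_keys(dnskeys, algorithm, tag):
    """Keys to try for an RRSIG carrying this algorithm and key tag; the draft
    says each one is tried in turn when several keys share a tag."""
    return [k for k in dnskeys if k[3] == algorithm and key_tag(k) == tag]


# Constructed DNSKEY: flags 257 (KSK), protocol 3, algorithm 5.  The two key
# octets are a placeholder picked so that key_tag() yields 62699, matching
# the key tag in the draft's examples; this is not a real RSA public key.
EXAMPLE_KEY = dnskey_rdata(257, 3, 5, bytes([0xF0, 0xE5]))
# Constructed DS for that key, standing in for the DS RR a parent publishes.
EXAMPLE_DS = [(62699, 5, 1, ds_digest_sha1("example.", EXAMPLE_KEY))]

if __name__ == "__main__":
    # stub signature check: accept; a real resolver verifies the RRSIG here
    trusted = authenticate_dnskey_rrset("example.", [EXAMPLE_KEY], EXAMPLE_DS,
                                        lambda k: True)
    print(key_tag(EXAMPLE_KEY), trusted, candidate_keys([EXAMPLE_KEY], 5, 62699))
```

The DS digest is bound to the owner name as well as the key material, so the same DNSKEY RDATA presented under a different owner name does not match; the key tag on its own is only a selector and never a proof of identity, which is why `authenticate_dnskey_rrset` still compares the digest after the tag and algorithm agree.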
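The NSEC3 checks described in B.2 and B.3 above, as an added Python example that is not part of the draft: computing a hashed owner name, testing whether a hash falls inside an NSEC3 interval (including the wrap-around of the last RR in the chain), finding the closest encloser and checking the next closer name and the wildcard for a name error, and the type code list check for a no-data response. The owner hashes, next hashed owner names and type lists are copied from the responses above; the hash parameters are my reading of the `0 1 1 ( deadbeaf` fields as SHA-1, one iteration, salt deadbeaf, and the hash construction is assumed to be the one RFC 5155 later fixed (SHA-1 over the wire-format name and salt, one extra round per iteration). Because that assumption may not reproduce this draft's published hashes exactly, the proof functions take the hasher as a parameter; the walk below strips labels from the query name toward the apex, which finds the same longest existing ancestor the text's add-labels-from-the-apex description does. All names are mine.

```python
import base64
import hashlib

# NSEC3 RRs from the name-error response in B.2, as
# (owner hash, next hashed owner, type code list); only the RRs that
# response carries are listed.  Parameters: SHA-1, 1 iteration, salt deadbeaf.
SALT = bytes.fromhex("deadbeaf")
ITERATIONS = 1
NAME_ERROR_CHAIN = [
    ("7nomf47k3vlidh4vxahhpp47l3tgv7a2", "dw4o7j64wnel3j4jh7fb3c5n7w3js2yb",
     {"MX", "NSEC3", "RRSIG"}),
    ("nimwfwcnbeoodmsc6npv3vuaagaevxxu", "vhgwr2qgykdkf4m6iv6vkagbxozphazr",
     {"HINFO", "A", "AAAA", "NSEC3", "RRSIG"}),
]
# The single NSEC3 RR from the no-data response in B.3.
NO_DATA_CHAIN = [
    ("wbyijvpnyj33pcpi3i44ecnibnaj7eiw", "zjxfz5o7t4ty4u3f6fa7mhhqzjln4mui",
     {"A", "NSEC3", "RRSIG"}),
]

# RFC 4648 base32 alphabet -> base32hex, the alphabet NSEC3 owner names use.
# Lower-case base32hex sorts the same as the underlying digest bytes.
_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                        "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def labels(name):
    return [l for l in name.lower().rstrip(".").split(".") if l]


def to_wire(name):
    """Canonical (lower-case, uncompressed) wire form of a domain name."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels(name)) + b"\x00"


def nsec3_hash(name, salt=SALT, iterations=ITERATIONS):
    """Hashed owner name, lower-case base32hex.  Assumed construction (RFC 5155):
    IH(0) = SHA1(wire || salt), IH(k) = SHA1(IH(k-1) || salt), `iterations` rounds."""
    digest = hashlib.sha1(to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32HEX).lower()


def covers(owner, nxt, h):
    """True if h lies strictly between the owner hash and the next hashed owner.
    The last RR of the chain wraps around to the smallest hash in the zone."""
    if owner < nxt:
        return owner < h < nxt
    return h > owner or h < nxt


def covering_rr(chain, h):
    """The NSEC3 RR whose interval covers h, or None if no RR covers it."""
    for rr in chain:
        if covers(rr[0], rr[1], h):
            return rr
    return None


def prove_name_error(qname, apex, chain, hasher=nsec3_hash):
    """Name-error proof (B.2).  The first ancestor of qname whose hash is an
    NSEC3 owner name is the closest encloser; the next closer name and the
    wildcard at the closest encloser must then both be covered.  Returns
    (closest encloser, next closer, wildcard) on success, None otherwise."""
    owners = {rr[0] for rr in chain}
    q, a = labels(qname), labels(apex)
    if len(q) <= len(a) or q[-len(a):] != a:
        return None  # qname must lie strictly below the apex
    for i in range(1, len(q) - len(a) + 1):
        ce = ".".join(q[i:]) + "."
        if hasher(ce) not in owners:
            continue
        next_closer = ".".join(q[i - 1:]) + "."
        wildcard = "*." + ce
        if covering_rr(chain, hasher(next_closer)) is None:
            return None  # the name is not proven absent
        if covering_rr(chain, hasher(wildcard)) is None:
            return None  # a wildcard might still have been expanded
        return ce, next_closer, wildcard
    return None


def prove_no_data(qname, qtype, chain, hasher=nsec3_hash):
    """No-data proof (B.3): an NSEC3 RR owned by H(qname) must exist and the
    requested type must be absent from its type code list."""
    h = hasher(qname)
    for owner, _, types in chain:
        if owner == h:
            return qtype not in types
    return False


if __name__ == "__main__":
    print(nsec3_hash("x.w.example."))  # compare with the NSEC3 owner in B.2
    print(prove_name_error("a.c.x.w.example.", "example.", NAME_ERROR_CHAIN))
    print(prove_no_data("ns1.example.", "MX", NO_DATA_CHAIN))
```

Both proofs are only meaningful after each NSEC3 RR's RRSIG has been validated exactly as the MX RRset was; the interval logic above does not check signatures, so an unsigned or unvalidated NSEC3 RR must never reach it.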
