draft-ietf-dnsext-signed-nonexistence-requirements-01.txt

bind 源码 最新实现 linux/unix/windows平台

   (Editor comment: the current version of NSEC2 also has the salt in
   every NSEC2 record)


11.  DNSSEC-Adoption and Zone-Growth Relationship


   Background:  Currently with NSEC, when a delegation centric zone
   deploys DNSSEC, the zone-size multiplies by a non-trivial factor even
   when the DNSSEC-adoption rate of the subzones remains low--because
   each delegation point creates at least one NSEC record and
   corresponding signature in the parent even if the child is not
   signed.





Laurie & Loomis          Expires March 2, 2005                  [Page 6]
Internet-Draft      signed-nonexistence-requirements      September 2004



   Requirements:  A delegation-only (or delegation-mostly) zone that is
   signed but which has no signed child zones should initially need only
   to add SIG(SOA), DNSKEY, and SIG(DNSKEY) at the apex, along with some
   minimal set of NSEC++ records to cover zone contents.  Further,
   during the transition of a delegation-only zone from 0% signed
   children to 100% signed children, the growth in the delegation-only
   zone should be roughly proportional to the percentage of signed child
   zones.


   Additional Discussion: This is why DNSNR has the Authoritative Only
   bit.  This is similar to opt-in for delegations only.  This (bit) is
   currently the only method to help delegation-centric zone cope with
   zone-growth due to DNSSEC adoption.  As an example, A delegation only
   zone which deploys DNSSEC with the help of this bit, needs to add
   SIG(SOA), DNSKEY, SIG(DNSKEY), DNSNR, SIG(DNSNR) at the apex.  No
   more than that.


   Contributor: Roy Arends.


12.  Non-overlap of denial records with possible zone records


   Requirement:  NSEC++ records should in some way be differentiated
   from regular zone records, so that there is no possibility that a
   record in the zone could be duplicated by a non-existence proof
   (NSEC++) record.


   Additional discussion:  This requirement is derived from a discussion
   on the DNSEXT mailing list related to copyrights and domain names.
   As was outlined there, one solution is to put NSEC++ records in a
   separate namespace, e.g.: $ORIGIN co.uk.
   873bcdba87401b485022b8dcd4190e3e IN NS jim.rfc1035.com ; your
   delegation 873bcdba87401b485022b8dcd4190e3e._no IN NSEC++ 881345...
   ; for amazon.co.uk.


   Contributor: various


   (Editor comment:  One of us still does not see why a conflict
   matters.  Even if there is an apparent conflict or overlap, the
   "conflicting" NSEC2 name _only_ appears in NSEC2 records, and the
   other name _never_ appears in NSEC2 records.)


13.  Exposure of Private Keys


   Private keys associated with the public keys in the DNS should be
   exposed as little as possible.  It is highly undesirable for private
   keys to be distributed to nameservers, or to otherwise be available
   in the run-time environment of nameservers.





Laurie & Loomis          Expires March 2, 2005                  [Page 7]
Internet-Draft      signed-nonexistence-requirements      September 2004



   Contributors: Nominet, Olaf Kolkman, Ed Lewis


14.  Minimisation of Zone Signing Cost


   The additional cost of creating an NSEC++ signed zone should not
   significantly exceed the cost of creating an ordinary signed zone.


   Contributor: Nominet


15.  Minimisation of Asymmetry


   Nameservers should have to do as little additional work as necessary.
   More precisely, it is desirable for any increase in cost incurred by
   the nameservers to be offset by a proportionate increase in cost to
   DNS `clients', e.g.  stub and/or `full-service' resolvers.


   Contributor: Nominet


16.  Minimisation of Client Complexity


   Caching, wildcards, CNAMEs, DNAMEs should continue to work without
   adding too much complexity at the client side.


   Contributor: Olaf Kolkman


17.  Completeness


   A proof of nonexistence should be possible for all nonexistent data
   in the zone.


   Contributor: Olaf Kolkman


18.  Purity of Namespace


   The name space should not be muddied with fake names or data sets.


   Contributor: Ed Lewis


19.  Replay Attacks


   NSEC++ should not allow a replay to be used to deny existence of an
   RR that actually exists.


   Contributor: Ed Lewis


20.  Compatibility with NSEC


   NSEC++ should not introduce changes incompatible with NSEC.




Laurie & Loomis          Expires March 2, 2005                  [Page 8]
Internet-Draft      signed-nonexistence-requirements      September 2004



   Contributor: Ed Lewis


21.  Compatibility with NSEC II


   NSEC++ should differ from NSEC in a way that is transparent to the
   resolver or validator.


   Contributor: Ed Lewis


22.  Compatibility with NSEC III


   NSEC++ should differ from NSEC as little as possible whilst achieving
   other requirements.


   Contributor: Alex Bligh


23.  Coexistence with NSEC


   NSEC++ should be optional, allowing NSEC to be used instead.


   Contributor: Ed Lewis, Alex Bligh


24.  Coexistence with NSEC II


   NSEC++ should not impose extra work on those content with NSEC.


   Contributor: Ed Lewis


25.  Protocol Design


   A good security protocol would allow signing the nonexistence of some
   selected names without revealing anything about other names.


   Contributor: Dan Bernstein


26.  Process


   Clearly not all of these requirements can be met.  Therefore the next
   phase of this document will be to either prioritise them or narrow
   them down to a non-contradictory set, which should then allow us to
   judge proposals on the basis of their fit.


27.  Acknowledgements


28.  Requirements notation


   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this




Laurie & Loomis          Expires March 2, 2005                  [Page 9]
Internet-Draft      signed-nonexistence-requirements      September 2004



   document are to be interpreted as            described in [RFC2119].


29.  Security Considerations


   There are currently no security considerations called out in this
   draft.  There will be security considerations in the choice of which
   requirements will be implemented, but there are no specific security
   requirements during the requirements collection process.


30.  References


30.1  Normative References


   [dnssecbis-protocol]
              "DNSSECbis Protocol Definitions", BCP XX, RFC XXXX, Some
              Month 2004.


30.2  Informative References


   [RFC2026]  Bradner, S., "The Internet Standards Process -- Revision
              3", BCP 9, RFC 2026, October 1996.


   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.


   [RFC2418]  Bradner, S., "IETF Working Group Guidelines and
              Procedures", BCP 25, RFC 2418, September 1998.



Authors' Addresses


   Ben Laurie
   Nominet
   17 Perryn Road
   London  W3 7LR
   England


   Phone: +44 (20) 8735 0686
   EMail: ben@algroup.co.uk



   Rip Loomis
   Science Applications International Corporation
   7125 Columbia Gateway Drive, Suite 300
   Columbia, MD  21046
   US


   EMail: gilbert.r.loomis@saic.com




Laurie & Loomis          Expires March 2, 2005                 [Page 10]
Internet-Draft      signed-nonexistence-requirements      September 2004



Intellectual Property Statement


   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.


   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.


   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.



Disclaimer of Validity


   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.



Copyright Statement


   Copyright (C) The Internet Society (2004).  This document is subject
   to the rights, licenses and restrictions contained in BCP 78, and
   except as set forth therein, the authors retain all their rights.



Acknowledgment


   Funding for the RFC Editor function is currently provided by the
   Internet Society.





Laurie & Loomis          Expires March 2, 2005                 [Page 11]