rfc4033.txt

非常好的dns解析软件

   DNSSEC does not protect against tampering with unsigned zone data.
   Non-authoritative data at zone cuts (glue and NS RRs in the parent
   zone) are not signed.  This does not pose a problem when validating
   the authentication chain, but it does mean that the non-authoritative
   data itself is vulnerable to tampering during zone transfer
   operations.  Thus, while DNSSEC can provide data origin
   authentication and data integrity for RRsets, it cannot do so for
   zones, and other mechanisms (such as TSIG, SIG(0), or IPsec) must be
   used to protect zone transfer operations.



Arends, et al.              Standards Track                    [Page 16]

RFC 4033       DNS Security Introduction and Requirements     March 2005


   Please see [RFC4034] and [RFC4035] for additional security
   considerations.

13.  Acknowledgements

   This document was created from the input and ideas of the members of
   the DNS Extensions Working Group.  Although explicitly listing
   everyone who has contributed during the decade in which DNSSEC has
   been under development would be impossible, the editors would
   particularly like to thank the following people for their
   contributions to and comments on this document set: Jaap Akkerhuis,
   Mark Andrews, Derek Atkins, Roy Badami, Alan Barrett, Dan Bernstein,
   David Blacka, Len Budney, Randy Bush, Francis Dupont, Donald
   Eastlake, Robert Elz, Miek Gieben, Michael Graff, Olafur Gudmundsson,
   Gilles Guette, Andreas Gustafsson, Jun-ichiro Itojun Hagino, Phillip
   Hallam-Baker, Bob Halley, Ted Hardie, Walter Howard, Greg Hudson,
   Christian Huitema, Johan Ihren, Stephen Jacob, Jelte Jansen, Simon
   Josefsson, Andris Kalnozols, Peter Koch, Olaf Kolkman, Mark Kosters,
   Suresh Krishnaswamy, Ben Laurie, David Lawrence, Ted Lemon, Ed Lewis,
   Ted Lindgreen, Josh Littlefield, Rip Loomis, Bill Manning, Russ
   Mundy, Thomas Narten, Mans Nilsson, Masataka Ohta, Mike Patton, Rob
   Payne, Jim Reid, Michael Richardson, Erik Rozendaal, Marcos Sanz,
   Pekka Savola, Jakob Schlyter, Mike StJohns, Paul Vixie, Sam Weiler,
   Brian Wellington, and Suzanne Woolf.

   No doubt the above list is incomplete.  We apologize to anyone we
   left out.

14.  References

14.1.  Normative References

   [RFC1034]  Mockapetris, P., "Domain names - concepts and facilities",
              STD 13, RFC 1034, November 1987.

   [RFC1035]  Mockapetris, P., "Domain names - implementation and
              specification", STD 13, RFC 1035, November 1987.

   [RFC2535]  Eastlake 3rd, D., "Domain Name System Security
              Extensions", RFC 2535, March 1999.

   [RFC2671]  Vixie, P., "Extension Mechanisms for DNS (EDNS0)", RFC
              2671, August 1999.

   [RFC3225]  Conrad, D., "Indicating Resolver Support of DNSSEC", RFC
              3225, December 2001.





Arends, et al.              Standards Track                    [Page 17]

RFC 4033       DNS Security Introduction and Requirements     March 2005


   [RFC3226]  Gudmundsson, O., "DNSSEC and IPv6 A6 aware server/resolver
              message size requirements", RFC 3226, December 2001.

   [RFC3445]  Massey, D. and S. Rose, "Limiting the Scope of the KEY
              Resource Record (RR)", RFC 3445, December 2002.

   [RFC4034]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
              Rose, "Resource Records for DNS Security Extensions", RFC
              4034, March 2005.

   [RFC4035]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
              Rose, "Protocol Modifications for the DNS Security
              Extensions", RFC 4035, March 2005.

14.2.  Informative References

   [RFC2136]  Vixie, P., Thomson, S., Rekhter, Y., and J. Bound,
              "Dynamic Updates in the Domain Name System (DNS UPDATE)",
              RFC 2136, April 1997.

   [RFC2181]  Elz, R. and R. Bush, "Clarifications to the DNS
              Specification", RFC 2181, July 1997.

   [RFC2308]  Andrews, M., "Negative Caching of DNS Queries (DNS
              NCACHE)", RFC 2308, March 1998.

   [RFC2538]  Eastlake 3rd, D. and O. Gudmundsson, "Storing Certificates
              in the Domain Name System (DNS)", RFC 2538, March 1999.

   [RFC2845]  Vixie, P., Gudmundsson, O., Eastlake 3rd, D., and B.
              Wellington, "Secret Key Transaction Authentication for DNS
              (TSIG)", RFC 2845, May 2000.

   [RFC2931]  Eastlake 3rd, D., "DNS Request and Transaction Signatures
              ( SIG(0)s )", RFC 2931, September 2000.

   [RFC3007]  Wellington, B., "Secure Domain Name System (DNS) Dynamic
              Update", RFC 3007, November 2000.

   [RFC3008]  Wellington, B., "Domain Name System Security (DNSSEC)
              Signing Authority", RFC 3008, November 2000.

   [RFC3090]  Lewis, E., "DNS Security Extension Clarification on Zone
              Status", RFC 3090, March 2001.

   [RFC3597]  Gustafsson, A., "Handling of Unknown DNS Resource Record
              (RR) Types", RFC 3597, September 2003.




Arends, et al.              Standards Track                    [Page 18]

RFC 4033       DNS Security Introduction and Requirements     March 2005


   [RFC3655]  Wellington, B. and O. Gudmundsson, "Redefinition of DNS
              Authenticated Data (AD) bit", RFC 3655, November 2003.

   [RFC3658]  Gudmundsson, O., "Delegation Signer (DS) Resource Record
              (RR)", RFC 3658, December 2003.

   [RFC3755]  Weiler, S., "Legacy Resolver Compatibility for Delegation
              Signer (DS)", RFC 3755, May 2004.

   [RFC3757]  Kolkman, O., Schlyter, J., and E. Lewis, "Domain Name
              System KEY (DNSKEY) Resource Record (RR) Secure Entry
              Point (SEP) Flag", RFC 3757, April 2004.

   [RFC3833]  Atkins, D. and R. Austein, "Threat Analysis of the Domain
              Name System (DNS)", RFC 3833, August 2004.

   [RFC3845]  Schlyter, J., "DNS Security (DNSSEC) NextSECure (NSEC)
              RDATA Format", RFC 3845, August 2004.

































Arends, et al.              Standards Track                    [Page 19]

RFC 4033       DNS Security Introduction and Requirements     March 2005


Authors' Addresses

   Roy Arends
   Telematica Instituut
   Brouwerijstraat 1
   7523 XC  Enschede
   NL

   EMail: roy.arends@telin.nl


   Rob Austein
   Internet Systems Consortium
   950 Charter Street
   Redwood City, CA  94063
   USA

   EMail: sra@isc.org


   Matt Larson
   VeriSign, Inc.
   21345 Ridgetop Circle
   Dulles, VA  20166-6503
   USA

   EMail: mlarson@verisign.com


   Dan Massey
   Colorado State University
   Department of Computer Science
   Fort Collins, CO 80523-1873

   EMail: massey@cs.colostate.edu


   Scott Rose
   National Institute for Standards and Technology
   100 Bureau Drive
   Gaithersburg, MD  20899-8920
   USA

   EMail: scott.rose@nist.gov







Arends, et al.              Standards Track                    [Page 20]

RFC 4033       DNS Security Introduction and Requirements     March 2005


Full Copyright Statement

   Copyright (C) The Internet Society (2005).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at ietf-
   ipr@ietf.org.

Acknowledgement

   Funding for the RFC Editor function is currently provided by the
   Internet Society.







Arends, et al.              Standards Track                    [Page 21]