DNS Extensions                                                   S. Rose
Internet-Draft                                                      NIST
Expires: August 5, 2003                                 February 4, 2003


                     DNS Security Document Roadmap
                  draft-ietf-dnsext-dnssec-roadmap-07

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on August 5, 2003.

Copyright Notice

   Copyright (C) The Internet Society (2003).  All Rights Reserved.

Abstract

   DNS Security (DNSSEC) technology is composed of extensions to the
   Domain Name System (DNS) protocol that provide data integrity and
   authentication to security aware resolvers and applications through
   the use of cryptographic digital signatures.  Several documents exist
   to describe these extensions and the implementation-specific details
   regarding specific digital signing schemes.  The interrelationship
   between these different documents is discussed here.  A brief
   overview of what to find in which document and author guidelines for
   what to include in new DNS Security documents, or revisions to
   existing documents, is described.


Rose                     Expires August 5, 2003                 [Page 1]

Internet-Draft          DNSSEC Document Roadmap            February 2003


Table of Contents

   1.  Introduction
   2.  Interrelationship of DNS Security Documents
   3.  Relationship of DNS Security Documents to other DNS Documents
   4.  Recommended Content for new DNS Security Documents
   4.1 Security Related Resource Records
   4.2 Digital Signature Algorithm Implementations
   4.3 Refinement of Security Procedures
   4.4 The Use of DNS Security Extensions with Other Protocols
   5.  Security Considerations
   6.  Acknowledgements
       Normative References
       Informative References
       Author's Address
       Full Copyright Statement

1. Introduction

   This document is intended to provide guidelines for the development
   of supplemental documents describing security extensions to the
   Domain Name System (DNS).

   The main goal of the DNS Security (DNSSEC) extensions is to add data
   authentication and integrity services to the DNS protocol.  These
   protocol extensions should be differentiated from DNS operational
   security issues, which are beyond the scope of this effort.  DNS
   Security documents fall into one or possibly more of the following
   sub-categories: new DNS security resource records, implementation
   details of specific digital signing algorithms for use in DNS
   Security and DNS transaction authentication.  Since the goal of DNS
   Security extensions is to become part of the DNS protocol standard,
   additional documents that seek to refine a portion of the security
   extensions will be introduced as the specifications progress along
   the IETF standards track.

   There is a set of basic guidelines for each sub-category of documents
   that explains what should be included, what should be considered a
   protocol extension, and what should be considered an operational
   issue.  Currently, there are at least two documents that fall under
   operational security considerations that deal specifically with the
   DNS security extensions: the first is RFC 2541 [6] which deals with
   the operational side of implementing the security extensions; the
   other is the CAIRN DNSSEC testbed Internet draft [CAIRN].  These
   documents should be considered part of the operational side of DNS,
   but will be addressed as a supplemental part of the DNS Security
   roadmap.  That is not to say that these two documents are not
   important to securing a DNS zone, but they do not directly address
   the proposed DNS security extensions.  Authors of documents that seek
   to address the operational concerns of DNS security should be aware
   of the structure of DNS Security documentation.

   It is assumed the reader has some knowledge of the Domain Name System
   [2] and the Domain Name System Security Extensions.

2. Interrelationship of DNS Security Documents

   The DNSSEC set of documents can be partitioned into five main groups
   as depicted in Figure 1.  All of these documents in turn are under
   the larger umbrella group of DNS base protocol documents.  It is
   possible that some documents fall into more than one of these
   categories, such as RFC 2535, and should follow the guidelines for
   all of the document groups they fall into.  However, it is wise to
   limit the number of "uberdocuments" that try to be everything to
   everyone.  The documents listed in each category are current as of
   the time of writing.

   ---------------------------------------------------------------------

                    +--------------------------------+
                    |                                |
                    |    Base DNS Protocol Docs.     |
                    |   [RFC1035, RFC2181, etc.]     |
                    |                                |
                    +--------------------------------+
                                    |
                                    |
                                    |
      +------------+          +-----------+          +-------------+
      |  New       |          |  DNSSEC   |          |  New        |
      |  Security  |----------|  protocol |----------|  Security   |
      |  RRs       |          |           |          |  Uses       |
      +------------+          |           |          +-------------+
                              +-----------+
                                    |
                                    |
             +----------------------+***********************
             |                      *                      *
             |                      *                      *
       +------------+       +---------------+      +-*-*-*-*-*-*-*-*-+
       |  DS        |       |               |      | Implementation  |
       |  Algorithm |       |  Transactions |      * Notes           *
       |  Impl.     |       |               |      |                 |
       +------------+       +---------------+      +-*-*-*-*-*-*-*-*-+

                        DNSSEC Document Roadmap

   ---------------------------------------------------------------------

   The "DNSSEC protocol" document set refers to the document that makes
   up the groundwork for adding security to the DNS protocol [1] and
   updates to this document.  RFC 2535 laid out the goals and
   expectations of DNS Security and the new security-related Resource
   Records KEY, SIG, DS, and NXT [23].  Expanding from this document,
   related document groups include the implementation documents of
   various digital signature algorithms with DNSSEC, and documents
   further refining the transaction of messages.  It is expected that
   RFC 2535 will be obsoleted by one or more documents that refine the
   set of security extensions [22], [23], [24].  Documents that seek to
   modify or clarify the base protocol documents should state so clearly
   in the introduction of the document (as well as subscribe to the IETF
   guidelines for RFC/Internet Draft authors).  Also, the portions of
   the specification to be modified should be synopsized in the new
   document for the benefit of the reader.  The "DNSSEC protocol" set
   includes the documents [1], [11], [12], [9], [14], [15], [21], [16],
   [OPTIN], [17] and their derivative documents.

   The "New Security RRs" set refers to the group of documents that seek
   to add additional Resource Records to the set of base DNS Record
   types.  These new records can be related to securing the DNS protocol
   [1], [8], or using DNS security for other purposes such as storing
   certificates [5].  Another related document is [26].  While not
   detailing a new RR type, it defines a flag bit in the existing KEY
   RR.  This flag bit does not affect the protocol interpretation of the
   RR, only a possible operational difference.  Therefore, this draft is
   placed here and not with the protocol document set.

   The "DS Algorithm Impl" document set refers to the group of documents
   that describe how a specific digital signature algorithm is
   implemented to fit the DNSSEC Resource Record format.  Each one of
   these documents deals with one specific digital signature algorithm.
   Examples of this set include [4], [5], [25], [19], [18] and [13].

   The "Transactions" document set refers to the group of documents that
   deal with the message transaction sequence of security-related DNS
   operations.  The contents and sequence for operations such as dynamic
   update [3], [11] and transaction signatures [10] are described in
   this document category.  Additional message transaction schemes to
   support DNSSEC operation would also fall under this group, including
   secret key establishment [7], [RENEW], and verification.

   The final document set, "New Security Uses", refers to documents that
   seek to use proposed DNS Security extensions for other security
   related purposes.  Documents that fall in this category include the
   use of DNS in the storage and distribution of certificates and
   individual user public keys (PGP, e-mail, etc.).  Some documents in
   this group may fall beyond the DNSEXT WG scope, but they are included
   because of their use of the security extensions.  The documents in
   this group should not propose any changes to the DNS protocol to
   support other protocols; only how existing DNS security records and
   transactions can be used to support other protocols.  Such documents
   include [SSH-DNS] and [IPSEC-DNS], which deal with storing SSH and
   IPSec keying information in the DNS using new records and utilizing
   DNSSEC to provide authentication and integrity checking.

   Lastly, there is a set of documents that should be classified as
   "Implementation Notes".  Because the DNS security extensions are
   still in the developmental stage, there is an audience for documents
   that detail the transition and implementation of the security
   extensions.  These have more to do with the practical side of DNS
   operations, but can also point to places in the protocol
   specifications that need improvement.  An example of this type is the
   report on the CAIRN DNSSEC testbed [CAIRN].  This document was
   submitted through the DNSOP Working Group at the time of this
   writing; however, the main concern of this document is the
   implementation and limitations of the DNS security extensions, hence
   their interest to the DNS security community.  The CAIRN draft deals
   with the implementation of a secure DNS.  Authors of documents that
   deal with the implementation and operational side of the DNSSEC
   specifications would be advised/encouraged to submit their documents
   to any other relevant DNS related WG meeting in the problem space.

3. Relationship of DNS Security Documents to other DNS Documents

   The DNS security-related extensions should be considered a subset of
   the DNS protocol.  Therefore, all DNS security-related documents
   should be seen as a subset of the main DNS architecture documents.
   It is a good idea for authors of future DNS security documents to be
   familiar with the contents of these base protocol documents.
