draft-kosters-dnsext-dnssec-opt-in-01.txt
   Setting the RS RCODE in a response indicates to the resolver that it
   must retry the query without the DO bit set.  The authority and
   additional sections should be populated the same way when the RS
   RCODE is used as when the RCODE is set to NXDOMAIN.  The resolver
   will therefore be able to verify that the answer does not exist
   within the secure zone, since the NXT RR will be sent in the
   Authority section.  To avoid caching, the server SHOULD set the TTL
   on the NXT RR to 0.

   2) If the client has been identified as not being RETRY-NO-SEC-AWARE,
   the server itself MUST consult the non-secure view to compile the
   answer and respond to the client.  If the RR exists, the answer will
   show up normally within the Answer and Additional sections, with the
   NXT RRs in the Authority section and the KEY RR and its SIG in the
   Additional section.  If the RR does not exist, the RCODE will be set
   to NXDOMAIN and the NXT RR will be sent in the Authority section,
   along with the KEY RR and its SIG in the Additional section.  Again,
   to avoid caching, the server SHOULD set the TTL on the NXT RR to 0.

   Note that the latter case should be used only during the transition
   to clients that understand the RS RCODE.  It should not be viewed as
   a permanent solution and may be deprecated in a short period of time.

Kosters                 Expires August 31, 2001                 [Page 5]
Internet-Draft               DNSSEC Opt In                    March 2001

   Example:

   Consider a zone with the secure names 3, 6, and 9, and unsecured
   names 2, 4, 5, 7, and 8.

   Unsecured zone contents:

      @   SOA
      2   NS
      3   NS
      4   NS
      5   NS
      6   NS
      7   NS
      8   NS
      9   NS

   Secured zone contents:

      @   SOA, SIG SOA, NXT(3), SIG NXT
      3   NS, SIG NS, NXT(6), SIG NXT
      6   NS, SIG NS, NXT(9), SIG NXT
      9   NS, SIG NS, NXT(@), SIG NXT

   1. Query for 5, RR type A, with the EDNS0 DO bit set along with the
      RETRY-NO-SEC-AWARE option code.  The response would return with
      the extended RCODE RS bit set:

         RCODE=RS
         Authority Section:  SOA, SIG SOA, 3 NXT(6), SIG NXT
         Additional Section: KEY, SIG KEY

      The source would then retry without the EDNS0 DO bit set, which
      would return an answer as defined in RFC 1035 [2].

   2. Query for 5, RR type A, with the EDNS0 DO bit only.  The response
      would return with the following:

         RCODE=NOERROR
         Answer Section:     5 NS
         Authority Section:  3 NXT(6), SIG NXT
         Additional Section: KEY, SIG KEY

   3. Query for 55, RR type A, with the EDNS0 DO bit set along with the
      RETRY-NO-SEC-AWARE option code.  The response would return with
      the extended RCODE RS bit set:

         RCODE=RS
         Authority Section:  SOA, SIG SOA, 3 NXT(6), SIG NXT
         Additional Section: KEY, SIG KEY

      The source would then retry without the EDNS0 DO bit set, which
      would return an answer as defined in RFC 1035 [2].  The subsequent
      RFC 1035 answer would contain an RCODE of NXDOMAIN, since the
      domain 55 does not exist.

   4. Query for 3, RR type KEY, without the EDNS0 DO bit set.  The
      response would return with an answer as defined in RFC 2535 [4].

   5. Query for 3, RR type A, with the EDNS0 DO bit set.  The response
      would be the same as defined in RFC 2535 [4].

4. Security Considerations

   This draft is different and separate from RFC 2535 [4] in that it
   allows secured delegation paths to exist but does not allow secure
   answers for unsecured delegations at the parent level.  The increased
   exposure will be marginal, given that the children are unsecured.

5. IANA Considerations

   1) Allocation of a bit within the reserved portion of the KEY RR to
      indicate that the zone is an opt-in zone.

   2) Allocation of the most significant bit of the RCODE field in the
      EDNS0 OPT meta-RR is required.

   3) Allocation of an option-code within the OPT RR to indicate that
      the client can understand the new RCODE.
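   The server-side decision logic described above, run over the draft's
   example zone, as an added illustration that is not code from the
   draft: RRs are modelled as small dicts, names are the example's bare
   labels with "@" as the apex, and the RETRY-NO-SEC-AWARE EDNS0 option
   is assumed to be a boolean flag on the query.

```python
# Added model of the opt-in server logic over the draft's example zone
# (secure names 3, 6, 9; unsecured names 2, 4, 5, 7, 8).  Not draft code.
SECURE_ORDER = ["@", "3", "6", "9"]                      # secure view, canonical order
NON_SECURE = {"@": ["SOA"], **{str(i): ["NS"] for i in range(2, 10)}}  # non-secure view

def covering_nxt(qname):
    """Owner and 'next' name of the secure-view NXT RR whose span covers qname."""
    key = lambda n: "" if n == "@" else n  # apex sorts first; labels here are digits
    owner = "@"
    for name in SECURE_ORDER:
        if key(name) <= key(qname):
            owner = name
    nxt = SECURE_ORDER[(SECURE_ORDER.index(owner) + 1) % len(SECURE_ORDER)]
    return owner, nxt

def nxt_proof(owner, nxt):
    # TTL 0 on the NXT RR so that the non-existence proof is not cached.
    return [{"name": owner, "type": "NXT", "next": nxt, "ttl": 0},
            {"name": owner, "type": "SIG", "covers": "NXT"}]

APEX_SOA = [{"name": "@", "type": "SOA"}, {"name": "@", "type": "SIG", "covers": "SOA"}]
APEX_KEY = [{"name": "@", "type": "KEY", "opt_in": True}, {"name": "@", "type": "SIG", "covers": "KEY"}]

def respond(qname, do_bit, retry_no_sec_aware=False):
    """Sections the draft prescribes for a query at the opt-in parent."""
    rrs = NON_SECURE.get(qname)                # the non-secure view holds every name
    resp = {"rcode": "NOERROR" if rrs else "NXDOMAIN", "authority": [], "additional": [],
            "answer": [{"name": qname, "type": t} for t in rrs or []]}
    if not do_bit or qname in SECURE_ORDER:
        # No DO bit: plain RFC 1035 answer.  Secure name with DO: RFC 2535 answer,
        # the name's own RRs plus their SIGs (cases 4 and 5 of the draft).
        if do_bit:
            resp["answer"] += [{"name": qname, "type": "SIG", "covers": t} for t in rrs]
        return resp
    owner, nxt = covering_nxt(qname)           # name is absent from the secure view
    if retry_no_sec_aware:
        # Cases 1 and 3: ask the resolver to retry without DO, with a proof that
        # the name has no secure entry; the retry is then answered per RFC 1035.
        resp.update(rcode="RS", answer=[], authority=APEX_SOA + nxt_proof(owner, nxt))
    else:
        # Case 2 (client not RETRY-NO-SEC-AWARE): the server consults the
        # non-secure view itself and still attaches the NXT proof.
        resp["authority"] = nxt_proof(owner, nxt)
    resp["additional"] = APEX_KEY
    return resp
```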
6. Acknowledgements

   This document is based on a rough draft by Brian Wellington, and
   input from Olafur Gudmundsson.

References

   [1] Mockapetris, P.V., "Domain names - concepts and facilities",
       RFC 1034, STD 13, November 1987.

   [2] Mockapetris, P.V., "Domain names - implementation and
       specification", RFC 1035, STD 13, November 1987.

   [3] Bradner, S., "Key words for use in RFCs to Indicate Requirement
       Levels", RFC 2119, BCP 14, March 1997.

   [4] Eastlake, D., "Domain Name System Security Extensions", RFC 2535,
       March 1999.

   [5] Vixie, P., "Extension Mechanisms for DNS (EDNS0)", RFC 2671,
       August 1999.

   [6] Conrad, D. R., "Indicating Resolver Support of DNSSEC (work in
       progress)", August 2000.

Author's Address

   Mark Kosters
   Network Solutions, Inc.
   505 Huntmar Park Drive
   Herndon, VA 22070
   US

   Phone: +1 703 948-3362
   EMail: markk@netsol.com
   URI:   http://www.netsol.com

Full Copyright Statement

   Copyright (C) The Internet Society (2001).  All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works.  However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgement

   Funding for the RFC editor function is currently provided by the
   Internet Society.