INTERNET-DRAFT                                    Donald E. Eastlake 3rd
OBSOLETES RFC 2137                           Transfinite Systems Company
Expires: February 1999                                       August 1998

              Secure Domain Name System (DNS) Dynamic Update
              ------ ------ ---- ------ ----- ------- ------

Status of This Document

   This draft, file name draft-ietf-dnssec-update2-00.txt, is intended
   to become a Proposed Standard RFC obsoleting RFC 2137. Distribution
   of this document is unlimited. Comments should be sent to the DNS
   security mailing list <dns-security@tis.com> or the author.

   This document is an Internet-Draft. Internet-Drafts are working
   documents of the Internet Engineering Task Force (IETF), its areas,
   and its working groups. Note that other groups may also distribute
   working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months. Internet-Drafts may be updated, replaced, or obsoleted by
   other documents at any time. It is not appropriate to use
   Internet-Drafts as reference material or to cite them other than as
   a ``working draft'' or ``work in progress.''

   To view the entire list of current Internet-Drafts, please check the
   "1id-abstracts.txt" listing contained in the Internet-Drafts Shadow
   Directories on ftp.is.co.za (Africa), ftp.nordu.net (Northern
   Europe), ftp.nis.garr.it (Southern Europe), munnari.oz.au (Pacific
   Rim), ftp.ietf.org (US East Coast), or ftp.isi.edu (US West Coast).
Donald E. Eastlake 3rd                                          [Page 1]

INTERNET-DRAFT               Secure DNS Update               August 1998

Abstract

   Revised Domain Name System (DNS) protocol extensions to authenticate
   the data in DNS and provide key distribution services have been
   defined in draft-ietf-dnssec-secext2-*.txt, which obsoletes the
   original DNS security protocol definition in RFC 2065. In addition,
   symmetric key DNS transaction signatures have been defined in
   draft-ietf-dnsind-tsig-*.txt. Secure DNS Dynamic Update operations
   were also defined [RFC 2137] in connection with RFC 2065. This
   document updates secure dynamic update in light of
   draft-ietf-dnssec-secext2-*.txt and draft-ietf-dnsind-tsig-*.txt. It
   describes how to use digital signatures covering requests and data
   to secure updates and restrict updates to those authorized to
   perform them, as indicated by the updater's possession of
   cryptographic keys.
Table of Contents

   Status of This Document....................................1
   Abstract...................................................2
   Table of Contents..........................................3
   1. Introduction............................................4
   1.1. Overview of DNS Dynamic Update........................4
   1.2. Overview of Public Key DNS Security...................4
   1.3 Overview of Secret Key DNS Security....................5
   2. Two Basic Modes.........................................6
   2.1. Mode A................................................6
   2.2. Mode B................................................7
   3. Keys....................................................8
   3.1. Update Keys...........................................8
   3.1.1. Public Update Key Name Scope........................8
   3.1.2. Public Update Key Class Scope.......................8
   3.1.3. Public Update Key Signatory Field...................9
   3.2. Zone Keys and Update Modes...........................10
   3.3. Wildcard Public Key Punch Through....................11
   4. Update Signatures......................................13
   4.1. Update Request Signatures............................13
   4.2. Update Data Signatures...............................13
   5. Security Considerations................................14
   6. IANA Considerations....................................14
   References................................................15
   Author's Address..........................................15
   Expiration and File Name..................................15
1. Introduction

   Dynamic update operations have been defined for the Domain Name
   System (DNS) in RFC 2136, but that RFC does not include a description
   of security for those updates. Public key means of securing DNS data
   and transactions, and of using the DNS for public key distribution,
   were defined in RFC 2065, which has been updated by
   draft-ietf-dnssec-secext2-*.txt; secret key means of securing DNS
   transactions are defined in draft-ietf-dnsind-tsig-*.txt.

   This document provides techniques based on the updated DNS security
   specification, draft-ietf-dnssec-secext2-*.txt, and on
   draft-ietf-dnsind-tsig-*.txt to authenticate DNS updates of secure
   zones. (Secret key signatures could be used to authenticate updates
   on non-secured DNS zones. That case is not considered in this
   document.)

   Familiarity with the DNS system [RFC 1034, 1035] is assumed.
   Familiarity with DNS security and dynamic update will be helpful.

1.1. Overview of DNS Dynamic Update

   DNS dynamic update defines a new DNS opcode, a new DNS request and
   response structure when that opcode is used, and new error codes. An
   update can specify complex combinations of deletion and insertion
   (with or without pre-existence testing) of resource records (RRs)
   with one or more owner names; however, all testing and changes for
   any particular DNS update request are restricted to a single zone.
   Updates occur at the primary server for a zone.

   The primary server for a dynamic zone must increment the zone SOA
   serial number when an update occurs, or the next time the SOA is
   retrieved if one or more updates have occurred since the previous SOA
   retrieval and the updates themselves did not update the SOA.

1.2. Overview of Public Key DNS Security

   DNS security authenticates data in the DNS by also storing digital
   signatures in the DNS as SIG resource records (RRs). A SIG RR
   provides a digital signature on the set of all RRs with the same
   owner name and class as the SIG and whose type is the type covered by
   the SIG. The SIG RR cryptographically binds the covered RR set to
   the signer, signature inception and expiration date, etc. There are
   one or more keys associated with every secure zone, and all data in
   the secure zone is signed either by a zone key or by a dynamic update
   key tracing its authority to a zone key.
   DNS security also defines transaction SIGs and request SIGs.
   Transaction SIGs appear at the end of a response. They authenticate
   the response and bind it to the corresponding request using the key
   of the host where the responding DNS server is.

   Request SIGs appear at the end of a request and authenticate the
   request with the key of the submitting entity.

   DNS security also permits the storage of public keys in the DNS via
   KEY RRs. These KEY RRs are also, of course, authenticated by SIG
   RRs. KEY RRs for zones may be stored in their superzone and/or their
   authoritative subzone servers so that the secure DNS tree of zones
   can be traversed by a security aware resolver.

1.3 Overview of Secret Key DNS Security

   draft-ietf-dnsind-tsig-*.txt provides a means for two processes that
   share a secret key to authenticate DNS requests and responses sent
   between them by appending TSIG digital signature RRs to those
   requests and responses. Secret key digital signatures are generally
   much faster to calculate and verify than public key digital
   signatures. In addition, the need, in general, to cache KEY RRs and
   perform the KEY-SIG chain verifications is avoided.

   However, the cost for this speed and simplicity in TSIG use is the
   requirement to securely achieve key distribution or agreement between
   the communicating processes, and to achieve agreement as to the
   authority represented by a correct TSIG on a request using a
   particular key.
2. Two Basic Modes

   A dynamic secure zone is any secure DNS zone that

   (1) has a zone KEY RR whose signatory field indicates that updates
       are implemented and either

   (2a) contains one or more KEY RRs that can authorize dynamic
        updates, i.e., entity or user KEY RRs with the signatory field

   (2b) has a primary server with one or more secret keys configured
        to authorize update requests and shared with one or more
        update requesters.

   Note: 2a and 2b can both be true for a zone.

   There are two basic modes of dynamic secure zone which relate to the
   update strategy, mode A and mode B. A summary comparison table is
   given below and then each mode is described.

                  SUMMARY OF DYNAMIC SECURE ZONE MODES

   CRITERIA:                |       MODE A       |      MODE B
   =========================+====================+===================
   Definition:              | Zone Key Off line  | Zone Key On line
   =========================+====================+===================
   Server Workload          | Medium             | High
   -------------------------+--------------------+-------------------
   Key Restrictions         | Fine grain         | Coarse grain
   -------------------------+--------------------+-------------------
   Dynamic Data Temporality | Transient          | Permanent
   -------------------------+--------------------+-------------------
   Dynamic Key Rollover     | No                 | Yes
   -------------------------+--------------------+-------------------

   NOTE: The Mode A / Mode B distinction only affects the validation
   and performance of update requests. It has no effect on retrievals.

   For mode A, the zone owner private key and static zone master file
   are kept off-line for maximum security of the static zone contents.
   As a consequence, any dynamically added or changed RRs are signed in
   the secure zone by their authorizing dynamic update key, and they are
   backed up, along with this SIG RR, in a separate online dynamic
   master file. In this type of zone, server computation is generally
   reduced since the server need only check signatures on the update
   data and request, which have already been signed by the updater
   (generally a much faster operation than signing data), and update the
   NXT RRs which need to be changed, if any. Because the dynamically
   added RRs retain their update KEY signed SIG, finer grained control
   of updates can be implemented via the KEY RR signatory field (unique
   name restriction and weak update key restriction). Because dynamic
   data is only stored in the online dynamic master file and only
   authenticated by dynamic keys which expire, updates are transient in
   nature. Key rollover for an entity that can authorize dynamic
   updates is more cumbersome since the authority of their key must be
   traceable to a zone key and so, in general, they must securely
   communicate a new key to the zone authority for manual transfer to
   the off line static master file. NOTE: for this mode the zone SOA and
   NXT RRs must be signed by a dynamic update key, which will be an end
   entity key with an owner name of the zone name, and that private key
   must be kept on line so that the SOA and NXTs can be changed for

   For mode B, the zone owner private key and master file are kept
   on-line at the zone primary server. When authenticated updates
   succeed, SIGs under the zone key for the resulting data (as well as
   possible NXT and SOA changes) are calculated and these SIG (and
   possible SOA/NXT) changes are entered into the zone and the unified
   on-line

   As a consequence, this mode generally requires more computational
   effort on the part of the server, as it computes zone data signatures
   in addition to verifying the signatures on requests. Because signing
   generally takes more effort than verification, these signatures
   generally will take more effort to calculate than it would take to
   verify the data signatures required in Mode A. Because the zone key
   is used to sign all the zone data, the information as to who
   originated the current state of dynamic RR sets, and even that the
   data is the result of a dynamic update as opposed to coming from an
   original master file, is lost, making unavailable the fine grain
   control of some values of the KEY RR signatory field. In addition,
   the incorporation of the updates into the primary master file and
   their authentication by the zone key makes them permanent in nature.
   Maintaining the zone key on-line also means that dynamic update keys
   which are signed by the zone key can be dynamically updated in real
   time, since the zone key is available to dynamically sign new values.
3. Keys

   Dynamic update requests depend on update keys as described in section
   3.1 below. In addition, the zone secure dynamic update mode and the
   availability of some options are indicated in the zone KEY(s).
   Finally, a special rule is used in searching for KEYs to validate
   updates, as described in section 3.3.

3.1. Update Keys

   All update requests to a secure zone must include signature(s) by one
   or more private or secret keys that together can authorize that
   update. In order for the Domain Name System (DNS) server executing
   the update request to confirm this, (1) any secret keys must be known
   to it, along with the authority represented by the secret key, and
   (2) any private key or keys must have the corresponding public key or
   keys available to and authenticatable by that server as specially
   flagged KEY Resource Records (RRs).

   The scope of authority of any secret keys is as configured at the
   server. Methods of describing and configuring such authority are not
   discussed in this document.

   The scope of authority of public update keys is indicated by their
   KEY RR owner name, class, and signatory field flags as described
   below. In addition, such KEY RRs MUST be entity or user keys and MUST
   NOT have the authentication use prohibited bit on.

   All parts of the actual update MUST be within the scope/authority of
   at least one of the keys used for a request SIG or TSIG on the update
   request, as described in section 4.

3.1.1. Public Update Key Name Scope

   The owner name of any update authorizing KEY RR must (1) be the same
   as the owner name of any RRs being added or deleted, or (2) be a
   wildcard name including within its extended scope (see section 3.3)
   the name of any RRs being added or deleted, and those RRs must be in
   the same

3.1.2. Public Update Key Class Scope

   The class of any update authorizing KEY RR must be the same as the
   class of any RRs being added or deleted.
599c6d44f4d41aab5d3da98214492eb26e674b65Michael Graff3.1.3. Public Update Key Signatory Field
599c6d44f4d41aab5d3da98214492eb26e674b65Michael Graff The four bit "signatory field" (see draft-ietf-dnssec-secext2-*.txt)
599c6d44f4d41aab5d3da98214492eb26e674b65Michael Graff of any update authorizing KEY RR must be non-zero. The bits have the
599c6d44f4d41aab5d3da98214492eb26e674b65Michael Graff meanings described below for non-zone keys (see section 3.2 for zone
599c6d44f4d41aab5d3da98214492eb26e674b65Michael Graff UPDATE KEY RR SIGNATORY FIELD BITS
599c6d44f4d41aab5d3da98214492eb26e674b65Michael Graff +-----------+-----------+-----------+-----------+
599c6d44f4d41aab5d3da98214492eb26e674b65Michael Graff | zone | strong | unique | general |
599c6d44f4d41aab5d3da98214492eb26e674b65Michael Graff +-----------+-----------+-----------+-----------+
599c6d44f4d41aab5d3da98214492eb26e674b65Michael Graff Bit 0, zone control - If nonzero, this key is authorized to attach,
599c6d44f4d41aab5d3da98214492eb26e674b65Michael Graff detach, and move zones by creating and deleting NS, glue A, and
599c6d44f4d41aab5d3da98214492eb26e674b65Michael Graff zone KEY RR(s). If zero, the key can not authorize any update
599c6d44f4d41aab5d3da98214492eb26e674b65Michael Graff that would effect such RRs. This bit is meaningful for both
599c6d44f4d41aab5d3da98214492eb26e674b65Michael Graff type A and type B dynamic secure zones. An update attempting to
599c6d44f4d41aab5d3da98214492eb26e674b65Michael Graff add an NS or zone KEY RR to a node (i.e., make the node a
599c6d44f4d41aab5d3da98214492eb26e674b65Michael Graff delegation point) is illegal if there are any deeper nodes in
599c6d44f4d41aab5d3da98214492eb26e674b65Michael Graff NOTE: do not confuse the "zone" signatory field bit with the
599c6d44f4d41aab5d3da98214492eb26e674b65Michael Graff "zone" key type bit.
599c6d44f4d41aab5d3da98214492eb26e674b65Michael Graff Bit 1, strong update - If zero, the key can only authorize updates
599c6d44f4d41aab5d3da98214492eb26e674b65Michael Graff where any existing RRs of the same owner and class are
599c6d44f4d41aab5d3da98214492eb26e674b65Michael Graff authenticated by a SIG using the same key. If nonzero, this key
599c6d44f4d41aab5d3da98214492eb26e674b65Michael Graff is authorized to add and delete RRs even if there are other RRs
599c6d44f4d41aab5d3da98214492eb26e674b65Michael Graff with the same owner name and class that are authenticated by a
599c6d44f4d41aab5d3da98214492eb26e674b65Michael Graff SIG signed with a different dynamic update KEY. This bit is
599c6d44f4d41aab5d3da98214492eb26e674b65Michael Graff meaningful only for type A dynamic zones that have a zone KEY
599c6d44f4d41aab5d3da98214492eb26e674b65Michael Graff advertising that the feature is available. It is ignored in
599c6d44f4d41aab5d3da98214492eb26e674b65Michael Graff type B dynamic zones.
599c6d44f4d41aab5d3da98214492eb26e674b65Michael Graff Keeping this bit zero on multiple KEY RRs with the same or
599c6d44f4d41aab5d3da98214492eb26e674b65Michael Graff nested wild card owner names permits multiple entities to exist
599c6d44f4d41aab5d3da98214492eb26e674b65Michael Graff that can create and delete names but can not effect RRs with
599c6d44f4d41aab5d3da98214492eb26e674b65Michael Graff different owner names from any they created. In effect, this
599c6d44f4d41aab5d3da98214492eb26e674b65Michael Graff creates two levels of dynamic update key, strong and weak, where
599c6d44f4d41aab5d3da98214492eb26e674b65Michael Graff weak keys are prohibited from interfering with each other but a
599c6d44f4d41aab5d3da98214492eb26e674b65Michael Graff strong key can interfere with any weak keys or other strong
   Bit 2, unique name update - This bit is useful only if the owner name
        is a wildcard. (Any dynamic update KEY with a non-wildcard name
        is, in effect, a unique name update key.) If zero, this key is
        authorized to add and update RRs for any number of names within
        its wildcard scope. If nonzero, this key is authorized to add
        and update RRs for only a single owner name. If there already
        exist RRs with one or more names signed by this key, they may be
        updated but no new name created until the number of existing
        names is reduced to zero. This bit is meaningful only for mode
        A dynamic zones that have a zone KEY advertising that the
        feature is available. It is ignored in mode B dynamic zones.

Donald E. Eastlake 3rd                                          [Page 9]

INTERNET-DRAFT            Secure DNS Update                  August 1998
        This bit can be used to restrict a KEY from flooding a zone with
        new names. In conjunction with a local administratively imposed
        limit on the number of dynamic RRs with a particular name, it
        can completely restrict a KEY from flooding a zone with RRs.

   Bit 3, general update - The general update signatory field bit has no
        special meaning. If the other three bits are all zero, it must
        be one so that the field is non-zero to designate that the key
        is an update key. The meaning of all values of the signatory
        field with the general bit on and one or more other signatory
        field bits on is reserved.

   All the signatory bit update authorizations described above only
   apply if the update is within the name and class scope as per
   sections 3.1.1 and 3.1.2.
3.2. Zone Keys and Update Modes

   Zone type keys are automatically authorized to sign anything in their
   zone, of course, regardless of the value of their signatory field.
   For zone keys, the signatory field bits have different meanings than
   they do for update keys, as shown below. The signatory field MUST be
   zero if dynamic update is not supported for a secure zone and MUST be
   non-zero if it is.
                    ZONE KEY RR SIGNATORY FIELD BITS

         +-----------+-----------+-----------+-----------+
         |   mode    |  strong   |  unique   |  general  |
         +-----------+-----------+-----------+-----------+

   Bit 0, mode - This bit indicates the update mode for this zone. Zero
        indicates mode A while a one indicates mode B.

   Bit 1, strong update - If nonzero, this indicates that the "strong"
        key feature described in section 3.1.3 above is implemented and
        enabled for this secure zone. If zero, the feature is not
        available and all update keys are treated as strong. Has no
        effect if the zone is a mode B secure update zone.
   Bit 2, unique name update - If nonzero, this indicates that the
        "unique name" feature described in section 3.1.3 above is
        implemented and enabled for this secure zone. If zero, this
        feature is not available and no wildcard update key is treated
        as restricted to a single name. Has no effect if the zone is a
        mode B secure update zone.

   Bit 3, general - This bit has no special meaning. If dynamic update
        for a zone is supported and the other bits in the zone key
        signatory field are zero, it must be a one. The meaning of zone
        keys where the signatory field has the general bit and one or
        more other bits on is reserved.

   If there are multiple zone KEY RRs with non-zero signatory fields and
   zone policy is in transition, they might have different signatory
   field values. In that case, strong and unique name restrictions MUST
   be enforced as long as there is a non-expired zone key being
   advertised that indicates mode A with the strong or unique name bit
   on, respectively. Mode B updates (i.e., no data signatures) MUST be
   supported as long as there is a non-expired zone key that indicates
   mode B. Mode A or mode ambiguous updates may be treated as mode B
   updates at server option if non-expired zone keys indicate that both
   are supported.

   A server that will be executing update operations on a zone, that is,
   the primary master server, MUST NOT advertise a zone key that will
   attract requests for a mode or features that it cannot support.
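   The zone key signatory bits above, together with the update key strong
   and unique bits of section 3.1.3, worked through as an added example
   that is not part of this draft: it derives a zone's effective policy
   from its non-expired zone KEYs under the transition rule and applies
   that policy to an update key. The class and function names, the
   named-boolean representation of the bits and the expired attribute
   are assumptions of the example, not definitions from the draft.

```python
"""Signatory-field policy for secure dynamic update (sections 3.1.3, 3.2).
Each bit is a named boolean; bit positions within the KEY flags field are
not modelled. 'expired' is a constructed stand-in for key validity."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ZoneKeySignatory:
    mode_b: bool            # bit 0: 0 = mode A, 1 = mode B
    strong: bool            # bit 1: strong/weak update keys (mode A only)
    unique: bool            # bit 2: unique-name restriction (mode A only)
    general: bool           # bit 3: set only when the other three are zero
    expired: bool = False   # constructed: key validity has lapsed

    def invalid_reason(self):
        """None if the field value is usable, else why the draft rejects it."""
        others = (self.mode_b, self.strong, self.unique)
        if not self.general and not any(others):
            return "zero signatory field: zone does not support dynamic update"
        if self.general and any(others):
            return "general bit together with other bits is reserved"
        return None


@dataclass(frozen=True)
class ZonePolicy:
    accepts_mode_a: bool   # updates carrying data SIGs are accepted
    accepts_mode_b: bool   # updates without data SIGs are accepted
    enforce_strong: bool   # weak keys confined to names they created
    enforce_unique: bool   # wildcard keys with unique bit limited to one name


def effective_policy(zone_keys):
    """Combine all non-expired zone KEYs (section 3.2 transition rule): a
    restriction is enforced if any live mode A key advertises it, and mode
    B is supported if any live key indicates mode B."""
    live = [k for k in zone_keys if not k.expired]
    if not live:
        raise ValueError("no non-expired zone key: dynamic update unavailable")
    for k in live:
        if k.invalid_reason():
            raise ValueError(k.invalid_reason())
    mode_a = [k for k in live if not k.mode_b]   # strong/unique count here only
    return ZonePolicy(
        accepts_mode_a=bool(mode_a),
        accepts_mode_b=any(k.mode_b for k in live),
        enforce_strong=any(k.strong for k in mode_a),
        enforce_unique=any(k.unique for k in mode_a),
    )


def update_key_is_strong(policy, key_strong_bit):
    """Without the strong feature advertised, every update key is strong."""
    return key_strong_bit or not policy.enforce_strong


def update_key_single_name(policy, key_owner, key_unique_bit):
    """Non-wildcard update keys are single-name by nature; a wildcard key is
    single-name only when the zone enforces the feature and its bit is set."""
    if not key_owner.startswith("*."):
        return True
    return policy.enforce_unique and key_unique_bit
```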
3.3. Wildcard Public Key Punch Through

   Just as a zone key is valid throughout the entire zone, public update
   keys with wildcard names are valid throughout their extended scope,
   within the zone. That is, they remain valid for any name that would
   match them, even existing specific names within their apparent scope.
   (If this were not so, then whenever a name within a wildcard scope
   was created by dynamic update using a wildcard named public update
   key for authorization, it would be necessary to first create a copy
   of the KEY RR with this name, because otherwise the existence of the
   more specific name would hide the authorizing KEY RR and would make
   later updates impossible. An updater could create such a KEY RR but
   could not zone sign it with their authorizing signer. They would
   have to sign it with the same key using the wildcard name as signer.
   (This would create update KEYs signed by update KEYs, which was
   permitted in RFC 2065 but, for simplicity, is prohibited in
   draft-ietf-dnssec-secext2-*.txt, which requires all KEYs to be signed
   by zone keys.) Thus in creating, for example, one hundred type A RRs
   authorized by a *.1.1.1.in-addr.arpa KEY RR, without key punch
   through 100 As, 100 KEYs, and 200 SIGs would have to be created as
   opposed to merely 100 As and 100 SIGs with wildcard key punch
4. Update Signatures

   Two kinds of signatures can appear in updates. Request signatures,
   which are always required, cover the entire request and authenticate
   the DNS header, including opcode, counts, etc., as well as the data.
   Data signatures, on the other hand, appear only among the RRs to be
   added and are only required for mode A operation. These two types of
   signatures are described further below.
4.1. Update Request Signatures

   An update can affect multiple owner names in a zone. It may be that
   these different names are covered by different public or secret
   dynamic update keys. For every owner name affected, the updater must
   know a private or secret key valid to authorize updates for that name
   (and the zone's class) and must prove this by appending request SIG
   and/or TSIG RRs under each such key.

   Request signatures occur in the Additional Information section. As
   specified in draft-ietf-dnssec-secext2-*.txt, a public request
   signature is a SIG RR occurring at the end of a request with a type
   covered field of zero. As specified in draft-ietf-dnsind-tsig-*.txt,
   a secret key request signature is a TSIG RR occurring at the end of
   the request. Each request SIG or TSIG signs the entire request,
   including the DNS header, but excluding any other request signatures
   and with the ARCOUNT in the DNS header set to what it would be
   without the request signatures.
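   The request signature coverage rule above, as an added example that is
   not part of this draft: a constructed UPDATE touching two owner names
   under two wildcard update keys is signed once per key over the header
   (with ARCOUNT reduced by the number of request signatures) plus every
   non-signature RR, and the verifier additionally checks that each
   updated name lies within a verified key's scope. The HMAC-SHA256 MAC,
   the section-tagged RR blobs and the wildcard scope test are
   assumptions standing in for the SIG(0)/TSIG algorithms and wire
   parsing, not the cited drafts' own definitions.

```python
"""Request-signature coverage for a DNS UPDATE (section 4.1). Constructed
model: a message is a header plus RR byte blobs tagged by section, with the
request signatures appended last. The MAC is an HMAC-SHA256 stand-in
(assumption) for the real SIG(0)/TSIG computation defined in the cited drafts."""
import hashlib
import hmac
import struct

OPCODE_UPDATE = 5


def pack_header(msg_id, zocount, prcount, upcount, arcount):
    """RFC 2136 header: ID, flags carrying the UPDATE opcode, four counts."""
    return struct.pack("!6H", msg_id, OPCODE_UPDATE << 11, zocount, prcount, upcount, arcount)


def covered_bytes(header, rrs, num_request_sigs):
    """What a request SIG/TSIG signs: the header with ARCOUNT as it would be
    without the request signatures, followed by every non-signature RR."""
    msg_id, flags, zo, pr, up, ar = struct.unpack("!6H", header)
    if num_request_sigs > ar:
        raise ValueError("ARCOUNT smaller than the number of request signatures")
    fixed = struct.pack("!6H", msg_id, flags, zo, pr, up, ar - num_request_sigs)
    return fixed + b"".join(blob for _section, _owner, blob in rrs)


def sign_request(secret, header, rrs, num_request_sigs):
    return hmac.new(secret, covered_bytes(header, rrs, num_request_sigs), hashlib.sha256).digest()


def name_in_scope(owner, key_owner):
    """A wildcard key *.x. covers names strictly below x.; others match exactly."""
    if key_owner.startswith("*."):
        return owner.endswith(key_owner[1:])
    return owner == key_owner


def verify_update(header, rrs, request_sigs, keys):
    """request_sigs: [(key_owner, mac)] as appended; keys: key_owner -> secret.
    True only if every signature verifies and every owner name in the Update
    section lies within the scope of at least one verified key."""
    verified = set()
    for key_owner, mac in request_sigs:
        secret = keys.get(key_owner)
        if secret is None:
            return False
        if not hmac.compare_digest(mac, sign_request(secret, header, rrs, len(request_sigs))):
            return False
        verified.add(key_owner)
    updated = [owner for section, owner, _ in rrs if section == "update"]
    return all(any(name_in_scope(o, k) for k in verified) for o in updated)


def build_example():
    """Constructed update of two names under two wildcard update keys."""
    keys = {"*.lab.example.": b"constructed-lab-secret",
            "*.dmz.example.": b"constructed-dmz-secret"}
    rrs = [("zone", "example.", b"\x07example\x00\x00\x06\x00\x01"),
           ("update", "host1.lab.example.", b"constructed A RR for host1"),
           ("update", "host2.dmz.example.", b"constructed A RR for host2")]
    header = pack_header(0x1234, 1, 0, len(rrs) - 1, len(keys))
    sigs = [(k, sign_request(s, header, rrs, len(keys))) for k, s in keys.items()]
    return header, rrs, sigs, keys
```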
4.2. Update Data Signatures

   Mode A dynamic secure zones require that the update requester provide
   SIG RRs that will authenticate the after-update state of all RR sets
   that are changed by the update and are non-empty after the update.
   These SIG RRs appear in the request as RRs to be added and the
   request must delete any previous data SIG RRs that are invalidated by

   In Mode B dynamic secure zones, all zone data is authenticated by
   zone key SIG RRs. In this case, data signatures need not be included
   with the update. A prospective updater can determine which mode an
   updatable secure zone is using by examining the signatory field bits
   of the zone KEY RR or RRs (see section 3.2).
5. Security Considerations

   Any secure zone permitting dynamic updates is inherently less secure
   than a static secure zone maintained off line as recommended in
   draft-ietf-dnssec-secops-*.txt. If nothing else, secure dynamic
   update requires on line changes to, and re-signing of, the zone SOA
   resource record (RR) to increase the SOA serial number. This means
   that compromise of the primary server host could lead to arbitrary
   serial number changes.

   Isolation of dynamic RRs in zones separate from those holding most
   static RRs can limit the damage that could occur from a breach of a
   dynamic zone's security.

6. IANA Considerations

   Allocations of values of the KEY RR Signatory field described herein
   as "reserved" require an IETF consensus.
   [RFC1035] - Domain Names - Implementation and Specifications, P.
   Mockapetris, November 1987.

   [RFC1034] - Domain Names - Concepts and Facilities, P. Mockapetris,
   November 1987.

   [RFC2065] - Domain Name System Security Extensions, D. Eastlake, 3rd,
   C. Kaufman, January 1997.

   [RFC2136] - Dynamic Updates in the Domain Name System (DNS UPDATE),
   P. Vixie, Ed., S. Thomson, Y. Rekhter, J. Bound, April 1997.

   [RFC2137] - Secure Domain Name System Dynamic Update, D. Eastlake.

   draft-ietf-dnsind-tsig-*.txt

   draft-ietf-dnssec-secext2-*.txt

   draft-ietf-dnssec-secops-*.txt
Author's Address

   Donald E. Eastlake, 3rd
   Transfinite Systems Company
   318 Acton Street
   Carlisle, MA 01741 USA

   Telephone:   +1 978-287-4877
                +1 978-371-7148 (fax)
   email:       dee3@torque.pothole.com

Expiration and File Name

   This draft expires February 1999.

   Its file name is draft-ietf-dnssec-update2-00.txt.