mirror of
https://git.FreeBSD.org/src.git
synced 2024-12-18 10:35:55 +00:00
Remove files from the vendor branch that are no longer present
in BIND 9.3.2 that were mistakenly removed from HEAD.
This commit is contained in:
parent
b824835191
commit
16cf7c033f
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/vendor/bind9/dist/; revision=154334
@ -1,113 +0,0 @@
|
||||
.\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
|
||||
.\" Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
|
||||
.\"
|
||||
.\" Permission to use, copy, modify, and distribute this software for any
|
||||
.\" purpose with or without fee is hereby granted, provided that the above
|
||||
.\" copyright notice and this permission notice appear in all copies.
|
||||
.\"
|
||||
.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
|
||||
.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
|
||||
.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
|
||||
.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
|
||||
.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
|
||||
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
||||
.\" PERFORMANCE OF THIS SOFTWARE.
|
||||
.\"
|
||||
.\" $Id: dnssec-makekeyset.8,v 1.16.2.2.4.1 2004/03/06 07:41:39 marka Exp $
|
||||
.\"
|
||||
.TH "DNSSEC-MAKEKEYSET" "8" "June 30, 2000" "BIND9" ""
|
||||
.SH NAME
|
||||
dnssec-makekeyset \- DNSSEC zone signing tool
|
||||
.SH SYNOPSIS
|
||||
.sp
|
||||
\fBdnssec-makekeyset\fR [ \fB-a\fR ] [ \fB-s \fIstart-time\fB\fR ] [ \fB-e \fIend-time\fB\fR ] [ \fB-h\fR ] [ \fB-p\fR ] [ \fB-r \fIrandomdev\fB\fR ] [ \fB-t\fIttl\fB\fR ] [ \fB-v \fIlevel\fB\fR ] \fBkey\fR\fI...\fR
|
||||
.SH "DESCRIPTION"
|
||||
.PP
|
||||
\fBdnssec-makekeyset\fR generates a key set from one
|
||||
or more keys created by \fBdnssec-keygen\fR. It creates
|
||||
a file containing a KEY record for each key, and self-signs the key
|
||||
set with each zone key. The output file is of the form
|
||||
\fIkeyset-nnnn.\fR, where \fInnnn\fR
|
||||
is the zone name.
|
||||
.SH "OPTIONS"
|
||||
.TP
|
||||
\fB-a\fR
|
||||
Verify all generated signatures.
|
||||
.TP
|
||||
\fB-s \fIstart-time\fB\fR
|
||||
Specify the date and time when the generated SIG records
|
||||
become valid. This can be either an absolute or relative
|
||||
time. An absolute start time is indicated by a number
|
||||
in YYYYMMDDHHMMSS notation; 20000530144500 denotes
|
||||
14:45:00 UTC on May 30th, 2000. A relative start time is
|
||||
indicated by +N, which is N seconds from the current time.
|
||||
If no \fBstart-time\fR is specified, the current
|
||||
time is used.
|
||||
.TP
|
||||
\fB-e \fIend-time\fB\fR
|
||||
Specify the date and time when the generated SIG records
|
||||
expire. As with \fBstart-time\fR, an absolute
|
||||
time is indicated in YYYYMMDDHHMMSS notation. A time relative
|
||||
to the start time is indicated with +N, which is N seconds from
|
||||
the start time. A time relative to the current time is
|
||||
indicated with now+N. If no \fBend-time\fR is
|
||||
specified, 30 days from the start time is used as a default.
|
||||
.TP
|
||||
\fB-h\fR
|
||||
Prints a short summary of the options and arguments to
|
||||
\fBdnssec-makekeyset\fR.
|
||||
.TP
|
||||
\fB-p\fR
|
||||
Use pseudo-random data when signing the zone. This is faster,
|
||||
but less secure, than using real random data. This option
|
||||
may be useful when signing large zones or when the entropy
|
||||
source is limited.
|
||||
.TP
|
||||
\fB-r \fIrandomdev\fB\fR
|
||||
Specifies the source of randomness. If the operating
|
||||
system does not provide a \fI/dev/random\fR
|
||||
or equivalent device, the default source of randomness
|
||||
is keyboard input. \fIrandomdev\fR specifies
|
||||
the name of a character device or file containing random
|
||||
data to be used instead of the default. The special value
|
||||
\fIkeyboard\fR indicates that keyboard
|
||||
input should be used.
|
||||
.TP
|
||||
\fB-t \fIttl\fB\fR
|
||||
Specify the TTL (time to live) of the KEY and SIG records.
|
||||
The default is 3600 seconds.
|
||||
.TP
|
||||
\fB-v \fIlevel\fB\fR
|
||||
Sets the debugging level.
|
||||
.TP
|
||||
\fBkey\fR
|
||||
The list of keys to be included in the keyset file. These keys
|
||||
are expressed in the form \fIKnnnn.+aaa+iiiii\fR
|
||||
as generated by \fBdnssec-keygen\fR.
|
||||
.SH "EXAMPLE"
|
||||
.PP
|
||||
The following command generates a keyset containing the DSA key for
|
||||
\fBexample.com\fR generated in the
|
||||
\fBdnssec-keygen\fR man page.
|
||||
.PP
|
||||
\fBdnssec-makekeyset -t 86400 -s 20000701120000 -e +2592000 Kexample.com.+003+26160\fR
|
||||
.PP
|
||||
In this example, \fBdnssec-makekeyset\fR creates
|
||||
the file \fIkeyset-example.com.\fR. This file
|
||||
contains the specified key and a self-generated signature.
|
||||
.PP
|
||||
The DNS administrator for \fBexample.com\fR could
|
||||
send \fIkeyset-example.com.\fR to the DNS
|
||||
administrator for \fB.com\fR for signing, if the
|
||||
\&.com zone is DNSSEC-aware and the administrators of the two zones
|
||||
have some mechanism for authenticating each other and exchanging
|
||||
the keys and signatures securely.
|
||||
.SH "SEE ALSO"
|
||||
.PP
|
||||
\fBdnssec-keygen\fR(8),
|
||||
\fBdnssec-signkey\fR(8),
|
||||
\fIBIND 9 Administrator Reference Manual\fR,
|
||||
\fIRFC 2535\fR.
|
||||
.SH "AUTHOR"
|
||||
.PP
|
||||
Internet Software Consortium
|
@ -1,401 +0,0 @@
|
||||
/*
|
||||
* Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
|
||||
* Portions Copyright (C) 2000-2003 Internet Software Consortium.
|
||||
* Portions Copyright (C) 1995-2000 by Network Associates, Inc.
|
||||
*
|
||||
* Permission to use, copy, modify, and distribute this software for any
|
||||
* purpose with or without fee is hereby granted, provided that the above
|
||||
* copyright notice and this permission notice appear in all copies.
|
||||
*
|
||||
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
|
||||
* ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
|
||||
* WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE
|
||||
* FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
||||
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
||||
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
|
||||
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||
*/
|
||||
|
||||
/* $Id: dnssec-makekeyset.c,v 1.52.2.1.10.7 2004/08/28 06:25:27 marka Exp $ */
|
||||
|
||||
#include <config.h>
|
||||
|
||||
#include <stdlib.h>
|
||||
|
||||
#include <isc/commandline.h>
|
||||
#include <isc/entropy.h>
|
||||
#include <isc/mem.h>
|
||||
#include <isc/print.h>
|
||||
#include <isc/string.h>
|
||||
#include <isc/util.h>
|
||||
|
||||
#include <dns/db.h>
|
||||
#include <dns/diff.h>
|
||||
#include <dns/dnssec.h>
|
||||
#include <dns/fixedname.h>
|
||||
#include <dns/log.h>
|
||||
#include <dns/rdata.h>
|
||||
#include <dns/rdataset.h>
|
||||
#include <dns/result.h>
|
||||
#include <dns/secalg.h>
|
||||
#include <dns/time.h>
|
||||
|
||||
#include <dst/dst.h>
|
||||
|
||||
#include "dnssectool.h"
|
||||
|
||||
const char *program = "dnssec-makekeyset";
|
||||
int verbose;
|
||||
|
||||
typedef struct keynode keynode_t;
|
||||
struct keynode {
|
||||
dst_key_t *key;
|
||||
ISC_LINK(keynode_t) link;
|
||||
};
|
||||
typedef ISC_LIST(keynode_t) keylist_t;
|
||||
|
||||
static isc_stdtime_t starttime = 0, endtime = 0, now;
|
||||
static int ttl = -1;
|
||||
|
||||
static isc_mem_t *mctx = NULL;
|
||||
static isc_entropy_t *ectx = NULL;
|
||||
|
||||
static keylist_t keylist;
|
||||
|
||||
static void
|
||||
usage(void) {
|
||||
fprintf(stderr, "Usage:\n");
|
||||
fprintf(stderr, "\t%s [options] keys\n", program);
|
||||
|
||||
fprintf(stderr, "\n");
|
||||
|
||||
fprintf(stderr, "Version: %s\n", VERSION);
|
||||
|
||||
fprintf(stderr, "Options: (default value in parenthesis) \n");
|
||||
fprintf(stderr, "\t-a\n");
|
||||
fprintf(stderr, "\t\tverify generated signatures\n");
|
||||
fprintf(stderr, "\t-s YYYYMMDDHHMMSS|+offset:\n");
|
||||
fprintf(stderr, "\t\tSIG start time - absolute|offset (now)\n");
|
||||
fprintf(stderr, "\t-e YYYYMMDDHHMMSS|+offset|\"now\"+offset]:\n");
|
||||
fprintf(stderr, "\t\tSIG end time - "
|
||||
"absolute|from start|from now (now + 30 days)\n");
|
||||
fprintf(stderr, "\t-t ttl\n");
|
||||
fprintf(stderr, "\t-p\n");
|
||||
fprintf(stderr, "\t\tuse pseudorandom data (faster but less secure)\n");
|
||||
fprintf(stderr, "\t-r randomdev:\n");
|
||||
fprintf(stderr, "\t\ta file containing random data\n");
|
||||
fprintf(stderr, "\t-v level:\n");
|
||||
fprintf(stderr, "\t\tverbose level (0)\n");
|
||||
|
||||
fprintf(stderr, "\n");
|
||||
|
||||
fprintf(stderr, "keys:\n");
|
||||
fprintf(stderr, "\tkeyfile (Kname+alg+tag)\n");
|
||||
|
||||
fprintf(stderr, "\n");
|
||||
|
||||
fprintf(stderr, "Output:\n");
|
||||
fprintf(stderr, "\tkeyset (keyset-<name>)\n");
|
||||
exit(0);
|
||||
}
|
||||
|
||||
static isc_boolean_t
|
||||
zonekey_on_list(dst_key_t *key) {
|
||||
keynode_t *keynode;
|
||||
for (keynode = ISC_LIST_HEAD(keylist);
|
||||
keynode != NULL;
|
||||
keynode = ISC_LIST_NEXT(keynode, link))
|
||||
{
|
||||
if (dst_key_compare(keynode->key, key))
|
||||
return (ISC_TRUE);
|
||||
}
|
||||
return (ISC_FALSE);
|
||||
}
|
||||
|
||||
int
|
||||
main(int argc, char *argv[]) {
|
||||
int i, ch;
|
||||
char *startstr = NULL, *endstr = NULL;
|
||||
dns_fixedname_t fdomain;
|
||||
dns_name_t *domain = NULL;
|
||||
char *output = NULL;
|
||||
char *endp;
|
||||
unsigned char data[65536];
|
||||
dns_db_t *db;
|
||||
dns_dbversion_t *version;
|
||||
dns_diff_t diff;
|
||||
dns_difftuple_t *tuple;
|
||||
dns_fixedname_t tname;
|
||||
dst_key_t *key = NULL;
|
||||
dns_rdata_t rdata = DNS_RDATA_INIT;
|
||||
dns_rdataset_t rdataset;
|
||||
dns_rdataclass_t rdclass;
|
||||
isc_result_t result;
|
||||
isc_buffer_t b;
|
||||
isc_region_t r;
|
||||
isc_log_t *log = NULL;
|
||||
keynode_t *keynode;
|
||||
unsigned int eflags;
|
||||
isc_boolean_t pseudorandom = ISC_FALSE;
|
||||
isc_boolean_t tryverify = ISC_FALSE;
|
||||
|
||||
result = isc_mem_create(0, 0, &mctx);
|
||||
if (result != ISC_R_SUCCESS)
|
||||
fatal("failed to create memory context: %s",
|
||||
isc_result_totext(result));
|
||||
|
||||
dns_result_register();
|
||||
|
||||
while ((ch = isc_commandline_parse(argc, argv, "as:e:t:r:v:ph")) != -1)
|
||||
{
|
||||
switch (ch) {
|
||||
case 'a':
|
||||
tryverify = ISC_TRUE;
|
||||
break;
|
||||
case 's':
|
||||
startstr = isc_commandline_argument;
|
||||
break;
|
||||
|
||||
case 'e':
|
||||
endstr = isc_commandline_argument;
|
||||
break;
|
||||
|
||||
case 't':
|
||||
endp = NULL;
|
||||
ttl = strtol(isc_commandline_argument, &endp, 0);
|
||||
if (*endp != '\0')
|
||||
fatal("TTL must be numeric");
|
||||
break;
|
||||
|
||||
case 'r':
|
||||
setup_entropy(mctx, isc_commandline_argument, &ectx);
|
||||
break;
|
||||
|
||||
case 'v':
|
||||
endp = NULL;
|
||||
verbose = strtol(isc_commandline_argument, &endp, 0);
|
||||
if (*endp != '\0')
|
||||
fatal("verbose level must be numeric");
|
||||
break;
|
||||
|
||||
case 'p':
|
||||
pseudorandom = ISC_TRUE;
|
||||
break;
|
||||
|
||||
case 'h':
|
||||
default:
|
||||
usage();
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
argc -= isc_commandline_index;
|
||||
argv += isc_commandline_index;
|
||||
|
||||
if (argc < 1)
|
||||
usage();
|
||||
|
||||
if (ectx == NULL)
|
||||
setup_entropy(mctx, NULL, &ectx);
|
||||
eflags = ISC_ENTROPY_BLOCKING;
|
||||
if (!pseudorandom)
|
||||
eflags |= ISC_ENTROPY_GOODONLY;
|
||||
result = dst_lib_init(mctx, ectx, eflags);
|
||||
if (result != ISC_R_SUCCESS)
|
||||
fatal("could not initialize dst: %s",
|
||||
isc_result_totext(result));
|
||||
|
||||
isc_stdtime_get(&now);
|
||||
|
||||
if (startstr != NULL)
|
||||
starttime = strtotime(startstr, now, now);
|
||||
else
|
||||
starttime = now;
|
||||
|
||||
if (endstr != NULL)
|
||||
endtime = strtotime(endstr, now, starttime);
|
||||
else
|
||||
endtime = starttime + (30 * 24 * 60 * 60);
|
||||
|
||||
if (ttl == -1) {
|
||||
ttl = 3600;
|
||||
fprintf(stderr, "%s: TTL not specified, assuming 3600\n",
|
||||
program);
|
||||
}
|
||||
|
||||
setup_logging(verbose, mctx, &log);
|
||||
|
||||
dns_diff_init(mctx, &diff);
|
||||
rdclass = 0;
|
||||
|
||||
ISC_LIST_INIT(keylist);
|
||||
|
||||
for (i = 0; i < argc; i++) {
|
||||
char namestr[DNS_NAME_FORMATSIZE];
|
||||
isc_buffer_t namebuf;
|
||||
|
||||
key = NULL;
|
||||
result = dst_key_fromnamedfile(argv[i], DST_TYPE_PUBLIC,
|
||||
mctx, &key);
|
||||
if (result != ISC_R_SUCCESS)
|
||||
fatal("error loading key from %s: %s", argv[i],
|
||||
isc_result_totext(result));
|
||||
if (rdclass == 0)
|
||||
rdclass = dst_key_class(key);
|
||||
|
||||
isc_buffer_init(&namebuf, namestr, sizeof(namestr));
|
||||
result = dns_name_tofilenametext(dst_key_name(key),
|
||||
ISC_FALSE,
|
||||
&namebuf);
|
||||
check_result(result, "dns_name_tofilenametext");
|
||||
isc_buffer_putuint8(&namebuf, 0);
|
||||
|
||||
if (domain == NULL) {
|
||||
dns_fixedname_init(&fdomain);
|
||||
domain = dns_fixedname_name(&fdomain);
|
||||
dns_name_copy(dst_key_name(key), domain, NULL);
|
||||
} else if (!dns_name_equal(domain, dst_key_name(key))) {
|
||||
char str[DNS_NAME_FORMATSIZE];
|
||||
dns_name_format(domain, str, sizeof(str));
|
||||
fatal("all keys must have the same owner - %s "
|
||||
"and %s do not match", str, namestr);
|
||||
}
|
||||
|
||||
if (output == NULL) {
|
||||
output = isc_mem_allocate(mctx,
|
||||
strlen("keyset-") +
|
||||
strlen(namestr) + 1);
|
||||
if (output == NULL)
|
||||
fatal("out of memory");
|
||||
sprintf(output, "keyset-%s", namestr);
|
||||
}
|
||||
|
||||
if (dst_key_iszonekey(key)) {
|
||||
dst_key_t *zonekey = NULL;
|
||||
result = dst_key_fromnamedfile(argv[i],
|
||||
DST_TYPE_PUBLIC |
|
||||
DST_TYPE_PRIVATE,
|
||||
mctx, &zonekey);
|
||||
if (result != ISC_R_SUCCESS)
|
||||
fatal("failed to read private key %s: %s",
|
||||
argv[i], isc_result_totext(result));
|
||||
if (!zonekey_on_list(zonekey)) {
|
||||
keynode = isc_mem_get(mctx, sizeof(keynode_t));
|
||||
if (keynode == NULL)
|
||||
fatal("out of memory");
|
||||
keynode->key = zonekey;
|
||||
ISC_LIST_INITANDAPPEND(keylist, keynode, link);
|
||||
} else
|
||||
dst_key_free(&zonekey);
|
||||
}
|
||||
dns_rdata_reset(&rdata);
|
||||
isc_buffer_init(&b, data, sizeof(data));
|
||||
result = dst_key_todns(key, &b);
|
||||
dst_key_free(&key);
|
||||
if (result != ISC_R_SUCCESS)
|
||||
fatal("failed to convert key %s to a DNS KEY: %s",
|
||||
argv[i], isc_result_totext(result));
|
||||
isc_buffer_usedregion(&b, &r);
|
||||
dns_rdata_fromregion(&rdata, rdclass, dns_rdatatype_dnskey, &r);
|
||||
tuple = NULL;
|
||||
result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD,
|
||||
domain, ttl, &rdata, &tuple);
|
||||
check_result(result, "dns_difftuple_create");
|
||||
dns_diff_append(&diff, &tuple);
|
||||
}
|
||||
|
||||
db = NULL;
|
||||
result = dns_db_create(mctx, "rbt", dns_rootname, dns_dbtype_zone,
|
||||
rdclass, 0, NULL, &db);
|
||||
if (result != ISC_R_SUCCESS)
|
||||
fatal("failed to create a database");
|
||||
|
||||
version = NULL;
|
||||
dns_db_newversion(db, &version);
|
||||
|
||||
result = dns_diff_apply(&diff, db, version);
|
||||
check_result(result, "dns_diff_apply");
|
||||
dns_diff_clear(&diff);
|
||||
|
||||
dns_fixedname_init(&tname);
|
||||
dns_rdataset_init(&rdataset);
|
||||
result = dns_db_find(db, domain, version, dns_rdatatype_dnskey, 0, 0,
|
||||
NULL, dns_fixedname_name(&tname), &rdataset,
|
||||
NULL);
|
||||
check_result(result, "dns_db_find");
|
||||
|
||||
if (ISC_LIST_EMPTY(keylist))
|
||||
fprintf(stderr,
|
||||
"%s: no private zone key found; not self-signing\n",
|
||||
program);
|
||||
for (keynode = ISC_LIST_HEAD(keylist);
|
||||
keynode != NULL;
|
||||
keynode = ISC_LIST_NEXT(keynode, link))
|
||||
{
|
||||
dns_rdata_reset(&rdata);
|
||||
isc_buffer_init(&b, data, sizeof(data));
|
||||
result = dns_dnssec_sign(domain, &rdataset, keynode->key,
|
||||
&starttime, &endtime, mctx, &b,
|
||||
&rdata);
|
||||
isc_entropy_stopcallbacksources(ectx);
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
char keystr[KEY_FORMATSIZE];
|
||||
key_format(keynode->key, keystr, sizeof(keystr));
|
||||
fatal("failed to sign keyset with key %s: %s",
|
||||
keystr, isc_result_totext(result));
|
||||
}
|
||||
if (tryverify) {
|
||||
result = dns_dnssec_verify(domain, &rdataset,
|
||||
keynode->key, ISC_TRUE,
|
||||
mctx, &rdata);
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
char keystr[KEY_FORMATSIZE];
|
||||
key_format(keynode->key, keystr, sizeof(keystr));
|
||||
fatal("signature from key '%s' failed to "
|
||||
"verify: %s",
|
||||
keystr, isc_result_totext(result));
|
||||
}
|
||||
}
|
||||
tuple = NULL;
|
||||
result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD,
|
||||
domain, ttl, &rdata, &tuple);
|
||||
check_result(result, "dns_difftuple_create");
|
||||
dns_diff_append(&diff, &tuple);
|
||||
}
|
||||
|
||||
result = dns_diff_apply(&diff, db, version);
|
||||
check_result(result, "dns_diff_apply");
|
||||
dns_diff_clear(&diff);
|
||||
|
||||
dns_rdataset_disassociate(&rdataset);
|
||||
|
||||
dns_db_closeversion(db, &version, ISC_TRUE);
|
||||
result = dns_db_dump(db, version, output);
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
char domainstr[DNS_NAME_FORMATSIZE];
|
||||
dns_name_format(domain, domainstr, sizeof(domainstr));
|
||||
fatal("failed to write database for %s to %s",
|
||||
domainstr, output);
|
||||
}
|
||||
|
||||
printf("%s\n", output);
|
||||
|
||||
dns_db_detach(&db);
|
||||
|
||||
while (!ISC_LIST_EMPTY(keylist)) {
|
||||
keynode = ISC_LIST_HEAD(keylist);
|
||||
ISC_LIST_UNLINK(keylist, keynode, link);
|
||||
dst_key_free(&keynode->key);
|
||||
isc_mem_put(mctx, keynode, sizeof(keynode_t));
|
||||
}
|
||||
|
||||
cleanup_logging(&log);
|
||||
cleanup_entropy(&ectx);
|
||||
|
||||
isc_mem_free(mctx, output);
|
||||
dst_lib_destroy();
|
||||
if (verbose > 10)
|
||||
isc_mem_stats(mctx, stdout);
|
||||
isc_mem_destroy(&mctx);
|
||||
return (0);
|
||||
}
|
@ -1,233 +0,0 @@
|
||||
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
|
||||
<!--
|
||||
- Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
|
||||
- Copyright (C) 2001, 2003 Internet Software Consortium.
|
||||
-
|
||||
- Permission to use, copy, modify, and distribute this software for any
|
||||
- purpose with or without fee is hereby granted, provided that the above
|
||||
- copyright notice and this permission notice appear in all copies.
|
||||
-
|
||||
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
|
||||
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
|
||||
- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
|
||||
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
|
||||
- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
|
||||
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
||||
- PERFORMANCE OF THIS SOFTWARE.
|
||||
-->
|
||||
|
||||
<!-- $Id: dnssec-makekeyset.docbook,v 1.2.2.3.4.2 2004/06/03 02:24:55 marka Exp $ -->
|
||||
|
||||
<refentry>
|
||||
<refentryinfo>
|
||||
<date>June 30, 2000</date>
|
||||
</refentryinfo>
|
||||
|
||||
<refmeta>
|
||||
<refentrytitle><application>dnssec-makekeyset</application></refentrytitle>
|
||||
<manvolnum>8</manvolnum>
|
||||
<refmiscinfo>BIND9</refmiscinfo>
|
||||
</refmeta>
|
||||
|
||||
<refnamediv>
|
||||
<refname><application>dnssec-makekeyset</application></refname>
|
||||
<refpurpose>DNSSEC zone signing tool</refpurpose>
|
||||
</refnamediv>
|
||||
|
||||
<refsynopsisdiv>
|
||||
<cmdsynopsis>
|
||||
<command>dnssec-makekeyset</command>
|
||||
<arg><option>-a</option></arg>
|
||||
<arg><option>-s <replaceable class="parameter">start-time</replaceable></option></arg>
|
||||
<arg><option>-e <replaceable class="parameter">end-time</replaceable></option></arg>
|
||||
<arg><option>-h</option></arg>
|
||||
<arg><option>-p</option></arg>
|
||||
<arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>
|
||||
<arg><option>-t</option><replaceable class="parameter">ttl</replaceable></arg>
|
||||
<arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
|
||||
<arg choice="req" rep="repeat">key</arg>
|
||||
</cmdsynopsis>
|
||||
</refsynopsisdiv>
|
||||
|
||||
<refsect1>
|
||||
<title>DESCRIPTION</title>
|
||||
<para>
|
||||
<command>dnssec-makekeyset</command> generates a key set from one
|
||||
or more keys created by <command>dnssec-keygen</command>. It creates
|
||||
a file containing a KEY record for each key, and self-signs the key
|
||||
set with each zone key. The output file is of the form
|
||||
<filename>keyset-nnnn.</filename>, where <filename>nnnn</filename>
|
||||
is the zone name.
|
||||
</para>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title>OPTIONS</title>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term>-a</term>
|
||||
<listitem>
|
||||
<para>
|
||||
Verify all generated signatures.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-s <replaceable class="parameter">start-time</replaceable></term>
|
||||
<listitem>
|
||||
<para>
|
||||
Specify the date and time when the generated SIG records
|
||||
become valid. This can be either an absolute or relative
|
||||
time. An absolute start time is indicated by a number
|
||||
in YYYYMMDDHHMMSS notation; 20000530144500 denotes
|
||||
14:45:00 UTC on May 30th, 2000. A relative start time is
|
||||
indicated by +N, which is N seconds from the current time.
|
||||
If no <option>start-time</option> is specified, the current
|
||||
time is used.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-e <replaceable class="parameter">end-time</replaceable></term>
|
||||
<listitem>
|
||||
<para>
|
||||
Specify the date and time when the generated SIG records
|
||||
expire. As with <option>start-time</option>, an absolute
|
||||
time is indicated in YYYYMMDDHHMMSS notation. A time relative
|
||||
to the start time is indicated with +N, which is N seconds from
|
||||
the start time. A time relative to the current time is
|
||||
indicated with now+N. If no <option>end-time</option> is
|
||||
specified, 30 days from the start time is used as a default.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-h</term>
|
||||
<listitem>
|
||||
<para>
|
||||
Prints a short summary of the options and arguments to
|
||||
<command>dnssec-makekeyset</command>.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-p</term>
|
||||
<listitem>
|
||||
<para>
|
||||
Use pseudo-random data when signing the zone. This is faster,
|
||||
but less secure, than using real random data. This option
|
||||
may be useful when signing large zones or when the entropy
|
||||
source is limited.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-r <replaceable class="parameter">randomdev</replaceable></term>
|
||||
<listitem>
|
||||
<para>
|
||||
Specifies the source of randomness. If the operating
|
||||
system does not provide a <filename>/dev/random</filename>
|
||||
or equivalent device, the default source of randomness
|
||||
is keyboard input. <filename>randomdev</filename> specifies
|
||||
the name of a character device or file containing random
|
||||
data to be used instead of the default. The special value
|
||||
<filename>keyboard</filename> indicates that keyboard
|
||||
input should be used.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-t <replaceable class="parameter">ttl</replaceable></term>
|
||||
<listitem>
|
||||
<para>
|
||||
Specify the TTL (time to live) of the KEY and SIG records.
|
||||
The default is 3600 seconds.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-v <replaceable class="parameter">level</replaceable></term>
|
||||
<listitem>
|
||||
<para>
|
||||
Sets the debugging level.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>key</term>
|
||||
<listitem>
|
||||
<para>
|
||||
The list of keys to be included in the keyset file. These keys
|
||||
are expressed in the form <filename>Knnnn.+aaa+iiiii</filename>
|
||||
as generated by <command>dnssec-keygen</command>.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
</variablelist>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title>EXAMPLE</title>
|
||||
<para>
|
||||
The following command generates a keyset containing the DSA key for
|
||||
<userinput>example.com</userinput> generated in the
|
||||
<command>dnssec-keygen</command> man page.
|
||||
</para>
|
||||
<para>
|
||||
<userinput>dnssec-makekeyset -t 86400 -s 20000701120000 -e +2592000 Kexample.com.+003+26160</userinput>
|
||||
</para>
|
||||
<para>
|
||||
In this example, <command>dnssec-makekeyset</command> creates
|
||||
the file <filename>keyset-example.com.</filename>. This file
|
||||
contains the specified key and a self-generated signature.
|
||||
</para>
|
||||
<para>
|
||||
The DNS administrator for <userinput>example.com</userinput> could
|
||||
send <filename>keyset-example.com.</filename> to the DNS
|
||||
administrator for <userinput>.com</userinput> for signing, if the
|
||||
.com zone is DNSSEC-aware and the administrators of the two zones
|
||||
have some mechanism for authenticating each other and exchanging
|
||||
the keys and signatures securely.
|
||||
</para>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title>SEE ALSO</title>
|
||||
<para>
|
||||
<citerefentry>
|
||||
<refentrytitle>dnssec-keygen</refentrytitle>
|
||||
<manvolnum>8</manvolnum>
|
||||
</citerefentry>,
|
||||
<citerefentry>
|
||||
<refentrytitle>dnssec-signkey</refentrytitle>
|
||||
<manvolnum>8</manvolnum>
|
||||
</citerefentry>,
|
||||
<citetitle>BIND 9 Administrator Reference Manual</citetitle>,
|
||||
<citetitle>RFC 2535</citetitle>.
|
||||
</para>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title>AUTHOR</title>
|
||||
<para>
|
||||
<corpauthor>Internet Systems Consortium</corpauthor>
|
||||
</para>
|
||||
</refsect1>
|
||||
|
||||
</refentry>
|
||||
|
||||
<!--
|
||||
- Local variables:
|
||||
- mode: sgml
|
||||
- End:
|
||||
-->
|
@ -1,407 +0,0 @@
|
||||
<!--
|
||||
- Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
|
||||
- Copyright (C) 2001, 2003 Internet Software Consortium.
|
||||
-
|
||||
- Permission to use, copy, modify, and distribute this software for any
|
||||
- purpose with or without fee is hereby granted, provided that the above
|
||||
- copyright notice and this permission notice appear in all copies.
|
||||
-
|
||||
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
|
||||
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
|
||||
- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
|
||||
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
|
||||
- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
|
||||
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
||||
- PERFORMANCE OF THIS SOFTWARE.
|
||||
-->
|
||||
|
||||
<!-- $Id: dnssec-makekeyset.html,v 1.4.2.2.4.1 2004/03/06 10:21:15 marka Exp $ -->
|
||||
|
||||
<HTML
|
||||
><HEAD
|
||||
><TITLE
|
||||
>dnssec-makekeyset</TITLE
|
||||
><META
|
||||
NAME="GENERATOR"
|
||||
CONTENT="Modular DocBook HTML Stylesheet Version 1.73
|
||||
"></HEAD
|
||||
><BODY
|
||||
CLASS="REFENTRY"
|
||||
BGCOLOR="#FFFFFF"
|
||||
TEXT="#000000"
|
||||
LINK="#0000FF"
|
||||
VLINK="#840084"
|
||||
ALINK="#0000FF"
|
||||
><H1
|
||||
><A
|
||||
NAME="AEN1"
|
||||
><SPAN
|
||||
CLASS="APPLICATION"
|
||||
>dnssec-makekeyset</SPAN
|
||||
></A
|
||||
></H1
|
||||
><DIV
|
||||
CLASS="REFNAMEDIV"
|
||||
><A
|
||||
NAME="AEN9"
|
||||
></A
|
||||
><H2
|
||||
>Name</H2
|
||||
><SPAN
|
||||
CLASS="APPLICATION"
|
||||
>dnssec-makekeyset</SPAN
|
||||
> -- DNSSEC zone signing tool</DIV
|
||||
><DIV
|
||||
CLASS="REFSYNOPSISDIV"
|
||||
><A
|
||||
NAME="AEN13"
|
||||
></A
|
||||
><H2
|
||||
>Synopsis</H2
|
||||
><P
|
||||
><B
|
||||
CLASS="COMMAND"
|
||||
>dnssec-makekeyset</B
|
||||
> [<TT
|
||||
CLASS="OPTION"
|
||||
>-a</TT
|
||||
>] [<TT
|
||||
CLASS="OPTION"
|
||||
>-s <TT
|
||||
CLASS="REPLACEABLE"
|
||||
><I
|
||||
>start-time</I
|
||||
></TT
|
||||
></TT
|
||||
>] [<TT
|
||||
CLASS="OPTION"
|
||||
>-e <TT
|
||||
CLASS="REPLACEABLE"
|
||||
><I
|
||||
>end-time</I
|
||||
></TT
|
||||
></TT
|
||||
>] [<TT
|
||||
CLASS="OPTION"
|
||||
>-h</TT
|
||||
>] [<TT
|
||||
CLASS="OPTION"
|
||||
>-p</TT
|
||||
>] [<TT
|
||||
CLASS="OPTION"
|
||||
>-r <TT
|
||||
CLASS="REPLACEABLE"
|
||||
><I
|
||||
>randomdev</I
|
||||
></TT
|
||||
></TT
|
||||
>] [<TT
|
||||
CLASS="OPTION"
|
||||
>-t</TT
|
||||
><TT
|
||||
CLASS="REPLACEABLE"
|
||||
><I
|
||||
>ttl</I
|
||||
></TT
|
||||
>] [<TT
|
||||
CLASS="OPTION"
|
||||
>-v <TT
|
||||
CLASS="REPLACEABLE"
|
||||
><I
|
||||
>level</I
|
||||
></TT
|
||||
></TT
|
||||
>] {key...}</P
|
||||
></DIV
|
||||
><DIV
|
||||
CLASS="REFSECT1"
|
||||
><A
|
||||
NAME="AEN38"
|
||||
></A
|
||||
><H2
|
||||
>DESCRIPTION</H2
|
||||
><P
|
||||
> <B
|
||||
CLASS="COMMAND"
|
||||
>dnssec-makekeyset</B
|
||||
> generates a key set from one
|
||||
or more keys created by <B
|
||||
CLASS="COMMAND"
|
||||
>dnssec-keygen</B
|
||||
>. It creates
|
||||
a file containing a KEY record for each key, and self-signs the key
|
||||
set with each zone key. The output file is of the form
|
||||
<TT
|
||||
CLASS="FILENAME"
|
||||
>keyset-nnnn.</TT
|
||||
>, where <TT
|
||||
CLASS="FILENAME"
|
||||
>nnnn</TT
|
||||
>
|
||||
is the zone name.
|
||||
</P
|
||||
></DIV
|
||||
><DIV
|
||||
CLASS="REFSECT1"
|
||||
><A
|
||||
NAME="AEN45"
|
||||
></A
|
||||
><H2
|
||||
>OPTIONS</H2
|
||||
><P
|
||||
></P
|
||||
><DIV
|
||||
CLASS="VARIABLELIST"
|
||||
><DL
|
||||
><DT
|
||||
>-a</DT
|
||||
><DD
|
||||
><P
|
||||
> Verify all generated signatures.
|
||||
</P
|
||||
></DD
|
||||
><DT
|
||||
>-s <TT
|
||||
CLASS="REPLACEABLE"
|
||||
><I
|
||||
>start-time</I
|
||||
></TT
|
||||
></DT
|
||||
><DD
|
||||
><P
|
||||
> Specify the date and time when the generated SIG records
|
||||
become valid. This can be either an absolute or relative
|
||||
time. An absolute start time is indicated by a number
|
||||
in YYYYMMDDHHMMSS notation; 20000530144500 denotes
|
||||
14:45:00 UTC on May 30th, 2000. A relative start time is
|
||||
indicated by +N, which is N seconds from the current time.
|
||||
If no <TT
|
||||
CLASS="OPTION"
|
||||
>start-time</TT
|
||||
> is specified, the current
|
||||
time is used.
|
||||
</P
|
||||
></DD
|
||||
><DT
|
||||
>-e <TT
|
||||
CLASS="REPLACEABLE"
|
||||
><I
|
||||
>end-time</I
|
||||
></TT
|
||||
></DT
|
||||
><DD
|
||||
><P
|
||||
> Specify the date and time when the generated SIG records
|
||||
expire. As with <TT
|
||||
CLASS="OPTION"
|
||||
>start-time</TT
|
||||
>, an absolute
|
||||
time is indicated in YYYYMMDDHHMMSS notation. A time relative
|
||||
to the start time is indicated with +N, which is N seconds from
|
||||
the start time. A time relative to the current time is
|
||||
indicated with now+N. If no <TT
|
||||
CLASS="OPTION"
|
||||
>end-time</TT
|
||||
> is
|
||||
specified, 30 days from the start time is used as a default.
|
||||
</P
|
||||
></DD
|
||||
><DT
|
||||
>-h</DT
|
||||
><DD
|
||||
><P
|
||||
> Prints a short summary of the options and arguments to
|
||||
<B
|
||||
CLASS="COMMAND"
|
||||
>dnssec-makekeyset</B
|
||||
>.
|
||||
</P
|
||||
></DD
|
||||
><DT
|
||||
>-p</DT
|
||||
><DD
|
||||
><P
|
||||
> Use pseudo-random data when signing the zone. This is faster,
|
||||
but less secure, than using real random data. This option
|
||||
may be useful when signing large zones or when the entropy
|
||||
source is limited.
|
||||
</P
|
||||
></DD
|
||||
><DT
|
||||
>-r <TT
|
||||
CLASS="REPLACEABLE"
|
||||
><I
|
||||
>randomdev</I
|
||||
></TT
|
||||
></DT
|
||||
><DD
|
||||
><P
|
||||
> Specifies the source of randomness. If the operating
|
||||
system does not provide a <TT
|
||||
CLASS="FILENAME"
|
||||
>/dev/random</TT
|
||||
>
|
||||
or equivalent device, the default source of randomness
|
||||
is keyboard input. <TT
|
||||
CLASS="FILENAME"
|
||||
>randomdev</TT
|
||||
> specifies
|
||||
the name of a character device or file containing random
|
||||
data to be used instead of the default. The special value
|
||||
<TT
|
||||
CLASS="FILENAME"
|
||||
>keyboard</TT
|
||||
> indicates that keyboard
|
||||
input should be used.
|
||||
</P
|
||||
></DD
|
||||
><DT
|
||||
>-t <TT
|
||||
CLASS="REPLACEABLE"
|
||||
><I
|
||||
>ttl</I
|
||||
></TT
|
||||
></DT
|
||||
><DD
|
||||
><P
|
||||
> Specify the TTL (time to live) of the KEY and SIG records.
|
||||
The default is 3600 seconds.
|
||||
</P
|
||||
></DD
|
||||
><DT
|
||||
>-v <TT
|
||||
CLASS="REPLACEABLE"
|
||||
><I
|
||||
>level</I
|
||||
></TT
|
||||
></DT
|
||||
><DD
|
||||
><P
|
||||
> Sets the debugging level.
|
||||
</P
|
||||
></DD
|
||||
><DT
|
||||
>key</DT
|
||||
><DD
|
||||
><P
|
||||
> The list of keys to be included in the keyset file. These keys
|
||||
are expressed in the form <TT
|
||||
CLASS="FILENAME"
|
||||
>Knnnn.+aaa+iiiii</TT
|
||||
>
|
||||
as generated by <B
|
||||
CLASS="COMMAND"
|
||||
>dnssec-keygen</B
|
||||
>.
|
||||
</P
|
||||
></DD
|
||||
></DL
|
||||
></DIV
|
||||
></DIV
|
||||
><DIV
|
||||
CLASS="REFSECT1"
|
||||
><A
|
||||
NAME="AEN98"
|
||||
></A
|
||||
><H2
|
||||
>EXAMPLE</H2
|
||||
><P
|
||||
> The following command generates a keyset containing the DSA key for
|
||||
<TT
|
||||
CLASS="USERINPUT"
|
||||
><B
|
||||
>example.com</B
|
||||
></TT
|
||||
> generated in the
|
||||
<B
|
||||
CLASS="COMMAND"
|
||||
>dnssec-keygen</B
|
||||
> man page.
|
||||
</P
|
||||
><P
|
||||
> <TT
|
||||
CLASS="USERINPUT"
|
||||
><B
|
||||
>dnssec-makekeyset -t 86400 -s 20000701120000 -e +2592000 Kexample.com.+003+26160</B
|
||||
></TT
|
||||
>
|
||||
</P
|
||||
><P
|
||||
> In this example, <B
|
||||
CLASS="COMMAND"
|
||||
>dnssec-makekeyset</B
|
||||
> creates
|
||||
the file <TT
|
||||
CLASS="FILENAME"
|
||||
>keyset-example.com.</TT
|
||||
>. This file
|
||||
contains the specified key and a self-generated signature.
|
||||
</P
|
||||
><P
|
||||
> The DNS administrator for <TT
|
||||
CLASS="USERINPUT"
|
||||
><B
|
||||
>example.com</B
|
||||
></TT
|
||||
> could
|
||||
send <TT
|
||||
CLASS="FILENAME"
|
||||
>keyset-example.com.</TT
|
||||
> to the DNS
|
||||
administrator for <TT
|
||||
CLASS="USERINPUT"
|
||||
><B
|
||||
>.com</B
|
||||
></TT
|
||||
> for signing, if the
|
||||
.com zone is DNSSEC-aware and the administrators of the two zones
|
||||
have some mechanism for authenticating each other and exchanging
|
||||
the keys and signatures securely.
|
||||
</P
|
||||
></DIV
|
||||
><DIV
|
||||
CLASS="REFSECT1"
|
||||
><A
|
||||
NAME="AEN112"
|
||||
></A
|
||||
><H2
|
||||
>SEE ALSO</H2
|
||||
><P
|
||||
> <SPAN
|
||||
CLASS="CITEREFENTRY"
|
||||
><SPAN
|
||||
CLASS="REFENTRYTITLE"
|
||||
>dnssec-keygen</SPAN
|
||||
>(8)</SPAN
|
||||
>,
|
||||
<SPAN
|
||||
CLASS="CITEREFENTRY"
|
||||
><SPAN
|
||||
CLASS="REFENTRYTITLE"
|
||||
>dnssec-signkey</SPAN
|
||||
>(8)</SPAN
|
||||
>,
|
||||
<I
|
||||
CLASS="CITETITLE"
|
||||
>BIND 9 Administrator Reference Manual</I
|
||||
>,
|
||||
<I
|
||||
CLASS="CITETITLE"
|
||||
>RFC 2535</I
|
||||
>.
|
||||
</P
|
||||
></DIV
|
||||
><DIV
|
||||
CLASS="REFSECT1"
|
||||
><A
|
||||
NAME="AEN123"
|
||||
></A
|
||||
><H2
|
||||
>AUTHOR</H2
|
||||
><P
|
||||
> Internet Software Consortium
|
||||
</P
|
||||
></DIV
|
||||
></BODY
|
||||
></HTML
|
||||
>
|
@ -1,108 +0,0 @@
|
||||
.\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
|
||||
.\" Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
|
||||
.\"
|
||||
.\" Permission to use, copy, modify, and distribute this software for any
|
||||
.\" purpose with or without fee is hereby granted, provided that the above
|
||||
.\" copyright notice and this permission notice appear in all copies.
|
||||
.\"
|
||||
.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
|
||||
.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
|
||||
.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
|
||||
.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
|
||||
.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
|
||||
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
||||
.\" PERFORMANCE OF THIS SOFTWARE.
|
||||
.\"
|
||||
.\" $Id: dnssec-signkey.8,v 1.18.2.1.4.1 2004/03/06 07:41:39 marka Exp $
|
||||
.\"
|
||||
.TH "DNSSEC-SIGNKEY" "8" "June 30, 2000" "BIND9" ""
|
||||
.SH NAME
|
||||
dnssec-signkey \- DNSSEC key set signing tool
|
||||
.SH SYNOPSIS
|
||||
.sp
|
||||
\fBdnssec-signkey\fR [ \fB-a\fR ] [ \fB-c \fIclass\fB\fR ] [ \fB-s \fIstart-time\fB\fR ] [ \fB-e \fIend-time\fB\fR ] [ \fB-h\fR ] [ \fB-p\fR ] [ \fB-r \fIrandomdev\fB\fR ] [ \fB-v \fIlevel\fB\fR ] \fBkeyset\fR \fBkey\fR\fI...\fR
|
||||
.SH "DESCRIPTION"
|
||||
.PP
|
||||
\fBdnssec-signkey\fR signs a keyset. Typically
|
||||
the keyset will be for a child zone, and will have been generated
|
||||
by \fBdnssec-makekeyset\fR. The child zone's keyset
|
||||
is signed with the zone keys for its parent zone. The output file
|
||||
is of the form \fIsignedkey-nnnn.\fR, where
|
||||
\fInnnn\fR is the zone name.
|
||||
.SH "OPTIONS"
|
||||
.TP
|
||||
\fB-a\fR
|
||||
Verify all generated signatures.
|
||||
.TP
|
||||
\fB-c \fIclass\fB\fR
|
||||
Specifies the DNS class of the key sets.
|
||||
.TP
|
||||
\fB-s \fIstart-time\fB\fR
|
||||
Specify the date and time when the generated SIG records
|
||||
become valid. This can be either an absolute or relative
|
||||
time. An absolute start time is indicated by a number
|
||||
in YYYYMMDDHHMMSS notation; 20000530144500 denotes
|
||||
14:45:00 UTC on May 30th, 2000. A relative start time is
|
||||
indicated by +N, which is N seconds from the current time.
|
||||
If no \fBstart-time\fR is specified, the current
|
||||
time is used.
|
||||
.TP
|
||||
\fB-e \fIend-time\fB\fR
|
||||
Specify the date and time when the generated SIG records
|
||||
expire. As with \fBstart-time\fR, an absolute
|
||||
time is indicated in YYYYMMDDHHMMSS notation. A time relative
|
||||
to the start time is indicated with +N, which is N seconds from
|
||||
the start time. A time relative to the current time is
|
||||
indicated with now+N. If no \fBend-time\fR is
|
||||
specified, 30 days from the start time is used as a default.
|
||||
.TP
|
||||
\fB-h\fR
|
||||
Prints a short summary of the options and arguments to
|
||||
\fBdnssec-signkey\fR.
|
||||
.TP
|
||||
\fB-p\fR
|
||||
Use pseudo-random data when signing the zone. This is faster,
|
||||
but less secure, than using real random data. This option
|
||||
may be useful when signing large zones or when the entropy
|
||||
source is limited.
|
||||
.TP
|
||||
\fB-r \fIrandomdev\fB\fR
|
||||
Specifies the source of randomness. If the operating
|
||||
system does not provide a \fI/dev/random\fR
|
||||
or equivalent device, the default source of randomness
|
||||
is keyboard input. \fIrandomdev\fR specifies
|
||||
the name of a character device or file containing random
|
||||
data to be used instead of the default. The special value
|
||||
\fIkeyboard\fR indicates that keyboard
|
||||
input should be used.
|
||||
.TP
|
||||
\fB-v \fIlevel\fB\fR
|
||||
Sets the debugging level.
|
||||
.TP
|
||||
\fBkeyset\fR
|
||||
The file containing the child's keyset.
|
||||
.TP
|
||||
\fBkey\fR
|
||||
The keys used to sign the child's keyset.
|
||||
.SH "EXAMPLE"
|
||||
.PP
|
||||
The DNS administrator for a DNSSEC-aware \fB.com\fR
|
||||
zone would use the following command to sign the
|
||||
\fIkeyset\fR file for \fBexample.com\fR
|
||||
created by \fBdnssec-makekeyset\fR with a key generated
|
||||
by \fBdnssec-keygen\fR:
|
||||
.PP
|
||||
\fBdnssec-signkey keyset-example.com. Kcom.+003+51944\fR
|
||||
.PP
|
||||
In this example, \fBdnssec-signkey\fR creates
|
||||
the file \fIsignedkey-example.com.\fR, which
|
||||
contains the \fBexample.com\fR keys and the
|
||||
signatures by the \fB.com\fR keys.
|
||||
.SH "SEE ALSO"
|
||||
.PP
|
||||
\fBdnssec-keygen\fR(8),
|
||||
\fBdnssec-makekeyset\fR(8),
|
||||
\fBdnssec-signzone\fR(8).
|
||||
.SH "AUTHOR"
|
||||
.PP
|
||||
Internet Software Consortium
|
@ -1,448 +0,0 @@
|
||||
/*
|
||||
* Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
|
||||
* Portions Copyright (C) 2000-2003 Internet Software Consortium.
|
||||
* Portions Copyright (C) 1995-2000 by Network Associates, Inc.
|
||||
*
|
||||
* Permission to use, copy, modify, and distribute this software for any
|
||||
* purpose with or without fee is hereby granted, provided that the above
|
||||
* copyright notice and this permission notice appear in all copies.
|
||||
*
|
||||
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
|
||||
* ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
|
||||
* WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE
|
||||
* FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
||||
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
||||
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
|
||||
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||
*/
|
||||
|
||||
/* $Id: dnssec-signkey.c,v 1.50.2.2.2.7 2004/08/28 06:25:28 marka Exp $ */
|
||||
|
||||
#include <config.h>
|
||||
|
||||
#include <stdlib.h>
|
||||
|
||||
#include <isc/string.h>
|
||||
#include <isc/commandline.h>
|
||||
#include <isc/entropy.h>
|
||||
#include <isc/mem.h>
|
||||
#include <isc/print.h>
|
||||
#include <isc/util.h>
|
||||
|
||||
#include <dns/db.h>
|
||||
#include <dns/dbiterator.h>
|
||||
#include <dns/diff.h>
|
||||
#include <dns/dnssec.h>
|
||||
#include <dns/fixedname.h>
|
||||
#include <dns/log.h>
|
||||
#include <dns/rdata.h>
|
||||
#include <dns/rdataclass.h>
|
||||
#include <dns/rdataset.h>
|
||||
#include <dns/rdatasetiter.h>
|
||||
#include <dns/rdatastruct.h>
|
||||
#include <dns/result.h>
|
||||
#include <dns/secalg.h>
|
||||
|
||||
#include <dst/dst.h>
|
||||
|
||||
#include "dnssectool.h"
|
||||
|
||||
const char *program = "dnssec-signkey";
|
||||
int verbose;
|
||||
|
||||
typedef struct keynode keynode_t;
|
||||
struct keynode {
|
||||
dst_key_t *key;
|
||||
isc_boolean_t verified;
|
||||
ISC_LINK(keynode_t) link;
|
||||
};
|
||||
typedef ISC_LIST(keynode_t) keylist_t;
|
||||
|
||||
static isc_stdtime_t starttime = 0, endtime = 0, now;
|
||||
|
||||
static isc_mem_t *mctx = NULL;
|
||||
static isc_entropy_t *ectx = NULL;
|
||||
static keylist_t keylist;
|
||||
|
||||
static void
|
||||
usage(void) {
|
||||
fprintf(stderr, "Usage:\n");
|
||||
fprintf(stderr, "\t%s [options] keyset keys\n", program);
|
||||
|
||||
fprintf(stderr, "\n");
|
||||
|
||||
fprintf(stderr, "Version: %s\n", VERSION);
|
||||
|
||||
fprintf(stderr, "Options: (default value in parenthesis) \n");
|
||||
fprintf(stderr, "\t-a\n");
|
||||
fprintf(stderr, "\t\tverify generated signatures\n");
|
||||
fprintf(stderr, "\t-c class (IN)\n");
|
||||
fprintf(stderr, "\t-s YYYYMMDDHHMMSS|+offset:\n");
|
||||
fprintf(stderr, "\t\tSIG start time - absolute|offset (from keyset)\n");
|
||||
fprintf(stderr, "\t-e YYYYMMDDHHMMSS|+offset|\"now\"+offset]:\n");
|
||||
fprintf(stderr, "\t\tSIG end time - absolute|from start|from now "
|
||||
"(from keyset)\n");
|
||||
fprintf(stderr, "\t-v level:\n");
|
||||
fprintf(stderr, "\t\tverbose level (0)\n");
|
||||
fprintf(stderr, "\t-p\n");
|
||||
fprintf(stderr, "\t\tuse pseudorandom data (faster but less secure)\n");
|
||||
fprintf(stderr, "\t-r randomdev:\n");
|
||||
fprintf(stderr, "\t\ta file containing random data\n");
|
||||
|
||||
fprintf(stderr, "\n");
|
||||
|
||||
fprintf(stderr, "keyset:\n");
|
||||
fprintf(stderr, "\tfile with keyset to be signed (keyset-<name>)\n");
|
||||
fprintf(stderr, "keys:\n");
|
||||
fprintf(stderr, "\tkeyfile (Kname+alg+tag)\n");
|
||||
|
||||
fprintf(stderr, "\n");
|
||||
fprintf(stderr, "Output:\n");
|
||||
fprintf(stderr, "\tsigned keyset (signedkey-<name>)\n");
|
||||
exit(0);
|
||||
}
|
||||
|
||||
static void
|
||||
loadkeys(dns_name_t *name, dns_rdataset_t *rdataset) {
|
||||
dst_key_t *key;
|
||||
dns_rdata_t rdata = DNS_RDATA_INIT;
|
||||
keynode_t *keynode;
|
||||
isc_result_t result;
|
||||
|
||||
ISC_LIST_INIT(keylist);
|
||||
result = dns_rdataset_first(rdataset);
|
||||
check_result(result, "dns_rdataset_first");
|
||||
for (; result == ISC_R_SUCCESS; result = dns_rdataset_next(rdataset)) {
|
||||
dns_rdata_reset(&rdata);
|
||||
dns_rdataset_current(rdataset, &rdata);
|
||||
key = NULL;
|
||||
result = dns_dnssec_keyfromrdata(name, &rdata, mctx, &key);
|
||||
if (result != ISC_R_SUCCESS)
|
||||
continue;
|
||||
if (!dst_key_iszonekey(key)) {
|
||||
dst_key_free(&key);
|
||||
continue;
|
||||
}
|
||||
keynode = isc_mem_get(mctx, sizeof(keynode_t));
|
||||
if (keynode == NULL)
|
||||
fatal("out of memory");
|
||||
keynode->key = key;
|
||||
keynode->verified = ISC_FALSE;
|
||||
ISC_LIST_INITANDAPPEND(keylist, keynode, link);
|
||||
}
|
||||
if (result != ISC_R_NOMORE)
|
||||
fatal("failure traversing key list");
|
||||
}
|
||||
|
||||
static dst_key_t *
|
||||
findkey(dns_rdata_rrsig_t *sig) {
|
||||
keynode_t *keynode;
|
||||
for (keynode = ISC_LIST_HEAD(keylist);
|
||||
keynode != NULL;
|
||||
keynode = ISC_LIST_NEXT(keynode, link))
|
||||
{
|
||||
if (dst_key_id(keynode->key) == sig->keyid &&
|
||||
dst_key_alg(keynode->key) == sig->algorithm) {
|
||||
keynode->verified = ISC_TRUE;
|
||||
return (keynode->key);
|
||||
}
|
||||
}
|
||||
fatal("signature generated by non-zone or missing key");
|
||||
return (NULL);
|
||||
}
|
||||
|
||||
int
|
||||
main(int argc, char *argv[]) {
|
||||
int i, ch;
|
||||
char *startstr = NULL, *endstr = NULL, *classname = NULL;
|
||||
char tdomain[1025];
|
||||
dns_fixedname_t fdomain;
|
||||
dns_name_t *domain;
|
||||
char *output = NULL;
|
||||
char *endp;
|
||||
unsigned char data[65536];
|
||||
dns_db_t *db;
|
||||
dns_dbnode_t *node;
|
||||
dns_dbversion_t *version;
|
||||
dns_diff_t diff;
|
||||
dns_difftuple_t *tuple;
|
||||
dns_dbiterator_t *dbiter;
|
||||
dns_rdatasetiter_t *rdsiter;
|
||||
dst_key_t *key = NULL;
|
||||
dns_rdata_t rdata = DNS_RDATA_INIT;
|
||||
dns_rdata_t sigrdata = DNS_RDATA_INIT;
|
||||
dns_rdataset_t rdataset, sigrdataset;
|
||||
dns_rdata_rrsig_t sig;
|
||||
isc_result_t result;
|
||||
isc_buffer_t b;
|
||||
isc_log_t *log = NULL;
|
||||
keynode_t *keynode;
|
||||
isc_boolean_t pseudorandom = ISC_FALSE;
|
||||
unsigned int eflags;
|
||||
dns_rdataclass_t rdclass;
|
||||
isc_boolean_t tryverify = ISC_FALSE;
|
||||
isc_boolean_t settime = ISC_FALSE;
|
||||
|
||||
result = isc_mem_create(0, 0, &mctx);
|
||||
check_result(result, "isc_mem_create()");
|
||||
|
||||
dns_result_register();
|
||||
|
||||
while ((ch = isc_commandline_parse(argc, argv, "ac:s:e:pr:v:h")) != -1)
|
||||
{
|
||||
switch (ch) {
|
||||
case 'a':
|
||||
tryverify = ISC_TRUE;
|
||||
break;
|
||||
case 'c':
|
||||
classname = isc_commandline_argument;
|
||||
break;
|
||||
|
||||
case 's':
|
||||
startstr = isc_commandline_argument;
|
||||
break;
|
||||
|
||||
case 'e':
|
||||
endstr = isc_commandline_argument;
|
||||
break;
|
||||
|
||||
case 'p':
|
||||
pseudorandom = ISC_TRUE;
|
||||
break;
|
||||
|
||||
case 'r':
|
||||
setup_entropy(mctx, isc_commandline_argument, &ectx);
|
||||
break;
|
||||
|
||||
case 'v':
|
||||
endp = NULL;
|
||||
verbose = strtol(isc_commandline_argument, &endp, 0);
|
||||
if (*endp != '\0')
|
||||
fatal("verbose level must be numeric");
|
||||
break;
|
||||
|
||||
case 'h':
|
||||
default:
|
||||
usage();
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
argc -= isc_commandline_index;
|
||||
argv += isc_commandline_index;
|
||||
|
||||
if (argc < 2)
|
||||
usage();
|
||||
|
||||
rdclass = strtoclass(classname);
|
||||
|
||||
if (ectx == NULL)
|
||||
setup_entropy(mctx, NULL, &ectx);
|
||||
eflags = ISC_ENTROPY_BLOCKING;
|
||||
if (!pseudorandom)
|
||||
eflags |= ISC_ENTROPY_GOODONLY;
|
||||
result = dst_lib_init(mctx, ectx, eflags);
|
||||
if (result != ISC_R_SUCCESS)
|
||||
fatal("could not initialize dst: %s",
|
||||
isc_result_totext(result));
|
||||
|
||||
isc_stdtime_get(&now);
|
||||
|
||||
if ((startstr == NULL || endstr == NULL) &&
|
||||
!(startstr == NULL && endstr == NULL))
|
||||
fatal("if -s or -e is specified, both must be");
|
||||
|
||||
if (startstr != NULL) {
|
||||
starttime = strtotime(startstr, now, now);
|
||||
endtime = strtotime(endstr, now, starttime);
|
||||
settime = ISC_TRUE;
|
||||
}
|
||||
|
||||
setup_logging(verbose, mctx, &log);
|
||||
|
||||
if (strlen(argv[0]) < 8U || strncmp(argv[0], "keyset-", 7) != 0)
|
||||
fatal("keyset file '%s' must start with keyset-", argv[0]);
|
||||
|
||||
db = NULL;
|
||||
result = dns_db_create(mctx, "rbt", dns_rootname, dns_dbtype_zone,
|
||||
rdclass, 0, NULL, &db);
|
||||
check_result(result, "dns_db_create()");
|
||||
|
||||
result = dns_db_load(db, argv[0]);
|
||||
if (result != ISC_R_SUCCESS && result != DNS_R_SEENINCLUDE)
|
||||
fatal("failed to load database from '%s': %s", argv[0],
|
||||
isc_result_totext(result));
|
||||
|
||||
dns_fixedname_init(&fdomain);
|
||||
domain = dns_fixedname_name(&fdomain);
|
||||
|
||||
dbiter = NULL;
|
||||
result = dns_db_createiterator(db, ISC_FALSE, &dbiter);
|
||||
check_result(result, "dns_db_createiterator()");
|
||||
|
||||
result = dns_dbiterator_first(dbiter);
|
||||
check_result(result, "dns_dbiterator_first()");
|
||||
while (result == ISC_R_SUCCESS) {
|
||||
node = NULL;
|
||||
dns_dbiterator_current(dbiter, &node, domain);
|
||||
rdsiter = NULL;
|
||||
result = dns_db_allrdatasets(db, node, NULL, 0, &rdsiter);
|
||||
check_result(result, "dns_db_allrdatasets()");
|
||||
result = dns_rdatasetiter_first(rdsiter);
|
||||
dns_rdatasetiter_destroy(&rdsiter);
|
||||
if (result == ISC_R_SUCCESS)
|
||||
break;
|
||||
dns_db_detachnode(db, &node);
|
||||
result = dns_dbiterator_next(dbiter);
|
||||
}
|
||||
dns_dbiterator_destroy(&dbiter);
|
||||
if (result != ISC_R_SUCCESS)
|
||||
fatal("failed to find data in keyset file");
|
||||
|
||||
isc_buffer_init(&b, tdomain, sizeof(tdomain) - 1);
|
||||
result = dns_name_tofilenametext(domain, ISC_FALSE, &b);
|
||||
check_result(result, "dns_name_tofilenametext()");
|
||||
isc_buffer_putuint8(&b, 0);
|
||||
|
||||
output = isc_mem_allocate(mctx,
|
||||
strlen("signedkey-") + strlen(tdomain) + 1);
|
||||
if (output == NULL)
|
||||
fatal("out of memory");
|
||||
sprintf(output, "signedkey-%s", tdomain);
|
||||
|
||||
version = NULL;
|
||||
dns_db_newversion(db, &version);
|
||||
|
||||
dns_rdataset_init(&rdataset);
|
||||
dns_rdataset_init(&sigrdataset);
|
||||
result = dns_db_findrdataset(db, node, version, dns_rdatatype_dnskey, 0,
|
||||
0, &rdataset, &sigrdataset);
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
char domainstr[DNS_NAME_FORMATSIZE];
|
||||
dns_name_format(domain, domainstr, sizeof(domainstr));
|
||||
fatal("failed to find rdataset '%s KEY': %s",
|
||||
domainstr, isc_result_totext(result));
|
||||
}
|
||||
|
||||
loadkeys(domain, &rdataset);
|
||||
|
||||
dns_diff_init(mctx, &diff);
|
||||
|
||||
if (!dns_rdataset_isassociated(&sigrdataset))
|
||||
fatal("no SIG KEY set present");
|
||||
|
||||
result = dns_rdataset_first(&sigrdataset);
|
||||
check_result(result, "dns_rdataset_first()");
|
||||
do {
|
||||
dns_rdataset_current(&sigrdataset, &sigrdata);
|
||||
result = dns_rdata_tostruct(&sigrdata, &sig, mctx);
|
||||
check_result(result, "dns_rdata_tostruct()");
|
||||
key = findkey(&sig);
|
||||
result = dns_dnssec_verify(domain, &rdataset, key,
|
||||
ISC_TRUE, mctx, &sigrdata);
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
char keystr[KEY_FORMATSIZE];
|
||||
key_format(key, keystr, sizeof(keystr));
|
||||
fatal("signature by key '%s' did not verify: %s",
|
||||
keystr, isc_result_totext(result));
|
||||
}
|
||||
if (!settime) {
|
||||
starttime = sig.timesigned;
|
||||
endtime = sig.timeexpire;
|
||||
settime = ISC_TRUE;
|
||||
}
|
||||
dns_rdata_freestruct(&sig);
|
||||
dns_rdata_reset(&sigrdata);
|
||||
result = dns_rdataset_next(&sigrdataset);
|
||||
} while (result == ISC_R_SUCCESS);
|
||||
|
||||
for (keynode = ISC_LIST_HEAD(keylist);
|
||||
keynode != NULL;
|
||||
keynode = ISC_LIST_NEXT(keynode, link))
|
||||
if (!keynode->verified)
|
||||
fatal("not all zone keys self signed the key set");
|
||||
|
||||
argc -= 1;
|
||||
argv += 1;
|
||||
|
||||
for (i = 0; i < argc; i++) {
|
||||
key = NULL;
|
||||
result = dst_key_fromnamedfile(argv[i],
|
||||
DST_TYPE_PUBLIC |
|
||||
DST_TYPE_PRIVATE,
|
||||
mctx, &key);
|
||||
if (result != ISC_R_SUCCESS)
|
||||
fatal("failed to read key %s from disk: %s",
|
||||
argv[i], isc_result_totext(result));
|
||||
|
||||
dns_rdata_reset(&rdata);
|
||||
isc_buffer_init(&b, data, sizeof(data));
|
||||
result = dns_dnssec_sign(domain, &rdataset, key,
|
||||
&starttime, &endtime,
|
||||
mctx, &b, &rdata);
|
||||
isc_entropy_stopcallbacksources(ectx);
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
char keystr[KEY_FORMATSIZE];
|
||||
key_format(key, keystr, sizeof(keystr));
|
||||
fatal("key '%s' failed to sign data: %s",
|
||||
keystr, isc_result_totext(result));
|
||||
}
|
||||
if (tryverify) {
|
||||
result = dns_dnssec_verify(domain, &rdataset, key,
|
||||
ISC_TRUE, mctx, &rdata);
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
char keystr[KEY_FORMATSIZE];
|
||||
key_format(key, keystr, sizeof(keystr));
|
||||
fatal("signature from key '%s' failed to "
|
||||
"verify: %s",
|
||||
keystr, isc_result_totext(result));
|
||||
}
|
||||
}
|
||||
tuple = NULL;
|
||||
result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD,
|
||||
domain, rdataset.ttl,
|
||||
&rdata, &tuple);
|
||||
check_result(result, "dns_difftuple_create");
|
||||
dns_diff_append(&diff, &tuple);
|
||||
dst_key_free(&key);
|
||||
}
|
||||
|
||||
result = dns_db_deleterdataset(db, node, version, dns_rdatatype_rrsig,
|
||||
dns_rdatatype_dnskey);
|
||||
check_result(result, "dns_db_deleterdataset");
|
||||
|
||||
result = dns_diff_apply(&diff, db, version);
|
||||
check_result(result, "dns_diff_apply");
|
||||
dns_diff_clear(&diff);
|
||||
|
||||
dns_db_detachnode(db, &node);
|
||||
dns_db_closeversion(db, &version, ISC_TRUE);
|
||||
result = dns_db_dump(db, version, output);
|
||||
if (result != ISC_R_SUCCESS)
|
||||
fatal("failed to write database to '%s': %s",
|
||||
output, isc_result_totext(result));
|
||||
|
||||
printf("%s\n", output);
|
||||
|
||||
dns_rdataset_disassociate(&rdataset);
|
||||
dns_rdataset_disassociate(&sigrdataset);
|
||||
|
||||
dns_db_detach(&db);
|
||||
|
||||
while (!ISC_LIST_EMPTY(keylist)) {
|
||||
keynode = ISC_LIST_HEAD(keylist);
|
||||
ISC_LIST_UNLINK(keylist, keynode, link);
|
||||
dst_key_free(&keynode->key);
|
||||
isc_mem_put(mctx, keynode, sizeof(keynode_t));
|
||||
}
|
||||
|
||||
cleanup_logging(&log);
|
||||
|
||||
isc_mem_free(mctx, output);
|
||||
cleanup_entropy(&ectx);
|
||||
dst_lib_destroy();
|
||||
if (verbose > 10)
|
||||
isc_mem_stats(mctx, stdout);
|
||||
isc_mem_destroy(&mctx);
|
||||
return (0);
|
||||
}
|
@ -1,237 +0,0 @@
|
||||
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
|
||||
<!--
|
||||
- Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
|
||||
- Copyright (C) 2001, 2003 Internet Software Consortium.
|
||||
-
|
||||
- Permission to use, copy, modify, and distribute this software for any
|
||||
- purpose with or without fee is hereby granted, provided that the above
|
||||
- copyright notice and this permission notice appear in all copies.
|
||||
-
|
||||
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
|
||||
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
|
||||
- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
|
||||
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
|
||||
- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
|
||||
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
||||
- PERFORMANCE OF THIS SOFTWARE.
|
||||
-->
|
||||
|
||||
<!-- $Id: dnssec-signkey.docbook,v 1.2.2.2.4.2 2004/06/03 02:24:55 marka Exp $ -->
|
||||
|
||||
<refentry>
|
||||
<refentryinfo>
|
||||
<date>June 30, 2000</date>
|
||||
</refentryinfo>
|
||||
|
||||
<refmeta>
|
||||
<refentrytitle><application>dnssec-signkey</application></refentrytitle>
|
||||
<manvolnum>8</manvolnum>
|
||||
<refmiscinfo>BIND9</refmiscinfo>
|
||||
</refmeta>
|
||||
|
||||
<refnamediv>
|
||||
<refname><application>dnssec-signkey</application></refname>
|
||||
<refpurpose>DNSSEC key set signing tool</refpurpose>
|
||||
</refnamediv>
|
||||
|
||||
<refsynopsisdiv>
|
||||
<cmdsynopsis>
|
||||
<command>dnssec-signkey</command>
|
||||
<arg><option>-a</option></arg>
|
||||
<arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
|
||||
<arg><option>-s <replaceable class="parameter">start-time</replaceable></option></arg>
|
||||
<arg><option>-e <replaceable class="parameter">end-time</replaceable></option></arg>
|
||||
<arg><option>-h</option></arg>
|
||||
<arg><option>-p</option></arg>
|
||||
<arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>
|
||||
<arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
|
||||
<arg choice="req">keyset</arg>
|
||||
<arg choice="req" rep="repeat">key</arg>
|
||||
</cmdsynopsis>
|
||||
</refsynopsisdiv>
|
||||
|
||||
<refsect1>
|
||||
<title>DESCRIPTION</title>
|
||||
<para>
|
||||
<command>dnssec-signkey</command> signs a keyset. Typically
|
||||
the keyset will be for a child zone, and will have been generated
|
||||
by <command>dnssec-makekeyset</command>. The child zone's keyset
|
||||
is signed with the zone keys for its parent zone. The output file
|
||||
is of the form <filename>signedkey-nnnn.</filename>, where
|
||||
<filename>nnnn</filename> is the zone name.
|
||||
</para>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title>OPTIONS</title>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term>-a</term>
|
||||
<listitem>
|
||||
<para>
|
||||
Verify all generated signatures.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-c <replaceable class="parameter">class</replaceable></term>
|
||||
<listitem>
|
||||
<para>
|
||||
Specifies the DNS class of the key sets.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-s <replaceable class="parameter">start-time</replaceable></term>
|
||||
<listitem>
|
||||
<para>
|
||||
Specify the date and time when the generated SIG records
|
||||
become valid. This can be either an absolute or relative
|
||||
time. An absolute start time is indicated by a number
|
||||
in YYYYMMDDHHMMSS notation; 20000530144500 denotes
|
||||
14:45:00 UTC on May 30th, 2000. A relative start time is
|
||||
indicated by +N, which is N seconds from the current time.
|
||||
If no <option>start-time</option> is specified, the current
|
||||
time is used.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-e <replaceable class="parameter">end-time</replaceable></term>
|
||||
<listitem>
|
||||
<para>
|
||||
Specify the date and time when the generated SIG records
|
||||
expire. As with <option>start-time</option>, an absolute
|
||||
time is indicated in YYYYMMDDHHMMSS notation. A time relative
|
||||
to the start time is indicated with +N, which is N seconds from
|
||||
the start time. A time relative to the current time is
|
||||
indicated with now+N. If no <option>end-time</option> is
|
||||
specified, 30 days from the start time is used as a default.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-h</term>
|
||||
<listitem>
|
||||
<para>
|
||||
Prints a short summary of the options and arguments to
|
||||
<command>dnssec-signkey</command>.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-p</term>
|
||||
<listitem>
|
||||
<para>
|
||||
Use pseudo-random data when signing the zone. This is faster,
|
||||
but less secure, than using real random data. This option
|
||||
may be useful when signing large zones or when the entropy
|
||||
source is limited.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-r <replaceable class="parameter">randomdev</replaceable></term>
|
||||
<listitem>
|
||||
<para>
|
||||
Specifies the source of randomness. If the operating
|
||||
system does not provide a <filename>/dev/random</filename>
|
||||
or equivalent device, the default source of randomness
|
||||
is keyboard input. <filename>randomdev</filename> specifies
|
||||
the name of a character device or file containing random
|
||||
data to be used instead of the default. The special value
|
||||
<filename>keyboard</filename> indicates that keyboard
|
||||
input should be used.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-v <replaceable class="parameter">level</replaceable></term>
|
||||
<listitem>
|
||||
<para>
|
||||
Sets the debugging level.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>keyset</term>
|
||||
<listitem>
|
||||
<para>
|
||||
The file containing the child's keyset.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>key</term>
|
||||
<listitem>
|
||||
<para>
|
||||
The keys used to sign the child's keyset.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
</variablelist>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title>EXAMPLE</title>
|
||||
<para>
|
||||
The DNS administrator for a DNSSEC-aware <userinput>.com</userinput>
|
||||
zone would use the following command to sign the
|
||||
<filename>keyset</filename> file for <userinput>example.com</userinput>
|
||||
created by <command>dnssec-makekeyset</command> with a key generated
|
||||
by <command>dnssec-keygen</command>:
|
||||
</para>
|
||||
<para>
|
||||
<userinput>dnssec-signkey keyset-example.com. Kcom.+003+51944</userinput>
|
||||
</para>
|
||||
<para>
|
||||
In this example, <command>dnssec-signkey</command> creates
|
||||
the file <filename>signedkey-example.com.</filename>, which
|
||||
contains the <userinput>example.com</userinput> keys and the
|
||||
signatures by the <userinput>.com</userinput> keys.
|
||||
</para>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title>SEE ALSO</title>
|
||||
<para>
|
||||
<citerefentry>
|
||||
<refentrytitle>dnssec-keygen</refentrytitle>
|
||||
<manvolnum>8</manvolnum>
|
||||
</citerefentry>,
|
||||
<citerefentry>
|
||||
<refentrytitle>dnssec-makekeyset</refentrytitle>
|
||||
<manvolnum>8</manvolnum>
|
||||
</citerefentry>,
|
||||
<citerefentry>
|
||||
<refentrytitle>dnssec-signzone</refentrytitle>
|
||||
<manvolnum>8</manvolnum>
|
||||
</citerefentry>.
|
||||
</para>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title>AUTHOR</title>
|
||||
<para>
|
||||
<corpauthor>Internet Systems Consortium</corpauthor>
|
||||
</para>
|
||||
</refsect1>
|
||||
|
||||
</refentry>
|
||||
|
||||
<!--
|
||||
- Local variables:
|
||||
- mode: sgml
|
||||
- End:
|
||||
-->
|
@ -1,407 +0,0 @@
|
||||
<!--
|
||||
- Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
|
||||
- Copyright (C) 2001, 2003 Internet Software Consortium.
|
||||
-
|
||||
- Permission to use, copy, modify, and distribute this software for any
|
||||
- purpose with or without fee is hereby granted, provided that the above
|
||||
- copyright notice and this permission notice appear in all copies.
|
||||
-
|
||||
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
|
||||
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
|
||||
- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
|
||||
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
|
||||
- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
|
||||
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
||||
- PERFORMANCE OF THIS SOFTWARE.
|
||||
-->
|
||||
|
||||
<!-- $Id: dnssec-signkey.html,v 1.4.2.1.4.1 2004/03/06 10:21:15 marka Exp $ -->
|
||||
|
||||
<HTML
|
||||
><HEAD
|
||||
><TITLE
|
||||
>dnssec-signkey</TITLE
|
||||
><META
|
||||
NAME="GENERATOR"
|
||||
CONTENT="Modular DocBook HTML Stylesheet Version 1.73
|
||||
"></HEAD
|
||||
><BODY
|
||||
CLASS="REFENTRY"
|
||||
BGCOLOR="#FFFFFF"
|
||||
TEXT="#000000"
|
||||
LINK="#0000FF"
|
||||
VLINK="#840084"
|
||||
ALINK="#0000FF"
|
||||
><H1
|
||||
><A
|
||||
NAME="AEN1"
|
||||
><SPAN
|
||||
CLASS="APPLICATION"
|
||||
>dnssec-signkey</SPAN
|
||||
></A
|
||||
></H1
|
||||
><DIV
|
||||
CLASS="REFNAMEDIV"
|
||||
><A
|
||||
NAME="AEN9"
|
||||
></A
|
||||
><H2
|
||||
>Name</H2
|
||||
><SPAN
|
||||
CLASS="APPLICATION"
|
||||
>dnssec-signkey</SPAN
|
||||
> -- DNSSEC key set signing tool</DIV
|
||||
><DIV
|
||||
CLASS="REFSYNOPSISDIV"
|
||||
><A
|
||||
NAME="AEN13"
|
||||
></A
|
||||
><H2
|
||||
>Synopsis</H2
|
||||
><P
|
||||
><B
|
||||
CLASS="COMMAND"
|
||||
>dnssec-signkey</B
|
||||
> [<TT
|
||||
CLASS="OPTION"
|
||||
>-a</TT
|
||||
>] [<TT
|
||||
CLASS="OPTION"
|
||||
>-c <TT
|
||||
CLASS="REPLACEABLE"
|
||||
><I
|
||||
>class</I
|
||||
></TT
|
||||
></TT
|
||||
>] [<TT
|
||||
CLASS="OPTION"
|
||||
>-s <TT
|
||||
CLASS="REPLACEABLE"
|
||||
><I
|
||||
>start-time</I
|
||||
></TT
|
||||
></TT
|
||||
>] [<TT
|
||||
CLASS="OPTION"
|
||||
>-e <TT
|
||||
CLASS="REPLACEABLE"
|
||||
><I
|
||||
>end-time</I
|
||||
></TT
|
||||
></TT
|
||||
>] [<TT
|
||||
CLASS="OPTION"
|
||||
>-h</TT
|
||||
>] [<TT
|
||||
CLASS="OPTION"
|
||||
>-p</TT
|
||||
>] [<TT
|
||||
CLASS="OPTION"
|
||||
>-r <TT
|
||||
CLASS="REPLACEABLE"
|
||||
><I
|
||||
>randomdev</I
|
||||
></TT
|
||||
></TT
|
||||
>] [<TT
|
||||
CLASS="OPTION"
|
||||
>-v <TT
|
||||
CLASS="REPLACEABLE"
|
||||
><I
|
||||
>level</I
|
||||
></TT
|
||||
></TT
|
||||
>] {keyset} {key...}</P
|
||||
></DIV
|
||||
><DIV
|
||||
CLASS="REFSECT1"
|
||||
><A
|
||||
NAME="AEN39"
|
||||
></A
|
||||
><H2
|
||||
>DESCRIPTION</H2
|
||||
><P
|
||||
> <B
|
||||
CLASS="COMMAND"
|
||||
>dnssec-signkey</B
|
||||
> signs a keyset. Typically
|
||||
the keyset will be for a child zone, and will have been generated
|
||||
by <B
|
||||
CLASS="COMMAND"
|
||||
>dnssec-makekeyset</B
|
||||
>. The child zone's keyset
|
||||
is signed with the zone keys for its parent zone. The output file
|
||||
is of the form <TT
|
||||
CLASS="FILENAME"
|
||||
>signedkey-nnnn.</TT
|
||||
>, where
|
||||
<TT
|
||||
CLASS="FILENAME"
|
||||
>nnnn</TT
|
||||
> is the zone name.
|
||||
</P
|
||||
></DIV
|
||||
><DIV
|
||||
CLASS="REFSECT1"
|
||||
><A
|
||||
NAME="AEN46"
|
||||
></A
|
||||
><H2
|
||||
>OPTIONS</H2
|
||||
><P
|
||||
></P
|
||||
><DIV
|
||||
CLASS="VARIABLELIST"
|
||||
><DL
|
||||
><DT
|
||||
>-a</DT
|
||||
><DD
|
||||
><P
|
||||
> Verify all generated signatures.
|
||||
</P
|
||||
></DD
|
||||
><DT
|
||||
>-c <TT
|
||||
CLASS="REPLACEABLE"
|
||||
><I
|
||||
>class</I
|
||||
></TT
|
||||
></DT
|
||||
><DD
|
||||
><P
|
||||
> Specifies the DNS class of the key sets.
|
||||
</P
|
||||
></DD
|
||||
><DT
|
||||
>-s <TT
|
||||
CLASS="REPLACEABLE"
|
||||
><I
|
||||
>start-time</I
|
||||
></TT
|
||||
></DT
|
||||
><DD
|
||||
><P
|
||||
> Specify the date and time when the generated SIG records
|
||||
become valid. This can be either an absolute or relative
|
||||
time. An absolute start time is indicated by a number
|
||||
in YYYYMMDDHHMMSS notation; 20000530144500 denotes
|
||||
14:45:00 UTC on May 30th, 2000. A relative start time is
|
||||
indicated by +N, which is N seconds from the current time.
|
||||
If no <TT
|
||||
CLASS="OPTION"
|
||||
>start-time</TT
|
||||
> is specified, the current
|
||||
time is used.
|
||||
</P
|
||||
></DD
|
||||
><DT
|
||||
>-e <TT
|
||||
CLASS="REPLACEABLE"
|
||||
><I
|
||||
>end-time</I
|
||||
></TT
|
||||
></DT
|
||||
><DD
|
||||
><P
|
||||
> Specify the date and time when the generated SIG records
|
||||
expire. As with <TT
|
||||
CLASS="OPTION"
|
||||
>start-time</TT
|
||||
>, an absolute
|
||||
time is indicated in YYYYMMDDHHMMSS notation. A time relative
|
||||
to the start time is indicated with +N, which is N seconds from
|
||||
the start time. A time relative to the current time is
|
||||
indicated with now+N. If no <TT
|
||||
CLASS="OPTION"
|
||||
>end-time</TT
|
||||
> is
|
||||
specified, 30 days from the start time is used as a default.
|
||||
</P
|
||||
></DD
|
||||
><DT
|
||||
>-h</DT
|
||||
><DD
|
||||
><P
|
||||
> Prints a short summary of the options and arguments to
|
||||
<B
|
||||
CLASS="COMMAND"
|
||||
>dnssec-signkey</B
|
||||
>.
|
||||
</P
|
||||
></DD
|
||||
><DT
|
||||
>-p</DT
|
||||
><DD
|
||||
><P
|
||||
> Use pseudo-random data when signing the zone. This is faster,
|
||||
but less secure, than using real random data. This option
|
||||
may be useful when signing large zones or when the entropy
|
||||
source is limited.
|
||||
</P
|
||||
></DD
|
||||
><DT
|
||||
>-r <TT
|
||||
CLASS="REPLACEABLE"
|
||||
><I
|
||||
>randomdev</I
|
||||
></TT
|
||||
></DT
|
||||
><DD
|
||||
><P
|
||||
> Specifies the source of randomness. If the operating
|
||||
system does not provide a <TT
|
||||
CLASS="FILENAME"
|
||||
>/dev/random</TT
|
||||
>
|
||||
or equivalent device, the default source of randomness
|
||||
is keyboard input. <TT
|
||||
CLASS="FILENAME"
|
||||
>randomdev</TT
|
||||
> specifies
|
||||
the name of a character device or file containing random
|
||||
data to be used instead of the default. The special value
|
||||
<TT
|
||||
CLASS="FILENAME"
|
||||
>keyboard</TT
|
||||
> indicates that keyboard
|
||||
input should be used.
|
||||
</P
|
||||
></DD
|
||||
><DT
|
||||
>-v <TT
|
||||
CLASS="REPLACEABLE"
|
||||
><I
|
||||
>level</I
|
||||
></TT
|
||||
></DT
|
||||
><DD
|
||||
><P
|
||||
> Sets the debugging level.
|
||||
</P
|
||||
></DD
|
||||
><DT
|
||||
>keyset</DT
|
||||
><DD
|
||||
><P
|
||||
> The file containing the child's keyset.
|
||||
</P
|
||||
></DD
|
||||
><DT
|
||||
>key</DT
|
||||
><DD
|
||||
><P
|
||||
> The keys used to sign the child's keyset.
|
||||
</P
|
||||
></DD
|
||||
></DL
|
||||
></DIV
|
||||
></DIV
|
||||
><DIV
|
||||
CLASS="REFSECT1"
|
||||
><A
|
||||
NAME="AEN101"
|
||||
></A
|
||||
><H2
|
||||
>EXAMPLE</H2
|
||||
><P
|
||||
> The DNS administrator for a DNSSEC-aware <TT
|
||||
CLASS="USERINPUT"
|
||||
><B
|
||||
>.com</B
|
||||
></TT
|
||||
>
|
||||
zone would use the following command to sign the
|
||||
<TT
|
||||
CLASS="FILENAME"
|
||||
>keyset</TT
|
||||
> file for <TT
|
||||
CLASS="USERINPUT"
|
||||
><B
|
||||
>example.com</B
|
||||
></TT
|
||||
>
|
||||
created by <B
|
||||
CLASS="COMMAND"
|
||||
>dnssec-makekeyset</B
|
||||
> with a key generated
|
||||
by <B
|
||||
CLASS="COMMAND"
|
||||
>dnssec-keygen</B
|
||||
>:
|
||||
</P
|
||||
><P
|
||||
> <TT
|
||||
CLASS="USERINPUT"
|
||||
><B
|
||||
>dnssec-signkey keyset-example.com. Kcom.+003+51944</B
|
||||
></TT
|
||||
>
|
||||
</P
|
||||
><P
|
||||
> In this example, <B
|
||||
CLASS="COMMAND"
|
||||
>dnssec-signkey</B
|
||||
> creates
|
||||
the file <TT
|
||||
CLASS="FILENAME"
|
||||
>signedkey-example.com.</TT
|
||||
>, which
|
||||
contains the <TT
|
||||
CLASS="USERINPUT"
|
||||
><B
|
||||
>example.com</B
|
||||
></TT
|
||||
> keys and the
|
||||
signatures by the <TT
|
||||
CLASS="USERINPUT"
|
||||
><B
|
||||
>.com</B
|
||||
></TT
|
||||
> keys.
|
||||
</P
|
||||
></DIV
|
||||
><DIV
|
||||
CLASS="REFSECT1"
|
||||
><A
|
||||
NAME="AEN116"
|
||||
></A
|
||||
><H2
|
||||
>SEE ALSO</H2
|
||||
><P
|
||||
> <SPAN
|
||||
CLASS="CITEREFENTRY"
|
||||
><SPAN
|
||||
CLASS="REFENTRYTITLE"
|
||||
>dnssec-keygen</SPAN
|
||||
>(8)</SPAN
|
||||
>,
|
||||
<SPAN
|
||||
CLASS="CITEREFENTRY"
|
||||
><SPAN
|
||||
CLASS="REFENTRYTITLE"
|
||||
>dnssec-makekeyset</SPAN
|
||||
>(8)</SPAN
|
||||
>,
|
||||
<SPAN
|
||||
CLASS="CITEREFENTRY"
|
||||
><SPAN
|
||||
CLASS="REFENTRYTITLE"
|
||||
>dnssec-signzone</SPAN
|
||||
>(8)</SPAN
|
||||
>.
|
||||
</P
|
||||
></DIV
|
||||
><DIV
|
||||
CLASS="REFSECT1"
|
||||
><A
|
||||
NAME="AEN128"
|
||||
></A
|
||||
><H2
|
||||
>AUTHOR</H2
|
||||
><P
|
||||
> Internet Software Consortium
|
||||
</P
|
||||
></DIV
|
||||
></BODY
|
||||
></HTML
|
||||
>
|
Binary file not shown.
Before Width: | Height: | Size: 6.2 KiB |
@ -1,148 +0,0 @@
|
||||
<!DOCTYPE style-sheet PUBLIC "-//James Clark//DTD DSSSL Style Sheet//EN" [
|
||||
<!ENTITY dbstyle SYSTEM "@HTMLSTYLE@" CDATA DSSSL>
|
||||
]>
|
||||
|
||||
<style-sheet>
|
||||
<style-specification use="docbook">
|
||||
<style-specification-body>
|
||||
|
||||
<!-- ;; your stuff goes here... -->
|
||||
|
||||
(define %html-prefix%
|
||||
;; Add the specified prefix to HTML output filenames
|
||||
"Bv9ARM.")
|
||||
|
||||
(define %use-id-as-filename%
|
||||
;; Use ID attributes as name for component HTML files?
|
||||
#t)
|
||||
|
||||
(define %root-filename%
|
||||
;; Name for the root HTML document
|
||||
"Bv9ARM")
|
||||
|
||||
(define %section-autolabel%
|
||||
;; REFENTRY section-autolabel
|
||||
;; PURP Are sections enumerated?
|
||||
;; DESC
|
||||
;; If true, unlabeled sections will be enumerated.
|
||||
;; /DESC
|
||||
;; AUTHOR N/A
|
||||
;; /REFENTRY
|
||||
#t)
|
||||
|
||||
(define %html-ext%
|
||||
;; REFENTRY html-ext
|
||||
;; PURP Default extension for HTML output files
|
||||
;; DESC
|
||||
;; The default extension for HTML output files.
|
||||
;; /DESC
|
||||
;; AUTHOR N/A
|
||||
;; /REFENTRY
|
||||
".html")
|
||||
|
||||
(define nochunks
|
||||
;; REFENTRY nochunks
|
||||
;; PURP Suppress chunking of output pages
|
||||
;; DESC
|
||||
;; If true, the entire source document is formatted as a single HTML
|
||||
;; document and output on stdout.
|
||||
;; (This option can conveniently be set with '-V nochunks' on the
|
||||
;; Jade command line).
|
||||
;; /DESC
|
||||
;; AUTHOR N/A
|
||||
;; /REFENTRY
|
||||
#f)
|
||||
|
||||
(define rootchunk
|
||||
;; REFENTRY rootchunk
|
||||
;; PURP Make a chunk for the root element when nochunks is used
|
||||
;; DESC
|
||||
;; If true, a chunk will be created for the root element, even though
|
||||
;; nochunks is specified. This option has no effect if nochunks is not
|
||||
;; true.
|
||||
;; (This option can conveniently be set with '-V rootchunk' on the
|
||||
;; Jade command line).
|
||||
;; /DESC
|
||||
;; AUTHOR N/A
|
||||
;; /REFENTRY
|
||||
#t)
|
||||
|
||||
(define html-index
|
||||
;; REFENTRY html-index
|
||||
;; PURP HTML indexing?
|
||||
;; DESC
|
||||
;; Turns on HTML indexing. If true, then index data will be written
|
||||
;; to the file defined by 'html-index-filename'. This data can be
|
||||
;; collated and turned into a DocBook index with bin/collateindex.pl.
|
||||
;; /DESC
|
||||
;; AUTHOR N/A
|
||||
;; /REFENTRY
|
||||
#t)
|
||||
|
||||
(define html-manifest
|
||||
;; REFENTRY html-manifest
|
||||
;; PURP Write a manifest?
|
||||
;; DESC
|
||||
;; If not '#f' then the list of HTML files created by the stylesheet
|
||||
;; will be written to the file named by 'html-manifest-filename'.
|
||||
;; /DESC
|
||||
;; AUTHOR N/A
|
||||
;; /REFENTRY
|
||||
#t)
|
||||
|
||||
(define (chunk-element-list)
|
||||
(list (normalize "preface")
|
||||
(normalize "chapter")
|
||||
(normalize "appendix")
|
||||
(normalize "article")
|
||||
(normalize "glossary")
|
||||
(normalize "bibliography")
|
||||
(normalize "index")
|
||||
(normalize "colophon")
|
||||
(normalize "setindex")
|
||||
(normalize "reference")
|
||||
(normalize "refentry")
|
||||
(normalize "part")
|
||||
(normalize "book") ;; just in case nothing else matches...
|
||||
(normalize "set") ;; sets are definitely chunks...
|
||||
))
|
||||
|
||||
;
|
||||
; Add some cell padding to tables so that they don't look so cramped
|
||||
; in Netscape.
|
||||
;
|
||||
; The following definition was cut-and-pasted from dbtable.dsl and the
|
||||
; single line containing the word CELLPADDING was added.
|
||||
;
|
||||
(element tgroup
|
||||
(let* ((wrapper (parent (current-node)))
|
||||
(frameattr (attribute-string (normalize "frame") wrapper))
|
||||
(pgwide (attribute-string (normalize "pgwide") wrapper))
|
||||
(footnotes (select-elements (descendants (current-node))
|
||||
(normalize "footnote")))
|
||||
(border (if (equal? frameattr (normalize "none"))
|
||||
'(("BORDER" "0"))
|
||||
'(("BORDER" "1"))))
|
||||
(width (if (equal? pgwide "1")
|
||||
(list (list "WIDTH" ($table-width$)))
|
||||
'()))
|
||||
(head (select-elements (children (current-node)) (normalize "thead")))
|
||||
(body (select-elements (children (current-node)) (normalize "tbody")))
|
||||
(feet (select-elements (children (current-node)) (normalize "tfoot"))))
|
||||
(make element gi: "TABLE"
|
||||
attributes: (append
|
||||
'(("CELLPADDING" "3"))
|
||||
border
|
||||
width
|
||||
(if %cals-table-class%
|
||||
(list (list "CLASS" %cals-table-class%))
|
||||
'()))
|
||||
(process-node-list head)
|
||||
(process-node-list body)
|
||||
(process-node-list feet)
|
||||
(make-table-endnotes))))
|
||||
|
||||
</style-specification-body>
|
||||
</style-specification>
|
||||
<external-specification id="docbook" document="dbstyle">
|
||||
</style-sheet>
|
@ -1,42 +0,0 @@
|
||||
<!DOCTYPE style-sheet PUBLIC "-//James Clark//DTD DSSSL Style Sheet//EN" [
|
||||
<!ENTITY dbstyle SYSTEM "@PRINTSTYLE@" CDATA DSSSL>
|
||||
]>
|
||||
|
||||
|
||||
<style-sheet>
|
||||
<style-specification use="docbook">
|
||||
<style-specification-body>
|
||||
|
||||
<!-- ;; your stuff goes here... -->
|
||||
|
||||
(define %generate-book-titlepage% #t)
|
||||
|
||||
(define %section-autolabel%
|
||||
;; REFENTRY section-autolabel
|
||||
;; PURP Are sections enumerated?
|
||||
;; DESC
|
||||
;; If true, unlabeled sections will be enumerated.
|
||||
;; /DESC
|
||||
;; AUTHOR N/A
|
||||
;; /REFENTRY
|
||||
#t)
|
||||
|
||||
;; Margins around cell contents
|
||||
;; (define %cals-cell-before-row-margin% 20pt)
|
||||
;; (define %cals-cell-after-row-margin% 20pt)
|
||||
|
||||
;; seems to be a bug in JadeTeX -- we get a wierd indent on table
|
||||
;; cells for the first line only. This is a workaround.
|
||||
;; Adam Di Carlo, adam@onshore.com
|
||||
(define %cals-cell-before-column-margin% 5pt)
|
||||
(define %cals-cell-after-column-margin% 5pt)
|
||||
|
||||
;; Inheritable start and end indent for cell contents
|
||||
(define %cals-cell-content-start-indent% 5pt)
|
||||
(define %cals-cell-content-end-indent% 5pt)
|
||||
|
||||
|
||||
</style-specification-body>
|
||||
</style-specification>
|
||||
<external-specification id="docbook" document="dbstyle">
|
||||
</style-sheet>
|
@ -1,21 +0,0 @@
|
||||
#!/bin/sh
|
||||
#
|
||||
# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
|
||||
# Copyright (C) 2000, 2001 Internet Software Consortium.
|
||||
#
|
||||
# Permission to use, copy, modify, and distribute this software for any
|
||||
# purpose with or without fee is hereby granted, provided that the above
|
||||
# copyright notice and this permission notice appear in all copies.
|
||||
#
|
||||
# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
|
||||
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
|
||||
# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
|
||||
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
|
||||
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
|
||||
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
||||
# PERFORMANCE OF THIS SOFTWARE.
|
||||
|
||||
# $Id: validate.sh.in,v 1.2.206.1 2004/03/06 13:16:14 marka Exp $
|
||||
|
||||
nsgmls -sv @SGMLDIR@/docbook/dsssl/modular/dtds/decls/xml.dcl \
|
||||
Bv9ARM-book.xml
|
@ -1,561 +0,0 @@
|
||||
|
||||
|
||||
DNSEXT M. Stapp
|
||||
Internet-Draft Cisco Systems, Inc.
|
||||
Expires: January 14, 2005 T. Lemon
|
||||
A. Gustafsson
|
||||
Nominum, Inc.
|
||||
July 16, 2004
|
||||
|
||||
|
||||
A DNS RR for Encoding DHCP Information (DHCID RR)
|
||||
<draft-ietf-dnsext-dhcid-rr-08.txt>
|
||||
|
||||
Status of this Memo
|
||||
|
||||
This document is an Internet-Draft and is subject to all provisions
|
||||
of section 3 of RFC 3667. By submitting this Internet-Draft, each
|
||||
author represents that any applicable patent or other IPR claims of
|
||||
which he or she is aware have been or will be disclosed, and any of
|
||||
which he or she become aware will be disclosed, in accordance with
|
||||
RFC 3668.
|
||||
|
||||
Internet-Drafts are working documents of the Internet Engineering
|
||||
Task Force (IETF), its areas, and its working groups. Note that
|
||||
other groups may also distribute working documents as
|
||||
Internet-Drafts.
|
||||
|
||||
Internet-Drafts are draft documents valid for a maximum of six months
|
||||
and may be updated, replaced, or obsoleted by other documents at any
|
||||
time. It is inappropriate to use Internet-Drafts as reference
|
||||
material or to cite them other than as "work in progress."
|
||||
|
||||
The list of current Internet-Drafts can be accessed at http://
|
||||
www.ietf.org/ietf/1id-abstracts.txt.
|
||||
|
||||
The list of Internet-Draft Shadow Directories can be accessed at
|
||||
http://www.ietf.org/shadow.html.
|
||||
|
||||
This Internet-Draft will expire on January 14, 2005.
|
||||
|
||||
Copyright Notice
|
||||
|
||||
Copyright (C) The Internet Society (2004). All Rights Reserved.
|
||||
|
||||
Abstract
|
||||
|
||||
It is possible for multiple DHCP clients to attempt to update the
|
||||
same DNS FQDN as they obtain DHCP leases. Whether the DHCP server or
|
||||
the clients themselves perform the DNS updates, conflicts can arise.
|
||||
To resolve such conflicts, "Resolution of DNS Name Conflicts" [1]
|
||||
proposes storing client identifiers in the DNS to unambiguously
|
||||
|
||||
|
||||
|
||||
Stapp, et al. Expires January 14, 2005 [Page 1]
|
||||
|
||||
Internet-Draft The DHCID RR July 2004
|
||||
|
||||
|
||||
associate domain names with the DHCP clients to which they refer.
|
||||
This memo defines a distinct RR type for this purpose for use by DHCP
|
||||
clients and servers, the "DHCID" RR.
|
||||
|
||||
Table of Contents
|
||||
|
||||
1. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
|
||||
2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
|
||||
3. The DHCID RR . . . . . . . . . . . . . . . . . . . . . . . . . 3
|
||||
3.1 DHCID RDATA format . . . . . . . . . . . . . . . . . . . . 4
|
||||
3.2 DHCID Presentation Format . . . . . . . . . . . . . . . . 4
|
||||
3.3 The DHCID RR Type Codes . . . . . . . . . . . . . . . . . 4
|
||||
3.4 Computation of the RDATA . . . . . . . . . . . . . . . . . 4
|
||||
3.5 Examples . . . . . . . . . . . . . . . . . . . . . . . . . 5
|
||||
3.5.1 Example 1 . . . . . . . . . . . . . . . . . . . . . . 6
|
||||
3.5.2 Example 2 . . . . . . . . . . . . . . . . . . . . . . 6
|
||||
4. Use of the DHCID RR . . . . . . . . . . . . . . . . . . . . . 6
|
||||
5. Updater Behavior . . . . . . . . . . . . . . . . . . . . . . . 6
|
||||
6. Security Considerations . . . . . . . . . . . . . . . . . . . 7
|
||||
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7
|
||||
8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 7
|
||||
9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 8
|
||||
9.1 Normative References . . . . . . . . . . . . . . . . . . . . 8
|
||||
9.2 Informative References . . . . . . . . . . . . . . . . . . . 8
|
||||
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 9
|
||||
Intellectual Property and Copyright Statements . . . . . . . . 10
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
Stapp, et al. Expires January 14, 2005 [Page 2]
|
||||
|
||||
Internet-Draft The DHCID RR July 2004
|
||||
|
||||
|
||||
1. Terminology
|
||||
|
||||
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
|
||||
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
|
||||
document are to be interpreted as described in RFC 2119 [2].
|
||||
|
||||
2. Introduction
|
||||
|
||||
A set of procedures to allow DHCP [7] clients and servers to
|
||||
automatically update the DNS (RFC 1034 [3], RFC 1035 [4]) is proposed
|
||||
in "Resolution of DNS Name Conflicts" [1].
|
||||
|
||||
Conflicts can arise if multiple DHCP clients wish to use the same DNS
|
||||
name. To resolve such conflicts, "Resolution of DNS Name Conflicts"
|
||||
[1] proposes storing client identifiers in the DNS to unambiguously
|
||||
associate domain names with the DHCP clients using them. In the
|
||||
interest of clarity, it is preferable for this DHCP information to
|
||||
use a distinct RR type. This memo defines a distinct RR for this
|
||||
purpose for use by DHCP clients or servers, the "DHCID" RR.
|
||||
|
||||
In order to avoid exposing potentially sensitive identifying
|
||||
information, the data stored is the result of a one-way MD5 [5] hash
|
||||
computation. The hash includes information from the DHCP client's
|
||||
REQUEST message as well as the domain name itself, so that the data
|
||||
stored in the DHCID RR will be dependent on both the client
|
||||
identification used in the DHCP protocol interaction and the domain
|
||||
name. This means that the DHCID RDATA will vary if a single client
|
||||
is associated over time with more than one name. This makes it
|
||||
difficult to 'track' a client as it is associated with various domain
|
||||
names.
|
||||
|
||||
The MD5 hash algorithm has been shown to be weaker than the SHA-1
|
||||
algorithm; it could therefore be argued that SHA-1 is a better
|
||||
choice. However, SHA-1 is significantly slower than MD5. A
|
||||
successful attack of MD5's weakness does not reveal the original data
|
||||
that was used to generate the signature, but rather provides a new
|
||||
set of input data that will produce the same signature. Because we
|
||||
are using the MD5 hash to conceal the original data, the fact that an
|
||||
attacker could produce a different plaintext resulting in the same
|
||||
MD5 output is not significant concern.
|
||||
|
||||
3. The DHCID RR
|
||||
|
||||
The DHCID RR is defined with mnemonic DHCID and type code [TBD]. The
|
||||
DHCID RR is only defined in the IN class. DHCID RRs cause no
|
||||
additional section processing. The DHCID RR is not a singleton type.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
Stapp, et al. Expires January 14, 2005 [Page 3]
|
||||
|
||||
Internet-Draft The DHCID RR July 2004
|
||||
|
||||
|
||||
3.1 DHCID RDATA format
|
||||
|
||||
The RDATA section of a DHCID RR in transmission contains RDLENGTH
|
||||
bytes of binary data. The format of this data and its interpretation
|
||||
by DHCP servers and clients are described below.
|
||||
|
||||
DNS software should consider the RDATA section to be opaque. DHCP
|
||||
clients or servers use the DHCID RR to associate a DHCP client's
|
||||
identity with a DNS name, so that multiple DHCP clients and servers
|
||||
may deterministically perform dynamic DNS updates to the same zone.
|
||||
From the updater's perspective, the DHCID resource record RDATA
|
||||
consists of a 16-bit identifier type, in network byte order, followed
|
||||
by one or more bytes representing the actual identifier:
|
||||
|
||||
< 16 bits > DHCP identifier used
|
||||
< n bytes > MD5 digest
|
||||
|
||||
|
||||
3.2 DHCID Presentation Format
|
||||
|
||||
In DNS master files, the RDATA is represented as a single block in
|
||||
base 64 encoding identical to that used for representing binary data
|
||||
in RFC 2535 [8]. The data may be divided up into any number of white
|
||||
space separated substrings, down to single base 64 digits, which are
|
||||
concatenated to form the complete RDATA. These substrings can span
|
||||
lines using the standard parentheses.
|
||||
|
||||
3.3 The DHCID RR Type Codes
|
||||
|
||||
The DHCID RR Type Code specifies what data from the DHCP client's
|
||||
request was used as input into the hash function. The type codes are
|
||||
defined in a registry maintained by IANA, as specified in Section 7.
|
||||
The initial list of assigned values for the type code is:
|
||||
|
||||
0x0000 = htype, chaddr from a DHCPv4 client's DHCPREQUEST [7].
|
||||
0x0001 = The data portion from a DHCPv4 client's Client Identifier
|
||||
option [9].
|
||||
0x0002 = The client's DUID (i.e., the data portion of a DHCPv6
|
||||
client's Client Identifier option [10] or the DUID field from a
|
||||
DHCPv4 client's Client Identifier option [12]).
|
||||
|
||||
0x0003 - 0xfffe = Available to be assigned by IANA.
|
||||
|
||||
0xffff = RESERVED
|
||||
|
||||
3.4 Computation of the RDATA
|
||||
|
||||
The DHCID RDATA is formed by concatenating the two type bytes with
|
||||
|
||||
|
||||
|
||||
Stapp, et al. Expires January 14, 2005 [Page 4]
|
||||
|
||||
Internet-Draft The DHCID RR July 2004
|
||||
|
||||
|
||||
some variable-length identifying data.
|
||||
|
||||
< type > < data >
|
||||
|
||||
The RDATA for all type codes other than 0xffff, which is reserved for
|
||||
future expansion, is formed by concatenating the two type bytes and a
|
||||
16-byte MD5 hash value. The input to the hash function is defined to
|
||||
be:
|
||||
|
||||
data = MD5(< identifier > < FQDN >)
|
||||
|
||||
The FQDN is represented in the buffer in unambiguous canonical form
|
||||
as described in RFC 2535 [8], section 8.1. The type code and the
|
||||
identifier are related as specified in Section 3.3: the type code
|
||||
describes the source of the identifier.
|
||||
|
||||
When the updater is using the client's link-layer address as the
|
||||
identifier, the first two bytes of the DHCID RDATA MUST be zero. To
|
||||
generate the rest of the resource record, the updater computes a
|
||||
one-way hash using the MD5 algorithm across a buffer containing the
|
||||
client's network hardware type, link-layer address, and the FQDN
|
||||
data. Specifically, the first byte of the buffer contains the
|
||||
network hardware type as it appeared in the DHCP 'htype' field of the
|
||||
client's DHCPREQUEST message. All of the significant bytes of the
|
||||
chaddr field in the client's DHCPREQUEST message follow, in the same
|
||||
order in which the bytes appear in the DHCPREQUEST message. The
|
||||
number of significant bytes in the 'chaddr' field is specified in the
|
||||
'hlen' field of the DHCPREQUEST message. The FQDN data, as specified
|
||||
above, follows.
|
||||
|
||||
When the updater is using the DHCPv4 Client Identifier option sent by
|
||||
the client in its DHCPREQUEST message, the first two bytes of the
|
||||
DHCID RR MUST be 0x0001, in network byte order. The rest of the
|
||||
DHCID RR MUST contain the results of computing an MD5 hash across the
|
||||
payload of the option, followed by the FQDN. The payload of the
|
||||
option consists of the bytes of the option following the option code
|
||||
and length.
|
||||
|
||||
When the updater is using the DHCPv6 DUID sent by the client in its
|
||||
REQUEST message, the first two bytes of the DHCID RR MUST be 0x0002,
|
||||
in network byte order. The rest of the DHCID RR MUST contain the
|
||||
results of computing an MD5 hash across the payload of the option,
|
||||
followed by the FQDN. The payload of the option consists of the
|
||||
bytes of the option following the option code and length.
|
||||
|
||||
3.5 Examples
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
Stapp, et al. Expires January 14, 2005 [Page 5]
|
||||
|
||||
Internet-Draft The DHCID RR July 2004
|
||||
|
||||
|
||||
3.5.1 Example 1
|
||||
|
||||
A DHCP server allocating the IPv4 address 10.0.0.1 to a client with
|
||||
Ethernet MAC address 01:02:03:04:05:06 using domain name
|
||||
"client.example.com" uses the client's link-layer address to identify
|
||||
the client. The DHCID RDATA is composed by setting the two type
|
||||
bytes to zero, and performing an MD5 hash computation across a buffer
|
||||
containing the Ethernet MAC type byte, 0x01, the six bytes of MAC
|
||||
address, and the domain name (represented as specified in Section
|
||||
3.4).
|
||||
|
||||
client.example.com. A 10.0.0.1
|
||||
client.example.com. DHCID AAAUMru0ZM5OK/PdVAJgZ/HU
|
||||
|
||||
|
||||
3.5.2 Example 2
|
||||
|
||||
A DHCP server allocates the IPv4 address 10.0.12.99 to a client which
|
||||
included the DHCP client-identifier option data 01:07:08:09:0a:0b:0c
|
||||
in its DHCP request. The server updates the name "chi.example.com"
|
||||
on the client's behalf, and uses the DHCP client identifier option
|
||||
data as input in forming a DHCID RR. The DHCID RDATA is formed by
|
||||
setting the two type bytes to the value 0x0001, and performing an MD5
|
||||
hash computation across a buffer containing the seven bytes from the
|
||||
client-id option and the FQDN (represented as specified in Section
|
||||
3.4).
|
||||
|
||||
chi.example.com. A 10.0.12.99
|
||||
chi.example.com. DHCID AAHdd5jiQ3kEjANDm82cbObk\012
|
||||
|
||||
|
||||
4. Use of the DHCID RR
|
||||
|
||||
This RR MUST NOT be used for any purpose other than that detailed in
|
||||
"Resolution of DNS Name Conflicts" [1]. Although this RR contains
|
||||
data that is opaque to DNS servers, the data must be consistent
|
||||
across all entities that update and interpret this record.
|
||||
Therefore, new data formats may only be defined through actions of
|
||||
the DHC Working Group, as a result of revising [1].
|
||||
|
||||
5. Updater Behavior
|
||||
|
||||
The data in the DHCID RR allows updaters to determine whether more
|
||||
than one DHCP client desires to use a particular FQDN. This allows
|
||||
site administrators to establish policy about DNS updates. The DHCID
|
||||
RR does not establish any policy itself.
|
||||
|
||||
Updaters use data from a DHCP client's request and the domain name
|
||||
|
||||
|
||||
|
||||
Stapp, et al. Expires January 14, 2005 [Page 6]
|
||||
|
||||
Internet-Draft The DHCID RR July 2004
|
||||
|
||||
|
||||
that the client desires to use to compute a client identity hash, and
|
||||
then compare that hash to the data in any DHCID RRs on the name that
|
||||
they wish to associate with the client's IP address. If an updater
|
||||
discovers DHCID RRs whose RDATA does not match the client identity
|
||||
that they have computed, the updater SHOULD conclude that a different
|
||||
client is currently associated with the name in question. The
|
||||
updater SHOULD then proceed according to the site's administrative
|
||||
policy. That policy might dictate that a different name be selected,
|
||||
or it might permit the updater to continue.
|
||||
|
||||
6. Security Considerations
|
||||
|
||||
The DHCID record as such does not introduce any new security problems
|
||||
into the DNS. In order to avoid exposing private information about
|
||||
DHCP clients to public scrutiny, a one-way hash is used to obscure
|
||||
all client information. In order to make it difficult to 'track' a
|
||||
client by examining the names associated with a particular hash
|
||||
value, the FQDN is included in the hash computation. Thus, the RDATA
|
||||
is dependent on both the DHCP client identification data and on each
|
||||
FQDN associated with the client.
|
||||
|
||||
Administrators should be wary of permitting unsecured DNS updates to
|
||||
zones which are exposed to the global Internet. Both DHCP clients
|
||||
and servers SHOULD use some form of update authentication (e.g., TSIG
|
||||
[11]) when performing DNS updates.
|
||||
|
||||
7. IANA Considerations
|
||||
|
||||
IANA is requested to allocate an RR type number for the DHCID record
|
||||
type.
|
||||
|
||||
This specification defines a new number-space for the 16-bit type
|
||||
codes associated with the DHCID RR. IANA is requested to establish a
|
||||
registry of the values for this number-space.
|
||||
|
||||
Three initial values are assigned in Section 3.3, and the value
|
||||
0xFFFF is reserved for future use. New DHCID RR type codes are
|
||||
tentatively assigned after the specification for the associated type
|
||||
code, published as an Internet Draft, has received expert review by a
|
||||
designated expert. The final assignment of DHCID RR type codes is
|
||||
through Standards Action, as defined in RFC 2434 [6].
|
||||
|
||||
8. Acknowledgements
|
||||
|
||||
Many thanks to Josh Littlefield, Olafur Gudmundsson, Bernie Volz, and
|
||||
Ralph Droms for their review and suggestions.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
Stapp, et al. Expires January 14, 2005 [Page 7]
|
||||
|
||||
Internet-Draft The DHCID RR July 2004
|
||||
|
||||
|
||||
9. References
|
||||
|
||||
9.1 Normative References
|
||||
|
||||
[1] Stapp, M. and B. Volz, "Resolution of DNS Name Conflicts Among
|
||||
DHCP Clients (draft-ietf-dhc-dns-resolution-*)", July 2004.
|
||||
|
||||
[2] Bradner, S., "Key words for use in RFCs to Indicate Requirement
|
||||
Levels", BCP 14, RFC 2119, March 1997.
|
||||
|
||||
[3] Mockapetris, P., "Domain names - concepts and facilities", STD
|
||||
13, RFC 1034, November 1987.
|
||||
|
||||
[4] Mockapetris, P., "Domain names - implementation and
|
||||
specification", STD 13, RFC 1035, November 1987.
|
||||
|
||||
[5] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321, April
|
||||
1992.
|
||||
|
||||
[6] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA
|
||||
Considerations Section in RFCs", BCP 26, RFC 2434, October 1998.
|
||||
|
||||
9.2 Informative References
|
||||
|
||||
[7] Droms, R., "Dynamic Host Configuration Protocol", RFC 2131,
|
||||
March 1997.
|
||||
|
||||
[8] Eastlake, D., "Domain Name System Security Extensions", RFC
|
||||
2535, March 1999.
|
||||
|
||||
[9] Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor
|
||||
Extensions", RFC 2132, March 1997.
|
||||
|
||||
[10] Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C. and M.
|
||||
Carney, "Dynamic Host Configuration Protocol for IPv6
|
||||
(DHCPv6)", RFC 3315, July 2003.
|
||||
|
||||
[11] Vixie, P., Gudmundsson, O., Eastlake, D. and B. Wellington,
|
||||
"Secret Key Transaction Authentication for DNS (TSIG)", RFC
|
||||
2845, May 2000.
|
||||
|
||||
[12] Lemon, T. and B. Sommerfeld, "Node-Specific Client Identifiers
|
||||
for DHCPv4 (draft-ietf-dhc-3315id-for-v4-*)", February 2004.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
Stapp, et al. Expires January 14, 2005 [Page 8]
|
||||
|
||||
Internet-Draft The DHCID RR July 2004
|
||||
|
||||
|
||||
Authors' Addresses
|
||||
|
||||
Mark Stapp
|
||||
Cisco Systems, Inc.
|
||||
1414 Massachusetts Ave.
|
||||
Boxborough, MA 01719
|
||||
USA
|
||||
|
||||
Phone: 978.936.1535
|
||||
EMail: mjs@cisco.com
|
||||
|
||||
|
||||
Ted Lemon
|
||||
Nominum, Inc.
|
||||
950 Charter St.
|
||||
Redwood City, CA 94063
|
||||
USA
|
||||
|
||||
EMail: mellon@nominum.com
|
||||
|
||||
|
||||
Andreas Gustafsson
|
||||
Nominum, Inc.
|
||||
950 Charter St.
|
||||
Redwood City, CA 94063
|
||||
USA
|
||||
|
||||
EMail: gson@nominum.com
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
Stapp, et al. Expires January 14, 2005 [Page 9]
|
||||
|
||||
Internet-Draft The DHCID RR July 2004
|
||||
|
||||
|
||||
Intellectual Property Statement
|
||||
|
||||
The IETF takes no position regarding the validity or scope of any
|
||||
Intellectual Property Rights or other rights that might be claimed to
|
||||
pertain to the implementation or use of the technology described in
|
||||
this document or the extent to which any license under such rights
|
||||
might or might not be available; nor does it represent that it has
|
||||
made any independent effort to identify any such rights. Information
|
||||
on the procedures with respect to rights in RFC documents can be
|
||||
found in BCP 78 and BCP 79.
|
||||
|
||||
Copies of IPR disclosures made to the IETF Secretariat and any
|
||||
assurances of licenses to be made available, or the result of an
|
||||
attempt made to obtain a general license or permission for the use of
|
||||
such proprietary rights by implementers or users of this
|
||||
specification can be obtained from the IETF on-line IPR repository at
|
||||
http://www.ietf.org/ipr.
|
||||
|
||||
The IETF invites any interested party to bring to its attention any
|
||||
copyrights, patents or patent applications, or other proprietary
|
||||
rights that may cover technology that may be required to implement
|
||||
this standard. Please address the information to the IETF at
|
||||
ietf-ipr@ietf.org.
|
||||
|
||||
|
||||
Disclaimer of Validity
|
||||
|
||||
This document and the information contained herein are provided on an
|
||||
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
|
||||
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
|
||||
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
|
||||
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
|
||||
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
|
||||
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
|
||||
|
||||
|
||||
Copyright Statement
|
||||
|
||||
Copyright (C) The Internet Society (2004). This document is subject
|
||||
to the rights, licenses and restrictions contained in BCP 78, and
|
||||
except as set forth therein, the authors retain all their rights.
|
||||
|
||||
|
||||
Acknowledgment
|
||||
|
||||
Funding for the RFC Editor function is currently provided by the
|
||||
Internet Society.
|
||||
|
||||
|
||||
|
||||
|
||||
Stapp, et al. Expires January 14, 2005 [Page 10]
|
||||
|
||||
|
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
@ -1,639 +0,0 @@
|
||||
|
||||
INTERNET-DRAFT Donald E. Eastlake 3rd
|
||||
Clarifies STD0013 Motorola Laboratories
|
||||
Expires December 2004 July 2004
|
||||
|
||||
|
||||
|
||||
Domain Name System (DNS) Case Insensitivity Clarification
|
||||
------ ---- ------ ----- ---- ------------- -------------
|
||||
<draft-ietf-dnsext-insensitive-04.txt>
|
||||
|
||||
Donald E. Eastlake 3rd
|
||||
|
||||
|
||||
|
||||
Status of This Document
|
||||
|
||||
By submitting this Internet-Draft, I certify that any applicable
|
||||
patent or other IPR claims of which I am aware have been disclosed,
|
||||
and any of which I become aware will be disclosed, in accordance with
|
||||
RFC 3668.
|
||||
|
||||
Distribution of this document is unlimited. Comments should be sent
|
||||
to the DNSEXT working group at namedroppers@ops.ietf.org.
|
||||
|
||||
This document is an Internet-Draft and is in full conformance with
|
||||
all provisions of Section 10 of RFC 2026. Internet-Drafts are
|
||||
working documents of the Internet Engineering Task Force (IETF), its
|
||||
areas, and its working groups. Note that other groups may also
|
||||
distribute working documents as Internet-Drafts.
|
||||
|
||||
Internet-Drafts are draft documents valid for a maximum of six months
|
||||
and may be updated, replaced, or obsoleted by other documents at any
|
||||
time. It is inappropriate to use Internet-Drafts as reference
|
||||
material or to cite them other than as "work in progress."
|
||||
|
||||
The list of current Internet-Drafts can be accessed at
|
||||
http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-
|
||||
Draft Shadow Directories can be accessed at
|
||||
http://www.ietf.org/shadow.html.
|
||||
|
||||
|
||||
|
||||
Abstract
|
||||
|
||||
Domain Name System (DNS) names are "case insensitive". This document
|
||||
explains exactly what that means and provides a clear specification
|
||||
of the rules. This clarification should not have any interoperability
|
||||
consequences.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
D. Eastlake 3rd [Page 1]
|
||||
|
||||
|
||||
INTERNET-DRAFT DNS Case Insensitivity
|
||||
|
||||
|
||||
Acknowledgements
|
||||
|
||||
The contributions to this document of Rob Austein, Olafur
|
||||
Gudmundsson, Daniel J. Anderson, Alan Barrett, Marc Blanchet, Dana,
|
||||
Andreas Gustafsson, Andrew Main, and Scott Seligman are gratefully
|
||||
acknowledged.
|
||||
|
||||
|
||||
|
||||
Table of Contents
|
||||
|
||||
Status of This Document....................................1
|
||||
Abstract...................................................1
|
||||
|
||||
Acknowledgements...........................................2
|
||||
Table of Contents..........................................2
|
||||
|
||||
1. Introduction............................................3
|
||||
2. Case Insensitivity of DNS Labels........................3
|
||||
2.1 Escaping Unusual DNS Label Octets......................3
|
||||
2.2 Example Labels with Escapes............................4
|
||||
3. Name Lookup, Label Types, and CLASS.....................4
|
||||
3.1 Original DNS Label Types...............................5
|
||||
3.2 Extended Label Type Case Insensitivity Considerations..5
|
||||
3.3 CLASS Case Insensitivity Considerations................5
|
||||
4. Case on Input and Output................................6
|
||||
4.1 DNS Output Case Preservation...........................6
|
||||
4.2 DNS Input Case Preservation............................6
|
||||
5. Internationalized Domain Names..........................7
|
||||
6. Security Considerations.................................7
|
||||
|
||||
Copyright and Disclaimer...................................9
|
||||
Normative References.......................................9
|
||||
Informative References....................................10
|
||||
-02 to -03 Changes........................................10
|
||||
-03 to -04 Changes........................................11
|
||||
Author's Address..........................................11
|
||||
Expiration and File Name..................................11
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
D. Eastlake 3rd [Page 2]
|
||||
|
||||
|
||||
INTERNET-DRAFT DNS Case Insensitivity
|
||||
|
||||
|
||||
1. Introduction
|
||||
|
||||
The Domain Name System (DNS) is the global hierarchical replicated
|
||||
distributed database system for Internet addressing, mail proxy, and
|
||||
other information. Each node in the DNS tree has a name consisting of
|
||||
zero or more labels [STD 13][RFC 1591, 2606] that are treated in a
|
||||
case insensitive fashion. This document clarifies the meaning of
|
||||
"case insensitive" for the DNS.
|
||||
|
||||
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
|
||||
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
|
||||
document are to be interpreted as described in [RFC 2119].
|
||||
|
||||
|
||||
|
||||
2. Case Insensitivity of DNS Labels
|
||||
|
||||
DNS was specified in the era of [ASCII]. DNS names were expected to
|
||||
look like most host names or Internet email address right halves (the
|
||||
part after the at-sign, "@") or be numeric as in the in-addr.arpa
|
||||
part of the DNS name space. For example,
|
||||
|
||||
foo.example.net.
|
||||
aol.com.
|
||||
www.gnu.ai.mit.edu.
|
||||
or 69.2.0.192.in-addr.arpa.
|
||||
|
||||
Case varied alternatives to the above would be DNS names like
|
||||
|
||||
Foo.ExamplE.net.
|
||||
AOL.COM.
|
||||
WWW.gnu.AI.mit.EDU.
|
||||
or 69.2.0.192.in-ADDR.ARPA.
|
||||
|
||||
However, the individual octets of which DNS names consist are not
|
||||
limited to valid ASCII character codes. They are 8-bit bytes and all
|
||||
values are allowed. Many applications, however, interpret them as
|
||||
ASCII characters.
|
||||
|
||||
|
||||
|
||||
2.1 Escaping Unusual DNS Label Octets
|
||||
|
||||
In Master Files [STD 13] and other human readable and writable ASCII
|
||||
contexts, an escape is needed for the byte value for period (0x2E,
|
||||
".") and all octet values outside of the inclusive range of 0x21
|
||||
("!") to 0x7E ("~"). That is to say, 0x2E and all octet values in
|
||||
the two inclusive ranges 0x00 to 0x20 and 0x7F to 0xFF.
|
||||
|
||||
One typographic convention for octets that do not correspond to an
|
||||
|
||||
|
||||
D. Eastlake 3rd [Page 3]
|
||||
|
||||
|
||||
INTERNET-DRAFT DNS Case Insensitivity
|
||||
|
||||
|
||||
ASCII printing graphic is to use a back-slash followed by the value
|
||||
of the octet as an unsigned integer represented by exactly three
|
||||
decimal digits.
|
||||
|
||||
The same convention can be used for printing ASCII characters so that
|
||||
they will be treated as a normal label character. This includes the
|
||||
back-slash character used in this convention itself which can be
|
||||
expressed as \092 or \\ and the special label separator period (".")
|
||||
which can be expressed as and \046 or \. respectively. It is
|
||||
advisable to avoid using a backslash to quote an immediately
|
||||
following non-printing ASCII character code to avoid implementation
|
||||
difficulties.
|
||||
|
||||
A back-slash followed by only one or two decimal digits is undefined.
|
||||
A back-slash followed by four decimal digits produces two octets, the
|
||||
first octet having the value of the first three digits considered as
|
||||
a decimal number and the second octet being the character code for
|
||||
the fourth decimal digit.
|
||||
|
||||
|
||||
|
||||
2.2 Example Labels with Escapes
|
||||
|
||||
The first example below shows embedded spaces and a period (".")
|
||||
within a label. The second one show a 5 octet label where the second
|
||||
octet has all bits zero, the third is a backslash, and the fourth
|
||||
octet has all bits one.
|
||||
|
||||
Donald\032E\.\032Eastlake\0323rd.example.
|
||||
and a\000\\\255z.example.
|
||||
|
||||
|
||||
|
||||
3. Name Lookup, Label Types, and CLASS
|
||||
|
||||
The design decision was made that comparisons on name lookup for DNS
|
||||
queries should be case insensitive [STD 13]. That is to say, a lookup
|
||||
string octet with a value in the inclusive range of 0x41 to 0x5A, the
|
||||
upper case ASCII letters, MUST match the identical value and also
|
||||
match the corresponding value in the inclusive range 0x61 to 0x7A,
|
||||
the lower case ASCII letters. And a lookup string octet with a lower
|
||||
case ASCII letter value MUST similarly match the identical value and
|
||||
also match the corresponding value in the upper case ASCII letter
|
||||
range.
|
||||
|
||||
(Historical Note: the terms "upper case" and "lower case" were
|
||||
invented after movable type. The terms originally referred to the
|
||||
two font trays for storing, in partitioned areas, the different
|
||||
physical type elements. Before movable type, the nearest equivalent
|
||||
terms were "majuscule" and "minuscule".)
|
||||
|
||||
|
||||
D. Eastlake 3rd [Page 4]
|
||||
|
||||
|
||||
INTERNET-DRAFT DNS Case Insensitivity
|
||||
|
||||
|
||||
One way to implement this rule would be, when comparing octets, to
|
||||
subtract 0x20 from all octets in the inclusive range 0x61 to 0x7A
|
||||
before the comparison. Such an operation is commonly known as "case
|
||||
folding" but implementation via case folding is not required. Note
|
||||
that the DNS case insensitivity does NOT correspond to the case
|
||||
folding specified in iso-8859-1 or iso-8859-2. For example, the
|
||||
octets 0xDD (\221) and 0xFD (\253) do NOT match although in other
|
||||
contexts, where they are interpreted as the upper and lower case
|
||||
version of "Y" with an acute accent, they might.
|
||||
|
||||
|
||||
|
||||
3.1 Original DNS Label Types
|
||||
|
||||
DNS labels in wire encoded names have a type associated with them.
|
||||
The original DNS standard [RFC 1035] had only two types. ASCII
|
||||
labels, with a length of from zero to 63 octets, and indirect labels
|
||||
which consist of an offset pointer to a name location elsewhere in
|
||||
the wire encoding on a DNS message. (The ASCII label of length zero
|
||||
is reserved for use as the name of the root node of the name tree.)
|
||||
ASCII labels follow the ASCII case conventions described herein and,
|
||||
as stated above, can actually contain arbitrary byte values. Indirect
|
||||
labels are, in effect, replaced by the name to which they point which
|
||||
is then treated with the case insensitivity rules in this document.
|
||||
|
||||
|
||||
|
||||
3.2 Extended Label Type Case Insensitivity Considerations
|
||||
|
||||
DNS was extended by [RFC 2671] to have additional label type numbers
|
||||
available. (The only such type defined so far is the BINARY type [RFC
|
||||
2673].)
|
||||
|
||||
The ASCII case insensitivity conventions only apply to ASCII labels,
|
||||
that is to say, label type 0x0, whether appearing directly or invoked
|
||||
by indirect labels.
|
||||
|
||||
|
||||
|
||||
3.3 CLASS Case Insensitivity Considerations
|
||||
|
||||
As described in [STD 13] and [RFC 2929], DNS has an additional axis
|
||||
for data location called CLASS. The only CLASS in global use at this
|
||||
time is the "IN" or Internet CLASS.
|
||||
|
||||
The handling of DNS label case is not CLASS dependent.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
D. Eastlake 3rd [Page 5]
|
||||
|
||||
|
||||
INTERNET-DRAFT DNS Case Insensitivity
|
||||
|
||||
|
||||
4. Case on Input and Output
|
||||
|
||||
While ASCII label comparisons are case insensitive, [STD 13] says
|
||||
case MUST be preserved on output, and preserved when convenient on
|
||||
input. However, this means less than it would appear since the
|
||||
preservation of case on output is NOT required when output is
|
||||
optimized by the use of indirect labels, as explained below.
|
||||
|
||||
|
||||
|
||||
4.1 DNS Output Case Preservation
|
||||
|
||||
[STD 13] views the DNS namespace as a node tree. ASCII output is as
|
||||
if a name was marshaled by taking the label on the node whose name is
|
||||
to be output, converting it to a typographically encoded ASCII
|
||||
string, walking up the tree outputting each label encountered, and
|
||||
preceding all labels but the first with a period ("."). Wire output
|
||||
follows the same sequence but each label is wire encoded and no
|
||||
periods inserted. No "case conversion" or "case folding" is done
|
||||
during such output operations, thus "preserving" case. However, to
|
||||
optimize output, indirect labels may be used to point to names
|
||||
elsewhere in the DNS answer. In determining whether the name to be
|
||||
pointed to, for example the QNAME, is the "same" as the remainder of
|
||||
the name being optimized, the case insensitive comparison specified
|
||||
above is done. Thus such optimization MAY easily destroy the output
|
||||
preservation of case. This type of optimization is commonly called
|
||||
"name compression".
|
||||
|
||||
|
||||
|
||||
4.2 DNS Input Case Preservation
|
||||
|
||||
Originally, DNS input came from an ASCII Master File as defined in
|
||||
[STD 13] or a zone transfer. DNS Dynamic update and incremental zone
|
||||
transfers [RFC 1995] have been added as a source of DNS data [RFC
|
||||
2136, 3007]. When a node in the DNS name tree is created by any of
|
||||
such inputs, no case conversion is done. Thus the case of ASCII
|
||||
labels is preserved if they are for nodes being created. However,
|
||||
when a name label is input for a node that already exist in DNS data
|
||||
being held, the situation is more complex. Implementations may retain
|
||||
the case first input for such a label or allow new input to override
|
||||
the old case or even maintain separate copies preserving the input
|
||||
case.
|
||||
|
||||
For example, if data with owner name "foo.bar.example" is input and
|
||||
then later data with owner name "xyz.BAR.example" is input, the name
|
||||
of the label on the "bar.example" node, i.e. "bar", might or might
|
||||
not be changed to "BAR" or the actual input case could be preserved.
|
||||
Thus later retrieval of data stored under "xyz.bar.example" in this
|
||||
case can easily return data with "xyz.BAR.example". The same
|
||||
|
||||
|
||||
D. Eastlake 3rd [Page 6]
|
||||
|
||||
|
||||
INTERNET-DRAFT DNS Case Insensitivity
|
||||
|
||||
|
||||
considerations apply when inputting multiple data records with owner
|
||||
names differing only in case. For example, if an "A" record is stored
|
||||
as the first resourced record under owner name "xyz.BAR.example" and
|
||||
then a second "A" record is stored under "XYZ.BAR.example", the
|
||||
second MAY be stored with the first (lower case initial label) name
|
||||
or the second MAY override the first so that only an upper case
|
||||
initial label is retained or both capitalizations MAY be kept.
|
||||
|
||||
Note that the order of insertion into a server database of the DNS
|
||||
name tree nodes that appear in a Master File is not defined so that
|
||||
the results of inconsistent capitalization in a Master File are
|
||||
unpredictable output capitalization.
|
||||
|
||||
|
||||
|
||||
5. Internationalized Domain Names
|
||||
|
||||
A scheme has been adopted for "internationalized domain names" and
|
||||
"internationalized labels" as described in [RFC 3490, 3454, 3491, and
|
||||
3492]. It makes most of [UNICODE] available through a separate
|
||||
application level transformation from internationalized domain name
|
||||
to DNS domain name and from DNS domain name to internationalized
|
||||
domain name. Any case insensitivity that internationalized domain
|
||||
names and labels have varies depending on the script and is handled
|
||||
entirely as part of the transformation described in [RFC 3454] and
|
||||
[RFC 3491] which should be seen for further details. This is not a
|
||||
part of the DNS as standardized in STD 13.
|
||||
|
||||
|
||||
|
||||
6. Security Considerations
|
||||
|
||||
The equivalence of certain DNS label types with case differences, as
|
||||
clarified in this document, can lead to security problems. For
|
||||
example, a user could be confused by believing two domain names
|
||||
differing only in case were actually different names.
|
||||
|
||||
Furthermore, a domain name may be used in contexts other than the
|
||||
DNS. It could be used as a case sensitive index into some data base
|
||||
system. Or it could be interpreted as binary data by some integrity
|
||||
or authentication code system. These problems can usually be handled
|
||||
by using a standardized or "canonical" form of the DNS ASCII type
|
||||
labels, that is, always mapping the ASCII letter value octets in
|
||||
ASCII labels to some specific pre-chosen case, either upper case or
|
||||
lower case. An example of a canonical form for domain names (and also
|
||||
a canonical ordering for them) appears in Section 8 of [RFC 2535].
|
||||
See also [RFC 3597].
|
||||
|
||||
Finally, a non-DNS name may be stored into DNS with the false
|
||||
expectation that case will always be preserved. For example, although
|
||||
|
||||
|
||||
D. Eastlake 3rd [Page 7]
|
||||
|
||||
|
||||
INTERNET-DRAFT DNS Case Insensitivity
|
||||
|
||||
|
||||
this would be quite rare, on a system with case sensitive email
|
||||
address local parts, an attempt to store two "RP" records that
|
||||
differed only in case would probably produce unexpected results that
|
||||
might have security implications. That is because the entire email
|
||||
address, including the possibly case sensitive local or left hand
|
||||
part, is encoded into a DNS name in a readable fashion where the case
|
||||
of some letters might be changed on output as described above.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
D. Eastlake 3rd [Page 8]
|
||||
|
||||
|
||||
INTERNET-DRAFT DNS Case Insensitivity
|
||||
|
||||
|
||||
Copyright and Disclaimer
|
||||
|
||||
Copyright (C) The Internet Society 2004. This document is subject to
|
||||
the rights, licenses and restrictions contained in BCP 78, and except
|
||||
as set forth therein, the authors retain all their rights.
|
||||
|
||||
This document and the information contained herein are provided on an
|
||||
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
|
||||
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
|
||||
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
|
||||
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
|
||||
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
|
||||
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
|
||||
|
||||
|
||||
|
||||
Normative References
|
||||
|
||||
[ASCII] - ANSI, "USA Standard Code for Information Interchange",
|
||||
X3.4, American National Standards Institute: New York, 1968.
|
||||
|
||||
[RFC 1034, 1035] - See [STD 13].
|
||||
|
||||
[RFC 1995] - M. Ohta, "Incremental Zone Transfer in DNS", August
|
||||
1996.
|
||||
|
||||
[RFC 2119] - S. Bradner, "Key words for use in RFCs to Indicate
|
||||
Requirement Levels", March 1997.
|
||||
|
||||
[RFC 2136] - P. Vixie, Ed., S. Thomson, Y. Rekhter, J. Bound,
|
||||
"Dynamic Updates in the Domain Name System (DNS UPDATE)", April 1997.
|
||||
|
||||
[RFC 2535] - D. Eastlake, "Domain Name System Security Extensions",
|
||||
March 1999.
|
||||
|
||||
[RFC 3007] - B. Wellington, "Secure Domain Name System (DNS) Dynamic
|
||||
Update", November 2000.
|
||||
|
||||
[RFC 3597] - Andreas Gustafsson, "Handling of Unknown DNS RR Types",
|
||||
draft-ietf-dnsext-unknown-rrs-05.txt, March 2003.
|
||||
|
||||
[STD 13]
|
||||
- P. Mockapetris, "Domain names - concepts and facilities", RFC
|
||||
1034, November 1987.
|
||||
- P. Mockapetris, "Domain names - implementation and
|
||||
specification", RFC 1035, November 1987.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
D. Eastlake 3rd [Page 9]
|
||||
|
||||
|
||||
INTERNET-DRAFT DNS Case Insensitivity
|
||||
|
||||
|
||||
Informative References
|
||||
|
||||
[RFC 1591] - J. Postel, "Domain Name System Structure and
|
||||
Delegation", March 1994.
|
||||
|
||||
[RFC 2606] - D. Eastlake, A. Panitz, "Reserved Top Level DNS Names",
|
||||
June 1999.
|
||||
|
||||
[RFC 2929] - D. Eastlake, E. Brunner-Williams, B. Manning, "Domain
|
||||
Name System (DNS) IANA Considerations", September 2000.
|
||||
|
||||
[RFC 2671] - P. Vixie, "Extension mechanisms for DNS (EDNS0)", August
|
||||
1999.
|
||||
|
||||
[RFC 2673] - M. Crawford, "Binary Labels in the Domain Name System",
|
||||
August 1999.
|
||||
|
||||
[RFC 3092] - D. Eastlake 3rd, C. Manros, E. Raymond, "Etymology of
|
||||
Foo", 1 April 2001.
|
||||
|
||||
[RFC 3454] - P. Hoffman, M. Blanchet, "Preparation of
|
||||
Internationalized String ("stringprep")", December 2002.
|
||||
|
||||
[RFC 3490] - P. Faltstrom, P. Hoffman, A. Costello,
|
||||
"Internationalizing Domain Names in Applications (IDNA)", March 2003.
|
||||
|
||||
[RFC 3491] - P. Hoffman, M. Blanchet, "Nameprep: A Stringprep Profile
|
||||
for Internationalized Domain Names (IDN)", March 2003.
|
||||
|
||||
[RFC 3492] - A. Costello, "Punycode: A Bootstring encoding of Unicode
|
||||
for Internationalized Domain Names in Applications (IDNA)", March
|
||||
2003.
|
||||
|
||||
[UNICODE] - The Unicode Consortium, "The Unicode Standard",
|
||||
<http://www.unicode.org/unicode/standard/standard.html>.
|
||||
|
||||
|
||||
|
||||
-02 to -03 Changes
|
||||
|
||||
The following changes were made between draft version -02 and -03:
|
||||
|
||||
1. Add internationalized domain name section and references.
|
||||
|
||||
2. Change to indicate that later input of a label for an existing DNS
|
||||
name tree node may or may not be normalized to the earlier input or
|
||||
override it or both may be preserved.
|
||||
|
||||
3. Numerous minor wording changes.
|
||||
|
||||
|
||||
|
||||
D. Eastlake 3rd [Page 10]
|
||||
|
||||
|
||||
INTERNET-DRAFT DNS Case Insensitivity
|
||||
|
||||
|
||||
-03 to -04 Changes
|
||||
|
||||
The following changes were made between draft version -03 and -04:
|
||||
|
||||
1. Change to conform to the new IPR, Copyright, etc., notice
|
||||
requirements.
|
||||
|
||||
2. Change in some section headers for clarity.
|
||||
|
||||
3. Drop section on wildcards.
|
||||
|
||||
4. Add emphasis on loss of case preservation due to name compression.
|
||||
|
||||
5. Add references to RFCs 1995 and 3092.
|
||||
|
||||
|
||||
|
||||
Author's Address
|
||||
|
||||
Donald E. Eastlake 3rd
|
||||
Motorola Laboratories
|
||||
155 Beaver Street
|
||||
Milford, MA 01757 USA
|
||||
|
||||
Telephone: +1 508-786-7554 (w)
|
||||
+1 508-634-2066 (h)
|
||||
EMail: Donald.Eastlake@motorola.com
|
||||
|
||||
|
||||
|
||||
Expiration and File Name
|
||||
|
||||
This draft expires December 2004.
|
||||
|
||||
Its file name is draft-ietf-dnsext-insensitive-04.txt.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
D. Eastlake 3rd [Page 11]
|
||||
|
||||
|
@ -1,335 +0,0 @@
|
||||
|
||||
DNS Extensions Working Group J. Schlyter
|
||||
Internet-Draft August 24, 2004
|
||||
Expires: February 22, 2005
|
||||
|
||||
|
||||
RFC 3597 Interoperability Report
|
||||
draft-ietf-dnsext-interop3597-01.txt
|
||||
|
||||
Status of this Memo
|
||||
|
||||
By submitting this Internet-Draft, I certify that any applicable
|
||||
patent or other IPR claims of which I am aware have been disclosed,
|
||||
and any of which I become aware will be disclosed, in accordance with
|
||||
RFC 3667.
|
||||
|
||||
Internet-Drafts are working documents of the Internet Engineering
|
||||
Task Force (IETF), its areas, and its working groups. Note that other
|
||||
groups may also distribute working documents as Internet-Drafts.
|
||||
|
||||
Internet-Drafts are draft documents valid for a maximum of six months
|
||||
and may be updated, replaced, or obsoleted by other documents at any
|
||||
time. It is inappropriate to use Internet-Drafts as reference
|
||||
material or to cite them other than as "work in progress."
|
||||
|
||||
The list of current Internet-Drafts can be accessed at http://
|
||||
www.ietf.org/ietf/1id-abstracts.txt.
|
||||
|
||||
The list of Internet-Draft Shadow Directories can be accessed at
|
||||
http://www.ietf.org/shadow.html.
|
||||
|
||||
This Internet-Draft will expire on February 22, 2005.
|
||||
|
||||
Copyright Notice
|
||||
|
||||
Copyright (C) The Internet Society (2004). All Rights Reserved.
|
||||
|
||||
Abstract
|
||||
|
||||
This memo documents the result from the RFC 3597 (Handling of Unknown
|
||||
DNS Resource Record Types) interoperability testing.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
Schlyter Expires February 22, 2005 [Page 1]
|
||||
|
||||
Internet-Draft RFC 3597 Interoperability Report August 2004
|
||||
|
||||
|
||||
Table of Contents
|
||||
|
||||
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
|
||||
2. Implementations . . . . . . . . . . . . . . . . . . . . . . . 3
|
||||
3. Tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
|
||||
3.1 Authoritative Primary Name Server . . . . . . . . . . . . . . 3
|
||||
3.2 Authoritative Secondary Name Server . . . . . . . . . . . . . 3
|
||||
3.3 Full Recursive Resolver . . . . . . . . . . . . . . . . . . . 3
|
||||
3.4 Stub Resolver . . . . . . . . . . . . . . . . . . . . . . . . 3
|
||||
3.5 DNSSEC Signer . . . . . . . . . . . . . . . . . . . . . . . . 4
|
||||
4. Problems found . . . . . . . . . . . . . . . . . . . . . . . . 4
|
||||
5. Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
|
||||
Normative References . . . . . . . . . . . . . . . . . . . . . 4
|
||||
Author's Address . . . . . . . . . . . . . . . . . . . . . . . 4
|
||||
A. Test zone data . . . . . . . . . . . . . . . . . . . . . . . . 5
|
||||
Intellectual Property and Copyright Statements . . . . . . . . 6
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
Schlyter Expires February 22, 2005 [Page 2]
|
||||
|
||||
Internet-Draft RFC 3597 Interoperability Report August 2004
|
||||
|
||||
|
||||
1. Introduction
|
||||
|
||||
This memo documents the result from the RFC 3597 (Handling of Unknown
|
||||
DNS Resource Record Types) interoperability testing. The test was
|
||||
performed during June and July 2004 by request of the IETF DNS
|
||||
Extensions Working Group.
|
||||
|
||||
2. Implementations
|
||||
|
||||
The following is a list, in alphabetic order, of implementations for
|
||||
compliance of RFC 3597:
|
||||
|
||||
DNSJava 1.6.4
|
||||
ISC BIND 8.4.5rc4
|
||||
ISC BIND 9.3.0rc2
|
||||
NSD 2.1.1
|
||||
Net::DNS 0.47 patchlevel 1
|
||||
Nominum ANS 2.2.1.0.d
|
||||
|
||||
These implementations covers the following functions (number of
|
||||
implementations tested for each function in paranthesis):
|
||||
|
||||
Authoritative Name Servers (4)
|
||||
Full Recursive Resolver (2)
|
||||
Stub Resolver (4)
|
||||
DNSSEC Zone Signers (2)
|
||||
|
||||
3. Tests
|
||||
|
||||
3.1 Authoritative Primary Name Server
|
||||
|
||||
The test zone data (Appendix A) was loaded into the name server
|
||||
implementation and the server was queried for the loaded information.
|
||||
|
||||
3.2 Authoritative Secondary Name Server
|
||||
|
||||
The test zone data (Appendix A) was transferred using AXFR from
|
||||
another name server implementation and the server was queried for the
|
||||
transferred information.
|
||||
|
||||
3.3 Full Recursive Resolver
|
||||
|
||||
A recursive resolver was queried for resource records from a domain
|
||||
with the test zone data (Appendix A).
|
||||
|
||||
3.4 Stub Resolver
|
||||
|
||||
A stub resolver was used to query resource records from a domain with
|
||||
|
||||
|
||||
|
||||
Schlyter Expires February 22, 2005 [Page 3]
|
||||
|
||||
Internet-Draft RFC 3597 Interoperability Report August 2004
|
||||
|
||||
|
||||
the test zone data (Appendix A).
|
||||
|
||||
3.5 DNSSEC Signer
|
||||
|
||||
A DNSSEC signer was used to sign a zone with test zone data (Appendix
|
||||
A).
|
||||
|
||||
4. Problems found
|
||||
|
||||
Two implementations had problems with text presentation of zero
|
||||
length RDATA.
|
||||
|
||||
One implementation had problems with text presentation of RR type
|
||||
code and classes >= 4096.
|
||||
|
||||
Bug reports were filed for problems found.
|
||||
|
||||
5. Summary
|
||||
|
||||
Unknown type codes works in the tested authoritative servers,
|
||||
recursive resolvers and stub clients.
|
||||
|
||||
No changes are needed to advance RFC 3597 to draft standard.
|
||||
|
||||
Normative References
|
||||
|
||||
[1] Gustafsson, A., "Handling of Unknown DNS Resource Record (RR)
|
||||
Types", RFC 3597, September 2003.
|
||||
|
||||
|
||||
Author's Address
|
||||
|
||||
Jakob Schlyter
|
||||
|
||||
EMail: jakob@rfc.se
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
Schlyter Expires February 22, 2005 [Page 4]
|
||||
|
||||
Internet-Draft RFC 3597 Interoperability Report August 2004
|
||||
|
||||
|
||||
Appendix A. Test zone data
|
||||
|
||||
; A-record encoded as TYPE1
|
||||
a TYPE1 \# 4 7f000001
|
||||
a TYPE1 192.0.2.1
|
||||
a A \# 4 7f000002
|
||||
|
||||
; draft-ietf-secsh-dns-05.txt
|
||||
sshfp TYPE44 \# 22 01 01 c691e90714a1629d167de8e5ee0021f12a7eaa1e
|
||||
|
||||
; bogus test record (from RFC 3597)
|
||||
type731 TYPE731 \# 6 abcd (
|
||||
ef 01 23 45 )
|
||||
|
||||
; zero length RDATA (from RFC 3597)
|
||||
type62347 TYPE62347 \# 0
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
Schlyter Expires February 22, 2005 [Page 5]
|
||||
|
||||
Internet-Draft RFC 3597 Interoperability Report August 2004
|
||||
|
||||
|
||||
Intellectual Property Statement
|
||||
|
||||
The IETF takes no position regarding the validity or scope of any
|
||||
Intellectual Property Rights or other rights that might be claimed to
|
||||
pertain to the implementation or use of the technology described in
|
||||
this document or the extent to which any license under such rights
|
||||
might or might not be available; nor does it represent that it has
|
||||
made any independent effort to identify any such rights. Information
|
||||
on the IETF's procedures with respect to rights in IETF Documents can
|
||||
be found in BCP 78 and BCP 79.
|
||||
|
||||
Copies of IPR disclosures made to the IETF Secretariat and any
|
||||
assurances of licenses to be made available, or the result of an
|
||||
attempt made to obtain a general license or permission for the use of
|
||||
such proprietary rights by implementers or users of this
|
||||
specification can be obtained from the IETF on-line IPR repository at
|
||||
http://www.ietf.org/ipr.
|
||||
|
||||
The IETF invites any interested party to bring to its attention any
|
||||
copyrights, patents or patent applications, or other proprietary
|
||||
rights that may cover technology that may be required to implement
|
||||
this standard. Please address the information to the IETF at
|
||||
ietf-ipr@ietf.org.
|
||||
|
||||
|
||||
Disclaimer of Validity
|
||||
|
||||
This document and the information contained herein are provided on an
|
||||
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
|
||||
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
|
||||
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
|
||||
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
|
||||
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
|
||||
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
|
||||
|
||||
|
||||
Copyright Statement
|
||||
|
||||
Copyright (C) The Internet Society (2004). This document is subject
|
||||
to the rights, licenses and restrictions contained in BCP 78, and
|
||||
except as set forth therein, the authors retain all their rights.
|
||||
|
||||
|
||||
Acknowledgment
|
||||
|
||||
Funding for the RFC Editor function is currently provided by the
|
||||
Internet Society.
|
||||
|
||||
|
||||
|
||||
|
||||
Schlyter Expires February 22, 2005 [Page 6]
|
||||
|
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
@ -1,466 +0,0 @@
|
||||
|
||||
|
||||
INTERNET-DRAFT Donald E. Eastlake 3rd
|
||||
UPDATES RFC 2845 Motorola Laboratories
|
||||
Expires: February 2005 August 2004
|
||||
|
||||
|
||||
HMAC SHA TSIG Algorithm Identifiers
|
||||
---- --- ---- --------- -----------
|
||||
<draft-ietf-dnsext-tsig-sha-00.txt>
|
||||
|
||||
|
||||
Status of This Document
|
||||
|
||||
By submitting this Internet-Draft, I certify that any applicable
|
||||
patent or other IPR claims of which I am aware have been disclosed,
|
||||
or will be disclosed, and any of which I become aware will be
|
||||
disclosed, in accordance with RFC 3668.
|
||||
|
||||
This draft is intended to be become a Proposed Standard RFC.
|
||||
Distribution of this document is unlimited. Comments should be sent
|
||||
to the DNSEXT working group mailing list <namedroppers@ops.ietf.org>.
|
||||
|
||||
Internet-Drafts are working documents of the Internet Engineering
|
||||
Task Force (IETF), its areas, and its working groups. Note that
|
||||
other groups may also distribute working documents as Internet-
|
||||
Drafts.
|
||||
|
||||
Internet-Drafts are draft documents valid for a maximum of six months
|
||||
and may be updated, replaced, or obsoleted by other documents at any
|
||||
time. It is inappropriate to use Internet-Drafts as reference
|
||||
material or to cite them other than a "work in progress."
|
||||
|
||||
The list of current Internet-Drafts can be accessed at
|
||||
http://www.ietf.org/1id-abstracts.html
|
||||
|
||||
The list of Internet-Draft Shadow Directories can be accessed at
|
||||
http://www.ietf.org/shadow.html
|
||||
|
||||
|
||||
Abstract
|
||||
|
||||
Use of the TSIG DNS resource record requires specification of a
|
||||
cryptographic message authentication code. Currently identifiers
|
||||
have been specified only for the HMAC-MD5 and GSS TSIG algorithms.
|
||||
This document standardizes identifiers for additional HMAC SHA TSIG
|
||||
algorithms and standardizes how to specify the truncation of HMAC
|
||||
values.
|
||||
|
||||
|
||||
Copyright Notice
|
||||
|
||||
Copyright (C) The Internet Society 2004. All Rights Reserved.
|
||||
|
||||
|
||||
|
||||
|
||||
D. Eastlake 3rd [Page 1]
|
||||
|
||||
|
||||
INTERNET-DRAFT HMAC-SHA TSIG Identifiers
|
||||
|
||||
|
||||
Table of Contents
|
||||
|
||||
Status of This Document....................................1
|
||||
Abstract...................................................1
|
||||
Copyright Notice...........................................1
|
||||
|
||||
Table of Contents..........................................2
|
||||
|
||||
1. Introduction............................................3
|
||||
|
||||
2. Algorithms and Identifiers..............................4
|
||||
|
||||
3. Specifying Truncation...................................5
|
||||
|
||||
4. IANA Considerations.....................................6
|
||||
5. Security Considerations.................................6
|
||||
6. Copyright and Disclaimer................................6
|
||||
|
||||
7. Normative References....................................7
|
||||
8. Informative References..................................7
|
||||
|
||||
Authors Address............................................8
|
||||
Expiration and File Name...................................8
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
D. Eastlake 3rd [Page 2]
|
||||
|
||||
|
||||
INTERNET-DRAFT HMAC-SHA TSIG Identifiers
|
||||
|
||||
|
||||
1. Introduction
|
||||
|
||||
[RFC 2845] specifies a TSIG Resource Record (RR) that can be used to
|
||||
authenticate DNS queries and responses. This RR contains a domain
|
||||
name syntax data item which names the authentication algorithm used.
|
||||
[RFC 2845] defines the HMAC-MD5.SIG-ALG.REG.INT name for
|
||||
authentication codes using the HMAC [RFC 2104] algorithm with the MD5
|
||||
[RFC 1321] hash algorithm. IANA has also registered "gss-tsig" as an
|
||||
identifier for TSIG authentication where the cryptographic operations
|
||||
are delegated to GSS [RFC 3645].
|
||||
|
||||
In section 2, this document specifies additional names for TSIG
|
||||
authentication algorithms based on US NIST SHA algorithms and HMAC.
|
||||
|
||||
In section 3, this document specifies the meaning of inequality
|
||||
between the normal output size of the specified hash function and the
|
||||
length of MAC (message authentication code) data given in the TSIG
|
||||
RR. In particular, it specifies that a shorter length field value
|
||||
specifies truncation and a longer length field is an error.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
D. Eastlake 3rd [Page 3]
|
||||
|
||||
|
||||
INTERNET-DRAFT HMAC-SHA TSIG Identifiers
|
||||
|
||||
|
||||
2. Algorithms and Identifiers
|
||||
|
||||
TSIG Resource Records (RRs) [RFC 2845] are used to authenticate DNS
|
||||
queries and responses. They are intended to be efficient symmetric
|
||||
authentication codes based on a shared secret. (Asymmetric signatures
|
||||
can be provided using the SIG RR [RFC 2931]. In particular, SIG(0)
|
||||
can be used for transaction signatures.) Used with a strong hash
|
||||
function, HMAC [RFC 2104] provides a way to calculate such symmetric
|
||||
authentication codes. The only specified HMAC based TSIG algorithm
|
||||
identifier has been HMAC-MD5.SIG-ALG.REG.INT based on MD5 [RFC 1321].
|
||||
|
||||
The use of SHA-1 [FIPS 180-1, RFC 3174], which is a 160 bit hash, as
|
||||
compared with the 128 bits for MD5, and additional hash algorithms in
|
||||
the SHA family [FIPS 180-2, RFC sha224] with 224, 256, 384, and 512
|
||||
bits, may be preferred in some case. Use of TSIG between a DNS
|
||||
resolver and server is by mutual agreement. That agreement can
|
||||
include the support of additional algorithms.
|
||||
|
||||
For completeness in relation to HMAC based algorithms, the current
|
||||
HMAC-MD5.SIG-ALG.REG.INT identifier is included in the table below.
|
||||
Implementations which support TSIG MUST implement HMAC MD5, SHOULD
|
||||
implement HMAC SHA-1, and MAY implement gss-tsig and the other
|
||||
algorithms listed below.
|
||||
|
||||
Mandatory HMAC-MD5.SIG-ALG.REG.INT
|
||||
Recommended hmac-sha1
|
||||
Optional hmac-sha224
|
||||
Optional hmac-sha256
|
||||
Optional hamc-sha384
|
||||
Optional hmac-sha512
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
D. Eastlake 3rd [Page 4]
|
||||
|
||||
|
||||
INTERNET-DRAFT HMAC-SHA TSIG Identifiers
|
||||
|
||||
|
||||
3. Specifying Truncation
|
||||
|
||||
In some cases, it is reasonable to truncate the output of HMAC and
|
||||
use the truncated value for authentication. HMAC SHA-1 truncated to
|
||||
96 bits is an optional available in several IETF protocols including
|
||||
IPSEC and TLS.
|
||||
|
||||
The TSIG RR [RFC 2845] includes a "MAC size" field, which gives the
|
||||
size of the MAC field in octets. But [RFC 2845] does not specify what
|
||||
to do if this MAC size differs from the length of the output of HMAC
|
||||
for a particular hash function.
|
||||
|
||||
The specification for TSIG handling is changed as follows:
|
||||
|
||||
1. If The "MAC size" field is larger than the HMAC output length or
|
||||
is zero: This case MUST NOT be generated and if received MUST
|
||||
cause the packet to be dropped and RCODE 1 (FORMERR) to be
|
||||
returned.
|
||||
|
||||
2. If the "MAC size" field equals the HMAC output length: Operation
|
||||
is as described in [RFC 2845].
|
||||
|
||||
3. If the "MAC size" field is less than the HMAC output length but is
|
||||
not zero: This is sent when the signer has truncated the HMAC
|
||||
output as described in RFC 2104, taking initial octets and
|
||||
discarding trailing octets. TSIG truncation can only be to an
|
||||
integral number of octets. On receipt of a packet with truncation
|
||||
thus indicated, the locally calculated MAC is similarly truncated
|
||||
and only the truncated values compared for authentication.
|
||||
|
||||
TSIG implementations SHOULD implement SHA-1 truncated to 96 bits (12
|
||||
octets) and MAY implement any or all other truncations valid under
|
||||
case 3 above.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
D. Eastlake 3rd [Page 5]
|
||||
|
||||
|
||||
INTERNET-DRAFT HMAC-SHA TSIG Identifiers
|
||||
|
||||
|
||||
4. IANA Considerations
|
||||
|
||||
This document, on approval for publication as a standards track RFC,
|
||||
registers the new TSIG algorithm identifiers listed in Section 2 with
|
||||
IANA.
|
||||
|
||||
|
||||
|
||||
5. Security Considerations
|
||||
|
||||
For all of the message authentication code algorithms listed herein,
|
||||
those producing longer values are believed to be stronger; however,
|
||||
while there are some arguments that mild truncation can strengthen a
|
||||
MAC by reducing the information available to an attacker, excessive
|
||||
truncation clearly weakens authentication by reducing the number of
|
||||
bits an attacker has to try to force. See [RFC 2104] which recommends
|
||||
that ah HMAC never be truncated to less than half its length nor to
|
||||
less than 80 bits (10 octets).
|
||||
|
||||
See also the Security Considerations section of [RFC 2845].
|
||||
|
||||
|
||||
|
||||
6. Copyright and Disclaimer
|
||||
|
||||
Copyright (C) The Internet Society 2004. This document is subject to
|
||||
the rights, licenses and restrictions contained in BCP 78 and except
|
||||
as set forth therein, the authors retain all their rights.
|
||||
|
||||
|
||||
This document and the information contained herein are provided on an
|
||||
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
|
||||
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
|
||||
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
|
||||
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
|
||||
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
|
||||
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
D. Eastlake 3rd [Page 6]
|
||||
|
||||
|
||||
INTERNET-DRAFT HMAC-SHA TSIG Identifiers
|
||||
|
||||
|
||||
7. Normative References
|
||||
|
||||
[FIPS 180-2] - "Secure Hash Standard", (SHA-1/256/384/512) US Federal
|
||||
Information Processing Standard, Draft, 1 August 2002.
|
||||
|
||||
[RFC 1321] - Rivest, R., "The MD5 Message-Digest Algorithm ", RFC
|
||||
1321, April 1992.
|
||||
|
||||
[RFC 2104] - Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-
|
||||
Hashing for Message Authentication", RFC 2104, February 1997.
|
||||
|
||||
[RFC 2434] - Narten, T. and H. Alvestrand, "Guidelines for Writing an
|
||||
IANA Considerations Section in RFCs", BCP 26, RFC 2434, October 1998.
|
||||
|
||||
[RFC 2845] - Vixie, P., Gudmundsson, O., Eastlake 3rd, D., and B.
|
||||
Wellington, "Secret Key Transaction Authentication for DNS (TSIG)",
|
||||
RFC 2845, May 2000.
|
||||
|
||||
[RFC sha224] - "A 224-bit One-way Hash Function: SHA-224", R.
|
||||
Housley, December 2003, work in progress, draft-ietf-pkix-
|
||||
sha224-*.txt.
|
||||
|
||||
|
||||
|
||||
8. Informative References.
|
||||
|
||||
[FIPS 180-1] - Secure Hash Standard, (SHA-1) US Federal Information
|
||||
Processing Standard, 17 April 1995.
|
||||
|
||||
[RFC 2931] - Eastlake 3rd, D., "DNS Request and Transaction
|
||||
Signatures ( SIG(0)s )", RFC 2931, September 2000.
|
||||
|
||||
[RFC 3174] - Eastlake 3rd, D. and P. Jones, "US Secure Hash Algorithm
|
||||
1 (SHA1)", RFC 3174, September 2001.
|
||||
|
||||
[RFC 3645] - Kwan, S., Garg, P., Gilroy, J., Esibov, L., Westhead,
|
||||
J., and R. Hall, "Generic Security Service Algorithm for Secret Key
|
||||
Transaction Authentication for DNS (GSS-TSIG)", RFC 3645, October
|
||||
2003.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
D. Eastlake 3rd [Page 7]
|
||||
|
||||
|
||||
INTERNET-DRAFT HMAC-SHA TSIG Identifiers
|
||||
|
||||
|
||||
Authors Address
|
||||
|
||||
Donald E. Eastlake 3rd
|
||||
Motorola Laboratories
|
||||
155 Beaver Street
|
||||
Milford, MA 01757 USA
|
||||
|
||||
Telephone: +1-508-786-7554 (w)
|
||||
+1-508-634-2066 (h)
|
||||
EMail: Donald.Eastlake@motorola.com
|
||||
|
||||
|
||||
|
||||
Expiration and File Name
|
||||
|
||||
This draft expires in February 2005.
|
||||
|
||||
Its file name is draft-ietf-dnsext-tsig-sha-00.txt
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
D. Eastlake 3rd [Page 8]
|
||||
|
||||
|
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
@ -1,391 +0,0 @@
|
||||
|
||||
DNSOP G. Guette
|
||||
Internet-Draft IRISA / INRIA
|
||||
Expires: February 5, 2005 O. Courtay
|
||||
Thomson R&D
|
||||
August 7, 2004
|
||||
|
||||
|
||||
Requirements for Automated Key Rollover in DNSSEC
|
||||
draft-ietf-dnsop-key-rollover-requirements-01.txt
|
||||
|
||||
Status of this Memo
|
||||
|
||||
By submitting this Internet-Draft, I certify that any applicable
|
||||
patent or other IPR claims of which I am aware have been disclosed,
|
||||
and any of which I become aware will be disclosed, in accordance with
|
||||
RFC 3668.
|
||||
|
||||
Internet-Drafts are working documents of the Internet Engineering
|
||||
Task Force (IETF), its areas, and its working groups. Note that
|
||||
other groups may also distribute working documents as
|
||||
Internet-Drafts.
|
||||
|
||||
Internet-Drafts are draft documents valid for a maximum of six months
|
||||
and may be updated, replaced, or obsoleted by other documents at any
|
||||
time. It is inappropriate to use Internet-Drafts as reference
|
||||
material or to cite them other than as "work in progress."
|
||||
|
||||
The list of current Internet-Drafts can be accessed at
|
||||
http://www.ietf.org/ietf/1id-abstracts.txt.
|
||||
|
||||
The list of Internet-Draft Shadow Directories can be accessed at
|
||||
http://www.ietf.org/shadow.html.
|
||||
|
||||
This Internet-Draft will expire on February 5, 2005.
|
||||
|
||||
Copyright Notice
|
||||
|
||||
Copyright (C) The Internet Society (2004). All Rights Reserved.
|
||||
|
||||
Abstract
|
||||
|
||||
This document describes problems that appear during an automated
|
||||
rollover and gives the requirements for the design of communication
|
||||
between parent zone and child zone in an automated rollover process.
|
||||
This document is essentially about key rollover, the rollover of
|
||||
another Resource Record present at delegation point (NS RR) is also
|
||||
discussed.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
Guette & Courtay Expires February 5, 2005 [Page 1]
|
||||
|
||||
Internet-Draft Automated Rollover Requirements August 2004
|
||||
|
||||
|
||||
Table of Contents
|
||||
|
||||
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
|
||||
2. The Key Rollover Process . . . . . . . . . . . . . . . . . . . 3
|
||||
3. Basic Requirements . . . . . . . . . . . . . . . . . . . . . . 4
|
||||
4. Messages authentication and information exchanged . . . . . . 4
|
||||
5. Emergency Rollover . . . . . . . . . . . . . . . . . . . . . . 5
|
||||
6. Other Resource Record concerned by automatic rollover . . . . 5
|
||||
7. Security consideration . . . . . . . . . . . . . . . . . . . . 5
|
||||
8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 5
|
||||
9. Normative References . . . . . . . . . . . . . . . . . . . . . 5
|
||||
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 6
|
||||
Intellectual Property and Copyright Statements . . . . . . . . 7
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
Guette & Courtay Expires February 5, 2005 [Page 2]
|
||||
|
||||
Internet-Draft Automated Rollover Requirements August 2004
|
||||
|
||||
|
||||
1. Introduction
|
||||
|
||||
The DNS security extensions (DNSSEC) [4][8][7][9] uses public-key
|
||||
cryptography and digital signatures. It stores the public part of
|
||||
keys in DNSKEY Resource Records (RRs). Because old keys and
|
||||
frequently used keys are vulnerable, they must be renewed
|
||||
periodically. In DNSSEC, this is the case for Zone Signing Keys
|
||||
(ZSKs) and Key Signing Keys (KSKs) [1][2]. Automation of key
|
||||
rollover process is necessary for large zones because there are too
|
||||
many changes to handle a manual administration.
|
||||
|
||||
Let us consider for example a zone with 100000 secure delegations.
|
||||
If the child zones change their keys once a year on average, that
|
||||
implies 300 changes per day for the parent zone. This amount of
|
||||
changes are hard to manage manually.
|
||||
|
||||
Automated rollover is optional and resulting from an agreement
|
||||
between the administrator of the parent zone and the administrator of
|
||||
the child zone. Of course, key rollover can also be done manually by
|
||||
administrators.
|
||||
|
||||
This document describes the requirements for the design of messages
|
||||
of automated key rollover process and focusses on interaction between
|
||||
parent and child zone.
|
||||
|
||||
2. The Key Rollover Process
|
||||
|
||||
Key rollover consists in renewing the DNSSEC keys used to sign
|
||||
resource records in a given DNS zone file. There are two types of
|
||||
rollover, ZSK rollovers and KSK rollovers.
|
||||
|
||||
In a ZSK rollover, all changes are local to the zone that renews its
|
||||
key: there is no need to contact other zones (e.g., parent zone) to
|
||||
propagate the performed changes because a ZSK has no associated DS
|
||||
record in the parent zone.
|
||||
|
||||
In a KSK rollover, new DS RR(s) must be created and stored in the
|
||||
parent zone. In consequence, the child zone must contact its parent
|
||||
zone and must notify it about the KSK change(s).
|
||||
|
||||
Manual key rollover exists and works [3]. The key rollover is built
|
||||
from two parts of different nature:
|
||||
o An algorithm that generates new keys and signs the zone file. It
|
||||
could be local to the zone
|
||||
o The interaction between parent and child zones
|
||||
|
||||
One example of manual key rollover is:
|
||||
|
||||
|
||||
|
||||
|
||||
Guette & Courtay Expires February 5, 2005 [Page 3]
|
||||
|
||||
Internet-Draft Automated Rollover Requirements August 2004
|
||||
|
||||
|
||||
o The child zone creates a new KSK
|
||||
o The child zone waits for the creation of the DS RR in its parent
|
||||
zone
|
||||
o The child zone deletes the old key.
|
||||
|
||||
In manual rollover, communications are managed by the zone
|
||||
administrators and the security of these communications is out of
|
||||
scope of DNSSEC.
|
||||
|
||||
Automated key rollover should use a secure communication between
|
||||
parent and child zones. This document concentrates on defining
|
||||
interactions between entities present in key rollover process.
|
||||
|
||||
3. Basic Requirements
|
||||
|
||||
The main constraint to respect during a key rollover is that the
|
||||
chain of trust MUST be preserved, even if a resolver retrieves some
|
||||
RRs from recursive cache server. Every RR MUST be verifiable at any
|
||||
time, every RRs exchanged during the rollover should be authenticated
|
||||
and their integrity should be guaranteed.
|
||||
|
||||
Two entities act during a KSK rollover: the child zone and its parent
|
||||
zone. These zones are generally managed by different administrators.
|
||||
These administrators should agree on some parameters like
|
||||
availability of automated rollover, the maximum delay between
|
||||
notification of changes in the child zone and the resigning of the
|
||||
parent zone. The child zone needs to know this delay to schedule its
|
||||
changes.
|
||||
|
||||
4. Messages authentication and information exchanged
|
||||
|
||||
Every exchanged message MUST be authenticated and the authentication
|
||||
tool MUST be a DNSSEC tool such as TSIG [6], SIG(0) [5] or DNSSEC
|
||||
request with verifiable SIG records.
|
||||
|
||||
Once the changes related to a KSK are made in a child zone, this zone
|
||||
MUST notify its parent zone in order to create the new DS RR and
|
||||
store this DS RR in parent zone file.
|
||||
|
||||
The parent zone MUST receive all the child keys that needs the
|
||||
creation of associated DS RRs in the parent zone.
|
||||
|
||||
Some errors could occur during transmission between child zone and
|
||||
parent zone. Key rollover solution MUST be fault tolerant, i.e. at
|
||||
any time the rollover MUST be in a consistent state and all RRs MUST
|
||||
be verifiable, even if an error occurs. That is to say that it MUST
|
||||
remain a valid chain of trust.
|
||||
|
||||
|
||||
|
||||
|
||||
Guette & Courtay Expires February 5, 2005 [Page 4]
|
||||
|
||||
Internet-Draft Automated Rollover Requirements August 2004
|
||||
|
||||
|
||||
5. Emergency Rollover
|
||||
|
||||
A key of a zone might be compromised and this key MUST be changed as
|
||||
soon as possible. Fast changes could break the chain of trust. The
|
||||
part of DNS tree having this zone as apex can become unverifiable,
|
||||
but the break of the chain of trust is necessary if we want to no one
|
||||
can use the compromised key to spoof DNS data.
|
||||
|
||||
In case of emergency rollover, the administrators of parent and child
|
||||
zones should create new key(s) and DS RR(s) as fast as possible in
|
||||
order to reduce the time the chain of trust is broken.
|
||||
|
||||
6. Other Resource Record concerned by automatic rollover
|
||||
|
||||
NS records are also present at delegation point, so when the child
|
||||
zone renews some NS RR, the corresponding records at delegation point
|
||||
in parent zone (glue) MUST be updated. NS records are concerned by
|
||||
rollover and this rollover could be automated too. In this case,
|
||||
when the child zone notifies its parent zone that some NS records
|
||||
have been changed, the parent zone MUST verify that these NS records
|
||||
are present in child zone before doing any changes in its own zone
|
||||
file. This allows to avoid inconsistency between NS records at
|
||||
delegation point and NS records present in the child zone.
|
||||
|
||||
7. Security consideration
|
||||
|
||||
This document describes requirements to design an automated key
|
||||
rollover in DNSSEC based on DNSSEC security. In the same way, as
|
||||
plain DNSSEC, the automatic key rollover contains no mechanism
|
||||
protecting against denial of service (DoS). The security level
|
||||
obtain after an automatic key rollover, is the security level
|
||||
provided by DNSSEC.
|
||||
|
||||
8. Acknowledgments
|
||||
|
||||
The authors want to acknowledge Francis Dupont, Mohsen Souissi,
|
||||
Bernard Cousin, Bertrand L‰onard and members of IDsA project for
|
||||
their contribution to this document.
|
||||
|
||||
9 Normative References
|
||||
|
||||
[1] Gudmundsson, O., "Delegation Signer (DS) Resource Record (RR)",
|
||||
RFC 3658, December 2003.
|
||||
|
||||
[2] Kolkman, O., Schlyter, J. and E. Lewis, "Domain Name System KEY
|
||||
(DNSKEY) Resource Record (RR) Secure Entry Point (SEP) Flag",
|
||||
RFC 3757, May 2004.
|
||||
|
||||
|
||||
|
||||
|
||||
Guette & Courtay Expires February 5, 2005 [Page 5]
|
||||
|
||||
Internet-Draft Automated Rollover Requirements August 2004
|
||||
|
||||
|
||||
[3] Kolkman, O., "DNSSEC Operational Practices",
|
||||
draft-ietf-dnsop-dnssec-operational-practice-01 (work in
|
||||
progress), May 2004.
|
||||
|
||||
[4] Eastlake, D., "Domain Name System Security Extensions", RFC
|
||||
2535, March 1999.
|
||||
|
||||
[5] Eastlake, D., "DNS Request and Transaction Signatures (
|
||||
SIG(0)s)", RFC 2931, September 2000.
|
||||
|
||||
[6] Vixie, P., Gudmundsson, O., Eastlake, D. and B. Wellington,
|
||||
"Secret Key Transaction Authentication for DNS (TSIG)", RFC
|
||||
2845, May 2000.
|
||||
|
||||
[7] Arends, R., "Resource Records for the DNS Security Extensions",
|
||||
draft-ietf-dnsext-dnssec-records-09 (work in progress), July
|
||||
2004.
|
||||
|
||||
[8] Arends, R., Austein, R., Massey, D., Larson, M. and S. Rose,
|
||||
"DNS Security Introduction and Requirements",
|
||||
draft-ietf-dnsext-dnssec-intro-11 (work in progress), July 2004.
|
||||
|
||||
[9] Arends, R., "Protocol Modifications for the DNS Security
|
||||
Extensions", draft-ietf-dnsext-dnssec-protocol-07 (work in
|
||||
progress), July 2004.
|
||||
|
||||
|
||||
Authors' Addresses
|
||||
|
||||
Gilles Guette
|
||||
IRISA / INRIA
|
||||
Campus de Beaulieu
|
||||
35042 Rennes CEDEX
|
||||
FR
|
||||
|
||||
EMail: gilles.guette@irisa.fr
|
||||
URI: http://www.irisa.fr
|
||||
|
||||
|
||||
Olivier Courtay
|
||||
Thomson R&D
|
||||
1, avenue Belle Fontaine
|
||||
35510 Cesson S‰vign‰ CEDEX
|
||||
FR
|
||||
|
||||
EMail: olivier.courtay@thomson.net
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
Guette & Courtay Expires February 5, 2005 [Page 6]
|
||||
|
||||
Internet-Draft Automated Rollover Requirements August 2004
|
||||
|
||||
|
||||
Intellectual Property Statement
|
||||
|
||||
The IETF takes no position regarding the validity or scope of any
|
||||
Intellectual Property Rights or other rights that might be claimed to
|
||||
pertain to the implementation or use of the technology described in
|
||||
this document or the extent to which any license under such rights
|
||||
might or might not be available; nor does it represent that it has
|
||||
made any independent effort to identify any such rights. Information
|
||||
on the procedures with respect to rights in RFC documents can be
|
||||
found in BCP 78 and BCP 79.
|
||||
|
||||
Copies of IPR disclosures made to the IETF Secretariat and any
|
||||
assurances of licenses to be made available, or the result of an
|
||||
attempt made to obtain a general license or permission for the use of
|
||||
such proprietary rights by implementers or users of this
|
||||
specification can be obtained from the IETF on-line IPR repository at
|
||||
http://www.ietf.org/ipr.
|
||||
|
||||
The IETF invites any interested party to bring to its attention any
|
||||
copyrights, patents or patent applications, or other proprietary
|
||||
rights that may cover technology that may be required to implement
|
||||
this standard. Please address the information to the IETF at
|
||||
ietf-ipr@ietf.org.
|
||||
|
||||
|
||||
Disclaimer of Validity
|
||||
|
||||
This document and the information contained herein are provided on an
|
||||
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
|
||||
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
|
||||
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
|
||||
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
|
||||
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
|
||||
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
|
||||
|
||||
|
||||
Copyright Statement
|
||||
|
||||
Copyright (C) The Internet Society (2004). This document is subject
|
||||
to the rights, licenses and restrictions contained in BCP 78, and
|
||||
except as set forth therein, the authors retain all their rights.
|
||||
|
||||
|
||||
Acknowledgment
|
||||
|
||||
Funding for the RFC Editor function is currently provided by the
|
||||
Internet Society.
|
||||
|
||||
|
||||
|
||||
|
||||
Guette & Courtay Expires February 5, 2005 [Page 7]
|
||||
|
@ -1,505 +0,0 @@
|
||||
|
||||
|
||||
IETF DNSOP Working Group Y. Morishita
|
||||
Internet-Draft JPRS
|
||||
Expires: July 11, 2004 T. Jinmei
|
||||
Toshiba
|
||||
January 11, 2004
|
||||
|
||||
|
||||
Common Misbehavior against DNS Queries for IPv6 Addresses
|
||||
draft-ietf-dnsop-misbehavior-against-aaaa-00.txt
|
||||
|
||||
Status of this Memo
|
||||
|
||||
This document is an Internet-Draft and is in full conformance with
|
||||
all provisions of Section 10 of RFC2026.
|
||||
|
||||
Internet-Drafts are working documents of the Internet Engineering
|
||||
Task Force (IETF), its areas, and its working groups. Note that other
|
||||
groups may also distribute working documents as Internet-Drafts.
|
||||
|
||||
Internet-Drafts are draft documents valid for a maximum of six months
|
||||
and may be updated, replaced, or obsoleted by other documents at any
|
||||
time. It is inappropriate to use Internet-Drafts as reference
|
||||
material or to cite them other than as "work in progress."
|
||||
|
||||
The list of current Internet-Drafts can be accessed at http://
|
||||
www.ietf.org/ietf/1id-abstracts.txt.
|
||||
|
||||
The list of Internet-Draft Shadow Directories can be accessed at
|
||||
http://www.ietf.org/shadow.html.
|
||||
|
||||
This Internet-Draft will expire on July 11, 2004.
|
||||
|
||||
Copyright Notice
|
||||
|
||||
Copyright (C) The Internet Society (2004). All Rights Reserved.
|
||||
|
||||
Abstract
|
||||
|
||||
There is some known misbehavior of DNS authoritative servers when
|
||||
they are queried for AAAA resource records. Such behavior can block
|
||||
IPv4 communication which should actually be available, cause a
|
||||
significant delay in name resolution, or even make a denial of
|
||||
service attack. This memo describes details of the known cases and
|
||||
discusses the effect of the cases.
|
||||
|
||||
1. Introduction
|
||||
|
||||
Many DNS clients (resolvers) that support IPv6 first search for AAAA
|
||||
Resource Records (RRs) of a target host name, and then for A RRs of
|
||||
|
||||
|
||||
|
||||
Morishita & Jinmei Expires July 11, 2004 [Page 1]
|
||||
|
||||
Internet-Draft Common Misbehavior against AAAA Queries January 2004
|
||||
|
||||
|
||||
the same name. This fallback mechanism is based on the DNS
|
||||
specifications, which if not obeyed by authoritative servers can
|
||||
produce unpleasant results. In some cases, for example, a web browser
|
||||
fails to connect to a web server it could otherwise. In the following
|
||||
sections, this memo describes some typical cases of the misbehavior
|
||||
and its (bad) effects.
|
||||
|
||||
Note that the misbehavior is not specific to AAAA RRs. In fact, all
|
||||
known examples also apply to the cases of queries for MX, NS, and SOA
|
||||
RRs. The authors even believe this can be generalized for all types
|
||||
of queries other than those for A RRs. In this memo, however, we
|
||||
concentrate on the case for AAAA queries, since the problem is
|
||||
particularly severe for resolvers that support IPv6, which thus
|
||||
affects many end users. Resolvers at end users normally send A and/or
|
||||
AAAA queries only, and so the problem for the other cases is
|
||||
relatively minor.
|
||||
|
||||
2. Network Model
|
||||
|
||||
In this memo, we assume a typical network model of name resolution
|
||||
environment using DNS. It consists of three components; stub
|
||||
resolvers, caching servers, and authoritative servers. A stub
|
||||
resolver issues a recursive query to a caching server, which then
|
||||
handles the entire name resolution procedure recursively. The caching
|
||||
server caches the result of the query as well as sends the result to
|
||||
the stub resolver. The authoritative servers respond to queries for
|
||||
names for which they have the authority, normally in a non-recursive
|
||||
manner.
|
||||
|
||||
3. Expected Behavior
|
||||
|
||||
Suppose that an authoritative server has an A RR but not a AAAA RR
|
||||
for a host name. Then the server should return a response to a query
|
||||
for a AAAA RR of the name with the RCODE being 0 (indicating no
|
||||
error) and with an empty answer section [1]. Such a response
|
||||
indicates that there is at least one RR of a different type than AAAA
|
||||
for the queried name, and the stub resolver can then look for A RRs.
|
||||
|
||||
This way, the caching server can cache the fact that the queried name
|
||||
does not have a AAAA RR (but may have other types of RRs), and thus
|
||||
can improve the response time to further queries for a AAAA RR of the
|
||||
name.
|
||||
|
||||
4. Problematic Behaviors
|
||||
|
||||
There are some known cases at authoritative servers that do not
|
||||
conform to the expected behavior. This section describes those
|
||||
problematic cases.
|
||||
|
||||
|
||||
|
||||
Morishita & Jinmei Expires July 11, 2004 [Page 2]
|
||||
|
||||
Internet-Draft Common Misbehavior against AAAA Queries January 2004
|
||||
|
||||
|
||||
4.1 Return NXDOMAIN
|
||||
|
||||
This type of server returns a response with the RCODE being 3
|
||||
(NXDOMAIN) to a query for a AAAA RR, indicating it does not have any
|
||||
RRs of any type for the queried name.
|
||||
|
||||
With this response, the stub resolver may immediately give up and
|
||||
never fall back. Even if the resolver retries with a query for an A
|
||||
RR, the negative response for the name has been cached in the caching
|
||||
server, and the caching server will simply return the negative
|
||||
response. As a result, the stub resolver considers this as a fatal
|
||||
error in name resolution.
|
||||
|
||||
There have been several known examples of this behavior, but all the
|
||||
examples that the authors know have changed their behavior as of this
|
||||
writing.
|
||||
|
||||
4.2 Return NOTIMP
|
||||
|
||||
Other authoritative servers return a response with the RCODE being 4
|
||||
(NOTIMP), indicating the servers do not support the requested type of
|
||||
query.
|
||||
|
||||
This case is less harmful than the previous one; if the stub resolver
|
||||
falls back to querying for an A RR, the caching server will process
|
||||
the query correctly and return an appropriate response.
|
||||
|
||||
In this case, the caching server does not cache the fact that the
|
||||
queried name has no AAAA RR, resulting in redundant queries for AAAA
|
||||
RRs in the future. The behavior will waste network bandwidth and
|
||||
increase the load of the authoritative server.
|
||||
|
||||
Using SERVFAIL or FORMERR would cause the same effect, though the
|
||||
authors have not seen such implementations yet.
|
||||
|
||||
4.3 Return a Broken Response
|
||||
|
||||
Another different type of authoritative servers returns broken
|
||||
responses to AAAA queries. A known behavior of this category is to
|
||||
return a response whose RR type is AAAA, but the length of the RDATA
|
||||
is 4 bytes. The 4-byte data looks like the IPv4 address of the
|
||||
queried host name. That is, the RR in the answer section would be
|
||||
described like this:
|
||||
|
||||
www.bad.example. 600 IN AAAA 192.0.2.1
|
||||
|
||||
which is, of course, bogus (or at least meaningless).
|
||||
|
||||
|
||||
|
||||
|
||||
Morishita & Jinmei Expires July 11, 2004 [Page 3]
|
||||
|
||||
Internet-Draft Common Misbehavior against AAAA Queries January 2004
|
||||
|
||||
|
||||
A widely deployed caching server implementation transparently returns
|
||||
the broken response (as well as caches it) to the stub resolver.
|
||||
Another known server implementation parses the response by
|
||||
themselves, and sends a separate response with the RCODE being 2
|
||||
(SERVFAIL).
|
||||
|
||||
In either case, the broken response does not affect queries for an A
|
||||
RR of the same name. If the stub resolver falls back to A queries, it
|
||||
will get an appropriate response.
|
||||
|
||||
The latter case, however, causes the same bad effect as that
|
||||
described in the previous section: redundant queries for AAAA RRs.
|
||||
|
||||
4.4 Make Lame Delegation
|
||||
|
||||
Some authoritative servers respond to AAAA queries in a way causing
|
||||
lame delegation. In this case the parent zone specifies that the
|
||||
authoritative server should have the authority of a zone, but the
|
||||
server does not return an authoritative response for AAAA queries
|
||||
within the zone (i.e., the AA bit in the response is not set). On the
|
||||
other hand, the authoritative server returns an authoritative
|
||||
response for A queries.
|
||||
|
||||
When a caching server asks the server for AAAA RRs in the zone, it
|
||||
recognizes the delegation is lame, and return a response with the
|
||||
RCODE being 2 (SERVFAIL) to the stub resolver.
|
||||
|
||||
Furthermore, some caching servers record the authoritative server as
|
||||
lame for the zone and will not use it for a certain period of time.
|
||||
With this type of caching server, even if the stub resolver falls
|
||||
back to querying for an A RR, the caching server will simply return a
|
||||
response with the RCODE being SERVFAIL, since all the servers are
|
||||
known to be "lame."
|
||||
|
||||
There is also an implementation that relaxes the behavior a little
|
||||
bit. It basically tries to avoid using the lame server, but still
|
||||
continues to try it as a last resort. With this type of caching
|
||||
server, the stub resolver will get a correct response if it falls
|
||||
back after SERVFAIL. However, this still causes redundant AAAA
|
||||
queries as explained in the previous sections.
|
||||
|
||||
4.5 Ignore Queries for AAAA
|
||||
|
||||
Some authoritative severs seem to ignore queries for a AAAA RR,
|
||||
causing a delay at the stub resolver to fall back to a query for an A
|
||||
RR. This behavior may even cause a fatal timeout at the resolver.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
Morishita & Jinmei Expires July 11, 2004 [Page 4]
|
||||
|
||||
Internet-Draft Common Misbehavior against AAAA Queries January 2004
|
||||
|
||||
|
||||
5. Security Considerations
|
||||
|
||||
The CERT/CC pointed out that the response with NXDOMAIN described in
|
||||
Section 4.1 can be used for a denial of service attack [2]. The same
|
||||
argument applies to the case of "lame delegation" described in
|
||||
Section 4.4 with a certain type of caching server.
|
||||
|
||||
6. Acknowledgements
|
||||
|
||||
Erik Nordmark encouraged the authors to publish this document as an
|
||||
Internet Draft. Akira Kato and Paul Vixie reviewed a preliminary
|
||||
version of this document. Pekka Savola carefully reviewed a previous
|
||||
version and provided detailed comments.
|
||||
|
||||
Informative References
|
||||
|
||||
[1] Mockapetris, P., "DOMAIN NAMES - CONCEPTS AND FACILITIES", RFC
|
||||
1034, November 1987.
|
||||
|
||||
[2] The CERT Coordination Center, "Incorrect NXDOMAIN responses from
|
||||
AAAA queries could cause denial-of-service conditions", March
|
||||
2003, <http://www.kb.cert.org/vuls/id/714121>.
|
||||
|
||||
|
||||
Authors' Addresses
|
||||
|
||||
MORISHITA Orange Yasuhiro
|
||||
Research and Development Department, Japan Registry Service Co.,Ltd.
|
||||
Fuundo Bldg 3F, 1-2 Kanda-Ogawamachi
|
||||
Chiyoda-ku, Tokyo 101-0052
|
||||
Japan
|
||||
|
||||
EMail: yasuhiro@jprs.co.jp
|
||||
|
||||
|
||||
JINMEI Tatuya
|
||||
Corporate Research & Development Center, Toshiba Corporation
|
||||
1 Komukai Toshiba-cho, Saiwai-ku
|
||||
Kawasaki-shi, Kanagawa 212-8582
|
||||
Japan
|
||||
|
||||
EMail: jinmei@isl.rdc.toshiba.co.jp
|
||||
|
||||
Appendix A. Live Examples
|
||||
|
||||
In this appendix, we show concrete implementations and domain names
|
||||
that may cause problematic cases so that the behavior can be
|
||||
reproduced in a practical environment. The examples are for
|
||||
|
||||
|
||||
|
||||
Morishita & Jinmei Expires July 11, 2004 [Page 5]
|
||||
|
||||
Internet-Draft Common Misbehavior against AAAA Queries January 2004
|
||||
|
||||
|
||||
informational purposes only, and the authors do not intend to accuse
|
||||
any implementations or zone administrators.
|
||||
|
||||
The behavior described in Section 4.2 (return NOTIMP) can be found by
|
||||
looking for a AAAA RR of www.css.vtext.com at 66.174.3.4.
|
||||
|
||||
The behavior described in Section 4.3 (broken responses) can be seen
|
||||
by querying for a AAAA RR of "www.gslb.mainichi.co.jp," which is an
|
||||
alias of "www.mainichi.co.jp," at 210.173.172.2. The same behavior
|
||||
can be found with the name "vip.alt.ihp.sony.co.jp," an alias of
|
||||
"www.sony.co.jp," at 210.139.255.204.
|
||||
|
||||
The behavior described in Section 4.4 (lame delegation) can be found
|
||||
by querying for a AAAA RR of "www.ual.com" at 209.87.113.4.
|
||||
|
||||
The behavior described in Section 4.5 (ignore queries) can be seen by
|
||||
trying to ask for a AAAA RR of "ad.3jp.doubleclick.net," which is an
|
||||
alias of "ad.jp.doubleclick.net," at 210.153.90.9.
|
||||
|
||||
Many authoritative server implementations show the expected behavior
|
||||
described in Section 3. Some DNS load balancers reportedly have a
|
||||
problematic behavior shown in Section 4, but the authors do not have
|
||||
a concrete example. The CERT/CC provides a list of implementations
|
||||
that behave as described in Section 4.1 [2].
|
||||
|
||||
The BIND9 caching server implementation is an example of the latter
|
||||
cases described in Section 4.3 and Section 4.4, respectively. The
|
||||
BIND8 caching server implementation is an example of the former case
|
||||
described in Section 4.3. As for the issue shown in Section 4.4,
|
||||
BIND8 caching servers prior to 8.3.5 show the behavior described as
|
||||
the former case in this section. The versions 8.3.5 and later of
|
||||
BIND8 caching server behave like the BIND9 caching server
|
||||
implementation with this matter.
|
||||
|
||||
Regarding resolver implementations, the authors are only familiar
|
||||
with the ones derived from the BIND implementation. These
|
||||
implementations always fall back regardless of the RCODE; NXDOMAIN,
|
||||
NOTIMP, or SERVFAIL. It even falls back when getting a broken
|
||||
response. However, the behavior does not help the situation in the
|
||||
NXDOMAIN case (see Section 4.1). Lame delegation (Section 4.4) also
|
||||
causes a fatal error at the resolver side if the resolver is using
|
||||
some older versions of BIND8 caching server.
|
||||
|
||||
The authors hear that a stub resolver routine implemented in some web
|
||||
browsers interprets the broken response described in Section 4.3 as a
|
||||
fatal error and does not fall back to A queries. However, we have not
|
||||
confirmed this information.
|
||||
|
||||
|
||||
|
||||
|
||||
Morishita & Jinmei Expires July 11, 2004 [Page 6]
|
||||
|
||||
Internet-Draft Common Misbehavior against AAAA Queries January 2004
|
||||
|
||||
|
||||
Appendix B. Change History
|
||||
|
||||
Changes since draft-morishita-dnsop-misbehavior-against-aaaa-00 are:
|
||||
|
||||
o Made a separate appendix and moved live examples to appendix so
|
||||
that we can remove them when this document is (ever) officially
|
||||
published.
|
||||
|
||||
o Revised some live examples based on the recent status.
|
||||
|
||||
o Noted in introduction that the misbehavior is not specific to AAAA
|
||||
and that this document still concentrates on the AAAA case.
|
||||
|
||||
o Changed the section title of "delegation loop" to "lame
|
||||
delegation" in order to reflect the essential point of the issue.
|
||||
Wording on this matter was updated accordingly.
|
||||
|
||||
o Updated the Acknowledgements list.
|
||||
|
||||
o Changed the reference category from normative to informative (this
|
||||
is an informational document after all).
|
||||
|
||||
o Changed the draft name to an IETF dnsop working group document (as
|
||||
agreed).
|
||||
|
||||
o Applied several editorial fixes.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
Morishita & Jinmei Expires July 11, 2004 [Page 7]
|
||||
|
||||
Internet-Draft Common Misbehavior against AAAA Queries January 2004
|
||||
|
||||
|
||||
Intellectual Property Statement
|
||||
|
||||
The IETF takes no position regarding the validity or scope of any
|
||||
intellectual property or other rights that might be claimed to
|
||||
pertain to the implementation or use of the technology described in
|
||||
this document or the extent to which any license under such rights
|
||||
might or might not be available; neither does it represent that it
|
||||
has made any effort to identify any such rights. Information on the
|
||||
IETF's procedures with respect to rights in standards-track and
|
||||
standards-related documentation can be found in BCP-11. Copies of
|
||||
claims of rights made available for publication and any assurances of
|
||||
licenses to be made available, or the result of an attempt made to
|
||||
obtain a general license or permission for the use of such
|
||||
proprietary rights by implementors or users of this specification can
|
||||
be obtained from the IETF Secretariat.
|
||||
|
||||
The IETF invites any interested party to bring to its attention any
|
||||
copyrights, patents or patent applications, or other proprietary
|
||||
rights which may cover technology that may be required to practice
|
||||
this standard. Please address the information to the IETF Executive
|
||||
Director.
|
||||
|
||||
|
||||
Full Copyright Statement
|
||||
|
||||
Copyright (C) The Internet Society (2004). All Rights Reserved.
|
||||
|
||||
This document and translations of it may be copied and furnished to
|
||||
others, and derivative works that comment on or otherwise explain it
|
||||
or assist in its implementation may be prepared, copied, published
|
||||
and distributed, in whole or in part, without restriction of any
|
||||
kind, provided that the above copyright notice and this paragraph are
|
||||
included on all such copies and derivative works. However, this
|
||||
document itself may not be modified in any way, such as by removing
|
||||
the copyright notice or references to the Internet Society or other
|
||||
Internet organizations, except as needed for the purpose of
|
||||
developing Internet standards in which case the procedures for
|
||||
copyrights defined in the Internet Standards process must be
|
||||
followed, or as required to translate it into languages other than
|
||||
English.
|
||||
|
||||
The limited permissions granted above are perpetual and will not be
|
||||
revoked by the Internet Society or its successors or assignees.
|
||||
|
||||
This document and the information contained herein is provided on an
|
||||
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
|
||||
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
|
||||
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
|
||||
|
||||
|
||||
|
||||
Morishita & Jinmei Expires July 11, 2004 [Page 8]
|
||||
|
||||
Internet-Draft Common Misbehavior against AAAA Queries January 2004
|
||||
|
||||
|
||||
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
|
||||
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
|
||||
|
||||
|
||||
Acknowledgement
|
||||
|
||||
Funding for the RFC Editor function is currently provided by the
|
||||
Internet Society.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
Morishita & Jinmei Expires July 11, 2004 [Page 9]
|
||||
|
||||
|
@ -1,485 +0,0 @@
|
||||
DNSOP Working Group Paul Vixie, ISC (Ed.)
|
||||
INTERNET-DRAFT Akira Kato, WIDE
|
||||
<draft-ietf-dnsop-respsize-01.txt> July, 2004
|
||||
|
||||
|
||||
DNS Response Size Issues
|
||||
|
||||
|
||||
Status of this Memo
|
||||
This document is an Internet-Draft and is subject to all provisions
|
||||
of section 3 of RFC 3667. By submitting this Internet-Draft, each
|
||||
author represents that any applicable patent or other IPR claims of
|
||||
which we are aware have been or will be disclosed, and any of which
|
||||
we become aware will be disclosed, in accordance with RFC 3668.
|
||||
|
||||
|
||||
Internet-Drafts are working documents of the Internet Engineering
|
||||
Task Force (IETF), its areas, and its working groups. Note that
|
||||
other groups may also distribute working documents as Internet-
|
||||
Drafts.
|
||||
|
||||
|
||||
Internet-Drafts are draft documents valid for a maximum of six months
|
||||
and may be updated, replaced, or obsoleted by other documents at any
|
||||
time. It is inappropriate to use Internet-Drafts as reference
|
||||
material or to cite them other than as "work in progress."
|
||||
|
||||
|
||||
The list of current Internet-Drafts can be accessed at
|
||||
http://www.ietf.org/ietf/1id-abstracts.txt
|
||||
|
||||
|
||||
The list of Internet-Draft Shadow Directories can be accessed at
|
||||
http://www.ietf.org/shadow.html.
|
||||
|
||||
|
||||
Copyright Notice
|
||||
|
||||
|
||||
Copyright (C) The Internet Society (2003-2004). All Rights Reserved.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
Abstract
|
||||
|
||||
|
||||
With a mandated default minimum maximum message size of 512 octets,
|
||||
the DNS protocol presents some special problems for zones wishing to
|
||||
expose a moderate or high number of authority servers (NS RRs). This
|
||||
document explains the operational issues caused by, or related to
|
||||
this response size limit.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
Expires December 2004 [Page 1]
|
||||
INTERNET-DRAFT June 2003 RESPSIZE
|
||||
|
||||
|
||||
|
||||
1 - Introduction and Overview
|
||||
|
||||
|
||||
1.1. The DNS standard (see [RFC1035 4.2.1]) limits message size to 512
|
||||
octets. Even though this limitation was due to the required minimum UDP
|
||||
reassembly limit for IPv4, it is a hard DNS protocol limit and is not
|
||||
implicitly relaxed by changes in transport, for example to IPv6.
|
||||
|
||||
|
||||
1.2. The EDNS0 standard (see [RFC2671 2.3, 4.5]) permits larger
|
||||
responses by mutual agreement of the requestor and responder. However,
|
||||
deployment of EDNS0 cannot be expected to reach every Internet resolver
|
||||
in the short or medium term. The 512 octet message size limit remains
|
||||
in practical effect at this time.
|
||||
|
||||
|
||||
1.3. Since DNS responses include a copy of the request, the space
|
||||
available for response data is somewhat less than the full 512 octets.
|
||||
For negative responses, there is rarely a space constraint. For
|
||||
positive and delegation responses, though, every octet must be carefully
|
||||
and sparingly allocated. This document specifically addresses
|
||||
delegation response sizes.
|
||||
|
||||
|
||||
2 - Delegation Details
|
||||
|
||||
|
||||
2.1. A delegation response will include the following elements:
|
||||
|
||||
|
||||
Header Section: fixed length (12 octets)
|
||||
Question Section: original query (name, class, type)
|
||||
Answer Section: (empty)
|
||||
Authority Section: NS RRset (nameserver names)
|
||||
Additional Section: A and AAAA RRsets (nameserver addresses)
|
||||
|
||||
|
||||
2.2. If the total response size would exceed 512 octets, and if the data
|
||||
that would not fit was in the question, answer, or authority section,
|
||||
then the TC bit will be set (indicating truncation) which may cause the
|
||||
requestor to retry using TCP, depending on what information was present
|
||||
and what was omitted. If a retry using TCP is needed, the total cost of
|
||||
the transaction is much higher.
|
||||
|
||||
|
||||
2.3. RRsets are never sent partially, so if truncation occurs, entire
|
||||
RRsets are omitted. Note that the authority section consists of a
|
||||
single RRset. It is absolutely essential that truncation not occur in
|
||||
the authority section.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
Expires December 2004 [Page 2]
|
||||
INTERNET-DRAFT June 2003 RESPSIZE
|
||||
|
||||
|
||||
|
||||
2.4. DNS label compression allows a domain name to be instantiated only
|
||||
once per DNS message, and then referenced with a two-octet "pointer"
|
||||
from other locations in that same DNS message. If all nameserver names
|
||||
in a message are similar (for example, all ending in ".ROOT-
|
||||
SERVERS.NET"), then more space will be available for uncompressable data
|
||||
(such as nameserver addresses).
|
||||
|
||||
|
||||
2.5. The query name can be as long as 255 characters of presentation
|
||||
data, which can be up to 256 octets of network data. In this worst case
|
||||
scenario, the question section will be 260 octets in size, which would
|
||||
leave only 240 octets for the authority and additional sections (after
|
||||
deducting 12 octets for the fixed length header.)
|
||||
|
||||
|
||||
2.6. Average and maximum question section sizes can be predicted by the
|
||||
zone owner, since they will know what names actually exist, and can
|
||||
measure which ones are queried for most often. For cost and performance
|
||||
reasons, the majority of requests should be satisfied without truncation
|
||||
or TCP retry.
|
||||
|
||||
|
||||
2.7. Requestors who deliberately send large queries to force truncation
|
||||
are only increasing their own costs, and cannot effectively attack the
|
||||
resources of an authority server since the requestor would have to retry
|
||||
using TCP to complete the attack. An attack that always used TCP would
|
||||
have a lower cost.
|
||||
|
||||
|
||||
2.8. The minimum useful number of address records is two, since with
|
||||
only one address, the probability that it would refer to an unreachable
|
||||
server is too high. Truncation which occurs after two address records
|
||||
have been added to the additional data section is therefore less
|
||||
operationally significant than truncation which occurs earlier.
|
||||
|
||||
|
||||
2.9. The best case is no truncation. (This is because many requestors
|
||||
will retry using TCP by reflex, without considering whether the omitted
|
||||
data was actually necessary.)
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
Expires December 2004 [Page 3]
|
||||
INTERNET-DRAFT June 2003 RESPSIZE
|
||||
|
||||
|
||||
|
||||
3 - Analysis
|
||||
|
||||
|
||||
3.1. An instrumented protocol trace of a best case delegation response
|
||||
follows. Note that 13 servers are named, and 13 addresses are given.
|
||||
This query was artificially designed to exactly reach the 512 octet
|
||||
limit.
|
||||
|
||||
|
||||
;; flags: qr rd; QUERY: 1, ANS: 0, AUTH: 13, ADDIT: 13
|
||||
;; QUERY SECTION:
|
||||
;; [23456789.123456789.123456789.\
|
||||
123456789.123456789.123456789.com A IN] ;; @80
|
||||
|
||||
|
||||
;; AUTHORITY SECTION:
|
||||
com. 86400 NS E.GTLD-SERVERS.NET. ;; @112
|
||||
com. 86400 NS F.GTLD-SERVERS.NET. ;; @128
|
||||
com. 86400 NS G.GTLD-SERVERS.NET. ;; @144
|
||||
com. 86400 NS H.GTLD-SERVERS.NET. ;; @160
|
||||
com. 86400 NS I.GTLD-SERVERS.NET. ;; @176
|
||||
com. 86400 NS J.GTLD-SERVERS.NET. ;; @192
|
||||
com. 86400 NS K.GTLD-SERVERS.NET. ;; @208
|
||||
com. 86400 NS L.GTLD-SERVERS.NET. ;; @224
|
||||
com. 86400 NS M.GTLD-SERVERS.NET. ;; @240
|
||||
com. 86400 NS A.GTLD-SERVERS.NET. ;; @256
|
||||
com. 86400 NS B.GTLD-SERVERS.NET. ;; @272
|
||||
com. 86400 NS C.GTLD-SERVERS.NET. ;; @288
|
||||
com. 86400 NS D.GTLD-SERVERS.NET. ;; @304
|
||||
|
||||
|
||||
;; ADDITIONAL SECTION:
|
||||
A.GTLD-SERVERS.NET. 86400 A 192.5.6.30 ;; @320
|
||||
B.GTLD-SERVERS.NET. 86400 A 192.33.14.30 ;; @336
|
||||
C.GTLD-SERVERS.NET. 86400 A 192.26.92.30 ;; @352
|
||||
D.GTLD-SERVERS.NET. 86400 A 192.31.80.30 ;; @368
|
||||
E.GTLD-SERVERS.NET. 86400 A 192.12.94.30 ;; @384
|
||||
F.GTLD-SERVERS.NET. 86400 A 192.35.51.30 ;; @400
|
||||
G.GTLD-SERVERS.NET. 86400 A 192.42.93.30 ;; @416
|
||||
H.GTLD-SERVERS.NET. 86400 A 192.54.112.30 ;; @432
|
||||
I.GTLD-SERVERS.NET. 86400 A 192.43.172.30 ;; @448
|
||||
J.GTLD-SERVERS.NET. 86400 A 192.48.79.30 ;; @464
|
||||
K.GTLD-SERVERS.NET. 86400 A 192.52.178.30 ;; @480
|
||||
L.GTLD-SERVERS.NET. 86400 A 192.41.162.30 ;; @496
|
||||
M.GTLD-SERVERS.NET. 86400 A 192.55.83.30 ;; @512
|
||||
|
||||
|
||||
;; MSG SIZE sent: 80 rcvd: 512
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
Expires December 2004 [Page 4]
|
||||
INTERNET-DRAFT June 2003 RESPSIZE
|
||||
|
||||
|
||||
|
||||
3.2. For longer query names, the number of address records supplied will
|
||||
be lower. Furthermore, it is only by using a common parent name (which
|
||||
is GTLD-SERVERS.NET in this example) that all 13 addresses are able to
|
||||
fit. The following output from a response simulator demonstrates these
|
||||
properties:
|
||||
|
||||
|
||||
% perl respsize.pl 13 13 0
|
||||
common name, average case: msg:303 nsaddr#13 (green)
|
||||
common name, worst case: msg:495 nsaddr# 1 (red)
|
||||
uncommon name, average case: msg:457 nsaddr# 3 (orange)
|
||||
uncommon name, worst case: msg:649(*) nsaddr# 0 (red)
|
||||
% perl respsize.pl 13 13 2
|
||||
common name, average case: msg:303 nsaddr#11 (orange)
|
||||
common name, worst case: msg:495 nsaddr# 1 (red)
|
||||
uncommon name, average case: msg:457 nsaddr# 2 (orange)
|
||||
uncommon name, worst case: msg:649(*) nsaddr# 0 (red)
|
||||
|
||||
|
||||
(Note: The response simulator program is shown in Section 5.)
|
||||
|
||||
|
||||
Here we use the term "green" if all address records could fit, or
|
||||
"orange" if two or more could fit, or "red" if fewer than two could fit.
|
||||
It's clear that without a common parent for nameserver names, much space
|
||||
would be lost.
|
||||
|
||||
|
||||
We're assuming an average query name size of 64 since that is the
|
||||
typical average maximum size seen in trace data at the time of this
|
||||
writing. If Internationalized Domain Name (IDN) or any other technology
|
||||
which results in larger query names be deployed significantly in advance
|
||||
of EDNS, then more new measurements and new estimates will have to be
|
||||
made.
|
||||
|
||||
|
||||
4 - Conclusions
|
||||
|
||||
|
||||
4.1. The current practice of giving all nameserver names a common parent
|
||||
(such as GTLD-SERVERS.NET or ROOT-SERVERS.NET) saves space in DNS
|
||||
responses and allows for more nameservers to be enumerated than would
|
||||
otherwise be possible. (Note that in this case it is wise to serve the
|
||||
common parent domain's zone from the same servers that are named within
|
||||
it, in order to limit external dependencies when all your eggs are in a
|
||||
single basket.)
|
||||
|
||||
|
||||
4.2. Thirteen (13) seems to be the effective maximum number of
|
||||
nameserver names usable traditional (non-extended) DNS, assuming a
|
||||
common parent domain name, and assuming that additional-data truncation
|
||||
is undesirable in the average case.
|
||||
|
||||
|
||||
|
||||
|
||||
Expires December 2004 [Page 5]
|
||||
INTERNET-DRAFT June 2003 RESPSIZE
|
||||
|
||||
|
||||
|
||||
4.3. Adding two to five IPv6 nameserver address records (AAAA RRs) to a
|
||||
prototypical delegation that currently contains thirteen (13) IPv4
|
||||
nameserver addresses (A RRs) for thirteen (13) nameserver names under a
|
||||
common parent, would not have a significant negative operational impact
|
||||
on the domain name system.
|
||||
|
||||
|
||||
5 - Source Code
|
||||
|
||||
|
||||
#!/usr/bin/perl -w
|
||||
|
||||
|
||||
$asize = 2+2+2+4+2+4;
|
||||
$aaaasize = 2+2+2+4+2+16;
|
||||
($nns, $na, $naaaa) = @ARGV;
|
||||
test("common", "average", common_name_average($nns),
|
||||
$na, $naaaa);
|
||||
test("common", "worst", common_name_worst($nns),
|
||||
$na, $naaaa);
|
||||
test("uncommon", "average", uncommon_name_average($nns),
|
||||
$na, $naaaa);
|
||||
test("uncommon", "worst", uncommon_name_worst($nns),
|
||||
$na, $naaaa);
|
||||
exit 0;
|
||||
|
||||
|
||||
sub test { my ($namekind, $casekind, $msg, $na, $naaaa) = @_;
|
||||
my $nglue = numglue($msg, $na, $naaaa);
|
||||
printf "%8s name, %7s case: msg:%3d%s nsaddr#%2d (%s)\n",
|
||||
$namekind, $casekind,
|
||||
$msg, ($msg > 512) ? "(*)" : " ",
|
||||
$nglue, ($nglue == $na + $naaaa) ? "green"
|
||||
: ($nglue >= 2) ? "orange"
|
||||
: "red";
|
||||
}
|
||||
|
||||
|
||||
sub pnum { my ($num, $tot) = @_;
|
||||
return sprintf "%3d%s",
|
||||
}
|
||||
|
||||
|
||||
sub numglue { my ($msg, $na, $naaaa) = @_;
|
||||
my $space = ($msg > 512) ? 0 : (512 - $msg);
|
||||
my $num = 0;
|
||||
|
||||
|
||||
while ($space && ($na || $naaaa )) {
|
||||
if ($na) {
|
||||
if ($space >= $asize) {
|
||||
$space -= $asize;
|
||||
|
||||
|
||||
|
||||
|
||||
Expires December 2004 [Page 6]
|
||||
INTERNET-DRAFT June 2003 RESPSIZE
|
||||
|
||||
|
||||
|
||||
$num++;
|
||||
}
|
||||
$na--;
|
||||
}
|
||||
if ($naaaa) {
|
||||
if ($space >= $aaaasize) {
|
||||
$space -= $aaaasize;
|
||||
$num++;
|
||||
}
|
||||
$naaaa--;
|
||||
}
|
||||
}
|
||||
return $num;
|
||||
}
|
||||
|
||||
|
||||
sub msgsize { my ($qname, $nns, $nsns) = @_;
|
||||
return 12 + # header
|
||||
$qname+2+2 + # query
|
||||
0 + # answer
|
||||
$nns * (4+2+2+4+2+$nsns); # authority
|
||||
}
|
||||
|
||||
|
||||
sub average_case { my ($nns, $nsns) = @_;
|
||||
return msgsize(64, $nns, $nsns);
|
||||
}
|
||||
|
||||
|
||||
sub worst_case { my ($nns, $nsns) = @_;
|
||||
return msgsize(256, $nns, $nsns);
|
||||
}
|
||||
|
||||
|
||||
sub common_name_average { my ($nns) = @_;
|
||||
return 15 + average_case($nns, 2);
|
||||
}
|
||||
|
||||
|
||||
sub common_name_worst { my ($nns) = @_;
|
||||
return 15 + worst_case($nns, 2);
|
||||
}
|
||||
|
||||
|
||||
sub uncommon_name_average { my ($nns) = @_;
|
||||
return average_case($nns, 15);
|
||||
}
|
||||
|
||||
|
||||
sub uncommon_name_worst { my ($nns) = @_;
|
||||
return worst_case($nns, 15);
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
Expires December 2004 [Page 7]
|
||||
INTERNET-DRAFT June 2003 RESPSIZE
|
||||
|
||||
|
||||
|
||||
Security Considerations
|
||||
|
||||
|
||||
The recommendations contained in this document have no known security
|
||||
implications.
|
||||
|
||||
|
||||
IANA Considerations
|
||||
|
||||
|
||||
This document does not call for changes or additions to any IANA
|
||||
registry.
|
||||
|
||||
|
||||
IPR Statement
|
||||
|
||||
|
||||
Copyright (C) The Internet Society (2003-2004). This document is
|
||||
subject to the rights, licenses and restrictions contained in BCP 78,
|
||||
and except as set forth therein, the authors retain all their rights.
|
||||
|
||||
|
||||
This document and the information contained herein are provided on an
|
||||
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR
|
||||
IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
|
||||
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
|
||||
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
|
||||
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
|
||||
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
|
||||
|
||||
|
||||
Authors' Addresses
|
||||
|
||||
|
||||
Paul Vixie
|
||||
950 Charter Street
|
||||
Redwood City, CA 94063
|
||||
+1 650 423 1301
|
||||
vixie@isc.org
|
||||
|
||||
|
||||
Akira Kato
|
||||
University of Tokyo, Information Technology Center
|
||||
2-11-16 Yayoi Bunkyo
|
||||
Tokyo 113-8658, JAPAN
|
||||
+81 3 5841 2750
|
||||
kato@wide.ad.jp
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
Expires December 2004 [Page 8]
|
@ -1,617 +0,0 @@
|
||||
|
||||
|
||||
Network Working Group S. Woolf
|
||||
Internet-Draft Internet Systems Consortium, Inc.
|
||||
Expires: January 16, 2005 D. Conrad
|
||||
Nominum, Inc.
|
||||
July 18, 2004
|
||||
|
||||
|
||||
Identifying an Authoritative Name `Server
|
||||
draft-ietf-dnsop-serverid-02
|
||||
|
||||
Status of this Memo
|
||||
|
||||
This document is an Internet-Draft and is subject to all provisions
|
||||
of section 3 of RFC 3667. By submitting this Internet-Draft, each
|
||||
author represents that any applicable patent or other IPR claims of
|
||||
which he or she is aware have been or will be disclosed, and any of
|
||||
which he or she become aware will be disclosed, in accordance with
|
||||
RFC 3668.
|
||||
|
||||
Internet-Drafts are working documents of the Internet Engineering
|
||||
Task Force (IETF), its areas, and its working groups. Note that
|
||||
other groups may also distribute working documents as
|
||||
Internet-Drafts.
|
||||
|
||||
Internet-Drafts are draft documents valid for a maximum of six months
|
||||
and may be updated, replaced, or obsoleted by other documents at any
|
||||
time. It is inappropriate to use Internet-Drafts as reference
|
||||
material or to cite them other than as "work in progress."
|
||||
|
||||
The list of current Internet-Drafts can be accessed at http://
|
||||
www.ietf.org/ietf/1id-abstracts.txt.
|
||||
|
||||
The list of Internet-Draft Shadow Directories can be accessed at
|
||||
http://www.ietf.org/shadow.html.
|
||||
|
||||
This Internet-Draft will expire on January 16, 2005.
|
||||
|
||||
Copyright Notice
|
||||
|
||||
Copyright (C) The Internet Society (2004). All Rights Reserved.
|
||||
|
||||
Abstract
|
||||
|
||||
With the increased use of DNS anycast, load balancing, and other
|
||||
mechanisms allowing more than one DNS name server to share a single
|
||||
IP address, it is sometimes difficult to tell which of a pool of name
|
||||
servers has answered a particular query. A standardized mechanism to
|
||||
determine the identity of a name server responding to a particular
|
||||
query would be useful, particularly as a diagnostic aid. Existing ad
|
||||
|
||||
|
||||
|
||||
Woolf & Conrad Expires January 16, 2005 [Page 1]
|
||||
|
||||
Internet-Draft Identifying an Authoritative Name `Server July 2004
|
||||
|
||||
|
||||
hoc mechanisms for addressing this concern are not adequate. This
|
||||
document attempts to describe the common ad hoc solution to this
|
||||
problem, including its advantages and disadvantasges, and to
|
||||
characterize an improved mechanism.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
Woolf & Conrad Expires January 16, 2005 [Page 2]
|
||||
|
||||
Internet-Draft Identifying an Authoritative Name `Server July 2004
|
||||
|
||||
|
||||
1. Introduction
|
||||
|
||||
With the increased use of DNS anycast, load balancing, and other
|
||||
mechanisms allowing more than one DNS name server to share a single
|
||||
IP address, it is sometimes difficult to tell which of a pool of name
|
||||
servers has answered a particular query. A standardized mechanism to
|
||||
determine the identity of a name server responding to a particular
|
||||
query would be useful, particularly as a diagnostic aid.
|
||||
|
||||
Unfortunately, existing ad-hoc mechanisms for providing such
|
||||
identification have some shortcomings, not the least of which is the
|
||||
lack of prior analysis of exactly how such a mechanism should be
|
||||
designed and deployed. This document describes the existing
|
||||
convention used in one widely deployed implementation of the DNS
|
||||
protocol and discusses requirements for an improved solution to the
|
||||
problem.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
Woolf & Conrad Expires January 16, 2005 [Page 3]
|
||||
|
||||
Internet-Draft Identifying an Authoritative Name `Server July 2004
|
||||
|
||||
|
||||
2. Rationale
|
||||
|
||||
Identifying which name server is responding to queries is often
|
||||
useful, particularly in attempting to diagnose name server
|
||||
difficulties. However, relying on the IP address of the name server
|
||||
has become more problematic due the deployment of various load
|
||||
balancing solutions, including the use of shared unicast addresses as
|
||||
documented in [RFC3258].
|
||||
|
||||
An unfortunate side effect of these load balancing solutions is that
|
||||
traditional methods of determining which server is responding can be
|
||||
unreliable. Specifically, non-DNS methods such as ICMP ping, TCP
|
||||
connections, or non-DNS UDP packets (e.g., as generated by tools such
|
||||
as "traceroute"), etc., can end up going to a different server than
|
||||
that which receives the DNS queries.
|
||||
|
||||
The widespread use of the existing convention suggests a need for a
|
||||
documented, interoperable means of querying the identity of a
|
||||
nameserver that may be part of an anycast or load-balancing cluster.
|
||||
At the same time, however, it also has some drawbacks that argue
|
||||
against standardizing it as it's been practiced so far.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
Woolf & Conrad Expires January 16, 2005 [Page 4]
|
||||
|
||||
Internet-Draft Identifying an Authoritative Name `Server July 2004
|
||||
|
||||
|
||||
3. Existing Conventions
|
||||
|
||||
Recent versions of the commonly deployed Berkeley Internet Name
|
||||
Domain implementation of the DNS protocol suite from the Internet
|
||||
Software Consortium [BIND] support a way of identifying a particular
|
||||
server via the use of a standard, if somewhat unusual, DNS query.
|
||||
Specifically, a query to a late model BIND server for a TXT resource
|
||||
record in class 3 (CHAOS) for the domain name "HOSTNAME.BIND." will
|
||||
return a string that can be configured by the name server
|
||||
administrator to provide a unique identifier for the responding
|
||||
server (defaulting to the value of a gethostname() call). This
|
||||
mechanism, which is an extension of the BIND convention of using
|
||||
CHAOS class TXT RR queries to sub-domains of the "BIND." domain for
|
||||
version information, has been copied by several name server vendors.
|
||||
|
||||
For reference, the other well-known name used by recent versions of
|
||||
BIND within the CHAOS class "BIND." domain is "VERSION.BIND." A
|
||||
query for a TXT RR for this name will return an administratively re-
|
||||
definable string which defaults to the version of the server
|
||||
responding.
|
||||
|
||||
3.1 Advantages
|
||||
|
||||
There are several valuable attributes to this mechanism, which
|
||||
account for its usefulness.
|
||||
1. This mechanism is within the DNS protocol itself. An
|
||||
identification mechanism that relies on the DNS protocol is more
|
||||
likely to be successful (although not guaranteed) in going to the
|
||||
same machine as a "normal" DNS query.
|
||||
2. It is simple to configure. An administrator can easily turn on
|
||||
this feature and control the results of the relevant query.
|
||||
3. It allows the administrator complete control of what information
|
||||
is given out in the response, minimizing passive leakage of
|
||||
implementation or configuration details. Such details are often
|
||||
considered sensitive by infrastructure operators.
|
||||
|
||||
3.2 Disadvantages
|
||||
|
||||
At the same time, there are some forbidding drawbacks to the
|
||||
VERSION.BIND mechanism that argue against standardizing it as it
|
||||
currently operates.
|
||||
1. It requires an additional query to correlate between the answer
|
||||
to a DNS query under normal conditions and the supposed identity
|
||||
of the server receiving the query. There are a number of
|
||||
situations in which this simply isn't reliable.
|
||||
2. It reserves an entire class in the DNS (CHAOS) for what amounts
|
||||
to one zone. While CHAOS class is defined in [RFC1034] and
|
||||
[RFC1035], it's not clear that supporting it solely for this
|
||||
|
||||
|
||||
|
||||
Woolf & Conrad Expires January 16, 2005 [Page 5]
|
||||
|
||||
Internet-Draft Identifying an Authoritative Name `Server July 2004
|
||||
|
||||
|
||||
purpose is a good use of the namespace or of implementation
|
||||
effort.
|
||||
3. It is implementation specific. BIND is one DNS implementation.
|
||||
At the time of this writing, it is probably the most prevalent,
|
||||
for authoritative servers anyway. This does not justify
|
||||
standardizing on its ad hoc solution to a problem shared across
|
||||
many operators and implementors.
|
||||
|
||||
The first of the listed disadvantages is technically the most
|
||||
serious. It argues for an attempt to design a good answer to the
|
||||
problem that "I need to know what nameserver is answering my
|
||||
queries", not simply a convenient one.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
Woolf & Conrad Expires January 16, 2005 [Page 6]
|
||||
|
||||
Internet-Draft Identifying an Authoritative Name `Server July 2004
|
||||
|
||||
|
||||
4. Characteristics of an Implementation Neutral Convention
|
||||
|
||||
The discussion above of advantages and disadvantages to the
|
||||
HOSTNAME.BIND mechanism suggest some requirements for a better
|
||||
solution to the server identification problem. These are summarized
|
||||
here as guidelines for any effort to provide appropriate protocol
|
||||
extensions:
|
||||
1. The mechanism adopted MUST be in-band for the DNS protocol. That
|
||||
is, it needs to allow the query for the server's identifying
|
||||
information to be part of a normal, operational query. It SHOULD
|
||||
also permit a separate, dedicated query for the server's
|
||||
identifying information.
|
||||
2. The new mechanism should not require dedicated namespaces or
|
||||
other reserved values outside of the existing protocol mechanisms
|
||||
for these, i.e. the OPT pseudo-RR.
|
||||
3. Support for the identification functionality SHOULD be easy to
|
||||
implement and easy to enable. It MUST be easy to disable and
|
||||
SHOULD lend itself to access controls on who can query for it.
|
||||
4. It should be possible to return a unique identifier for a server
|
||||
without requiring the exposure of information that may be
|
||||
non-public and considered sensitive by the operator, such as a
|
||||
hostname or unicast IP address maintained for administrative
|
||||
purposes.
|
||||
5. The identification mechanism SHOULD NOT be
|
||||
implementation-specific.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
Woolf & Conrad Expires January 16, 2005 [Page 7]
|
||||
|
||||
Internet-Draft Identifying an Authoritative Name `Server July 2004
|
||||
|
||||
|
||||
5. IANA Considerations
|
||||
|
||||
This document proposes no specific IANA action. Protocol extensions,
|
||||
if any, to meet the requirements described are out of scope for this
|
||||
document. Should such extensions be specified and adopted by normal
|
||||
IETF process, the specification will include appropriate guidance to
|
||||
IANA.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
Woolf & Conrad Expires January 16, 2005 [Page 8]
|
||||
|
||||
Internet-Draft Identifying an Authoritative Name `Server July 2004
|
||||
|
||||
|
||||
6. Security Considerations
|
||||
|
||||
Providing identifying information as to which server is responding
|
||||
can be seen as information leakage and thus a security risk. This
|
||||
motivates the suggestion above that a new mechanism for server
|
||||
identification allow the administrator to disable the functionality
|
||||
altogether or partially restrict availability of the data. It also
|
||||
suggests that the serverid data should not be readily correlated with
|
||||
a hostname or unicast IP address that may be considered private to
|
||||
the nameserver operator's management infrastructure.
|
||||
|
||||
Propagation of protocol or service meta-data can sometimes expose the
|
||||
application to denial of service or other attack. As DNS is a
|
||||
critically important infrastructure service for the production
|
||||
Internet, extra care needs to be taken against this risk for
|
||||
designers, implementors, and operators of a new mechanism for server
|
||||
identification.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
Woolf & Conrad Expires January 16, 2005 [Page 9]
|
||||
|
||||
Internet-Draft Identifying an Authoritative Name `Server July 2004
|
||||
|
||||
|
||||
7. Acknowledgements
|
||||
|
||||
The technique for host identification documented here was initially
|
||||
implemented by Paul Vixie of the Internet Software Consortium in the
|
||||
Berkeley Internet Name Daemon package. Comments and questions on
|
||||
earlier drafts were provided by Bob Halley, Brian Wellington, Andreas
|
||||
Gustafsson, Ted Hardie, Chris Yarnell, Randy Bush, and members of the
|
||||
ICANN Root Server System Advisory Committee. The newest draft takes
|
||||
a significantly different direction from previous versions, owing to
|
||||
discussion among contributors to the DNSOP working group and others,
|
||||
particularly Olafur Gudmundsson, Ed Lewis, Bill Manning, Sam Weiler,
|
||||
and Rob Austein.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
Woolf & Conrad Expires January 16, 2005 [Page 10]
|
||||
|
||||
Internet-Draft Identifying an Authoritative Name `Server July 2004
|
||||
|
||||
|
||||
Intellectual Property Statement
|
||||
|
||||
The IETF takes no position regarding the validity or scope of any
|
||||
Intellectual Property Rights or other rights that might be claimed to
|
||||
pertain to the implementation or use of the technology described in
|
||||
this document or the extent to which any license under such rights
|
||||
might or might not be available; nor does it represent that it has
|
||||
made any independent effort to identify any such rights. Information
|
||||
on the procedures with respect to rights in RFC documents can be
|
||||
found in BCP 78 and BCP 79.
|
||||
|
||||
Copies of IPR disclosures made to the IETF Secretariat and any
|
||||
assurances of licenses to be made available, or the result of an
|
||||
attempt made to obtain a general license or permission for the use of
|
||||
such proprietary rights by implementers or users of this
|
||||
specification can be obtained from the IETF on-line IPR repository at
|
||||
http://www.ietf.org/ipr.
|
||||
|
||||
The IETF invites any interested party to bring to its attention any
|
||||
copyrights, patents or patent applications, or other proprietary
|
||||
rights that may cover technology that may be required to implement
|
||||
this standard. Please address the information to the IETF at
|
||||
ietf-ipr@ietf.org.
|
||||
|
||||
|
||||
Disclaimer of Validity
|
||||
|
||||
This document and the information contained herein are provided on an
|
||||
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
|
||||
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
|
||||
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
|
||||
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
|
||||
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
|
||||
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
|
||||
|
||||
|
||||
Copyright Statement
|
||||
|
||||
Copyright (C) The Internet Society (2004). This document is subject
|
||||
to the rights, licenses and restrictions contained in BCP 78, and
|
||||
except as set forth therein, the authors retain all their rights.
|
||||
|
||||
|
||||
Acknowledgment
|
||||
|
||||
Funding for the RFC Editor function is currently provided by the
|
||||
Internet Society.
|
||||
|
||||
|
||||
|
||||
|
||||
Woolf & Conrad Expires January 16, 2005 [Page 11]
|
||||
|
||||
|
@ -1,951 +0,0 @@
|
||||
|
||||
|
||||
IPSECKEY WG M. Richardson
|
||||
Internet-Draft SSW
|
||||
|Expires: August 1, 2004 February 2004
|
||||
|
||||
|
||||
A Method for Storing IPsec Keying Material in DNS
|
||||
| draft-ietf-ipseckey-rr-09.txt
|
||||
|
||||
Status of this Memo
|
||||
|
||||
This document is an Internet-Draft and is in full conformance with
|
||||
all provisions of Section 10 of RFC2026.
|
||||
|
||||
Internet-Drafts are working documents of the Internet Engineering
|
||||
Task Force (IETF), its areas, and its working groups. Note that
|
||||
other groups may also distribute working documents as Internet-
|
||||
Drafts.
|
||||
|
||||
Internet-Drafts are draft documents valid for a maximum of six months
|
||||
and may be updated, replaced, or obsoleted by other documents at any
|
||||
time. It is inappropriate to use Internet-Drafts as reference
|
||||
material or to cite them other than as "work in progress."
|
||||
|
||||
The list of current Internet-Drafts can be accessed at http://
|
||||
www.ietf.org/ietf/1id-abstracts.txt.
|
||||
|
||||
The list of Internet-Draft Shadow Directories can be accessed at
|
||||
http://www.ietf.org/shadow.html.
|
||||
|
||||
| This Internet-Draft will expire on August 1, 2004.
|
||||
|
||||
Copyright Notice
|
||||
|
||||
| Copyright (C) The Internet Society (2004). All Rights Reserved.
|
||||
|
||||
Abstract
|
||||
|
||||
| This document describes a new resource record for Domain Name System
|
||||
| (DNS). This record may be used to store public keys for use in IP
|
||||
| security (IPsec) systems. The record also includes provisions for
|
||||
| indicating what system should be contacted when establishing an IPsec
|
||||
| tunnel with the entity in question.
|
||||
|
||||
This record replaces the functionality of the sub-type #1 of the KEY
|
||||
Resource Record, which has been obsoleted by RFC3445.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|Richardson Expires August 1, 2004 [Page 1]
|
||||
|
||||
|Internet-Draft Storing IPsec keying material in DNS February 2004
|
||||
|
||||
|
||||
Table of Contents
|
||||
|
||||
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
|
||||
1.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
|
||||
| 1.2 Use of reverse (in-addr.arpa) map . . . . . . . . . . . . . . 3
|
||||
| 1.3 Usage Criteria . . . . . . . . . . . . . . . . . . . . . . . . 3
|
||||
| 2. Storage formats . . . . . . . . . . . . . . . . . . . . . . . 5
|
||||
| 2.1 IPSECKEY RDATA format . . . . . . . . . . . . . . . . . . . . 5
|
||||
| 2.2 RDATA format - precedence . . . . . . . . . . . . . . . . . . 5
|
||||
| 2.3 RDATA format - gateway type . . . . . . . . . . . . . . . . . 5
|
||||
| 2.4 RDATA format - algorithm type . . . . . . . . . . . . . . . . 6
|
||||
| 2.5 RDATA format - gateway . . . . . . . . . . . . . . . . . . . . 6
|
||||
| 2.6 RDATA format - public keys . . . . . . . . . . . . . . . . . . 6
|
||||
| 3. Presentation formats . . . . . . . . . . . . . . . . . . . . . 8
|
||||
| 3.1 Representation of IPSECKEY RRs . . . . . . . . . . . . . . . . 8
|
||||
| 3.2 Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
|
||||
| 4. Security Considerations . . . . . . . . . . . . . . . . . . . 10
|
||||
| 4.1 Active attacks against unsecured IPSECKEY resource records . . 10
|
||||
| 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12
|
||||
| 6. Intellectual Property Claims . . . . . . . . . . . . . . . . . 13
|
||||
| 7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 14
|
||||
| Normative references . . . . . . . . . . . . . . . . . . . . . 15
|
||||
| Non-normative references . . . . . . . . . . . . . . . . . . . 16
|
||||
| Author's Address . . . . . . . . . . . . . . . . . . . . . . . 16
|
||||
| Full Copyright Statement . . . . . . . . . . . . . . . . . . . 17
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|Richardson Expires August 1, 2004 [Page 2]
|
||||
|
||||
|Internet-Draft Storing IPsec keying material in DNS February 2004
|
||||
|
||||
|
||||
1. Introduction
|
||||
|
||||
It postulated that there is an end system desiring to establish an
|
||||
IPsec tunnel with some remote entity on the network. This system,
|
||||
having only a DNS name of some kind (forward, reverse or even
|
||||
user@FQDN) needs a public key to authenticate the remote entity. It
|
||||
also desires some guidance about whether to contact the entity
|
||||
directly, or whether to contact another entity, as the gateway to
|
||||
that desired entity.
|
||||
|
||||
The IPSECKEY RR provides a storage mechanism for such items as the
|
||||
public key, and the gateway information.
|
||||
|
||||
The type number for the IPSECKEY RR is TBD.
|
||||
|
||||
1.1 Overview
|
||||
|
||||
The IPSECKEY resource record (RR) is used to publish a public key
|
||||
that is to be associated with a Domain Name System (DNS) name for use
|
||||
with the IPsec protocol suite. This can be the public key of a
|
||||
host, network, or application (in the case of per-port keying).
|
||||
|
||||
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
|
||||
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
|
||||
document are to be interpreted as described in RFC2119 [7].
|
||||
|
||||
|1.2 Use of reverse (in-addr.arpa) map
|
||||
|
||||
| Often a security gateway will only have access to the IP address to
|
||||
| which communication is desired. It will not know the forward name.
|
||||
| As such, it will frequently be the case that the IP address will be
|
||||
| used an index into the reverse map.
|
||||
|
||||
| The lookup is done in the usual fashion as for PTR records. The IP
|
||||
| address' octets (IPv4) or nibbles (IPv6) are reversed and looked up
|
||||
| under the .arpa. zone. Any CNAMEs or DNAMEs found SHOULD be
|
||||
| followed.
|
||||
|
||||
| Note: even when the IPsec function is the end-host, often only the
|
||||
| application will know the forward name used. While the case where
|
||||
| the application knows the forward name is common, the user could
|
||||
| easily have typed in a literal IP address. This storage mechanism
|
||||
| does not preclude using the forward name when it is available, but
|
||||
| does not require it.
|
||||
|
||||
|1.3 Usage Criteria
|
||||
|
||||
An IPSECKEY resource record SHOULD be used in combination with DNSSEC
|
||||
|
||||
|
||||
|
||||
|Richardson Expires August 1, 2004 [Page 3]
|
||||
|
||||
|Internet-Draft Storing IPsec keying material in DNS February 2004
|
||||
|
||||
|
||||
unless some other means of authenticating the IPSECKEY resource
|
||||
record is available.
|
||||
|
||||
It is expected that there will often be multiple IPSECKEY resource
|
||||
records at the same name. This will be due to the presence of
|
||||
multiple gateways and the need to rollover keys.
|
||||
|
||||
This resource record is class independent.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|Richardson Expires August 1, 2004 [Page 4]
|
||||
|
||||
|Internet-Draft Storing IPsec keying material in DNS February 2004
|
||||
|
||||
|
||||
2. Storage formats
|
||||
|
||||
2.1 IPSECKEY RDATA format
|
||||
|
||||
The RDATA for an IPSECKEY RR consists of a precedence value, a
|
||||
gateway type, a public key, algorithm type, and an optional gateway
|
||||
address.
|
||||
|
||||
0 1 2 3
|
||||
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
|
||||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||||
| precedence | gateway type | algorithm | gateway |
|
||||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-------------+ +
|
||||
~ gateway ~
|
||||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||||
| /
|
||||
/ public key /
|
||||
/ /
|
||||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-|
|
||||
|
||||
|
||||
2.2 RDATA format - precedence
|
||||
|
||||
This is an 8-bit precedence for this record. This is interpreted in
|
||||
the same way as the PREFERENCE field described in section 3.3.9 of
|
||||
RFC1035 [2].
|
||||
|
||||
Gateways listed in IPSECKEY records with lower precedence are to be
|
||||
attempted first. Where there is a tie in precedence, the order
|
||||
should be non-deterministic.
|
||||
|
||||
2.3 RDATA format - gateway type
|
||||
|
||||
The gateway type field indicates the format of the information that
|
||||
is stored in the gateway field.
|
||||
|
||||
The following values are defined:
|
||||
|
||||
0 No gateway is present
|
||||
|
||||
1 A 4-byte IPv4 address is present
|
||||
|
||||
2 A 16-byte IPv6 address is present
|
||||
|
||||
3 A wire-encoded domain name is present. The wire-encoded format is
|
||||
self-describing, so the length is implicit. The domain name MUST
|
||||
NOT be compressed. (see section 3.3 of RFC1035 [2]).
|
||||
|
||||
|
||||
|
||||
|
||||
|Richardson Expires August 1, 2004 [Page 5]
|
||||
|
||||
|Internet-Draft Storing IPsec keying material in DNS February 2004
|
||||
|
||||
|
||||
2.4 RDATA format - algorithm type
|
||||
|
||||
The algorithm type field identifies the public key's cryptographic
|
||||
algorithm and determines the format of the public key field.
|
||||
|
||||
A value of 0 indicates that no key is present.
|
||||
|
||||
The following values are defined:
|
||||
|
||||
1 A DSA key is present, in the format defined in RFC2536 [10]
|
||||
|
||||
2 A RSA key is present, in the format defined in RFC3110 [11]
|
||||
|
||||
|
||||
2.5 RDATA format - gateway
|
||||
|
||||
The gateway field indicates a gateway to which an IPsec tunnel may be
|
||||
created in order to reach the entity named by this resource record.
|
||||
|
||||
There are three formats:
|
||||
|
||||
A 32-bit IPv4 address is present in the gateway field. The data
|
||||
portion is an IPv4 address as described in section 3.4.1 of RFC1035
|
||||
[2]. This is a 32-bit number in network byte order.
|
||||
|
||||
A 128-bit IPv6 address is present in the gateway field. The data
|
||||
portion is an IPv6 address as described in section 2.2 of RFC3596
|
||||
[13]. This is a 128-bit number in network byte order.
|
||||
|
||||
The gateway field is a normal wire-encoded domain name, as described
|
||||
in section 3.3 of RFC1035 [2]. Compression MUST NOT be used.
|
||||
|
||||
2.6 RDATA format - public keys
|
||||
|
||||
Both of the public key types defined in this document (RSA and DSA)
|
||||
inherit their public key formats from the corresponding KEY RR
|
||||
formats. Specifically, the public key field contains the algorithm-
|
||||
specific portion of the KEY RR RDATA, which is all of the KEY RR DATA
|
||||
after the first four octets. This is the same portion of the KEY RR
|
||||
that must be specified by documents that define a DNSSEC algorithm.
|
||||
Those documents also specify a message digest to be used for
|
||||
generation of SIG RRs; that specification is not relevant for
|
||||
IPSECKEY RR.
|
||||
|
||||
Future algorithms, if they are to be used by both DNSSEC (in the KEY
|
||||
RR) and IPSECKEY, are likely to use the same public key encodings in
|
||||
both records. Unless otherwise specified, the IPSECKEY public key
|
||||
field will contain the algorithm-specific portion of the KEY RR RDATA
|
||||
|
||||
|
||||
|
||||
|Richardson Expires August 1, 2004 [Page 6]
|
||||
|
||||
|Internet-Draft Storing IPsec keying material in DNS February 2004
|
||||
|
||||
|
||||
for the corresponding algorithm. The algorithm must still be
|
||||
designated for use by IPSECKEY, and an IPSECKEY algorithm type number
|
||||
(which might be different than the DNSSEC algorithm number) must be
|
||||
assigned to it.
|
||||
|
||||
The DSA key format is defined in RFC2536 [10]
|
||||
|
||||
The RSA key format is defined in RFC3110 [11], with the following
|
||||
changes:
|
||||
|
||||
The earlier definition of RSA/MD5 in RFC2065 limited the exponent and
|
||||
modulus to 2552 bits in length. RFC3110 extended that limit to 4096
|
||||
bits for RSA/SHA1 keys. The IPSECKEY RR imposes no length limit on
|
||||
RSA public keys, other than the 65535 octet limit imposed by the two-
|
||||
octet length encoding. This length extension is applicable only to
|
||||
IPSECKEY and not to KEY RRs.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|Richardson Expires August 1, 2004 [Page 7]
|
||||
|
||||
|Internet-Draft Storing IPsec keying material in DNS February 2004
|
||||
|
||||
|
||||
3. Presentation formats
|
||||
|
||||
3.1 Representation of IPSECKEY RRs
|
||||
|
||||
IPSECKEY RRs may appear in a zone data master file. The precedence,
|
||||
gateway type and algorithm and gateway fields are REQUIRED. The
|
||||
base64 encoded public key block is OPTIONAL; if not present, then the
|
||||
public key field of the resource record MUST be construed as being
|
||||
zero octets in length.
|
||||
|
||||
The algorithm field is an unsigned integer. No mnemonics are
|
||||
defined.
|
||||
|
||||
If no gateway is to be indicated, then the gateway type field MUST be
|
||||
zero, and the gateway field MUST be "."
|
||||
|
||||
The Public Key field is represented as a Base64 encoding of the
|
||||
Public Key. Whitespace is allowed within the Base64 text. For a
|
||||
definition of Base64 encoding, see RFC3548 [6] Section 5.2.
|
||||
|
||||
The general presentation for the record as as follows:
|
||||
|
||||
IN IPSECKEY ( precedence gateway-type algorithm
|
||||
gateway base64-encoded-public-key )
|
||||
|
||||
|
||||
3.2 Examples
|
||||
|
||||
An example of a node 192.0.2.38 that will accept IPsec tunnels on its
|
||||
own behalf.
|
||||
|
||||
38.2.0.192.in-addr.arpa. 7200 IN IPSECKEY ( 10 1 2
|
||||
192.0.2.38
|
||||
AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ== )
|
||||
|
||||
An example of a node, 192.0.2.38 that has published its key only.
|
||||
|
||||
38.2.0.192.in-addr.arpa. 7200 IN IPSECKEY ( 10 0 2
|
||||
.
|
||||
AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ== )
|
||||
|
||||
An example of a node, 192.0.2.38 that has delegated authority to the
|
||||
node 192.0.2.3.
|
||||
|
||||
38.2.0.192.in-addr.arpa. 7200 IN IPSECKEY ( 10 1 2
|
||||
192.0.2.3
|
||||
AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ== )
|
||||
|
||||
|
||||
|
||||
|
||||
|Richardson Expires August 1, 2004 [Page 8]
|
||||
|
||||
|Internet-Draft Storing IPsec keying material in DNS February 2004
|
||||
|
||||
|
||||
An example of a node, 192.0.1.38 that has delegated authority to the
|
||||
node with the identity "mygateway.example.com".
|
||||
|
||||
38.1.0.192.in-addr.arpa. 7200 IN IPSECKEY ( 10 3 2
|
||||
mygateway.example.com.
|
||||
AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ== )
|
||||
|
||||
An example of a node, 2001:0DB8:0200:1:210:f3ff:fe03:4d0 that has
|
||||
delegated authority to the node 2001:0DB8:c000:0200:2::1
|
||||
|
||||
$ORIGIN 1.0.0.0.0.0.2.8.B.D.0.1.0.0.2.ip6.arpa.
|
||||
0.d.4.0.3.0.e.f.f.f.3.f.0.1.2.0 7200 IN IPSECKEY ( 10 2 2
|
||||
2001:0DB8:0:8002::2000:1
|
||||
AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ== )
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|Richardson Expires August 1, 2004 [Page 9]
|
||||
|
||||
|Internet-Draft Storing IPsec keying material in DNS February 2004
|
||||
|
||||
|
||||
4. Security Considerations
|
||||
|
||||
This entire memo pertains to the provision of public keying material
|
||||
for use by key management protocols such as ISAKMP/IKE (RFC2407) [8].
|
||||
|
||||
The IPSECKEY resource record contains information that SHOULD be
|
||||
communicated to the end client in an integral fashion - i.e. free
|
||||
from modification. The form of this channel is up to the consumer of
|
||||
the data - there must be a trust relationship between the end
|
||||
consumer of this resource record and the server. This relationship
|
||||
may be end-to-end DNSSEC validation, a TSIG or SIG(0) channel to
|
||||
another secure source, a secure local channel on the host, or some
|
||||
combination of the above.
|
||||
|
||||
The keying material provided by the IPSECKEY resource record is not
|
||||
sensitive to passive attacks. The keying material may be freely
|
||||
disclosed to any party without any impact on the security properties
|
||||
of the resulting IPsec session: IPsec and IKE provide for defense
|
||||
against both active and passive attacks.
|
||||
|
||||
Any derivative standard that makes use of this resource record MUST
|
||||
carefully document their trust model, and why the trust model of
|
||||
DNSSEC is appropriate, if that is the secure channel used.
|
||||
|
||||
4.1 Active attacks against unsecured IPSECKEY resource records
|
||||
|
||||
This section deals with active attacks against the DNS. These
|
||||
attacks require that DNS requests and responses be intercepted and
|
||||
changed. DNSSEC is designed to defend against attacks of this kind.
|
||||
|
||||
The first kind of active attack is when the attacker replaces the
|
||||
keying material with either a key under its control or with garbage.
|
||||
|
||||
If the attacker is not able to mount a subsequent man-in-the-middle
|
||||
attack on the IKE negotiation after replacing the public key, then
|
||||
this will result in a denial of service, as the authenticator used by
|
||||
IKE would fail.
|
||||
|
||||
If the attacker is able to both to mount active attacks against DNS
|
||||
and is also in a position to perform a man-in-the-middle attack on
|
||||
IKE and IPsec negotiations, then the attacker will be in a position
|
||||
to compromise the resulting IPsec channel. Note that an attacker
|
||||
must be able to perform active DNS attacks on both sides of the IKE
|
||||
negotiation in order for this to succeed.
|
||||
|
||||
The second kind of active attack is one in which the attacker
|
||||
replaces the the gateway address to point to a node under the
|
||||
attacker's control. The attacker can then either replace the public
|
||||
|
||||
|
||||
|
||||
|Richardson Expires August 1, 2004 [Page 10]
|
||||
|
||||
|Internet-Draft Storing IPsec keying material in DNS February 2004
|
||||
|
||||
|
||||
key or remove it, thus providing an IPSECKEY record of its own to
|
||||
match the gateway address.
|
||||
|
||||
This later form creates a simple man-in-the-middle since the attacker
|
||||
can then create a second tunnel to the real destination. Note that,
|
||||
as before, this requires that the attacker also mount an active
|
||||
attack against the responder.
|
||||
|
||||
Note that the man-in-the-middle can not just forward cleartext
|
||||
packets to the original destination. While the destination may be
|
||||
willing to speak in the clear, replying to the original sender, the
|
||||
sender will have already created a policy expecting ciphertext.
|
||||
Thus, the attacker will need to intercept traffic from both sides.
|
||||
In some cases, the attacker may be able to accomplish the full
|
||||
intercept by use of Network Addresss/Port Translation (NAT/NAPT)
|
||||
technology.
|
||||
|
||||
| Note that risk of a man-in-the-middle attack mediated by the IPSECKEY
|
||||
| RR only applies to cases where the gateway field of the IPSECKEY RR
|
||||
| indicates a different entity than the owner name of the IPSECKEY RR.
|
||||
|
||||
| An active attack on the DNS that caused the wrong IP address to be
|
||||
| retrieved (via forged A RR), and therefore the wrong QNAME to be
|
||||
| queried would also result in a man-in-the-middle attack. This
|
||||
| situation exists independantly of whether or not the IPSECKEY RR is
|
||||
| used.
|
||||
|
||||
| In cases where the end-to-end integrity of the IPSECKEY RR is
|
||||
| suspect, the end client MUST restrict its use of the IPSECKEY RR to
|
||||
| cases where the RR owner name matches the content of the gateway
|
||||
| field.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|Richardson Expires August 1, 2004 [Page 11]
|
||||
|
||||
|Internet-Draft Storing IPsec keying material in DNS February 2004
|
||||
|
||||
|
||||
5. IANA Considerations
|
||||
|
||||
This document updates the IANA Registry for DNS Resource Record Types
|
||||
by assigning type X to the IPSECKEY record.
|
||||
|
||||
This document creates two new IANA registries, both specific to the
|
||||
IPSECKEY Resource Record:
|
||||
|
||||
This document creates an IANA registry for the algorithm type field.
|
||||
|
||||
Values 0, 1 and 2 are defined in Section 2.4. Algorithm numbers 3
|
||||
through 255 can be assigned by IETF Consensus (see RFC2434 [5]).
|
||||
|
||||
This document creates an IANA registry for the gateway type field.
|
||||
|
||||
Values 0, 1, 2 and 3 are defined in Section 2.3. Gateway type
|
||||
numbers 4 through 255 can be assigned by Standards Action (see
|
||||
RFC2434 [5]).
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|Richardson Expires August 1, 2004 [Page 12]
|
||||
|
||||
|Internet-Draft Storing IPsec keying material in DNS February 2004
|
||||
|
||||
|
||||
6. Intellectual Property Claims
|
||||
|
||||
The IETF takes no position regarding the validity or scope of any
|
||||
intellectual property or other rights that might be claimed to
|
||||
pertain to the implementation or use of the technology described in
|
||||
this document or the extent to which any license under such rights
|
||||
might or might not be available; neither does it represent that it
|
||||
has made any effort to identify any such rights. Information on the
|
||||
IETF's procedures with respect to rights in standards-track and
|
||||
standards-related documentation can be found in BCP-11. Copies of
|
||||
claims of rights made available for publication and any assurances of
|
||||
licenses to be made available, or the result of an attempt made to
|
||||
obtain a general license or permission for the use of such
|
||||
proprietary rights by implementors or users of this specification can
|
||||
be obtained from the IETF Secretariat.
|
||||
|
||||
The IETF invites any interested party to bring to its attention any
|
||||
copyrights, patents or patent applications, or other proprietary
|
||||
rights which may cover technology that may be required to practice
|
||||
this standard. Please address the information to the IETF Executive
|
||||
Director.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|Richardson Expires August 1, 2004 [Page 13]
|
||||
|
||||
|Internet-Draft Storing IPsec keying material in DNS February 2004
|
||||
|
||||
|
||||
7. Acknowledgments
|
||||
|
||||
My thanks to Paul Hoffman, Sam Weiler, Jean-Jacques Puig, Rob
|
||||
Austein, and Olafur Gurmundsson who reviewed this document carefully.
|
||||
Additional thanks to Olafur Gurmundsson for a reference
|
||||
implementation.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|Richardson Expires August 1, 2004 [Page 14]
|
||||
|
||||
|Internet-Draft Storing IPsec keying material in DNS February 2004
|
||||
|
||||
|
||||
Normative references
|
||||
|
||||
[1] Mockapetris, P., "Domain names - concepts and facilities", STD
|
||||
13, RFC 1034, November 1987.
|
||||
|
||||
[2] Mockapetris, P., "Domain names - implementation and
|
||||
specification", STD 13, RFC 1035, November 1987.
|
||||
|
||||
[3] Bradner, S., "The Internet Standards Process -- Revision 3", BCP
|
||||
9, RFC 2026, October 1996.
|
||||
|
||||
[4] Eastlake, D. and C. Kaufman, "Domain Name System Security
|
||||
Extensions", RFC 2065, January 1997.
|
||||
|
||||
[5] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA
|
||||
Considerations Section in RFCs", BCP 26, RFC 2434, October 1998.
|
||||
|
||||
[6] Josefsson, S., "The Base16, Base32, and Base64 Data Encodings",
|
||||
RFC 3548, July 2003.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|Richardson Expires August 1, 2004 [Page 15]
|
||||
|
||||
|Internet-Draft Storing IPsec keying material in DNS February 2004
|
||||
|
||||
|
||||
Non-normative references
|
||||
|
||||
[7] Bradner, S., "Key words for use in RFCs to Indicate Requirement
|
||||
Levels", BCP 14, RFC 2119, March 1997.
|
||||
|
||||
[8] Piper, D., "The Internet IP Security Domain of Interpretation
|
||||
for ISAKMP", RFC 2407, November 1998.
|
||||
|
||||
[9] Eastlake, D., "Domain Name System Security Extensions", RFC
|
||||
2535, March 1999.
|
||||
|
||||
[10] Eastlake, D., "DSA KEYs and SIGs in the Domain Name System
|
||||
(DNS)", RFC 2536, March 1999.
|
||||
|
||||
[11] Eastlake, D., "RSA/SHA-1 SIGs and RSA KEYs in the Domain Name
|
||||
System (DNS)", RFC 3110, May 2001.
|
||||
|
||||
[12] Massey, D. and S. Rose, "Limiting the Scope of the KEY Resource
|
||||
Record (RR)", RFC 3445, December 2002.
|
||||
|
||||
[13] Thomson, S., Huitema, C., Ksinant, V. and M. Souissi, "DNS
|
||||
Extensions to Support IP Version 6", RFC 3596, October 2003.
|
||||
|
||||
|
||||
Author's Address
|
||||
|
||||
Michael C. Richardson
|
||||
Sandelman Software Works
|
||||
470 Dawson Avenue
|
||||
Ottawa, ON K1Z 5V7
|
||||
CA
|
||||
|
||||
EMail: mcr@sandelman.ottawa.on.ca
|
||||
URI: http://www.sandelman.ottawa.on.ca/
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|Richardson Expires August 1, 2004 [Page 16]
|
||||
|
||||
|Internet-Draft Storing IPsec keying material in DNS February 2004
|
||||
|
||||
|
||||
Full Copyright Statement
|
||||
|
||||
| Copyright (C) The Internet Society (2004). All Rights Reserved.
|
||||
|
||||
This document and translations of it may be copied and furnished to
|
||||
others, and derivative works that comment on or otherwise explain it
|
||||
or assist in its implementation may be prepared, copied, published
|
||||
and distributed, in whole or in part, without restriction of any
|
||||
kind, provided that the above copyright notice and this paragraph are
|
||||
included on all such copies and derivative works. However, this
|
||||
document itself may not be modified in any way, such as by removing
|
||||
the copyright notice or references to the Internet Society or other
|
||||
Internet organizations, except as needed for the purpose of
|
||||
developing Internet standards in which case the procedures for
|
||||
copyrights defined in the Internet Standards process must be
|
||||
followed, or as required to translate it into languages other than
|
||||
English.
|
||||
|
||||
The limited permissions granted above are perpetual and will not be
|
||||
revoked by the Internet Society or its successors or assigns.
|
||||
|
||||
This document and the information contained herein is provided on an
|
||||
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
|
||||
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
|
||||
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
|
||||
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
|
||||
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
|
||||
|
||||
Acknowledgement
|
||||
|
||||
Funding for the RFC Editor function is currently provided by the
|
||||
Internet Society.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|Richardson Expires August 1, 2004 [Page 17]
|
Loading…
Reference in New Issue
Block a user