Internet DRAFT - draft-moreau-dnsext-takrem-dns
draft-moreau-dnsext-takrem-dns
INTERNET DRAFT Thierry Moreau
Document: draft-moreau-dnsext-takrem-dns-02.txt CONNOTECH
Category: Informational April, 2006
Expires: October, 2006
The Trust Anchor Key Renewal Method
Applied to DNS Security (TAKREM-DNSSEC)
Status of this Memo
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as
Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six
months and may be updated, replaced, or obsoleted by other
documents at any time. It is inappropriate to use Internet-Drafts
as reference material or to cite them other than as "work in
progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/1id-abstracts.html
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html
Copyright Notice
Copyright (C) The Internet Society (2006).
IPR Disclosure Acknowledgment
By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.
Abstract
This document provides an authentication scheme based on the
generic SDDA-RR mechanism (SEP DNSKEY Direct Authenticator DNS
Resource Record). The result is an automated key rollover mechanism
for trust anchor keys. This represents additional security protocol
elements to the DNS Security Extensions (DNSSEC) in the area of key
management support functions for the DNS root zone and islands of
trust.
Moreau Informational [page 1]
Internet-Draft TAKREM-DNSSEC April, 2006
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1 Document Organization . . . . . . . . . . . . . . . . . . . 4
2. Initial Procedures for the Use of TAKREM in the DNSSEC . . . . . . 4
2.1 Initial Generation of Trust Anchor Keys . . . . . . . . . . 4
2.2 Initial Trust Anchor Key Distribution . . . . . . . . . . . 5
3. Trust Anchor Key Rollover Overview . . . . . . . . . . . . . . . . 5
3.1 Usage Scenarios . . . . . . . . . . . . . . . . . . . . . . 6
4. Detailed Zone Management Processing for Trust Anchor Key Rollover 7
4.1 Procedures . . . . . . . . . . . . . . . . . . . . . . . . . 7
4.2 Data Formats . . . . . . . . . . . . . . . . . . . . . . . . 7
5. Resolver Procedures for Trust Anchor Key Rollover . . . . . . . . 8
6. Security Considerations . . . . . . . . . . . . . . . . . . . . . 9
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . . 9
Appendix A - Synopsis of the TAKREM Security Procedure . . . . . . . 10
Appendix B - Hash Function Input Stream Details . . . . . . . . . . . 12
Normative References . . . . . . . . . . . . . . . . . . . . . . . . 14
Informative References . . . . . . . . . . . . . . . . . . . . . . . 14
Document Revision History . . . . . . . . . . . . . . . . . . . . . . 14
From revision -01 to revision -02 . . . . . . . . . . . . . . . 15
From revision -00 to revision -01 . . . . . . . . . . . . . . . 15
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . . 15
IPR Notices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Intellectual Property . . . . . . . . . . . . . . . . . . . . . 16
Derivative Works Limitation . . . . . . . . . . . . . . . . . . 16
Copyright Notice . . . . . . . . . . . . . . . . . . . . . . . . 16
Disclaimer . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Moreau Informational [page 2]
Internet-Draft TAKREM-DNSSEC April, 2006
1. Introduction
The DNS security protocol ([RFC4033], [RFC4034], and [RFC4035]) is
intended to provide DNS data assurance using a "chain of trust"
where the links are public key cryptography digital signatures, and
with a "trust anchor" is tied to one end of the chain. A trust
anchor is a public signature key associated with an "island of
trust" or the DNS root. Trust anchor key rollover relates to the
need to change the KSK (Key Singing Key) of a DNSSEC-aware DNS zone
when the parent zone is DNSSEC-oblivious or absent (i.e.
respectively an island of trust or the DNS root). The present
document addresses trust anchor key distribution issues, and
provides an automated rollover mechanism for trust anchor keys.
The technological capability specified herein rests on four
foundations:
o the DNS security protocol itself ([RFC4033], [RFC4034], and
[RFC4035]),
o the operational guidelines for the DNS security protocol
([RFC2541bis]),
o the SEP DNSKEY Direct Authenticator resource record (SDDA-RR)
specification ([SDDA-RR]), and
o additional security principles and formal specifications
related to cryptographic mechanisms, including references
[ASN1-DER], [RFC2459], and [ISO10118-4].
The present document makes contributions in two directions:
o a mix of formal protocol interoperability provisions and less
formal operational guidelines, where the security foundation
rests on proper performance of both, in contrast to the
limited scope on-the-wire protocol compliance, and
o formal provisions for cryptographic processing, allowing the
security-related computations to succeed in encoding trust
information (by DNS zone managers) and validating compliant
encoded trust information (in DNS resolvers).
Strictly speaking, the present document contains no protocol
provision impacting interoperability for DNS protocol entities not
involved in the present automated trust anchor key rollover scheme.
See also the reference [SDDA-RR], in which interoperability issues
are addressed, e.g. between different trust anchor key management
schemes based on the SDDA resource record.
Otherwise, it would be a double-sided sword to use the [RFC2119]
terminology to specify compliance in the present document. Doing so
might allow an implementation to claim "compliance to a security
standard for trust anchor key" while in fact the confidence in a
trust anchor key will systematically depend on operational
procedures. Moreover, trust anchor key rollover procedures are
spread across the nameserver and resolver dichotomy, and the
respective security principles should be analyzed in isolation.
Accordingly, the present document writing style avoids specifying
what actually allows a resolver to accept a trust anchor key, which
is nonetheless the stated goal of an automated trust anchor key
rollover scheme.
Moreau Informational [page 3]
Internet-Draft TAKREM-DNSSEC April, 2006
1.1 Document Organization
The normative appendix A specifies the TAKREM security procedure,
which is the security foundation for the present document. The
adaptation to the DNSSEC trust anchor rollover operation is covered
in the main part of the document.
The TAKREM procedure requires adaptations to the generation of an
initial trust anchor key, which is covered in section 2 in the case
of DNSSEC. These key generation provisions define some trust anchor
key initialization (TAK-i) data to be configured in DNS resolvers
as a preliminary, out-of-band procedure.
The rollover operation itself is first described in section 3.
The TAKREM procedure implies the publication of a "TAKREM rollover
message," which turns into inserting specialized DNS resource
records as explained in section 4.
The rollover operation is completed with the relying party
validation of the TAKREM rollover message, which turns into DNS
resolver provisions in section 5.
Unambiguous input format specification is critical to
interoperability of cryptographic integrity mechanisms. The
normative appendix B specifies the required unambiguous input
format for the TAKREM procedure. The type of specifications in
appendix B occurs in section 5.3.2. in [RFC4035], in this case for
unambiguous input to a digital signature algorithm in the DNSSEC
protocol itself.
2. Initial Procedures for the Use of TAKREM in the DNSSEC
2.1 Initial Generation of Trust Anchor Keys
The secure generation of signature key pairs by zone managers is an
implicit procedural requirement for support of the DNSSEC
specifications. While the original DNSSEC requires a single
signature key pair to be generated (appendix A notation
"<r[0],R[0]>"), the present document assumes that a different
procedure is being followed. Specifically, the TAKREM procedure
requires the initial generation of a series of future signature key
pairs (appendix A notation "<r[i],R[i]>" for "0<i<=n"), and the
computation of a series of cryptographic hash code values (appendix
A notation "D[i]" for "0<i<=n"). This computation uses the hash
function input syntax specification in appendix B.
The number of future key pairs (appendix A notation "n") should
accommodate the expected lifetime of the DNSSEC service for the
domain, and the trust anchor cryptoperiod policy: it might be in
the order of tens or hundreds.
The zone manager should safeguard the relevant data independently
Moreau Informational [page 4]
Internet-Draft TAKREM-DNSSEC April, 2006
for each future signature key pair (appendix A notation
"<r[i],R[i],N[i],p[i],s[i]>"). Bar code printouts in tamper-evident
sealed envelopes appears as a suitable storage media for storage of
individual key pairs in separate components. The term "dead
storage" applies to this storage type because the cryptographic key
material is remote from any live digital computing device.
2.2 Initial Trust Anchor Key Distribution
With the original DNSSEC, the signature public key (appendix A
notation "R[0]") is initially distributed with the domain name as
the initial trust anchor key, and the signature private key
(appendix A notation "r[0]") is put into production (e.g. to sign
ZSK DNSKEY resource records).
Initial trust anchor distribution mechanisms are outside of the
DNSSEC specifications. The TAKREM proposal does not change this.
However, the initial trust anchor configuration data (appendix A
notation "R[0]") is replaced by an integer reference number "f" and
the series of cryptographic hash code values. The integer reference
number "f" is a 32-bit value. For a given domain name, the integer
value range from "f+1" to "f+n" should not be re-used by another
initial trust anchor configuration.
In summary, in a resolver the initial trust anchor configuration is
received as TAK-i data comprising, for each domain name subject to
the present automated rollover scheme:
1) the domain name,
2) a series of cryptographic hash code values (appendix A
notation "D[1], D[2], ..., D[n]"), and
3) a 32-bit integer reference value "f".
No special attention is paid to the hash code values and the
reference at this initial configuration time: they are simply kept
for later reference. At a later time, the resolver is able to
support the automated trust anchor key rollover procedure specified
in the following document section.
3. Trust Anchor Key Rollover Overview
For trust anchor key rollover, the present document specifies that
the new signature key pair (appendix A notation "<r[i],R[i]>" for
some "i" in the range "0<i<=n") is not to be generated, but rather
retrieved from the storage of future keys initially generated per
above subsection 2.1 for the same domain name. This rule is not
enforced by cryptographic means, but if the new key has a different
domain name, it can not be authenticated with the present scheme.
In addition to the retrieval of the next digital signature key pair
from secure storage, the TAKREM basic procedure mandates the
publication of a rollover message, which for DNSSEC purposes turns
into the simultaneous publication of an SDDA resource record with
the DNSKEY record. The generic format for the SDDA record is
specified in [SDDA-RR] and its application to TAKREM is specified
Moreau Informational [page 5]
Internet-Draft TAKREM-DNSSEC April, 2006
in the present document section 4. An SDDA records "targets" a
DNSKEY record, alike a parental DS record.
Accordingly, the DNS trust anchor rollover (augmented with TAKREM)
can be described as a three phase procedure.
o In the first phase, the zone manager retrieves the relevant
data for the future signature key pair (appendix A notation
"<r[i],R[i],N[i],p[i],s[i]>") and sets
a) the new signature private key (appendix A notation
"r[i]") in the protected computing environment used for
generating zone digital signatures,
b) the new signature public key (appendix A notation "R[i]")
in a DNSKEY resource record, and
c) the key tag for the new signature public key and the
other TAKREM rollover message elements (appendix A
notation "<R[i],N[i],p[i],s[i]>"), plus the value "f+i",
where "f" is the 32-bit reference described in the above
subsection 2.2, in an SDDA resource record.
The zone manager includes the new DNSKEY record and the SDDA
record targeting it in the zone data at the same zone version
update. Obituary SDDA RRs may be added to signal or confirm
the expiry of a DNSKEY RR that is no longer present in the
DNSKEY RRset, or should never be present (obituary SDDA RRs
are defined in section 2.2.5 of [SDDA-RR]). Furthermore, the
zone signing operation must include an RRSIG record targeting
the SDDA RRset and using the new signature key. There are
mandatory provisions in section 2.4 of [SDDA-RR] for the
simultaneous publication of such DNSKEY, SDDA, and RRSIG
records. The simultaneous publication of these records in a
zone data completes the zone manager duties specific to a
trust anchor key rollover operation according to the present
authentication scheme.
o The second phase is the new KSK usage in DNS zone signing
according to DNSSEC specifications. If the new DNSKEY record
is to be authenticated also by a parental DS record, this
second phase may be delayed until this DS record has been
included in the parental zone.
o The third phase is run by resolvers having received the TAK-i
data configuration for this domain name. This is specified in
section 5.
3.1 Usage Scenarios
The manager of an island of trust or the DNS root can use the
present authentication scheme for trust anchor rollover, provided
the TAK-i data distribution was done according to the above
subsection 2.2.
A normal secure child zone may also use the present rollover
scheme, e.g. if it is suspected that some DNS resolver would not
Moreau Informational [page 6]
Internet-Draft TAKREM-DNSSEC April, 2006
have a trust anchor for validating the parent zone signatures.
In any case, only the DNS resolvers having been configured with the
TAK-i data for a domain name can authenticate its trust anchor
using the present authentication scheme.
4. Detailed Zone Management Processing for Trust Anchor Key Rollover
4.1 Procedures
This section specifies how a zone manager creates at once the SDDA
record and the targeted DNSKEY record for a trust anchor key
rollover. The DNSKEY record must have both the "Zone Key" and
"Secure Entry Point" flags set to 1. The lifetime of an SDDA record
should be the same as the one in the targeted DNSKEY.
The intended cryptoperiod for the DNSKEY signature public key
should be reflected in the SDDA record field pair for
Authentication Expiration and Authentication Inception.
Specifically, after the earliest SDDA expiration time ever
published for a given target DNSKEY signature public key, the zone
manager must not reuse the same signature public key value again.
Likewise, before the latest inception time ever published for a
given target DNSKEY signature public key, the zone manager must not
use the signature public key.
The DNS publication of the DNSKEY and SDDA records create or
augment corresponding RRsets. The RRSIG signatures for these DNSKEY
and SDDA RRsets are specified respectively in section 2.2 of
[RFC4035], and in section 2.4 of [SDDA-RR].
4.2 Data Formats
This section specifies the TAKREM application of SDDA RR wire
format and formation, using the notation from appendix A. The
generic provisions of [SDDA-RR] apply to the SDDA record formation
and the targeting to the appropriate DNSKEY record.
The SDDA RR Authentication Mechanism Type field ([SDDA-RR] section
2.2.3) must contain 1 for the present document to apply.
The SDDA RR Authentication Context Type field ([SDDA-RR] section
2.2.4) should be 2 or 0.
o When this field value is 2, the 32-bits opaque value in the
Authentication Context Data field must hold the value "f+i".
From the value "f+i", a resolver can efficiently identify a
most probable candidate digest "D[i]" for TAKREM hash code
validation.
o When the Authentication Context Type field is 0, the SDDA RR
Authentication Context Data field is absent.
o Other Authentication Context Type values may be used provided
a prior arrangement allowing relying parties to identify the
relevant initial trust anchor configuration.
Moreau Informational [page 7]
Internet-Draft TAKREM-DNSSEC April, 2006
The SDDA RR must contain one set of Algorithm-Related fields
([SDDA-RR] section 2.2.10). For the Authentication Algorithm Type
field ([SDDA-RR] section 2.2.10.1) within this set, the currently
allocated values are
o 1: MASH-1 as defined in [ISO10118-4], and
o 2: MASH-2 as defined in [ISO10118-4],
encoded as a single octet binary field value.
Two MASH parameters, respectively "N[i]", a large composite number
of unknown factorization, and "p[i]", a large prime number,
populate the Authentication Algorithm Common Parameters field
([SDDA-RR] section 2.2.10.2) in the SDDA RR wire format. Each of
"N[i]" and "p[i]" is encoded as a variable length unsigned integer
prefixed by a length indication: the unsigned integer length in
octets is represented as one octet if it is in the range of 1 to
255 and by a zero octet followed by a two octet length if it is
longer than 255 bytes. Leading zero bytes should be omitted from
the unsigned integer representation.
The SDDA RR Authentication Mechanism Data field ([SDDA-RR] section
2.2.11) comprises a length indication as in the preceding paragraph
holding the length (octet count) of the TAKREM rollover message
salt field "s[i]", followed by an octet stream of this length,
encoding this salt field in binary form. The encoded salt may
contain leading zeroes.
5. Resolver Procedures for Trust Anchor Key Rollover
The present authentication scheme uses the generic DNS rollover
procedures specified in section 3 of reference [SDDA-RR]. The
present document section provides the required details for a
complete DNS resolver procedure specifications.
A resolver may process an SDDA record by first matching the DNSKEY
record pointed by the SDDA record, then reconstructing a TAKREM
digest from the DNSKEY and SDDA record, and finally checking the
presence of an identical digest value "D[i]" among the TAK-i data
that the resolver may have accepted as part of trusted
configuration.
As can be inferred from other portions of this document, a resolver
should validate the authenticity of a DNS resource record pair SDDA
plus linked DNSKEY with the SDDA having an Authentication Mechanism
Type set to 1 as if they provide a TAKREM rollover message. This
validation is based on a number of data elements:
o the DNSKEY RR linked to the SDDA RR, providing the public key
component "R[i]" of the TAKREM MASH input stream (in the case
of an obituary SDDA RR, the DNSKEY value is taken from the DNS
resolver state information),
o the field contents from the SDDA RR Authentication Mechanism
Data field, providing the salt component "s[i]" of the TAKREM
MASH input stream, and
o the two large integer values from the SDDA RR Authentication
Moreau Informational [page 8]
Internet-Draft TAKREM-DNSSEC April, 2006
Algorithm Common Parameters field, providing the MASH
parameters "N[i]" and "p[i]", thus revealing the specific MASH
function used in the computation of the hash code outputs in
the TAK-i data configuration,
from which a TAKREM MASH input stream must be reconstructed
according to appendix B, using values "s[i]", "R[i]", "N[i]",
"p[i]". Then the resolver computes a TAKREM rollover message hash
code according to the integer value from the Authentication
Algorithm Type field (either 1 or 2), providing the selection among
the MASH-1 and MASH-2 variants. Finally, the computed message hash
code is checked for equality with any of the trusted digests "D[i]"
from the initial TAK-i data configurations associated with the
relevant domain name. If the SDDA RR Authentication Context Type
field holds the value 2, the SDDA RR Authentication Context Data
field provides a 32-bit reference value "f+i" that provides a hint
for selecting a candidate digest "D[i]". If no matching trusted
digests "D[i]" can be found, the resolver should abstain from
granting a trust anchor status to the DNSKEY record (or an obituary
SDDA RR should be considered bogus).
6. Security Considerations
The TAKREM security effectiveness rests more on end-to-end
cryptographic properties than on particulars of DNS protocol
operations.
The malicious parties will typically attempt to circumvent the
cryptographic computations, notably by exploiting mishaps in manual
procedures (e.g. attempting to read a signature private key file)
or in implementation weaknesses (e.g. inadequate integrity
protection of resolver configuration).
7. IANA Considerations
The present document provides a specification for the
authentication scheme identified by the value "1" in the SDDA
record Authentication Mechanism Type field. The SDDA record
Authentication Mechanism Type name space is created in the
reference [SDDA-RR], where the assigned value "1" registration is
originally requested.
There are no additional IANA considerations.
Moreau Informational [page 9]
Internet-Draft TAKREM-DNSSEC April, 2006
Appendix A - Synopsis of the TAKREM Security Procedure
In this appendix, the TAKREM security procedure is described
without reference to the DNS protocols. This appendix is normative.
The purpose of any key management scheme is to preserve the
cryptographic properties of algorithms. For TAKREM, this is further
covered in reference [CONNOTECH].
We use the notation "R[i]" for the public trust anchor key "R[i]",
with the private key counterpart "r[i]".
The zone owner establishes key pairs "<r[0],R[0]>", "<r[1],R[1]>",
"<r[2],R[2]>", ..., "<r[n],R[n]>", allocating the pair
"<r[0],R[0]>" as the initial trust anchor key pair, and reserving
each key pairs "<r[i],R[i]>" for the cryptoperiod starting with the
"i"'th trust anchor renewal, for "1<=i<=n".
Actually, the initial key pair "<r[0],R[0]>" is not essential; the
DNS resolver may bootstrap with the validation of the key pair
"<r[1],R[1]>" using the normal TAKREM rollover validation
procedure. The initial key pair "<r[0],R[0]>" is mentioned to
relate the TAKREM description to the prior procedure of manual
trust anchor key configuration.
A separate MASH (Modular Arithmetic Secure Hash) instance "H[i]" is
created for each "R[i]". MASH is defined in International standard
document ISO/IEC 10118-4:1998 ([ISO10118-4]).
That is, the zone owner selects a large composite modulus number
"N[i]" used in the MASH round function and a prime number "p[i]"
used in the MASH final reduction function.
Then, the zone owner selects a random salt field "s[i]".
A hash computation gives a root key digest "D[i]" :
"D[i]=H[i](s[i]|R[i]|N[i]|P[i])" .
The digest "D[i]" is like an advanced notice of future trust anchor
key "R[i]".
The data tuple "<r[i],R[i],N[i],p[i],s[i]>" is set aside in dead
storage.
The trust anchor key initial distribution is
"R[0], D[1], D[2], ..., D[n]" .
Security rationale: with data tuple "<r[i],R[i],N[i],p[i],s[i]>"
totally concealed until the usage period for key pair
"<r[i],R[i]>", an adversary is left with the digest "D[i]" from
which it is deemed impossible to mount a brute force attack.
Moreau Informational [page 10]
Internet-Draft TAKREM-DNSSEC April, 2006
A trust anchor key rollover is triggered by a rollover message
carrying the following information:
"i,<R[i],N[i],p[i],s[i]>" .
Upon receipt of this message, the DNS resolver becomes in a
position to validate the trust anchor key digest "D[i]".
Moreau Informational [page 11]
Internet-Draft TAKREM-DNSSEC April, 2006
Appendix B - Hash Function Input Stream Details
This appendix is normative.
The TAKREM rollover message processing requires the unambiguous
definition of a cryptographic hash function input stream in a
format not necessarily typical of the DNS RR formatting rules. The
input format is based on the ASN.1 distinguished encoring rules
[ASN1-DER]. The input format is based on the X.509 public key
encoding standard. In addition to providing an unambiguous
canonical encoding, this approach supports the inclusion of new
digital signature algorithms in the initial TAK-i data
configuration.
The TAKREM MASH input stream to be (re)constructed is the ASN.1 DER
encoding for a value of the ASN.1 type defined as:
SEQUENCE {
OCTET STRING SIZE(20..MAX),
-- salt field "s[i]", SDDA RR
-- Authentication Mechanism Data field
[1] IMPLICIT SEQUENCE { -- SubjectPublicKeyInfo "R[i]"
-- in RFC2459
SEQUENCE { -- AlgorithmIdentifier in RFC2459
algorithm OBJECT IDENTIFIER,
parameters ANY DEFINED BY algorithm OPTIONAL
}
subjectPublicKey BIT STRING
-- public key encoded as a "subjectPublicKey"
-- per RFC 2459, or per encoding rules for the
-- subject public key algorithm
}
INTEGER, -- the MASH parameter "N[i]"
INTEGER -- the MASH parameter "p[i]"
}
In (re)constructing the MASH input stream, the ASN.1 encoding shall
omit the optional fields that are "witness values" that allow
verification of either number-theoretic properties intrinsic to the
public key value, or the unbiased selection of random public key
parameters (e.g. in [RC2459] for the Diffie-Hellman cryptosystem).
Such fields may occur in the "parameters" ASN.1 field above, and/or
in the "subjectPublicKey" ASN.1 field above
Other optional fields should be provided in the ASN.1 encoding of a
public key. Some optional fields are required for the complete
knowledge of a public key value and must be retained (e.g. the
three DSA common parameters are required even if they are encoded
in an optional field of an ASN.1 sequence). In the case of RSA
public keys, the X.509 mandates a NULL field in the
AlgorithmIdentifier ASN.1 structure, which must be retained
according to the present specification.
Moreau Informational [page 12]
Internet-Draft TAKREM-DNSSEC April, 2006
In doing the above encoding conversion from the DNS encoding to
ASN.1 encoding inspired from the X.509 specifications, the public
key information is stripped of some usage control data. That is, a
given type of public key might be allowable with a number of
digital signature algorithms. The TAKREM mechanism specified in the
body of this document protects the public key value with the type
of public key, but not with a specific digital signature algorithm.
Specifically, this allows RSA public keys to be used in the future
with hash algorithms different from SHA-1, but also omit to protect
against the use of weaker algorithms once stronger algorithms are
deployed.
The current digital signature algorithms allowed for DNS zone
signing are limited to RSA and DSA, plus the unspecified private
algorithms. For RSA (resp. DSA), the ASN.1 encoding specification
is in section 7.3.1 (resp. 7.3.3) in [RFC2459]. For private
algorithms, a similar public key encoding specification should be
relied upon.
Moreau Informational [page 13]
Internet-Draft TAKREM-DNSSEC April, 2006
Normative References
[ASN1-DER] International Standard ISO/IEC 8825-1, ITU-T
Recommendation X.690, "Information technology ASN.1
encoding rules: Specification of Basic Encoding Rules
(BER), Canonical Encoding Rules (CER) and Distinguished
Encoding Rules (DER)", July 2002
[ISO10118-4] International standard document ISO/IEC 10118-4:1998,
"Information technology - Security techniques -
Hash-functions - Part 4: Hash-functions using modular
arithmetic"
[RFC2459] R. Housley, W. Ford, W. Polk, D. Solo, "Internet X.509 Public
Key Infrastructure Certificate and CRL Profile", RFC 2459,
January 1999
[RFC4033] R. Arends, R. Austein, M. Larson, D. Massey, S. Rose, "DNS
Security Introduction and Requirements", RFC 4033, March 2005
[RFC4034] R. Arends, R. Austein, M. Larson, D. Massey, S. Rose,
"Resource Records for the DNS Security Extensions", RFC 4034,
March 2005
[RFC4035] R. Arends, R. Austein, M. Larson, D. Massey, S. Rose,
"Protocol Modifications for the DNS Security Extensions",
RFC 4035, March 2005
[SDDA-RR] T. Moreau, "The SEP DNSKEY Direct Authenticator DNS Resource
Record (SDDA-RR)", work-in-progress, Internet Draft
draft-moreau-dnsext-sdda-rr-02.txt, April 2006
Informative References
[CONNOTECH] Thierry Moreau, "A Note About Trust Anchor Key
Distribution", CONNOTECH Experts-conseils inc., Document
Number C003444, 2005/07/05,
http://www.connotech.com/takrem.pdf
[RFC2119] S. Bradner, "Key words for use in RFCs to Indicate Requirement
Levels", RFC2119, March 1997
[RFC2541bis] O. Kolkman, R. Gieben, "DNSSEC Operational Practices",
[[Internet-Draft
draft-ietf-dnsop-dnssec-operational-practices-08.txt,
March 6, 2006, approved for RFC publication obsoleting
RFC2541]]
Document Revision History
[[This document section to be removed upon RFC publication.]]
Moreau Informational [page 14]
Internet-Draft TAKREM-DNSSEC April, 2006
>From revision -01 to revision -02
Major document editing with some technical changes and corrections,
including:
a) Document made informational instead of standard track, made
explicit the non-use of RFC2119 keywords, and indicated the
explicit avoidance of a basis for compliance statements (in
revised introduction text).
b) Moved some provisions about resolver process to the [SDDA-RR]
document.
c) Removed text that provided some design rationales.
d) Removed the initial public key "R[0]" in the TAK-i
configuration, avoiding a design bug, i.e. the lack of
expiration time and obituary capability for public key "R[0]"
(left public key "R[0]" in the text it as a tutorial
convenience).
e) Fixed a design bug with the introduction of the obituary SDDA,
luckily with no impact on services provided by the TAKREM for
DNSSEC scheme.
f) The IANA considerations were stipulated as emty.
>From revision -00 to revision -01
a) Changed the encoding for "N[i]", "p[i]", "s[i]" in section
4.2, making it alike the RSA public key exponent encoding in
DNSKEY RR.
b) Alignments with the technical changes in the revision -01 of
[SDDA-RR].
c) Minor editorial clarifications and corrections.
Author's Address
Thierry Moreau
CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, Qc, Canada
Tel.: +1-514-385-5691
e-mail: thierry.moreau@connotech.com
Moreau Informational [page 15]
Internet-Draft TAKREM-DNSSEC April, 2006
IPR Notices
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed
to pertain to the implementation or use of the technology described
in this document or the extent to which any license under such
rights might or might not be available; nor does it represent that
it has made any independent effort to identify any such rights.
Information on the ISOC's procedures with respect to rights in ISOC
Documents can be found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use
of such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository
at http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Derivative Works Limitation
This document may not be modified, and derivative works of it may
not be created, except to publish it as an RFC and to translate it
into languages other than English.
Copyright Notice
Copyright (C) The Internet Society (2006).
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
Disclaimer
This document and the information contained herein are provided on
an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE
REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND
THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT
THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR
ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A
PARTICULAR PURPOSE.
Moreau Informational [page 16]