DNS Extensions                                                 R. Arends
Internet-Draft
Expires: April 24, 2003                                        M. Larson
                                                                VeriSign
                                                               D. Massey
                                                                 USC/ISI
                                                                 S. Rose
                                                                    NIST
                                                        October 24, 2002


               DNS Security Introduction and Requirements
                   draft-ietf-dnsext-dnssec-intro-03

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on April 24, 2003.

Copyright Notice

   Copyright (C) The Internet Society (2002).  All Rights Reserved.

Abstract

   The Domain Name System Security Extensions (DNSSEC) provide data
   origin authentication and data integrity.  This document introduces
   these extensions and describes their capabilities and limitations.
   The services that the security extensions provide and do not provide
   are discussed.  Lastly, the group of documents that describe the DNS
   security extensions and their interrelationships is discussed.



Arends, et al.           Expires April 24, 2003                 [Page 1]


Internet-Draft       DNSSEC Intro. and Requirements         October 2002


   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [1].

Table of Contents

   1.    Introduction . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.    Definitions of Important DNSSEC Terms  . . . . . . . . . . .  4
   3.    Services Provided by DNS Security  . . . . . . . . . . . . .  5
   3.1   Data Origin Authentication and Data Integrity  . . . . . . .  5
   3.1.1 Authenticating Name and Type Non-Existence . . . . . . . . .  6
   3.2   Key Distribution . . . . . . . . . . . . . . . . . . . . . .  6
   3.3   Transaction Security . . . . . . . . . . . . . . . . . . . .  7
   4.    Services Not Provided by DNS Security  . . . . . . . . . . .  8
   5.    Resolver Considerations  . . . . . . . . . . . . . . . . . .  9
   6.    Zone Considerations  . . . . . . . . . . . . . . . . . . . . 10
   7.    Server Considerations  . . . . . . . . . . . . . . . . . . . 11
   8.    DNS Security Document Family . . . . . . . . . . . . . . . . 12
   8.1   DNS Security Document Roadmap  . . . . . . . . . . . . . . . 12
   8.2   Categories of DNS Security Documents . . . . . . . . . . . . 12
   9.    IANA Considerations  . . . . . . . . . . . . . . . . . . . . 14
   10.   Security Considerations  . . . . . . . . . . . . . . . . . . 15
   11.   Acknowledgements . . . . . . . . . . . . . . . . . . . . . .