RFC 3755:Legacy Resolver Compatibility for Delegat...
RFC-Ref

DNSSEC



... The DNSSEC protocol has been through many iterations whose syntax and semantics are not completely compatible. This has occurred as part of the ordinary process of proposing a protocol, implementing it, ...
... Internet, and refining the definitions of the initial Proposed Standard. In the case of DNSSEC, the process has been complicated by DNS's criticality and wide deployment ...
... implementors largely on their own to determine many details of resolver function. This, combined with the number of iterations the DNSSEC specifications have been through, has resulted in fielded code with a wide variety of ...
... unsecure delegations being invisible to 2535-aware resolvers and violates the basic architectural principle that DNSSEC must do no harm -- the signing of zones must not prevent the resolution of unsecured delegations ...


... This will leave legacy resolvers and tools completely blinded to DNSSEC -- they will see only unknown RRs. ...
... Another way to keep legacy resolvers from ever seeing DNSSEC records with DS semantics ...
... DS-awareness (tentatively called "DA"), and having authoritative servers send DNSSEC data only in response to queries with the DA ...
... versions than they support, and retain the DO bit as the signal for DNSSEC awareness. This approach has not been tested. ...
... There is a large deployed base of DNS resolvers that understand DNSSEC as defined by the standards track RFC 2535(-> 4035prop | 4034prop | 4033prop) and [RFC2065] and, ...
... unsecure delegations, lest those delegations be invisible to such a large installed base. This will dramatically slow DNSSEC adoption. ...
... operators of resolvers to upgrade their software to support the new version of DNSSEC, as defined in RFC 3658(-> 4035prop | 4034prop | 4033prop). Historical data suggests that resolvers are rarely upgraded, and that old nameserver ...
... signing zones and allow widespread deployment of DNSSEC. ...


... RRSIG and NSEC RRs are not downcased for purposes of DNSSEC canonical form and ordering nor for equality comparison ...
... RRs and SHOULD NOT assign any special meaning to them or give them any special treatment. It MUST NOT use them for DNSSEC validations or other DNS ...


... To allow zone signing (DNSSEC) and transaction security mechanisms ...
... DNSKEY contains an eight bit protocol field. The only defined value for this field is 3 (DNSSEC). No other values are allowed, hence no IANA registry is needed for this ...


... scrutiny. Doing nothing, as described in section 2.5, will slow DNSSEC deployment. While this does not decrease security ...


... Conrad, D., "Indicating Resolver Support of DNSSEC", RFC 3225prop, December 2001. ...

