RFC 3755:Legacy Resolver Compatibility for Delegat...
RFC-Ref

A - B - C - D - E - F - G - I - L - M - N - O - P - Q - R - S - T - U - V - W - Z

RR

Click on the red underlined text to get to the source

1. Introduction
... DS) [RFC3658] introduction of new semantics for the NXT RR that are incompatible with the semantics in [RFC2535 ...
... Delegation Signer (DS) introduces new semantics for the NXT RR that are incompatible with the semantics in RFC 2535(-> 4035prop | 4034prop | 4033prop) ...
... DS, an unsecure referral returns, in addition to the NS, a proof of non-existence of a DS RR in the form of an NXT and SIG ...


2. Possible Solutions
... The obvious drawback to this is that new resolvers will not be able to validate zones signed with the old RRs. This problem already exists, however, because of the changes made by DS, and resolvers ...
... exists, however, because of the changes made by DS, and resolvers that understand the old RRs (and have compatibility issues with DS) ...
... tools completely blinded to DNSSEC -- they will see only unknown RRs. ...
... EDNS0 flags, this is not a universal solution. It could, though, be considered in addition to changing the RR type codes. ...


3. Protocol changes
... To avoid operational confusion, it's also necessary to change the mnemonics for these RRs. DNSKEY will be the replacement for KEY, with the mnemonic ...
... RFC3597], domain names embedded in RRSIG and NSEC RRs MUST NOT be compressed, 2) Embedded domain names ...
... 2) Embedded domain names in RRSIG and NSEC RRs are not downcased for purposes of DNSSEC canonical form ...
... If a resolver receives the old types, it SHOULD treat them as unknown RRs and SHOULD NOT assign any special meaning to them or give them any special treatment. It MUST NOT use them for DNSSEC validations ...
... If SIG, KEY, or NXT RRs are included in a zone, they MUST NOT receive special treatment. As an example, if a SIG is included in a signed ...
... particularly wildcard proofs and unsecure referrals, will contain NSEC RRs. Resolvers MUST NOT treat answers with NSEC RRs as negative answers merely because they contain an NSEC ...
... wildcard proofs and unsecure referrals, will contain NSEC RRs. Resolvers MUST NOT treat answers with NSEC RRs as negative answers merely because they contain an NSEC. ...


4. IANA Considerations
... by assigning types 46, 47, and 48 to the RRSIG, NSEC, and DNSKEY RRs, respectively. ...
... DNSKEY, RRSIG, and DS RRs. Only algorithms usable for SIG(0) and/or TSIG ...
... TSIG may be used in SIG and KEY RRs. All currently defined algorithms ...


6. References
... Secret Key Establishment for DNS (TKEY RR)", RFC 2930prop, September 2000. ...
... Delegation Signer (DS) Resource Record (RR)", RFC 3658(-> 4035prop | 4034prop | 4033prop), December 2003. ...
... Massey, D., and S. Rose, "Limiting the Scope of the KEY Resource Record (RR)", RFC 3445(-> 4035prop | 4034prop | 4033prop), December 2002. ...
... Gustafsson, A., "Handling of Unknown DNS Resource Record (RR) Types", RFC 3597prop, September 2003. ...

A - B - C - D - E - F - G - I - L - M - N - O - P - Q - R - S - T - U - V - W - Z

Google
Web
RFC-Ref
RFC-Ref.org
Frontpage
Global Index
RFC
Sister Sites
Chess-Ref.org
Law-Ref.org
InChI.info
Zvon.org