RFC 4035: Protocol Modifications for the DNS Securi...

security-aware



... name server behavior necessary for handling signed zones. Section 4 describes the behavior of entities that include security-aware resolver functions. Finally, Section 5 defines how to use DNSSEC RRs ...


... This section describes the behavior of entities that include security-aware name server functions. In many cases such functions will be part of a security-aware recursive name server, but a security-aware authoritative name server has some of the same requirements. Functions specific to security-aware recursive name servers are described in Section 3.2; functions specific to authoritative servers are described in Section 3.1. ...
... RFC1034]. A security-aware name server MUST support the EDNS0 ([RFC2671 ...
... issues. A security-aware name server that receives a DNS query that does not ...
... bit. The CD bit is controlled by resolvers; a security-aware name server MUST copy the CD bit ...
... query into the corresponding response. The AD bit is controlled by name servers; a security-aware name server MUST ignore the setting of the AD bit ...
... RR DO bit ([RFC3225]) set, a security-aware authoritative name server for a signed zone MUST include additional RRSIG, NSEC ...
... When responding to a query that has the DO bit set, a security-aware authoritative name server SHOULD attempt to send RRSIG RRs that a security-aware resolver can use to authenticate the RRsets in the response. A name server ...
... the SOA or NS RRs at the apex of a signed zone, a security-aware authoritative name server for that zone MAY return the zone apex ...
... When responding to a query that has the DO bit set, a security-aware authoritative name server for a signed zone MUST include NSEC RRs ...
... As explained above, there are several situations in which a security-aware authoritative name server has to locate an NSEC RR ...
... When responding to a query that has the DO bit set, a security-aware authoritative name server returning a referral includes DNSSEC ...
... RRset. A security-aware resolver sends queries to the parent zone when looking for a needed DS RR ...
... network configuration that forces a security-aware resolver to channel its queries through a ...
... security-oblivious recursive name server). The rest of this section describes how a security-aware name server processes DS queries ...
... order to avoid this problem. The need for special processing by a security-aware name server only arises when all the following conditions are met: ...
... AD bits are designed for use in communication between security-aware resolvers and security-aware recursive name servers. These bits are for the most part not relevant to query processing by security-aware authoritative name servers. A security-aware name server does not perform signature validation ...
... query processing, even when the CD bit is clear. A security-aware name server SHOULD clear the CD bit when composing an authoritative response. A security-aware name server MUST NOT set the AD bit in a response ...
... name server considers all RRsets in the Answer and Authority sections of the response to be authentic. A security-aware name server's local policy MAY consider data from an authoritative ...
... configured explicitly. A security-aware name server that supports recursion MUST follow the rules for the CD ...
... As explained in [RFC4033], a security-aware recursive name server is an entity that acts in both the security-aware name server and security-aware resolver roles. This section uses the terms "name server side" and "resolver side" to refer to the code within a security-aware recursive name server that implements the security-aware name server role and the code that implements the security-aware resolver role, respectively. ...
... The resolver side follows the usual rules for caching and negative caching that would apply to any security-aware resolver. ...
... The resolver side of a security-aware recursive name server MUST set the DO bit ...
... The CD bit exists in order to allow a security-aware resolver to disable signature validation in a security-aware name server's processing of a particular query ...
... The name server side of a security-aware recursive name server MUST pass the state ...
... checks while protecting clients that depend on the resolver side of a security-aware recursive name server to perform such checks. Several of the possible reasons why signature ...
... The name server side of a security-aware recursive name server MUST NOT set the AD bit ...


... This section describes the behavior of entities that include security-aware resolver functions. In many cases such functions will be part of a security-aware recursive name server, but a stand-alone security-aware resolver has many of the same requirements. Functions specific to security-aware recursive name servers are described in Section 3.2. ...
... A security-aware resolver MUST include an EDNS ([RFC2671]) OPT pseudo ...
... queries. A security-aware resolver MUST support a message size of at least 1220 octets, SHOULD support a message size ...
... to advertise the message size that it is willing to accept. A security-aware resolver's IP layer MUST handle fragmented UDP packets ...
... A security-aware resolver MUST support the signature verification mechanisms described in Section 5 and SHOULD apply them to every ...
... received response, except when: o the security-aware resolver is part of a security-aware recursive name server, and the response is the result of recursion on behalf ...
... query generated directly via some form of application interface that instructed the security-aware resolver not to perform validation for this query ...
... query has been disabled by local policy. A security-aware resolver's support for signature verification MUST include support for verification ...
... wildcard owner names. Security-aware resolvers MAY query for missing security RRs ...
... When attempting to retrieve missing NSEC RRs that reside on the parental side at a zone cut, a security-aware iterative-mode resolver MUST query the name servers for the parent zone, not the child zone. ...
... When attempting to retrieve a missing DS, a security-aware iterative-mode resolver MUST query the name servers for the parent zone, not the child zone. As explained in Section 3.1.4.1, security-aware name servers need to apply special processing rules to handle the DS RR ...
... A security-aware resolver MUST be able to determine whether it should expect a particular RRset to be signed. More precisely, a security-aware resolver must be able to distinguish between four cases: ...
... not able to obtain the necessary DNSSEC RRs. This can occur when the security-aware resolver is not able to contact security-aware name servers for the relevant zones. ...
... A security-aware resolver MUST be capable of being configured with at least one trusted public key or DS RR ...
... public keys or DS RRs. Since a security-aware resolver will not be able to validate signatures ...
... A security-aware resolver SHOULD cache each response as a single atomic entry containing the entire answer, including the named RRset ...
... RRSIG record, it is possible to deduce that an answer was synthesized from a wildcard. A security-aware recursive name server could store this wildcard ...
... 2. NSEC RRs received to prove the non-existence of a name could be reused by a security-aware resolver to prove the non-existence of any name in the name range it spans. ...
... A security-aware resolver MAY set a query's CD bit in order to ...
... the response. See Section 3.2 for the effect this bit has on the behavior of security-aware recursive name servers. A security-aware resolver MUST clear the AD bit when composing query ...
... To prevent such unnecessary DNS traffic, security-aware resolvers MAY cache data with invalid signatures ...
... Section 3.2.2 for discussion of how the responses returned by a security-aware recursive name server interact with a BAD cache. ...
... A validating security-aware resolver MUST treat the signature of a valid ...
... A security-aware stub resolver MUST support the DNSSEC RR types, at ...
... A non-validating security-aware stub resolver MAY include the DNSSEC RRs returned by a security-aware recursive name server as part of the data that the stub resolver hands back to the application that ...
... name server. A validating security-aware stub resolver MUST set the DO bit, because otherwise it will not receive the DNSSEC RRs ...
... A non-validating security-aware stub resolver SHOULD NOT set the CD bit when sending queries unless it is requested by the application layer, as by definition, a non-validating stub resolver depends on the security-aware recursive name server to perform validation on its behalf. A validating security-aware stub resolver SHOULD set the CD bit, because otherwise the security-aware recursive name server will answer the query ...
... A non-validating security-aware stub resolver MAY choose to examine the setting of the AD bit in response messages that it receives in order to determine whether the security-aware recursive name server that sent the response claims to have cryptographically verified the ...
... Authority sections of the response message. Note, however, that the responses received by a security-aware stub resolver are heavily dependent on the local policy of the security-aware recursive name server. Therefore, there may be little practical value in checking the status of the AD bit, except perhaps as a debugging aid. In any case, a security-aware stub resolver MUST NOT place any reliance on signature validation allegedly performed on its behalf, except when the security-aware stub resolver obtained the data in question from a trusted security-aware recursive name server via a secure channel. A validating security-aware stub resolver SHOULD NOT examine the setting of the AD bit in response messages, as, by definition, the ...


... To use DNSSEC RRs for authentication, a security-aware resolver requires configured knowledge of at least one authenticated DNSKEY ...
... DNSSEC (by setting the DO bit), a security-aware name server should attempt to provide the necessary DNSKEY ...
... NSEC, and DS RRsets in a response (see Section 3). However, a security-aware resolver may still receive a response that lacks the appropriate DNSSEC RRs, whether due to configuration issues ...
... RRset exists for the delegated name (see Section 3.1.4). A security-aware resolver MUST query the name servers for the parent zone for the DS ...
... NSEC RR and clear in the parent NSEC RR. A security-aware resolver MUST use the parent NSEC RR when attempting to prove that a DS ...
... A security-aware resolver can use an RRSIG RR to authenticate an ...
... NSEC RRs to prove that an RRset is not present in a signed zone. Security-aware name servers should automatically include any necessary NSEC RRs for signed zones in their responses to security-aware resolvers. Denial of existence is determined by the following rules: ...
... positive response. In addition, security-aware resolvers MUST authenticate the NSEC ...
... NSEC RRsets is not present in a response (perhaps due to message truncation), then a security-aware resolver MUST resend the query in order to attempt to obtain the full collection of NSEC RRs ...


... recursive-mode resolvers. For this reason, use of these control bits by a security-aware recursive-mode resolver requires a secure channel. See Sections 3.2.2 and 4.9 for further discussion. ...
... particular applications, the facilities that DNSSEC provides for stub resolvers may prove inadequate. Operators of security-aware recursive name servers will have to pay close attention to the behavior of the applications that use their services ...


