Hi,

Please find a draft that defines DHCP options to provision DNSSEC validators so DNSSEC validation can always be performed.

Feel free to make any comments. I would be happy to have f2f discussion during IETF88 to solve this issue with a more complete document.

Best Regards,
Daniel

URL: http://www.ietf.org/internet-drafts/draft-mglt-homenet-dnssec-validator-dhc-options-02.txt

Abstract:
DNSSEC provides data integrity and authentication for DNSSEC validators. However, without valid trust anchor(s) and an acceptable value for the current time, DNSSEC validation cannot be performed. As a result, there are multiple cases where DNSSEC validation MUST NOT be performed. In addition, this list of exceptions is expected to become larger over time. Considering an increasing number of cases where DNSSEC is disabled adds complexity to the DNSSEC validator implementations and increases the vectors that disable security. This document assumes that DNSSEC adoption by end devices requires that end devices MUST be able to support a DNSSEC validation always set. This MUST be valid today as well as in the future. This document describes DHCP Options to provision the DHCP Client with valid trust anchors and time so DNSSEC validation can be performed.

Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.

---------- Forwarded message ----------
From: <[email protected]>
Date: Mon, Oct 21, 2013 at 9:12 AM
Subject: New Version Notification for draft-mglt-homenet-dnssec-validator-dhc-options-02.txt
To: Daniel Migault <[email protected]>

A new version of I-D, draft-mglt-homenet-dnssec-validator-dhc-options-02.txt has been successfully submitted by Daniel Migault and posted to the IETF repository.

Filename: draft-mglt-homenet-dnssec-validator-dhc-options
Revision: 02
Title: DNSSEC Validators DHCP Options
Creation date: 2013-10-21
Group: Individual Submission
Number of pages: 12
URL: http://www.ietf.org/internet-drafts/draft-mglt-homenet-dnssec-validator-dhc-options-02.txt
Status: http://datatracker.ietf.org/doc/draft-mglt-homenet-dnssec-validator-dhc-options
Htmlized: http://tools.ietf.org/html/draft-mglt-homenet-dnssec-validator-dhc-options-02
Diff: http://www.ietf.org/rfcdiff?url2=draft-mglt-homenet-dnssec-validator-dhc-options-02

The IETF Secretariat

--
Daniel Migault
Orange Labs -- Security
+33 6 70 72 69 58
