Hi,

Please find a new version of the requirements for DNSSEC client validators <http://www.ietf.org/id/draft-mglt-dnsop-dnssec-validator-requirements-02.txt>.

I added the requirements at the end of the body, so feel free to have a look at them and comment on them. I think that most of the discussion should be about the use of "private KSK/ZSK". I would be happy to have your opinion on whether we should keep these requirements or not.

Here is the text on private ZSK/KSK. Feel free to comment.

8. Private KSK/ZSK

DNSSEC may also be used in some private environment. Corporate networks and home networks, for example, may want to take advantage of DNSSEC for a local scope network.

Typically, a corporate network may use a local scope KSK / ZSK to validate DNS RRsets provided by authoritative DNSSEC server in the corporate network. This use case is also known as the "split-zone" use case. These RRsets within the corporate network may differ from those hosted on the public DNS infrastructure. Note that using different KSK/ZSK for a given zone may expose a zone to signature invalidation. This is especially the case for DNSSEC validators that are expected to flip-flop between local and public scope. How validators have to handle the various provisioned KSK/ZSKs is out of scope of the document.

Home network may use DNSSEC with TLDs or associated domain names that are of local scope and not even registered in the public DNS infrastructure.

Here are the considered requirements:

R1) DNSSEC validator MUST be provided means to appropriately update their time.
R2) DNSSEC Validator MUST be able to check the validity of their Trust Anchor KSKs.
R3) DNSSEC Validator MUST be able to retrieve their Trust Anchor KSKs.
R4) DNSSEC Validator MUST be able to be informed a ZSK MUST be flushed from cache.
R5) DNSSEC Validator MUST be able to be informed a KSK MUST be flushed from cache.
R6) DNSSEC Validator MUST be able to be informed a KSK SHOULD be trusted as a Trust Anchor KSK.
R7) DNSSEC Validator MUST be able to be informed that a KSK or a ZSK MUST NOT be used for RRSIG validation.
R8) The DNSSEC Validator MUST be able to be informed that a KSK or a ZSK is known "back to secure".
R9) DNSSEC Validator MUST be able to be provided KSK for private use.
R10) DNSSEC Validator MUST be able to be provided ZSK for private use.

---------- Forwarded message ----------
From: <[email protected]>
Date: Tue, Feb 17, 2015 at 8:36 PM
Subject: New Version Notification for draft-mglt-dnsop-dnssec-validator-requirements-02.txt
To: Daniel Migault <[email protected]>

A new version of I-D, draft-mglt-dnsop-dnssec-validator-requirements-02.txt has been successfully submitted by Daniel Migault and posted to the IETF repository.

Name: draft-mglt-dnsop-dnssec-validator-requirements
Revision: 02
Title: DNSSEC Validators Requirements
Document date: 2015-02-16
Group: Individual Submission
Pages: 10
URL: http://www.ietf.org/internet-drafts/draft-mglt-dnsop-dnssec-validator-requirements-02.txt
Status: https://datatracker.ietf.org/doc/draft-mglt-dnsop-dnssec-validator-requirements/
Htmlized: http://tools.ietf.org/html/draft-mglt-dnsop-dnssec-validator-requirements-02
Diff: http://www.ietf.org/rfcdiff?url2=draft-mglt-dnsop-dnssec-validator-requirements-02

Abstract:
DNSSEC provides data integrity and authentication for DNSSEC validators. However, without valid trust anchor(s) and an acceptable value for the current time, DNSSEC validation cannot be performed. This document lists the requirements to be addressed so resolvers can have DNSSEC validation can be always-on.

Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat

--
Daniel Migault
Ericsson
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
