RFC 3130 (rfc3130) - Page 2 of 10

Notes from the State-Of-The-Technology: DNSSEC

Alternative Format: Original Text Document
< Previous
Next >
RFC 3130              DNSSEC Status Meeting Report             June 2001


   The agenda of the meeting consisted of three items.  Reports from
   each group on their current research goals were followed by a
   discussion of questions being asked of DNSSEC.  Finally, with
   reaching Draft Standard status as a goal, what was needed to make
   this happen was considered.

   This report is not simply a transcript of the meeting, it is a
   summary.  Some of the information presented here was obtained in
   direct contact with participants after the meeting.

1.1 What does the term "DNSSEC" mean?

   One of the comments made during discussions is that DNSSEC does not
   refer to just one monolithic technology.  The term has come to refer
   to "toolbox" of techniques and methodologies, that when used properly
   can improve the integrity of the DNS.  Given this observation, it can
   be seen that some portions of DNSSEC are evolving much more rapidly
   than other portions.  In particular, TSIG [RFC 2845] has certainly
   reached a level "being deployable" for zone transfers.

   The following four components are considered to be part of DNSSEC.
   The concept of digital signature protection of DNS traffic as
   described in RFC 2535 and a few support documents (such as [RFC
   3008]), which is designed to protect the transfer of data on an
   Internet scale.  The concept of protecting queries and responses
   through the less-scalable but more efficient TSIG mechanism [RFC
   2845], which has applicability to zone transfers, DHCP registrations,
   and other resolver to name server traffic.  Secure dynamic updates
   [RFC 3007], by virtue of using TSIG, can be considered to be part of
   DNSSEC.  Finally, the definition of the CERT resource record [RFC
   2538] gives DNS the ability to become a distribution mechanism for
   security data.

   This definition of the components of DNSSEC is in no way definitive.
   To be honest, this is a somewhat artificial grouping.  DNSSEC does
   not encompass all of the security practiced in DNS today, for
   example, the redefinition of when and how data is cached [RFC 2181],
   plays a big role in hardening the DNS system.  The four elements of
   DNSSEC described in the previous paragraph are grouped together
   mostly because they do interrelate, but also they were developed at
   approximately the same time.

2.0 Group Reports

   The first part of the meeting consisted of reports of goals.  From
   this a taxonomy of efforts has been made to see if there are gaps in
   the work.




Lewis                        Informational
< Previous
Next >