RFC 3755 (rfc3755) - Page 1 of 9


Legacy Resolver Compatibility for Delegation Signer (DS)



Alternative Format: Original Text Document



Network Working Group                                          S. Weiler
Request for Comments: 3755                                  SPARTA, Inc.
Updates: 3658, 2535                                             May 2004
Category: Standards Track


        Legacy Resolver Compatibility for Delegation Signer (DS)

Status of this Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2004).  All Rights Reserved.

Abstract

   As the DNS Security (DNSSEC) specifications have evolved, the syntax
   and semantics of the DNSSEC resource records (RRs) have changed.
   Many deployed nameservers understand variants of these semantics.
   Dangerous interactions can occur when a resolver that understands an
   earlier version of these semantics queries an authoritative server
   that understands the new delegation signer semantics, including at
   least one failure scenario that will cause an unsecured zone to be
   unresolvable.  This document changes the type codes and mnemonics of
   the DNSSEC RRs (SIG, KEY, and NXT) to avoid those interactions.

1.  Introduction

   The DNSSEC protocol has been through many iterations whose syntax and
   semantics are not completely compatible.  This has occurred as part
   of the ordinary process of proposing a protocol, implementing it,
   testing it in the increasingly complex and diverse environment of the
   Internet, and refining the definitions of the initial Proposed
   Standard.  In the case of DNSSEC, the process has been complicated by
   DNS's criticality and wide deployment and the need to add security
   while minimizing daily operational complexity.

   A weak area for previous DNS specifications has been lack of detail
   in specifying resolver behavior, leaving implementors largely on
   their own to determine many details of resolver function.  This,
   combined with the number of iterations the DNSSEC specifications have
   been through, has resulted in fielded code with a wide variety of



Weiler                      Standards Track