Network Working Group                                           E. Lewis
Request for Comments: 3090                                      NAI Labs
Category: Standards Track                                     March 2001


          DNS Security Extension Clarification on Zone Status

Status of this Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2001).  All Rights Reserved.

Abstract

   The definition of a secured zone is presented, clarifying and
   updating sections of RFC 2535.  RFC 2535 defines a zone to be secured
   based on a per algorithm basis, e.g., a zone can be secured with RSA
   keys, and not secured with DSA keys.  This document changes this to
   define a zone to be secured or not secured regardless of the key
   algorithm used (or not used).  To further simplify the determination
   of a zone's status, "experimentally secure" status is deprecated.
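   To make the definitional change concrete, here is an added example
   (not part of RFC 3090) contrasting a per-algorithm verdict in the
   style of RFC 2535 with the single zone-wide verdict this document
   introduces.  It models only the apex KEY set, using RFC 2535's NULL
   (no-key) KEY RR to mean "no key for this algorithm"; the parent's
   signature over the key set, which the full determination also
   requires, is left out, and the class and function names are this
   example's own.

```python
from dataclasses import dataclass
from typing import Dict, Iterable


# Constructed model of one KEY RR at a zone's apex (assumption of this
# example).  `null_key` follows RFC 2535's "no key" convention: a NULL
# KEY RR asserts that the zone has no key for that algorithm.
@dataclass(frozen=True)
class ApexKey:
    algorithm: str      # e.g. "RSA" or "DSA"
    null_key: bool      # True when the RR is a NULL (no-key) KEY RR


def rfc2535_status(keys: Iterable[ApexKey]) -> Dict[str, str]:
    """Per-algorithm status as RFC 2535 had it: one verdict per algorithm."""
    status: Dict[str, str] = {}
    for key in keys:
        if not key.null_key:
            status[key.algorithm] = "secured"
        else:
            # A NULL key marks the algorithm unsecured only when no real
            # key of that algorithm is present in the set.
            status.setdefault(key.algorithm, "unsecured")
    return status


def rfc3090_status(keys: Iterable[ApexKey]) -> str:
    """Single zone-wide status as RFC 3090 defines it: any usable key,
    whatever its algorithm, makes the zone secured; otherwise unsecured."""
    return "secured" if any(not k.null_key for k in keys) else "unsecured"


# Constructed sample matching the abstract's example: the zone is signed
# with RSA and publishes a NULL key for DSA.
SAMPLE_APEX_KEYS = [
    ApexKey("RSA", null_key=False),
    ApexKey("DSA", null_key=True),
]

if __name__ == "__main__":
    print(rfc2535_status(SAMPLE_APEX_KEYS))  # {'RSA': 'secured', 'DSA': 'unsecured'}
    print(rfc3090_status(SAMPLE_APEX_KEYS))  # secured
```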

1 Introduction

   Whether a DNS zone is "secured" or not is a question asked in at
   least four contexts.  A zone administrator asks the question when
   configuring a zone to use DNSSEC.  A dynamic update server asks the
   question when an update request arrives, which may require DNSSEC
   processing.  A delegating zone asks the question of a child zone when
   the parent enters data indicating the status of the child.  A resolver
   asks the question upon receipt of data belonging to the zone.

1.1 When a Zone's Status is Important

   A zone administrator needs to be able to determine what steps are
   needed to make the zone as secure as it can be.  Due to the
   distributed nature of DNS and its administration, any single zone is
   at the mercy of other zones when it comes to the appearance of
   security.  This document will define what makes a zone qualify as
   secure.




Lewis                       Standards Track