RFC 3755 (rfc3755) - Page 1 of 9
Legacy Resolver Compatibility for Delegation Signer (DS)
Alternative Format: Original Text Document
Network Working Group S. Weiler
Request for Comments: 3755 SPARTA, Inc.
Updates: 3658, 2535 May 2004
Category: Standards Track
Legacy Resolver Compatibility for Delegation Signer (DS)
Status of this Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2004). All Rights Reserved.
Abstract
As the DNS Security (DNSSEC) specifications have evolved, the syntax
and semantics of the DNSSEC resource records (RRs) have changed.
Many deployed nameservers understand variants of these semantics.
Dangerous interactions can occur when a resolver that understands an
earlier version of these semantics queries an authoritative server
that understands the new delegation signer semantics, including at
least one failure scenario that will cause an unsecured zone to be
unresolvable. This document changes the type codes and mnemonics of
the DNSSEC RRs (SIG, KEY, and NXT) to avoid those interactions.
1. Introduction
The DNSSEC protocol has been through many iterations whose syntax and
semantics are not completely compatible. This has occurred as part
of the ordinary process of proposing a protocol, implementing it,
testing it in the increasingly complex and diverse environment of the
Internet, and refining the definitions of the initial Proposed
Standard. In the case of DNSSEC, the process has been complicated by
DNS's criticality and wide deployment and the need to add security
while minimizing daily operational complexity.
A weak area for previous DNS specifications has been lack of detail
in specifying resolver behavior, leaving implementors largely on
their own to determine many details of resolver function. This,
combined with the number of iterations the DNSSEC specifications have
been through, has resulted in fielded code with a wide variety of
Weiler Standards Track