RFC4641_and_I-D2.pdf

Size: px

Start display at page:

Download "RFC4641_and_I-D2.pdf"

たかよししもね
7 years ago
Views:

1 RFC 4641 SWG 1

2 Appendix A. Terminology Anchored key DNSKEY hard anchor (ed) Bogus RFC RRSet DNSKEY RRSet Bogus 2

3 Appendix A. Terminology Key Signing Key KSK Key Signing Key(KSK) zone apex key set KSK Key size key size modulus size modulus size key size modulus n. pl. moduli [-lai], ; absolute value. (Infoseek ) 3

4 Appendix A. Terminology Private and public keys DNSSEC DNS public key( ) private key( ) 2 ( ) public key DNSKEY RR DNS private key 4

5 Appendix A. Terminology Key rollover key rollover(key supercession ) Secure Entry Point (SEP) key DS trust anchor KSK SEP flag(rfc 4035 ) 5

6 Appendix A. Terminology Self-signature DNSKEY DNSKEY x DNSKEY x selfsignature( ) self-signature DNSKEY 6

7 Appendix A. Terminology Signing the zone file Signer signer RRSet 7

8 Appendix A. Terminology Zone Signing Key(ZSK) ( DNSKEY RRSet ) ZSK Zone administrator primary authoritative role ( ) 8

9 RFC 4641 & Internet Draft RFC4641-bis-02 9

10 Abstract RFC4641 DNSSEC DNSSEC DNSSEC RFC4641 RFC2541(DNS RFC) RFC4641 RFC

11 1. Introduction DNS RFC DNSSEC RFC RFC workshop DNSSEC RFC DNSSEC bits-2 Internet draft Internet Draft Internet Draft 11

12 1. Introduction ( (signing) (publishing)) DNS 2 " " C 12

13 1. Introduction RFC RFC2119 RFC2119 RFC MUST MAY DNSSEC RFC2541 RFC2541(DNS ) DNS 13

14 1.1 The Use of the Term Key ( ) RFC DNSSEC (a key is used to sign data) DNSKEY RR 14

15 1.2 Time Definitions ( ) (Signature validity period) RRSIG RR RRSIG RR (Signature publication period) RRSIG RRSIG RRSIG DNS (Key effectivity period) / TTL (Maximum/Minimum Zone Time to Live (TTL)) RR (?) TTL TTL SOA RR MINIMUM 11 (RFC2308 DNS ) 15

(Key effectivity period) / TTL (Maximum/Minimum Zone Time to

16 2. Keeping the Chain of Trust Intact ( ) bogus( ) (Bogus RFC ) Bogus 16

17 2. Keeping the Chain of Trust Intact ( ) (non-authoritive) notify IXFR AXFR( ) notify SOA AXFR 17

18 2. Keeping the Chain of Trust Intact ( ) (some middle box) ( ) -- "Security-aware"

19 3. Keys Generation and Storage ( ) 3 InternetDraft bits-02 RFC

20 3.1 Zone and Key Signing Keys (3.1 [KSK]) DNSSEC DNSKEY DNSKEY (the validation) (the motivations) DNSSEC (KSK) (ZSK) (SEP) ( ) ( bits02 ) (KSK) DNSSEC RRSet RRSet (ZSK) KSK SEP Key KSK SEP key 1 1 SEP flag KSK KSK SEP KSK ZSK SEP SEP 20

21 3.1.1 Motivations for the KSK and ZSK Separations (KSK ZSK ) KSK ZSK ZSK KSK ( bit ) KSK KSK ZSK ZSK KSK 21

22 3.1.1 Motivations for the KSK and ZSK Separations (KSK ZSK ) KSK ZSK KSK ZSK KSK ZSK ZSK KSK SEP DS DNS SEP KSK SEP flag KSK DNSKEY RR flag ZSK flag KSK ZSK ( Internet Draft ) ZSK ( Internet Draft ) ZSK ( Internet Draft ) 22

23 3.1.1 Motivations for the KSK and ZSK Separations (KSK ZSK ) KSK ZSK ZSK KSK KSK ZSK KSK ZSK HSM( ) 23

24 3.1.1 Motivations for the KSK and ZSK Separations (KSK ZSK ) (KSK) DNSKEY RR KSK (SEP) 24

25 3.1.1 Motivations for the KSK and ZSK Separations (KSK ZSK ) DNS KSK ZSK ZSK KSK KSK ZSK HSM KSK ZSK SEP KSK 25

26 3.1.2 KSK for High-Level Zones ( KSK) ( ) ( (compromised) ) DNS ( ) DNS 26

27 3.1.2 KSK for High-Level Zones ( KSK) Internet Draft Internet Draft DNS KSK KSK ( ) (MITM) exsamle. somebank.exsamle. DNS exsamle. KSK 27

28 3.1.2 Practical concequences of KSK and ZSK Separation ( KSK ZSK ) KSK SEP DNSKEY RR SEP KSK ZSK ( RFC ) SEP KSK ZSK ( RFC ) ZSK ( RFC ) ZSK ( RFC ) KSK DNSKEY RR KSK SEP (RFC5011 ) KSK 28

29 Rolling a KSK that is not a trust-anchor ( KSK ) KSK 3 ( 2 ) KSK (?) 29

30 Rolling a KSK that is not a trust-anchor ( KSK ) DNSSEC 3 KSK KSK KSK KSK 30

31 Rolling a KSK that is a trust-anchor ( KSK ) KSK bogus KSK KSK 31

32 Rolling a KSK that is a trust-anchor ( KSK ) RFC5011 RFC5011 KSK 32

33 3.2 Key Generation ( ) RFC4086 (2007 ) ( InternetDraft ) RFC4086 ( ) 33

34 3.3 key Effectivity Period ( ) KSK 20 34

35 3.3 key Effectivity Period ( ) DNSSEC (KSK) ZSK

36 3.3 key Effectivity Period ( ) ZSK KSK (KSK ZSK ) ZSK 36

37 3.3 key Effectivity Period ( ) KSK ZSK KSK ZSK ZSK HSM 37

38 3.4 Key Algorithm( ) DNSSEC 3 RSA DSA (Elliptic Curve Cryptography) DNSSEC Internet Draft RSA DSA RSA 2000 RSA DSA NIST( ) RSA RSA DSA DSA 10 38

39 3.4 Key Algorithm( ) RSA/SHA-1 RSA ( ) MD5 SHA-1 RSA/SHA-256 RSA/ SHA-1 RSA/SHA-1 RSA/SHA-256 RSA/SHA-1 RSA/MD5 SHA-1 SHA-1 ( SHA-256) SHA-1 hash SHA-1 hash (SHA-256 ) DNS 39

40 3.5 Key Sizes( ) ( [17](1996 Applied Cryptography ) 8.10 ) (ZSK vs KSK)

41 3.5 Key Sizes( ) RFC 3766 RFC 3766 state n bits 90bit 3 2bit bits bit?! 41

42 3.5 Key Sizes( ) [13] n ( ) System requiremen t for attack resistance (bits) Symmetric key size (bits) RSA or DSA modulus size (bits) ( 1024bits 1300bits 2048bits) KSK

43 3.5 Key Sizes( ) DNS TLDs root zone 5 ZSK ( ) ZSK (KSK ) 100bits [16] 7.5 [17] [16] 43

44 3.5 Key Sizes( ) RRSIG DNSKEY DNS UDP RRSIG 2 44

45 3.5 Key Sizes( ) DNSSEC 1024bit 700bit 1024bit bit 1024bit 80bit 1024bit 1024bit 2048bit ( (5/27)) 112bit CPU 1024bit 4 45

46 3.5 Key Sizes( ) 1024bit 1024bit web 1024bit TLS DNSSEC TLS DNSSEC TLS 1024bit 2048bit 1024bit TLS web 1024bit 15 RSA DSA 1024bit 46

47 3.6 Private Key Storage( ) RRSIG NSEC RR 47

48 3.6 Private Key Storage( ) DNS SOA RRs MNAME NS RRset NS RRSet NOTIFY IXFR AXFR 48

49 3.6 Private Key Storage( ) DNS DNS HSM ( TLD ) ( ) : ZSK KSK HSM DNSSEC (RFC 3007 ) RR 49

50 3.6 Private Key Storage( ) RR 50

51 4. Signature Generation, Key Rollover, and Related policies 4.1. Time in DNSSEC DNSSEC DNS REFRESH RETRY EXPIRATION minimum TTL (RR )TTL DNSSEC DNS bogus ( ) draft-morris-dnsop-dnssec-key-timing 51

52 Time Considerations 52

53 Time Considerations TTL fraction(???? (5/27)) 1? (5/27) TTL query RRset RFC 4033 section 7.1

54 Time Considerations query RR TTL 1 54

55 Time Considerations TTL authoritative 55

56 Timing Considerations TTL RR 5 10 TTL 2 56

57 Timing Considerations validator RR DS, DNSKEY, RRSIG, ( ) query RR recursive delegation point DS DNSKEY RRSIG TTL 57

58 Time Considerations RRSIG expire (?) SERVFAIL AA bit 58

59 Time Considerations expire SOA refresh refresh: SOA serial serial query RRSIG expire( ) SOA expire expire: SOA 2 refresh expire 59

60 Time Considerations DNSSEC SOA expire SOA expire RRSIG refresh refresh x RRSIG SOA expire 60

61 Time Considerations authoritative non-secure securityaware bogus( ) SOA expiration timer 1/3 1/4 61

62 Time Considerations watch dog ( )expire expire?? DNSSEC 62

63 4.2. Key Rollovers ( ) DNSSEC DNSSEC 63

64 4.2. Key Rollovers DNSKEY( ) RRSIG(by DNSKEY) 64

65 Zone Signing Key Rollovers ZSK 2 double signatures( ) pre-publication( ) 65

66 Pre-Publication Key Rollovers 2 DNS 1 66

67 Appendix B. Zone Signing Key Rollover How-To pre-published signature 67

68 Appendix B. Zone Signing Key rollover How-To Step 0: The preparation 2 DNSKEY RRset active published published (DNSSEC ) (DNSKEY) active published 68

69 Appendix B. Zone Signing Key Rollover How-To Step 1: Determine expiration active RRSIG TTL 69

70 Appendix B. Zone Signing key Rollover How-To Step 2 published published active active active rolled 70

71 Appendix B. Zone Signing Key Rollover How-To Step 3 1 (Step 1) It is safe to engine in a new rollover (Step 1) after at least one signature validity period. signature validity period DNSKEY RR TTL? validity validity period validity period DNSKEY RRSIG?(6/24) RRSIG TTL? 71

72 Pre-Published Key Rollover initial SOA0 RRSIG10(SOA0) DNSKEY1 DNSKEY10 KSK ZSK( ) RRSIG1 (DNSKEY) RRSIG10(DNSKEY) 72

73 Pre-Published Key Rollover new DNSKEY SOA1 RRSIG10(SOA1) DNSKEY1 ZSK( ) DNSKEY10 DNSKEY11 RRSIG1 (DNSKEY) RRSIG10(DNSKEY) DNSKEY10@ 73

74 Pre-Publish key Rollover DNSKEY 11 key set brute force attack +key set TTL 74

75 Pre-Published Key Rollover new RRSIG SOA2 RRSIG11(SOA2) DNSKEY1 DNSKEY10 DNSKEY11 RRSIG1 (DNSKEY) RRSIG11(DNSKEY) DNSKEY10 75

76 Pre-Publish Key Rollover DNSKEY 11 DNSKEY 10 DNSKEY 10 key set ver.1(==soa1) ver.2(==soa2) key set ver.1 +ver.1 TTL 76

77 Pre-Published Key Rollover DNSKEY removal SOA3 RRSIG11(SOA3) DNSKEY1 DNSKEY11 RRSIG1 (DNSKEY) RRSIG11(DNSKEY) DNSKEY10 77

78 Pre-Publish key Rollover SOA0 RRSIG10(SOA0) DNSKEY1 DNSKEY10 DNSKEY11 RRSIG1 (DNSKEY) RRSIG10(DNSKEY) SOA1 RRSIG10(SOA1) DNSKEY1 DNSKEY10 DNSKEY11 RRSIG1 (DNSKEY) RRSIG11(DNSKEY) SOA2 RRSIG10(SOA2) DNSKEY1 DNSKEY11 DNSKEY12 RRSIG1 (DNSKEY) RRSIG11(DNSKEY) 78

79 Pre-Publish key Rollover SOA3 RRSIG10(SOA3) DNSKEY1 DNSKEY11 DNSKEY12 RRSIG1 (DNSKEY) RRSIG12(DNSKEY) SOA4 RRSIG10(SOA4) DNSKEY1 DNSKEY12 DNSKEY13 RRSIG1 (DNSKEY) RRSIG12(DNSKEY) 79

80 Pre-Publish Key Rollover new DNSKEY 80

81 Double Signature Zone Signing Key Rollover new DNSKEY stage authoritative validator TTL 81

82 Double Signature Zone Signing Key Rollover initial SOA0 RRSIG10(SOA0) DNSKEY1 DNSKEY10 RRSIG1 (DNSKEY) RRSIG10(DNSKEY) 82

83 Double Signature Zone Signing Key Rollover new DNSKEY SOA1 RRSIG10(SOA1) RRSIG11(SOA1) DNSKEY1 DNSKEY10 DNSKEY11 RRSIG1 (DNSKEY) RRSIG10(DNSKEY) RRSIG11(DNSKEY) 83

84 Double Signature Zone Signing Key Rollover validator ver.0(initial) DNSKEY11 DNSKEY RRSet RRSIG10(*) ver.0 TTL 84

85 Double Signature Zone Signing Key Rollover DNSKEY removal SOA2 RRSIG11(SOA2) DNSKEY1 DNSKEY11 RRSIG1 (DNSKEY) RRSIG11(DNSKEY) DNSKEY DNSKEY11 85

86 Double Signature Zone Signing Key Rollover ( )RRSIG ( recursive query ) DNSKEY RRSet new DNSKEY TTL 86

87 Double Signature Zone Signing Key Rollover new DNSKEY ver.0 This way all caches are cleared of the old signatures.??? TTL 87

88 Pros and Cons of the Schemes Pre-Publish Key rollover 2 4 ( ZSK )KSK (4.2.3) 88

89 Pros and Cons of the Scheme Double signature ZSK rollover prohibitive: 3 89

90 Key Signing Key Rollovers KSK ZSK (zone apex key set ) key set double signature scheme KSK key set 90

91 Key Signing Key Rollovers initial Parent: SOA0 RRSigpar(SOA0) DS1 RRSigpar(DS) Child: SOA0 RRSIG10(SOA0) DNSKEY1 TTL_DS ::= TTL(DS1) DS authoritative TTL_DS DNSKEY10 RRSIG1 (DNSKEY) RRSIG10(DNSKEY) 91

92 Key Signing Key Rollovers new DNSKEY Parent: SOA0 RRSigpar(SOA0) DS1 RRSigpar(DS) Child: SOA0 RRSIG10(SOA1) DNSKEY1 DNSKEY2 DNSKEY10 RRSIG1 (DNSKEY) RRSIG2 (DNSKEY) RRSIG10(DNSKEY) 92

93 Key Signing Key Rollovers 2 KSK DNSKEY2 DNSKEY2 DS DS authoritative validator TTL_DS 93

94 Key Signing Key Rollovers DS change Parent: SOA1 RRSigpar(SOA1) DS2 RRSigpar(DS) Child: SOA0 RRSIG10(SOA0) DNSKEY1 DNSKEY2 DNSKEY10 RRSIG1 (DNSKEY) RRSIG2 (DNSKEY) RRSIG10(DNSKEY) 94

95 Key Signing Key Rollovers DNSKEY removal Parent: SOA1 RRSigpar(SOA1) DS2 RRSigpar(DS) Child: SOA2 RRSIG10(SOA2) DNSKEY2 DNSKEY10 RRSIG2 (DNSKEY) RRSIG10(DNSKEY) 95

96 Key Signing Key Rollovers The scenario above puts the responsibility for maintaining a valid chain of trust with the child. 1 ( )1 DS inband KSK DNS? KSK DS 2 96

97 Difference Between ZSK and KSK Rollovers KSK trust anchor ZSK pre-publish( ) double signature( ) KSK key set ZSK KSK key set 97

98 Difference Between ZSK and KSK Rollovers KSK pre-publish pre-publish DS KSK pre-publish 98

99 Difference Between ZSK and KSK Rollovers initial new DS new DNSKEY DS/DNSKEY removal Parent: SOA0 SOA > SOA2 RRSIGpar(SOA0) RRSIGpar(SOA1) > RRSIGpar(SOA2) DS1 DS > DS2 DS > RRSIGpar(DS) RRSIGpar(DS) > RRSIGpar(DS) Child: SOA > SOA1 SOA1 RRSIG10(SOA0) > RRSIG10(SOA1) RRSIG10(SOA1) > DNSKEY > DNSKEY2 DNSKEY > DNSKEY > DNSKEY10 DNSKEY10 RRSIG1 (DNSKEY) > RRSIG2(DNSKEY) RRSIG2 (DNSKEY) RRSIG10(DNSKEY) > RRSIG10(DNSKEY) RRSIG10(DNSKEY)

100 Difference Between ZSK and KSK Rollovers KSK ( DS) new DS DS1 DS2 DS DNS ( / ) DNSKEY1 DNSKEY2 DS 100

101 Difference Between ZSK and KSK Rollovers new DS DNSKEY2 DS2 DNSKEY2 DNS security lame double signature 1 pre-publish 2 101

102 Key algorithm rollover [-bis ] 102

103 Key algorithm rollover RFC algorithm downgrade protection There MUST be an RRSIG for each RRset using at least one DNSKEY of each algorithm in the zone apex DNSKEY RRset. TTL DNSKEY DNSKEY 103

104 Key algorithm rollover Initial 2 New RRSIGS 3 New DNSKEY SOA0 SOA1 SOA2 RRSIG1(SOA0) RRSIG1(SOA1) RRSIG1(SOA2) RRSIG2(SOA1) RRSIG2(SOA2) DNSKEY1 DNSKEY1 DNSKEY1 RRSIG1(DNSKEY) RRSIG1(DNSKEY) DNSKEY2 RRSIG2(DNSKEY) RRSIG1(DNSKEY) RRSIG2(DNSKEY) Remove DNSKEY 5 Remove RRSIGS SOA3 RRSIG1(SOA3) RRSIG2(SOA3) SOA4 RRSIG2(SOA4) DNSKEY2 DNSKEY2 RRSIG1(DNSKEY) RRSIG2(DNSKEY) RRSIG2(DNSKEY)

105 Key algorithm rollover step 2 key set key set RRSIG DNSKEY (step 3) 105

106 Key algorithm rollover step 4 ( DNSKEY) step 5 106

107 Automated Key Rollovers ZSK KSK 107

108 4.3. Planning for Emergency Key Rollover ( ) ( ) DNSSEC 108

109 4.3. Planning for Emergency Key Rollover DS resolver(validator) trust anchor (intact) 109

110 4.3. Planning for Emergency Key Rollover Zone operator validator 110

111 KSK Compromise KSK DNSKEY trust anchor DS KSK key set key set ZSK DNS 111

112 KSK Compromise KSK trust anchor DS DS KSK DS KSK 112

113 KSK Compromise KSK DS KSK ( ) KSK DNSKEY RR DS DS KSK DNSKEY RR 113

114 Keeping the Chain of Trust Intact KSK DS KSK DS KSK KSK key set 114

115 Keeping the Chain of Trust Intact KSK( ) KSK( ) ZSK KSK( ) ZSK KSK( ) 115

116 Keeping the Chain of Trust Intact 1. KSK( ) KSK( ) ZSK 2. DS( ) DS( ) 116

117 Keeping the Chain of Trust Intact 3.upload DS( ) KSK( ) KSK( ) ZSK 117

118 Keeping the Chain of Trust Intact 4. KSK 3. DS( ) authoritative (secondary ) DS( ) TTL DS( ) validator DS( )

119 Keeping the Chain of Trust Intact 5. KSK( ) KSK( ) ZSK 119

120 Keeping the Chain of Trust Intact An additional danger of a key compromise is that compromised key could be used to facilitate a legitimate DNSKEY/DS rollover and/or name server change at the parent. DNSKEY DS (?) (?) (?)

121 Keeping the Chain of Trust Intact (dispute) contact person out-of-band(dns ) DNSKEY DS 121

122 Breaking the Chain of Trust Bogus ( ) KSK DS( ) DS( ) Insecure ( =DNSSEC ) DS 122

123 ZSK Compromise ( ) ZSK KSK ZSK 123

124 ZSK Compromise ZSK RRSIG expire expire validator?? cache poisoning man-in-the-middle attack (6/24) (6/24) 124

125 Compromises of Keys Anchored in Resolvers DNSSEC root security aware resolver trust-anchor key SEP key.se ISP 4 (6/24) 125

126 Compromises of Keys Anchored in Resolvers trust anchor (DNSSEC social engineering ) SSL/TLS Web out-of-band (authenticated) 126

127 4.4. Parental Policies Initial Key Exchanges and Parental Policiies Considerations (exchange:?) authorization authorization DNSSEC DNS 127

128 Initial Key Exchanges and Parental Policies Considerations DNSKEY out-of-band DNS SEP bit(dnskey flag 257) DNSKEY RRset DNSKEY RRset DNSKEY RR DNSKEY 128

129 Initial Key Exchanges and Parental Policies Considerations DNSKEY DNSKEY DNSKEY RRSIG? DNSKEY KSK 129

130 Initial Key Exchanges and Parental Policies Considerations DNS DNSKEY DNSKEY DS DNSKEY RR DNS 130

131 Storing Keys or Hashes? DNSKEY DS DS DNSKEY DS DS 131

132 Storing Keys or Hashes? ( ) DNSKEY DS DNSKEY whois DNS DS 132

133 Storing Keys or Hashes? DNSKEY DS (6/24) DS DNSKEY Extensible Provisioning Protocol(EPP) DNSSEC [RFC 4310] 133

134 Security Lameness DNSKEY DS Bogus( ) lame DS O.K.? DNS key id 134

135 Security Lameness DS SEP key security lame DNS 135

136 DS Signature Validity Period DS replay KSK Bogus DS 2 136

137 DS Signature Validity Period DS? 137

138 DS Signature Validity Period DS 1 DS TTL zone owner TTL authoritative query DS (6/ 24 ) 138

139 Changing DNS Operators Cooperating DNS operators (thin) registrant( ) registrant DNSSEC DNS DNS 139

140 Cooperating DNS operators DNS registrant DNS registrant loosing operator( DNS ) gaining operator( DNS ) loosing operator gaining operator 140

141 Cooperating DNS operators pre-publish ZSK loosing operator gaining operator ZSK prepublish double signing KSK KSK KSK key set 141

142 Cooperating DNS Operators(initial) parent: NSA/DSA Child at A: ZSKA KSKA RRSIGZA(DNSKEY) RRSIGKA(DNSKEY) SOAA RRSIGZA(SOA) NSA RRSIGZA(NS) 142

143 Cooperating DNS Operators(pre-publish) parent: NSA/DSA Child at A: ZSKA ZSKB KSKA KSKB RRSIGZB RRSIGKB RRSIGZA RRSIGKA referral(non authoritative) Child at B: ZSKA ZSKB KSKA KSKB RRSIGZB(DNSKEY) RRSIGKB(DNSKEY) RRSIGZA(DNSKEY) RRSIGKA(DNSKEY) SOAA RRSIGZA(SOA) SOAB RRSIGZB(SOA) NSA NSB RRSIGZA(NS) authoritative NSB RRSIGZB(NS) 143

144 Cooperating DNS Operators(Redelegation) parent: NSB/DSB Child at A: ZSKA ZSKB KSKA KSKB RRSIGZB(DNSKEY) RRSIGKB(DNSKEY) RRSIGZA(DNSKEY) RRSIGKA(DNSKEY) SOAA RRSIGZA(SOA) NSA NSB RRSIGZA(NS) Child at B: ZSKA ZSKB KSKA KSKB RRSIGZB(DNSKEY) RRSIGKB(DNSKEY) RRSIGZA(DNSKEY) RRSIGKA(DNSKEY) SOAB RRSIGZB(SOA) NSA NSB A query RRSIGZB(NS) 144

145 Cooperating DNS Operators(post migration) parent: NSB/DSB Child at B: ZSKB KSKB RRSIGZB(DNSKEY) RRSIGKB(DNSKEY) SOAB RRSIGZB(SOA) NSB RRSIGZB(NS) 145

146 Non Cooperating DNS Operators loosing operator DNS TTL DNSKEY loosing operator DNSKEY 146

147 Non Cooperating DNS Operators validator loosing operator ( ) gaining operator loosing operator RRSIG loosing operator 147

148 Non Cooperating DNS Operators NS RR loosing operator NSEC3 (zone enumerate ) RRSIG 148

149 Non Cooperating DNS Operators registrant loosing operator DS loosing operator DNSKEY 149

150 Non Cooperating DNS Operators DNSKEY 150

151 5. Next Record type 151

152 5. Next Record type NSEC/NSEC3 RRTYPE (glue ) RRTYPE NSEC NSEC3 152

153 5.1. Differences between NSEC and NSEC3 153

154 5.1. Differences between NSEC and NSEC3 154

155 5.1. Differences between NSEC and NSEC3 155

156 5.1. Differences between NSEC and NSEC3 156

157 5.1. Differences between NSEC and NSEC3 157

158 5.1. Differences between NSEC and NSEC3 158

159 5.2. NSEC or NSEC

160 5.2. NSEC or NSEC3 160

161 5.2. NSEC or NSEC3 161

162 5.3. NSEC3 parameters DNS name compression 162

163 NSEC3 Algorithm 163

164 NSEC3 Algorithm 164

165 NSEC3 Iterations 165

166 NSEC3 Iterations 166

167 NSEC3 Salt 167

168 NSEC3 Salt 168

169 NSEC3 Salt 169

170 Opt-out 170

171 Opt-out 171

172 6. Security Considerations 172

173 7. IANA considerations 173

174 8. Acknowledgements 174

175 9. References 175

176 Appendix A. Terminology 176

177 Appendix B. Zone Signing Key Rollover How-To 177

178 Appendix C. Typographic Conventions 178

179 Appendix D. Document Editing History 179

のコピー

のコピー DNSSEC Masakazu Asama @ NISOC 1 What? DNS SECurity extensions. DNS Resource Record(RR), RR. (Validator) RR. RR. 2 Why? Thread Analysis of the Domain Name System(RFC3833): Packet Interception ID Guessing