From owner-dns-security Mon Feb 10 08:41:13 1997
Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id IAA08532 for dns-security-outgoing; Mon, 10 Feb 1997 08:37:37 -0500 (EST)
To: IETF-Announce:;;;;@tis.com@tis.com;;;
cc: dns-security@tis.com
From: Internet-Drafts@ietf.org
Reply-to: Internet-Drafts@ietf.org
Subject: I-D ACTION:draft-ietf-dnssec-update-04.txt
Date: Fri, 07 Feb 1997 12:08:19 -0500
Message-ID: <9702071208.aa14924@ietf.org>
Sender: owner-dns-security@ex.tis.com
Precedence: bulk

--NextPart

A Revised Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Domain Name System Security Working Group of the IETF.

Note: This revision reflects comments received during the last call period.

    Title     : Secure Domain Name System Dynamic Update
    Author(s) : D. Eastlake
    Filename  : draft-ietf-dnssec-update-04.txt
    Pages     : 13
    Date      : 02/05/1997

Domain Name System (DNS) protocol extensions have been defined to authenticate the data in DNS and provide key distribution services (draft-ietf-dnssec-secext-10.txt). DNS Dynamic Update operations have also been defined (draft-ietf-dnsind-dynDNS-*.txt), but without a detailed description of security for the update operation. This draft describes how to use DNSSEC digital signatures covering requests and data to secure updates and restrict updates to those authorized to perform them, as indicated by the updater's possession of cryptographic keys.

[This version 04 draft differs from the previous version only in the deletion of a reference to the "in-key.int" domain from the introduction (and in having new dates and a new version number and this note).]

Internet-Drafts are available by anonymous FTP. Login with the username "anonymous" and a password of your e-mail address. After logging in, type "cd internet-drafts" and then "get draft-ietf-dnssec-update-04.txt".

A URL for the Internet-Draft is:
ftp://ds.internic.net/internet-drafts/draft-ietf-dnssec-update-04.txt

Internet-Drafts directories are located at:

    o Africa:        ftp.is.co.za
    o Europe:        ftp.nordu.net
                     ftp.nis.garr.it
    o Pacific Rim:   munnari.oz.au
    o US East Coast: ds.internic.net
    o US West Coast: ftp.isi.edu

Internet-Drafts are also available by mail. Send a message to: mailserv@ds.internic.net. In the body type: "FILE /internet-drafts/draft-ietf-dnssec-update-04.txt".

NOTE: The mail server at ds.internic.net can return the document in MIME-encoded form by using the "mpack" utility. To use this feature, insert the command "ENCODING mime" before the "FILE" command. To decode the response(s), you will need "munpack" or a MIME-compliant mail reader. Different MIME-compliant mail readers exhibit different behavior, especially when dealing with "multipart" MIME messages (i.e., documents which have been split up into multiple messages), so check your local documentation on how to manipulate these messages.

Below is the data which will enable a MIME compliant mail reader implementation to automatically retrieve the ASCII version of the Internet-Draft.

--NextPart
Content-Type: Multipart/Alternative; Boundary="OtherAccess"

--OtherAccess
Content-Type: Message/External-body; access-type="mail-server"; server="mailserv@ds.internic.net"

Content-Type: text/plain
Content-ID: <19970207094337.I-D@ietf.org>

ENCODING mime
FILE /internet-drafts/draft-ietf-dnssec-update-04.txt

--OtherAccess
Content-Type: Message/External-body; name="draft-ietf-dnssec-update-04.txt"; site="ds.internic.net"; access-type="anon-ftp"; directory="internet-drafts"

Content-Type: text/plain
Content-ID: <19970207094337.I-D@ietf.org>

--OtherAccess--
--NextPart--

From owner-dns-security Tue Feb 11 16:03:44 1997
Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id PAA20315 for dns-security-outgoing; Tue, 11 Feb 1997 15:59:05 -0500 (EST)
To: IETF-Announce:;;;;@tis.com@tis.com;;;
Cc: RFC Editor
Cc: Internet Architecture Board
Cc: dns-security@tis.com
From: The IESG
Subject: Protocol Action: Secure Domain Name System Dynamic Update to Proposed Standard
Date: Tue, 11 Feb 1997 12:06:09 -0500
Message-ID: <9702111206.aa14655@ietf.org>
Sender: owner-dns-security@ex.tis.com
Precedence: bulk

The IESG has approved the Internet-Draft "Secure Domain Name System Dynamic Update" as a Proposed Standard. This document is the product of the Domain Name System Security Working Group. The IESG contact person is Jeffrey Schiller.

Technical Summary

This document describes a protocol that, when used in conjunction with Dynamic Update of DNS, permits updates to be performed in a secure fashion. It describes two related mechanisms that offer different performance vs. security trade-offs to suit different environments.

Working Group Summary

The working group came to consensus on this document with little debate required.

Protocol Quality

This protocol was reviewed for the IESG by Jeffrey I. Schiller, Security AD. It appears to be competent and appropriate for the task at hand.

From owner-dns-security Thu Feb 20 09:19:02 1997
Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id JAA02765 for dns-security-outgoing; Thu, 20 Feb 1997 09:16:32 -0500 (EST)
From: owner-dns-security@ex.tis.com
Message-Id: <199702201416.JAA02765@portal.ex.tis.com>
Subject: uranus.hq.tis.com?
To: dns-security@tis.com
Date: Wed, 19 Feb 1997 21:40:37 -0500 (EST)
X-PGP-fingerprint: 41 33 31 72 76 3F 42 DA AF E6 04 6D 36 79 6F EA
X-Mailer: ELM [version 2.4 PL24 PGP3 *ALPHA*]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-dns-security@ex.tis.com
Precedence: bulk

Hi folks, I was wondering if the DNS server @uranus.hq.tis.com is still running? I've got sdig and it doesn't return things as shown in INSTALL_SEC:

    woodchuck% ./dig @uranus.hq.tis.com sd-bogus.tis.com. soa

    ; <<>> DiG 2.2 <<>> @uranus.hq.tis.com sd-bogus.tis.com. soa
    ; (1 server found)
    ;; res options: init recurs defnam dnsrch
    ;; got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 10
    ;; flags: qr rd ra ad; Ques: 1, Ans: 0, Auth: 0, Addit: 0
    ;; QUESTIONS:
    ;;      sd-bogus.tis.com, type = SOA, class = IN

    ;; Total query time: 86 msec
    ;; FROM: woodchuck to SERVER: uranus.hq.tis.com  192.94.214.95
    ;; WHEN: Wed Feb 19 21:39:26 1997
    ;; MSG SIZE  sent: 34  rcvd: 34

Alternatively, is there a list of servers with DNSSEC enabled?

Thanks,
Greg

--
Greg Hankins (greg.hankins@cc.gatech.edu) | Georgia Institute of Technology
Computing and Networking Services         | College of Computing, room 213
+1 404 894 6609                           | Atlanta, GA 30332-0280
Greg Hankins        finger gregh@cc.gatech.edu for PGP key

From owner-dns-security Thu Feb 20 09:48:51 1997
Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id JAA03018 for dns-security-outgoing; Thu, 20 Feb 1997 09:48:48 -0500 (EST)
X-Sender: lewis@pop.hq.tis.com
Message-Id:
In-Reply-To: <199702201416.JAA02765@portal.ex.tis.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Thu, 20 Feb 1997 09:50:15 -0500
To: owner-dns-security@ex.tis.com
From: Edward Lewis
Subject: Re: uranus.hq.tis.com?
Cc: dns-security@tis.com
Sender: owner-dns-security@ex.tis.com
Precedence: bulk

At 9:40 PM -0500 2/19/97, owner-dns-security@ex.tis.com wrote:
>Hi folks, I was wondering if the DNS server @uranus.hq.tis.com is
>still running? I've got sdig and it doesn't return things as shown
>in INSTALL_SEC:

I'll look at it - I had the same problem, although named is running on the machine..

>Alternatively, is there a list of servers with DNSSEC enabled?

I'd like to know who else is running it too.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
Trusted Information Systems
Phone: 301-854-5794
Email: lewis@tis.com

From owner-dns-security Thu Feb 20 09:58:43 1997
Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id JAA03167 for dns-security-outgoing; Thu, 20 Feb 1997 09:58:24 -0500 (EST)
X-Sender: lewis@pop.hq.tis.com
Message-Id:
In-Reply-To: <199702201416.JAA02765@portal.ex.tis.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Thu, 20 Feb 1997 09:59:48 -0500
To: owner-dns-security@ex.tis.com
From: Edward Lewis
Subject: Re: uranus.hq.tis.com?
Cc: dns-security@tis.com
Sender: owner-dns-security@ex.tis.com
Precedence: bulk

At 9:40 PM -0500 2/19/97, owner-dns-security@ex.tis.com wrote:
>Hi folks, I was wondering if the DNS server @uranus.hq.tis.com is
>still running? I've got sdig and it doesn't return things as shown

I just looked at it again from an external (to our firewall machine), and it seems up to me. (I swear I didn't touch anything!)

I tried:

    dig @bozo.cs.umd.edu sd-bogus.tis.com any

and got results.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
Trusted Information Systems
Phone: 301-854-5794
Email: lewis@tis.com

From owner-dns-security Thu Feb 20 10:35:27 1997
Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id KAA03410 for dns-security-outgoing; Thu, 20 Feb 1997 10:35:14 -0500 (EST)
Date: Thu, 20 Feb 1997 15:45:15 +0000 (GMT)
From: Jarmo Kaikkonen
To: dns-security@tis.com
cc: zam@iki.fi, jii@iki.fi
Subject: Signature verification
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-dns-security@ex.tis.com
Precedence: bulk

Hi folks,

We are conducting a cryptographic experiment at HUT which involves the use of DNSSEC. The development platform is Windows NT and I'm using the resolver library provided by ntbind to get KEY and SIG RRs. However, ntbind4.9.5 doesn't include any dnssec_lib utilities, like UNIX sec_bind495 has (although documentation of the DNS library is still in the 'unresolved issues' list in that package).

I have read RFC2065 and I'm trying to program my own code to verify KEY RRs. I have managed to get the zone's public key from the DNSSEC server and to decrypt the SIG RR data, and the result is ( 01 | FF* | ... | hash ) as expected. The problem lies in verifying the hash value. So now I have to calculate my own hash using data:

    data = RDATA | RR(s)...

I have a byte array of SIG RR data, not including the signature data (the leading zero of the signer's name is included), and just after this there is the full KEY RR in this same byte array.

The hash (MD5) calculated from this data differs from the hash received from the server. (I'm using crypto++)

What am I doing wrong? All instructions are welcome.

Best regards,
Jarmo

Jarmo Kaikkonen                 http://www.iki.fi/jii/
JMT 1 C 465, 02150 Espoo        email: jii@iki.fi
Phone: +358 9 4682448           GSM: +358 40 5896556