From: Internet-Drafts@ietf.org
To: IETF-Announce:;
Cc: dns-security@tis.com, namedroppers@internic.net
Subject: I-D ACTION:draft-ietf-dnssec-simple-update-00.txt
Date: Fri, 13 Nov 1998 10:45:24 -0500

A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Domain Name System Security Working Group of the IETF.

        Title     : Simple Secure Domain Name System (DNS) Dynamic Update
        Author(s) : B. Wellington
        Filename  : draft-ietf-dnssec-simple-update-00.txt
        Pages     : 5
        Date      : 12-Nov-98

This draft proposes an alternative method for performing secure Domain Name System (DNS) dynamic updates. The method described here is both simple and flexible enough to represent any policy decisions. Secure communication based on request/transaction signatures [TSIG] is used to provide authentication and authorization.

Internet-Drafts are available by anonymous FTP. Login with the username "anonymous" and a password of your e-mail address. After logging in, type "cd internet-drafts" and then "get draft-ietf-dnssec-simple-update-00.txt".

A URL for the Internet-Draft is:
ftp://ftp.ietf.org/internet-drafts/draft-ietf-dnssec-simple-update-00.txt

Internet-Drafts directories are located at:
        Africa:         ftp.is.co.za
        Europe:         ftp.nordu.net
                        ftp.nic.it
        Pacific Rim:    munnari.oz.au
        US East Coast:  ftp.ietf.org
        US West Coast:  ftp.isi.edu

Internet-Drafts are also available by mail. Send a message to: mailserv@ietf.org. In the body type: "FILE /internet-drafts/draft-ietf-dnssec-simple-update-00.txt".

NOTE: The mail server at ietf.org can return the document in MIME-encoded form by using the "mpack" utility. To use this feature, insert the command "ENCODING mime" before the "FILE" command. To decode the response(s), you will need "munpack" or a MIME-compliant mail reader. Different MIME-compliant mail readers exhibit different behavior, especially when dealing with "multipart" MIME messages (i.e. documents which have been split up into multiple messages), so check your local documentation on how to manipulate these messages.


From: "Donald E. Eastlake 3rd"
To: dns-security@tis.com
Cc: dee3@torque.pothole.com
Subject: Algorithm 253
Date: Mon, 16 Nov 1998 23:51:31 -0500

I'm doing updates to the rest of the main DNSSEC cluster of drafts (ddi, dss, and rsa were updated and posted in October).
Mostly minor changes primarily based on IESG feedback such as addition of IANA Considerations sections and inclusion of a reference to RFC 2119 (key words). The biggest draft, draft-ietf-dnssec-secext2-*.txt, probably has the most minor changes. The one item on which there seemed to be the least agreement was section 4.2 where the inclusion of a SIG with an answer RR is given higher priority than the inclusion of additional information RRs. Unless there is a consensus to change the standard, I plan to leave that wording as it is.

Algorithm 254 in that draft is currently assigned to private algorithms designated by OID. Unless there is objection, I'd like to define algorithm 253 to be for private algorithms designated by domain name.

Thanks,
Donald
=====================================================================
 Donald E. Eastlake 3rd   +1 978-287-4877      dee3@torque.pothole.com
 318 Acton Street         +1 978-371-7148(fax) dee3@us.ibm.com
 Carlisle, MA 01741 USA   +1 914 784 7913


From: "Donald E. Eastlake 3rd"
To: dns-security@tis.com
Cc: namedroppers@internic.net
Subject: draft-ietf-dnssec-simple-update-00.txt
Date: Wed, 18 Nov 1998 09:36:00 -0500

I have no particular problem with secret key (TSIG) secure dynamic update. I just don't see any reason it has to blow away public key (SIG) secure dynamic update. In fact, in draft-ietf-dnssec-update2-*.txt I tried to add changes that clearly allow secure update based on negotiated permissions and policies embodied in TSIG. Quite possibly it is a better idea to have separate secure update documents for these two methods and I'm not even sure they need to refer to each other at all, as long as neither is written in an exclusive fashion.

While I'm sure there will be lots of dynamic update secured by TSIG, I'm not at all sure that the overall system will be any simpler than using SIG. Configuring and maintaining a bunch of secret keys directly would be a tremendous pain and not good cryptographic practice so I think that in real world cases of any size, you would usually set up the secret keys with TKEY (draft-ietf-dnssec-tkey-01.txt). Thus, in the case of occasional updates, you would have just as much computation and more round trips with TSIG compared with SIG. TSIG based update is, of course, much better when you have frequent updates from the same source to the same server.

On policies, it may seem simpler to just declare policy to be unspecified proprietary stuff but I don't think that helps interoperability much. I think the policy options in draft-ietf-dnssec-update2-*.txt cover many common cases.

One thing that draft-ietf-dnssec-simple-update-00.txt does is require that the zone key always be on line. This is less secure but simpler than the case where the zone key can be off-line, which is allowed by draft-ietf-dnssec-update2-*.txt (which covers both cases). If there is a WG consensus that it is reasonable to always require the zone key be on line for dynamic zones, it certainly wouldn't be hard to eliminate Mode A from update2 and doing that eliminates the more complicated parts of the optional to implement interoperable policies it provides. At that point, update2 would mostly just define the scope of the DNS names that a dynamic update KEY could have authority over. I think that's pretty reasonable and I would think that, by default, having secret keys that are derived from those update KEY RRs via TKEY having the same scope of control, to the extent permitted by server policy, would be natural. Since update is implemented at the server, the server has control over what can be changed anyway and there are references in update2 to additional local administrative policies being applied by the server.

Really, these two drafts are not as far apart as they might seem, although one is public key based and, I think, best for occasional updates, while the other is secret key based and, I think, best for frequent updates. People should keep in mind we are still just at the Proposed Standard level here. If both are issued as Proposed and only one is implemented, presumably the other will not progress to Draft and will become historic.

I suggest that this draft be re-named "Secret Key Secure Domain Name System (DNS) Dynamic Update" or "TSIG Secure Domain Name System (DNS) Dynamic Update". I'd be happy to remove the TSIG stuff from draft-ietf-dnssec-update2-*.txt and rename it "Public Key Secure Domain Name System (DNS) Dynamic Update" or the like.

Thanks,
Donald
=====================================================================
 Donald E. Eastlake 3rd   +1 978-287-4877      dee3@torque.pothole.com
 318 Acton Street         +1 978-371-7148(fax)
 Carlisle, MA 01741 USA


From: "Donald E. Eastlake 3rd"
To: dns-security@tis.com
Cc: dee3@torque.pothole.com, galvin@commerce.net, jis@mit.eud
Subject: revised DNSSEC drafts
Date: Thu, 19 Nov 1998 14:12:26 -0500

Last month I posted
        draft-ietf-dnssec-ddi-06.txt
        draft-ietf-dnssec-dss-03.txt and
        draft-ietf-dnssec-rsa-01.txt

I have now posted
        draft-ietf-dnssec-certs-03.txt
        draft-ietf-dnssec-dhk-03.txt
        draft-ietf-dnssec-secext2-06.txt and
        draft-ietf-dnssec-secops-02.txt
which have not made it into the internet drafts directories yet but are available from ftp://ftp.pothole.com/pub/dee3.

I did not have the time before the deadline to update draft-ietf-dnssec-indirect-key-01.txt which was going to be Experimental anyway and, I think, can be deferred.

These above are intended to be minor updates mostly to incorporate feedback from the IESG. In each case, there is a fairly detailed summary of the changes right at the front in square brackets, generally under the "Status of This Document" section. I think not but I leave it to Chair Jim Galvin and our AD Jeff Schiller as to whether or not any IETF Last Calls are necessitated by these changes.

Thanks,
Donald
=====================================================================
 Donald E. Eastlake 3rd   +1 978-287-4877      dee3@torque.pothole.com
 318 Acton Street         +1 978-371-7148(fax)
 Carlisle, MA 01741 USA


From: Internet-Drafts@ietf.org
To: IETF-Announce:;
Cc: dns-security@tis.com
Subject: I-D ACTION:draft-ietf-dnssec-certs-03.txt
Date: Wed, 25 Nov 1998 09:49:34 -0500

Note: This revision reflects comments received during the last call period.

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Domain Name System Security Working Group of the IETF.

        Title     : Storing Certificates in the Domain Name System (DNS)
        Author(s) : D. Eastlake, O. Gudmundsson
        Filename  : draft-ietf-dnssec-certs-03.txt
        Pages     : 9
        Date      : 24-Nov-98

Cryptographic public keys are frequently published and their authenticity demonstrated by certificates. A CERT resource record (RR) is defined so that such certificates and related certificate revocation lists can be stored in the Domain Name System (DNS).

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-dnssec-certs-03.txt


From: Internet-Drafts@ietf.org
To: IETF-Announce:;
Cc: dns-security@tis.com
Subject: I-D ACTION:draft-ietf-dnssec-dhk-03.txt
Date: Wed, 25 Nov 1998 10:31:40 -0500

Note: This revision reflects comments received during the last call period.

A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Domain Name System Security Working Group of the IETF.

        Title     : Storage of Diffie-Hellman Keys in the Domain Name System (DNS)
        Author(s) : D. Eastlake
        Filename  : draft-ietf-dnssec-dhk-03.txt
        Pages     : 8
        Date      : 24-Nov-98

A standard method for storing Diffie-Hellman keys in the Domain Name System is described which utilizes DNS KEY resource records.

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-dnssec-dhk-03.txt


From: Internet-Drafts@ietf.org
To: IETF-Announce:;
Cc: dns-security@tis.com
Subject: I-D ACTION:draft-ietf-dnssec-secext2-06.txt
Date: Wed, 25 Nov 1998 10:34:34 -0500

Note: This revision reflects comments received during the last call period.

A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Domain Name System Security Working Group of the IETF.

        Title     : Domain Name System Security Extensions
        Author(s) : D. Eastlake
        Filename  : draft-ietf-dnssec-secext2-06.txt
        Pages     : 49
        Date      : 24-Nov-98

Extensions to the Domain Name System (DNS) are described that provide data integrity and authentication to security aware resolvers and applications through the use of cryptographic digital signatures. These digital signatures are included in secured zones as resource records. Security can also be provided through non-security aware DNS servers in some cases. The extensions provide for the storage of authenticated public keys in the DNS. This storage of keys can support general public key distribution services as well as DNS security. The stored keys enable security aware resolvers to learn the authenticating key of zones in addition to those for which they are initially configured. Keys associated with DNS names can be retrieved to support other protocols. Provision is made for a variety of key types and algorithms. In addition, the security extensions provide for the optional authentication of DNS protocol transactions and requests. This document incorporates feedback on RFC 2065 from early implementers and potential users.

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-dnssec-secext2-06.txt


From: Internet-Drafts@ietf.org
To: IETF-Announce:;
Cc: dns-security@tis.com
Subject: I-D ACTION:draft-ietf-dnssec-secops-02.txt
Date: Wed, 25 Nov 1998 11:05:26 -0500

A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Domain Name System Security Working Group of the IETF.

        Title     : DNS Operational Security Considerations
        Author(s) : D. Eastlake
        Filename  : draft-ietf-dnssec-secops-02.txt
        Pages     : 9
        Date      : 24-Nov-98

Secure DNS is based on cryptographic techniques. A necessary part of the strength of these techniques is careful attention to the operational aspects of key and signature generation, lifetime, size, and storage. In addition, special attention must be paid to the security of the high level zones, particularly the root zone. This document discusses these operational aspects for keys and signatures used in connection with the KEY and SIG DNS resource records.

A URL for the Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-dnssec-secops-02.txt
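The "Algorithm 253" message above proposes two ways of naming a private KEY/SIG algorithm: by OID (algorithm 254) and by domain name (algorithm 253). A receiver has to recover that designator from the front of the public key area before it can even decide whether it knows the algorithm. The following is an added example, not code from any of the drafts or from anyone on the list; it assumes the encodings the published specification later settled on (an uncompressed wire-format domain name for 253, a one-octet length followed by a BER-encoded OID for 254), and all sample key areas are constructed.

```python
from __future__ import annotations

# Added example: parse the private-algorithm designator that leads the public
# key area of a DNS KEY RR.  Assumed encodings (those of the published spec):
#   253 (PRIVATEDNS): key area starts with an uncompressed wire-format domain name
#   254 (PRIVATEOID): key area starts with a one-octet length, then a BER-encoded OID
# Whatever follows the designator is the private algorithm's own key material.
PRIVATEDNS = 253
PRIVATEOID = 254


class MalformedKey(ValueError):
    """The designator cannot be parsed from the key area."""


def parse_wire_name(data: bytes) -> tuple[str, int]:
    """Decode an uncompressed wire-format name; return (text name, octets consumed)."""
    labels = []
    pos = 0
    while True:
        if pos >= len(data):
            raise MalformedKey("name runs past end of key area")
        length = data[pos]
        pos += 1
        if length == 0:            # root label terminates the name
            break
        if length & 0xC0:          # compression pointer or extended label type
            raise MalformedKey("compressed or extended label in designator name")
        if pos + length > len(data):
            raise MalformedKey("label runs past end of key area")
        labels.append(data[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels) + ".", pos


def parse_ber_oid(data: bytes) -> tuple[str, int]:
    """Decode a length-prefixed BER OID; return (dotted OID, octets consumed)."""
    if not data:
        raise MalformedKey("missing OID length octet")
    length = data[0]
    body = data[1:1 + length]
    if length == 0 or len(body) != length:
        raise MalformedKey("OID truncated")
    if body[-1] & 0x80:            # continuation bit set on the final octet
        raise MalformedKey("last OID arc is not terminated")
    # First octet packs the first two arcs: 40 * arc1 + arc2 (arc1 is 0, 1 or 2).
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for octet in body[1:]:         # remaining arcs are base-128, high bit = continue
        value = (value << 7) | (octet & 0x7F)
        if not octet & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs), 1 + length


def private_algorithm_designator(algorithm: int, key_area: bytes) -> tuple[str, bytes]:
    """Return (designator, remaining key material) for a private-algorithm KEY RR."""
    if algorithm == PRIVATEDNS:
        name, used = parse_wire_name(key_area)
        return name, key_area[used:]
    if algorithm == PRIVATEOID:
        oid, used = parse_ber_oid(key_area)
        return oid, key_area[used:]
    raise ValueError(f"algorithm {algorithm} is not a private algorithm number")


def is_well_formed(algorithm: int, key_area: bytes) -> bool:
    """True when the designator parses; a verifier should reject the RR otherwise."""
    try:
        private_algorithm_designator(algorithm, key_area)
        return True
    except MalformedKey:
        return False
```

A verifier that does not recognise the returned designator treats the RR exactly as it would any other unknown algorithm number, which is the point of carrying the designator inside the key area rather than burning a registry value per private algorithm.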