7Network Working Group R. Arends
8Request for Comments: 4956 Nominet
9Category: Experimental M. Kosters
15 DNS Security (DNSSEC) Opt-In
19 This memo defines an Experimental Protocol for the Internet
20 community. It does not specify an Internet standard of any kind.
21 Discussion and suggestions for improvement are requested.
22 Distribution of this memo is unlimited.
26 Copyright (C) The IETF Trust (2007).
30 In the DNS security (DNSSEC) extensions, delegations to unsigned
31 subzones are cryptographically secured. Maintaining this
32 cryptography is not always practical or necessary. This document
33 describes an experimental "Opt-In" model that allows administrators
34 to omit this cryptography and manage the cost of adopting DNSSEC with
58Arends, et al. Experimental [Page 1]
60RFC 4956 DNS Security (DNSSEC) Opt-In July 2007
65 1. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
66 2. Definitions and Terminology . . . . . . . . . . . . . . . . . 3
67 3. Experimental Status . . . . . . . . . . . . . . . . . . . . . 4
68 4. Protocol Additions . . . . . . . . . . . . . . . . . . . . . . 5
69 4.1. Server Considerations . . . . . . . . . . . . . . . . . . 6
70 4.1.1. Delegations Only . . . . . . . . . . . . . . . . . . . 6
71 4.1.2. Insecure Delegation Responses . . . . . . . . . . . . 6
72 4.1.3. Dynamic Update . . . . . . . . . . . . . . . . . . . . 6
73 4.2. Client Considerations . . . . . . . . . . . . . . . . . . 7
74 4.2.1. Delegations Only . . . . . . . . . . . . . . . . . . . 7
75 4.2.2. Validation Process Changes . . . . . . . . . . . . . . 7
76 4.2.3. NSEC Record Caching . . . . . . . . . . . . . . . . . 8
77 4.2.4. Use of the AD bit . . . . . . . . . . . . . . . . . . 8
78 5. Benefits . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
79 6. Example . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
80 7. Transition Issues . . . . . . . . . . . . . . . . . . . . . . 11
81 8. Security Considerations . . . . . . . . . . . . . . . . . . . 11
82 9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 13
83 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 13
84 10.1. Normative References . . . . . . . . . . . . . . . . . . . 13
85 10.2. Informative References . . . . . . . . . . . . . . . . . . 13
86 Appendix A. Implementing Opt-In Using "Views" . . . . . . . . . . 15
114Arends, et al. Experimental [Page 2]
116RFC 4956 DNS Security (DNSSEC) Opt-In July 2007
121 The cost to cryptographically secure delegations to unsigned zones is
122 high for large delegation-centric zones and zones where insecure
123 delegations will be updated rapidly. For these zones, the costs of
124 maintaining the NextSECure (NSEC) record chain may be extremely high
125 relative to the gain of cryptographically authenticating existence of
128 This document describes an experimental method of eliminating the
129 superfluous cryptography present in secure delegations to unsigned
130 zones. Using "Opt-In", a zone administrator can choose to remove
131 insecure delegations from the NSEC chain. This is accomplished by
132 extending the semantics of the NSEC record by using a redundant bit
1352. Definitions and Terminology
137 Throughout this document, familiarity with the DNS system (RFC 1035
138 [1]), DNS security extensions ([4], [5], and [6], referred to in this
139 document as "standard DNSSEC"), and DNSSEC terminology (RFC 3090
142 The following abbreviations and terms are used in this document:
144 RR: is used to refer to a DNS resource record.
146 RRset: refers to a Resource Record Set, as defined by [8]. In this
147 document, the RRset is also defined to include the covering RRSIG
148 records, if any exist.
150 signed name: refers to a DNS name that has, at minimum, a (signed)
153 unsigned name: refers to a DNS name that does not (at least) have an
156 covering NSEC record/RRset: is the NSEC record used to prove
157 (non)existence of a particular name or RRset. This means that for
158 a RRset or name 'N', the covering NSEC record has the name 'N', or
159 has an owner name less than 'N' and "next" name greater than 'N'.
161 delegation: refers to an NS RRset with a name different from the
162 current zone apex (non-zone-apex), signifying a delegation to a
170Arends, et al. Experimental [Page 3]
172RFC 4956 DNS Security (DNSSEC) Opt-In July 2007
175 secure delegation: refers to a signed name containing a delegation
176 (NS RRset), and a signed DS RRset, signifying a delegation to a
179 insecure delegation: refers to a signed name containing a delegation
180 (NS RRset), but lacking a DS RRset, signifying a delegation to an
183 Opt-In insecure delegation: refers to an unsigned name containing
184 only a delegation NS RRset. The covering NSEC record uses the
185 Opt-In methodology described in this document.
187 The key words "MUST, "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
188 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY, and "OPTIONAL" in this
189 document are to be interpreted as described in RFC 2119 [2].
1913. Experimental Status
193 This document describes an EXPERIMENTAL extension to DNSSEC. It
194 interoperates with non-experimental DNSSEC using the technique
195 described in [7]. This experiment is identified with the following
196 private algorithms (using algorithm 253):
198 "3.optin.verisignlabs.com": is an alias for DNSSEC algorithm 3, DSA,
201 "5.optin.verisignlabs.com": is an alias for DNSSEC algorithm 5,
204 Servers wishing to sign and serve zones that utilize Opt-In MUST sign
205 the zone with only one or more of these private algorithms and MUST
206 NOT use any other algorithms.
208 Resolvers MUST NOT apply the Opt-In validation rules described in
209 this document unless a zone is signed using one or more of these
212 This experimental protocol relaxes the restriction that validators
213 MUST ignore the setting of the NSEC bit in the type map as specified
214 in RFC 4035 [6] Section 5.4.
216 The remainder of this document assumes that the servers and resolvers
217 involved are aware of and are involved in this experiment.
226Arends, et al. Experimental [Page 4]
228RFC 4956 DNS Security (DNSSEC) Opt-In July 2007
233 In DNSSEC, delegation NS RRsets are not signed, but are instead
234 accompanied by an NSEC RRset of the same name and (possibly) a DS
235 record. The security status of the subzone is determined by the
236 presence or absence of the DS RRset, cryptographically proven by the
237 NSEC record. Opt-In expands this definition by allowing insecure
238 delegations to exist within an otherwise signed zone without the
239 corresponding NSEC record at the delegation's owner name. These
240 insecure delegations are proven insecure by using a covering NSEC
243 Since this represents a change of the interpretation of NSEC records,
244 resolvers must be able to distinguish between RFC standard DNSSEC
245 NSEC records and Opt-In NSEC records. This is accomplished by
246 "tagging" the NSEC records that cover (or potentially cover) insecure
247 delegation nodes. This tag is indicated by the absence of the NSEC
248 bit in the type map. Since the NSEC bit in the type map merely
249 indicates the existence of the record itself, this bit is redundant
250 and safe for use as a tag.
252 An Opt-In tagged NSEC record does not assert the (non)existence of
253 the delegations that it covers (except for a delegation with the same
254 name). This allows for the addition or removal of these delegations
255 without recalculating or resigning records in the NSEC chain.
256 However, Opt-In tagged NSEC records do assert the (non)existence of
259 An Opt-In NSEC record MAY have the same name as an insecure
260 delegation. In this case, the delegation is proven insecure by the
261 lack of a DS bit in the type map, and the signed NSEC record does
262 assert the existence of the delegation.
264 Zones using Opt-In MAY contain a mixture of Opt-In tagged NSEC
265 records and standard DNSSEC NSEC records. If an NSEC record is not
266 Opt-In, there MUST NOT be any insecure delegations (or any other
267 records) between it and the RRsets indicated by the 'next domain
268 name' in the NSEC RDATA. If it is Opt-In, there MUST only be
269 insecure delegations between it and the next node indicated by the
270 'next domain name' in the NSEC RDATA.
274 o An Opt-In NSEC type is identified by a zero-valued (or not-
275 specified) NSEC bit in the type bit map of the NSEC record.
282Arends, et al. Experimental [Page 5]
284RFC 4956 DNS Security (DNSSEC) Opt-In July 2007
287 o A standard DNSSEC NSEC type is identified by a one-valued NSEC bit
288 in the type bit map of the NSEC record.
292 o An Opt-In NSEC record does not assert the non-existence of a name
293 between its owner name and "next" name, although it does assert
294 that any name in this span MUST be an insecure delegation.
296 o An Opt-In NSEC record does assert the (non)existence of RRsets
297 with the same owner name.
2994.1. Server Considerations
301 Opt-In imposes some new requirements on authoritative DNS servers.
3034.1.1. Delegations Only
305 This specification dictates that only insecure delegations may exist
306 between the owner and "next" names of an Opt-In tagged NSEC record.
307 Signing tools MUST NOT generate signed zones that violate this
308 restriction. Servers MUST refuse to load and/or serve zones that
309 violate this restriction. Servers also MUST reject AXFR or IXFR
310 responses that violate this restriction.
3124.1.2. Insecure Delegation Responses
314 When returning an Opt-In insecure delegation, the server MUST return
315 the covering NSEC RRset in the Authority section.
317 In standard DNSSEC, NSEC records already must be returned along with
318 the insecure delegation. The primary difference that this proposal
319 introduces is that the Opt-In tagged NSEC record will have a
320 different owner name from the delegation RRset. This may require
321 implementations to search for the covering NSEC RRset.
325 Opt-In changes the semantics of Secure DNS Dynamic Update [9]. In
326 particular, it introduces the need for rules that describe when to
327 add or remove a delegation name from the NSEC chain. This document
328 does not attempt to define these rules. Until these rules are
329 defined, servers MUST NOT process DNS Dynamic Update requests against
330 zones that use Opt-In NSEC records. Servers SHOULD return responses
331 to update requests with RCODE=REFUSED.
338Arends, et al. Experimental [Page 6]
340RFC 4956 DNS Security (DNSSEC) Opt-In July 2007
3434.2. Client Considerations
345 Opt-In imposes some new requirements on security-aware resolvers
346 (caching or otherwise).
3484.2.1. Delegations Only
350 As stated in Section 4.1 above, this specification restricts the
351 namespace covered by Opt-In tagged NSEC records to insecure
352 delegations only. Clients are not expected to take any special
353 measures to enforce this restriction; instead, it forms an underlying
354 assumption that clients may rely on.
3564.2.2. Validation Process Changes
358 This specification does not change the resolver's resolution
359 algorithm. However, it does change the DNSSEC validation process.
363 Resolvers MUST be able to use Opt-In tagged NSEC records to
364 cryptographically prove the validity and security status (as
365 insecure) of a referral. Resolvers determine the security status of
366 the referred-to zone as follows:
368 o In standard DNSSEC, the security status is proven by the existence
369 or absence of a DS RRset at the same name as the delegation. The
370 existence of the DS RRset indicates that the referred-to zone is
371 signed. The absence of the DS RRset is proven using a verified
372 NSEC record of the same name that does not have the DS bit set in
373 the type map. This NSEC record MAY also be tagged as Opt-In.
375 o Using Opt-In, the security status is proven by the existence of a
376 DS record (for signed) or the presence of a verified Opt-In tagged
377 NSEC record that covers the delegation name. That is, the NSEC
378 record does not have the NSEC bit set in the type map, and the
379 delegation name falls between the NSEC's owner and "next" name.
381 Using Opt-In does not substantially change the nature of following
382 referrals within DNSSEC. At every delegation point, the resolver
383 will have cryptographic proof that the referred-to subzone is signed
3864.2.2.2. Queries for DS Resource Records
388 Since queries for DS records are directed to the parent side of a
389 zone cut (see [5], Section 5), negative responses to these queries
390 may be covered by an Opt-In flagged NSEC record.
394Arends, et al. Experimental [Page 7]
396RFC 4956 DNS Security (DNSSEC) Opt-In July 2007
399 Resolvers MUST be able to use Opt-In tagged NSEC records to
400 cryptographically prove the validity and security status of negative
401 responses to queries for DS records. In particular, a NOERROR/NODATA
402 (i.e., RCODE=3, but the answer section is empty) response to a DS
403 query may be proven by an Opt-In flagged covering NSEC record, rather
404 than an NSEC record matching the query name.
4064.2.3. NSEC Record Caching
408 Caching resolvers MUST be able to retrieve the appropriate covering
409 Opt-In NSEC record when returning referrals that need them. This
410 requirement differs from standard DNSSEC in that the covering NSEC
411 will not have the same owner name as the delegation. Some
412 implementations may have to use new methods for finding these NSEC
4154.2.4. Use of the AD bit
417 The AD bit, as defined by [3] and [6], MUST NOT be set when:
419 o sending a Name Error (RCODE=3) response where the covering NSEC is
422 o sending an Opt-In insecure delegation response, unless the
423 covering (Opt-In) NSEC record's owner name equals the delegation
426 o sending a NOERROR/NODATA response when query type is DS and the
427 covering NSEC is tagged as Opt-In, unless NSEC record's owner name
428 matches the query name.
430 This rule is based on what the Opt-In NSEC record actually proves:
431 for names that exist between the Opt-In NSEC record's owner and
432 "next" names, the Opt-In NSEC record cannot prove the non-existence
433 or existence of the name. As such, not all data in the response has
434 been cryptographically verified, so the AD bit cannot be set.
438 Using Opt-In allows administrators of large and/or changing
439 delegation-centric zones to minimize the overhead involved in
440 maintaining the security of the zone.
442 Opt-In accomplishes this by eliminating the need for NSEC records for
443 insecure delegations. This, in a zone with a large number of
444 delegations to unsigned subzones, can lead to substantial space
445 savings (both in memory and on disk). Additionally, Opt-In allows
446 for the addition or removal of insecure delegations without modifying
450Arends, et al. Experimental [Page 8]
452RFC 4956 DNS Security (DNSSEC) Opt-In July 2007
455 the NSEC record chain. Zones that are frequently updating insecure
456 delegations (e.g., Top-Level Domains (TLDs)) can avoid the
457 substantial overhead of modifying and resigning the affected NSEC
462 Consider the zone EXAMPLE shown below. This is a zone where all of
463 the NSEC records are tagged as Opt-In.
465 Example A: Fully Opt-In Zone.
468 EXAMPLE. RRSIG SOA ...
469 EXAMPLE. NS FIRST-SECURE.EXAMPLE.
470 EXAMPLE. RRSIG NS ...
472 EXAMPLE. RRSIG DNSKEY ...
473 EXAMPLE. NSEC FIRST-SECURE.EXAMPLE. (
474 SOA NS RRSIG DNSKEY )
475 EXAMPLE. RRSIG NSEC ...
477 FIRST-SECURE.EXAMPLE. A ...
478 FIRST-SECURE.EXAMPLE. RRSIG A ...
479 FIRST-SECURE.EXAMPLE. NSEC NOT-SECURE-2.EXAMPLE. A RRSIG
480 FIRST-SECURE.EXAMPLE. RRSIG NSEC ...
482 NOT-SECURE.EXAMPLE. NS NS.NOT-SECURE.EXAMPLE.
483 NS.NOT-SECURE.EXAMPLE. A ...
485 NOT-SECURE-2.EXAMPLE. NS NS.NOT-SECURE.EXAMPLE.
486 NOT-SECURE-2.EXAMPLE NSEC SECOND-SECURE.EXAMPLE NS RRSIG
487 NOT-SECURE-2.EXAMPLE RRSIG NSEC ...
489 SECOND-SECURE.EXAMPLE. NS NS.ELSEWHERE.
490 SECOND-SECURE.EXAMPLE. DS ...
491 SECOND-SECURE.EXAMPLE. RRSIG DS ...
492 SECOND-SECURE.EXAMPLE. NSEC EXAMPLE. NS RRSIG DNSKEY
493 SECOND-SECURE.EXAMPLE. RRSIG NSEC ...
495 UNSIGNED.EXAMPLE. NS NS.UNSIGNED.EXAMPLE.
496 NS.UNSIGNED.EXAMPLE. A ...
506Arends, et al. Experimental [Page 9]
508RFC 4956 DNS Security (DNSSEC) Opt-In July 2007
511 In this example, a query for a signed RRset (e.g., "FIRST-
512 SECURE.EXAMPLE A") or a secure delegation ("WWW.SECOND-SECURE.EXAMPLE
513 A") will result in a standard DNSSEC response.
515 A query for a nonexistent RRset will result in a response that
516 differs from standard DNSSEC by the following: the NSEC record will
517 be tagged as Opt-In, there may be no NSEC record proving the non-
518 existence of a matching wildcard record, and the AD bit will not be
521 A query for an insecure delegation RRset (or a referral) will return
522 both the answer (in the Authority section) and the corresponding
523 Opt-In NSEC record to prove that it is not secure.
525 Example A.1: Response to query for WWW.UNSIGNED.EXAMPLE. A
533 UNSIGNED.EXAMPLE. NS NS.UNSIGNED.EXAMPLE
534 SECOND-SECURE.EXAMPLE. NSEC EXAMPLE. NS RRSIG DS
535 SECOND-SECURE.EXAMPLE. RRSIG NSEC ...
538 NS.UNSIGNED.EXAMPLE. A ...
542 In the Example A.1 zone, the EXAMPLE. node MAY use either style of
543 NSEC record, because there are no insecure delegations that occur
544 between it and the next node, FIRST-SECURE.EXAMPLE. In other words,
545 Example A would still be a valid zone if the NSEC record for EXAMPLE.
546 was changed to the following RR:
548 EXAMPLE. NSEC FIRST-SECURE.EXAMPLE. (SOA NS
551 However, the other NSEC records (FIRST-SECURE.EXAMPLE. and SECOND-
552 SECURE.EXAMPLE.) MUST be tagged as Opt-In because there are insecure
553 delegations in the range they define. (NOT-SECURE.EXAMPLE. and
554 UNSIGNED.EXAMPLE., respectively).
556 NOT-SECURE-2.EXAMPLE. is an example of an insecure delegation that is
557 part of the NSEC chain and also covered by an Opt-In tagged NSEC
558 record. Because NOT-SECURE-2.EXAMPLE. is a signed name, it cannot be
562Arends, et al. Experimental [Page 10]
564RFC 4956 DNS Security (DNSSEC) Opt-In July 2007
567 removed from the zone without modifying and resigning the prior NSEC
568 record. Delegations with names that fall between NOT-SECURE-
569 2.EXAMPLE. and SECOND-SECURE.EXAMPLE. may be added or removed without
570 resigning any NSEC records.
574 Opt-In is not backwards compatible with standard DNSSEC and is
575 considered experimental. Standard DNSSEC-compliant implementations
576 would not recognize Opt-In tagged NSEC records as different from
577 standard NSEC records. Because of this, standard DNSSEC
578 implementations, if they were to validate Opt-In style responses,
579 would reject all Opt-In insecure delegations within a zone as
580 invalid. However, by only signing with private algorithms, standard
581 DNSSEC implementations will treat Opt-In responses as unsigned.
583 It should be noted that all elements in the resolution path between
584 (and including) the validator and the authoritative name server must
585 be aware of the Opt-In experiment and implement the Opt-In semantics
586 for successful validation to be possible. In particular, this
587 includes any caching middleboxes between the validator and
588 authoritative name server.
5908. Security Considerations
592 Opt-In allows for unsigned names, in the form of delegations to
593 unsigned subzones, to exist within an otherwise signed zone. All
594 unsigned names are, by definition, insecure, and their validity or
595 existence cannot be cryptographically proven.
599 o Records with unsigned names (whether or not existing) suffer from
600 the same vulnerabilities as records in an unsigned zone. These
601 vulnerabilities are described in more detail in [12] (note in
602 particular Sections 2.3, "Name Games" and 2.6, "Authenticated
605 o Records with signed names have the same security whether or not
608 Note that with or without Opt-In, an insecure delegation may have its
609 contents undetectably altered by an attacker. Because of this, the
610 primary difference in security that Opt-In introduces is the loss of
611 the ability to prove the existence or nonexistence of an insecure
612 delegation within the span of an Opt-In NSEC record.
618Arends, et al. Experimental [Page 11]
620RFC 4956 DNS Security (DNSSEC) Opt-In July 2007
623 In particular, this means that a malicious entity may be able to
624 insert or delete records with unsigned names. These records are
625 normally NS records, but this also includes signed wildcard
626 expansions (while the wildcard record itself is signed, its expanded
627 name is an unsigned name), which can be undetectably removed or used
628 to replace an existing unsigned delegation.
630 For example, if a resolver received the following response from the
633 Example S.1: Response to query for WWW.DOES-NOT-EXIST.EXAMPLE. A
640 DOES-NOT-EXIST.EXAMPLE. NS NS.FORGED.
641 EXAMPLE. NSEC FIRST-SECURE.EXAMPLE. SOA NS \
643 EXAMPLE. RRSIG NSEC ...
648 Attacker has forged a name
650 The resolver would have no choice but to believe that the referral to
651 NS.FORGED. is valid. If a wildcard existed that would have been
652 expanded to cover "WWW.DOES-NOT-EXIST.EXAMPLE.", an attacker could
653 have undetectably removed it and replaced it with the forged
656 Note that being able to add a delegation is functionally equivalent
657 to being able to add any record type: an attacker merely has to forge
658 a delegation to the nameserver under his/her control and place
659 whatever records are needed at the subzone apex.
661 While in particular cases, this issue may not present a significant
662 security problem, in general it should not be lightly dismissed.
663 Therefore, it is strongly RECOMMENDED that Opt-In be used sparingly.
664 In particular, zone signing tools SHOULD NOT default to Opt-In, and
665 MAY choose not to support Opt-In at all.
674Arends, et al. Experimental [Page 12]
676RFC 4956 DNS Security (DNSSEC) Opt-In July 2007
681 The contributions, suggestions, and remarks of the following persons
682 (in alphabetic order) to this document are acknowledged:
684 Mats Kolkman, Edward Lewis, Ted Lindgreen, Rip Loomis, Bill
685 Manning, Dan Massey, Scott Rose, Mike Schiraldi, Jakob Schlyter,
69010.1. Normative References
692 [1] Mockapetris, P., "Domain names - implementation and
693 specification", STD 13, RFC 1035, November 1987.
695 [2] Bradner, S., "Key words for use in RFCs to Indicate Requirement
696 Levels", BCP 14, RFC 2119, March 1997.
698 [3] Wellington, B. and O. Gudmundsson, "Redefinition of DNS
699 Authenticated Data (AD) bit", RFC 3655, November 2003.
701 [4] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
702 "DNS Security Introduction and Requirements", RFC 4033,
705 [5] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
706 "Resource Records for the DNS Security Extensions", RFC 4034,
709 [6] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
710 "Protocol Modifications for the DNS Security Extensions",
711 RFC 4035, March 2005.
713 [7] Blacka, D., "DNSSEC Experiments", RFC 4955, July 2007.
71510.2. Informative References
717 [8] Elz, R. and R. Bush, "Clarifications to the DNS Specification",
720 [9] Wellington, B., "Secure Domain Name System (DNS) Dynamic
721 Update", RFC 3007, November 2000.
723 [10] Lewis, E., "DNS Security Extension Clarification on Zone
724 Status", RFC 3090, March 2001.
730Arends, et al. Experimental [Page 13]
732RFC 4956 DNS Security (DNSSEC) Opt-In July 2007
735 [11] Conrad, D., "Indicating Resolver Support of DNSSEC", RFC 3225,
738 [12] Atkins, D. and R. Austein, "Threat Analysis of the Domain Name
739 System (DNS)", RFC 3833, August 2004.
786Arends, et al. Experimental [Page 14]
788RFC 4956 DNS Security (DNSSEC) Opt-In July 2007
791Appendix A. Implementing Opt-In Using "Views"
793 In many cases, it may be convenient to implement an Opt-In zone by
794 combining two separately maintained "views" of a zone at request
795 time. In this context, "view" refers to a particular version of a
796 zone, not to any specific DNS implementation feature.
798 In this scenario, one view is the secure view, the other is the
799 insecure (or legacy) view. The secure view consists of an entirely
800 signed zone using Opt-In tagged NSEC records. The insecure view
801 contains no DNSSEC information. It is helpful, although not
802 necessary, for the secure view to be a subset (minus DNSSEC records)
803 of the insecure view.
805 In addition, the only RRsets that may solely exist in the insecure
806 view are non-zone-apex NS RRsets. That is, all non-NS RRsets (and
807 the zone apex NS RRset) MUST be signed and in the secure view.
809 These two views may be combined at request time to provide a virtual,
810 single Opt-In zone. The following algorithm is used when responding
813 V_A is the secure view as described above.
815 V_B is the insecure view as described above.
817 R_A is a response generated from V_A, following standard DNSSEC.
819 R_B is a response generated from V_B, following DNS resolution as
822 R_C is the response generated by combining R_A with R_B, as
825 A query is DNSSEC-aware if it either has the DO bit [11] turned on
826 or is for a DNSSEC-specific record type.
828 1. If V_A is a subset of V_B and the query is not DNSSEC-aware,
829 generate and return R_B, otherwise
833 3. If R_A's RCODE != NXDOMAIN, return R_A, otherwise
842Arends, et al. Experimental [Page 15]
844RFC 4956 DNS Security (DNSSEC) Opt-In July 2007
847 4. Generate R_B and combine it with R_A to form R_C:
849 For each section (ANSWER, AUTHORITY, ADDITIONAL), copy the
850 records from R_A into R_B, EXCEPT the AUTHORITY section SOA
851 record, if R_B's RCODE = NOERROR.
864 Phone: +44 1865 332211
865 EMail: roy@nominet.org.uk
870 21355 Ridgetop Circle
874 Phone: +1 703 948 3200
875 EMail: mkosters@verisign.com
876 URI: http://www.verisignlabs.com
881 21355 Ridgetop Circle
885 Phone: +1 703 948 3200
886 EMail: davidb@verisign.com
887 URI: http://www.verisignlabs.com
898Arends, et al. Experimental [Page 16]
900RFC 4956 DNS Security (DNSSEC) Opt-In July 2007
903Full Copyright Statement
905 Copyright (C) The IETF Trust (2007).
907 This document is subject to the rights, licenses and restrictions
908 contained in BCP 78, and except as set forth therein, the authors
909 retain all their rights.
911 This document and the information contained herein are provided on an
912 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
913 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
914 THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
915 OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
916 THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
917 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
921 The IETF takes no position regarding the validity or scope of any
922 Intellectual Property Rights or other rights that might be claimed to
923 pertain to the implementation or use of the technology described in
924 this document or the extent to which any license under such rights
925 might or might not be available; nor does it represent that it has
926 made any independent effort to identify any such rights. Information
927 on the procedures with respect to rights in RFC documents can be
928 found in BCP 78 and BCP 79.
930 Copies of IPR disclosures made to the IETF Secretariat and any
931 assurances of licenses to be made available, or the result of an
932 attempt made to obtain a general license or permission for the use of
933 such proprietary rights by implementers or users of this
934 specification can be obtained from the IETF on-line IPR repository at
935 http://www.ietf.org/ipr.
937 The IETF invites any interested party to bring to its attention any
938 copyrights, patents or patent applications, or other proprietary
939 rights that may cover technology that may be required to implement
940 this standard. Please address the information to the IETF at
945 Funding for the RFC Editor function is currently provided by the
954Arends, et al. Experimental [Page 17]