Compromised-key Digest Signature (CKDS) Introduction and Requirement
draft-haikuo-ckds-01
Document | Type |
Expired Internet-Draft
(individual)
Expired & archived
|
|
---|---|---|---|
Authors | Haikuo Zhang , Likun Zhang | ||
Last updated | 2012-12-07 (Latest revision 2012-06-05) | ||
RFC stream | (None) | ||
Intended RFC status | (None) | ||
Formats | |||
Stream | Stream state | (No stream defined) | |
Consensus boilerplate | Unknown | ||
RFC Editor Note | (None) | ||
IESG | IESG state | Expired | |
Telechat date | (None) | ||
Responsible AD | (None) | ||
Send notices to | (None) |
This Internet-Draft is no longer active. A copy of the expired Internet-Draft is available in these formats:
Abstract
DNS Security Extensions (DNSSEC) is widely deployed at TLD and other important domain names currently. DNSSEC is an effective method to provide security protection for end users in the network. DNSSEC needs a lot of operations to maintain the chain of trust, like DNSKEY rollover operations periodically. But the chain of trust could be broken if the operator of domain replaces the old key immediately in a emergency rollover operation when the key is compromised. The break will make the domain and his sub-domains invisible in a short time if the data in the cache of resolver is right, on the contrary, the fake RR in the cache of resolver may be "valid" if the resolver is under the attack from hackers. This document introduces the compromised-key digest signature (CKDS) resource record to mitigate the impact of invalidation which is due to emergency rollover from the authoritative name server.
Authors
(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)