Compromised-key Digest Signature (CKDS) Introduction and Requirement
draft-haikuo-ckds-01

 
Document
Type: Expired Internet-Draft (individual)
Last updated: 2012-12-07 (latest revision 2012-06-05)
Stream: (None)
Intended RFC status: (None)
Stream
Stream state: (No stream defined)
Document shepherd: No shepherd assigned
IESG
IESG state: Expired
Telechat date:
Responsible AD: (None)
Send notices to: (None)


This Internet-Draft is no longer active. A copy of the expired Internet-Draft can be found at
https://www.ietf.org/archive/id/draft-haikuo-ckds-01.txt

Abstract

DNS Security Extensions (DNSSEC) is currently widely deployed at TLDs and other important domain names. DNSSEC is an effective method of providing security protection for end users in the network. DNSSEC requires many operations to maintain the chain of trust, such as periodic DNSKEY rollover operations. However, the chain of trust can be broken if the operator of a domain replaces the old key immediately in an emergency rollover operation when the key is compromised. If the data in the resolver's cache is correct, the break will make the domain and its sub-domains invisible for a short time; conversely, if the resolver is under attack from hackers, the fake RR in the resolver's cache may be "valid". This document introduces the compromised-key digest signature (CKDS) resource record to mitigate, from the authoritative name server, the impact of the invalidation caused by an emergency rollover.

Authors

Haikuo Zhang (zhanghaikuo@cnnic.cn)
Likun Zhang (zhanglikun@cnnic.cn)

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)