Derivation of DNS Name Predecessor and Successor
Draft of message to be sent after approval:
From: The IESG
To: IETF-Announce
Cc: Internet Architecture Board, RFC Editor, dnsext mailing list, dnsext chair
Subject: Document Action: 'Derivation of DNS Name Predecessor and Successor' to Experimental RFC

The IESG has approved the following document:

- 'Derivation of DNS Name Predecessor and Successor' as an Experimental RFC

This document is the product of the DNS Extensions Working Group.

The IESG contact persons are Mark Townsley and Jari Arkko.

A URL of this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-dnsext-dns-name-p-s-02.txt

Technical Summary

The first draft, draft-ietf-dnsext-dnssec-online-signing, describes how to construct DNSSEC NSEC resource records that cover a smaller range of names than called for by RFC4034. By generating and signing these records on demand, authoritative name servers can effectively stop the disclosure of zone contents otherwise made possible by walking the chain of NSEC records in a signed zone.

The other draft, draft-ietf-dnsext-dns-name-p-s, describes two methods for deriving the canonically-ordered predecessor and successor of a DNS name. These methods may be used for dynamic NSEC resource record synthesis, enabling security-aware name servers to provide authenticated denial of existence without disclosing other owner names in a DNSSEC-secured zone.

Working Group Summary

There was consensus in the DNSEXT WG to publish the online-signing draft as Proposed Standards. During IETF Last Call, some people suggested that this draft would be better published as an Experimental RFC. However, the WG had discussed the publication status of both of these drafts explicitly, and the number of people who raised this issue in IETF LC was not sufficient to question the earlier WG consensus.

Protocol Quality

These documents were reviewed for the IESG by Margaret Wasserman.