Technical Summary
This document is part of a family of documents that describes the DNS
Security Extensions (DNSSEC). The DNS Security Extensions are a
collection of resource records and protocol modifications that
provide source authentication for the DNS.
The document series consists out of 3 documents:
+ DNS Security Introduction and Requirements ([dnssec-intro])
+ Protocol Modifications for the DNS Security Extensions ([dnssec-proto])
+ Resource Records for the DNS Security Extensions ([dnssec-records])
[dnssec-intro] introduces the DNS security extensions, and describes their
capabilities and limitations. [dnssec-intro] also discusses the services
that the DNS security extensions do and do not provide. [dnssec-intro]
describes the interrelationships between the group of documents
that collectively describe DNSSEC.
[dnssec-proto] describes the DNSSEC protocol modifications.
[dnssec-proto] defines the concept of a signed zone, along with the
requirements for serving and resolving using DNSSEC. These
techniques allow a security-aware resolver to authenticate both DNS
resource records and authoritative DNS error indications.
[dnssec-records] defines the public key (DNSKEY), delegation signer
(DS), resource record digital signature (RRSIG), and authenticated
denial of existence (NSEC) resource records. The purpose and
format of each resource record is described in detail, and an
example of each resource record is given.
Working Group Summary
There was consensus within the working group to publish the
document as Proposed Standard.
Protocol Quality
The following quote from draft-ietf-dnsext-dnssec-intro-11.txt
is relevant:
"The specification in the DNSSEC document set defines the behavior
for zone signers and security-aware name servers and resolvers in
such a way that the validating entities can unambiguously determine
the state of the data.
(...)
A method for signaling advanced error codes and policy between a
security aware stub resolver and security aware recursive nameservers
is a topic for future work, as is the interface between a security
aware resolver and the applications that use it. Note, however, that
the lack of the specification of such communication does not prohibit
deployment of signed zones or the deployment of security aware
recursive name servers that prohibit propagation of bogus data to the
applications."
(end quote)
Various parts of the specification have been implemented.
There are (at least) 2 signer implementations
There are (at least) 2 authoritative server implementations
There is (at least) 1 verifying recursive nameserver (hence a verifying
resolver) implementation.
There are various troubleshooting tools that have partial or full
verification capabilities.
These implementations have been used in several workshops and have
been found to inter-operate.
This document has been reviewed for the IESG by Thomas Narten.