INTERNET-DRAFT                          Mapping A.S. Number into the DNS
                                                         12 January 1995
                                                    Expires 11 July 1995




     Mapping Autonomous Systems Number into the Domain Name System
     ------- ---------- ------- ------ ---- --- ------ ---- ------

                         Donald E. Eastlake 3rd



Status of This Document

   This draft, file name draft-ietf-dnssec-as-map-01.txt, is intended to
   become a standards track RFC concerning DNS and routing security.
   Distribution of this document is unlimited. Comments should be sent
   to the DNS Security Working Group mailing list <dns-security@tis.com>
   or to the author.

   This document is an Internet-Draft.  Internet-Drafts are working
   documents of the Internet Engineering Task Force (IETF), its areas,
   and its working groups.  Note that other groups may also distribute
   working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months.  Internet-Drafts may be updated, replaced, or obsoleted by
   other documents at any time.  It is not appropriate to use Internet-
   Drafts as reference material or to cite them other than as a
   ``working draft'' or ``work in progress.''

   To learn the current status of any Internet-Draft, please check the
   1id-abstracts.txt listing contained in the Internet-Drafts Shadow
   Directories on ds.internic.net, nic.nordu.net, ftp.isi.edu,
   munnari.oz.au, or ftp.is.co.za.

Donald E. Eastlake 3rd                                          [Page 1]


Abstract

   One requirement of secure routing is that independent routing
   entities, such as those identified by Internet Autonomous System
   Numbers, be able to authenticate messages to each other.
   Modifications currently being developed (see draft-ietf-dnssec-
   secext-*.txt) to the Domain Name System will enable it to be used for
   convenient public key distribution.  This draft maps all Autonomous
   System numbers into DNS Domain Names so that the DNS can be used to
   distribute their public keys.



Acknowledgements

   The contributions of the following persons to this draft are
   gratefully acknowledged: Ran Atkinson, Christian Huitema, Tony Li,
   Michael A. Patton.


Table of Contents

      Status of This Document....................................1

      Abstract...................................................2
      Acknowledgements...........................................2

      Table of Contents..........................................3

      1. Introduction............................................4

      2. Autonomous System Number Mapping........................5

      3. Meaning of RRs..........................................6

      4. Security Considerations.................................7
      References.................................................7
      Author's Address...........................................7
      Expiration and File Name...................................7


1. Introduction

   There are a number of elements that will be required to secure
   routing in the Internet.  One of these is a way for independently
   operated top level routing domains to authenticate messages to each
   other.

   Sharing a private symmetric key between each pair of such domains is
   impractical.  The Autonomous System numbering scheme provides for
   2**16 such domains, which implies 2**16 * (2**16 - 1) / 2, or
   approximately 2**31, pairs: an impractical number of keys to securely
   generate, install, and periodically replace.

   The solution is to use public key technology whereby each domain has
   a private key it can use to sign messages.  Other domains that know
   the corresponding public key can then authenticate these messages.
   Such authenticated messages can be used to set up and maintain
   efficient symmetric keys on an as needed basis.

   But how do the domains securely obtain the Autonomous System number
   to public key mapping?

   Extensions currently being developed for the Domain Name System will
   enable it to be conveniently used for authenticated public key
   distribution (see draft-ietf-dnssec-secext-*.txt). All that is
   required is a mapping of Autonomous System numbers into domain names,
   which is provided by this draft.

   It should be noted that the public keys retrieved from DNS will
   likely be used primarily to authenticate initial connection set up
   messages.  Autonomous Systems that need to converse with any
   frequency will probably negotiate more efficient session keys.


2. Autonomous System Number Mapping

   Autonomous System (A.S.) numbers are 16 bit quantities, usually
   written as a decimal number, so the maximum value is 65,535.  For
   example, ANS is autonomous system 690.  The A.S. number is mapped
   into a domain name as described below.

   Take the thousands part of the A.S. number and the number modulo
   1,000 as decimal numbers, reverse their order and put a period
   between them, and then append ".in-as.arpa".  This mapping is
   analogous to the IPv4 address mapping into the in-addr.arpa DNS
   domain.

   Thus the domain name corresponding to Autonomous System 690 (decimal) is

        690.0.in-as.arpa.

   and the domain corresponding to the largest possible A.S. number is

        535.65.in-as.arpa.
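
   The mapping above, carried out in both directions, as an added example
   that is not part of this draft.  It assumes that each of the two
   decimal labels is written without leading zeros (the draft says only
   "as decimal numbers"; its examples 690.0 and 535.65 are consistent with
   that reading), so that A.S. 1005 maps to 5.1.in-as.arpa. and a padded
   spelling such as 005.1.in-as.arpa. is rejected on the way back.  The
   inverse parser also refuses names that decode to more than 65,535,
   such as 535.66.in-as.arpa., which an implementation must treat as junk
   rather than silently truncate.

```python
"""Mapping between 16-bit Autonomous System numbers and in-as.arpa names.

Added example; not code from the draft.  Assumption: each of the two
decimal labels is written without leading zeros, as the draft's own
examples (690.0 and 535.65) suggest, so AS 1005 maps to 5.1.in-as.arpa.
"""
import re

AS_SUFFIX = "in-as.arpa."
MAX_AS = 0xFFFF  # the draft defines A.S. numbers as 16-bit quantities

# <number mod 1000>.<thousands>.in-as.arpa, optionally with a trailing dot.
# \d{1,3} bounds the first label to 0..999 before any arithmetic happens.
_NAME_RE = re.compile(r"^(\d{1,3})\.(\d{1,2})\.in-as\.arpa\.?$", re.IGNORECASE)


def as_to_name(asn: int) -> str:
    """Return the fully qualified in-as.arpa name for a 16-bit AS number."""
    if isinstance(asn, bool) or not isinstance(asn, int):
        raise TypeError("AS number must be an int")
    if not 0 <= asn <= MAX_AS:
        raise ValueError(f"AS number {asn} is outside 0..{MAX_AS}")
    thousands, remainder = divmod(asn, 1000)
    # Low-order part first, thousands part second: the reversed order
    # mirrors in-addr.arpa, so the most significant part is nearest the root.
    return f"{remainder}.{thousands}.{AS_SUFFIX}"


def name_to_as(name: str) -> int:
    """Parse an in-as.arpa name back to its AS number, rejecting anything else."""
    match = _NAME_RE.match(name.strip())
    if match is None:
        raise ValueError(f"not an in-as.arpa A.S. name: {name!r}")
    remainder_label, thousands_label = match.group(1), match.group(2)
    # Zero-padded labels such as 005.1 would be a second DNS name for the
    # same A.S.; insist on the single canonical spelling (assumption above).
    for label in (remainder_label, thousands_label):
        if len(label) > 1 and label.startswith("0"):
            raise ValueError(f"non-canonical label {label!r} in {name!r}")
    asn = int(thousands_label) * 1000 + int(remainder_label)
    if asn > MAX_AS:
        raise ValueError(f"{name!r} decodes to {asn}, above the 16-bit range")
    return asn


def is_valid_as_name(name: str) -> bool:
    """Predicate form of name_to_as, for validating input at a trust boundary."""
    try:
        name_to_as(name)
    except ValueError:
        return False
    return True


def check_round_trip() -> bool:
    """Every 16-bit AS number must survive mapping to a name and back."""
    return all(name_to_as(as_to_name(n)) == n for n in range(MAX_AS + 1))


if __name__ == "__main__":
    for asn in (0, 690, 1005, 65535):
        print(f"AS {asn:>5} -> {as_to_name(asn)}")
    for bad in ("535.66.in-as.arpa.", "005.1.in-as.arpa.", "1.2.3.in-as.arpa."):
        print(f"{bad:<22} valid: {is_valid_as_name(bad)}")
    print("round trip over all AS numbers:", check_round_trip())
```

   Running the module prints the four sample names and the three
   rejections; check_round_trip() walks all 65,536 values, so the two
   functions are shown to be exact inverses rather than merely agreeing
   on the draft's two examples.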


3. Meaning of RRs

   The following guidance is given for some RR types that could be
   stored under the names mapped from A.S. numbers.  The KEY RR is given
   first, then the rest in alphabetic order.

        KEY: This type of resource record associates a public key with
   the Autonomous System (A.S.) designated by its name.  Such a public
   key can be used to authenticate communications with or between A.S.s.
   The existence of KEY RRs is the reason for mapping A.S. names into
   the DNS.  Under DNS security as proposed in draft-ietf-dnssec-
   secext-*.txt the KEY RR can be used to store any type of digital key.

        A: DO NOT place type A RRs at A.S. nodes.  A.S. domain names are
   reserved for Autonomous Systems only and should NOT be used for a
   host or any type of end entity other than an Autonomous System.

        CNAME: This type of RR is an alias pointing to another domain
   name.  An A.S. could have a CNAME pointing to a different A.S., but
   this is not likely to be very useful, as A.S. RRs will normally be
   looked up when the A.S. number is actually encountered in use.  Note
   also that a CNAME may not share its owner name with any other RR
   type, so an A.S. name that is an alias can carry no KEY, RP, or PTR
   of its own; those are found at the alias target.

        MX: There is no special use for an MX RR for an A.S. name.  It
   could point to a host that would accept mail related to that A.S.

        NS: The presence of NS records under an in-as.arpa name means
   that it has been carved out as a subzone.  This gives the A.S.
   complete control over the zone refresh parameters and control over
   the creation of inferior names.  No special meaning is currently
   assigned to such inferior names so, although this is not advised,
   they could be used for hosts or whatever.

        PTR: The part of the forward domain tree that administratively
   corresponds to the A.S. should be indicated by a PTR RR.  If some
   entity, say example.net, has several A.S.s, there would be PTRs to
   example.net from several names in the in-as.arpa hierarchy.

        RP: A Responsible Person RR SHOULD appear under each A.S. name
   telling you who you should contact in the case of problems with that
   A.S.

        TXT: Text RRs can be used for comments, postal address, or
   similar notes under an A.S. name.
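
   A lint over the RRsets found at in-as.arpa names, applying the
   guidance of this section, as an added example that is not part of
   this draft.  The sample zone is constructed, the KEY rdata is a
   placeholder rather than a real key, and example.net and example.org
   are illustrative names.  The CNAME rule it enforces (a CNAME may not
   share an owner name with other RR types) comes from RFC 1034 rather
   than from this section.

```python
"""Audit the records placed at in-as.arpa names against the RR guidance
in section 3.  Added example; not code from the draft.

The input is a constructed zone, given as (owner, type, rdata) tuples;
rdata is kept as an opaque string because only the record types matter
here, and the KEY rdata is a placeholder rather than a real key.
"""
from collections import defaultdict

AS_SUFFIX = "in-as.arpa."

# Constructed sample: one well-formed A.S. node, one that breaks the rules,
# one delegated subzone, and an inferior name inside that subzone.
SAMPLE_ZONE = [
    ("690.0.in-as.arpa.", "KEY", "<placeholder public key for AS 690>"),
    ("690.0.in-as.arpa.", "PTR", "example.net."),
    ("690.0.in-as.arpa.", "RP",  "hostmaster.example.net. contact.example.net."),
    ("690.0.in-as.arpa.", "TXT", "\"Example Networks, AS 690\""),
    ("1.1.in-as.arpa.",   "KEY", "<placeholder public key for AS 1001>"),
    ("1.1.in-as.arpa.",   "A",   "192.0.2.1"),           # forbidden
    ("5.1.in-as.arpa.",   "NS",  "ns1.example.org."),    # carved-out subzone
    ("5.1.in-as.arpa.",   "NS",  "ns2.example.org."),
    ("www.5.1.in-as.arpa.", "A", "192.0.2.2"),           # inferior name
]


def canonical(owner: str) -> str:
    """Lower-case the owner name and make sure it is fully qualified."""
    return owner.strip().lower().rstrip(".") + "."


def is_as_node(owner: str) -> bool:
    """True for names of the exact form <n mod 1000>.<thousands>.in-as.arpa."""
    labels = canonical(owner).rstrip(".").split(".")
    return (len(labels) == 4 and labels[2:] == ["in-as", "arpa"]
            and all(label.isdigit() for label in labels[:2]))


def audit_zone(records):
    """Return {owner: [findings]} for every owner name under in-as.arpa."""
    types_at = defaultdict(set)
    for owner, rtype, _rdata in records:
        types_at[canonical(owner)].add(rtype.upper())

    findings = {}
    for owner, types in types_at.items():
        if not owner.endswith("." + AS_SUFFIX):
            continue  # not under in-as.arpa (the apex itself is skipped too)
        notes = []
        if not is_as_node(owner):
            # Section 3 assigns no meaning to inferior names and advises
            # against using them for hosts.
            notes.append("NOTE: inferior name below an A.S. node; no meaning "
                         "assigned, not advised for hosts")
            findings[owner] = notes
            continue
        if "A" in types:
            notes.append("ERROR: A RR at an A.S. node; these names are reserved "
                         "for Autonomous Systems, not hosts")
        if "CNAME" in types and len(types) > 1:
            # RFC 1034: a CNAME may not share its owner name with other RRs.
            notes.append("ERROR: CNAME coexists with other RR types at the same name")
        if "NS" in types:
            # The A.S. has been carved out as a subzone; its KEY, RP and PTR
            # live at the subzone apex and are not visible from this zone.
            notes.append("INFO: delegated subzone; audit its apex in the child zone")
        else:
            if "KEY" not in types:
                notes.append("WARN: no KEY RR; no public key can be retrieved for this A.S.")
            if "RP" not in types:
                notes.append("WARN: no RP RR; no responsible person to contact about this A.S.")
            if "PTR" not in types:
                notes.append("NOTE: no PTR RR to the forward domain that administers this A.S.")
        findings[owner] = notes
    return findings


def has_errors(findings) -> bool:
    """True when any finding is an ERROR (a rule section 3 states as DO NOT)."""
    return any(note.startswith("ERROR")
               for notes in findings.values() for note in notes)


if __name__ == "__main__":
    for owner, notes in audit_zone(SAMPLE_ZONE).items():
        print(owner, "OK" if not notes else "")
        for note in notes:
            print("   ", note)
```

   The delegation case is the one worth noticing: once NS RRs are present
   at an A.S. node, the parent zone no longer holds that A.S.'s KEY, RP,
   or PTR, so the check is deferred to the child zone rather than
   reported as missing.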

4. Security Considerations

   The entirety of this document concerns a means to map Internet
   Autonomous System numbers into the Domain Name System (DNS) so that
   secure DNS can be used to provide secure distribution of Autonomous
   Systems' public keys.

   A public key retrieved from an in-as.arpa name is only as trustworthy
   as the DNS security protecting that name and every delegation above
   it.  A resolver that does not verify the signatures on the KEY RR and
   on the chain of delegations from the root to in-as.arpa gains no
   authentication from this mapping: anyone able to forge or alter the
   DNS responses could substitute a key of their own choosing.  The
   in-as.arpa zone, and any subzone carved out of it with NS RRs, should
   therefore be signed and its zone keys guarded with the same care as
   the Autonomous System keys it distributes.



References

   [RFC904]  Mills, D. L., "Exterior Gateway Protocol Formal
             Specification", RFC 904, April 1984.

   [RFC1034] Mockapetris, P., "Domain Names - Concepts and Facilities",
             RFC 1034, November 1987.

   [RFC1035] Mockapetris, P., "Domain Names - Implementation and
             Specification", RFC 1035, November 1987.



Author's Address

   Donald E. Eastlake 3rd
   Digital Equipment Corporation
   550 King Street, LKG2-1/BB3
   Littleton, MA 01460

   Telephone:   +1 508 486 6577(w)  +1 508 287 4877(h)
   EMail:       dee@lkg.dec.com



Expiration and File Name

   This draft expires 11 July 1995

   Its file name is draft-ietf-dnssec-as-map-01.txt.
