Connected: An Internet Encyclopedia
6.3 Chaining Through Zones

Up: Connected: An Internet Encyclopedia
Up: Requests For Comments
Up: RFC 2065
Up: 6. The AD and CD Bits and How to Resolve Securely
Prev: 6.2 Boot File Format
Next: 6.4 Secure Time

6.3 Chaining Through Zones

6.3 Chaining Through Zones

Starting with one or more trusted keys for a zone, it should be possible to retrieve signed keys for its subzones which have a key and, if the zone is not root, for its superzone. Every authoritative secure zone server MUST also include the KEY RR for a super-zone signed by the secure zone via a keyfile directive. This makes it possible to climb the tree of zones if one starts below root. A secure sub-zone is indicated by a KEY RR with non-null key information appearing with the NS RRs for the sub-zone. These make it possible to descend within the tree of zones.

A resolver should keep track of the number of successive secure zones traversed from a starting point to any secure zone it can reach. In general, the lower such a distance number is, the greater the confidence in the data. Data configured via a boot file directive should be given a distance number of zero. If a query encounters different data for the same query with different distance values, that with a larger value should be ignored.

A security conscious resolver should completely refuse to step from a secure zone into a non-secure zone unless the non-secure zone is certified to be non-secure, or only experimentally secure, by the presence of an authenticated KEY RR for the non-secure zone with the no-key type value or the presence of a KEY RR with the experimental bit set. Otherwise the resolver is getting bogus or spoofed data.

If legitimate non-secure zones are encountered in traversing the DNS tree, then no zone can be trusted as secure that can be reached only via information from such non-secure zones. Since the non-secure zone data could have been spoofed, the "secure" zone reach via it could be counterfeit. The "distance" to data in such zones or zones reached via such zones could be set to 512 or more as this exceeds the largest possible distance through secure zones in the DNS. Nevertheless, continuing to apply secure checks within "secure" zones reached via non-secure zones is a good practice and will, as a practical matter, provide some small increase in security.


Next: 6.4 Secure Time

Connected: An Internet Encyclopedia
6.3 Chaining Through Zones