| Internet-Draft | ds-digest-verbatim | September 2020 |
| van Dijk | Expires 29 March 2021 | [Page] |
The VERBATIM DS Digest is defined as a direct copy of the input data without any hashing.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 29 March 2021.¶
Copyright (c) 2020 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.¶
The currently defined DS Digest Algorithms take the input data and hash it into a fixed-length form using well defined hashing algorithms (several SHA variants, and one mostly unused GOST algorithm). That hashing operation makes any data inside the (C)DNSKEY record unreachable until that data is retrieved from the child zone. Thus, DS records do not actually convey information; they merely verify information that can be retrieved elsewhere.¶
A DS record set can only answer the question 'this data that I have here, do you recognise it?'. For several imagined use cases for signed data at the parent, this might not be sufficient.¶
This document introduces a new Digest Algorithm, proposed name VERBATIM (alternative suggestion: NULL). The VERBATIM Digest Algorithm takes the input data (DNSKEY owner name | DNSKEY RDATA per section 5.1.4 of [RFC4034]) and copies it unmodified into the DS Digest field.¶
This document lives on GitHub; proposed text and editorial changes are very much welcomed there, but any functional changes should always first be discussed on the IETF DNSOP WG mailing list.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
The subsection titles in this section attempt to follow the terminology from [RFC8499] in as far as it has suitable terms. 'Implementation' is understood to mean both 'code changes' and 'operational changes' here.¶
Validating resolvers are encouraged to implement the VERBATIM Digest Algorithm.¶
This specification defines no changes to query processing in stub resolvers.¶
Zone validators are encouraged to recognise the VERBATIM Digest Algorithm and, where possible, verify it against the child zone's DNSKEY, if it has any for the given algorithm.¶
Domain registries are encouraged to allow VERBATIM digests at their user's request. However, a likely outcome is that domain registries will only allow the VERBATIM digest for DNSSEC algorithms whose specifications call for use of the VERBATIM digest.¶
FIXME¶
[RFC Editor: please remove this section before publication]¶
This document updates the IANA registry "Delegation Signer (DS) Resource Record (RR) Type Digest Algorithms" at https://www.iana.org/assignments/ds-rr-types/ds-rr-types.xhtml¶
The following entry is added to the registry:¶
+--------------+----------------+ | Value | TBD | | Description | VERBATIM | | Status | OPTIONAL | | Reference | RFC TBD2 | +--------------+----------------+¶