DNS Security (dnssec)
---------------------

Charter

Current status: active working group

Chair(s):
    James Galvin

Service Applications Area Director(s):
    Dave Crocker

Mailing lists:
    General Discussion: dns-security@tis.com
    To Subscribe:       dns-security-request@tis.com
    Archive:            ftp.tis.com:/pub/dns-security

Description of Working Group:

The Domain Name System (DNS) Security Working Group (dnssec) will specify
enhancements to the DNS protocol to protect the DNS against unauthorized
modification of data and against masquerading of DNS data origin. That is,
it will add data integrity and authentication capabilities to the DNS. The
specific mechanism to be added to the DNS protocol will be a digital
signature.

The digital signature service will be added such that the DNS resource
records will be signed and, by distributing the signatures with the
records, remote sites can verify the signatures and thus have confidence in
the accuracy of the records received.

There are at least two issues to be explored and resolved. First, should
the records be signed by the primary or secondary (or both) servers
distributing the resource records, or should they be signed by the start of
authority for the zone of the records? This issue is relevant since there
are servers for sites that are not IP connected. Second, the mechanism with
which to distribute the public keys necessary to verify the digital
signatures must be identified.

Two essential assumptions have been identified. First, backward
compatibility and co-existence with DNS servers and clients that do not
support the proposed security services is required. Second, data in the DNS
is considered public information. This latter assumption means that
discussions and proposals involving data confidentiality and access control
are explicitly outside the scope of this working group.

Goals and Milestones:

    Mar 94   Submit proposal for adding security enhancements to DNS as an
             Internet-Draft
    Jul 94   Update Internet-Draft on adding security enhancements to DNS
    Nov 94   Submit proposal for adding security enhancements to the DNS to
             the IESG for consideration as a Proposed Standard