DNSSEC Policy in the RIPE NCC Service Region

Olaf Kolkman

Document ID: TBD
Date: September 2005

Abstract

This document describes RIPE NCC policy for serving secured DNS data and key exchange. It does not cover deployment of DNSSEC by Local Internet Registries (LIRs) or others in its service region. It should be read alongside ripe-302 - "Policy for Reverse Address Delegation of IPv4 and IPv6 Address Space in the RIPE NCC Service Region."


Contents

1.0 Introduction
2.0 Obtaining Secure Delegations from the RIPE NCC
3.0 Procedures
4.0 References


1.0 Introduction

The RIPE NCC is committed to supporting the deployment of DNS Security Extensions (DNSSEC) [1,2,3]. DNSSEC extends the DNS and allows validating DNS resolvers to establish 'chains of trust' from known public keys to the data being validated. A full explanation of DNSSEC is outside the scope of this document; for that information, please see [1,2,3,4,5].

During the resolution process, DNSSEC-aware nameservers will provide secure delegations. These consist of a regular delegation (the NS record) to the nameservers that are authoritative for the child zone, as well as a signed pointer (the DS record) to a key that is authorised to sign the child zone. When the child and parent zone have exchanged keys, the RIPE NCC can provide a secure delegation.
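The following is an added example, not part of the RIPE NCC policy or its procedures: it shows how the DS record in the parent zone points to a child's DNSKEY, using the record formats from RFC 4034 [2]. The zone name and the key bytes are constructed sample values, and the function names are chosen for illustration.

```python
import hashlib
import hmac
import struct

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (added later by RFC 4509).
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}
ZONE_KEY_FLAG = 0x0100  # DNSKEY flags bit 7: key may sign zone data

def wire_name(name):
    """Owner name in canonical wire form: lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: flags (2 bytes), protocol (1), algorithm (1), key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """Key tag from RFC 4034 Appendix B (16-bit folded sum over the RDATA)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, rdata, digest_type=2):
    """DS fields the parent publishes: (key tag, algorithm, digest type, digest)."""
    digest = DIGESTS[digest_type](wire_name(owner) + rdata).digest()
    return key_tag(rdata), rdata[3], digest_type, digest

def ds_matches(owner, rdata, ds):
    """True if the parent's DS record points at this child DNSKEY."""
    tag, algorithm, digest_type, digest = ds
    flags, protocol = struct.unpack("!HB", rdata[:3])
    if digest_type not in DIGESTS:           # unknown digest: cannot validate
        return False
    if not flags & ZONE_KEY_FLAG or protocol != 3:
        return False                         # not usable as a zone key
    if tag != key_tag(rdata) or algorithm != rdata[3]:
        return False
    expected = DIGESTS[digest_type](wire_name(owner) + rdata).digest()
    return hmac.compare_digest(expected, digest)

# Constructed sample data: a reverse zone in documentation space and filler
# bytes standing in for a public key (not a real key).
CHILD = "2.0.192.in-addr.arpa."
KEY = dnskey_rdata(257, 3, 5, bytes(range(64)))
ROLLED = dnskey_rdata(257, 3, 5, bytes(range(1, 65)))

if __name__ == "__main__":
    ds = make_ds(CHILD, KEY)
    print("DS", ds[0], ds[1], ds[2], ds[3].hex())
    print("matches current key:", ds_matches(CHILD, KEY, ds))
    print("matches rolled key: ", ds_matches(CHILD, ROLLED, ds))
```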

This document describes RIPE NCC policy for serving secured DNS data and key exchange. It does not cover deployment of DNSSEC by Local Internet Registries (LIRs) or others in its service region.

 

2.0 Obtaining Secure Delegations from the RIPE NCC

It is possible to secure delegations from the RIPE NCC under the "Policy for Reverse Address Delegation of IPv4 and IPv6 Address Space in the RIPE NCC Service Region."

RIPE NCC operational staff will deploy DNSSEC zone by zone. They will only exchange keys when parent domains are being signed. This will keep information current.

Key exchange between parent and child is based on the same authorisation and authentication mechanisms as the exchange of nameserver delegation information.

The RIPE NCC will sign any announcements about secured DNS, such as changes in procedures, with its PGP key. It will publish procedures and announcements on a secure website:

https://www.ripe.net/reverse/dnssec/

and also post these to an announcement mailing list (ripe-list _at_ ripe _dot_ net).

 

3.0 Procedures

The Draft Public Key Procedure explains the procedure that the RIPE NCC will follow with its keys. You will need this document if you plan to configure the RIPE NCC as a 'trust anchor' or if you receive a secure delegation from there.

The Draft Registry Procedure explains how you can get a secure delegation.

 

4.0 References

[1] DNS Security Introduction and Requirements, Arends et al, RFC4033:
http://www.ietf.org/rfc/rfc4033.txt

[2] Resource Records for the DNS Security Extensions, Arends et al, RFC4034:
http://www.ietf.org/rfc/rfc4034.txt

[3] Protocol Modifications for the DNS Security Extensions, Arends et al, RFC4035:
http://www.ietf.org/rfc/rfc4035.txt

[4] DNSSEC HOWTO, O.M. Kolkman, RIPE NCC:
http://www.ripe.net/projects/disi/dnssec_howto/

[5] DNSSEC information portal:
http://www.dnssec.net