
RIPE Policy Proposal 2005-07

Number: 2005-07
Policy Proposal Name: Introducing DNSSEC Service to Reverse DNS Trees
Author: Olaf Kolkman, +31 20 535 4415, RIPE NCC
Proposal Version: 1.0
Submission Date: 5 July 2005
Current Status: Accepted
Suggested WG for Discussion and Publication: DNS
Proposal Type: New
Policy Term: Permanent
Summary of Proposal:

To implement DNSSEC, we propose extending the policy for Reverse Address Delegation of IPv4 and IPv6 Address Space in the RIPE NCC Service Region.

Draft Policy Text

It is possible to secure delegations from the RIPE NCC under the Policy for Reverse Address Delegation of IPv4 and IPv6 Address Space in the RIPE NCC Service Region.

Our operational staff will deploy DNSSEC zone by zone. We will only exchange keys when parent domains are being signed. This will keep information current.

Key exchange between parent and child is based on the same authorisation and authentication mechanisms as the exchange of nameserver delegation information.

We will sign any announcements about secured DNS, such as changes in RIPE NCC procedures, with our PGP key. We will publish procedures and announcements on our secure website (https://www.ripe.net/reverse/dnssec/) and also post these to an announcement mailing list (ripe-list@ripe.net).

Rationale:

The RIPE NCC is committed to supporting the deployment of DNS Security Extensions - a set of security extensions to the DNS that allows validating DNS resolvers to establish 'chains of trust' from known public keys to the data being validated.

During the resolution process, DNSSEC-aware nameservers will provide secure delegations. These consist of a regular delegation (the NS record) to the nameservers that are authoritative for the child zone, as well as a signed pointer (the DS record) to a key that is authorised to sign the child zone. When the child and parent zone have exchanged keys, we can provide a secure delegation.
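As an added illustration (not part of this proposal or of RIPE NCC procedures), the Python code below shows how the DS record in a secure delegation is bound to a child zone's DNSKEY, using the key tag and digest calculations from RFC 4034 and the SHA-256 digest type from RFC 4509. The reverse zone name, the key bytes and all function names are constructed for the example.

```python
import hashlib
import struct

# Constructed sample values (assumptions, not from the proposal): a reverse
# zone in the 192.0.2.0/24 documentation range and a 4-byte placeholder key.
SAMPLE_OWNER = "2.0.192.in-addr.arpa."
SAMPLE_RDATA = struct.pack("!HBB", 257, 3, 8) + b"\x01\x02\x03\x04"

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest type -> hash


def name_to_wire(name):
    """Canonical wire form: lower-cased, length-prefixed labels, root byte."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("invalid label length in %r" % name)
        wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (all algorithms except 1, RSA/MD5)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def make_ds(owner, rdata, digest_type=2):
    """Build (key tag, algorithm, digest type, hex digest) for a DNSKEY."""
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return key_tag(rdata), rdata[3], digest_type, digest.upper()


def ds_matches(owner, rdata, ds):
    """True if the parent's DS tuple points at this child DNSKEY."""
    tag, alg, digest_type, digest = ds
    if digest_type not in DIGESTS:
        return False  # unknown digest type: cannot validate, treat as no match
    expected = make_ds(owner, rdata, digest_type)
    return (tag, alg, digest.upper()) == (expected[0], expected[1], expected[3])


if __name__ == "__main__":
    ds = make_ds(SAMPLE_OWNER, SAMPLE_RDATA)
    print(SAMPLE_OWNER, "IN DS", *ds)
    print("matches child key:", ds_matches(SAMPLE_OWNER, SAMPLE_RDATA, ds))
```

A child-zone operator can run the same comparison against the DS record the parent publishes before and after a key rollover, since a DS that no longer matches any DNSKEY in the child zone breaks the chain of trust for validating resolvers.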

This proposal describes our planned policy for serving secured DNS data and key exchange. It does not cover deployment of DNSSEC by Local Internet Registries (LIRs) or others in our service region.

We are also introducing two new proposed procedural documents; comments are welcome on these:

The Draft Public Key Procedure explains the procedure that we will follow with our keys. You will need this document if you plan to configure the RIPE NCC as a 'trust anchor' or if you receive a secure delegation from us.

The Draft Registry Procedure explains how you can get a secure delegation.

Disclaimer
This policy and the related procedures are tailored towards the operation of a secured Domain Name System. They are not in any way tailored to the establishment of a certification authority similar to CAs used for X.509 PKIs.

