IETF RFC 5910
Domain Name System (DNS) Security Extensions Mapping for the Extensible Provisioning Protocol (EPP)
Organization: IETF
Publication Date: 1 May 2010
Status: active
Page Count: 36
Introduction
This document describes an extension mapping for version 1.0 of the Extensible Provisioning Protocol (EPP) described in RFC 5730 [RFC5730]. This mapping, an extension of the domain name mapping described in RFC 5731 [RFC5731], is specified using the Extensible Markup Language (XML) 1.0 [W3C.REC-xml-2000100
The EPP core protocol specification [RFC5730] provides a complete description of EPP command and response structures. A thorough understanding of the base protocol specification is necessary to understand the mapping described in this document. Familiarity with the Domain Name System (DNS) described in RFC 1034 [RFC1034] and RFC 1035 [RFC1035] and with DNS security extensions described in RFC 4033 [RFC4033], RFC 4034 [RFC4034], and RFC 4035 [RFC4035] is required to understand the DNS security concepts described in this document.
The EPP mapping described in this document specifies a mechanism for the provisioning and management of DNS security extensions in a shared central repository. Information exchanged via this mapping can be extracted from the repository and used to publish DNSSEC Delegation Signer (DS) resource records (RRs) as described in RFC 4034 [RFC4034].
This document obsoletes RFC 4310 [RFC4310]; thus, secDNS-1.1 as defined in this document deprecates secDNS-1.0 [RFC4310]. The motivation behind obsoleting RFC 4310 [RFC4310] includes:
- Addressing the issue with removing DS data based on the non-unique element. The client should explicitly specify the DS data to be removed, by using all four elements that are guaranteed to be unique.
- Adding the ability to add and remove elements in a single command. This makes it consistent with RFC 5731 [RFC5731].
- Clarifying and correcting the usage of the element. RFC 4310 [RFC4310] defined the element as a replacement for the DS data. This is inconsistent with RFC 5731 [RFC5731], where an element is used to change the values of the domain attributes.
- Adding support for the Key Data Interface described in Section 4.2 for "thick" DNSSEC servers that accept only key data and generate the associated DS data.
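Two of the points above, DS data being identified by all four of its fields and a "thick" server deriving DS data from key data, as an added Python example that is not part of the RFC: it computes the DS fields from DNSKEY data per RFC 4034 and contrasts keyTag-only removal with the all-four-fields removal this mapping requires. The owner name, the toy key bytes and the resulting key-tag collision are constructed for illustration; all function names are the example's own.

```python
import hashlib
import struct

# DS digest types: 1 = SHA-1 (RFC 4034 s5.1.3), 2 = SHA-256 (RFC 4509).
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}

def canonical_name(owner):
    """Owner name in canonical wire form (lowercase, uncompressed), RFC 4034 s6.2."""
    labels = [lb for lb in owner.rstrip(".").lower().split(".") if lb]
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"

def dnskey_rdata(flags, protocol, alg, pubkey):
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, public key (RFC 4034 s2.1)."""
    return struct.pack("!HBB", flags, protocol, alg) + pubkey

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_from_key_data(owner, flags, protocol, alg, pubkey, digest_type=2):
    """Derive the four DS fields from key data, as a 'thick' server does (RFC 4034 s5.1.4)."""
    rdata = dnskey_rdata(flags, protocol, alg, pubkey)
    digest = DIGEST_ALGS[digest_type](canonical_name(owner) + rdata).hexdigest().upper()
    return {"keyTag": key_tag(rdata), "alg": alg, "digestType": digest_type, "digest": digest}

def remove_ds(published, target):
    """secDNS-1.1 removal: only a DS matching on all four fields is dropped."""
    return [ds for ds in published if ds != target]

def remove_by_keytag_only(published, tag):
    """The secDNS-1.0 behaviour this RFC replaces: keyTag alone selects the DS data."""
    return [ds for ds in published if ds["keyTag"] != tag]

# Constructed sample: two toy KSKs (flags 257, protocol 3, alg 8) whose short
# key bytes are chosen so that their key tags collide (both 2063).
OWNER = "example.com."
DS_A = ds_from_key_data(OWNER, 257, 3, 8, b"\x01\x02\x03\x04")
DS_B = ds_from_key_data(OWNER, 257, 3, 8, b"\x02\x03\x02\x03")

if __name__ == "__main__":
    print(DS_A, DS_B, sep="\n")
    print("keyTag-only removal leaves:", remove_by_keytag_only([DS_A, DS_B], DS_A["keyTag"]))
    print("four-field removal leaves:", remove_ds([DS_A, DS_B], DS_A))
```

Removing by keyTag alone drops both records, while the four-field match leaves the second key's DS in place.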