INTERNET-DRAFT         Mapping A.S. Number into the DNS       19 November 1994
                                                           Expires 20 May 1995


       Mapping Autonomous Systems Number into the Domain Name System
       ------- ---------- ------- ------ ---- --- ------ ---- ------

                           Donald E. Eastlake 3rd


Status of This Document

   This draft, file name draft-ietf-dnssec-as-map-01.txt, is intended
   to become a standards track RFC concerning DNS and routing security.
   Distribution of this document is unlimited.  Comments should be sent
   to the DNS Security Working Group mailing list [is there also a
   router [WG?] mailing list it should be sent to?] or to the author.

   This document is an Internet-Draft.  Internet-Drafts are working
   documents of the Internet Engineering Task Force (IETF), its areas,
   and its working groups.  Note that other groups may also distribute
   working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months.  Internet-Drafts may be updated, replaced, or obsoleted by
   other documents at any time.  It is not appropriate to use
   Internet-Drafts as reference material or to cite them other than as
   a ``working draft'' or ``work in progress.''

   To learn the current status of any Internet-Draft, please check the
   1id-abstracts.txt listing contained in the Internet-Drafts Shadow
   Directories on ds.internic.net, nic.nordu.net, ftp.isi.edu, or
   munnari.oz.au.


Donald E. Eastlake 3rd                                          [Page 1]


Abstract

   One requirement of secure routing is that independent routing
   entities, such as those identified by Internet Autonomous System
   Numbers, be able to authenticate messages to each other.
   Modifications currently being developed (see the other
   draft-ietf-dnssec-*.txt drafts) to the Domain Name System will
   enable it to be used for convenient public key distribution.  This
   draft maps all Autonomous System numbers into DNS Domain Names so
   that the DNS can be used to distribute their public keys.
Acknowledgements

   The contributions of the following persons to this draft are
   gratefully acknowledged:

      Ran Atkinson, Michael A. Patton


Table of Contents

      Status of This Document....................................1
      Abstract...................................................2
      Acknowledgements...........................................2
      Table of Contents..........................................3
      1. Introduction............................................4
      2. Autonomous System Number Mapping........................5
      3. Meaning of RRs..........................................6
      4. Security Considerations.................................7
      References.................................................7
      Author's Address...........................................8
      Expiration and File Name...................................8


1. Introduction

   There are a number of elements that will be required to secure
   routing in the Internet.  One of these is a way for independently
   operated top level routing domains to authenticate messages to each
   other.

   Sharing a private symmetric key between each pair of such domains is
   impractical.  The Autonomous System numbering scheme provides for
   2**16 such domains, which implies approximately 2**31 pairs, an
   impractical number of keys to securely generate, install, and
   periodically replace.

   The solution is to use public key technology, whereby each domain
   has a private key it can use to sign messages.  Other domains that
   know the corresponding public key can then authenticate these
   messages.  Such authenticated messages can be used to set up and
   replace efficient symmetric keys on an as-needed basis.  But how do
   the domains securely obtain the Autonomous System number to public
   key mapping?
   Extensions currently being developed for the Domain Name System will
   enable it to be conveniently used for authenticated public key
   distribution (see the other draft-ietf-dnssec-*.txt drafts).  All
   that is required is a mapping of Autonomous System numbers into
   domain names, which is provided by this draft.

   It should be noted that the public keys retrieved from DNS will
   likely be used mostly to authenticate only initial set up messages.
   Autonomous Systems that need to converse with any frequency will
   probably negotiate more efficient session keys.


2. Autonomous System Number Mapping

   Autonomous System (A.S.) numbers are 16 bit quantities.  The A.S.
   number is mapped into a domain name as follows: (1) write the A.S.
   number as a four digit hex number (with leading zeros if necessary),
   (2) reverse these digits and separate them with dots, and (3) append
   ".in-as.arpa" to them.  Thus the domain name corresponding to
   Autonomous System 69, which is 0045 hex, is 5.4.0.0.in-as.arpa.

   All of *.in-as.arpa could be handled as one zone or parts of it
   carved out as subzones as administrative convenience dictates.

   [I chose .arpa as that seems to follow the in-addr model and A.S.
   numbers originated in the IPv4 world.]


3. Meaning of RRs

   There are no enforceable restrictions on what resource records can
   be stored under *.in-as.arpa names; however, the following guidance
   is given for some RR types (the KEY RR is given first, then the rest
   in alphabetic order).

   KEY: This type of resource record associates a public key with the
        Autonomous System (A.S.) designated by its name.  Such a public
        key can be used to authenticate communications with or between
        A.S.s.  The existence of KEY RRs is the reason for mapping A.S.
        names into the DNS.
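   The section 2 mapping and the section 3 guidance on A and RP
   records, worked as an added Python example that is not part of this
   draft: it converts A.S. numbers to in-as.arpa names and back, and
   lints a constructed set of (owner, type, rdata) records.  The sample
   records and the lint_in_as_zone helper are assumptions of the
   example, and the KEY rdata is a placeholder because this draft does
   not specify its format.

```python
import re
from typing import Dict, Iterable, List, Set, Tuple

IN_AS_SUFFIX = "in-as.arpa"
# One hex digit per label, four labels, then the suffix; trailing root dot optional.
_AS_NAME_RE = re.compile(r"^([0-9a-f])\.([0-9a-f])\.([0-9a-f])\.([0-9a-f])\."
                         + re.escape(IN_AS_SUFFIX) + r"\.?$")

def as_to_name(asn: int) -> str:
    """Section 2: (1) four zero-padded hex digits, (2) reversed and dotted,
    (3) suffixed.  69 = 0x0045 -> 5.4.0.0.in-as.arpa"""
    if not 0 <= asn <= 0xFFFF:
        raise ValueError(f"A.S. numbers are 16 bit quantities, got {asn}")
    return ".".join(reversed(f"{asn:04x}")) + "." + IN_AS_SUFFIX

def name_to_as(name: str) -> int:
    """Inverse mapping; DNS names are case-insensitive, so upper-case hex is accepted."""
    m = _AS_NAME_RE.match(name.lower())
    if m is None:
        raise ValueError(f"not an A.S. node name: {name!r}")
    return int("".join(reversed(m.groups())), 16)

def lint_in_as_zone(records: Iterable[Tuple[str, str, str]]) -> List[str]:
    """Check (owner, type, rdata) triples against the section 3 guidance: no type A
    RR at an A.S. node, and an RP RR under each A.S. name.  Inferior names (below
    an A.S. node) have no assigned meaning and are skipped."""
    types_by_owner: Dict[str, Set[str]] = {}
    for owner, rtype, _rdata in records:
        if _AS_NAME_RE.match(owner.lower()):
            types_by_owner.setdefault(owner.lower(), set()).add(rtype.upper())
    problems = []
    for owner, types in sorted(types_by_owner.items()):
        asn = name_to_as(owner)
        if "A" in types:
            problems.append(f"AS{asn} ({owner}): type A RR at an A.S. node is not allowed")
        if "RP" not in types:
            problems.append(f"AS{asn} ({owner}): no RP RR naming a responsible person")
    return problems

# Constructed sample records (not from the draft): AS69 follows the guidance,
# AS70 = 0x0046 carries an A RR and lacks an RP.  KEY rdata is a placeholder.
SAMPLE_RECORDS = [
    ("5.4.0.0.in-as.arpa", "KEY", "<KEY rdata per draft-ietf-dnssec-secext-*.txt>"),
    ("5.4.0.0.in-as.arpa", "PTR", "example.net."),
    ("5.4.0.0.in-as.arpa", "RP", "hostmaster.example.net. ops.example.net."),
    ("6.4.0.0.in-as.arpa", "KEY", "<KEY rdata per draft-ietf-dnssec-secext-*.txt>"),
    ("6.4.0.0.in-as.arpa", "A", "192.0.2.1"),
]
```

   Calling lint_in_as_zone(SAMPLE_RECORDS) reports nothing for AS69 and
   two problems for AS70, one for the forbidden A RR and one for the
   missing RP RR.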
        Under DNS security as proposed in draft-ietf-dnssec-secext-*.txt
        the KEY RR can be used to store any type of digital key.

   A:   DO NOT place type A RRs at A.S. nodes.  A.S. domain names are
        reserved for Autonomous Systems only and should NEVER be used
        for a host or any type of end entity other than an Autonomous
        System.

   CNAME: This type of RR is an alias pointing to another domain name.
        An A.S. could have a CNAME pointing to a different A.S. but this
        is not likely to be very useful as A.S. RRs will normally be
        looked up when the A.S. number is actually encountered in use.

   MX:  There is no designated use for an MX RR for an A.S. name.  It
        could point to a host that would accept mail related to that
        A.S.

   NS:  The presence of NS records under an in-as.arpa name means that
        it has been carved out as a subzone.  This gives the A.S.
        complete control over the zone refresh parameters and control
        over the creation of inferior names.  No special meaning is
        currently assigned to such inferior names so, although this is
        not advised, they could be used for hosts or whatever.

   PTR: The part of the forward domain tree that administratively
        corresponds to the A.S. should be indicated by a PTR RR.  If
        some entity, say example.net, has several A.S.s, there would be
        PTRs to example.net from several names in the in-as.arpa
        hierarchy.

   RP:  A Responsible Person RR should appear under each A.S. name
        telling you who you should contact in the case of problems with
        that A.S.

   TXT: Text RRs can be used for comments, postal address, or similar
        notes under an A.S. name.


4. Security Considerations

   The entirety of this document concerns a means to map Internet
   Autonomous System numbers into the Domain Name System (DNS) so that
   secure DNS can be used to provide secure distribution of Autonomous
   Systems' public keys.


References

   [RFC904]  - Exterior Gateway Protocol Formal Specification, D. L.
               Mills

   [RFC1034] - Domain Names - Concepts and Facilities, P. Mockapetris,
               November 1987

   [RFC1035] - Domain Names - Implementation and Specifications,
               P. Mockapetris


Author's Address

   Donald E. Eastlake 3rd
   Digital Equipment Corporation
   550 King Street, LKG2-1/BB3
   Littleton, MA 01460

   Telephone:   +1 508 486 6577 (w)
                +1 508 287 4877 (h)
   EMail:       dee@lkg.dec.com


Expiration and File Name

   This draft expires 20 May 1995.  Its file name is
   draft-ietf-dnssec-as-map-01.txt.