 123 Mission Street|Suite 1020|San Francisco, CA|94105 415-378-9580|
info@domainpolicy.org
DOMAIN POLICY FRAMEWORK (DPF)
INITIAL SPECIFICATION

Version 1.3 – Updated May 11th, 2012

The Domain Policy Framework (DPF) is intended to be the primary mechanism by which high-security domains communicate the policies of various subdomains to the end-user's client software. DPF will utilize the DNS system to publish trustworthy information about high security domains, and while HTTP and SMTP are intended to be the first protocols targeted for DPF, the framework should be extensible enough to support future applications.

REQUIREMENTS

• Compatible with relevant DNS RFCs
• Human readable syntax
• High-performance in real-world use
  o Cacheable
  o Able to be side-loaded during initial DNS request
  o Uses smallest possible record size
• Compatible with DMARC for specifying mail source verification
• Deployment by registries should not require an ICANN RSTEP request
• Policy is controlled by the registry, not (directly) by the domain holder
• Compatible with DNSSEC and NSEC3
• Robust in likely scenarios of DNSSEC failures
• Expansible without breaking backwards compatibility or requiring multiple records of multiple versions

ARCHITECTURE

DPF records will be stored in new, reserved zones under the control of participating TLDs. For a domain of pattern domain.tld, the domain policy would be stored as a TXT record for domain._policy.tld. For the example domain of www.bank.secure, the DPF record would be stored under www.bank._policy.secure. A DPF aware client would parse the URI and look up the TLD in its built-in base DPF database (discussed below). Any TLD with an entry would cause the client to make two parallel DNS requests, one for the host and one for the policy. The use of this structure should ensure that DPF TXT records are appropriately cached throughout the DNS system in parallel to their associated host records.

ICANN restricts the placement of extra records in gTLD zone files. The use of the _policy second-level domain allows for the deployment of DPF without ICANN's permission. It also encourages TLD registries to use alternate DNS secondaries to publish the _policy zone, eliminating any load or stability risk to the TLD that could be posed by DPF.
 
SYNTAX

The DPF syntax is similar to the syntax of DKIM. A properly formatted DPF record will contain a list of name-value pairs bonded by the ASCII = sign. The pairs will be separated by semi-colons with an optional trailing whitespace. For example, the content of the TXT record could look like this:

name1=value1;name2=value2; name3=value3;

Note the optional space between the second and third pairs, and the semi-colon behind the final pair.

All of the characters in the name fields and the separating characters will be encoded as 7-bit ASCII. Except for the organization identification field, all of the characters in the value field will be 7-bit ASCII. Interpretation of all fields should be case insensitive, although the case of characters in free text fields should be honored in situations where the value is displayed to a user.

The pairs can be in any order with the exception of the initial pair, and the implementation of any tokenizing algorithm should be insensitive to the order of values. The DPF record will always begin with a version field, like so:

DPFv=1

All names will be comprised of up to eight consecutive alphanumeric characters. Values can fall into four types:

• Booleans: Encoded as a 1 for TRUE and 0 for FALSE. No other values are valid in a Boolean.
• Integers: A 32 bit unsigned integer value between 0 and 2^32-1, expressed in BASE 10 using ASCII Arabic numerals.
• BASE64 Encoded:
• Free Text Fields: Free text delimited by ASCII double quote characters. This text field can contain upper-case alphabetical, lower-case alphabetical and numeric characters. Special characters allowed include space and underscore. [ed. Need an I18N solution here, perhaps using BASE64]

DPF ENTRIES

A name-value pair where the value is of the Boolean or Integer type is also known as a DPF entry. The complete list of DPF entries published by a domain is called a DPF policy. Each DPF entry should correspond to a single security action that can be taken by a DPF client. DPF entries should generally stand alone and not require context from other entries to aid interpretation.
 
Entriescouldexistformanytypesofprotocols,andsuchentriescanbemixedtogetherinsharedpolicies.Clientsshouldignoreanyentriesthattheydonotunderstand,andcontinuetoimplementtheentriestheydounderstand.DPFversionswillbeiterative,andthemeaningofentrynamesassignedinpreviousversionsshouldnotbemodifiedbysubsequentversions.MostentriesshouldbeencodedasBooleansorIntegers.Integerentriesshouldincreaseinvalueastheexpectedsecuritybenefitincreases.Insituationswherefutureintermediatevaluesmaybenecessary,itisappropriatetoreservevaluesforfutureuse.BooleanTRUEvaluesshouldbemoresecurethanFALSEvalues.Table1–NetworkandIdentityEntries
EntryNameValueTypeDescriptionExamples
DPFV Integer
DPFversion.DPFv=1:DPFversion1
DNSSEC Integer
LevelofDNSSECverificationrequiredtoconnecttoahostinthisdomain.ThisvaluewillhavethemostuseasabaseentryincludedinaDPFclient.DNSSEC=0:Zonenotsigned,allowforDPFupdatesusingunsignedrecords.DNSSEC=1:Zoneissigned.UponfailureofDNSSECverification,retrywithbuiltinresolver.AllowforinsecureDPFandallowconnectiontoproceed.DNSSEC=2:Zoneissigned,attempttore-request.DonotallowforinsecureDPF,allowforconnectiontoproceed.DNSSEC=3:Zoneissigned,attempttore-request.DonotallowforinsecureDPF,donotallowforconnectionafterDNSSECfailure.
ORG Text
Atextfieldcontainingtheverifiedidentityofthedomainowner.ThiswillneedtosupportI18Nandalternatecharactersets.ORG=”BigBankN.A.”
ORGV Integer
Thelevelofverificationperformedbytheregistryontheorganizationsidentity.Highervaluesindicateagreaterlevelofverification.ThisvalueshouldbesurfacedbytheDPFclienttotheend-userviasomeUXmechanism.Detailedstandardsforthismetricwillneedtobeset.ORGV=0:Noverificationperformed.Self-identified.ORGV=2:PersonalidentificationofaindividualORGV=5:Strongenterpriseverification,equivalentorbetterthanExtendedValidationCertificates.
CTL Text
Acertificatetrustlistcomprisedofcomma-separatedentriesofBASE64encodedhashesoftrustedcertificateauthoritiestosigncertificatesinthisdomain.Thehashshouldbeproceededbyahashtype,suchasSHA1,MD5orSHA256.CTL=””:Usebuilt-inCAlistCTL=”SHA256:VH58GDSF…”:Restrictcertificatevalidationtochainsendinginthisroot.