Domain Policy Framework Initial Specification

Published by alexstamos on May 11, 2012
Copyright: Attribution Non-commercial No-derivs

123 Mission Street | Suite 1020 | San Francisco, CA | 94105 | 415-378-9580 | info@domainpolicy.org

DOMAIN POLICY FRAMEWORK (DPF) INITIAL SPECIFICATION
Version 1.3 – Updated May 11th, 2012

The Domain Policy Framework (DPF) is intended to be the primary mechanism by which high-security domains communicate the policies of various subdomains to the end-user's client software. DPF will utilize the DNS system to publish trustworthy information about high-security domains, and while HTTP and SMTP are intended to be the first protocols targeted for DPF, the framework should be extensible enough to support future applications.
REQUIREMENTS

- Compatible with relevant DNS RFCs
- Human readable syntax
- High-performance in real-world use
  o Cacheable
  o Able to be side-loaded during initial DNS request
  o Uses smallest possible record size
- Compatible with DMARC for specifying mail source verification
- Deployment by registries should not require an ICANN RSTEP request
- Policy is controlled by the registry, not (directly) by the domain holder
- Compatible with DNSSEC and NSEC3
- Robust in likely scenarios of DNSSEC failures
- Expansible without breaking backwards compatibility or requiring multiple records of multiple versions
ARCHITECTURE

DPF records will be stored in new, reserved zones under the control of participating TLDs. For a domain of pattern domain.tld, the domain policy would be stored as a TXT record for domain._policy.tld. For the example domain of www.bank.secure, the DPF record would be stored under www.bank._policy.secure. A DPF-aware client would parse the URI and look up the TLD in its built-in base DPF database (discussed below). Any TLD with an entry would cause the client to make two parallel DNS requests, one for the host and one for the policy. The use of this structure should ensure that DPF TXT records are appropriately cached throughout the DNS system in parallel to their associated host records. ICANN restricts the placement of extra records in gTLD zone files. The use of the _policy second-level domain allows for the deployment of DPF without ICANN's permission. It also encourages TLD registries to use alternate DNS secondaries to publish the _policy zone, eliminating any load or stability risk to the TLD that could be posed by DPF.
 
SYNTAX

The DPF syntax is similar to the syntax of DKIM. A properly formatted DPF record will contain a list of name-value pairs bonded by the ASCII = sign. The pairs will be separated by semi-colons with optional trailing whitespace. For example, the content of the TXT record could look like this:

name1=value1;name2=value2; name3=value3;

Note the optional space between the second and third pairs, and the semi-colon behind the final pair. All of the characters in the name fields and the separating characters will be encoded as 7-bit ASCII. Except for the organization identification field, all of the characters in the value fields will be 7-bit ASCII. Interpretation of all fields should be case insensitive, although the case of characters in free text fields should be honored in situations where the value is displayed to a user. The pairs can be in any order with the exception of the initial pair, and the implementation of any tokenizing algorithm should be insensitive to the order of values. The DPF record will always begin with a version field, like so:

DPFv=1

All names will be comprised of up to eight consecutive alphanumeric characters. Values can fall into four types:
 
- Booleans: Encoded as a 1 for TRUE and 0 for FALSE. No other values are valid in a Boolean.
- Integers: A 32-bit unsigned integer value between 0 and 2^32-1, expressed in BASE10 using ASCII Arabic numerals.
- BASE64 Encoded:
- Free Text Fields: Free text delimited by ASCII double quote characters. This text field can contain upper-case alphabetical, lower-case alphabetical and numeric characters. Special characters allowed include space and underscore. [ed. Need an I18N solution here, perhaps using BASE64]
DPF ENTRIES

A name-value pair where the value is of the Boolean or Integer type is also known as a DPF entry. The complete list of DPF entries published by a domain is called a DPF policy. Each DPF entry should correspond to a single security action that can be taken by a DPF client. DPF entries should generally stand alone and not require context from other entries to aid interpretation.
 
Entriescouldexistformanytypesofprotocols,andsuchentriescanbemixedtogetherinsharedpolicies.Clientsshouldignoreanyentriesthattheydonotunderstand,andcontinuetoimplementtheentriestheydounderstand.DPFversionswillbeiterative,andthemeaningofentrynamesassignedinpreviousversionsshouldnotbemodifiedbysubsequentversions.MostentriesshouldbeencodedasBooleansorIntegers.Integerentriesshouldincreaseinvalueastheexpectedsecuritybenefitincreases.Insituationswherefutureintermediatevaluesmaybenecessary,itisappropriatetoreservevaluesforfutureuse.BooleanTRUEvaluesshouldbemoresecurethanFALSEvalues.Table1–NetworkandIdentityEntries
EntryNameValueTypeDescriptionExamples
DPFV Integer
DPFversion.DPFv=1:DPFversion1
DNSSEC Integer
LevelofDNSSECverificationrequiredtoconnecttoahostinthisdomain.ThisvaluewillhavethemostuseasabaseentryincludedinaDPFclient.DNSSEC=0:Zonenotsigned,allowforDPFupdatesusingunsignedrecords.DNSSEC=1:Zoneissigned.UponfailureofDNSSECverification,retrywithbuiltinresolver.AllowforinsecureDPFandallowconnectiontoproceed.DNSSEC=2:Zoneissigned,attempttore-request.DonotallowforinsecureDPF,allowforconnectiontoproceed.DNSSEC=3:Zoneissigned,attempttore-request.DonotallowforinsecureDPF,donotallowforconnectionafterDNSSECfailure.
ORG Text
Atextfieldcontainingtheverifiedidentityofthedomainowner.ThiswillneedtosupportI18Nandalternatecharactersets.ORG=”BigBankN.A.”
ORGV Integer
Thelevelofverificationperformedbytheregistryontheorganizationsidentity.Highervaluesindicateagreaterlevelofverification.ThisvalueshouldbesurfacedbytheDPFclienttotheend-userviasomeUXmechanism.Detailedstandardsforthismetricwillneedtobeset.ORGV=0:Noverificationperformed.Self-identified.ORGV=2:PersonalidentificationofaindividualORGV=5:Strongenterpriseverification,equivalentorbetterthanExtendedValidationCertificates.
CTL Text
Acertificatetrustlistcomprisedofcomma-separatedentriesofBASE64encodedhashesoftrustedcertificateauthoritiestosigncertificatesinthisdomain.Thehashshouldbeproceededbyahashtype,suchasSHA1,MD5orSHA256.CTL=””:Usebuilt-inCAlistCTL=”SHA256:VH58GDSF…”:Restrictcertificatevalidationtochainsendinginthisroot.
