diff --git a/.circleci/config.yml b/.circleci/config.yml
new file mode 100644
index 0000000..bd1e77c
--- /dev/null
+++ b/.circleci/config.yml
@@ -0,0 +1,101 @@
+version: 2
+jobs:
+ build:
+ docker:
+ - image: martinthomson/i-d-template:latest
+ resource_class: small
+ working_directory: ~/draft
+
+ steps:
+ - run:
+ name: "Print Configuration"
+ command: |
+ xml2rfc --version
+ gem list -q kramdown-rfc
+ echo -n 'mmark '; mmark --version
+
+ - restore_cache:
+ name: "Restoring cache - Git"
+ keys:
+ - v2-cache-git-{{ .Branch }}-{{ .Revision }}
+ - v2-cache-git-{{ .Branch }}
+ - v2-cache-git-
+
+ - restore_cache:
+ name: "Restoring cache - References"
+ keys:
+ - v1-cache-references-{{ epoch }}
+ - v1-cache-references-
+
+ # Workaround for https://discuss.circleci.com/t/22437
+ - run:
+ name: Tag Checkout
+ command: |
+ if [ -n "$CIRCLE_TAG" ] && [ -d .git ]; then
+ remote=$(echo "$CIRCLE_REPOSITORY_URL" | \
+ sed -e 's,/^git.github.com:,https://github.com/,')
+ git fetch -f "$remote" "refs/tags/$CIRCLE_TAG:refs/tags/$CIRCLE_TAG" || \
+ (echo 'Removing .git cache for tag build'; rm -rf .git)
+ fi
+
+ - checkout
+
+ # Build txt and html versions of drafts
+ - run:
+ name: "Build Drafts"
+ command: make
+
+ # Update editor's copy on gh-pages
+ - run:
+ name: "Update GitHub Pages"
+ command: |
+ if [ "${CIRCLE_TAG#draft-}" == "$CIRCLE_TAG" ]; then
+ make gh-pages
+ fi
+
+ # For tagged builds, upload to the datatracker.
+ - deploy:
+ name: "Upload to Datatracker"
+ command: |
+ if [ "${CIRCLE_TAG#draft-}" != "$CIRCLE_TAG" ]; then
+ make upload
+ fi
+
+ # Archive GitHub Issues
+ - run:
+ name: "Archive GitHub Issues"
+ command: "make archive || make archive DISABLE_ARCHIVE_FETCH=true && make gh-archive"
+
+ # Create and store artifacts
+ - run:
+ name: "Create Artifacts"
+ command: "make artifacts CI_ARTIFACTS=/tmp/artifacts"
+
+ - store_artifacts:
+ path: /tmp/artifacts
+
+ - run:
+ name: "Prepare for Caching"
+ command: "git reflog expire --expire=now --all && git gc --prune=now"
+
+ - save_cache:
+ name: "Saving Cache - Git"
+ key: v2-cache-git-{{ .Branch }}-{{ .Revision }}
+ paths:
+ - ~/draft/.git
+
+ - save_cache:
+ name: "Saving Cache - Drafts"
+ key: v1-cache-references-{{ epoch }}
+ paths:
+ - ~/.cache/xml2rfc
+
+
+workflows:
+ version: 2
+ build:
+ jobs:
+ - build:
+ filters:
+ tags:
+ only: /.*?/
diff --git a/.editorconfig b/.editorconfig
new file mode 100644
index 0000000..8682023
--- /dev/null
+++ b/.editorconfig
@@ -0,0 +1,8 @@
+# See http://editorconfig.org
+
+root = true
+
+[*.{md,xml,org}]
+charset = utf-8
+insert_final_newline = true
+trim_trailing_whitespace = true
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
new file mode 100644
index 0000000..4052611
--- /dev/null
+++ b/.github/CODEOWNERS
@@ -0,0 +1,5 @@
+# Automatically generated CODEOWNERS
+# Regenerate with `make update-codeowners`
+draft-dnsop-deleg.md ietf@tapril.net pspacek@isc.org rweber@akamai.com tale@dd.org
+draft-dnsop-deleg-dnssec.md ietf@tapril.net pspacek@isc.org rweber@akamai.com tale@dd.org
+draft-dnsop-deleg-transport.md ietf@tapril.net pspacek@isc.org rweber@akamai.com tale@dd.org
diff --git a/.github/workflows/archive.yml b/.github/workflows/archive.yml
new file mode 100644
index 0000000..605b642
--- /dev/null
+++ b/.github/workflows/archive.yml
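Review bot: The `- image: martinthomson/i-d-template:latest` line makes every build depend on whatever that mutable tag resolves to at run time, and the same image runs the tag-triggered `make upload` deploy step, so a change in the image changes what gets published without any change in this repository; pinning by digest (`image: martinthomson/i-d-template@sha256:<digest>`, placeholder) keeps the build reproducible. Separately, the `sed -e 's,/^git.github.com:,https://github.com/,'` pattern in the Tag Checkout step starts with a literal `/` ahead of the `^` anchor, so as written it does not appear able to rewrite a `git@github.com:` remote into an https URL; if that rewrite is the intent, `s,^git.github.com:,https://github.com/,` would do it, and if CIRCLE_REPOSITORY_URL is always https already the substitution is dead and could be dropped.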
@@ -0,0 +1,42 @@
+name: "Archive Issues and Pull Requests"
+
+on:
+ schedule:
+ - cron: '0 0 * * 0,2,4'
+ repository_dispatch:
+ types: [archive]
+ workflow_dispatch:
+ inputs:
+ archive_full:
+ description: 'Recreate the archive from scratch'
+ default: false
+ type: boolean
+
+jobs:
+ build:
+ name: "Archive Issues and Pull Requests"
+ runs-on: ubuntu-latest
+ steps:
+ - name: "Checkout"
+ uses: actions/checkout@v2
+
+ # Note: No caching for this build!
+
+ - name: "Update Archive"
+ uses: martinthomson/i-d-template@v1
+ env:
+ ARCHIVE_FULL: ${{ inputs.archive_full }}
+ with:
+ make: archive
+ token: ${{ github.token }}
+
+ - name: "Update GitHub Pages"
+ uses: martinthomson/i-d-template@v1
+ with:
+ make: gh-archive
+ token: ${{ github.token }}
+
+ - name: "Save Archive"
+ uses: actions/upload-artifact@v3
+ with:
+ path: archive.json
diff --git a/.github/workflows/ghpages.yml b/.github/workflows/ghpages.yml
new file mode 100644
index 0000000..a26b9db
--- /dev/null
+++ b/.github/workflows/ghpages.yml
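Review bot: The two `uses: martinthomson/i-d-template@v1` steps hand `token: ${{ github.token }}` to an action referenced only by a mutable major-version tag, so whatever `v1` points to at run time executes with this repository's token; pinning to a full commit SHA (`uses: martinthomson/i-d-template@<commit-sha>  # v1`, placeholder) is the usual hardening, and the same applies to the i-d-template steps in ghpages.yml, publish.yml and update.yml. The workflow also declares no `permissions:` block even though the `make: gh-archive` step presumably pushes to the pages branch, so the job silently depends on the repository's default token scope; a top-level `permissions: contents: write` would state the requirement and fail loudly if the default is ever tightened. `actions/checkout@v2` here (and in update.yml) is also behind the `@v3` used in ghpages.yml and publish.yml.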
@@ -0,0 +1,58 @@
+name: "Update Editor's Copy"
+
+on:
+ push:
+ paths-ignore:
+ - README.md
+ - CONTRIBUTING.md
+ - LICENSE.md
+ - .gitignore
+ pull_request:
+ paths-ignore:
+ - README.md
+ - CONTRIBUTING.md
+ - LICENSE.md
+ - .gitignore
+
+jobs:
+ build:
+ name: "Update Editor's Copy"
+ runs-on: ubuntu-latest
+ steps:
+ - name: "Checkout"
+ uses: actions/checkout@v3
+
+ - name: "Setup"
+ id: setup
+ run: date -u "+date=%FT%T" >>"$GITHUB_OUTPUT"
+
+ - name: "Caching"
+ uses: actions/cache@v3
+ with:
+ path: |
+ .refcache
+ .venv
+ .gems
+ node_modules
+ .targets.mk
+ key: i-d-${{ steps.setup.outputs.date }}
+ restore-keys: i-d-
+
+ - name: "Build Drafts"
+ uses: martinthomson/i-d-template@v1
+ with:
+ token: ${{ github.token }}
+
+ - name: "Update GitHub Pages"
+ uses: martinthomson/i-d-template@v1
+ if: ${{ github.event_name == 'push' }}
+ with:
+ make: gh-pages
+ token: ${{ github.token }}
+
+ - name: "Archive Built Drafts"
+ uses: actions/upload-artifact@v3
+ with:
+ path: |
+ draft-*.html
+ draft-*.txt
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
new file mode 100644
index 0000000..8e01218
--- /dev/null
+++ b/.github/workflows/publish.yml
@@ -0,0 +1,49 @@
+name: "Publish New Draft Version"
+
+on:
+ push:
+ tags:
+ - "draft-*"
+
+jobs:
+ build:
+ name: "Publish New Draft Version"
+ runs-on: ubuntu-latest
+ steps:
+ - name: "Checkout"
+ uses: actions/checkout@v3
+
+ # See https://github.com/actions/checkout/issues/290
+ - name: "Get Tag Annotations"
+ run: git fetch -f origin ${{ github.ref }}:${{ github.ref }}
+
+ - name: "Setup"
+ id: setup
+ run: date -u "+date=%FT%T" >>"$GITHUB_OUTPUT"
+
+ - name: "Caching"
+ uses: actions/cache@v3
+ with:
+ path: |
+ .refcache
+ .venv
+ .gems
+ node_modules
+ .targets.mk
+ key: i-d-${{ steps.setup.outputs.date }}
+ restore-keys: i-d-
+
+ - name: "Build Drafts"
+ uses: martinthomson/i-d-template@v1
+ with:
+ token: ${{ github.token }}
+
+ - name: "Upload to Datatracker"
+ uses: martinthomson/i-d-template@v1
+ with:
+ make: upload
+
+ - name: "Archive Submitted Drafts"
+ uses: actions/upload-artifact@v3
+ with:
+ path: "versioned/draft-*-[0-9][0-9].*"
diff --git a/.github/workflows/update.yml b/.github/workflows/update.yml
new file mode 100644
index 0000000..7a67007
--- /dev/null
+++ b/.github/workflows/update.yml
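Review bot: The `run: git fetch -f origin ${{ github.ref }}:${{ github.ref }}` line in the Get Tag Annotations step expands the ref name straight into the shell command; git ref names may contain shell-significant characters, and GitHub's documented pattern is to pass such values through `env:` and quote them, e.g. `env: { TAG_REF: "${{ github.ref }}" }` on the step and `run: git fetch -f origin "$TAG_REF:$TAG_REF"`. Only someone able to push a `draft-*` tag reaches this path, so the exposure is limited, but that same tag push also drives the unattended `make: upload` to the Datatracker with no `permissions:` block and no `environment:` around it; declaring `permissions: contents: read` (if the upload step does not push) and, if the project wants a human gate before submission, an `environment:` with required reviewers would make the publishing boundary explicit.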
@@ -0,0 +1,36 @@ +name: "Update Generated Files" +# This rule is not run automatically. +# It can be run manually to update all of the files that are part +# of the template, specifically: +# - README.md +# - CONTRIBUTING.md +# - .note.xml +# - .github/CODEOWNERS +# - Makefile +# +# +# This might be useful if you have: +# - added, removed, or renamed drafts (including after adoption) +# - added, removed, or changed draft editors +# - changed the title of drafts +# +# Note that this removes any customizations you have made to +# the affected files. +on: workflow_dispatch + +jobs: + build: + name: "Update Files" + runs-on: ubuntu-latest + steps: + - name: "Checkout" + uses: actions/checkout@v2 + + - name: "Update Generated Files" + uses: martinthomson/i-d-template@v1 + with: + make: update-files + token: ${{ github.token }} + + - name: "Push Update" + run: git push diff --git a/.gitignore b/.gitignore index 847c954..052ad21 100644 --- a/.gitignore +++ b/.gitignore @@ -5,12 +5,21 @@ *.txt *.upload *~ -.refcache .tags -.targets.mk /*-[0-9][0-9].xml +/.gems/ +/.refcache +/.targets.mk +/.venv/ +/.vscode/ +/lib +/node_modules/ +/versioned/ +Gemfile.lock archive.json -report.xml -venv/ -lib +draft-dnsop-deleg-dnssec.xml +draft-dnsop-deleg-transport.xml draft-dnsop-deleg.xml +package-lock.json +report.xml +!requirements.txt diff --git a/.note.xml b/.note.xml new file mode 100644 index 0000000..844dbe3 --- /dev/null +++ b/.note.xml @@ -0,0 +1,4 @@ + +Source for this draft and an issue tracker can be found at + . + diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index a5b7976..950e482 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
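Review bot: The `run: git push` step in Push Update works only because the token that `actions/checkout@v2` persists in the git config by default has write access, which is a property of the repository's default `GITHUB_TOKEN` scope rather than anything declared in this file; adding `permissions: contents: write` at the workflow level makes the requirement explicit and survives a later tightening of the default. The header comment says the run overwrites README.md, CONTRIBUTING.md, .note.xml, CODEOWNERS and the Makefile, so that write scope is real and worth stating. `actions/checkout@v2` is also behind the `@v3` used in ghpages.yml and publish.yml, and the `martinthomson/i-d-template@v1` step would benefit from the same commit-SHA pinning as its siblings.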
@@ -15,17 +15,3 @@ repository constitutes Contributions to the IETF Standards Process You agree to comply with all applicable IETF policies and procedures, including, BCP 78, 79, the TLP, and the TLP rules regarding code components (e.g. being subject to a Simplified BSD License) in Contributions. - - -## Other Resources - -Discussion of this work occurs on the -[dnsop working group mailing list](https://mailarchive.ietf.org/arch/browse/dnsop/) -([subscribe](https://www.ietf.org/mailman/listinfo/dnsop)). In addition to -contributions in GitHub, you are encouraged to participate in discussions there. - -**Note**: Some working groups adopt a policy whereby substantive discussion of -technical issues needs to occur on the mailing list. - -You might also like to familiarize yourself with other -[working group documents](https://datatracker.ietf.org/wg/ns2/documents/). diff --git a/LICENSE.md b/LICENSE.md index de938b9..22431d8 100644 --- a/LICENSE.md +++ b/LICENSE.md @@ -1,4 +1,4 @@ # License See the -[guidelines for contributions](https://github.com/fl1ger/deleg/blob/master/CONTRIBUTING.md). +[guidelines for contributions](https://github.com/fl1ger/deleg/blob/main/CONTRIBUTING.md). diff --git a/README.md b/README.md index 79196bc..1702ac0 100644 --- a/README.md +++ b/README.md 
@@ -1,20 +1,46 @@ -# Extensible Delegation for DNS +# DELEG Drafts -This is the working area for the Internet-Draft, "Extensible Delegation for DNS". +This is the working area for individual Internet-Drafts. -## Building the Draft +## Extensible Delegation for DNS -Formatted text and HTML versions of the draft can be built using `make`. +* [Editor's Copy](https://fl1ger.github.io/deleg/#go.draft-dnsop-deleg.html) +* [Datatracker Page](https://datatracker.ietf.org/doc/draft-dnsop-deleg) +* [Individual Draft](https://datatracker.ietf.org/doc/html/draft-dnsop-deleg) +* [Compare Editor's Copy to Individual Draft](https://fl1ger.github.io/deleg/#go.draft-dnsop-deleg.diff) -```sh -$ make -``` +## Extensible Delegation for DNS -- trust anchor side-loading + +* [Editor's Copy](https://fl1ger.github.io/deleg/#go.draft-dnsop-deleg-dnssec.html) +* [Datatracker Page](https://datatracker.ietf.org/doc/draft-dnsop-deleg-dnssec) +* [Individual Draft](https://datatracker.ietf.org/doc/html/draft-dnsop-deleg-dnssec) +* [Compare Editor's Copy to Individual Draft](https://fl1ger.github.io/deleg/#go.draft-dnsop-deleg-dnssec.diff) -This requires that you have the necessary software installed. See -[the instructions](https://github.com/martinthomson/i-d-template/blob/master/doc/SETUP.md). +## Extensible Delegation for DNS + +* [Editor's Copy](https://fl1ger.github.io/deleg/#go.draft-dnsop-deleg-transport.html) +* [Datatracker Page](https://datatracker.ietf.org/doc/draft-dnsop-deleg-transport) +* [Individual Draft](https://datatracker.ietf.org/doc/html/draft-dnsop-deleg-transport) +* [Compare Editor's Copy to Individual Draft](https://fl1ger.github.io/deleg/#go.draft-dnsop-deleg-transport.diff) ## Contributing See the -[guidelines for contributions](https://github.com/fl1ger/deleg/blob/master/CONTRIBUTING.md). +[guidelines for contributions](https://github.com/fl1ger/deleg/blob/main/CONTRIBUTING.md). + +Contributions can be made by creating pull requests. 
+The GitHub interface supports creating pull requests using the Edit (✏) button. + + +## Command Line Usage + +Formatted text and HTML versions of the draft can be built using `make`. + +```sh +$ make +``` + +Command line usage requires that you have the necessary software installed. See +[the instructions](https://github.com/martinthomson/i-d-template/blob/main/doc/SETUP.md). + diff --git a/draft-dnsop-deleg-dnssec.md b/draft-dnsop-deleg-dnssec.md index 5d1d70e..0554789 100644 --- a/draft-dnsop-deleg-dnssec.md +++ b/draft-dnsop-deleg-dnssec.md @@ -1,6 +1,6 @@ --- title: Extensible Delegation for DNS -- trust anchor side-loading -abbrev: DELEG +abbrev: DELEG DNSSEC docname: draft-dnsop-deleg-dnssec-latest date: {DATE} category: std @@ -188,7 +188,7 @@ DNSSEC chain of trust provided by the "sharedds" parameter will be taken into ac # DNSSEC and DELEG {#dnssec} TODO: Should DS at parent serve as fallback if the SVCB does not have sharedds=? What if there is DS at the parent side and sharedds= in the SVCB? -If there are any DS records on the same name as a DELEG record, ... +If there are any DS records on the same name as a DELEG record, ... When using the "sharedds" SvcParamKey, each DELEG record MAY indicate different DS contents. This allows delegation of a zone to multiple signers with different DNSKEYs, and allows those configurations to change independently. Note that a zone is only as secure as its least secure "sharedds" SvcParam. diff --git a/draft-dnsop-deleg-transport.md b/draft-dnsop-deleg-transport.md index 25a167e..47e69f7 100644 --- a/draft-dnsop-deleg-transport.md +++ b/draft-dnsop-deleg-transport.md @@ -1,6 +1,6 @@ --- -title: Extensible Delegation for DNS -abbrev: DELEG +title: Extensible Delegation for DNS -- Transport +abbrev: DELEG Transport docname: draft-dnsop-deleg-transport-latest date: {DATE} category: std 
@@ -11,7 +11,7 @@ area: Internet category: info keyword: Internet-Draft -stand_alone: no +stand_alone: yes pi: [toc, sortrefs, symrefs] author: @@ -165,7 +165,7 @@ The primary goal of transport specification in DELEG records is to provide zone ### SvcParams -All SvcParamKeys for the "dns" scheme {{?9461}} apply as specified. These are the "transport parameters", describing how to reach an endpoint. +All SvcParamKeys for the "dns" scheme {{?RFC9461}} apply as specified. These are the "transport parameters", describing how to reach an endpoint. The "alpn" transport parameter is OPTIONAL to include (unlike in SVCB-DNS, where it is generally required). If the "alpn" SvcParamKey is omitted, the only available transport is presumed to be unencrypted DNS over UDP/TCP port 53. Endpoints can indicate that insecure transport is not available by specifying "mandatory=alpn". diff --git a/draft-dnsop-deleg.md b/draft-dnsop-deleg.md index 51cb5e8..c6aa655 100644 --- a/draft-dnsop-deleg.md +++ b/draft-dnsop-deleg.md @@ -176,7 +176,7 @@ Later sections of this document will go into more detail on the resolution proce ## Goal of the DELEG record -The primary goal of the DELEG records is to provide zone owners a method to signal capabilities to clients how to connect and validate a subdomain. This method coexists with NS records in the same zone. +The primary goal of the DELEG records is to provide zone owners a method to signal capabilities to clients how to connect and validate a subdomain. This method coexists with NS records in the same zone. The DELEG record is authoritative in the parent zone and, if signed, has to be signed with the key of the parent zone. The target of an alias record is an SVCB record that exists and can be signed in the zone it is pointed at, including the child zone. 
@@ -184,7 +184,7 @@ The DELEG record is authoritative in the parent zone and, if signed, has to be s While DNSSEC is RECOMMENDED, unsigned DELEG records may be retrieved in a secure way from trusted, Privacy-enabling DNS servers using encrypted transports. -FOR DISCUSSION: This will lead to cyclical dependencies. A DELEG record can introduce a secure way to communicate with trusted, Privacy-enabling DNS servers. For that, it needs to be DNSSEC signed. +FOR DISCUSSION: This will lead to cyclical dependencies. A DELEG record can introduce a secure way to communicate with trusted, Privacy-enabling DNS servers. For that, it needs to be DNSSEC signed. ### Preventing downgrade attacks @@ -192,9 +192,9 @@ A flag in the DNSKEY record is used as a backwards compatible, secure signal to Without this secure signal an on-path adversary can remove DELEG records and its RRsig from a response and effectively downgrade this to a legacy DNSSEC signed response. -## Facilities +## Facilities -The DELEG record is extensible in such a way that future innovations in the domain name system, such as new methods of secure transport, message encoding, error reporting, etc, does not depend on a re-design of the DNS. +The DELEG record is extensible in such a way that future innovations in the domain name system, such as new methods of secure transport, message encoding, error reporting, etc, does not depend on a re-design of the DNS. # DELEG Record Type 
@@ -296,7 +296,7 @@ This document introduces the concept of signaling capabilities to clients on how A DELEG RRset MAY be present at a delegation point. The DELEG RRset MAY contain multiple records. DELEG RRsets MUST NOT appear at a zone's apex. -A DELEG RRset MAY be present with or without NS or DS RRsets at the delegation point. +A DELEG RRset MAY be present with or without NS or DS RRsets at the delegation point. Construction of a DELEG RR requires knowledge which implies communication between the operators of the child and parent zones. This communication is an operational matter not covered by this document. @@ -313,7 +313,7 @@ If a signed zone contains DELEG records, the zone MUST be signed with a DNSKEY t If a DELEG RRset is present at the delegation point, the name server MUST return both the DELEG RRset and its associated RRSIG RR in the Authority section along with the DS RRset and its associated RRSIG RR and the NS RRset. -If no DELEG RRset is present at the delegation point, and the zone was signed with a DNSKEY that has the DELEG flag set, the name server MUST return the NSEC or NSEC3 RR that proves that the DELEG RRset is not present including its associated RRSIG RR along with the DS RRset and its associated RRSIG RR if present and the NS RRset, if present. +If no DELEG RRset is present at the delegation point, and the zone was signed with a DNSKEY that has the DELEG flag set, the name server MUST return the NSEC or NSEC3 RR that proves that the DELEG RRset is not present including its associated RRSIG RR along with the DS RRset and its associated RRSIG RR if present and the NS RRset, if present. Including these DELEG, DS, NSEC or NSEC3, and RRSIG RRs increases the size of referral messages. If space does not permit inclusion of these records, including glue address records, the name server MUST set the TC bit on the response. 
@@ -355,7 +355,7 @@ TODO: Fill this section out ## Resolution Procedure -An example of a simplified DNS interaction after priming. This is a query for www.example.com type AAAA with DELEG-aware com and example.com authoritative servers. +An example of a simplified DNS interaction after priming. This is a query for www.example.com type AAAA with DELEG-aware com and example.com authoritative servers. * Ask www.example.com qtype AAAA to a.root-servers.net the answer is: Answer section: (empty) @@ -402,7 +402,7 @@ Further details about the specific testing methodology, please see test-plan. # Acknowledgments {:unnumbered} -This document is heavily based on past work done by Tim April in +This document is heavily based on past work done by Tim April in {{?I-D.tapril-ns2}} and thus extends the thanks to the people helping on this which are: John Levine, Erik Nygren, Jon Reed, Ben Kaduk, Mashooq Muhaimen, Jason Moreau, Jerrod Wiesman, Billy Tiemann, Gordon Marx and Brian Wellington.