Network Working Group                                         M. StJohns
Request for Comments: 5011                                   Independent
Category: Standards Track                                 September 2007

        Automated Updates of DNS Security (DNSSEC) Trust Anchors

Status of This Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements. Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol. Distribution of this memo is unlimited.

Abstract

   This document describes an authenticated and authorized method for
   automatically updating DNSSEC "trust anchors". The method can recover
   to a sound state when N-1 of the N keys present at a trust point have
   been compromised. Based on the trust established by the trust anchor
   currently in use, another trust anchor can first be added at the same
   place in the DNS name space hierarchy and can ultimately replace the
   existing trust anchor. This mechanism requires changes to resolver
   management behavior (but not to name resolution behavior) and the
   addition of a single flag bit to the DNSKEY record.

StJohns                     Standards Track                     [Page 1]
RFC 5011                  Trust Anchor Update             September 2007

Table of Contents

   1. Introduction
      1.1. Compliance Nomenclature
   2. Theory of Operation
      2.1. Revocation
      2.2. Add Hold-Down
      2.3. Active Refresh
      2.4. Resolver Parameters
           2.4.1. Add Hold-Down Time
           2.4.2. Remove Hold-Down Time
           2.4.3. Minimum Trust Anchors per Trust Point
   3. Changes to DNSKEY RDATA Wire Format
   4. State Table
      4.1. Events
      4.2. States
   5. Trust Point Deletion
   6. Scenarios (Informative)
      6.1. Adding a Trust Anchor
      6.2. Deleting a Trust Anchor
      6.3. Key Roll-Over
      6.4. Active Key Compromised
      6.5. Stand-by Key Compromised
      6.6. Trust Point Deletion
   7. IANA Considerations
   8. Security Considerations
      8.1. Key Ownership and Key Acceptance Policy
      8.2. Multiple Key Compromise
      8.3. Dynamic Updates
   9. Normative References
   10. Informative References

1.  Introduction

   Having looked at how the DNS Security Extensions (DNSSEC) [RFC4033]
   [RFC4034] [RFC4035] are being deployed and where deployment stands,
   the community has come to the following realization. In practice
   there will not be one single signed name space in the DNS tree.
   There will be islands of signed name space, each originating from a
   specific point (a "trust point"). Each of these islands is identified
   by its trust point name and is validated by at least one associated
   public key. In this document, a particular key associated with a
   trust point name is called a "trust anchor". A single trust point can
   have more than one trust anchor.

   For a DNSSEC-aware resolver to validate information in a branch of
   the DNSSEC-protected hierarchy (the DNS tree), it must know a trust
   anchor that applies to that branch. A trust point may also have more
   than one trust anchor. Under current rules, if a chain of trust
   exists from DNSSEC-protected data back to any known trust anchor, the
   data is considered "Secure" (validation succeeded: high trust).

   Because signing voids exist where keys that should be present are
   missing, DNSSEC subtrees are expected to proliferate for some time.
   In that case a resolver needs to know literally thousands of trust
   anchors to perform its duties (consider an unsigned ".COM"). Asking
   resolver operators to configure this information by hand would be
   problematic. It would become even more problematic if the work needed
   for key replacement or update were required for every trust anchor.
   The mechanism described in this document does not help with the
   initial configuration of trust anchors in a resolver, but it should
   make key replacement and rollover at a trust point more practical.

   As stated above, this document describes a method by which a resolver
   can update the trust anchors of any given trust point with almost no
   human intervention. Some exceptional cases that require human
   intervention (for example, the compromise of multiple keys) are
   discussed, but such cases are extremely rare. This document does not
   discuss the general problem of the initial configuration of trust
   anchors in a resolver.

1.1.  Compliance Nomenclature

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in BCP 14, [RFC 2119].

2.  Theory of Operation

   The general concept of this mechanism is that, at a given trust point
   in the DNS hierarchy, existing trust anchors can be used to
   authenticate new trust anchors. When a zone administrator adds a new
   SEP key (a DNSKEY with the SEP bit set; see [RFC4034], Section 2.1.1)
   to the trust point's DNSKEY RRset, and that RRset can be validated by
   an existing trust anchor, the resolver can add the new key as a valid
   trust anchor for that trust point.

   This approach has several issues that need to be mitigated. For
   example, if one of the existing keys is compromised, an attacker may
   be able to add data they generated as "valid" data. This means that a
   way to revoke an existing key is needed, regardless of whether or not
   the key has been compromised. As another example, an attacker holding
   one compromised key must be prevented from adding a new key and
   revoking all of the other existing keys.

2.1.  Revocation

   Assume two trust anchors, key A and key B, and assume that key B has
   been compromised. Without a specific revocation bit, key A could be
   invalidated by signing a trust point key set that does not contain
   key A with key B and sending it to the resolver. To solve this
   problem, a mechanism is added under which revoking a DNSKEY requires
   knowledge of the private key that corresponds to that DNSKEY.

   When the REVOKE bit (see Section 7) of a key contained in a
   self-signed RRset is set to "1", the resolver considers that key
   revoked. Once the resolver has seen the REVOKE bit set on a key, it
   validates the RRSIG over the DNSKEY RRset made by that key in order
   to verify the revocation, but it MUST NOT use the key for any other
   purpose, whether as a trust anchor or otherwise. Unlike the "add"
   operation described below, once the resolver has received a valid
   revocation, the revocation takes effect immediately and is permanent.

   A self-signed RRset is a DNSKEY RRset for which a corresponding RRSIG
   record exists and can be validated by a DNSKEY that the DNSKEY RRset
   contains. It is not a special kind of DNSKEY RRset. It is only a term
   that expresses a validation requirement for the DNSKEY RRset.

   Note: a DNSKEY with the REVOKE bit set has a different fingerprint
   from the same key without the bit set. (Translator's note: because a
   DS record holds a fingerprint of the DNSKEY,) this affects the
   matching of a DNSKEY to the DS records in the parent zone [RFC3755].
   (Translator's note: because the trust anchor a resolver holds in its
   configuration is a fingerprint of the DNSKEY,) it also affects the
   fingerprint the resolver uses to configure a trust point.

   In the example above, the attacker knows the private key of key B and
   so may be able to revoke key B, but cannot revoke key A.
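The note in Section 2.1 about fingerprints, shown as an added example (not part of the RFC or of the original page): the REVOKE flag is part of the DNSKEY RDATA, so the RFC 4034 key tag and a DS-style SHA-256 digest both change when the bit is set. The key octets and the owner name are constructed, and `same_key_ignoring_revoke` is a hypothetical helper showing one way a resolver can still match a revoked key to a stored anchor.

```python
import hashlib
import struct

REVOKE = 0x0080    # flags bit 8 (Section 3 of this document)
ZONE_KEY = 0x0100  # flags bit 7 (RFC 4034)
SEP = 0x0001       # flags bit 15 (RFC 4034)

def dnskey_rdata(flags, algorithm, public_key, protocol=3):
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """Key tag as defined in RFC 4034, Appendix B."""
    acc = 0
    for i, octet in enumerate(rdata):
        acc += octet if i & 1 else octet << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def owner_wire(name):
    """Canonical (lower-case) wire form of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_digest(owner, rdata):
    """SHA-256 DS digest: hash of the owner name followed by the DNSKEY RDATA."""
    return hashlib.sha256(owner_wire(owner) + rdata).hexdigest()

def same_key_ignoring_revoke(rdata_a, rdata_b):
    """Hypothetical helper: compare two DNSKEYs with the REVOKE bit masked out."""
    def masked(rdata):
        (flags,) = struct.unpack("!H", rdata[:2])
        return struct.pack("!H", flags & ~REVOKE & 0xFFFF) + rdata[2:]
    return masked(rdata_a) == masked(rdata_b)

# Constructed sample key: 32 arbitrary octets, algorithm number 15.
PUBLIC_KEY = bytes(range(1, 33))
ACTIVE = dnskey_rdata(ZONE_KEY | SEP, 15, PUBLIC_KEY)            # flags 257
REVOKED = dnskey_rdata(ZONE_KEY | SEP | REVOKE, 15, PUBLIC_KEY)  # flags 385

if __name__ == "__main__":
    for label, rdata in (("active", ACTIVE), ("revoked", REVOKED)):
        print(label, key_tag(rdata), ds_digest("example.com.", rdata))
    print("same key:", same_key_ignoring_revoke(ACTIVE, REVOKED))
```

A resolver that stores its anchors by key tag or digest therefore has to clear the REVOKE bit before comparing, otherwise a validly revoked key looks like an unknown key.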
2.2.  Add Hold-Down

   Assume two trust anchors, key A and key B, and assume that key B has
   been compromised. In this case an attacker may be able to generate
   and add a new trust anchor, key C (by adding key C to the DNSKEY
   RRset and signing it with key B), and then invalidate the compromised
   key B. In this situation both the attacker and the zone administrator
   can sign zone data, and resolvers will treat both sets of signatures
   as valid.

   To mitigate the impact, although this does not completely solve the
   problem, a hold-down time is added to the addition of a new trust
   anchor. When the resolver sees a new SEP key in a validated DNSKEY
   RRset at the trust point, it starts an acceptance timer and remembers
   all of the keys that signed that RRset.

   If the resolver later sees a validly signed DNSKEY RRset that does
   not contain the new key, it stops the acceptance process for the new
   key and resets the acceptance timer. Likewise, if all of the existing
   keys that were used to validate the new key are revoked before the
   acceptance timer expires, the resolver stops the acceptance process
   and resets the acceptance timer.

   Once the acceptance timer has expired, the resolver adds the new key
   as a trust anchor the next time it sees the key together with an
   RRset it can validate. The resolver MUST NOT treat the new key as a
   trust anchor until the acceptance timer has expired and it has
   retrieved and validated, after the hold-down time, a DNSKEY RRset
   that contains the new key.

   Note: once a resolver has accepted a key as a trust anchor, it MUST
   continue to consider that key a valid trust anchor until the key is
   explicitly revoked according to the procedure described above.

   In the example above, the zone administrator can recover from the
   compromise of key B by revoking key B, adding a new key D, and
   signing the DNSKEY RRset with both key A and key B.

   The reason this method cannot completely solve the problem has to do
   with the distributed nature of the DNS. A resolver only has the
   information it has seen. A determined attacker who holds a
   compromised key can keep a particular single resolver from noticing
   the compromise by intercepting the "real" data sent from the real
   zone and substituting other data (in the example, signed only by
   key B). This does not, however, make the existing situation of having
   a compromised key any worse.

2.3.  Active Refresh

   A resolver that has been configured to retrieve and update keys
   automatically from a particular trust point MUST query that trust
   point (that is, look up the DNSKEY RRset and the related RRSIG
   records) more often than once within the smallest of 15 days, half
   the TTL of the DNSKEY RRset, or half the time remaining until the
   RRSIG signature expiration, and less often than once per hour. The
   time remaining until the RRSIG signature expiration is the time from
   when the RRSIG was last retrieved until the signature expiration time
   in the RRSIG. That is:

      query interval = MAX(1 hour,
                           MIN(15 days,
                               1/2 * DNSKEY TTL,
                               1/2 * time remaining until RRSIG
                                     signature expiration))

   If a query fails, the resolver MUST repeat the query until it
   succeeds. It MUST do so less often than once per hour and more often
   than once within the smallest of 1 day, 10% of the TTL of the DNSKEY
   RRset, or 10% of the time remaining until the RRSIG signature
   expiration. That is:

      query interval = MAX(1 hour,
                           MIN(1 day,
                               1/10 * DNSKEY TTL,
                               1/10 * time remaining until RRSIG
                                      signature expiration))

2.4.  Resolver Parameters

2.4.1.  Add Hold-Down Time

   The add hold-down time is 30 days or the remaining TTL of the DNSKEY
   RRset at the time the trust point's DNSKEY RRset was first seen to
   contain the new key, whichever is longer. This ensures that a DNSKEY
   RRset containing the new key MUST be validated at least twice before
   the resolver accepts the new key.

2.4.2.  Remove Hold-Down Time

   The remove hold-down time is 30 days. It is purely a bookkeeping
   parameter for the key management database. Failing to remove
   information about defunct keys from the database does not adversely
   affect the security of this protocol, but the database will end up
   cluttered with obsolete information.

2.4.3.  Minimum Trust Anchors per Trust Point

   A resolver that complies with this protocol MUST be able to handle at
   least five SEP keys per trust point.

3.  Changes to DNSKEY RDATA Wire Format

   Bit 8 of the DNSKEY record Flags field is the "REVOKE" flag. When the
   resolver sees an RRSIG(DNSKEY) signed by a key that has this bit set
   to "1", it MUST consider that key permanently invalid for all
   purposes except validating the revocation of that key.

4.  State Table

   The most important thing to understand is how a key at a trust point
   looks from the resolver. The state table below shows that view at
   various points between the creation of the key and its retirement.
   The state table is a normative part of this specification. The
   initial state of a key is "Start". The state of the key as seen from
   the resolver changes as various events occur.

   The state of a trust point key as seen from the resolver is shown
   below. The left column shows the current state and the top row shows
   the state to move to next. The cell where a row and a column
   intersect shows the event that causes the transition from the current
   state to the next state.

                                Next state
                --------------------------------------------------
   Current state|Start  |AddPend |Valid  |Missing|Revoked|Removed|
   ---------------------------------------------------------------
   Start        |       |NewKey  |       |       |       |       |
   ---------------------------------------------------------------
   AddPend      |KeyRem |        |AddTime|       |       |       |
   ---------------------------------------------------------------
   Valid        |       |        |       |KeyRem |Revbit |       |
   ---------------------------------------------------------------
   Missing      |       |        |KeyPres|       |Revbit |       |
   ---------------------------------------------------------------
   Revoked      |       |        |       |       |       |RemTime|
   ---------------------------------------------------------------
   Removed      |       |        |       |       |       |       |
   ---------------------------------------------------------------

                                State Table

4.1.  Events

   NewKey   The resolver has seen a valid DNSKEY RRset that contains a
            new SEP key. After the new key has been present in the RRset
            for the "add hold-down time", it becomes a new trust anchor
            for the trust point at which it exists.

   KeyPres  The key has returned to the valid DNSKEY RRset.

   KeyRem   The resolver has seen a valid DNSKEY RRset that does not
            contain the key.

   AddTime  The key has continued to be present in the valid DNSKEY
            RRset for at least the "add hold-down time".

   RemTime  Enough time has passed since the revoked key stopped
            appearing in the trust point's DNSKEY RRset that it may be
            removed from the resolver.

   RevBit   A key with the REVOKE bit set is present in the trust
            anchor's DNSKEY RRset, and an RRSIG over the DNSKEY RRset
            signed by that key is present.

4.2.  States

   Start    The key is not yet recognized by the resolver as a trust
            anchor. It may or may not exist on the zone server, but
            either it has not been seen by the resolver, or it was seen
            but was not in the most recent DNSKEY RRset (for example, a
            KeyRem event).

   AddPend  The resolver has seen that the key has its "SEP" bit set and
            is contained in a valid DNSKEY RRset. The key is currently
            within the add hold-down time that must pass before it can
            be used as a trust anchor.

   Valid    The resolver has seen that the key has remained in the valid
            DNSKEY RRset for the add hold-down time, counted from when
            it was first seen. After the add hold-down time, the key is
            valid for use in validating RRsets.

            Clarification: the DNSKEY RRset containing the key does not
            need to be continuously present at the resolver (for
            example, its TTL may expire and it may be dropped from the
            cache). However, whenever a DNSKEY RRset validated by an
            existing trust anchor is seen and validated, the key MUST be
            present in that RRset. Otherwise a "KeyRem" event occurs.

   Missing  This is an abnormal state. The key remains valid as a trust
            anchor, yet the resolver has seen that the DNSKEY RRset it
            most recently validated does not contain the key. The state
            is abnormal because a zone administrator is expected to use
            the REVOKE bit before removing a key.

   Revoked  A key moves to this state when the resolver sees that the
            DNSKEY RRset contains the key with its REVOKE bit set to "1"
            and that the RRSIG(DNSKEY) is signed by the same key. Once
            in this state, the key must be considered permanently
            invalid as a trust anchor.

   Removed  After a sufficiently long remove hold-down time has passed,
            information about the key may be removed from the resolver.
            A key in this state MUST NOT be considered a valid trust
            anchor. (Note: reusing a previously used key is bad
            practice. Apart from that, this state is roughly the same as
            the "Start" state. Think of it as a holding state that lasts
            until the resolver no longer needs to keep track of the old
            key.)
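The state table and events of Section 4, the hold-down times of Section 2.4 and the query interval of Section 2.3, as an added example (not code from the RFC or from any resolver): it tracks one SEP key across a constructed series of validated DNSKEY RRset observations. All names are illustrative, the add hold-down is fixed at 30 days, the Section 2.2 rule about the validating keys being revoked is not modelled, and sending an AddPend key that shows the REVOKE bit back to Start is an assumption, since the table defines no such transition.

```python
from dataclasses import dataclass

HOUR, DAY = 3600, 86400
ADD_HOLD_DOWN = 30 * DAY      # Section 2.4.1 (a longer remaining TTL would extend it)
REMOVE_HOLD_DOWN = 30 * DAY   # Section 2.4.2

@dataclass
class TrackedKey:
    state: str = "Start"
    since: int = 0            # start of the hold-down timer currently running

def step(key, now, present, revbit=False):
    """Apply one validated DNSKEY RRset observation to one SEP key.

    present: the key is in the RRset.
    revbit:  the key is in the RRset with REVOKE set and the RRset
             carries an RRSIG made by that key (the RevBit event).
    """
    if key.state == "Start":
        if present and not revbit:                   # NewKey
            key.state, key.since = "AddPend", now
    elif key.state == "AddPend":
        if not present or revbit:                    # KeyRem (revbit: assumption)
            key.state = "Start"
        elif now - key.since >= ADD_HOLD_DOWN:       # AddTime
            key.state = "Valid"
    elif key.state in ("Valid", "Missing"):
        if revbit:                                   # RevBit
            key.state, key.since = "Revoked", now
        else:                                        # KeyPres / KeyRem
            key.state = "Valid" if present else "Missing"
    elif key.state == "Revoked":
        if present or revbit:
            key.since = now                          # still published: keep waiting
        elif now - key.since >= REMOVE_HOLD_DOWN:    # RemTime
            key.state = "Removed"
    return key.state

def is_trust_anchor(key):
    """Valid and Missing keys are both still usable as trust anchors."""
    return key.state in ("Valid", "Missing")

def query_interval(dnskey_ttl, rrsig_remaining, last_query_failed=False):
    """Section 2.3: seconds until the next DNSKEY query for the trust point."""
    cap, divisor = (DAY, 10) if last_query_failed else (15 * DAY, 2)
    return max(HOUR, min(cap, dnskey_ttl // divisor, rrsig_remaining // divisor))

def replay(observations):
    """Run (day, present, revbit) observations through a fresh key."""
    key, trace = TrackedKey(), []
    for day, present, revbit in observations:
        trace.append(step(key, day * DAY, present, revbit))
    return trace

# Constructed timeline: (day, key present, RevBit event seen)
TIMELINE = [
    (0, True, False), (10, True, False),    # first seen, hold-down running
    (15, False, False),                     # valid RRset without the key: reset
    (16, True, False), (45, True, False),   # timer restarted; day 45 is only 29 days
    (47, True, False),                      # seen after the hold-down: accepted
    (60, False, False), (61, True, False),  # Missing, then back to Valid
    (70, True, True),                       # self-signed revocation
    (80, False, False), (101, False, False),
]

if __name__ == "__main__":
    for obs, state in zip(TIMELINE, replay(TIMELINE)):
        print(obs, "->", state)
```

The reset on day 15 is the hold-down doing its job: as long as the resolver keeps seeing validly signed RRsets without the new key, that key never leaves AddPend.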
5.  Trust Point Deletion

   A trust point whose trust anchors have all been revoked is considered
   deleted and is treated as if it had never been configured. If no
   other trust point is configured above it, the resolver treats data at
   and below the deleted trust point as "Insecure" (unsigned status
   detected: low trust). If another trust point is configured above it,
   data at and below the deleted trust point is evaluated with respect
   to the superior trust point.

   Where another trust point exists above a configured trust point, and
   the chain of trust from the superior trust point to the subordinate
   trust point is valid, the resolver MAY delete the subordinate trust
   point after 180 days. Whether to delete the subordinate trust point
   is a decision for each administrator. Once the subordinate trust
   point is deleted, validation of that zone depends on the chain of
   trust from the superior trust point.

6.  Scenarios (Informative)

   The recommended operational model is to have one active key and one
   stand-by key at each trust point. The active key is used to sign the
   DNSKEY RRset. The stand-by key does not normally sign the DNSKEY
   RRset, but when the resolver sees the trust point's DNSKEY RRset
   signed by the stand-by key, it treats that key as a trust anchor.

   Because the stand-by key is not used for actual signing, its private
   key can (and should) be given additional protection that is nearly
   impossible for a key that must be used frequently (for example,
   keeping it in a safe or splitting it among several groups).
   Conceptually, the stand-by key should be less likely to be
   compromised than the active key, but that depends on operational
   matters not covered in this document.

6.1.  Adding a Trust Anchor

   Assume the existing trust anchor is key A.

   1.  Generate a new key pair.

   2.  Create a DNSKEY record for the generated key pair (containing its
       public key) and set the SEP bit and the Zone Key bit (signing
       key, ZSK or KSK).

   3.  Add the new DNSKEY record to the DNSKEY RRset.

   4.  Sign the DNSKEY RRset using ONLY key A, the existing trust
       anchor.

   5.  Wait for each resolver's cache period to end and for the
       resolvers to retrieve the new DNSKEY RRset and its signatures.

   6.  The new trust anchor propagates to the resolvers according to the
       state table and update algorithm given in Section 2 and
       Section 4.

6.2.  Deleting a Trust Anchor

   Assume the existing trust anchors are key A and key B, and that
   key A is to be revoked.

   1.  Set the REVOKE bit on the DNSKEY record of key A.

   2.  Sign the DNSKEY RRset with key A and key B.

   Key A is revoked at this point. The zone administrator should keep
   the revoked key A in the DNSKEY RRset for at least the remove
   hold-down time, and may remove it from the DNSKEY RRset after that.

6.3.  Key Roll-Over

   Assume the existing trust anchors are key A and key B. Key A is the
   active key (that is, it signs the DNSKEY RRset). Key B is the
   stand-by key (that is, it is a valid trust anchor present in the
   DNSKEY RRset, but it does not sign the DNSKEY RRset).

   1.  Generate a new key pair (key C).

   2.  Add key C to the DNSKEY RRset.

   3.  Set the REVOKE bit on key A.

   4.  Sign the DNSKEY RRset with key A and key B.

   Key A is revoked at this point. Key B becomes the active key at this
   point. Key C becomes the stand-by key after the add hold-down time.
   The zone administrator should keep the revoked key A in the DNSKEY
   RRset for at least the remove hold-down time, and may remove it from
   the DNSKEY RRset after that.

6.4.  Active Key Compromised

   Assuming key A is the active key, the procedure is the same as the
   Key Roll-Over above (Section 6.3).

6.5.  Stand-by Key Compromised

   This uses the same assumptions and key names as the Key Roll-Over
   above (Section 6.3).

   1.  Generate a new key pair (key C).

   2.  Add key C to the DNSKEY RRset.

   3.  Set the REVOKE bit on key B.

   4.  Sign the DNSKEY RRset with key A and key B.

   Key B is revoked at this point. Key A remains the active key, and
   key C becomes the stand-by key after the add hold-down time. Key B
   should be kept in the DNSKEY RRset for the remove hold-down time.

6.6.  Trust Point Deletion

   Deleting a trust point that is subordinate to another configured
   trust point (for example, example.com under .com) requires some
   handing over of data. The specific procedure is as follows.

   1.  Generate a new DNSKEY record and DS record for the subordinate
       zone, and register the new DS record in the parent zone together
       with the old DS records that correspond to the existing keys.

   2.  After these DS records have been published in the parent zone,
       add the new DNSKEY to the DNSKEY RRset, revoke all of the old
       keys at the same time, and sign the DNSKEY RRset with all of the
       revoked keys and the newly added key.

   3.  After 30 days, stop publishing the old, revoked keys and delete
       the DS records in the parent zone that correspond to the old
       keys.

   Adding the new key, which has a chain of trust to the superior zone,
   at the same time as revoking the old keys prevents the new key from
   being added to resolvers as a trust anchor. Registering DS records
   for the old keys in the parent zone avoids a race condition in which
   the subordinate zone becomes Insecure (because the trust point was
   deleted) or Bogus (validation failed: trust prohibited) (because
   there is no chain of trust to the superior zone).

7.  IANA Considerations

   The IANA has assigned the REVOKE bit (8) in the Flags field of the
   DNSKEY record (see [RFC4034], Section 7).

8.  Security Considerations

   Security considerations for trust anchor rollover that are not
   specific to this protocol are discussed in [RFC4986].

8.1.  Key Ownership and Key Acceptance Policy

   Note that while the zone administrator is responsible for generating
   and distributing keys, whether to accept those keys as information
   that authenticates the zone is the decision of the resolver
   administrator. This means that whether to update trust anchors based
   on a currently trusted trust anchor is also the decision of the
   resolver administrator.

   Resolver administrators (and resolver implementers) MAY choose, for
   each trust point, to permit or prohibit key updates based on this
   specification. If automated key updates are prohibited, a mechanism
   for updating keys manually or by some other out-of-band method that
   does not use the network needs to be established, but that is outside
   the scope of this document.

8.2.  Multiple Key Compromise

   As long as at least one valid trust anchor has not been compromised,
   this scheme can be used to recover to a sound state. For example, if
   there are three keys, recovery is possible even if two of them are
   compromised.

   Zone administrators should each decide how many valid active keys it
   is appropriate to hold as trust anchors for the zone, and should have
   recovery procedures ready for when a compromise is detected. If all
   of the trust anchors at a trust point are compromised, every resolver
   needs a key update performed manually or by a method that does not
   use the network.

8.3.  Dynamic Updates

   Allowing a resolver to update its trust anchors based on key
   information exchanged over the network (in-band) is potentially less
   secure than a manual process. However, given the nature of the DNS,
   the number of resolvers that would need updating when a trust anchor
   is compromised, and the lack of a standard management method for the
   DNS, the approach of this specification does not make things worse
   than the current situation.

9.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC3755]  Weiler, S., "Legacy Resolver Compatibility for Delegation
              Signer (DS)", RFC 3755, May 2004.

   [RFC4033]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
              Rose, "DNS Security Introduction and Requirements",
              RFC 4033, March 2005.

   [RFC4034]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
              Rose, "Resource Records for the DNS Security Extensions",
              RFC 4034, March 2005.

   [RFC4035]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
              Rose, "Protocol Modifications for the DNS Security
              Extensions", RFC 4035, March 2005.

10.  Informative References

   [RFC4986]  Eland, H., Mundy, R., Crocker, S., and S. Krishnaswamy,
              "Requirements Related to DNS Security (DNSSEC) Trust
              Anchor Rollover", RFC 4986, August 2007.

Author's Address

   Michael StJohns
   Independent

   EMail: [email protected]

Full Copyright Statement

   Copyright (C) The IETF Trust (2007).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
   THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
   OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights. Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard. Please address the information to the IETF at
   [email protected].