idnits 2.17.1 draft-ietf-dnsext-delegation-signer-15.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** Looks like you're using RFC 2026 boilerplate. This must be updated to follow RFC 3978/3979, as updated by RFC 4748. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- ** The document seems to lack a 1id_guidelines paragraph about 6 months document validity -- however, there's a paragraph with a matching beginning. Boilerplate error? == No 'Intended status' indicated for this document; assuming Proposed Standard Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack an Introduction section. (A line matching the expected section header was found, but with an unexpected indentation: ' 1 Introduction' ) ** The document seems to lack a Security Considerations section. (A line matching the expected section header was found, but with an unexpected indentation: ' 4 Security Considerations:' ) ** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.) (A line matching the expected section header was found, but with an unexpected indentation: ' 5 IANA Considerations:' ) ** There are 235 instances of too long lines in the document, the longest one being 3 characters in excess of 72. ** The abstract seems to contain references ([RFC3008], [RFC1035], [RFC3225], [RFC3090], [RFC2181], [RFC3226], [RFC3445], [RFC2535], [RFC2535,RFC3008,RFC3090]), which it shouldn't. Please replace those with straight textual mentions of the documents in question. ** The document seems to lack a both a reference to RFC 2119 and the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords. RFC 2119 keyword, line 209: '... that support DS MUST support the OK b...' RFC 2119 keyword, line 211: '...ecure the delegation MUST contain a DS...' RFC 2119 keyword, line 213: '...r the delegation MUST include the foll...' RFC 2119 keyword, line 224: '...sage, the TC bit MUST be set. Additio...' RFC 2119 keyword, line 229: '...t of view). DS RRsets MUST NOT appear...' (35 more instances...) -- The abstract seems to indicate that this document obsoletes RFC3090, but the header doesn't have an 'Obsoletes:' line to match this. -- The abstract seems to indicate that this document obsoletes RFC3445, but the header doesn't have an 'Obsoletes:' line to match this. -- The abstract seems to indicate that this document obsoletes RFC3226, but the header doesn't have an 'Obsoletes:' line to match this. -- The abstract seems to indicate that this document obsoletes RFC2535, but the header doesn't have an 'Obsoletes:' line to match this. -- The abstract seems to indicate that this document obsoletes RFC3008, but the header doesn't have an 'Obsoletes:' line to match this. -- The abstract seems to indicate that this document updates RFC3090, but the header doesn't have an 'Updates:' line to match this. -- The abstract seems to indicate that this document updates RFC1035, but the header doesn't have an 'Updates:' line to match this. -- The abstract seems to indicate that this document updates RFC3226, but the header doesn't have an 'Updates:' line to match this. -- The abstract seems to indicate that this document updates RFC2535, but the header doesn't have an 'Updates:' line to match this. -- The abstract seems to indicate that this document updates RFC3008, but the header doesn't have an 'Updates:' line to match this. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not match the current year == The "Author's Address" (or "Authors' Addresses") section title is misspelled. == The expression 'MAY NOT', while looking like RFC 2119 requirements text, is not defined in RFC 2119, and should not be used. Consider using 'MUST NOT' instead (if that is what you mean). Found 'MAY NOT' in this paragraph: The key words "MAY","MAY NOT", "MUST", "MUST NOT", "REQUIRED", "RECOMMENDED", "SHOULD", and "SHOULD NOT" in this document are to be interpreted as described in RFC2119. == Using lowercase 'not' together with uppercase 'MUST', 'SHALL', 'SHOULD', or 'RECOMMENDED' is not an accepted usage according to RFC 2119. Please use uppercase 'NOT' together with RFC 2119 keywords (if that is what you mean). Found 'MUST not' in this paragraph: A server authoritative for only the child zone, that is also a caching server MAY (if the RD bit is set in the query) perform recursion to find the DS record at the delegation point, or MAY return the DS record from its cache. In this case, the AA bit MUST not be set in the response. -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (June 2003) is 7619 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Missing reference section? 'RFC1035' on line 721 looks like a reference -- Missing reference section? 'RFC2535' on line 724 looks like a reference -- Missing reference section? 'RFC3090' on line 730 looks like a reference -- Missing reference section? 'RFC3008' on line 727 looks like a reference -- Missing reference section? 'RFC3445' on line 736 looks like a reference -- Missing reference section? 'RFC3225' on line 733 looks like a reference -- Missing reference section? 'RFC3226' on line 744 looks like a reference -- Missing reference section? 'RFC 2181' on line 248 looks like a reference -- Missing reference section? 'RFC2181' on line 741 looks like a reference Summary: 8 errors (**), 0 flaws (~~), 5 warnings (==), 21 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 DNSEXT Working Group Olafur Gudmundsson 3 INTERNET-DRAFT June 2003 4 6 Updates: RFC 1035, RFC 2535, RFC 3008, RFC 3090. 8 Delegation Signer Resource Record 10 Status of this Memo 12 This document is an Internet-Draft and is in full conformance with 13 all provisions of Section 10 of RFC2026. 15 Internet-Drafts are working documents of the Internet Engineering 16 Task Force (IETF), its areas, and its working groups. Note that 17 other groups may also distribute working documents as Internet- 18 Drafts. 20 Internet-Drafts are draft documents valid for a maximum of six months 21 and may be updated, replaced, or obsoleted by other documents at any 22 time. It is inappropriate to use Internet-Drafts as reference 23 material or to cite them other than as ``work in progress.'' 25 The list of current Internet-Drafts can be accessed at 26 http://www.ietf.org/ietf/1id-abstracts.txt 28 The list of Internet-Draft Shadow Directories can be accessed at 29 http://www.ietf.org/shadow.html 31 This draft expires on January 19, 2004. 33 Copyright Notice 35 Copyright (C) The Internet Society (2003). All rights reserved. 37 Abstract 39 The delegation signer (DS) resource record is inserted at a zone cut 40 (i.e., a delegation point) to indicate that the delegated zone is 41 digitally signed and that the delegated zone recognizes the indicated 42 key as a valid zone key for the delegated zone. The DS RR is a 43 modification to the DNS Security Extensions definition, motivated by 44 operational considerations. The intent is to use this resource record 45 as an explicit statement about the delegation, rather than relying on 46 inference. 48 This document defines the DS RR, gives examples of how it is used and 49 describes the implications on resolvers. This change is not backwards 50 compatible with RFC 2535. 51 This document updates RFC1035, RFC2535, RFC3008 and RFC3090. 53 Table of contents 55 Status of this Memo . . . . . . . . . . . . . . . . . . . . . . . . 1 56 Abstract . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 57 Table of contents . . . . . . . . . . . . . . . . . . . . . . . . . 2 58 1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 59 1.2 Reserved Words" . . . . . . . . . . . . . . . . . . . . . . . . 4 60 2 Specification of the Delegation key Signer" . . . . . . . . . . . 4 61 2.1 Delegation Signer Record Model" . . . . . . . . . . . . . . . . 4 62 2.2 Protocol Change" . . . . . . . . . . . . . . . . . . . . . . . . 5 63 2.2.1 RFC2535 2.3.4 and 3.4: Special Considerations at 64 Delegation Points" . . . . . . . . . . . . . . . . . . . . . . . . . 6 65 2.2.1.1 Special processing for DS queries" . . . . . . . . . . . . 6 66 2.2.1.2 Special processing when child and an ancestor share 67 server" . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 68 2.2.1.3 Modification on use of KEY RR in the construction of 69 Responses" . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 70 2.2.2 Signer's Name (replaces RFC3008 section 2.7)" . . . . . . . . 9 71 2.2.3 Changes to RFC3090" . . . . . . . . . . . . . . . . . . . . . 9 72 2.2.3.1 RFC3090: Updates to section 1: Introduction" . . . . . . . . 9 73 2.2.3.2 RFC3090 section 2.1: Globally Secured" . . . . . . . . . . . 9 74 2.2.3.3 RFC3090 section 3: Experimental Status." . . . . . . . . . 10 75 2.2.4 NULL KEY elimination" . . . . . . . . . . . . . . . . . . . . 10 76 2.3 Comments on Protocol Changes" . . . . . . . . . . . . . . . . . 10 77 2.4 Wire Format of the DS record" . . . . . . . . . . . . . . . . . 11 78 2.4.1 Justifications for Fields" . . . . . . . . . . . . . . . . . . 12 79 2.5 Presentation Format of the DS Record" . . . . . . . . . . . . . 12 80 2.6 Transition Issues for Installed Base" . . . . . . . . . . . . . 12 81 2.6.1 Backwards compatibility with RFC2535 and RFC1035" . . . . . . 12 82 2.7 KEY and corresponding DS record example" . . . . . . . . . . . . 13 83 3 Resolver" . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 84 3.1 DS Example" . . . . . . . . . . . . . . . . . . . . . . . . . . 14 85 3.2 Resolver Cost Estimates for DS Records" . . . . . . . . . . . . 15 86 4 Security Considerations: " . . . . . . . . . . . . . . . . . . . . 15 87 5 IANA Considerations: " . . . . . . . . . . . . . . . . . . . . . . 16 88 6 Acknowledgments" . . . . . . . . . . . . . . . . . . . . . . . . . 16 89 Normative References: " . . . . . . . . . . . . . . . . . . . . . . 16 90 Informational References" " . . . . . . . . . . . . . . . . . . . . 17 91 Author Address" . . . . . . . . . . . . . . . . . . . . . . . . . . 17 92 Full Copyright Statement" . . . . . . . . . . . . . . . . . . . . . 17 93 1 Introduction 95 Familiarity with the DNS system [RFC1035], DNS security extensions 96 [RFC2535] and DNSSEC terminology [RFC3090] is important. 98 Experience shows that when the same data can reside in two 99 administratively different DNS zones, the data frequently gets out of 100 sync. The presence of an NS RRset in a zone anywhere other than at 101 the apex indicates a zone cut or delegation. The RDATA of the NS 102 RRset specifies the authoritative servers for the delegated or 103 "child" zone. Based on actual measurements, 10-30% of all delegations 104 on the Internet have differing NS RRsets at parent and child. There 105 are a number of reasons for this, including a lack of communication 106 between parent and child and bogus name servers being listed to meet 107 registry requirements. 109 DNSSEC [RFC2535,RFC3008,RFC3090] specifies that a child zone needs to 110 have its KEY RRset signed by its parent to create a verifiable chain 111 of KEYs. There has been some debate on where the signed KEY RRset 112 should reside, whether at the child [RFC2535] or at the parent. If 113 the KEY RRset resides at the child, maintaining the signed KEY RRset 114 in the child requires frequent two-way communication between the two 115 parties. First the child transmits the KEY RRset to the parent and 116 then the parent sends the signature(s) to the child. Storing the KEY 117 RRset at the parent was thought to simplify the communication. 119 DNSSEC [RFC2535] requires that the parent store a NULL KEY record for 120 an unsecure child zone to indicate that the child is unsecure. A NULL 121 KEY record is a waste: an entire signed RRset is used to communicate 122 effectively one bit of information--that the child is unsecure. 123 Chasing down NULL KEY RRsets complicates the resolution process in 124 many cases, because servers for both parent and child need to be 125 queried for the KEY RRset if the child server does not return it. 126 Storing the KEY RRset only in the parent zone simplifies this and 127 would allow the elimination of the NULL KEY RRsets entirely. For 128 large delegation zones the cost of NULL keys is a significant barrier 129 to deployment. 131 Prior to the restrictions imposed by RFC3445[RFC3445], another 132 implication of the DNSSEC key model is that the KEY record could be 133 used to store public keys for other protocols in addition to DNSSEC 134 keys. There are number of potential problems with this, including: 135 1. The KEY RRset can become quite large if many applications and 136 protocols store their keys at the zone apex. Possible protocols 137 are IPSEC, HTTP, SMTP, SSH and others that use public key 138 cryptography. 139 2. The KEY RRset may require frequent updates. 140 3. The probability of compromised or lost keys, which trigger 141 emergency key rollover procedures, increases. 143 4. The parent may refuse to sign KEY RRsets with non-DNSSEC zone 144 keys. 145 5. The parent may not meet the child's expectations of turnaround 146 time for resigning the KEY RRset. 148 Given these reasons, SIG@parent isn't any better than SIG/KEY@Child. 150 1.2 Reserved Words 152 The key words "MAY","MAY NOT", "MUST", "MUST NOT", "REQUIRED", 153 "RECOMMENDED", "SHOULD", and "SHOULD NOT" in this document are to be 154 interpreted as described in RFC2119. 156 2 Specification of the Delegation key Signer 158 This section defines the Delegation Signer (DS) RR type (type code 159 TBD) and the changes to DNS to accommodate it. 161 2.1 Delegation Signer Record Model 163 This document presents a replacement for the DNSSEC KEY record chain 164 of trust [RFC2535] that uses a new RR that resides only at the 165 parent. This record identifies the key(s) that the child uses to 166 self-sign its own KEY RRset. 168 Even though DS identifies two roles for KEYs, Key Signing Key (KSK) 169 and Zone Signing Key (ZSK), there is no requirement that zone use two 170 different keys for these roles. It is expected that many small zones 171 will only use one key, while larger zones will be more likely to use 172 multiple keys. 174 The chain of trust is now established by verifying the parent KEY 175 RRset, the DS RRset from the parent and the KEY RRset at the child. 176 This is cryptographically equivalent to using just KEY records. 178 Communication between the parent and child is greatly reduced, since 179 the child only needs to notify the parent about changes in keys that 180 sign its apex KEY RRset. The parent is ignorant of all other keys in 181 the child's apex KEY RRset. Furthermore, the child maintains full 182 control over the apex KEY RRset and its content. The child can 183 maintain any policies regarding its KEY usage for DNSSEC with minimal 184 impact on the parent. Thus if the child wants to have frequent key 185 rollover for its DNS zone keys, the parent does not need to be aware 186 of it. The child can use one key to sign only its apex KEY RRset and 187 a different key to sign the other RRsets in the zone. 189 This model fits well with a slow roll out of DNSSEC and the islands 190 of security model. In this model, someone who trusts "good.example." 191 can preconfigure a key from "good.example." as a trusted key, and 192 from then on trusts any data signed by that key or that has a chain 193 of trust to that key. If "example." starts advertising DS records, 194 "good.example." does not have to change operations by suspending 195 self-signing. DS records can be used in configuration files to 196 identify trusted keys instead of KEY records. Another significant 197 advantage is that the amount of information stored in large 198 delegation zones is reduced: rather than the NULL KEY record at every 199 unsecure delegation demanded by RFC 2535, only secure delegations 200 require additional information in the form of a signed DS RRset. 202 The main disadvantage of this approach is that verifying a zone's KEY 203 RRset requires two signature verification operations instead of the 204 one in RFC 2535 chain of trust. There is no impact on the number of 205 signatures verified for other types of RRsets. 207 2.2 Protocol Change 209 All DNS servers and resolvers that support DS MUST support the OK bit 210 [RFC3225] and a larger message size [RFC3226]. In order for a 211 delegation to be considered secure the delegation MUST contain a DS 212 RRset. If a query contains the OK bit, a server returning a referral 213 for the delegation MUST include the following RRsets in the authority 214 section in this order: 215 If DS RRset is present: 216 parent's copy of child's NS RRset 217 DS and SIG(DS) 218 If no DS RRset is present: 219 parent's copy of child's NS RRset 220 parent's zone NXT and SIG(NXT) 222 This increases the size of referral messages, possibly causing some 223 or all glue to be omitted. If the DS or NXT RRsets with signatures do 224 not fit in the DNS message, the TC bit MUST be set. Additional 225 section processing is not changed. 227 A DS RRset accompanying a NS RRset indicates that the child zone is 228 secure. If a NS RRset exists without a DS RRset, the child zone is 229 unsecure (from the parents point of view). DS RRsets MUST NOT appear 230 at non-delegation points or at a zone's apex. 232 Section 2.2.1 defines special considerations related to authoritative 233 servers responding to DS queries and replaces RFC2535 sections 2.3.4 234 and 3.4. Section 2.2.2 replaces RFC3008 section 2.7, and section 235 2.2.3 updates RFC3090. 237 2.2.1 RFC2535 2.3.4 and 3.4: Special Considerations at Delegation Points 239 DNS security views each zone as a unit of data completely under the 240 control of the zone owner with each entry (RRset) signed by a special 241 private key held by the zone manager. But the DNS protocol views the 242 leaf nodes in a zone that are also the apex nodes of a child zone 243 (i.e., delegation points) as "really" belonging to the child zone. 244 The corresponding domain names appear in two master files and might 245 have RRsets signed by both the parent and child zones' keys. A 246 retrieval could get a mixture of these RRsets and SIGs, especially 247 since one server could be serving both the zone above and below a 248 delegation point [RFC 2181]. 250 Each DS RRset stored in the parent zone MUST be signed by at least 251 one of the parent zone's private keys. The parent zone MUST NOT 252 contain a KEY RRset at any delegation point. Delegations in the 253 parent MAY contain only the following RR types: NS, DS, NXT and SIG. 254 The NS RRset MUST NOT be signed. The NXT RRset is the exceptional 255 case: it will always appear differently and authoritatively in both 256 the parent and child zones if both are secure. 258 A secure zone MUST contain a self-signed KEY RRset at its apex. Upon 259 verifying the DS RRset from the parent, a resolver MAY trust any KEY 260 identified in the DS RRset as a valid signer of the child's apex KEY 261 RRset. Resolvers configured to trust one of the keys signing the KEY 262 RRset MAY now treat any data signed by the zone keys in the KEY RRset 263 as secure. In all other cases resolvers MUST consider the zone 264 unsecure. A DS RRset MUST NOT appear at a zone's apex. 266 An authoritative server queried for type DS MUST return the DS RRset 267 in the answer section. 269 2.2.1.1 Special processing for DS queries 271 When a server is authoritative for the parent zone at a delegation 272 point and receives a query for the DS record at that name, it MUST 273 answer based on data in the parent zone, return DS or negative 274 answer. This is true whether or not it is also authoritative for the 275 child zone. 277 When the server is authoritative for the child zone at a delegation 278 point but not the parent zone, there is no natural response, since 279 the child zone is not authoritative for the DS record at the zone's 280 apex. As these queries are only expected to originate from recursive 281 servers which are not DS-aware, the authoritative server MUST answer 282 with: 283 RCODE: NOERROR 284 AA bit: set 285 Answer Section: Empty 286 Authority Section: SOA [+ SIG(SOA) + NXT + SIG(NXT)] 288 That is, it answers as if it is authoritative and the DS record does 289 not exist. DS-aware recursive servers will query the parent zone at 290 delegation points, so will not be affected by this. 292 A server authoritative for only the child zone, that is also a 293 caching server MAY (if the RD bit is set in the query) perform 294 recursion to find the DS record at the delegation point, or MAY 295 return the DS record from its cache. In this case, the AA bit MUST 296 not be set in the response. 298 2.2.1.2 Special processing when child and an ancestor share server 300 Special rules are needed to permit DS RR aware servers to gracefully 301 interact with older caches which otherwise might falsely label a 302 server as lame because of the placement of the DS RR set. 304 Such a situation might arise when a server is authoritative for both 305 a zone and it's grandparent, but not the parent. This sounds like an 306 obscure example, but it is very real. The root zone is currently 307 served on 13 machines, and "root-servers.net." is served on 4 of the 308 same 13, but "net." is served elsewhere. 310 When a server receives a query for (, DS, ), the 311 response MUST be determined from reading these rules in order: 313 1) If the server is authoritative for the zone that holds the DS RR 314 set (i.e., the zone that delegates , aka the "parent" zone), 315 the response contains the DS RR set as an authoritative answer. 317 2) If the server is offering recursive service and the RD bit is set 318 in the query, the server performs the query itself (according to the 319 rules for resolvers described below) and returns its findings. 321 3) If the server is authoritative for the zone that holds the 322 's SOA RR set, the response is an authoritative negative 323 answer as described in 2.2.1.1. 325 4) If the server is authoritative for a zone or zones above the 326 QNAME, a referral to the most enclosing zone's servers is made. 328 5) If the server is not authoritative for any part of the QNAME, a 329 response indicating a lame server for QNAME is given. 331 Using these rules will require some special processing on the part of 332 a DS RR aware resolver. To illustrate this, an example is used. 334 Assuming a server is authoritative for roots.example.net. and for the 335 root zone but not the intervening two zones (or the intervening two 336 label deep zone). Assume that QNAME=roots.example.net., QTYPE=DS, 337 and QCLASS=IN. 339 The resolver will issue this request (assuming no cached data) 340 expecting a referral to a net. server. Instead, rule number 3 above 341 applies and a negative answer is returned by the server. The 342 reaction by the resolver is not to accept this answer as final as it 343 can determine from the SOA RR in the negative answer the context 344 within which the server has answered. 346 A solution to this is to instruct the resolver to hunt for the 347 authoritative zone of the data in a brute force manner. 349 This can be accomplished by taking the owner name of the returned SOA 350 RR and striping off enough left-hand labels until a successful NS 351 response is obtained. A successful response here means that the 352 answer has NS records in it. (Entertaining the possibility that a 353 cut point can be two labels down in a zone.) 355 Returning to the example, the response will include a negative answer 356 with either the SOA RR for "roots.example.net." or "example.net." 357 depending on whether roots.example.net is a delegated domain. In 358 either case, removing the left most label of the SOA owner name will 359 lead to the location of the desired data. 361 2.2.1.3 Modification on use of KEY RR in the construction of Responses 363 This section updates RFC2535 section 3.5 by replacing it with the 364 following: 366 A query for KEY RR MUST NOT trigger any additional section 367 processing. Security aware resolvers will include corresponding SIG 368 records in the answer section. 370 KEY records SHOULD NOT be added to the additional records section in 371 response to any query. 373 RFC2535 specified that KEY records be added to the additional section 374 when SOA or NS records where included in an answer. This was done to 375 reduce round trips (in the case of SOA) and to force out NULL KEYs 376 (in the NS case). As this document obsoletes NULL keys there is no 377 need for the inclusion of KEYs with NSs. Furthermore as SOAs are 378 included in the authority section of negative answers, including the 379 KEYs each time will cause redundant transfers of KEYs. 381 RFC2535 section 3.5 also included rule for adding the KEY RRset to 382 the response for a query for A and AAAA types. As Restrict 383 KEY[RFC3445] eliminated use of KEY RR by all applications this rule 384 is no longer needed. 386 2.2.2 Signer's Name (replaces RFC3008 section 2.7) 388 The signer's name field of a SIG RR MUST contain the name of the zone 389 to which the data and signature belong. The combination of signer's 390 name, key tag, and algorithm MUST identify a zone key if the SIG is 391 to be considered material. This document defines a standard policy 392 for DNSSEC validation; local policy MAY override the standard policy. 394 There are no restrictions on the signer field of a SIG(0) record. 395 The combination of signer's name, key tag, and algorithm MUST 396 identify a key if this SIG(0) is to be processed. 398 2.2.3 Changes to RFC3090 400 A number of sections of RFC3090 need to be updated to reflect the DS 401 record. 403 2.2.3.1 RFC3090: Updates to section 1: Introduction 405 Most of the text is still relevant but the words ``NULL key'' are to 406 be replaced with ``missing DS RRset''. In section 1.3 the last three 407 paragraphs discuss the confusion in sections of RFC 2535 that are 408 replaced in section 2.2.1 above. Therefore, these paragraphs are now 409 obsolete. 411 2.2.3.2 RFC3090 section 2.1: Globally Secured 413 Rule 2.1.b is replaced by the following rule: 415 2.1.b. The KEY RRset at a zone's apex MUST be self-signed by a 416 private key whose public counterpart MUST appear in a zone signing 417 KEY RR (2.a) owned by the zone's apex and specifying a mandatory-to- 418 implement algorithm. This KEY RR MUST be identified by a DS RR in a 419 signed DS RRset in the parent zone. 421 If a zone cannot get its parent to advertise a DS record for it, the 422 child zone cannot be considered globally secured. The only exception 423 to this is the root zone, for which there is no parent zone. 425 2.2.3.3 RFC3090 section 3: Experimental Status. 427 The only difference between experimental status and globally secured 428 is the missing DS RRset in the parent zone. All locally secured zones 429 are experimental. 431 2.2.4 NULL KEY elimination 433 RFC3445 section 3 eliminates the top two bits in the flags field of 434 KEY RR. These two bits were used to indicate NULL KEY or NO KEY. 435 RFC3090 defines that zone is either secure or not, these rules 436 eliminates the possible need to put NULL keys in the zone apex to 437 indicate that the zone is not secured for a algorithm. Along with 438 this document these other two eliminate all uses for the NULL KEY, 439 This document obsoletes NULL KEY. 441 2.3 Comments on Protocol Changes 443 Over the years there have been various discussions surrounding the 444 DNS delegation model, declaring it to be broken because there is no 445 good way to assert if a delegation exists. In the RFC2535 version of 446 DNSSEC, the presence of the NS bit in the NXT bit map proves there is 447 a delegation at this name. Something more explicit is needed and the 448 DS record addresses this need for secure delegations. 450 The DS record is a major change to DNS: it is the first resource 451 record that can appear only on the upper side of a delegation. Adding 452 it will cause interoperabilty problems and requires a flag day for 453 DNSSEC. Many old servers and resolvers MUST be upgraded to take 454 advantage of DS. Some old servers will be able to be authoritative 455 for zones with DS records but will not add the NXT or DS records to 456 the authority section. The same is true for caching servers; in 457 fact, some might even refuse to pass on the DS or NXT records. 459 2.4 Wire Format of the DS record 461 The DS (type=TDB) record contains these fields: key tag, algorithm, 462 digest type, and the digest of a public key KEY record that is 463 allowed and/or used to sign the child's apex KEY RRset. Other keys 464 MAY sign the child's apex KEY RRset. 466 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 467 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 468 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 469 | key tag | algorithm | Digest type | 470 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 471 | digest (length depends on type) | 472 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 473 | (SHA-1 digest is 20 bytes) | 474 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 475 | | 476 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-| 477 | | 478 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-| 479 | | 480 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 482 The key tag is calculated as specified in RFC2535. Algorithm MUST be 483 an algorithm number assigned in the range 1..251 and the algorithm 484 MUST be allowed to sign DNS data. The digest type is an identifier 485 for the digest algorithm used. The digest is calculated over the 486 canonical name of the delegated domain name followed by the whole 487 RDATA of the KEY record (all four fields). 489 digest = hash( canonical FQDN on KEY RR | KEY_RR_rdata) 491 KEY_RR_rdata = Flags | Protocol | Algorithm | Public Key 493 Digest type value 0 is reserved, value 1 is SHA-1, and reserving 494 other types requires IETF standards action. For interoperabilty 495 reasons, keeping number of digest algorithms low is strongly 496 RECOMMENDED. The only reason to reserve additional digest types is 497 to increase security. 499 DS records MUST point to zone KEY records that are allowed to 500 authenticate DNS data. The indicated KEY records protocol field MUST 501 be set to 3; flag field bit 7 MUST be set to 1. The value of other 502 flag bits is not significant for the purposes of this document. 504 The size of the DS RDATA for type 1 (SHA-1) is 24 bytes, regardless 505 of key size. New digest types probably will have larger digests. 507 2.4.1 Justifications for Fields 509 The algorithm and key tag fields are present to allow resolvers to 510 quickly identify the candidate KEY records to examine. SHA-1 is a 511 strong cryptographic checksum: it is computationally infeasible for 512 an attacker to generate a KEY record that has the same SHA-1 digest. 513 Combining the name of the key and the key rdata as input to the 514 digest provides stronger assurance of the binding. Having the key 515 tag in the DS record adds greater assurance than the SHA-1 digest 516 alone, as there are now two different mapping functions. 518 This format allows concise representation of the keys that the child 519 will use, thus keeping down the size of the answer for the 520 delegation, reducing the probability of DNS message overflow. The 521 SHA-1 hash is strong enough to uniquely identify the key and is 522 similar to the PGP key footprint. The digest type field is present 523 for possible future expansion. 525 The DS record is well suited to listing trusted keys for islands of 526 security in configuration files. 528 2.5 Presentation Format of the DS Record 530 The presentation format of the DS record consists of three numbers 531 (key tag, algorithm and digest type) followed by the digest itself 532 presented in hex: 533 example. DS 12345 3 1 123456789abcdef67890123456789abcdef67890 535 2.6 Transition Issues for Installed Base 537 No backwards compatibility with RFC2535 is provided. 539 RFC2535-compliant resolvers will assume that all DS-secured 540 delegations are locally secure. This is bad, but the DNSEXT Working 541 Group has determined that rather than dealing with both 542 RFC2535-secured zones and DS-secured zones, a rapid adoption of DS is 543 preferable. Thus the only option for early adopters is to upgrade to 544 DS as soon as possible. 546 2.6.1 Backwards compatibility with RFC2535 and RFC1035 548 This section documents how a resolver determines the type of 549 delegation. 550 RFC1035 delegation (in parent) has: 552 RFC1035 NS 554 RFC2535 adds the following two cases: 556 Secure RFC2535: NS + NXT + SIG(NXT) 557 NXT bit map contains: NS SIG NXT 558 Unsecure RFC2535: NS + KEY + SIG(KEY) + NXT + SIG(NXT) 559 NXT bit map contains: NS SIG KEY NXT 560 KEY must be a NULL key. 562 DNSSEC with DS has the following two states: 564 Secure DS: NS + DS + SIG(DS) 565 NXT bit map contains: NS SIG NXT DS 566 Unsecure DS: NS + NXT + SIG(NXT) 567 NXT bit map contains: NS SIG NXT 569 It is difficult for a resolver to determine if a delegation is secure 570 RFC 2535 or unsecure DS. This could be overcome by adding a flag to 571 the NXT bit map, but only upgraded resolvers would understand this 572 flag, anyway. Having both parent and child signatures for a KEY RRset 573 might allow old resolvers to accept a zone as secure, but the cost of 574 doing this for a long time is much higher than just prohibiting RFC 575 2535-style signatures at child zone apexes and forcing rapid 576 deployment of DS-enabled servers and resolvers. 578 RFC 2535 and DS can in theory be deployed in parallel, but this would 579 require resolvers to deal with RFC 2535 configurations forever. This 580 document obsoletes the NULL KEY in parent zones, which is a difficult 581 enough change that to cause a flag day. 583 2.7 KEY and corresponding DS record example 585 This is an example of a KEY record and the corresponding DS record. 587 dskey.example. KEY 256 3 1 ( 588 AQPwHb4UL1U9RHaU8qP+Ts5bVOU1s7fYbj2b3CCbzNdj 589 4+/ECd18yKiyUQqKqQFWW5T3iVc8SJOKnueJHt/Jb/wt 590 ) ; key id = 28668 591 DS 28668 1 1 49FD46E6C4B45C55D4AC69CBD3CD34AC1AFE51DE 593 3 Resolver 595 3.1 DS Example 597 To create a chain of trust, a resolver goes from trusted KEY to DS to 598 KEY. 600 Assume the key for domain "example." is trusted. Zone "example." 601 contains at least the following records: 602 example. SOA 603 example. NS ns.example. 604 example. KEY 605 example. NXT NS SOA KEY SIG NXT secure.example. 606 example. SIG(SOA) 607 example. SIG(NS) 608 example. SIG(NXT) 609 example. SIG(KEY) 610 secure.example. NS ns1.secure.example. 611 secure.example. DS tag=12345 alg=3 digest_type=1 612 secure.example. NXT NS SIG NXT DS unsecure.example. 613 secure.example. SIG(NXT) 614 secure.example. SIG(DS) 615 unsecure.example NS ns1.unsecure.example. 616 unsecure.example. NXT NS SIG NXT example. 617 unsecure.example. SIG(NXT) 619 In zone "secure.example." following records exist: 620 secure.example. SOA 621 secure.example. NS ns1.secure.example. 622 secure.example. KEY 623 secure.example. KEY 624 secure.example. NXT 625 secure.example. SIG(KEY) 626 secure.example. SIG(SOA) 627 secure.example. SIG(NS) 628 secure.example. SIG(NXT) 630 In this example the private key for "example." signs the DS record 631 for "secure.example.", making that a secure delegation. The DS record 632 states which key is expected to sign the KEY RRset at 633 "secure.example.". Here "secure.example." signs its KEY RRset with 634 the KEY identified in the DS RRset, thus the KEY RRset is validated 635 and trusted. 637 This example has only one DS record for the child, but parents MUST 638 allow multiple DS records to facilitate key rollover and multiple KEY 639 algorithms. 641 The resolver determines the security status of "unsecure.example." by 642 examining the parent zone's NXT record for this name. The absence of 643 the DS bit indicates an unsecure delegation. Note the NXT record 644 SHOULD only be examined after verifying the corresponding signature. 646 3.2 Resolver Cost Estimates for DS Records 648 From a RFC2535 resolver point of view, for each delegation followed 649 to chase down an answer, one KEY RRset has to be verified. 650 Additional RRsets might also need to be verified based on local 651 policy (e.g., the contents of the NS RRset). Once the resolver gets 652 to the appropriate delegation, validating the answer might require 653 verifying one or more signatures. A simple A record lookup requires 654 at least N delegations to be verified and one RRset. For a DS-enabled 655 resolver, the cost is 2N+1. For an MX record, where the target of 656 the MX record is in the same zone as the MX record, the costs are N+2 657 and 2N+2, for RFC 2535 and DS, respectively. In the case of negatives 658 answer the same ratios hold true. 660 The resolver have to do an extra query to get the DS record and this 661 increases the overall cost of resolving this question, but this is 662 never worse than chasing down NULL KEY records from the parent in 663 RFC2535 DNSSEC. 665 DS adds processing overhead on resolvers and increases the size of 666 delegation answers, but much less than storing signatures in the 667 parent zone. 669 4 Security Considerations: 671 This document proposes a change to the validation chain of KEY 672 records in DNSSEC. The change is not believed to reduce security in 673 the overall system. In RFC2535 DNSSEC, the child zone has to 674 communicate keys to its parent and prudent parents will require some 675 authentication with that transaction. The modified protocol will 676 require the same authentication, but allows the child to exert more 677 local control over its own KEY RRset. 679 There is a remote possibility that an attacker could generate a valid 680 KEY that matches all the DS fields, of a specific DS set, and thus 681 forge data from the child. This possibility is considered 682 impractical, as on average more than 683 2 ^ (160 - ) 684 keys would have to be generated before a match would be found. 686 An attacker that wants to match any DS record will have to generate 687 on average at least 2^80 keys. 689 The DS record represents a change to the DNSSEC protocol and there is 690 an installed base of implementations, as well as textbooks on how to 691 set up secure delegations. Implementations that do not understand the 692 DS record will not be able to follow the KEY to DS to KEY chain and 693 will consider all zones secured that way as unsecure. 695 5 IANA Considerations: 697 IANA needs to allocate an RR type code for DS from the standard RR 698 type space (type 43 requested). 700 IANA needs to open a new registry for the DS RR type for digest 701 algorithms. Defined types are: 702 0 is Reserved, 703 1 is SHA-1. 704 Adding new reservations requires IETF standards action. 706 6 Acknowledgments 708 Over the last few years a number of people have contributed ideas 709 that are captured in this document. The core idea of using one key to 710 sign only the KEY RRset comes from discussions with Bill Manning and 711 Perry Metzger on how to put in a single root key in all resolvers. 712 Alexis Yushin, Brian Wellington, Sam Weiler, Paul Vixie, Jakob 713 Schlyter, Scott Rose, Edward Lewis, Lars-Johan Liman, Matt Larson, 714 Mark Kosters, Dan Massey, Olaf Kolman, Phillip Hallam-Baker, Miek 715 Gieben, Havard Eidnes, Donald Eastlake 3rd., Randy Bush, David 716 Blacka, Steve Bellovin, Rob Austein, Derek Atkins, Roy Arends, Mark 717 Andrews, Harald Alvestrand, and others have provided useful comments. 719 Normative References: 721 [RFC1035] P. Mockapetris, ``Domain Names - Implementation and 722 Specification'', STD 13, RFC 1035, November 1987. 724 [RFC2535] D. Eastlake, ``Domain Name System Security Extensions'', RFC 725 2535, March 1999. 727 [RFC3008] B. Wellington, ``Domain Name System Security (DNSSEC) Signing 728 Authority'', RFC 3008, November 2000. 730 [RFC3090] E. Lewis `` DNS Security Extension Clarification on Zone 731 Status'', RFC 3090, March 2001. 733 [RFC3225] D. Conrad, ``Indicating Resolver Support of DNSSEC'', RFC 734 3225, December 2001. 736 [RFC3445] D. Massey, S. Rose ``Limiting the scope of the KEY Resource 737 Record (RR)``, RFC 3445, December 2002. 739 Informational References 741 [RFC2181] R. Elz, R. Bush, ``Clarifications to the DNS Specification'', 742 RFC 2181, July 1997. 744 [RFC3226] O. Gudmundsson, ``DNSSEC and IPv6 A6 aware server/resolver 745 message size requirements'', RFC 3226, December 2001. 747 Author Address 749 Olafur Gudmundsson 750 3821 Village Park Drive 751 Chevy Chase, MD, 20815 752 USA 753 755 Full Copyright Statement 757 Copyright (C) The Internet Society (2003). All Rights Reserved. 759 This document and translations of it may be copied and furnished to 760 others, and derivative works that comment on or otherwise explain it 761 or assist in its implementation may be prepared, copied, published 762 and distributed, in whole or in part, without restriction of any 763 kind, provided that the above copyright notice and this paragraph are 764 included on all such copies and derivative works. However, this 765 document itself may not be modified in any way, such as by removing 766 the copyright notice or references to the Internet Society or other 767 Internet organizations, except as needed for the purpose of 768 developing Internet standards in which case the procedures for 769 copyrights defined in the Internet Standards process must be 770 followed, or as required to translate it into languages other than 771 English. 773 The limited permissions granted above are perpetual and will not be 774 revoked by the Internet Society or its successors or assigns. 776 This document and the information contained herein is provided on an 777 "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING 778 TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING 779 BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION 780 HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF 781 MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE."