idnits 2.17.1 

draft-ietf-dnsext-dnssec-online-signing-02.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** It looks like you're using RFC 3978 boilerplate.  You should update this
     to the boilerplate described in the IETF Trust License Policy document
     (see https://trustee.ietf.org/license-info), which is required now.

  -- Found old boilerplate from RFC 3978, Section 5.1 on line 16.

  -- Found old boilerplate from RFC 3978, Section 5.5 on line 401.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 378.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 385.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 391.

  ** This document has an original RFC 3978 Section 5.4 Copyright Line,
     instead of the newer IETF Trust Copyright according to RFC 4748.

  ** This document has an original RFC 3978 Section 5.5 Disclaimer, instead
     of the newer disclaimer which includes the IETF Trust according to RFC
     4748.


  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  == No 'Intended status' indicated for this document; assuming Proposed
     Standard


  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The abstract seems to contain references ([-bis]), which it shouldn't. 
     Please replace those with straight textual mentions of the documents in
     question.

  -- The draft header indicates that this document updates RFC4035, but the
     abstract doesn't seem to mention this, which it should.


  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not
     match the current year

     (Using the creation date from RFC4034, updated by this document, for
     RFC5378 checks: 2002-02-26)

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008.  If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment.  If not, you may need to add the pre-RFC5378 disclaimer. 
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (January 20, 2006) is 6668 days in the past.  Is this
     intentional?


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  -- Looks like a reference, but probably isn't: '-bis' on line 69


     Summary: 4 errors (**), 0 flaws (~~), 2 warnings (==), 9 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------


2	Network Working Group                                          S. Weiler
3	Internet-Draft                                               SPARTA, Inc
4	Updates: 4034, 4035 (if approved)                               J. Ihren
5	Expires: July 24, 2006                                     Autonomica AB
6	                                                        January 20, 2006

8	       Minimally Covering NSEC Records and DNSSEC On-line Signing
9	               draft-ietf-dnsext-dnssec-online-signing-02

11	Status of this Memo

13	   By submitting this Internet-Draft, each author represents that any
14	   applicable patent or other IPR claims of which he or she is aware
15	   have been or will be disclosed, and any of which he or she becomes
16	   aware will be disclosed, in accordance with Section 6 of BCP 79.

18	   Internet-Drafts are working documents of the Internet Engineering
19	   Task Force (IETF), its areas, and its working groups.  Note that
20	   other groups may also distribute working documents as Internet-
21	   Drafts.

23	   Internet-Drafts are draft documents valid for a maximum of six months
24	   and may be updated, replaced, or obsoleted by other documents at any
25	   time.  It is inappropriate to use Internet-Drafts as reference
26	   material or to cite them other than as "work in progress."

28	   The list of current Internet-Drafts can be accessed at
29	   http://www.ietf.org/ietf/1id-abstracts.txt.

31	   The list of Internet-Draft Shadow Directories can be accessed at
32	   http://www.ietf.org/shadow.html.

34	   This Internet-Draft will expire on July 24, 2006.

36	Copyright Notice

38	   Copyright (C) The Internet Society (2006).

40	Abstract

42	   This document describes how to construct DNSSEC NSEC resource records
43	   that cover a smaller range of names than called for by RFC4034.  By
44	   generating and signing these records on demand, authoritative name
45	   servers can effectively stop the disclosure of zone contents
46	   otherwise made possible by walking the chain of NSEC records in a
47	   signed zone.

49	Changes from ietf-01 to ietf-02

51	   Clarified that a generated NSEC RR's type bitmap MUST have the RRSIG
52	   and NSEC bits set, to be consistent with DNSSECbis -- previous text
53	   said SHOULD.

55	   Made the applicability statement a little less oppressive.

57	Changes from ietf-00 to ietf-01

59	   Added an applicability statement, making reference to ongoing work on
60	   NSEC3.

62	   Added the phrase "epsilon functions", which has been commonly used to
63	   describe the technique and already appeared in the header of each
64	   page, in place of "increment and decrement functions".  Also added an
65	   explanatory sentence.

67	   Corrected references from 4034 section 6.2 to section 6.1.

69	   Fixed an out-of-date reference to [-bis] and other typos.

71	   Replaced IANA Considerations text.

73	   Escaped close parentheses in examples.

75	   Added some more acknowledgements.

77	Changes from weiler-01 to ietf-00

79	   Inserted RFC numbers for 4033, 4034, and 4035.

81	   Specified contents of bitmap field in synthesized NSEC RR's, pointing
82	   out that this relaxes a constraint in 4035.  Added 4035 to the
83	   Updates header.

85	Changes from weiler-00 to weiler-01

87	   Clarified that this updates RFC4034 by relaxing requirements on the
88	   next name field.

90	   Added examples covering wildcard names.

92	   In the 'better functions' section, reiterated that perfect functions
93	   aren't needed.

95	   Added a reference to RFC 2119.

97	Table of Contents

99	   1.  Introduction and Terminology . . . . . . . . . . . . . . . . .  4
100	   2.  Applicability of This Technique  . . . . . . . . . . . . . . .  4
101	   3.  Minimally Covering NSEC Records  . . . . . . . . . . . . . . .  5
102	   4.  Better Epsilon Functions . . . . . . . . . . . . . . . . . . .  6
103	   5.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . .  7
104	   6.  Security Considerations  . . . . . . . . . . . . . . . . . . .  7
105	   7.  Normative References . . . . . . . . . . . . . . . . . . . . .  8
106	   Appendix A.  Acknowledgments . . . . . . . . . . . . . . . . . . .  8
107	   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 10
108	   Intellectual Property and Copyright Statements . . . . . . . . . . 11

110	1.  Introduction and Terminology

112	   With DNSSEC [1], an NSEC record lists the next instantiated name in
113	   its zone, proving that no names exist in the "span" between the
114	   NSEC's owner name and the name in the "next name" field.  In this
115	   document, an NSEC record is said to "cover" the names between its
116	   owner name and next name.

118	   Through repeated queries that return NSEC records, it is possible to
119	   retrieve all of the names in the zone, a process commonly called
120	   "walking" the zone.  Some zone owners have policies forbidding zone
121	   transfers by arbitrary clients; this side-effect of the NSEC
122	   architecture subverts those policies.

124	   This document presents a way to prevent zone walking by constructing
125	   NSEC records that cover fewer names.  These records can make zone
126	   walking take approximately as many queries as simply asking for all
127	   possible names in a zone, making zone walking impractical.  Some of
128	   these records must be created and signed on demand, which requires
129	   on-line private keys.  Anyone contemplating use of this technique is
130	   strongly encouraged to review the discussion of the risks of on-line
131	   signing in Section 6.

133	   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
134	   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
135	   document are to be interpreted as described in RFC 2119 [4].

137	2.  Applicability of This Technique

139	   The technique presented here may be useful to a zone owner that wants
140	   to use DNSSEC, is concerned about exposure of its zone contents via
141	   zone walking, and is willing to bear the costs of on-line signing.

143	   As discussed in Section 6, on-line signing has several security
144	   risks, including an increased likelihood of private keys being
145	   disclosed and an increased risk of denial of service attack.  Anyone
146	   contemplating use of this technique is strongly encouraged to review
147	   the discussion of the risks of on-line signing in Section 6.

149	   Furthermore, at the time this document was published, the DNSEXT
150	   working group was actively working on a mechanism to prevent zone
151	   walking that does not require on-line signing (tentatively called
152	   NSEC3).  The new mechanism is likely to expose slightly more
153	   information about the zone than this technique (e.g. the number of
154	   instantiated names), but it may be preferable to this technique.

156	3.  Minimally Covering NSEC Records

158	   This mechanism involves changes to NSEC records for instantiated
159	   names, which can still be generated and signed in advance, as well as
160	   the on-demand generation and signing of new NSEC records whenever a
161	   name must be proven not to exist.

163	   In the 'next name' field of instantiated names' NSEC records, rather
164	   than list the next instantiated name in the zone, list any name that
165	   falls lexically after the NSEC's owner name and before the next
166	   instantiated name in the zone, according to the ordering function in
167	   RFC4034 [2] section 6.1.  This relaxes the requirement in section
168	   4.1.1 of RFC4034 that the 'next name' field contains the next owner
169	   name in the zone.  This change is expected to be fully compatible
170	   with all existing DNSSEC validators.  These NSEC records are returned
171	   whenever proving something specifically about the owner name (e.g.
172	   that no resource records of a given type appear at that name).

174	   Whenever an NSEC record is needed to prove the non-existence of a
175	   name, a new NSEC record is dynamically produced and signed.  The new
176	   NSEC record has an owner name lexically before the QNAME but
177	   lexically following any existing name and a 'next name' lexically
178	   following the QNAME but before any existing name.

180	   The generated NSEC record's type bitmap MUST have the RRSIG and NSEC
181	   bits set and SHOULD NOT have any other bits set.  This relaxes the
182	   requirement in Section 2.3 of RFC4035 that NSEC RRs not appear at
183	   names that did not exist before the zone was signed.

185	   The functions to generate the lexically following and proceeding
186	   names need not be perfect nor consistent, but the generated NSEC
187	   records must not cover any existing names.  Furthermore, this
188	   technique works best when the generated NSEC records cover as few
189	   names as possible.  In this document, the functions that generate the
190	   nearby names are called 'epsilon' functions, a reference to the
191	   mathematical convention of using the greek letter epsilon to
192	   represent small deviations.

194	   An NSEC record denying the existence of a wildcard may be generated
195	   in the same way.  Since the NSEC record covering a non-existent
196	   wildcard is likely to be used in response to many queries,
197	   authoritative name servers using the techniques described here may
198	   want to pregenerate or cache that record and its corresponding RRSIG.

200	   For example, a query for an A record at the non-instantiated name
201	   example.com might produce the following two NSEC records, the first
202	   denying the existence of the name example.com and the second denying
203	   the existence of a wildcard:

205	             exampld.com 3600 IN NSEC example-.com ( RRSIG NSEC )

207	             \).com 3600 IN NSEC +.com ( RRSIG NSEC )

209	   Before answering a query with these records, an authoritative server
210	   must test for the existence of names between these endpoints.  If the
211	   generated NSEC would cover existing names (e.g. exampldd.com or
212	   *bizarre.example.com), a better epsilon function may be used or the
213	   covered name closest to the QNAME could be used as the NSEC owner
214	   name or next name, as appropriate.  If an existing name is used as
215	   the NSEC owner name, that name's real NSEC record MUST be returned.
216	   Using the same example, assuming an exampldd.com delegation exists,
217	   this record might be returned from the parent:

219	             exampldd.com 3600 IN NSEC example-.com ( NS DS RRSIG NSEC )

221	   Like every authoritative record in the zone, each generated NSEC
222	   record MUST have corresponding RRSIGs generated using each algorithm
223	   (but not necessarily each DNSKEY) in the zone's DNSKEY RRset, as
224	   described in RFC4035 [3] section 2.2.  To minimize the number of
225	   signatures that must be generated, a zone may wish to limit the
226	   number of algorithms in its DNSKEY RRset.

228	4.  Better Epsilon Functions

230	   Section 6.1 of RFC4034 defines a strict ordering of DNS names.
231	   Working backwards from that definition, it should be possible to
232	   define epsilon functions that generate the immediately following and
233	   preceding names, respectively.  This document does not define such
234	   functions.  Instead, this section presents functions that come
235	   reasonably close to the perfect ones.  As described above, an
236	   authoritative server should still ensure than no generated NSEC
237	   covers any existing name.

239	   To increment a name, add a leading label with a single null (zero-
240	   value) octet.

242	   To decrement a name, decrement the last character of the leftmost
243	   label, then fill that label to a length of 63 octets with octets of
244	   value 255.  To decrement a null (zero-value) octet, remove the octet
245	   -- if an empty label is left, remove the label.  Defining this
246	   function numerically: fill the left-most label to its maximum length
247	   with zeros (numeric, not ASCII zeros) and subtract one.

249	   In response to a query for the non-existent name foo.example.com,
250	   these functions produce NSEC records of:

252	     fon\255\255\255\255\255\255\255\255\255\255\255\255\255\255
253	     \255\255\255\255\255\255\255\255\255\255\255\255\255\255\255
254	     \255\255\255\255\255\255\255\255\255\255\255\255\255\255\255
255	     \255\255\255\255\255\255\255\255\255\255\255\255\255\255\255
256	     \255.example.com 3600 IN NSEC \000.foo.example.com ( NSEC RRSIG )

258	     \)\255\255\255\255\255\255\255\255\255\255\255\255\255\255\255
259	     \255\255\255\255\255\255\255\255\255\255\255\255\255\255\255
260	     \255\255\255\255\255\255\255\255\255\255\255\255\255\255\255
261	     \255\255\255\255\255\255\255\255\255\255\255\255\255\255\255
262	     \255\255.example.com 3600 IN NSEC \000.*.example.com ( NSEC RRSIG )

264	   The first of these NSEC RRs proves that no exact match for
265	   foo.example.com exists, and the second proves that there is no
266	   wildcard in example.com.

268	   Both of these functions are imperfect: they don't take into account
269	   constraints on number of labels in a name nor total length of a name.
270	   As noted in the previous section, though, this technique does not
271	   depend on the use of perfect epsilon functions: it is sufficient to
272	   test whether any instantiated names fall into the span covered by the
273	   generated NSEC and, if so, substitute those instantiated owner names
274	   for the NSEC owner name or next name, as appropriate.

276	5.  IANA Considerations

278	   This document specifies no IANA Actions.

280	6.  Security Considerations

282	   This approach requires on-demand generation of RRSIG records.  This
283	   creates several new vulnerabilities.

285	   First, on-demand signing requires that a zone's authoritative servers
286	   have access to its private keys.  Storing private keys on well-known
287	   internet-accessible servers may make them more vulnerable to
288	   unintended disclosure.

290	   Second, since generation of digital signatures tends to be
291	   computationally demanding, the requirement for on-demand signing
292	   makes authoritative servers vulnerable to a denial of service attack.

294	   Lastly, if the epsilon functions are predictable, on-demand signing
295	   may enable a chosen-plaintext attack on a zone's private keys.  Zones
296	   using this approach should attempt to use cryptographic algorithms
297	   that are resistant to chosen-plaintext attacks.  It's worth noting
298	   that while DNSSEC has a "mandatory to implement" algorithm, that is a
299	   requirement on resolvers and validators -- there is no requirement
300	   that a zone be signed with any given algorithm.

302	   The success of using minimally covering NSEC record to prevent zone
303	   walking depends greatly on the quality of the epsilon functions
304	   chosen.  An increment function that chooses a name obviously derived
305	   from the next instantiated name may be easily reverse engineered,
306	   destroying the value of this technique.  An increment function that
307	   always returns a name close to the next instantiated name is likewise
308	   a poor choice.  Good choices of epsilon functions are the ones that
309	   produce the immediately following and preceding names, respectively,
310	   though zone administrators may wish to use less perfect functions
311	   that return more human-friendly names than the functions described in
312	   Section 4 above.

314	   Another obvious but misguided concern is the danger from synthesized
315	   NSEC records being replayed.  It's possible for an attacker to replay
316	   an old but still validly signed NSEC record after a new name has been
317	   added in the span covered by that NSEC, incorrectly proving that
318	   there is no record at that name.  This danger exists with DNSSEC as
319	   defined in [3].  The techniques described here actually decrease the
320	   danger, since the span covered by any NSEC record is smaller than
321	   before.  Choosing better epsilon functions will further reduce this
322	   danger.

324	7.  Normative References

326	   [1]  Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
327	        "DNS Security Introduction and Requirements", RFC 4033,
328	        March 2005.

330	   [2]  Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
331	        "Resource Records for the DNS Security Extensions", RFC 4034,
332	        March 2005.

334	   [3]  Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
335	        "Protocol Modifications for the DNS Security Extensions",
336	        RFC 4035, March 2005.

338	   [4]  Bradner, S., "Key words for use in RFCs to Indicate Requirement
339	        Levels", BCP 14, RFC 2119, March 1997.

341	Appendix A.  Acknowledgments

343	   Many individuals contributed to this design.  They include, in
344	   addition to the authors of this document, Olaf Kolkman, Ed Lewis,
345	   Peter Koch, Matt Larson, David Blacka, Suzanne Woolf, Jaap Akkerhuis,
346	   Jakob Schlyter, Bill Manning, and Joao Damas.

348	   In addition, the editors would like to thank Ed Lewis, Scott Rose,
349	   and David Blacka for their careful review of the document.

351	Authors' Addresses

353	   Samuel Weiler
354	   SPARTA, Inc
355	   7075 Samuel Morse Drive
356	   Columbia, Maryland  21046
357	   US

359	   Email: weiler@tislabs.com

361	   Johan Ihren
362	   Autonomica AB
363	   Bellmansgatan 30
364	   Stockholm  SE-118 47
365	   Sweden

367	   Email: johani@autonomica.se

369	Intellectual Property Statement

371	   The IETF takes no position regarding the validity or scope of any
372	   Intellectual Property Rights or other rights that might be claimed to
373	   pertain to the implementation or use of the technology described in
374	   this document or the extent to which any license under such rights
375	   might or might not be available; nor does it represent that it has
376	   made any independent effort to identify any such rights.  Information
377	   on the procedures with respect to rights in RFC documents can be
378	   found in BCP 78 and BCP 79.

380	   Copies of IPR disclosures made to the IETF Secretariat and any
381	   assurances of licenses to be made available, or the result of an
382	   attempt made to obtain a general license or permission for the use of
383	   such proprietary rights by implementers or users of this
384	   specification can be obtained from the IETF on-line IPR repository at
385	   http://www.ietf.org/ipr.

387	   The IETF invites any interested party to bring to its attention any
388	   copyrights, patents or patent applications, or other proprietary
389	   rights that may cover technology that may be required to implement
390	   this standard.  Please address the information to the IETF at
391	   ietf-ipr@ietf.org.

393	Disclaimer of Validity

395	   This document and the information contained herein are provided on an
396	   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
397	   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
398	   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
399	   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
400	   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
401	   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

403	Copyright Statement

405	   Copyright (C) The Internet Society (2006).  This document is subject
406	   to the rights, licenses and restrictions contained in BCP 78, and
407	   except as set forth therein, the authors retain all their rights.

409	Acknowledgment

411	   Funding for the RFC Editor function is currently provided by the
412	   Internet Society.