Network Working Group R. Austein Internet-Draft M. Graff Expires: December 16, 2006 ISC June 14, 2006 Relaxing Gratuitous TSIG Requirement draft-austein-dnsext-relax-gratuitous-tsig-00 Status of this Memo By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on December 16, 2006. Copyright Notice Copyright (C) The Internet Society (2006). Abstract GSS-TSIG is not implementable as specified due to an omission, and the specification contains an unnecessary restriction. This note proposes a fix to both of these problems. Austein & Graff Expires December 16, 2006 [Page 1] Internet-Draft Relaxing Gratuitous TSIG Requirement June 2006 Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1.1. Reserved Words . . . . . . . . . . . . . . . . . . . . . . 3 2. Background . . . . . . . . . . . . . . . . . . . . . . . . . . 3 3. Interoperability Testing . . . . . . . . . . . . . . . . . . . 4 4. Suggested Protocol Action . . . . . . . . . . . . . . . . . . . 5 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 6 6. Security Considerations . . . . . . . . . . . . . . . . . . . . 6 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 6 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 6 8.1. Normative References . . . . . . . . . . . . . . . . . . . 6 8.2. Informative References . . . . . . . . . . . . . . . . . . 6 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 8 Intellectual Property and Copyright Statements . . . . . . . . . . 9 Austein & Graff Expires December 16, 2006 [Page 2] Internet-Draft Relaxing Gratuitous TSIG Requirement June 2006 1. Introduction GSS-TSIG ([RFC3645]) is not implementable as specified, and contains an unnecessary restriction. This note discusses these problems and proposes a fix to both of these problems. 1.1. Reserved Words The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. 2. Background TSIG ([RFC2845]) is a simple shared-secret channel security mechanism for DNS. A companion mechanism, TKEY ([RFC2930]), provides an extensible mechanism for negotiating shared secrets for use with TSIG. GSS-TSIG ([RFC3645]) is a mechanism built on top of TKEY, GSS-API ([RFC2743]), and SPNEGO ([RFC4178]) which extends TSIG to support algorithms within the GSS-API framework (such as Kerberos 5 [RFC4121]). In recent years, GSS-TSIG has become one of the major uses of TSIG. Sadly, the current specifications are not sufficient to allow an implementor to achieve interoperability with GSS-TSIG as deployed. Much of the problem has been due to weaknesses of the original SPNEGO specification, which have been addressed in [RFC4178]. However, even after achieving SPNEGO interoperability, there's still a problem with GSS-TSIG, which we refer to here as the "gratuitous TSIG" problem. Section 4.2 of [RFC2845] clearly forbids signed responses to unsigned queries, and defines the format of a response signature in such a way that it cannot be computed without knowing the signature of the corresponding request. Section 2.2 of [RFC3645] modifies the base TSIG protocol to allow an signed responses to unsigned requests on a per-algorithm basis, while sections 3.1.3.1 and 4.1.3 of [RFC3645] not only allow but require the final TKEY of the negotiation sequence to be signed using the newly-negotiated key. Unfortunately, the format of the response signature in this case is not specified anywhere, which is a problem, since the definition in the base TSIG specification provides no way to compute such a signature. In spite of the language used in [RFC3645] 3.1.3.1, the issue here is not really security. The change to the base TSIG protocol here does not add any security at all, as the GSS-API negotiation is self- Austein & Graff Expires December 16, 2006 [Page 3] Internet-Draft Relaxing Gratuitous TSIG Requirement June 2006 authenticating. This was known at the time that [RFC3645] was written (see archives of the Namedroppers mailing list, July 2002). The real reason for this change was simply that several vendors had shipped early implementations that required this TSIG to be present, and did not want the code they had already shipped to be declared non-compliant. Due to an oversight, no one realized that this code violated the base TSIG specification until [RFC3645] was just about to be published; as a result, the authors requested and received permission from the DNSEXT working group to make this change to the base TSIG specification. As is all too often the case with last- minute protocol changes, nobody noticed at the time that this left the GSS-TSIG specification incomplete. We refer to the problematic TSIG described above as the "gratuitous TSIG" because as far as we can tell it is in fact gratuitous, and serves no purpose except to complicate the protocol. To the best of our knowledge, there is no existing public specification of the GSS_GetMIC() input value to be used when generating the gratuitous TSIG. 3. Interoperability Testing The authors of this note have recently had occasion to test a GSS- TSIG implementation against several different versions of the most widely deployed implementation. Our results can be summarized as follows: o In all of our testing, we have not found even a single implementation that actually rejects the GSS-TSIG protocol negotiation (as required by [RFC3645] 3.1.3.1) if the name server simply omits the gratuitous TSIG. o While we still do not know how the other implementations calculate the input value to GSS_GetMIC(), we do know that it is not any of the values that we consider obvious, because we've tried them all and they have all failed. We are thus in effect left in the ridiculous position of being forced to violate the specification in order to interoperate with the other existing implementations. No doubt vendors who have implemented this and want to interoperate would be willing to tell us how they calculate the input value to GSS_GetMIC(), but as the specification is demonstrably incomplete in its current form, a revision of the specification would be necessary in any case. Austein & Graff Expires December 16, 2006 [Page 4] Internet-Draft Relaxing Gratuitous TSIG Requirement June 2006 4. Suggested Protocol Action Since, as far as we can tell, the gratuitous TSIG serves no useful purpose and is not in fact required for interoperation with the existing implementations, we propose abolishing it. In deference to the Robustness Principle, we suggest continuing to allow the gratuitous TSIG, but no longer requiring it. Specifically: Amend [RFC3645] 4.1.3 to change The message MUST be signed with a TSIG record as described in section 5, Sending and Verifying Signed Messages. to The message MAY be signed with a TSIG record as described in section 5, Sending and Verifying Signed Messages. Amend [RFC3645] 3.1.3.1 to change Confirmation is in the form of a query response with RCODE=NOERROR and with the last client supplied TKEY record in the answer section of the query. The response MUST be signed with a TSIG record. Note that the server is allowed to sign a response to unsigned client's query due to modification to the RFC 2845 specified in Section 2.2 above. The signature in the TSIG record MUST be verified using the procedure detailed in section 5, Sending and Verifying Signed Messages. If the response is not signed, OR if the response is signed but the signature is invalid, then an attacker has tampered with the message in transit or has attempted to send the client a false response. In this case, the client MAY continue waiting for a response to its last TKEY query until the time period since the client sent last TKEY query expires. Such a time period is specified by the policy local to the client. This is a new option that allows the DNS client to accept multiple answers for one query ID and select one (not necessarily the first one) based on some criteria. to Confirmation is in the form of a query response with RCODE=NOERROR and with the last client supplied TKEY record in the answer section of the query. The response MAY be signed with a TSIG record. Note that the server is allowed to sign a response to unsigned client's query due to modification to the RFC 2845 specified in Section 2.2 above. Alert readers will note that the latter change removes more text than just the gratuitous TSIG check per se. The remainder of the paragraph in question is not relevant once the requirement to check the gratuitous TSIG has been relaxed, and as the last few sentences of the paragraph demonstrate a serious misunderstanding of how the DNS and TKEY protocols work, simply removing the now-irrelevant text seems best. Austein & Graff Expires December 16, 2006 [Page 5] Internet-Draft Relaxing Gratuitous TSIG Requirement June 2006 5. IANA Considerations This document has no IANA Considerations. 6. Security Considerations This note proposes a minor simplification to an excessively complex channel security mechanism. To the best of the authors' knowledge, this change does not weaken the mechanism. Note that discussion of the security properties of the "gratuitous TSIG" (not called by that name) in [RFC3645] 3.1.3.1 is incorrect, and that the working group responsible for publication of [RFC3645] was aware of this error at the time of publication. See archives of the Namedroppers mailing list, July 2002, for details. 7. Acknowledgements Thanks to Cricket Liu, Russ Mundy, and Joe Quanaim. Apologies to anyone inadvertently omitted from the above list. 8. References 8.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", RFC 2119, BCP 14, March 1997. [RFC2845] Vixie, P., Gudmundsson, O., Eastlake 3rd, D., and B. Wellington, "Secret Key Transaction Authentication for DNS (TSIG)", RFC 2845, May 2000. [RFC2930] Eastlake 3rd, D., "Secret Key Establishment for DNS (TKEY RR)", RFC 2930, September 2000. [RFC3645] Kwan, S., Garg, P., Gilroy, J., Esibov, L., Westhead, J., and R. Hall, "Generic Security Service Algorithm for Secret Key Transaction Authentication for DNS (GSS-TSIG)", RFC 3645, October 2003. 8.2. Informative References [RFC2743] Linn, J., "Generic Security Service Application Program Interface Version 2, Update 1", RFC 2743, January 2000. Austein & Graff Expires December 16, 2006 [Page 6] Internet-Draft Relaxing Gratuitous TSIG Requirement June 2006 [RFC4121] Zhu, L., Jaganathan, K., and S. Hartman, "The Kerberos Version 5 Generic Security Service Application Program Interface (GSS-API) Mechanism: Version 2", RFC 4121, July 2005. [RFC4178] Zhu, L., Leach, P., Jaganathan, K., and W. Ingersoll, "The Simple and Protected Generic Security Service Application Program Interface (GSS-API) Negotiation Mechanism", RFC 4178, October 2005. Austein & Graff Expires December 16, 2006 [Page 7] Internet-Draft Relaxing Gratuitous TSIG Requirement June 2006 Authors' Addresses Rob Austein ISC 950 Charter Street Redwood City, CA 94063 USA Email: sra@isc.org Michael Graff ISC 950 Charter Street Redwood City, CA 94063 USA Email: michael_graff@isc.org Austein & Graff Expires December 16, 2006 [Page 8] Internet-Draft Relaxing Gratuitous TSIG Requirement June 2006 Intellectual Property Statement The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79. Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org. Disclaimer of Validity This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Copyright Statement Copyright (C) The Internet Society (2006). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. Acknowledgment Funding for the RFC Editor function is currently provided by the Internet Society. Austein & Graff Expires December 16, 2006 [Page 9]