Internet Draft                                               G. Lozano
Expires: June 9, 2005                                       NIC Mexico
                                                      December 9, 2004

                       Random NSEC RR generation
                    draft-lozano-nsec-random-00.txt

Status of this Memo

   By submitting this Internet-Draft, I certify that any applicable
   patent or other IPR claims of which I am aware have been disclosed,
   and any of which I become aware will be disclosed, in accordance
   with RFC 3668.

   This document may not be modified, and derivative works of it may
   not be created, except to publish it as an RFC and to translate it
   into languages other than English.

   This document may not be modified, and derivative works of it may
   not be created.

   This document may only be posted in an Internet-Draft.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html

   This Internet-Draft will expire on June 9, 2005.

Copyright Notice

   Copyright (C) The Internet Society (2004). All Rights Reserved.

Lozano                  Expires June 9, 2005                   [Page 1]

Internet-Draft          Random NSEC RR generation         December 2004

Abstract

   The purpose of this memo is to describe a mechanism that allows an
   authoritative server to answer NSEC RRs without exposing the zone to
   "walk enumeration" and without the need for online signing.

Conventions used in this document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC-2119 [1].
Table of Contents

   1. Introduction...................................................2
   2. NSEC random generation.........................................3
   3. Authoritative DNS server considerations........................4
   4. Cache DNS server considerations................................4
   5. Name random generation functions...............................4
   6. IANA Considerations............................................4
   7. Security Considerations........................................5
   References........................................................5
   Author's Addresses................................................5
   Intellectual Property Statement...................................5
   Disclaimer of Validity............................................6
   Copyright Statement...............................................6

1. Introduction

   DNSSEC NSEC resource records are used to securely indicate that a
   name, or a type for a name, does not exist in a zone. The NSEC RR
   lists the next secure record in the zone to deny the existence of a
   name or type.

   An attacker can send a number of queries to obtain the zone data by
   following the chain created by the owner name and next name of the
   NSEC RRs; this process is called "zone walk enumeration".

   In today's Internet it is difficult to obtain zone data by simply
   sending queries when zone transfer policies have been specified.
   Zone administrators have shown their concern that DNSSEC will allow
   easy zone data extraction, and a solution is being searched for in
   the dnsext WG.

   This memo describes the use of random names in NSEC resource records
   to make it difficult for attackers to obtain zone data while not
   requiring online signing of NSEC responses.

2. NSEC random generation

   Consider the following canonically ordered names, as described in
   section 6.1 of [2]:

      b.example
      e.example
      h.example

   The following NSEC example specifies that the b.example name exists
   with some types in the zone and that the next authoritative name
   after b.example is e.example.

      b.example. 3600 IN NSEC e.example. (A RRSIG NSEC)

   The first step in the random NSEC generation process is to create a
   new name between each pair of adjacent original names in the zone,
   for example between b.example. and e.example. (example 1) and
   between e.example. and h.example. (example 2).

      c.example   // example 1
      f.example   // example 2

   The first random name MUST be generated between \000 and the first
   name in the zone. The last random name MUST be generated between the
   last name in the zone and

      \255\255\255\255\255\255\255\255\255\255\255\255\255\255\255\255
      \255\255\255\255\255\255\255\255\255\255\255\255\255\255\255\255
      \255\255\255\255\255\255\255\255\255\255\255\255\255\255\255\255
      \255\255\255\255\255\255\255\255\255\255\255\255\255\255\255.

   The complete zone will be:

      a.example   (random generated)
      b.example   (original)
      c.example   (random generated)
      e.example   (original)
      f.example   (random generated)
      h.example   (original)
      z.example   (random generated)

   The second step is to create NSEC RRs that span between a random
   name and the random name after it. For example:

      c.example. 3600 IN NSEC f.example. (RRSIG NSEC)     // example 3

   The third step is to create NSEC RRs that span between an original
   name in the zone and the random name after it.

      e.example. 3600 IN NSEC f.example. (A RRSIG NSEC)   // example 4

   The server will use example 3 to answer a non-existent domain for a
   name between c.example. and f.example. The server will use example 4
   to answer the non-existence of type AAAA for e.example.
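   The three steps of section 2, together with the rule for choosing
   which NSEC RR answers a query, as an added worked example in Python
   (this is not part of the draft and not NIC Mexico's code). The zone
   is the draft's b/e/h.example with constructed type sets; the random
   label generator is an assumed stand-in, since section 5 leaves the
   real generation function to a future version; all function names
   are hypothetical. It also lists which original names each
   random-to-random NSEC span encloses, which is the property behind
   the cache rule of section 4.

```python
import random

# Constructed sample zone: the draft's original names with made-up type sets.
APEX = "example."
ZONE_TYPES = {
    "b.example.": {"A"},
    "e.example.": {"A"},
    "h.example.": {"A", "MX"},
}
LOW_BOUND = b"\x00"        # section 2: the first random name lies above \000
HIGH_BOUND = b"\xff" * 63  # section 2: the last random name lies below 63 octets of \255


def label_of(name):
    """Leftmost label of a name under APEX, lowercased, as bytes ('b.example.' -> b'b')."""
    return name.lower().split(".")[0].encode()


def name_of(label):
    return label.decode() + "." + APEX


def random_label_between(lo, hi, rng, attempts=10000):
    """Rejection-sample a hostname-style label that sorts strictly between lo and hi.
    Assumed stand-in: section 5 of the draft defers the real generation function.
    For single labels under one parent, byte comparison is the canonical ordering
    of [2] section 6.1.  Some adjacent pairs (b'a' and b'a-') leave no such label,
    in which case a ValueError is raised rather than emitting a colliding name."""
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789-"
    for _ in range(attempts):
        cand = "".join(rng.choice(alphabet) for _ in range(rng.randint(1, 8))).encode()
        if lo < cand < hi:
            return cand
    raise ValueError("no label sorts between %r and %r" % (lo, hi))


def build_zone(rng, original_names=ZONE_TYPES):
    """Step 1 of section 2: one random name before the first original name, one
    between each adjacent pair and one after the last.  Returns the canonically
    ordered list of (label, is_random)."""
    zone, lo = [], LOW_BOUND
    for lab in sorted(label_of(n) for n in original_names):
        zone.append((random_label_between(lo, lab, rng), True))
        zone.append((lab, False))
        lo = lab
    zone.append((random_label_between(lo, HIGH_BOUND, rng), True))
    return zone


def build_nsec_rrs(zone):
    """Steps 2 and 3 of section 2.  random_nsec maps each random owner to the next
    random name (example 3, used for NXDOMAIN); original_nsec maps each original
    owner to the random name that follows it (example 4, used for NODATA)."""
    randoms = [lab for lab, is_r in zone if is_r]
    random_nsec = dict(zip(randoms, randoms[1:]))
    original_nsec = {lab: zone[i + 1][0]
                     for i, (lab, is_r) in enumerate(zone) if not is_r}
    return random_nsec, original_nsec


def answer(qname, qtype, zone, random_nsec, original_nsec, types=ZONE_TYPES):
    """Section 3: the NSEC RR an authoritative server returns, as
    (status, (owner, next)) in the draft's notation, or (status, None)."""
    q = label_of(qname)
    if any(lab == q for lab, is_r in zone if not is_r):
        if qtype in types[qname.lower()]:
            return ("DATA", None)
        return ("NODATA", (name_of(q), name_of(original_nsec[q])))
    randoms = [lab for lab, is_r in zone if is_r]
    if q in randoms:
        # The draft defers the RR type of random names; a query for one is undefined here.
        return ("UNSPECIFIED", None)
    if not randoms[0] < q < randoms[-1]:
        # The chain of section 2 starts and ends at random names, not at the apex,
        # so names outside that range have no covering NSEC in this example.
        return ("UNCOVERED", None)
    owner = max(r for r in randoms if r < q)
    return ("NXDOMAIN", (name_of(owner), name_of(random_nsec[owner])))


def originals_inside_span(owner, nxt, zone):
    """Original names lying inside a random-to-random NSEC span.  Every such span
    encloses a real name, which is why section 4 lets a cache apply a received NSEC
    only to the exact name it was asked for and never to other names in the span."""
    return [name_of(lab) for lab, is_r in zone if not is_r and owner < lab < nxt]


def demo(seed=7):
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    zone = build_zone(rng)
    random_nsec, original_nsec = build_nsec_rrs(zone)
    return zone, random_nsec, original_nsec


if __name__ == "__main__":
    zone, rn, on = demo()
    for lab, is_r in zone:
        print(name_of(lab), "(random generated)" if is_r else "(original)")
    for owner, nxt in rn.items():
        print("%s 3600 IN NSEC %s (RRSIG NSEC)   encloses %s"
              % (name_of(owner), name_of(nxt), originals_inside_span(owner, nxt, zone)))
    print(answer("dd-not-in-zone.example.", "A", zone, rn, on))
    print(answer("e.example.", "AAAA", zone, rn, on))
```

   Running the file prints the interleaved zone and the random-to-random
   NSEC chain in the draft's notation, then the answers for a
   non-existent name (NXDOMAIN, example 3) and for a missing type at an
   existing name (NODATA, example 4). Each random-to-random span prints
   the original name it encloses: a resolver that reused such an NSEC
   for any other name in the span would deny a name that exists, which
   is what the rule in section 4 prevents.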
   Because the next authoritative name in the NSEC RR is always a
   randomly generated name, a zone walk will give the attacker random
   zone data; thus the attacker will need the same amount of work
   required today to obtain the original zone data via queries.

   The RR type for the random names will be defined in future versions
   of this memo.

3. Authoritative DNS server considerations

   The DNS server MUST use the NSEC RR that spans between random names
   to answer for a non-existent domain.

   The DNS server MUST use the NSEC RR that spans between the original
   and random names to answer for a non-existent type.

4. Cache DNS server considerations

   The cache server MUST use the NSEC RR received for the specific name
   being asked only. This means that the cache server MUST NOT respond
   with a non-existent domain to a client for a new query whose name
   falls between the owner and next names of a previously cached NSEC
   RR.

5. Name random generation functions

   The functions for generating random names will appear in future
   versions of the memo.

6. IANA Considerations

   This document introduces no new IANA considerations.

7. Security Considerations

   As in DNSSECbis, an attacker can replay still-valid NSEC answers to
   deny the existence of a recently created name.

References

Normative References

   [1] Bradner, S., "Key words for use in RFCs to Indicate Requirement
       Levels", BCP 14, RFC 2119, March 1997.

   [2] Arends, R., Austein, R., Larson, M., Massey, D. and S. Rose,
       "Resource Records for DNS Security Extensions", draft-ietf-
       dnsext-dnssec-records-08 (work in progress), May 2004.

Informative References

Author's Addresses

   Gustavo Lozano
   NIC Mexico
   Av. Eugenio Garza Sada #427 Sur.
   Col. Altavista
   Monterrey, NL
   Mexico

   Email: glozano@nic.mx

Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights. Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use
   of such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository
   at http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard. Please address the information to the IETF at
   ietf-ipr@ietf.org.

   By submitting this Internet-Draft, I certify that any applicable
   patent or other IPR claims of which I am aware have been disclosed,
   and any of which I become aware will be disclosed, in accordance
   with RFC 3668.
Disclaimer of Validity

   This document and the information contained herein are provided on
   an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE
   REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE
   INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR
   IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Copyright Statement

   Copyright (C) The Internet Society (2004). This document is subject
   to the rights, licenses and restrictions contained in BCP 78, and
   except as set forth therein, the authors retain all their rights.