Network Working Group D. Zhang Internet-Draft Huawei Intended status: Experimental July 22, 2014 Expires: January 23, 2015 Certificate Transparency for Domain Name System Security Extensions draft-zhang-ct-dnssec-trans-00 Abstract In draft-ietf-trans-rfc6962-bis, a solution is proposed for publicly logging the existence of Transport Layer Security (TLS) certificates using Merkle Hash Trees. This document tries to use this idea in DNSSEC and publicly logging the existence of keys used in securing DNS resource records. Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119]. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on January 23, 2015. Copyright Notice Copyright (c) 2014 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of Zhang Expires January 23, 2015 [Page 1] Internet-Draft CT-DNSSEC July 2014 publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Cryptographic Components of Certificate Transparency . . . . 3 3. Log Format and Operation . . . . . . . . . . . . . . . . . . 3 3.1. Log Entries . . . . . . . . . . . . . . . . . . . . . . . 3 4. Including the Signed Certificate Timestamp into DNS Security Extensions . . . . . . . . . . . . . . . . . . . . . . . . . 4 4.1. SCT RR . . . . . . . . . . . . . . . . . . . . . . . . . 4 4.1.1. The Key Tag Field . . . . . . . . . . . . . . . . . . 4 4.1.2. The Algorithm Field . . . . . . . . . . . . . . . . . 5 4.1.3. The Digest Type Field . . . . . . . . . . . . . . . . 5 4.1.4. The Digest Field . . . . . . . . . . . . . . . . . . 5 4.1.5. The SCT Field . . . . . . . . . . . . . . . . . . . . 5 4.2. Operations . . . . . . . . . . . . . . . . . . . . . . . 5 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5 6. Security Considerations . . . . . . . . . . . . . . . . . . . 5 6.1. Logging other types of RRs . . . . . . . . . . . . . . . 6 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 6 8. Normative References . . . . . . . . . . . . . . . . . . . . 6 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 6 1. Introduction [I-D.ietf-trans-rfc6962-bis] specifies a Certificate Transparency (CT) mechanism to disclosing TLS certificates into public logs so as to benefit the public to monitor the operations in issuing certificates. The logs do not prevent mis-issuing behavior, but the provided public audibility can increase the possibility in detecting certain mis-behaviors of issuers. The logs are constructed with Merkle Hash Trees to ensure the append-only property, and thus enable anyone to verify the correctness of each log and to monitor when new certificates are added to it. Note that CT is a common mechanism although [I-D.ietf-trans-rfc6962-bis] only describe its usage in publishing TLS server certificates issued by public certificate authorities (CAs). This document discusses the application of CT to publicly logging the public keys used by DNSSEC. DNSSEC distributes public keys to provide origin authentication and integrity protection for DNS resource records. In order to prove the validity of keys used for Zhang Expires January 23, 2015 [Page 2] Internet-Draft CT-DNSSEC July 2014 signing DNS data, DNSSEC uses DNS public key (DNSKEY) RRsets and Delegation Signer (DS) RRsets to form authentication chains for the signed data, with each link in the chains vouching for the next. If an authentication chain can be eventually connected to the a trsuted public key, the client can then ensure the key for signing the data is valid. The application of CT to publish the existence of (DNSKEY) RRsets and (DS) RRsets can benefit the detection of misissurance of DNSSEC keys. For instance, if the owner of foo.example.com finds that its parent zone (example.com) publish a DS RR for its zone which however does not point to any legal zone signing keys or key signing keys, the owner can claim that a mississuance event occures. This work re-use some text in [I-D.ietf-trans-rfc6962-bis]. 2. Cryptographic Components of Certificate Transparency The introduce of cryptographic components of CT is in Section 2 of [I-D.ietf-trans-rfc6962-bis]. When applying CT for NDSSEC, a log is a single, ever-growing, append-only Merkle Tree of DNSKEY and DS RRs. 3. Log Format and Operation When generating a new DNSKEY RR or a DS RR (i.e., during the publication of a KSK or a zone authentication key), a zone owner will publish the RR to the CT logs. Because a key will not be trusted by clients unless logged, it is expected that a zone owner will usually deliver the RRs (keys) for audit purposes. Identical to what is specified in [I-D.ietf-trans-rfc6962-bis],when a valid DNSKEY RR or a valid DS RR is submitted to a log, the log MUST immediately return a Signed Certificate Timestamp (SCT). The SCT is the log's promise to incorporate the RR in the Merkle Tree within a fixed amount of time known as the Maximum Merge Delay (MMD). If the log has previously seen the certificate, it MAY return the same SCT as it returned before. DNS servers MUST provide an SCT from one or more logs to the client within a SCT RR. DNS clients MUST NOT trust a key that does not have a valid SCT. 3.1. Log Entries A zone owner can submit a DNSKEY or DS RR to any log before publishing the RR. In order to enable attribution of each logged RR to its issuer, the log SHALL publish a list of acceptable zone signing public keys (or hashes of public keys) of root zones or islands of security. Each submitted RR MUST be accompanied by all additional RRs (DNSKEY RRs, DS RRs, and RRSIG RRs) which construct an Zhang Expires January 23, 2015 [Page 3] Internet-Draft CT-DNSSEC July 2014 authentication chain to an accepted root public key. Note that the NSEC RR is not provided since the existence of this type of RR indicates the broken of an authentication chain. A typical authentication chain is Public Key->[DS->(DNSKEY)*->DNSKEY]*->RRset, where "*" denotes zero or more subchains. (DNSKEY)* indicates that DNSSEC permits additional layers of DNSKEY RRs signing other DNSKEY RRs within a zone. Each DNSKEY/DS RR in the chain is authenticated by a RRSIG RR. In practice, a RRSIG RR may be used to sign a DS/DNSKEY RRset rather than a single RR. In this case, not only the DS/DNSKEY RR on the authentication chain but also other records in the RRset SHOULD be provided to the log the verification purpose. Otherwise, the log may have to consult DNS again in order to verify the authentication chains. 4. Including the Signed Certificate Timestamp into DNS Security Extensions 4.1. SCT RR The SCT associated with a DNSKEY/ DS RR is stored within a STC RR. The type number for the DS record is TBD1. The DS resource record is class independent. The DS RR has no special TTL requirements. 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Key Tag | Algorithm | Digest Type | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ / / / Digest / / / +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ / / / STC / / / +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 4.1.1. The Key Tag Field The Key Tag field lists the key tag of the DNSKEY RR referred to by the SCT record, in network byte order. Appendix B of [RFC4034] describes how to compute a Key Tag. Zhang Expires January 23, 2015 [Page 4] Internet-Draft CT-DNSSEC July 2014 4.1.2. The Algorithm Field The Algorithm field lists the algorithm number of the DNSKEY RR referred to by the SCT record. Appendix A.1 of [RFC4034] lists the algorithm number types. 4.1.3. The Digest Type Field The Digest Type field identifies the algorithm used to construct the digest used to identify the DNSKEY RR that the SCT RR refers to. Appendix A.2 of [RFC4034] lists the possible digest algorithm types. 4.1.4. The Digest Field The method of calculating digest is identical to what is specified in Section 5.1.4 of [RFC4034] 4.1.5. The SCT Field This field contains the SCT got from the log. 4.2. Operations After introducing the SCT RR, the verification procedures of DNS data specified in DNSSEC[RFC4305] do not change a lot. However, the correctness of CTS needs to be assessed during checking the validity of a NDSKEY/DS RR. A NDSKEY/DS RR needs to be associated with a CTS RR which contains a valid CTS and signed with a proper public key. Otherwise, the NDSKEY/DS RR will not be used to construct the authentication chain. The signatures of NDSKEY/DS RR and its CTS RR should be stored in different RRSIG RR respectively. In addition, a DNS server will sends CTS RRs and the associated RRSIG RRs to a resolver only when it indicates the support of CT in the request. 5. IANA Considerations This document makes no request of IANA. Note to RFC Editor: this section may be removed on publication as an RFC. 6. Security Considerations Zhang Expires January 23, 2015 [Page 5] Internet-Draft CT-DNSSEC July 2014 6.1. Logging other types of RRs The above section tries to propose a solution to disclose keys for DNSSEC in logs for the public to audit. However, it may be valuable to also log the RRs specified in [RFC1035]. For instance, assume there is an attacker which has compromised the zone authentication key and is able to perform the MITM attack between a resolver and the DNS server of the zone. It is possible for an attacker to transfer a forged RR which is signed with the compromised key. The current solution cannot benefit the detection of this attack in this scenario. However, if the RR is also required to be uploaded to public logs, the condition is changed. If the attacker does not publish the RR to a log, it cannot get the SCT. When the attacker tries to publish the RR to the log, the owner of the zone may detect the problem even if the attacker can provide keys to convince the log to accept the RR. 7. Acknowledgements 8. Normative References [I-D.ietf-trans-rfc6962-bis] Laurie, B., Langley, A., Kasper, E., and R. Stradling, "Certificate Transparency", draft-ietf-trans- rfc6962-bis-04 (work in progress), July 2014. [RFC1035] Mockapetris, P., "Domain names - implementation and specification", STD 13, RFC 1035, November 1987. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, "Resource Records for the DNS Security Extensions", RFC 4034, March 2005. [RFC4305] Eastlake, D., "Cryptographic Algorithm Implementation Requirements for Encapsulating Security Payload (ESP) and Authentication Header (AH)", RFC 4305, December 2005. Author's Address Dacheng Zhang Huawei Email: zhangdacheng@huawei.com Zhang Expires January 23, 2015 [Page 6]