< draft-blacka-dnssec-opt-in-00.txt   draft-blacka-dnssec-opt-in-01.txt >
DNSEXT R. Arends DNSEXT R. Arends
Internet-Draft Telematica Instituut Internet-Draft Telematica Instituut
Expires: April 13, 2004 M. Kosters Expires: June 22, 2005 M. Kosters
D. Blacka D. Blacka
Verisign, Inc. Verisign, Inc.
October 14, 2003 December 22, 2004
DNSSEC Opt-In DNSSEC Opt-In
draft-blacka-dnssec-opt-in-00 draft-blacka-dnssec-opt-in-01
Status of this Memo Status of this Memo
This document is an Internet-Draft and is in full conformance with This document is an Internet-Draft and is subject to all provisions
all provisions of Section 10 of RFC2026. of section 3 of RFC 3667. By submitting this Internet-Draft, each
author represents that any applicable patent or other IPR claims of
which he or she is aware have been or will be disclosed, and any of
which he or she become aware will be disclosed, in accordance with
RFC 3668.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that other Task Force (IETF), its areas, and its working groups. Note that
groups may also distribute working documents as Internet-Drafts. other groups may also distribute working documents as
Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at http:// The list of current Internet-Drafts can be accessed at
www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on April 13, 2004. This Internet-Draft will expire on June 22, 2005.
Copyright Notice Copyright Notice
Copyright (C) The Internet Society (2003). All Rights Reserved. Copyright (C) The Internet Society (2004).
Abstract Abstract
In DNSSEC (RFC 2535bis, [3], [4], and [5]), delegations to unsigned In DNSSEC (RFC 2535bis, [3], [4], and [5]), delegations to unsigned
subzones are cryptographically secured. Maintaining this subzones are cryptographically secured. Maintaining this
cryptography is not practical or necessary. This document describes cryptography is not practical or necessary. This document describes
an experimental "Opt-In" model that allows administrators to omit an experimental "Opt-In" model that allows administrators to omit
this cryptography and manage the cost of adopting DNSSEC with large this cryptography and manage the cost of adopting DNSSEC with large
zones. zones.
Table of Contents Table of Contents
1. Definitions and Terminology . . . . . . . . . . . . . . . . 3 1. Definitions and Terminology . . . . . . . . . . . . . . . . . 3
2. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. Protocol Additions . . . . . . . . . . . . . . . . . . . . . 5 3. Experimental Status . . . . . . . . . . . . . . . . . . . . . 5
3.1 Server Considerations . . . . . . . . . . . . . . . . . . . 6 4. Protocol Additions . . . . . . . . . . . . . . . . . . . . . . 6
3.1.1 Delegations Only . . . . . . . . . . . . . . . . . . . . . . 6 4.1 Server Considerations . . . . . . . . . . . . . . . . . . 7
3.1.2 Insecure Delegation Responses . . . . . . . . . . . . . . . 6 4.1.1 Delegations Only . . . . . . . . . . . . . . . . . . . 7
3.1.3 Wildcards and Opt-In . . . . . . . . . . . . . . . . . . . . 6 4.1.2 Insecure Delegation Responses . . . . . . . . . . . . 7
3.1.4 Dynamic Update . . . . . . . . . . . . . . . . . . . . . . . 7 4.1.3 Wildcards and Opt-In . . . . . . . . . . . . . . . . . 7
3.2 Client Considerations . . . . . . . . . . . . . . . . . . . 7 4.1.4 Dynamic Update . . . . . . . . . . . . . . . . . . . . 8
3.2.1 Delegations Only . . . . . . . . . . . . . . . . . . . . . . 7 4.2 Client Considerations . . . . . . . . . . . . . . . . . . 8
3.2.2 Validation Process Changes . . . . . . . . . . . . . . . . . 7 4.2.1 Delegations Only . . . . . . . . . . . . . . . . . . . 8
3.2.3 NSEC Record Caching . . . . . . . . . . . . . . . . . . . . 8 4.2.2 Validation Process Changes . . . . . . . . . . . . . . 8
3.2.4 Use of the AD bit . . . . . . . . . . . . . . . . . . . . . 8 4.2.3 NSEC Record Caching . . . . . . . . . . . . . . . . . 9
4. Benefits . . . . . . . . . . . . . . . . . . . . . . . . . . 10 4.2.4 Use of the AD bit . . . . . . . . . . . . . . . . . . 9
5. Example . . . . . . . . . . . . . . . . . . . . . . . . . . 11 5. Benefits . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
6. Transition Issues . . . . . . . . . . . . . . . . . . . . . 13 6. Example . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
7. Security Considerations . . . . . . . . . . . . . . . . . . 14 7. Transition Issues . . . . . . . . . . . . . . . . . . . . . . 13
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . 16 8. Security Considerations . . . . . . . . . . . . . . . . . . . 14
9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . 17 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16
Normative References . . . . . . . . . . . . . . . . . . . . 18 10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . 17
Informative References . . . . . . . . . . . . . . . . . . . 19 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 18
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 19 11.1 Normative References . . . . . . . . . . . . . . . . . . . . 18
A. Implementing Opt-In using "Views" . . . . . . . . . . . . . 21 11.2 Informative References . . . . . . . . . . . . . . . . . . . 18
Intellectual Property and Copyright Statements . . . . . . . 23 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 19
A. Implementing Opt-In using "Views" . . . . . . . . . . . . . . 20
Intellectual Property and Copyright Statements . . . . . . . . 21
1. Definitions and Terminology 1. Definitions and Terminology
Throughout this document, familiarity with the DNS system (RFC 1035 Throughout this document, familiarity with the DNS system (RFC 1035
[1]), DNS security extensions ([3], [4], and [5], referred to in this [1]), DNS security extensions ([3], [4], and [5], referred to in this
document as "RFC 2535bis"), and DNSSEC terminology (RFC 3090 [9]) is document as "RFC 2535bis"), and DNSSEC terminology (RFC 3090 [10]) is
assumed. assumed.
The following abbreviations and terms are used in this document: The following abbreviations and terms are used in this document:
RR: is used to refer to a DNS resource record. RR: is used to refer to a DNS resource record.
RRset: refers to a Resource Record Set, as defined by [8]. In this
RRset: refers to a Resource Record Set, as defined by [7]. In this
document, the RRset is also defined to include the covering RRSIG document, the RRset is also defined to include the covering RRSIG
records, if any exist. records, if any exist.
signed name: refers to a DNS name that has, at minimum, a (signed) signed name: refers to a DNS name that has, at minimum, a (signed)
NSEC record. NSEC record.
unsigned name: refers to a DNS name that does not (at least) have a unsigned name: refers to a DNS name that does not (at least) have a
NSEC record. NSEC record.
covering NSEC record/RRset: is the NSEC record used to prove covering NSEC record/RRset: is the NSEC record used to prove
(non)existence of a particular name or RRset. This means that for (non)existence of a particular name or RRset. This means that for
a RRset or name 'N', the covering NSEC record has the name 'N', or a RRset or name 'N', the covering NSEC record has the name 'N', or
has an owner name less than 'N' and "next" name greater than 'N'. has an owner name less than 'N' and "next" name greater than 'N'.
delegation: refers to a NS RRset with a name different from the delegation: refers to a NS RRset with a name different from the
current zone apex (non-zone-apex), signifying a delegation to a current zone apex (non-zone-apex), signifying a delegation to a
subzone. subzone.
secure delegation: refers to a signed name containing a delegation secure delegation: refers to a signed name containing a delegation
(NS RRset), and a signed DS RRset, signifying a delegation to a (NS RRset), and a signed DS RRset, signifying a delegation to a
signed subzone. signed subzone.
insecure delegation: refers to a signed name containing a delegation insecure delegation: refers to a signed name containing a delegation
(NS RRset), but lacking a DS RRset, signifying a delegation to an (NS RRset), but lacking a DS RRset, signifying a delegation to an
unsigned subzone. unsigned subzone.
Opt-In insecure delegation: refers to an unsigned name containing Opt-In insecure delegation: refers to an unsigned name containing
only a delegation NS RRset. The covering NSEC record uses the only a delegation NS RRset. The covering NSEC record uses the
Opt-In methodology described in this document. Opt-In methodology described in this document.
The key words "MUST, "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST, "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY, and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY, and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [6]. document are to be interpreted as described in RFC 2119 [7].
2. Overview 2. Overview
The cost to cryptographically secure delegations to unsigned zones is The cost to cryptographically secure delegations to unsigned zones is
high for large delegation-centric zones and zones where insecure high for large delegation-centric zones and zones where insecure
delegations will be updated rapidly. For these zones, the costs of delegations will be updated rapidly. For these zones, the costs of
maintaining the NSEC record chain may be extremely high relative to maintaining the NSEC record chain may be extremely high relative to
the gain of cryptographically authenticating existence of unsecured the gain of cryptographically authenticating existence of unsecured
zones. zones.
This document describes an experimental method of eliminating the This document describes an experimental method of eliminating the
superfluous cryptography present in secure delegations to unsigned superfluous cryptography present in secure delegations to unsigned
zones. Using "Opt-In", a zone administrator can choose to remove zones. Using "Opt-In", a zone administrator can choose to remove
insecure delegations from the NSEC chain. This is accomplished by insecure delegations from the NSEC chain. This is accomplished by
extending the semantics of the NSEC record by using a redundant bit extending the semantics of the NSEC record by using a redundant bit
in the type map. in the type map.
3. Protocol Additions 3. Experimental Status
This document describes an EXPERIMENTAL extension to DNSSEC. It
interoperates with non-experimental DNSSEC using the technique
described in [6]. This experiment is identified with the following
private algorithms (using algorithm 253):
"3.optin.verisignlabs.com": is an alias for DNSSEC algorithm 3, DSA,
and
"4.optin.verisignlabs.com": is an alias for DNSSEC algorithm 5,
RSASHA1.
Servers wishing to sign and serve zones that utilize Opt-In MUST sign
the zone with one or more of these private algorithms. This requires
the signing tools and servers to support private algorithms, as well
as Opt-In.
Resolvers wishing to validate Opt-In zones MUST only do so when the
zone is signed useing one or more of these private algorithms.
The remainder of this document assumes that the servers and resolvers
involved are aware of and are involved in this experiment.
4. Protocol Additions
In RFC 2535bis, delegation NS RRsets are not signed, but are instead In RFC 2535bis, delegation NS RRsets are not signed, but are instead
accompanied by a NSEC RRset of the same name and a DS record. The accompanied by a NSEC RRset of the same name and a DS record. The
security status of the subzone is determined by the presence or security status of the subzone is determined by the presence or
absence of the DS RRset, cryptographically proven by the NSEC record. absence of the DS RRset, cryptographically proven by the NSEC record.
Opt-In expands this definition by allowing insecure delegations to Opt-In expands this definition by allowing insecure delegations to
exist within an otherwise signed zone without the corresponding NSEC exist within an otherwise signed zone without the corresponding NSEC
record at the delegation's owner name. These insecure delegations record at the delegation's owner name. These insecure delegations
are proven insecure by using a covering NSEC record. are proven insecure by using a covering NSEC record.
skipping to change at page 5, line 49 skipping to change at page 6, line 49
Opt-In, there MUST NOT be any insecure delegations (or any other Opt-In, there MUST NOT be any insecure delegations (or any other
records) between it and the RRsets indicated by the 'next domain records) between it and the RRsets indicated by the 'next domain
name' in the NSEC RDATA. If it is Opt-In, there MUST only be name' in the NSEC RDATA. If it is Opt-In, there MUST only be
insecure delegations between it and the next node indicated by the insecure delegations between it and the next node indicated by the
'next domain name' in the NSEC RDATA. 'next domain name' in the NSEC RDATA.
In summary, In summary,
o An Opt-In NSEC type is identified by a zero-valued (or o An Opt-In NSEC type is identified by a zero-valued (or
not-specified) NSEC bit in the type bit map of the NSEC record. not-specified) NSEC bit in the type bit map of the NSEC record.
o A RFC2535bis NSEC type is identified by a one-valued NSEC bit in o A RFC2535bis NSEC type is identified by a one-valued NSEC bit in
the type bit map of the NSEC record. the type bit map of the NSEC record.
and, and,
o An Opt-In NSEC record does not assert the non-existence of a name o An Opt-In NSEC record does not assert the non-existence of a name
between its owner name and "next" name, although it does assert between its owner name and "next" name, although it does assert
that any name in this span MUST be an insecure delegation. that any name in this span MUST be an insecure delegation.
o An Opt-In NSEC record does assert the (non)existence of RRsets o An Opt-In NSEC record does assert the (non)existence of RRsets
with the same owner name. with the same owner name.
3.1 Server Considerations 4.1 Server Considerations
Opt-In imposes some new requirements on authoritative DNS servers. Opt-In imposes some new requirements on authoritative DNS servers.
3.1.1 Delegations Only 4.1.1 Delegations Only
This specification dictates that only insecure delegations may exist This specification dictates that only insecure delegations may exist
between the owner and "next" names of an Opt-In tagged NSEC record. between the owner and "next" names of an Opt-In tagged NSEC record.
Signing tools SHOULD NOT generate signed zones that violate this Signing tools SHOULD NOT generate signed zones that violate this
restriction. Servers SHOULD refuse to load and/or serve zones that restriction. Servers SHOULD refuse to load and/or serve zones that
violate this restriction. violate this restriction.
3.1.2 Insecure Delegation Responses 4.1.2 Insecure Delegation Responses
When returning an Opt-In insecure delegation, the server MUST return When returning an Opt-In insecure delegation, the server MUST return
the covering NSEC RRset in the Authority section. the covering NSEC RRset in the Authority section.
In RFC 2535bis, NSEC records already must be returned along with the In RFC 2535bis, NSEC records already must be returned along with the
insecure delegation. The primary difference that this proposal insecure delegation. The primary difference that this proposal
introduces is that the Opt-In tagged NSEC record will have a introduces is that the Opt-In tagged NSEC record will have a
different owner name from the delegation RRset. This may require different owner name from the delegation RRset. This may require
implementations to do a NSEC search on cached responses. implementations to do a NSEC search on cached responses.
3.1.3 Wildcards and Opt-In 4.1.3 Wildcards and Opt-In
RFC 2535bis describes the practice of returning NSEC records to prove RFC 2535bis describes the practice of returning NSEC records to prove
the non-existence of an applicable wildcard in non-existent name the non-existence of an applicable wildcard in non-existent name
responses. This NSEC record can be described as a "negative wildcard responses. This NSEC record can be described as a "negative wildcard
proof". The use of Opt-In NSEC records changes the necessity for proof". The use of Opt-In NSEC records changes the necessity for
this practice. For non-existent name responses when the query name this practice. For non-existent name responses when the query name
(qname) is covered by an Opt-In tagged NSEC record, servers MAY (qname) is covered by an Opt-In tagged NSEC record, servers MAY
choose to omit the wildcard proof record, and clients MUST NOT treat choose to omit the wildcard proof record, and clients MUST NOT treat
the absence of this NSEC record as a validation error. the absence of this NSEC record as a validation error.
The intent of the RFC 2535bis negative wildcard proof requirement is The intent of the RFC 2535bis negative wildcard proof requirement is
to prevent malicious users from undetectably removing valid wildcard to prevent malicious users from undetectably removing valid wildcard
responses. In order for this cryptographic proof to work, the responses. In order for this cryptographic proof to work, the
resolver must be able to prove: resolver must be able to prove:
1. The exact qname does not exist. This is done by the "normal" 1. The exact qname does not exist. This is done by the "normal"
skipping to change at page 7, line 29 skipping to change at page 8, line 26
of an Opt-In insecure delegation response for a similar reason: the of an Opt-In insecure delegation response for a similar reason: the
resolver cannot prove that the qname does or does not exist, and resolver cannot prove that the qname does or does not exist, and
therefore cannot prove that a wildcard expansion is valid. therefore cannot prove that a wildcard expansion is valid.
The presence of an Opt-In tagged NSEC record does not change the The presence of an Opt-In tagged NSEC record does not change the
practice of returning a NSEC along with a wildcard expansion. Even practice of returning a NSEC along with a wildcard expansion. Even
though the Opt-In NSEC will not be able to prove that the wildcard though the Opt-In NSEC will not be able to prove that the wildcard
expansion is valid, it will prove that the wildcard expansion is not expansion is valid, it will prove that the wildcard expansion is not
masking any signed records. masking any signed records.
3.1.4 Dynamic Update 4.1.4 Dynamic Update
Opt-In changes the semantics of Secure DNS Dynamic Update [8]. In Opt-In changes the semantics of Secure DNS Dynamic Update [9]. In
particular, it introduces the need for rules that describe when to particular, it introduces the need for rules that describe when to
add or remove a delegation name from the NSEC chain. This document add or remove a delegation name from the NSEC chain. This document
does not attempt to define these rules. Until these rules are does not attempt to define these rules. Until these rules are
defined, servers MUST NOT process DNS Dynamic Update requests against defined, servers MUST NOT process DNS Dynamic Update requests against
zones that use Opt-In NSEC records. zones that use Opt-In NSEC records.
3.2 Client Considerations 4.2 Client Considerations
Opt-In imposes some new requirements on security-aware resolvers Opt-In imposes some new requirements on security-aware resolvers
(caching or otherwise). (caching or otherwise).
3.2.1 Delegations Only 4.2.1 Delegations Only
As stated in the "Server Considerations" section above, this As stated in the "Server Considerations" section above, this
specification restricts the namespace covered by Opt-In tagged NSEC specification restricts the namespace covered by Opt-In tagged NSEC
records to insecure delegations only. Thus, resolvers MUST reject as records to insecure delegations only. Thus, resolvers MUST reject as
invalid any records that fall within an Opt-In NSEC record's span invalid any records that fall within an Opt-In NSEC record's span
that are not NS records or corresponding glue records. that are not NS records or corresponding glue records.
3.2.2 Validation Process Changes 4.2.2 Validation Process Changes
This specification does not change the resolver's resolution This specification does not change the resolver's resolution
algorithm. However, it does change the DNSSEC validation process. algorithm. However, it does change the DNSSEC validation process.
Resolvers MUST be able to use Opt-In tagged NSEC records to Resolvers MUST be able to use Opt-In tagged NSEC records to
cryptographically prove the validity and security status (as cryptographically prove the validity and security status (as
insecure) of a referral. Resolvers determine the security status of insecure) of a referral. Resolvers determine the security status of
the referred-to zone as follows: the referred-to zone as follows:
o In RFC 2535bis, the security status is proven by the existence or o In RFC 2535bis, the security status is proven by the existence or
absence of a DS RRset at the same name as the delegation. The absence of a DS RRset at the same name as the delegation. The
existence of the DS RRset indicates that the referred-to zone is existence of the DS RRset indicates that the referred-to zone is
signed. The absence of the DS RRset is proven using a verified signed. The absence of the DS RRset is proven using a verified
NSEC record of the same name that does not have the DS bit set in NSEC record of the same name that does not have the DS bit set in
the type map. This NSEC record MAY also be tagged as Opt-In. the type map. This NSEC record MAY also be tagged as Opt-In.
o Using Opt-In, the security status is proven by the existence of a o Using Opt-In, the security status is proven by the existence of a
DS record (for signed) or the presence of a verified Opt-In tagged DS record (for signed) or the presence of a verified Opt-In tagged
NSEC record that covers the delegation name. That is, the NSEC NSEC record that covers the delegation name. That is, the NSEC
record does not have the NSEC bit set in the type map, and the record does not have the NSEC bit set in the type map, and the
delegation name falls between the NSEC's owner and "next" name. delegation name falls between the NSEC's owner and "next" name.
Using Opt-In does not substantially change the nature of following Using Opt-In does not substantially change the nature of following
referrals within DNSSEC. At every delegation point, the resolver referrals within DNSSEC. At every delegation point, the resolver
will have cryptographic proof that the subzone is signed or unsigned. will have cryptographic proof that the subzone is signed or unsigned.
When receiving either an Opt-In insecure delegation response or a When receiving either an Opt-In insecure delegation response or a
non-existent name response where that name is covered by an Opt-In non-existent name response where that name is covered by an Opt-In
tagged NSEC record, the resolver MUST NOT require proof (in the form tagged NSEC record, the resolver MUST NOT require proof (in the form
of a NSEC record) that a wildcard did not exist. of a NSEC record) that a wildcard did not exist.
3.2.3 NSEC Record Caching 4.2.3 NSEC Record Caching
Caching resolvers MUST be able to retrieve the appropriate covering Caching resolvers MUST be able to retrieve the appropriate covering
Opt-In NSEC record when returning referrals that need them. This Opt-In NSEC record when returning referrals that need them. This
requirement differs from RFC 2535bis in that the covering NSEC will requirement differs from RFC 2535bis in that the covering NSEC will
not have the same owner name as the delegation. Some implementations not have the same owner name as the delegation. Some implementations
may have to use new methods for finding these NSEC records. may have to use new methods for finding these NSEC records.
3.2.4 Use of the AD bit 4.2.4 Use of the AD bit
The AD bit, as defined by [2] and [5], MUST NOT be set when: The AD bit, as defined by [2] and [5], MUST NOT be set when:
o sending a non-existent name (NXDOMAIN) response where the covering o sending a non-existent name (NXDOMAIN) response where the covering
NSEC is tagged as Opt-In. NSEC is tagged as Opt-In.
o sending an Opt-In insecure delegation response, unless the o sending an Opt-In insecure delegation response, unless the
covering (Opt-In) NSEC record's owner name equals the delegation covering (Opt-In) NSEC record's owner name equals the delegation
name. name.
This rule is based on what the Opt-In NSEC record actually proves: This rule is based on what the Opt-In NSEC record actually proves:
for names that exist between the Opt-In NSEC record's owner and for names that exist between the Opt-In NSEC record's owner and
"next" names, the Opt-In NSEC record cannot prove the non-existence "next" names, the Opt-In NSEC record cannot prove the non-existence
or existence of the name. As such, not all data in the response has or existence of the name. As such, not all data in the response has
been cryptographically verified, so the AD bit cannot be set. been cryptographically verified, so the AD bit cannot be set.
4. Benefits 5. Benefits
Using Opt-In allows administrators of large and/or changing Using Opt-In allows administrators of large and/or changing
delegation-centric zones to minimize the overhead involved in delegation-centric zones to minimize the overhead involved in
maintaining the security of the zone. maintaining the security of the zone.
Opt-In accomplishes this by eliminating the need for NSEC records for Opt-In accomplishes this by eliminating the need for NSEC records for
insecure delegations. This, in a zone with a large number of insecure delegations. This, in a zone with a large number of
delegations to unsigned subzones, can lead to substantial space delegations to unsigned subzones, can lead to substantial space
savings (both in memory and on disk). Additionally, Opt-In allows for savings (both in memory and on disk). Additionally, Opt-In allows
the addition or removal of insecure delegations without modifying the for the addition or removal of insecure delegations without modifying
NSEC record chain. Zones that are frequently updating insecure the NSEC record chain. Zones that are frequently updating insecure
delegations (e.g., TLDs) can avoid the substantial overhead of delegations (e.g., TLDs) can avoid the substantial overhead of
modifying and resigning the affected NSEC records. modifying and resigning the affected NSEC records.
5. Example 6. Example
Consider the zone EXAMPLE, shown below. This is a zone where all of Consider the zone EXAMPLE, shown below. This is a zone where all of
the NSEC records are tagged as Opt-In. the NSEC records are tagged as Opt-In.
Example A: Fully Opt-In Zone. Example A: Fully Opt-In Zone.
EXAMPLE. SOA ... EXAMPLE. SOA ...
EXAMPLE. RRSIG SOA ... EXAMPLE. RRSIG SOA ...
EXAMPLE. NS FIRST-SECURE.EXAMPLE. EXAMPLE. NS FIRST-SECURE.EXAMPLE.
EXAMPLE. RRSIG NS ... EXAMPLE. RRSIG NS ...
skipping to change at page 12, line 9 skipping to change at page 12, line 9
A query for a nonexistent RRset will result in a response that A query for a nonexistent RRset will result in a response that
differs from RFC 2535bis by: the NSEC record will be tagged as differs from RFC 2535bis by: the NSEC record will be tagged as
Opt-In, there may be no NSEC record proving the non-existence of a Opt-In, there may be no NSEC record proving the non-existence of a
matching wildcard record, and the AD bit will not be set. matching wildcard record, and the AD bit will not be set.
A query for an insecure delegation RRset (or a referral) will return A query for an insecure delegation RRset (or a referral) will return
both the answer (in the Authority section) and the corresponding both the answer (in the Authority section) and the corresponding
Opt-In NSEC record to prove that it is not secure. Opt-In NSEC record to prove that it is not secure.
Example A.1: Response to query for WWW.UNSIGNED.EXAMPLE. A Example A.1: Response to query for WWW.UNSIGNED.EXAMPLE. A
RCODE=NOERROR, AD=0 RCODE=NOERROR, AD=0
Answer Section: Answer Section:
Authority Section: Authority Section:
UNSIGNED.EXAMPLE. NS NS.UNSIGNED.EXAMPLE UNSIGNED.EXAMPLE. NS NS.UNSIGNED.EXAMPLE
SECOND-SECURE.EXAMPLE. NSEC EXAMPLE. NS RRSIG DS SECOND-SECURE.EXAMPLE. NSEC EXAMPLE. NS RRSIG DS
SECOND-SECURE.EXAMPLE. RRSIG NSEC ... SECOND-SECURE.EXAMPLE. RRSIG NSEC ...
Additional Section: Additional Section:
NS.UNSIGNED.EXAMPLE. A ... NS.UNSIGNED.EXAMPLE. A ...
In the Example A.1 zone, the EXAMPLE. node MAY use either style of In the Example A.1 zone, the EXAMPLE. node MAY use either style of
NSEC record, because there are no insecure delegations that occur NSEC record, because there are no insecure delegations that occur
between it and the next node, FIRST-SECURE.EXAMPLE. In other words, between it and the next node, FIRST-SECURE.EXAMPLE. In other words,
Example A would still be a valid zone if the NSEC record for EXAMPLE. Example A would still be a valid zone if the NSEC record for EXAMPLE.
was changed to the following RR: was changed to the following RR:
EXAMPLE. NSEC FIRST-SECURE.EXAMPLE. (SOA NS EXAMPLE. NSEC FIRST-SECURE.EXAMPLE. (SOA NS
RRSIG DNSKEY NSEC ) RRSIG DNSKEY NSEC )
However, the other NSEC records (FIRST-SECURE.EXAMPLE. and However, the other NSEC records (FIRST-SECURE.EXAMPLE. and
SECOND-SECURE.EXAMPLE.) MUST be tagged as Opt-In because there are SECOND-SECURE.EXAMPLE.) MUST be tagged as Opt-In because there are
insecure delegations in the range they define. (NOT-SECURE.EXAMPLE. insecure delegations in the range they define. (NOT-SECURE.EXAMPLE.
and UNSIGNED.EXAMPLE., respectively). and UNSIGNED.EXAMPLE., respectively).
NOT-SECURE-2.EXAMPLE. is an example of an insecure delegation that is NOT-SECURE-2.EXAMPLE. is an example of an insecure delegation that
part of the NSEC chain and also covered by an Opt-In tagged NSEC is part of the NSEC chain and also covered by an Opt-In tagged NSEC
record. Because NOT-SECURE-2.EXAMPLE. is a signed name, it cannot be record. Because NOT-SECURE-2.EXAMPLE. is a signed name, it cannot
removed from the zone without modifying and resigning the prior NSEC be removed from the zone without modifying and resigning the prior
record. Delegations with names that fall between NSEC record. Delegations with names that fall between
NOT-SECURE-2.EXAMPLE. and SECOND-SECURE.EXAMPLE. may be added or NOT-SECURE-2.EXAMPLE. and SECOND-SECURE.EXAMPLE. may be added or
removed without resigning any NSEC records. removed without resigning any NSEC records.
6. Transition Issues 7. Transition Issues
Opt-In is not backwards compatible with RFC 2535bis. RFC 2535bis Opt-In is not backwards compatible with RFC 2535bis. RFC 2535bis
compliant DNSSEC implementations will not recognize Opt-In tagged compliant DNSSEC implementations will not recognize Opt-In tagged
NSEC records as different from RFC 2535bis NSEC records. Because of NSEC records as different from RFC 2535bis NSEC records. Because of
this, RFC 2535bis implementations will reject all Opt-In insecure this, RFC 2535bis implementations will reject all Opt-In insecure
delegations within a zone as invalid. delegations within a zone as invalid.
7. Security Considerations 8. Security Considerations
Opt-In allows for unsigned names, in the form of delegations to Opt-In allows for unsigned names, in the form of delegations to
unsigned subzones, to exist within an otherwise signed zone. All unsigned subzones, to exist within an otherwise signed zone. All
unsigned names are, by definition, insecure, and their validity or unsigned names are, by definition, insecure, and their validity or
existence cannot by cryptographically proven. existence cannot by cryptographically proven.
In general: In general:
o Records with unsigned names (whether existing or not) suffer from o Records with unsigned names (whether existing or not) suffer from
the same vulnerabilities as records in an unsigned zone. These the same vulnerabilities as records in an unsigned zone. These
vulnerabilites are described in more detail in [11] (note in vulnerabilites are described in more detail in [12] (note in
particular sections 2.3, "Name Games" and 2.6, "Authenticated particular sections 2.3, "Name Games" and 2.6, "Authenticated
Denial"). Denial").
o Records with signed names have the same security whether or not o Records with signed names have the same security whether or not
Opt-In is used. Opt-In is used.
Note that with or without Opt-In, an insecure delegation may have its Note that with or without Opt-In, an insecure delegation may have its
contents undetectably altered by an attacker. Because of this, the contents undetectably altered by an attacker. Because of this, the
primary difference in security that Opt-In introduces is the loss of primary difference in security that Opt-In introduces is the loss of
the ability to prove the existence or nonexistence of an insecure the ability to prove the existence or nonexistence of an insecure
delegation within the span of an Opt-In NSEC record. delegation within the span of an Opt-In NSEC record.
In particular, this means that a malicious entity may be able to In particular, this means that a malicious entity may be able to
insert or delete records with unsigned names. These records are insert or delete records with unsigned names. These records are
normally NS records, but this also includes signed wildcard normally NS records, but this also includes signed wildcard
expansions (while the wildcard record itself is signed, its expanded expansions (while the wildcard record itself is signed, its expanded
name is an unsigned name). name is an unsigned name).
For example, if a resolver received the following response from the For example, if a resolver received the following response from the
example zone above: example zone above:
Example S.1: Response to query for WWW.DOES-NOT-EXIST.EXAMPLE. A Example S.1: Response to query for WWW.DOES-NOT-EXIST.EXAMPLE. A
RCODE=NOERROR RCODE=NOERROR
Answer Section: Answer Section:
Authority Section: Authority Section:
DOES-NOT-EXIST.EXAMPLE. NS NS.FORGED. DOES-NOT-EXIST.EXAMPLE. NS NS.FORGED.
EXAMPLE. NSEC FIRST-SECURE.EXAMPLE. SOA NS \ EXAMPLE. NSEC FIRST-SECURE.EXAMPLE. SOA NS \
RRSIG DNSKEY RRSIG DNSKEY
EXAMPLE. RRSIG NSEC ... EXAMPLE. RRSIG NSEC ...
Additional Section: Additional Section:
The resolver would have no choice but to believe that the referral to The resolver would have no choice but to believe that the referral to
NS.FORGED. is valid. If a wildcard existed that would have been NS.FORGED. is valid. If a wildcard existed that would have been
expanded to cover "WWW.DOES-NOT-EXIST.EXAMPLE.", an attacker could expanded to cover "WWW.DOES-NOT-EXIST.EXAMPLE.", an attacker could
have undetectably removed it and replaced it with the forged have undetectably removed it and replaced it with the forged
delegation. delegation.
Note that being able to add a delegation is functionally equivalent Note that being able to add a delegation is functionally equivalent
to being able to add any record type: an attacker merely has to forge to being able to add any record type: an attacker merely has to forge
a delegation to nameserver under his/her control and place whatever a delegation to nameserver under his/her control and place whatever
records needed at the subzone apex. records needed at the subzone apex.
While in particular cases, this issue may not present a significant While in particular cases, this issue may not present a significant
security problem, in general it should not be lightly dismissed. security problem, in general it should not be lightly dismissed.
Therefore, it is strongly RECOMMENDED that Opt-In be used sparingly. Therefore, it is strongly RECOMMENDED that Opt-In be used sparingly.
In particular, zone signing tools SHOULD NOT default to Opt-In, and In particular, zone signing tools SHOULD NOT default to Opt-In, and
MAY choose to not support Opt-In at all. MAY choose to not support Opt-In at all.
8. IANA Considerations 9. IANA Considerations
None. None.
9. Acknowledgments 10. Acknowledgments
The contributions, suggestions and remarks of the following persons The contributions, suggestions and remarks of the following persons
(in alphabetic order) to this draft are acknowledged: (in alphabetic order) to this draft are acknowledged:
Mats Dufberg, Miek Gieben, Olafur Gudmundsson, Bob Halley, Olaf Mats Dufberg, Miek Gieben, Olafur Gudmundsson, Bob Halley, Olaf
Kolkman, Edward Lewis, Ted Lindgreen, Rip Loomis, Bill Manning, Kolkman, Edward Lewis, Ted Lindgreen, Rip Loomis, Bill Manning,
Dan Massey, Scott Rose, Mike Schiraldi, Jakob Schlyter, Brian Dan Massey, Scott Rose, Mike Schiraldi, Jakob Schlyter, Brian
Wellington. Wellington.
Normative References 11. References
11.1 Normative References
[1] Mockapetris, P., "Domain names - implementation and [1] Mockapetris, P., "Domain names - implementation and
specification", STD 13, RFC 1035, November 1987. specification", STD 13, RFC 1035, November 1987.
[2] Gudmundsson, O. and B. Wellington, "Redefinition of DNS AD bit", [2] Wellington, B. and O. Gudmundsson, "Redefinition of DNS
draft-ietf-dnsext-ad-is-secure-06 (work in progress), June 2002. Authenticated Data (AD) bit", RFC 3655, November 2003.
[3] Massey, D., Larson, M., Austein, R., Rose, S. and R. Arends, [3] Arends, R., Austein, R., Massey, D., Larson, M. and S. Rose,
"DNS Security Introduction and Requirements", "DNS Security Introduction and Requirements",
draft-ietf-dnsext-dnssec-intro-05 (work in progress), February draft-ietf-dnsext-dnssec-intro-13 (work in progress), October
2003. 2004.
[4] Arends, R., "Resource Records for DNS Security Extensions", [4] Arends, R., "Resource Records for the DNS Security Extensions",
draft-ietf-dnsext-dnssec-records-02 (work in progress), November draft-ietf-dnsext-dnssec-records-11 (work in progress), October
2002. 2004.
[5] Arends, R., "Protocol Modifications for the DNS Security [5] Arends, R., "Protocol Modifications for the DNS Security
Extensions", draft-ietf-dnsext-dnssec-protocol-00 (work in Extensions", draft-ietf-dnsext-dnssec-protocol-09 (work in
progress), October 2002. progress), October 2004.
Informative References [6] Blacka, D., "DNSSEC Experiments",
draft-blacka-dnssec-experiments-00 (work in progress), December
2004.
[6] Bradner, S., "Key words for use in RFCs to Indicate Requirement 11.2 Informative References
[7] Bradner, S., "Key words for use in RFCs to Indicate Requirement
Levels", BCP 14, RFC 2119, March 1997. Levels", BCP 14, RFC 2119, March 1997.
[7] Elz, R. and R. Bush, "Clarifications to the DNS Specification", [8] Elz, R. and R. Bush, "Clarifications to the DNS Specification",
RFC 2181, July 1997. RFC 2181, July 1997.
[8] Eastlake, D., "Secure Domain Name System Dynamic Update", RFC [9] Eastlake, D., "Secure Domain Name System Dynamic Update", RFC
2137, April 1997. 2137, April 1997.
[9] Lewis, E., "DNS Security Extension Clarification on Zone [10] Lewis, E., "DNS Security Extension Clarification on Zone
Status", RFC 3090, March 2001. Status", RFC 3090, March 2001.
[10] Conrad, D., "Indicating Resolver Support of DNSSEC", RFC 3225, [11] Conrad, D., "Indicating Resolver Support of DNSSEC", RFC 3225,
December 2001. December 2001.
[11] Atkins, D. and R. Austein, "Threat Analysis Of The Domain Name [12] Atkins, D. and R. Austein, "Threat Analysis of the Domain Name
System", draft-ietf-dnsext-dns-threats-02 (work in progress), System (DNS)", RFC 3833, August 2004.
November 2002.
Authors' Addresses Authors' Addresses
Roy Arends Roy Arends
Telematica Instituut Telematica Instituut
Drienerlolaan 5 Drienerlolaan 5
7522 NB Enschede 7522 NB Enschede
NL NL
EMail: roy.arends@telin.nl EMail: roy.arends@telin.nl
skipping to change at page 20, line 4 skipping to change at page 19, line 24
Mark Kosters Mark Kosters
Verisign, Inc. Verisign, Inc.
21355 Ridgetop Circle 21355 Ridgetop Circle
Dulles, VA 20166 Dulles, VA 20166
US US
Phone: +1 703 948 3200 Phone: +1 703 948 3200
EMail: markk@verisign.com EMail: markk@verisign.com
URI: http://www.verisignlabs.com URI: http://www.verisignlabs.com
David Blacka David Blacka
Verisign, Inc. Verisign, Inc.
21355 Ridgetop Circle 21355 Ridgetop Circle
Dulles, VA 20166 Dulles, VA 20166
US US
Phone: +1 703 948 3200 Phone: +1 703 948 3200
EMail: davidb@verisign.com EMail: davidb@verisign.com
URI: http://www.verisignlabs.com URI: http://www.verisignlabs.com
Appendix A. Implementing Opt-In using "Views" Appendix A. Implementing Opt-In using "Views"
In many cases, it may be convenient to implement an Opt-In zone by In many cases, it may be convenient to implement an Opt-In zone by
combining two separately maintained "views" of a zone at request combining two separately maintained "views" of a zone at request
time. In this context, "view" refers to a particular version of a time. In this context, "view" refers to a particular version of a
zone, not to any specific DNS implementation feature. zone, not to any specific DNS implementation feature.
In this scenario, one view is the secure view, the other is the In this scenario, one view is the secure view, the other is the
insecure (or legacy) view. The secure view consists of an entirely insecure (or legacy) view. The secure view consists of an entirely
signed zone using Opt-In tagged NSEC records. The insecure view signed zone using Opt-In tagged NSEC records. The insecure view
contains no DNSSEC information. It is helpful, although not contains no DNSSEC information. It is helpful, although not
necessary, for the secure view to be a subset (minus DNSSEC records) necessary, for the secure view to be a subset (minus DNSSEC records)
of the insecure view. of the insecure view.
In addition, the only RRsets that may solely exist in the insecure In addition, the only RRsets that may solely exist in the insecure
view are non-zone-apex NS RRsets. That is, all non-NS RRsets (and the view are non-zone-apex NS RRsets. That is, all non-NS RRsets (and
zone apex NS RRset) MUST be signed and in the secure view. the zone apex NS RRset) MUST be signed and in the secure view.
These two views may be combined at request time to provide a virtual, These two views may be combined at request time to provide a virtual,
single Opt-In zone. The following algorithm is used when responding single Opt-In zone. The following algorithm is used when responding
to each query: to each query:
V_A is the secure view as described above. V_A is the secure view as described above.
V_B is the insecure view as described above. V_B is the insecure view as described above.
R_A is a response generated from V_A, following RFC 2535bis. R_A is a response generated from V_A, following RFC 2535bis.
R_B is a response generated from V_B, following DNS resolution as R_B is a response generated from V_B, following DNS resolution as
per RFC 1035 [1]. per RFC 1035 [1].
R_C is the response generated by combining R_A with R_B, as R_C is the response generated by combining R_A with R_B, as
described below. described below.
A query is DNSSEC-aware if it either has the DO bit [11] turned
A query is DNSSEC-aware if it either has the DO bit [10] turned
on, or is for a DNSSEC-specific record type. on, or is for a DNSSEC-specific record type.
1. If V_A is a subset of V_B and the query is not DNSSEC-aware, 1. If V_A is a subset of V_B and the query is not DNSSEC-aware,
generate and return R_B, otherwise generate and return R_B, otherwise
2. Generate R_A. 2. Generate R_A.
3. If R_A's RCODE != NXDOMAIN, return R_A, otherwise 3. If R_A's RCODE != NXDOMAIN, return R_A, otherwise
4. Generate R_B and combine it with R_A to form R_C: 4. Generate R_B and combine it with R_A to form R_C:
For each section (ANSWER, AUTHORITY, ADDITIONAL), copy the For each section (ANSWER, AUTHORITY, ADDITIONAL), copy the
records from R_A into R_B, EXCEPT the AUTHORITY section SOA records from R_A into R_B, EXCEPT the AUTHORITY section SOA
record, if R_B's RCODE = NOERROR. record, if R_B's RCODE = NOERROR.
5. Return R_C. 5. Return R_C.
Intellectual Property Statement Intellectual Property Statement
The IETF takes no position regarding the validity or scope of any The IETF takes no position regarding the validity or scope of any
intellectual property or other rights that might be claimed to Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights this document or the extent to which any license under such rights
might or might not be available; neither does it represent that it might or might not be available; nor does it represent that it has
has made any effort to identify any such rights. Information on the made any independent effort to identify any such rights. Information
IETF's procedures with respect to rights in standards-track and on the procedures with respect to rights in RFC documents can be
standards-related documentation can be found in BCP-11. Copies of found in BCP 78 and BCP 79.
claims of rights made available for publication and any assurances of
licenses to be made available, or the result of an attempt made to Copies of IPR disclosures made to the IETF Secretariat and any
obtain a general license or permission for the use of such assurances of licenses to be made available, or the result of an
proprietary rights by implementors or users of this specification can attempt made to obtain a general license or permission for the use of
be obtained from the IETF Secretariat. such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary copyrights, patents or patent applications, or other proprietary
rights which may cover technology that may be required to practice rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF Executive this standard. Please address the information to the IETF at
Director. ietf-ipr@ietf.org.
Full Copyright Statement
Copyright (C) The Internet Society (2003). All Rights Reserved. Disclaimer of Validity
This document and translations of it may be copied and furnished to This document and the information contained herein are provided on an
others, and derivative works that comment on or otherwise explain it "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
or assist in its implementation may be prepared, copied, published OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
and distributed, in whole or in part, without restriction of any ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
kind, provided that the above copyright notice and this paragraph are INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
included on all such copies and derivative works. However, this INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
document itself may not be modified in any way, such as by removing WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be Copyright Statement
revoked by the Internet Society or its successors or assignees.
This document and the information contained herein is provided on an Copyright (C) The Internet Society (2004). This document is subject
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING to the rights, licenses and restrictions contained in BCP 78, and
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING except as set forth therein, the authors retain all their rights.
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Acknowledgement Acknowledgment
Funding for the RFC Editor function is currently provided by the Funding for the RFC Editor function is currently provided by the
Internet Society. Internet Society.
 End of changes. 95 change blocks. 
167 lines changed or deleted 169 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/