< draft-ietf-dnsop-delegation-trust-maintainance-01.txt   draft-ietf-dnsop-delegation-trust-maintainance-02.txt >
dnsop W. Kumari dnsop W. Kumari
Internet-Draft Google Internet-Draft Google
Intended status: Informational O. Gudmundsson Intended status: Informational O. Gudmundsson
Expires: July 8, 2014 Shinkuro Inc. Expires: August 9, 2014 Shinkuro Inc.
G. Barwood G. Barwood
January 4, 2014 February 5, 2014
Automating DNSSEC delegation trust maintenance Automating DNSSEC delegation trust maintenance
draft-ietf-dnsop-delegation-trust-maintainance-01 draft-ietf-dnsop-delegation-trust-maintainance-02
Abstract Abstract
This document describes a method to allow DNS operators to more This document describes a method to allow DNS operators to more
easily update DNSSEC Key Signing Keys using DNS as communication easily update DNSSEC Key Signing Keys using DNS as communication
channel. This document does not address the initial configuration of channel. This document does not address the initial configuration of
trust anchors for a domain. The technique described is aimed at trust anchors for a domain. The technique described is aimed at
delegations in which it is currently hard to move information from delegations in which it is currently hard to move information from
the child to parent. the child to parent.
skipping to change at page 1, line 38 skipping to change at page 1, line 38
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on July 8, 2014. This Internet-Draft will expire on August 9, 2014.
Copyright Notice Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 20 skipping to change at page 2, line 20
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4
1.2. Requirements notation . . . . . . . . . . . . . . . . . . 4 1.2. Requirements notation . . . . . . . . . . . . . . . . . . 4
2. Background . . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Background . . . . . . . . . . . . . . . . . . . . . . . . . 4
2.1. DNS delegations . . . . . . . . . . . . . . . . . . . . . 4 2.1. DNS delegations . . . . . . . . . . . . . . . . . . . . . 4
2.2. Relationship between Parent and Child DNS operator . . . 5 2.2. Relationship between Parent and Child DNS operator . . . 5
2.2.1. Solution Space . . . . . . . . . . . . . . . . . . . 6 2.2.1. Solution Space . . . . . . . . . . . . . . . . . . . 6
2.2.2. DNSSEC key change process . . . . . . . . . . . . . . 7 2.2.2. DNSSEC key change process . . . . . . . . . . . . . . 7
3. CDS / CDNSKEY (Child DS/ Child DNSKEY) record definitions . . 7 3. CDS / CDNSKEY (Child DS/ Child DNSKEY) record definitions . . 7
3.1. CDS Resource Record Format . . . . . . . . . . . . . . . 7 3.1. CDS Resource Record Format . . . . . . . . . . . . . . . 8
3.2. CDNSKEY Resource Record Format . . . . . . . . . . . . . 8 3.2. CDNSKEY Resource Record Format . . . . . . . . . . . . . 8
4. Automating DS maintainance with CDS/CDNSKEY records . . . . . 8 4. Automating DS maintainance with CDS/CDNSKEY records . . . . . 8
4.1. CDS / CDNSKEY processing rules . . . . . . . . . . . . . 8 4.1. CDS / CDNSKEY processing rules . . . . . . . . . . . . . 9
5. Child's CDS / CDNSKEY Publication . . . . . . . . . . . . . . 9 5. Child's CDS / CDNSKEY Publication . . . . . . . . . . . . . . 9
6. Parent side CDS / CDNSKEY Consumption . . . . . . . . . . . . 9 6. Parent side CDS / CDNSKEY Consumption . . . . . . . . . . . . 9
6.1. Detecting a changed CDS / CDNSKEY . . . . . . . . . . . . 9 6.1. Detecting a changed CDS / CDNSKEY . . . . . . . . . . . . 10
6.1.1. CDS / CDNSKEY Polling . . . . . . . . . . . . . . . . 10 6.1.1. CDS / CDNSKEY Polling . . . . . . . . . . . . . . . . 10
6.1.2. Other mechanisms . . . . . . . . . . . . . . . . . . 10 6.1.2. Other mechanisms . . . . . . . . . . . . . . . . . . 10
6.2. Using the new CDS / CDNSKEY records . . . . . . . . . . . 10 6.2. Using the new CDS / CDNSKEY records . . . . . . . . . . . 11
6.2.1. Parent calculates DS . . . . . . . . . . . . . . . . 11 6.2.1. Parent calculates DS . . . . . . . . . . . . . . . . 11
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12
8. Privacy Considerations . . . . . . . . . . . . . . . . . . . 12 8. Privacy Considerations . . . . . . . . . . . . . . . . . . . 12
9. Security Considerations . . . . . . . . . . . . . . . . . . . 12 9. Security Considerations . . . . . . . . . . . . . . . . . . . 12
10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 13 10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 13
11. References . . . . . . . . . . . . . . . . . . . . . . . . . 13 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 14
11.1. Normative References . . . . . . . . . . . . . . . . . . 14 11.1. Normative References . . . . . . . . . . . . . . . . . . 14
11.2. Informative References . . . . . . . . . . . . . . . . . 14 11.2. Informative References . . . . . . . . . . . . . . . . . 14
Appendix A. RRR background . . . . . . . . . . . . . . . . . . . 15 Appendix A. RRR background . . . . . . . . . . . . . . . . . . . 15
Appendix B. Changes / Author Notes. . . . . . . . . . . . . . . 15 Appendix B. Changes / Author Notes. . . . . . . . . . . . . . . 16
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 17 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 18
1. Introduction 1. Introduction
When a DNS operator first signs their zone, they need to communicate When a DNS operator first signs their zone, they need to communicate
their DS record(s) (or DNSKEY(s)) to their parent through some out- their DS record(s) (or DNSKEY(s)) to their parent through some out-
of-band method to complete the chain of trust. of-band method to complete the chain of trust.
Each time the child changes/rolls the key that is represented in the Each time the child changes/rolls the key that is represented in the
parent, the new and/or deleted key information has to be communicated parent, the new and/or deleted key information has to be communicated
to the parent and published there. How this information is sent to to the parent and published there. How this information is sent to
skipping to change at page 3, line 22 skipping to change at page 3, line 22
DNSSEC provides data integrity to information published in DNS; thus DNSSEC provides data integrity to information published in DNS; thus
DNS publication can be used to automate maintenance of delegation DNS publication can be used to automate maintenance of delegation
information. This document describes a method to automate information. This document describes a method to automate
publication of subsequent DS records, after the initial one has been publication of subsequent DS records, after the initial one has been
published. published.
Readers are expected to be familiar with DNSSEC, including [RFC4033], Readers are expected to be familiar with DNSSEC, including [RFC4033],
[RFC4034], [RFC4035], [RFC5011] and [RFC6781]. [RFC4034], [RFC4035], [RFC5011] and [RFC6781].
This document is a compilation of two earlier drafts: draft-barwood- This document is a compilation of two earlier drafts: draft-barwood-
dnsop-ds-publish[I-D.ds-publish] and draft-wkumari-dnsop-ezkeyroll dnsop-ds-publish[I-D.ds-publish] and draft-wkumari-dnsop-ezkeyroll.
This document outlines a technique in which the parent periodically This document outlines a technique in which the parent periodically
(or upon request) polls its signed children and automatically publish (or upon request) polls its signed children and automatically publish
new DS records. To a large extent, the procedures this document new DS records. To a large extent, the procedures this document
follows are as described in [RFC6781] section 4.1.2 follows are as described in [RFC6781] section 4.1.2.
This technique is in some ways similar to RFC 5011 style rollovers, This technique is in some ways similar to RFC 5011 style rollovers,
but for sub-domains DS records, instead of trust anchors but for sub-domains DS records, instead of trust anchors.
This technique is designed to be friendly both to fully automated This technique is designed to be friendly both to fully automated
tools and humans. Fully automated tools can perform all the actions tools and humans. Fully automated tools can perform all the actions
needed without human intervention, and thus can monitor when it is needed without human intervention, and thus can monitor when it is
safe to move to the next step. safe to move to the next step.
CDS only allows transferring information about DNSSEC keys (DS and The solution described in this document only allows transferring
DNSKEY) from the child to the parental agent. It lists exactly what information about DNSSEC keys (DS and DNSKEY) from the child to the
the parent should publish, and allows for publication of stand-by parental agent. It lists exactly what the parent should publish, and
keys. A different protocol, [I-D.csync], can be used to maintain allows for publication of stand-by keys. A different protocol,
other important delegation information, such as NS and glue. These [I-D.csync], can be used to maintain other important delegation
two protocols have been kept as separate solutions because the information, such as NS and glue. These two protocols have been kept
problems are fundamentally different, and a combined solution is as separate solutions because the problems are fundamentally
overly complex. different, and a combined solution is overly complex.
This document describes a method for automating maintanance of the This document describes a method for automating maintanance of the
delegation trust information, and proposes a polled / periodic delegation trust information, and proposes a polled / periodic
trigger for simplicity. Some users may prefer a different trigger, trigger for simplicity. Some users may prefer a different trigger,
such as a button on a webpage, a REST interface, DNS NOTIFY, etc. such as a button on a webpage, a REST interface, DNS NOTIFY, etc.
These alternate / additional triggers are not discussed in this These alternate / additional triggers are not discussed in this
document. document.
1.1. Terminology 1.1. Terminology
There terminology we use is defined in this section The terminology we use is defined in this section
Highlighted roles Highlighted roles
o Child: "The entity on record that has the delegation of the domain o Child: "The entity on record that has the delegation of the domain
from the parent" from the parent"
o Parent: "The domain in which the child is registered" o Parent: "The domain in which the child is registered"
o Child DNS operator: "The entity that maintains and publishes the o Child DNS operator: "The entity that maintains and publishes the
zone information for the child DNS" zone information for the child DNS"
o Parent DNS operator: "The entity that maintains and publishes the o Parent DNS operator: "The entity that maintains and publishes the
zone information for the parent DNS" zone information for the parent DNS"
o Parental Agent: "The entity that the child has relationship with, o Parental Agent: "The entity that the child has relationship with,
to change its delegation information." to change its delegation information"
o Provisioning system: "A system that the operator of the master DNS o Provisioning system: "A system that the operator of the master DNS
server operates to maintain the information published in the DNS. server operates to maintain the information published in the DNS.
This includes the systems that sign the DNS data." This includes the systems that sign the DNS data"
RRR is our shorthand for Registry/Registrar/Registrant model of RRR is our shorthand for Registry/Registrar/Registrant model of
parent child relationship see Appendix A for more. parent child relationship see Appendix A for more.
1.2. Requirements notation 1.2. Requirements notation
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
2. Background 2. Background
2.1. DNS delegations 2.1. DNS delegations
DNS operation consists of delegations of authority. For each DNS operation consists of delegations of authority. For each
delegation there are (most of the time) two parties, the parent and delegation there are (most of the time) two parties: the parent and
the child. the child.
The parent publishes information about the delegations to the child; The parent publishes information about the delegations to the child;
for the name-servers it publishes an NS RRset that lists a hint for for the name-servers it publishes an NS [RFC1035] RRset that lists a
name-servers that are authoritative for the child. The child also hint for name-servers that are authoritative for the child. The
publishes a NS RRset, and this set is the authoritative list of name- child also publishes a NS RRset, and this set is the authoritative
servers to the child zone. list of name-servers to the child zone.
The second RRset the parent sometimes publishes is the DS set. The The second RRset the parent sometimes publishes is the DS [RFC4034]
DS RRset provides information about the key(s) that the child has set. The DS RRset provides information about the DNSKEY(s) that the
told the parent it will use to sign its DNSKEY RRset. In DNSSEC child has told the parent it will use to sign its DNSKEY RRset. In
trust relationship between zones is provided by the following chain: DNSSEC trust relationship between zones is provided by the following
chain:
parent DNSKEY --> DS --> child DNSKEY. parent DNSKEY --> DS --> child DNSKEY.
A prior proposal [I-D.auto-cpsync] suggested that the child send an A prior proposal [I-D.auto-cpsync] suggested that the child send an
"update" to the parent via a mechanism similar to Dynamic Update. "update" to the parent via a mechanism similar to Dynamic Update.
The main issue became: How does the child find the actual parental The main issue became: How does the child find the actual parental
agent/server to send the update to? While that could have been agent/server to send the update to? While that could have been
solved via technical means, the proposal died. solved via technical means, the proposal died. There is also a
similar proposal in [I-D.parent-zones]
As the DS record can only be present at the parent RFC4034 [RFC4034], As the DS record can only be present at the parent (RFC4034
some other record/method is needed to automate the expression of what [RFC4034]), some other record/method is needed to automate which
the parental zone DS records contents ought to be. One possibility DNSKEYs are picked to be represented in the parent zone's DS records.
is to use flags in the DNSKEY record. If the SEP bit is set, this One possibility is to use flags in the DNSKEY record. If the SEP bit
indicates that the DNSKEY is intended for use as a secure entry is set, this indicates that the DNSKEY is intended for use as a
point. This DNSKEY signs the DNSKEY RRset, and the Parental Agent secure entry point. This DNSKEY signs the DNSKEY RRset, and the
can calculate DS records based on that. But this fails to meet some Parental Agent can calculate DS records based on that. But this
operating needs, including the child having no influence what DS fails to meet some operating needs, including the child having no
digest algorithms are used and DS records can only be published for influence what DS digest algorithms are used and DS records can only
keys that are in the DNSKEY RRset. be published for keys that are in the DNSKEY RRset.
2.2. Relationship between Parent and Child DNS operator 2.2. Relationship between Parent and Child DNS operator
In the real world, there are many different relationships between the In practical application, there are many different relationships
parent and child DNS operators. The type of relationship affects how between the parent and child DNS operators. The type of relationship
the child operator communicates with the parent. This section will affects how the Child DNS Operator communicates with the parent.
highlight some of the different situations, but is by no means a This section will highlight some of the different situations, but is
complete list. by no means a complete list.
Different communication paths: Different communication paths:
o Direct/API: The child can change the delegation information via o Direct/API: The child can change the delegation information via
automated/scripted means EPP[RFC5730] used by many TLDs is an automated/scripted means EPP[RFC5730] used by many TLDs is an
example of this. Another example is the web service's example of this. Another example is the web service's
programmatic interfaces that Registrars make available to their programmatic interfaces that Registrars make available to their
Reseller's. Resellers.
o User Interface: The Child uses a (web) site set up by the Parental o User Interface: The Child uses a (web) site set up by the Parental
Agent for updating delegation information. Agent for updating delegation information.
o Indirect: The communication has to be transmitted via out-of-band o Indirect: The communication has to be transmitted via out-of-band
between two parties, such as email, telephone etc.. This is common between two parties, such as email, telephone etc.. This is common
when the Child's DNS operator is neither the child itself nor the when the Child's DNS operator is neither the child itself nor the
Registrar for the domain but a third party. Registrar for the domain but a third party.
o Multi-step Combinations: The information flows through an o Multi-step Combinations: The information flows through an
intermediary. It is possible, but unlikely, that all the steps intermediary. It is possible, but unlikely, that all the steps
are automated via API's and there are no humans are involved. are automated via API's and there are no humans are involved.
A domain name holder (Child) may operate its own DNS servers or A domain name holder (Child) may operate its own DNS servers or
outsource the operation. While we use the word parent as a singular, outsource the operation. While we use the word parent as a singular,
parent can consist of single entity or a composite of many discrete parent can consist of single entity or a composite of many discrete
parts that have rules and roles. We refer to the entity that the parts that have rules and roles. We refer to the entity that the
child corresponds with as the Parent. child corresponds with as the Parent.
Another common case is the enterprise case in which an organization In another common case an enterprise may delegate parts of its name-
may delegate parts of its name-space to be operated by a group that space to be operated by a group that is not the same as that which
is not the same as that which operates the enterprise's DNS servers. operates the enterprise's DNS servers. In this case the flow of
In this case the flow of information is frequently handled in either information is frequently handled in either an ad hoc manner or via
an ad hoc manner or via some corporate mechanism; this can range from some corporate mechanism; this can range from email to fully-
email to fully-automated operation. The word enterprise above covers automated operation. The word enterprise above covers all
all organizations where the domains are not sold on the open market organizations in which the domains are not sold on the open market
and there is some relationship between the entities. and there is some relationship between the entities.
2.2.1. Solution Space 2.2.1. Solution Space
This document is aimed at the cases in which there is an This document is aimed at the cases in which there is an
organizational separation of the child and parent. organizational separation of the child and parent.
A further complication is when the Child DNS Operation is not the A further complication is when the Child DNS operator is not the
Child. There are two common cases of this, Child. There are two common cases of this,
a) The Parental Agent (e.g. registrar) handles the DNS operation a) The Parental Agent (e.g. registrar) handles the DNS operation
b) A third party takes care of the DNS operation. b) A third party takes care of the DNS operation.
If the Parental Agent is the DNS operator, life is much easier, as If the Parental Agent is the DNS operator, life is much easier; the
the Parental Agent can inject any delegation changes directly into Parental Agent can inject any delegation changes directly into the
the Parents Provisioning system. The techniques described below are Parent's Provisioning system. The techniques described below are not
not needed in the case when Parental Agent is the DNS operator. needed in the case when Parental Agent is the DNS operator.
In the case of a third party DNS operator, the Child either needs to In the case of a third party DNS operator, the Child either needs to
relay changes in DNS delegation or give the Child Operator access to relay changes in DNS delegation or give the Child DNS Operator access
its delegation/registration account. to its delegation/registration account.
Some parents want the child to express the changes in trust anchors Some parents want the child to express their DNSKEYS in the form of
via DS records, while others want to receive DNSKEY records and DS records, while others want to receive the DNSKEY records and
calculate the DS records themselves. There is no consensus on which calculate the DS records themselves. There is no consensus on which
method is better; both have good reasons to exist. The proposal method is better; both have good reasons to exist. The proposal
below can operate with both models, but the child needs to be aware below can operate with both models, but the child needs to be aware
of the parental policies. of the parental policies.
2.2.2. DNSSEC key change process 2.2.2. DNSSEC key change process
After a Child DNS operator first signs the zone, there is a need to After a Child DNS operator first signs the zone, there is a need to
interact with the Parent, for example via the delegation account interact with the Parent, for example via the delegation account
interface, to "upload / paste-in the zone's DS information". The interface, to "upload / paste-in the zone's DS information". The
action of logging in through the delegation account user interface action of logging in through the delegation account user interface
authenticates that the user is authorized to change delegation authenticates that the user is authorized to change delegation
information published in the parent zone. In the case where the information for the child published in the parent zone. In the case
"Child DNS Operator" does not have access to the registration where the "Child DNS Operator" does not have access to the
account, the Child needs to perform the action. registration account, the Child needs to perform the action.
At a later date, the Child Operator may want to publish a new DS At a later date, the Child DNS Operator may want to publish a new DS
record in the parent, either because they are rolling keys, or record in the parent, either because they are rolling keys, or
because they want to publish a stand-by key. This involves because they want to publish a stand-by key. This involves
performing the same process as before. Furthermore when this is a performing the same process as before. Furthermore when this is a
manual process with cut and paste; operational mistakes will happen. manual process with cut and paste, operational mistakes will happen
Or worse the update action in not performed at all. -- or worse, the update action is not performed at all.
3. CDS / CDNSKEY (Child DS/ Child DNSKEY) record definitions 3. CDS / CDNSKEY (Child DS/ Child DNSKEY) record definitions
This document specifies two new DNS RRtypes (CDS and CDNSKEY) that This document specifies two new DNS RRtypes (CDS and CDNSKEY) that
indicates what the Child wants to be in the parents DS RRset. It indicates what the Child wants the parent's DS RRset to contain. It
allows the Child to present DS records and / or DNSKEY records (for allows the Child to present DS records and / or DNSKEY records (for
those parents who would rather generate the DS records for their those parents who would rather generate the DS records for their
children). children).
The CDS / CDNSKEY record is published in the child zone and gives the The CDS / CDNSKEY record is published in the child zone and gives the
child control of what is published for it in the parental zone. The child control of what is published for it in the parental zone. The
CDS / CDNSKEY RRset expresses what the child would like the DS RRset CDS / CDNSKEY RRset expresses what the child would like the DS RRset
to look like after the change; it is a "replace" operation, and it is to look like after the change; it is a "replace" operation, and it is
up to the consumer of the records to translate that into the up to the consumer of the records to translate that into the
appropriate add/delete operations in the registration systems (and in appropriate add/delete operations in the registration systems (and in
the case of CDNSKEY, to generate the DS from the DNSKEY). the case of CDNSKEY, to generate the DS from the DNSKEY).
[RFC Editor: Please remove this paragraph before publication] Version [[RFC Editor: Please remove this paragraph before publication]
-04 of this document defined a new record (CTA) that could hold Version -04 of the ID that became this document (http://
either a DS or a DNSKEY record (with a selector to differentiate tools.ietf.org/id/draft-kumari-ogud-dnsop-cds-04.txt) defined a new
between them). ] record (CTA) that could hold either a DS or a DNSKEY record (with a
selector to differentiate between them). In a shocking development,
there was almost full consensus that this was horrid :-) ]
3.1. CDS Resource Record Format 3.1. CDS Resource Record Format
The wire and presentation format of the CDS ("Child DS") record is The wire and presentation format of the CDS ("Child DS") record is
identical to the DS record [RFC4034]. IANA has allocated RR code 59 identical to the DS record [RFC4034]. IANA has allocated RR code 59
for the CDS record via expert review [I-D.ds-publish]. for the CDS record via expert review [I-D.ds-publish].
No special processing is performed by authoritative servers or by No special processing is performed by authoritative servers or by
revolvers, when serving or resolving. For all practical purposes CDS revolvers, when serving or resolving. For all practical purposes CDS
is a regular RR type. is a regular RR type.
skipping to change at page 9, line 17 skipping to change at page 9, line 29
If any these conditions fail the CDS / CDNSKEY record MUST be If any these conditions fail the CDS / CDNSKEY record MUST be
ignored. ignored.
5. Child's CDS / CDNSKEY Publication 5. Child's CDS / CDNSKEY Publication
Child DNS Operator SHOULD only publish a CDS or CDNSKEY RRset when it Child DNS Operator SHOULD only publish a CDS or CDNSKEY RRset when it
wants to make a change to the DS RRset in the Parent. The CDS / wants to make a change to the DS RRset in the Parent. The CDS /
CDNSKEY RRset SHOULD be compliant with the rules in Section 4.1. CDNSKEY RRset SHOULD be compliant with the rules in Section 4.1.
When the Parent DS is "in-sync" with the CDS, the Child DNS Operator When the Parent DS is "in-sync" with the CDS, the Child DNS Operator
SHOULD/MUST delete the CDS RRset. Note that if the child has MAY delete the CDS RRset. Note that if the child has published a
published a DNSKEY RR in the CDS, it will have to calculate the DS DNSKEY RR in the CDS, it will have to calculate the DS (using the
(using the requested digest algorithm) to do the comparison. requested digest algorithm) to do the comparison.
A child MAY publish both CDS and CDNSKEY. If a child chooses to A child MAY publish both CDS and CDNSKEY. If a child chooses to
publish both, it SHOULD attempt to maintain consistency (a matching publish both, it SHOULD attempt to maintain consistency (a matching
CDS for each CDNSKEY) CDS for each CDNSKEY)
6. Parent side CDS / CDNSKEY Consumption 6. Parent side CDS / CDNSKEY Consumption
The CDS / CDNSKEY RRset MAY be used by the Parental Agent to update The CDS / CDNSKEY RRset MAY be used by the Parental Agent to update
the DS RRset in the parent zone. The Parental Agent for this uses a the DS RRset in the parent zone. The Parental Agent for this uses a
tool that understands the CDS / CDNSKEY signing rules from tool that understands the CDS / CDNSKEY signing rules from
skipping to change at page 10, line 21 skipping to change at page 10, line 35
6.1.1. CDS / CDNSKEY Polling 6.1.1. CDS / CDNSKEY Polling
This is the only defined use of CDS / CDNSKEY in this document. This is the only defined use of CDS / CDNSKEY in this document.
There are limits to the saleability of polling techniques, thus some There are limits to the saleability of polling techniques, thus some
other mechanism is likely to be specified later that addresses CDS / other mechanism is likely to be specified later that addresses CDS /
CDNSKEY usage in the situation where polling does not scale to. CDNSKEY usage in the situation where polling does not scale to.
Having said that Polling will work in many important cases like Having said that Polling will work in many important cases like
enterprises, universities, small TLDs etc. In many regulatory enterprises, universities, small TLDs etc. In many regulatory
environments the registry is prohibited from talking to the environments the registry is prohibited from talking to the
registrant. In most these cases the registrant has a business registrant. In most of these cases the registrant has a business
relationship with the registrar, and so the registrar can offer this relationship with the registrar, and so the registrar can offer this
as a service. as a service.
If the CDS / CDNSKEY RRset does not exist, the Parental Agent MUST If the CDS / CDNSKEY RRset does not exist, the Parental Agent MUST
take no action. Specifically it MUST NOT delete or alter the take no action. Specifically it MUST NOT delete or alter the
existing DS RRset. existing DS RRset.
6.1.2. Other mechanisms 6.1.2. Other mechanisms
It is assume that other mechanisms will be implemented to trigger the It is assumed that other mechanisms will be implemented to trigger
parent to look for an updated CDS. As the CDS RR is validated with the parent to look for an updated CDS / CDNSKEY record. As the CDS /
DNSSEC, these mechanisms can be unauthenticated (for example, a child CDNSKEY records are validated with DNSSEC, these mechanisms can be
could call his parent and request the CDS action be performed, an unauthenticated (for example, a child could telephone its parent and
request that they process the new CDS or CDNSKEY record, an
unauthenticated POST could be made to a webserver (with rate- unauthenticated POST could be made to a webserver (with rate-
limiting), etc.) limiting), etc.)
Other documents can specify the trigger conditions. Other documents can specify the trigger conditions.
6.2. Using the new CDS / CDNSKEY records 6.2. Using the new CDS / CDNSKEY records
Regardless of how the Parental Agent detected changes to a CDS / Regardless of how the Parental Agent detected changes to a CDS /
CDNSKEY RR, the Parental Agent MUST use a DNSSEC validator to obtain CDNSKEY RR, the Parental Agent MUST use a DNSSEC validator to obtain
a validated CDS / CDNSKEY RRset from the Child zone. It would be a a validated CDS / CDNSKEY RRset from the Child zone. It would be a
good idea if the Parental Agent checked all NS RRs listed at the good idea if the Parental Agent checked all NS RRs listed at the
delegation. However, due to the use of technologies such as load delegation. However, due to the use of technologies such as load
balancing and anycast, this should not be taken as proof that the new balancing and anycast, this should not be taken as proof that the new
skipping to change at page 11, line 35 skipping to change at page 12, line 4
There are cases where the Parent wants to calculate the DS record due There are cases where the Parent wants to calculate the DS record due
to policy reasons. In this case, the Child publishes CDNSKEY records to policy reasons. In this case, the Child publishes CDNSKEY records
containing DNSKEYs. containing DNSKEYs.
The parent calculates the DS records on behalf of the children. The The parent calculates the DS records on behalf of the children. The
DNS Parent needs to publish guidelines for the children as to what DNS Parent needs to publish guidelines for the children as to what
digest algorithms are acceptable in the CDS record. digest algorithms are acceptable in the CDS record.
When a Parent operates in "calculate DS" mode it can operate in one When a Parent operates in "calculate DS" mode it can operate in one
of two sub-modes of two sub-modes
full i.e. it only publishes DS records it calculates from DNSKEY full i.e. it only publishes DS records it calculates from DNSKEY
records, records,
augment i.e. it will make sure there are DS records for the digest augment i.e. it will make sure there are DS records for the digest
algorithm(s) it requires(s). algorithm(s) it requires(s).
Implications on Parental Agent are that the CDNSKEY and DS are not Implications on Parental Agent are that the CDNSKEY and DS are not
exactly the same after update thus it needs to take that into exactly the same after update thus it needs to take that into
consideration when checking CDNSKEY records. Same goes for the Child consideration when checking CDNSKEY records. Same goes for the Child
Operator, it needs to be able to detect that the new DS RRset is DNS Operator, it needs to be able to detect that the new DS RRset is
"equivalent" to the current CDNSKEY RRset, thus it can remove the "equivalent" to the current CDNSKEY RRset, thus it can remove the
CDNSKEY RRset. CDNSKEY RRset.
7. IANA Considerations 7. IANA Considerations
IANA has assigned RR Type code 59 for CDS. This was done for an IANA has assigned RR Type code 59 for CDS. This was done for an
earlier version of this document[I-D.ds-publish] This document is to earlier version of this document[I-D.ds-publish] This document is to
become the reference for CDS RRtype. become the reference for CDS RRtype.
IANA is requested to assign another RR Type for the CDNSKEY. IANA is requested to assign another RR Type for the CDNSKEY.
8. Privacy Considerations 8. Privacy Considerations
All of the information handled / transmitted by this protocol is All of the information handled / transmitted by this protocol is
public information published in the DNS. public information published in the DNS.
9. Security Considerations 9. Security Considerations
This work is for the normal case, when things go wrong there is only This work is for the normal case; when things go wrong there is only
so much that automation can fix. so much that automation can fix.
If child breaks DNSSEC validation by removing all the DNSKEYs that If child breaks DNSSEC validation by removing all the DNSKEYs that
are represented in the DS set its only repair actions are to contact are represented in the DS set its only repair actions are to contact
the parent or restore the DNSKEYs in the DS set. the parent or restore the DNSKEYs in the DS set.
In the event of a compromise of the server or system generating In the event of a compromise of the server or system generating
signatures for a zone, an attacker might be able to generate and signatures for a zone, an attacker might be able to generate and
publish new CDS records. The modified CDS records will be picked up publish new CDS records. The modified CDS records will be picked up
by this technique and so may allow the attacker to extend the by this technique and so may allow the attacker to extend the
effective time of his attack. If there a delay in accepting changes effective time of his attack. If there a delay in accepting changes
to DS, as in RFC5011, then the attacker needs to hope his activity is to DS, as in RFC5011, then the attacker needs to hope his activity is
not detected before the DS in parent is changed. If this type of not detected before the DS in parent is changed. If this type of
change takes place, the child need to contact the parent (possibly change takes place, the child needs to contact the parent (possibly
via a registrar web interface) and remove any compromised DS keys. via a registrar web interface) and remove any compromised DS keys.
A compromise of the account with the parent (e.g. registrar) will not A compromise of the account with the parent (e.g. registrar) will not
be mitigated by this technique, as the "new registrant" can delete/ be mitigated by this technique, as the "new registrant" can delete/
modify the DS records at will. modify the DS records at will.
While it may be tempting, this SHOULD NOT be used for initial While it may be tempting, this SHOULD NOT be used for initial
enrollment of keys since there is no way to ensure that the initial enrollment of keys since there is no way to ensure that the initial
key is the correct one. If is used, strict rules for inclusion of key is the correct one. If is used, strict rules for inclusion of
keys like hold down times, challenge data inclusion etc., ought to be keys like hold down times, challenge data inclusion etc., ought to be
skipping to change at page 13, line 9 skipping to change at page 13, line 20
The CDS RR type should allow for enhanced security by simplifying The CDS RR type should allow for enhanced security by simplifying
process. Since rollover is automated, updating a DS RRset by other process. Since rollover is automated, updating a DS RRset by other
means may be regarded as unusual and subject to extra security means may be regarded as unusual and subject to extra security
checks. checks.
If there is a failure in applying changes in child zone to all DNS If there is a failure in applying changes in child zone to all DNS
servers listed in either parent or child NS set it is possible that servers listed in either parent or child NS set it is possible that
the Parental agent may get confused either not perform action because the Parental agent may get confused either not perform action because
it gets different answers on different checks or CDS validation it gets different answers on different checks or CDS validation
fails. In the worst case Parental Agent performs an action reversing fails. In the worst case, Parental Agent performs an action
a prior action but after the child signing system decides to take the reversing a prior action but after the child signing system decides
next step in rollover, resulting in a broken delegation. to take the next step in rollover, resulting in a broken delegation.
DNS is a loosely coherent distributed database with local caching; DNS is a loosely coherent distributed database with local caching;
therefore it is important to allow old information to expire from therefore, it is important to allow old information to expire from
caches before deleting DS or DNSKEY records. Similarly, it is caches before deleting DS or DNSKEY records. Similarly, it is
important to allow new records to propagate through the DNS before important to allow new records to propagate through the DNS before
use, see [RFC6781] and [I-D.key-time] use, see [RFC6781] and [I-D.key-time]
It is common practice for users to outsource their DNS hosting to a It is common practice for users to outsource their DNS hosting to a
3rd party DNS provider. In order for that provider to be able to 3rd party DNS provider. In order for that provider to be able to
maintain the DNSSEC information some users give the provider their maintain the DNSSEC information some users give the provider their
registrar login credentials (which obviously has negative security registrar login credentials (which obviously has negative security
implications). Deploying the solution described in this document implications). Deploying the solution described in this document
allows the 3rd party DNS provider to maintain the DNSSEC information allows the 3rd party DNS provider to maintain the DNSSEC information
skipping to change at page 13, line 42 skipping to change at page 14, line 6
10. Acknowledgements 10. Acknowledgements
We would like to thank a large number of folk, including: Mark We would like to thank a large number of folk, including: Mark
Andrews, Joe Abley, Jaap Akkerhuis, Roy Arends, Doug Barton, Brian Andrews, Joe Abley, Jaap Akkerhuis, Roy Arends, Doug Barton, Brian
Dickinson, Paul Ebersman, Tony Finch, Patrik Faltsrom, Jim Galvin, Dickinson, Paul Ebersman, Tony Finch, Patrik Faltsrom, Jim Galvin,
Paul Hoffman, Olaf Kolkman, Cricket Liu, Stephan Lagerholm, Matt Paul Hoffman, Olaf Kolkman, Cricket Liu, Stephan Lagerholm, Matt
Larson, Marco Sanz, Antoin Verschuren, Suzanne Woolf, Paul Wouters, Larson, Marco Sanz, Antoin Verschuren, Suzanne Woolf, Paul Wouters,
Matthijs Meeking, John Dickinson, Timothe Litt and Edward Lewis. Matthijs Meeking, John Dickinson, Timothe Litt and Edward Lewis.
Special thanks to Wes Hardaker for contributing significant text and Special thanks to Wes Hardaker for contributing significant text and
creating the complementary (CSYNC) solution, and to Paul Hoffman for creating the complementary (CSYNC) solution, and to Paul Hoffman and
some text. Mukund Sivaraman for text and review.
There were a number of other folk with whom we discussed this, There were a number of other folk with whom we discussed this,
apologies for not remembering everyone. apologies for not remembering everyone.
11. References 11. References
11.1. Normative References 11.1. Normative References
[RFC1035] Mockapetris, P., "Domain names - implementation and
specification", STD 13, RFC 1035, November 1987.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "DNS Security Introduction and Requirements", RFC Rose, "DNS Security Introduction and Requirements", RFC
4033, March 2005. 4033, March 2005.
[RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "Resource Records for the DNS Security Extensions", Rose, "Resource Records for the DNS Security Extensions",
RFC 4034, March 2005. RFC 4034, March 2005.
skipping to change at page 14, line 49 skipping to change at page 15, line 14
[I-D.ds-publish] [I-D.ds-publish]
Barwood, G., "DNS Transport", draft-barwood-dnsop-ds- Barwood, G., "DNS Transport", draft-barwood-dnsop-ds-
publish-02 (work in progress), June 2011. publish-02 (work in progress), June 2011.
[I-D.key-time] [I-D.key-time]
Mekking, W., "DNSSEC Key Timing Considerations", draft- Mekking, W., "DNSSEC Key Timing Considerations", draft-
ietf-dnsop-dnssec-key-timing-03 (work in progress), July ietf-dnsop-dnssec-key-timing-03 (work in progress), July
2012. 2012.
[I-D.parent-zones]
Andrews, M., "Updating Parent Zones", November 2013.
[RFC5730] Hollenbeck, S., "Extensible Provisioning Protocol (EPP)", [RFC5730] Hollenbeck, S., "Extensible Provisioning Protocol (EPP)",
STD 69, RFC 5730, August 2009. STD 69, RFC 5730, August 2009.
[RFC5910] Gould, J. and S. Hollenbeck, "Domain Name System (DNS) [RFC5910] Gould, J. and S. Hollenbeck, "Domain Name System (DNS)
Security Extensions Mapping for the Extensible Security Extensions Mapping for the Extensible
Provisioning Protocol (EPP)", RFC 5910, May 2010. Provisioning Protocol (EPP)", RFC 5910, May 2010.
Appendix A. RRR background Appendix A. RRR background
In the RRR world, the different parties are frequently from different In the RRR world, the different parties are frequently from different
skipping to change at page 15, line 40 skipping to change at page 16, line 9
In many RRR cases the Registrar and Registry communicate via In many RRR cases the Registrar and Registry communicate via
EPP[RFC5730] and use the EPP DNSSEC extension [RFC5910]. In a number EPP[RFC5730] and use the EPP DNSSEC extension [RFC5910]. In a number
of ccTLDs there are other mechanisms in use as well as EPP, but in of ccTLDs there are other mechanisms in use as well as EPP, but in
general there seems to be a movement towards EPP usage when DNSSEC is general there seems to be a movement towards EPP usage when DNSSEC is
enabled in the TLD. enabled in the TLD.
Appendix B. Changes / Author Notes. Appendix B. Changes / Author Notes.
[RFC Editor: Please remove this section before publication ] [RFC Editor: Please remove this section before publication ]
WG-01 to WG-02
o Many nits and suggestions from Mukund.
o Matthijs: " I still think that it is too strong that the Child DNS
Operator SHOULD/MUST delete the CDS RRset when the Parent DS is
"in-sync". This should be a MAY"
WG-00 to WG-01 WG-00 to WG-01
o Addressed Vancouver: "Paul Hoffmann: NOT ready for WGLC. None of o Addressed Vancouver: "Paul Hoffmann: NOT ready for WGLC. None of
the 2 documents explain why there is a split between the two the 2 documents explain why there is a split between the two
strategies." Thanks to Paul for providing text. strategies." Thanks to Paul for providing text.
From -05 to WG-00: From -05 to WG-00:
o Nothing rchanged, resubmit under new name. o Nothing rchanged, resubmit under new name.
 End of changes. 49 change blocks. 
97 lines changed or deleted 115 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/