< draft-ietf-dnsop-delegation-trust-maintainance-04.txt   draft-ietf-dnsop-delegation-trust-maintainance-05.txt >
dnsop W. Kumari dnsop W. Kumari
Internet-Draft Google Internet-Draft Google
Intended status: Informational O. Gudmundsson Intended status: Informational O. Gudmundsson
Expires: October 12, 2014 Shinkuro Inc. Expires: October 13, 2014 Shinkuro Inc.
G. Barwood G. Barwood
April 10, 2014 April 11, 2014
Automating DNSSEC delegation trust maintenance Automating DNSSEC Delegation Trust Maintenance
draft-ietf-dnsop-delegation-trust-maintainance-04 draft-ietf-dnsop-delegation-trust-maintainance-05
Abstract Abstract
This document describes a method to allow DNS operators to more This document describes a method to allow DNS operators to more
easily update DNSSEC Key Signing Keys using the DNS as communication easily update DNSSEC Key Signing Keys using the DNS as communication
channel. This document does not address the initial configuration of channel. This document does not address the initial configuration of
trust anchors for a domain. The technique described is aimed at trust anchors for a domain. The technique described is aimed at
delegations in which it is currently hard to move information from delegations in which it is currently hard to move information from
the child to parent. the child to parent.
skipping to change at page 1, line 38 skipping to change at page 1, line 38
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on October 12, 2014. This Internet-Draft will expire on October 13, 2014.
Copyright Notice Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4
1.2. Requirements notation . . . . . . . . . . . . . . . . . . 4 1.2. Requirements Notation . . . . . . . . . . . . . . . . . . 4
2. Background . . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Background . . . . . . . . . . . . . . . . . . . . . . . . . 4
2.1. DNS delegations . . . . . . . . . . . . . . . . . . . . . 4 2.1. DNS Delegations . . . . . . . . . . . . . . . . . . . . . 4
2.2. Relationship between Parent and Child DNS operator . . . 5 2.2. Relationship Between Parent and Child DNS Operator . . . 5
2.2.1. Solution Space . . . . . . . . . . . . . . . . . . . 6 2.2.1. Solution Space . . . . . . . . . . . . . . . . . . . 6
2.2.2. DNSSEC key change process . . . . . . . . . . . . . . 7 2.2.2. DNSSEC key change process . . . . . . . . . . . . . . 7
3. CDS / CDNSKEY (Child DS/ Child DNSKEY) record definitions . . 7 3. CDS / CDNSKEY (Child DS/ Child DNSKEY) Record Definitions . . 7
3.1. CDS Resource Record Format . . . . . . . . . . . . . . . 8 3.1. CDS Resource Record Format . . . . . . . . . . . . . . . 8
3.2. CDNSKEY Resource Record Format . . . . . . . . . . . . . 8 3.2. CDNSKEY Resource Record Format . . . . . . . . . . . . . 8
4. Automating DS maintainance with CDS/CDNSKEY records . . . . . 8 4. Automating DS Maintainance With CDS/CDNSKEY records . . . . . 8
4.1. CDS / CDNSKEY processing rules . . . . . . . . . . . . . 9 4.1. CDS / CDNSKEY Processing Rules . . . . . . . . . . . . . 9
5. Child's CDS / CDNSKEY Publication . . . . . . . . . . . . . . 9 5. CDS / CDNSKEY Publication . . . . . . . . . . . . . . . . . . 9
6. Parent side CDS / CDNSKEY Consumption . . . . . . . . . . . . 10 6. Parent Side CDS / CDNSKEY Consumption . . . . . . . . . . . . 9
6.1. Detecting a changed CDS / CDNSKEY . . . . . . . . . . . . 10 6.1. Detecting a Changed CDS / CDNSKEY . . . . . . . . . . . . 10
6.1.1. CDS / CDNSKEY Polling . . . . . . . . . . . . . . . . 10 6.1.1. CDS / CDNSKEY Polling . . . . . . . . . . . . . . . . 10
6.1.2. Other mechanisms . . . . . . . . . . . . . . . . . . 11 6.1.2. Other Mechanisms . . . . . . . . . . . . . . . . . . 10
6.2. Using the new CDS / CDNSKEY records . . . . . . . . . . . 11 6.2. Using the New CDS / CDNSKEY Records . . . . . . . . . . . 11
6.2.1. Parent calculates DS . . . . . . . . . . . . . . . . 12 6.2.1. Parent Calculates DS . . . . . . . . . . . . . . . . 11
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12
8. Privacy Considerations . . . . . . . . . . . . . . . . . . . 12 8. Privacy Considerations . . . . . . . . . . . . . . . . . . . 12
9. Security Considerations . . . . . . . . . . . . . . . . . . . 12 9. Security Considerations . . . . . . . . . . . . . . . . . . . 12
10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 14 10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 14
11. References . . . . . . . . . . . . . . . . . . . . . . . . . 14 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 14
11.1. Normative References . . . . . . . . . . . . . . . . . . 14 11.1. Normative References . . . . . . . . . . . . . . . . . . 14
11.2. Informative References . . . . . . . . . . . . . . . . . 15 11.2. Informative References . . . . . . . . . . . . . . . . . 15
Appendix A. RRR background . . . . . . . . . . . . . . . . . . . 15 Appendix A. RRR background . . . . . . . . . . . . . . . . . . . 15
Appendix B. Changes / Author Notes. . . . . . . . . . . . . . . 16 Appendix B. Changes / Author Notes. . . . . . . . . . . . . . . 16
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 18 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 18
1. Introduction 1. Introduction
When a DNS operator first signs their zone, they need to communicate When a DNS operator first signs their zone, they need to communicate
their DS record(s) (or DNSKEY(s)) to their parent through some out- their DS record(s) (or DNSKEY(s)) to their parent through some out-
of-band method to complete the chain of trust. of-band method to complete the chain of trust.
Each time the child changes/rolls the key that is represented in the Each time the child changes/rolls the key that is represented in the
parent, the new and/or deleted key information has to be communicated parent, the new and/or deleted key information has to be communicated
to the parent and published there. How this information is sent to to the parent and in the parent's zone. How this information is sent
the parent depends on the relationship the child has with the parent. to the parent depends on the relationship the child has with the
parent. In many cases this is a manual process, and not an easy one.
In many cases this is a manual process, and not an easy one. For For each key roll, there may be up to two interactions with the
each key roll, there may be two interactions with the parent. Any parent. Any manual process is susceptible to mistakes and/or errors.
manual process is susceptible to mistakes and/or errors. In In addition, due to the annoyance factor of the process, operators
addition, due to the annoyance factor of the process, operators may may avoid performing key rollovers or skip needed steps to publish
avoid performing key rollovers or skip needed steps to publish the the new DS at the parent.
new DS at the parent.
DNSSEC provides data integrity to information published in DNS; thus DNSSEC provides data integrity to information published in DNS; thus
DNS publication can be used to automate maintenance of delegation DNS publication can be used to automate maintenance of delegation
information. This document describes a method to automate information. This document describes a method to automate
publication of subsequent DS records, after the initial one has been publication of subsequent DS records, after the initial one has been
published. published.
Readers are expected to be familiar with DNSSEC, including [RFC4033], Readers are expected to be familiar with DNSSEC, including [RFC4033],
[RFC4034], [RFC4035], [RFC5011] and [RFC6781]. [RFC4034], [RFC4035], [RFC5011] and [RFC6781].
This document is a compilation of two earlier drafts: draft-barwood- This document is a compilation of two earlier drafts: draft-barwood-
dnsop-ds-publish[I-D.ds-publish] and draft-wkumari-dnsop-ezkeyroll. dnsop-ds-publish[I-D.ds-publish] and draft-wkumari-dnsop-ezkeyroll.
This document outlines a technique in which the parent periodically This document outlines a technique in which the parent periodically
(or upon request) polls its signed children and automatically publish (or upon request) polls its signed children and automatically publish
new DS records. To a large extent, the procedures this document new DS records. To a large extent, the procedures this document
follows are as described in [RFC6781] section 4.1.2. follows are as described in [RFC6781] section 4.1.2.
This technique is in some ways similar to [RFC5011] style rollovers,
but for sub-domains DS records, instead of trust anchors.
This technique is designed to be friendly both to fully automated This technique is designed to be friendly both to fully automated
tools and humans. Fully automated tools can perform all the actions tools and humans. Fully automated tools can perform all the actions
needed without human intervention, and thus can monitor when it is needed without human intervention, and thus can monitor when it is
safe to move to the next step. safe to move to the next step.
The solution described in this document only allows transferring The solution described in this document only allows transferring
information about DNSSEC keys (DS and DNSKEY) from the child to the information about DNSSEC keys (DS and DNSKEY) from the child to the
parental agent. It lists exactly what the parent should publish, and parental agent. It lists exactly what the parent should publish, and
allows for publication of stand-by keys. A different protocol, allows for publication of stand-by keys. A different protocol,
[I-D.csync], can be used to maintain other important delegation [I-D.csync], can be used to maintain other important delegation
information, such as NS and glue. These two protocols have been kept information, such as NS and glue. These two protocols have been kept
as separate solutions because the problems are fundamentally as separate solutions because the problems are fundamentally
different, and a combined solution is overly complex. different, and a combined solution is overly complex.
This document describes a method for automating maintanance of the This document describes a method for automating maintanance of the
delegation trust information, and proposes a polled / periodic delegation trust information, and proposes a polled / periodic
trigger for simplicity. Some users may prefer a different trigger, trigger for simplicity. Some users may prefer a different trigger,
such as a button on a webpage, a REST interface, DNS NOTIFY, etc. such as a button on a webpage, a REST interface, DNS NOTIFY, etc.
These alternate / additional triggers are not discussed in this These alternate / additional triggers are not discussed in this
document. This proposal does not include all operations needed for document.
the maintenance of DNSSEC key material, specifically the introduction
or complete removal of all keys. Because of this, alternate This proposal does not include all operations needed for the
communications mechanisms must always exist, potentially introducing maintenance of DNSSEC key material, specifically the initial
more complexity. introduction or complete removal of all keys. Because of this,
alternate communications mechanisms must always exist, potentially
introducing more complexity.
1.1. Terminology 1.1. Terminology
The terminology we use is defined in this section The terminology we use is defined in this section.
Highlighted roles Highlighted roles:
o Child: "The entity on record that has the delegation of the domain o Child: "The entity on record that has the delegation of the domain
from the parent" from the parent"
o Parent: "The domain in which the child is registered" o Parent: "The domain in which the child is registered"
o Child DNS Operator: "The entity that maintains and publishes the o Child DNS Operator: "The entity that maintains and publishes the
zone information for the child DNS" zone information for the child DNS"
o Parent DNS Operator: "The entity that maintains and publishes the o Parent DNS Operator: "The entity that maintains and publishes the
skipping to change at page 4, line 35 skipping to change at page 4, line 34
o Parental Agent: "The entity that the child has relationship with, o Parental Agent: "The entity that the child has relationship with,
to change its delegation information" to change its delegation information"
o Provisioning system: "A system that the operator of the master DNS o Provisioning system: "A system that the operator of the master DNS
server operates to maintain the information published in the DNS. server operates to maintain the information published in the DNS.
This includes the systems that sign the DNS data" This includes the systems that sign the DNS data"
RRR is our shorthand for Registry/Registrar/Registrant model of RRR is our shorthand for Registry/Registrar/Registrant model of
parent child relationship see Appendix A for more. parent child relationship see Appendix A for more.
1.2. Requirements notation 1.2. Requirements Notation
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
2. Background 2. Background
2.1. DNS delegations 2.1. DNS Delegations
DNS operation consists of delegations of authority. For each DNS operation consists of delegations of authority. For each
delegation there are (most of the time) two parties: the parent and delegation there are (most of the time) two parties: the parent and
the child. the child.
The parent publishes information about the delegations to the child; The parent publishes information about the delegations to the child;
for the name-servers it publishes an NS [RFC1035] RRset that lists a for the name servers it publishes an NS [RFC1035] RRset that lists a
hint for name-servers that are authoritative for the child. The hint for name servers that are authoritative for the child. The
child also publishes a NS RRset, and this set is the authoritative child also publishes a NS RRset, and this set is the authoritative
list of name-servers to the child zone. list of name servers to the child zone.
The second RRset the parent sometimes publishes is the DS [RFC4034] The second RRset the parent sometimes publishes is the DS [RFC4034]
set. The DS RRset provides information about the DNSKEY(s) that the set. The DS RRset provides information about the DNSKEY(s) that the
child has told the parent it will use to sign its DNSKEY RRset. In child has told the parent it will use to sign its DNSKEY RRset. In
DNSSEC trust relationship between zones is provided by the following DNSSEC trust relationship between zones is provided by the following
chain: chain:
parent DNSKEY --> DS --> child DNSKEY. parent DNSKEY --> DS --> child DNSKEY.
A prior proposal [I-D.auto-cpsync] suggested that the child send an A prior proposal [I-D.auto-cpsync] suggested that the child send an
"update" to the parent via a mechanism similar to Dynamic Update. "update" to the parent via a mechanism similar to Dynamic Update.
The main issue became: How does the child find the actual parental The main issue became: How does the child find the actual parental
agent/server to send the update to? While that could have been agent/server to send the update to? While that could have been
solved via technical means, the proposal died. There is also a solved via technical means, the proposal died. There is also a
similar proposal in [I-D.parent-zones] similar proposal in [I-D.parent-zones].
As the DS record can only be present at the parent (RFC4034 As the DS record can only be present at the parent (RFC4034
[RFC4034]), some other record/method is needed to automate which [RFC4034]), some other record/method is needed to automate which
DNSKEYs are picked to be represented in the parent zone's DS records. DNSKEYs are picked to be represented in the parent zone's DS records.
One possibility is to use flags in the DNSKEY record. If the SEP bit One possibility is to use flags in the DNSKEY record. If the SEP bit
is set, this indicates that the DNSKEY is intended for use as a is set, this indicates that the DNSKEY is intended for use as a
secure entry point. This DNSKEY signs the DNSKEY RRset, and the secure entry point. This DNSKEY signs the DNSKEY RRset, and the
Parental Agent can calculate DS records based on that. But this Parental Agent can calculate DS records based on that. But this
fails to meet some operating needs, including the child having no fails to meet some operating needs, including the child having no
influence what DS digest algorithms are used and DS records can only influence what DS digest algorithms are used and DS records can only
be published for keys that are in the DNSKEY RRset. be published for keys that are in the DNSKEY RRset, and thus this
technique would not be compatible with Double-DS key rollover.
2.2. Relationship between Parent and Child DNS operator 2.2. Relationship Between Parent and Child DNS Operator
In practical application, there are many different relationships In practical application, there are many different relationships
between the parent and child DNS operators. The type of relationship between the parent and child DNS operators. The type of relationship
affects how the Child DNS Operator communicates with the parent. affects how the Child DNS Operator communicates with the parent.
This section will highlight some of the different situations, but is This section will highlight some of the different situations, but is
by no means a complete list. by no means a complete list.
Different communication paths: Different communication paths:
o Direct/API: The child can change the delegation information via o Direct/API: The child can change the delegation information via
skipping to change at page 6, line 35 skipping to change at page 6, line 35
automated operation. The word enterprise above covers all automated operation. The word enterprise above covers all
organizations in which the domains are not sold on the open market organizations in which the domains are not sold on the open market
and there is some relationship between the entities. and there is some relationship between the entities.
2.2.1. Solution Space 2.2.1. Solution Space
This document is aimed at the cases in which there is an This document is aimed at the cases in which there is an
organizational separation of the child and parent. organizational separation of the child and parent.
A further complication is when the Child DNS Operator is not the A further complication is when the Child DNS Operator is not the
Child. There are two common cases of this, Child. There are two common cases of this:
a) The Parental Agent (e.g. registrar) handles the DNS operation a) The Parental Agent (e.g. registrar) handles the DNS operation.
b) A third party takes care of the DNS operation. b) A third party takes care of the DNS operation.
If the Parental Agent is the DNS operator, life is much easier; the If the Parental Agent is the DNS operator, life is much easier; the
Parental Agent can inject any delegation changes directly into the Parental Agent can inject any delegation changes directly into the
Parent's Provisioning system. The techniques described below are not Parent's Provisioning system. The techniques described below are not
needed in the case when Parental Agent is the DNS operator. needed in the case when Parental Agent is the DNS operator.
In the case of a third party DNS operator, the Child either needs to In the case of a third party DNS operator, the Child either needs to
relay changes in DNS delegation or give the Child DNS Operator access relay changes in DNS delegation or give the Child DNS Operator access
skipping to change at page 7, line 28 skipping to change at page 7, line 28
At a later date, the Child DNS Operator may want to publish a new DS At a later date, the Child DNS Operator may want to publish a new DS
record in the parent, either because they are rolling keys, or record in the parent, either because they are rolling keys, or
because they want to publish a stand-by key. This involves because they want to publish a stand-by key. This involves
performing the same process as before. Furthermore when this is a performing the same process as before. Furthermore when this is a
manual process with cut and paste, operational mistakes will happen manual process with cut and paste, operational mistakes will happen
-- or worse, the update action is not performed at all. -- or worse, the update action is not performed at all.
The Child DNS Operator may also introduce new keys, and can do so The Child DNS Operator may also introduce new keys, and can do so
when old keys exist and can be used. The Child may also remove old when old keys exist and can be used. The Child may also remove old
keys, but we do not support removing all keys. This is to avoid keys, but this document does not support removing all keys. This is
making signed zones unsigned. to avoid making signed zones unsigned. The Child may not enroll the
initial key or introduce a new key when there are no old keys that
The Child may not introduce a new key when no old keys can be used, can be used, because there is no way to validate the information.
and nor may it remove the last key from the RRSet of the zone apex.
The Child may not enroll the initial key or introduce a new key when
there are no old keys that can be used, because there is no way to
validate the information. [TODO ADD TEXT RE REMOVAL)
3. CDS / CDNSKEY (Child DS/ Child DNSKEY) record definitions 3. CDS / CDNSKEY (Child DS/ Child DNSKEY) Record Definitions
This document specifies two new resource records, CDS and CDNSKEY. This document specifies two new resource records, CDS and CDNSKEY.
These records are used to convey, from one zone to it's parent, the These records are used to convey, from one zone to it's parent, the
desired contents of the zone's DS resource record set residing in the desired contents of the zone's DS resource record set residing in the
parent zone. parent zone.
The CDS / CDNSKEY records are published in the child zone and gives The CDS / CDNSKEY records are published in the child zone and gives
the child control of what is published for it in the parental zone. the child control of what is published for it in the parental zone.
The CDS / CDNSKEY RRset expresses what the child would like the DS The CDS / CDNSKEY RRset expresses what the child would like the DS
RRset to look like after the change; it is a "replace" operation, and RRset to look like after the change; it is a "replace" operation, and
skipping to change at page 8, line 19 skipping to change at page 8, line 14
/tools.ietf.org/id/draft-kumari-ogud-dnsop-cds-04.txt) defined a new /tools.ietf.org/id/draft-kumari-ogud-dnsop-cds-04.txt) defined a new
record (CTA) that could hold either a DS or a DNSKEY record (with a record (CTA) that could hold either a DS or a DNSKEY record (with a
selector to differentiate between them). In a shocking development, selector to differentiate between them). In a shocking development,
there was almost full consensus that this was horrid :-) ] there was almost full consensus that this was horrid :-) ]
3.1. CDS Resource Record Format 3.1. CDS Resource Record Format
The wire and presentation format of the CDS ("Child DS") record is The wire and presentation format of the CDS ("Child DS") record is
identical to the DS record [RFC4034]. IANA has allocated RR code 59 identical to the DS record [RFC4034]. IANA has allocated RR code 59
for the CDS record via expert review [I-D.ds-publish]. CDS uses the for the CDS record via expert review [I-D.ds-publish]. CDS uses the
same registries as DS for its fields same registries as DS for its fields.
No special processing is performed by authoritative servers or by No special processing is performed by authoritative servers or by
revolvers, when serving or resolving. For all practical purposes CDS revolvers, when serving or resolving. For all practical purposes CDS
is a regular RR type. is a regular RR type.
3.2. CDNSKEY Resource Record Format 3.2. CDNSKEY Resource Record Format
The wire and presentation format of the CDNSKEY ("Child DNSKEY") The wire and presentation format of the CDNSKEY ("Child DNSKEY")
record is identical to the DNSKEY record. CDNSKEY uses the same record is identical to the DNSKEY record. CDNSKEY uses the same
registries as DNSKEY for its fields. registries as DNSKEY for its fields.
No special processing is performed by authoritative servers or by No special processing is performed by authoritative servers or by
revolvers, when serving or resolving. For all practical purposes revolvers, when serving or resolving. For all practical purposes
CDNSKEY is a regular RR type. CDNSKEY is a regular RR type.
4. Automating DS maintainance with CDS/CDNSKEY records 4. Automating DS Maintainance With CDS/CDNSKEY records
CDS/CDNSKEY records are intended to be "consumed" by delegation trust CDS/CDNSKEY records are intended to be "consumed" by delegation trust
maintainers. The use of CDS/CDNSKEY is optional. maintainers. The use of CDS/CDNSKEY is optional.
Some parents prefer to accept DNSSEC key information in DS format, Some parents prefer to accept DNSSEC key information in DS format,
some parents prefer to accept it in DNSKEY format, and calculate the some parents prefer to accept it in DNSKEY format, and calculate the
DS record on the child's behalf. Each method has pros and cons, both DS record on the child's behalf. Each method has pros and cons, both
technical and policy. This solution is DS vs DNSKEY agnostic, and technical and policy. This solution is DS vs DNSKEY agnostic, and
allows operation with either. allows operation with either.
If the child knows what the parent prefers, they can publish the The child SHOULD publish both CDS and CDNSKEY records. If the child
parent's preferred record type. If the child does not know (or knows which the parent consumes, it MAY choose to only publish that
simply chooses to), they can publish both CDS and CDNSKEY. If the record type (for example, some children wish the parent to publish a
child publishes both, the two RRsets they MUST match in content. The DS, but they wish to keep the DNSKEY "hidden" until needed). If the
parent should use whichever one they choose, but SHOULD NOT query for child publishes both, the two RRsets MUST match in content. The
parent should use whichever one they choose, but MUST NOT query for
both and perform consistency checks between the CDS and CDNSKEY both and perform consistency checks between the CDS and CDNSKEY
records. records.
[Editor note: It is not an error for a child to have published CDS 4.1. CDS / CDNSKEY Processing Rules
records and not have CDNSKEYs that hash to those records, nor for
there to be CDNSKEY records without matching DS records. This is
because a child might have been publishing CDS records and then the
parent's policy changes to require CDNSKEY records. The child might
forget to remove the CDS, etc. This avoids all sorts of error
conditions / complexity, etc.]
4.1. CDS / CDNSKEY processing rules
If there are no CDS / CDNSKEY resource records in the child, this If there are no CDS / CDNSKEY resource records in the child, this
signals that no change should be made to the current DS set. This signals that no change should be made to the current DS set. This
means that, once the child and parent are in sync, the child DNS means that, once the child and parent are in sync, the child DNS
operator SHOULD remove all CDS records from the zone. operator SHOULD remove all CDS records from the zone.
Following acceptance rules are placed on the CDS / CDNSKEY records as Following acceptance rules are placed on the CDS / CDNSKEY records as
follows: follows:
o Location: "the CDS / CDNSKEY record MUST be at the child zone o Location: "the CDS / CDNSKEY record MUST be at the child zone
skipping to change at page 9, line 37 skipping to change at page 9, line 27
o Signer: "MUST be signed with a key that is represented in both the o Signer: "MUST be signed with a key that is represented in both the
current DNSKEY and DS RRset's." current DNSKEY and DS RRset's."
o Continuity: "MUST NOT break the current delegation if applied to o Continuity: "MUST NOT break the current delegation if applied to
DS RRset" DS RRset"
If any these conditions fail the CDS / CDNSKEY record MUST be If any these conditions fail the CDS / CDNSKEY record MUST be
ignored. ignored.
5. Child's CDS / CDNSKEY Publication 5. CDS / CDNSKEY Publication
Child DNS Operator SHOULD only publish a CDS or CDNSKEY RRset when it Child DNS Operator SHOULD only publish a CDS or CDNSKEY RRset when it
wants to make a change to the DS RRset in the Parent. In order to be wants to make a change to the DS RRset in the Parent. In order to be
valid, the CDS / CDNSKEY RRset MUST be compliant with the rules in valid, the CDS / CDNSKEY RRset MUST be compliant with the rules in
Section 4.1. When the Parent DS is "in-sync" with the CDS / CDNSKEY, Section 4.1. When the Parent DS is "in-sync" with the CDS / CDNSKEY,
the Child DNS Operator SHOULD delete the CDS / CDNSKEY RRset(s). the Child DNS Operator SHOULD delete the CDS / CDNSKEY RRset(s).
Note that if the child has published a CDNSKEY RR, the Parent will Note that if the child has published a CDNSKEY RR, the Parent will
have to calculate the DS (using the requested digest algorithm) to do have to calculate the DS (using the requested digest algorithm) to do
the comparison. the comparison.
A child MAY publish both CDS and CDNSKEY. If a child chooses to 6. Parent Side CDS / CDNSKEY Consumption
publish both, it MUST attempt to maintain consistency (a matching CDS
for each CDNSKEY).
6. Parent side CDS / CDNSKEY Consumption
The CDS / CDNSKEY RRset SHOULD be used by the Parental Agent to The CDS / CDNSKEY RRset SHOULD be used by the Parental Agent to
update the DS RRset in the parent zone. The Parental Agent for this update the DS RRset in the parent zone. The Parental Agent for this
uses a tool that understands the CDS / CDNSKEY signing rules from uses a tool that understands the CDS / CDNSKEY signing rules from
Section 4.1 so it may not be able to use a standard validator. Section 4.1 so it may not be able to use a standard validator.
The parent MUST choose to accept either CDS or CDNSKEY records, and The parent MUST choose to accept either CDS or CDNSKEY records (based
MUST NOT expect there to be both. A parent SHOULD NOT perform a upon local policy), and MUST NOT expect there to be both. A parent
consistency check between CDS and CDNSKEY (other than for MUST NOT perform a consistency check between CDS and CDNSKEY (other
informational / debugging use). than for informational / debugging use).
6.1. Detecting a changed CDS / CDNSKEY 6.1. Detecting a Changed CDS / CDNSKEY
How the Parental Agent gets the CDS / CDNSKEY record may differ, How the Parental Agent gets the CDS / CDNSKEY record may differ,
below are two examples as how this can take place. below are two examples as how this can take place.
Polling The Parental Agent operates a tool that periodically checks Polling The Parental Agent operates a tool that periodically checks
each of the children that has a DS record to see if there is a each of the children that has a DS record to see if there is a
CDS or CDNSKEY record. CDS or CDNSKEY record.
Pushing The delegation user interface has a button {Fetch DS} when Pushing The delegation user interface has a button {Fetch DS} when
pushed preforms the CDS / CDNSKEY processing. If the Parent pushed preforms the CDS / CDNSKEY processing. If the Parent
zone does not contain DS for this delegation then the "push" zone does not contain DS for this delegation then the "push"
MUST be ignored. SHOULD be ignored. If the Parental Agent displays the contents
of the CDS / CDSNKEY to the user and gets confirmation that
this represents their key, the Parental Agent MAY use this for
initial enrolment (when the Parent zone does not contain the DS
for this delgation).
In either case the Parental Agent MAY apply additional rules that In either case the Parental Agent MAY apply additional rules that
defer the acceptance of a CDS / CDNSKEY change, these rules may defer the acceptance of a CDS / CDNSKEY change, these rules may
include a condition that the CDS / CDNSKEY remains in place and valid include a condition that the CDS / CDNSKEY remains in place and valid
for some time period before it is accepted. It may be appropriate in for some time period before it is accepted. It may be appropriate in
the "Pushing" case to assume that the Child is ready and thus accept the "Pushing" case to assume that the Child is ready and thus accept
changes without delay. changes without delay.
6.1.1. CDS / CDNSKEY Polling 6.1.1. CDS / CDNSKEY Polling
skipping to change at page 11, line 9 skipping to change at page 10, line 47
enterprises, universities, small TLDs etc. In many regulatory enterprises, universities, small TLDs etc. In many regulatory
environments the registry is prohibited from talking to the environments the registry is prohibited from talking to the
registrant. In most of these cases the registrant has a business registrant. In most of these cases the registrant has a business
relationship with the registrar, and so the registrar can offer this relationship with the registrar, and so the registrar can offer this
as a service. as a service.
If the CDS / CDNSKEY RRset does not exist, the Parental Agent MUST If the CDS / CDNSKEY RRset does not exist, the Parental Agent MUST
take no action. Specifically it MUST NOT delete or alter the take no action. Specifically it MUST NOT delete or alter the
existing DS RRset. existing DS RRset.
6.1.2. Other mechanisms 6.1.2. Other Mechanisms
It is assumed that other mechanisms will be implemented to trigger It is assumed that other mechanisms will be implemented to trigger
the parent to look for an updated CDS / CDNSKEY record. As the CDS / the parent to look for an updated CDS / CDNSKEY record. As the CDS /
CDNSKEY records are validated with DNSSEC, these mechanisms can be CDNSKEY records are validated with DNSSEC, these mechanisms can be
unauthenticated (for example, a child could telephone its parent and unauthenticated (for example, a child could telephone its parent and
request that they process the new CDS or CDNSKEY record, an request that they process the new CDS or CDNSKEY record, an
unauthenticated POST could be made to a webserver (with rate- unauthenticated POST could be made to a webserver (with rate-
limiting), etc.) limiting), etc.)
Other documents can specify the trigger conditions. Other documents can specify the trigger conditions.
6.2. Using the new CDS / CDNSKEY records 6.2. Using the New CDS / CDNSKEY Records
Regardless of how the Parental Agent detected changes to a CDS / Regardless of how the Parental Agent detected changes to a CDS /
CDNSKEY RR, the Parental Agent MUST use a DNSSEC validator to obtain CDNSKEY RR, the Parental Agent MUST use a DNSSEC validator to obtain
a validated CDS / CDNSKEY RRset from the Child zone. It would be a a validated CDS / CDNSKEY RRset from the Child zone.
good idea if the Parental Agent checked all NS RRs listed at the
delegation.
The Parental Agent MUST ensure that old versions of the CDS / CDNSKEY The Parental Agent MUST ensure that old versions of the CDS / CDNSKEY
RRset do not overwrite newer versions. This MAY be accomplished by RRset do not overwrite newer versions. This MAY be accomplished by
checking that the signature inception in the RRSIG for CDS / CDNSKEY checking that the signature inception in the RRSIG for CDS / CDNSKEY
is newer and/or the serial number on the child's SOA is greater. is newer and/or the serial number on the child's SOA is greater.
This may require the Parental Agent to maintain some state This may require the Parental Agent to maintain some state
information. information.
The Parental Agent MAY take extra security measures. For example, to The Parental Agent MAY take extra security measures. For example, to
mitigate the possibility that a Child's key signing key has been mitigate the possibility that a Child's key signing key has been
compromised, the Parental Agent may, for example, inform (by email or compromised, the Parental Agent may, for example, inform (by email or
other methods ) the Child DNS Operator of the change. However the other methods ) the Child DNS Operator of the change. However the
precise out-of-band measures that a parent zone SHOULD take are precise out-of-band measures that a parent zone SHOULD take are
outside the scope of this document. outside the scope of this document.
Once the Parental Agent has obtained a valid CDS / CDNSKEY it MUST Once the Parental Agent has obtained a valid CDS / CDNSKEY it MUST
double check the publication rules from section 4.1. In particular check the publication rules from section 4.1. In particular the
the Parental Agent MUST double check the Continuity rule and do its Parental Agent MUST double check the Continuity rule and do its best
best not to invalidate the Child zone. Once checked and if the CDS / not to invalidate the Child zone. Once checked and if the CDS /
CDNSKEY and DS "differ" it may apply the changes to the parent zone. CDNSKEY and DS differ it may apply the changes to the parent zone.
If the parent consumes CDNSKEY, the parent should calculate the DS If the parent consumes CDNSKEY, the parent should calculate the DS
before doing this comparison. before doing this comparison.
6.2.1. Parent calculates DS 6.2.1. Parent Calculates DS
There are cases where the Parent wants to calculate the DS record due There are cases where the Parent wants to calculate the DS record due
to policy reasons. In this case, the Child publishes CDNSKEY records to policy reasons. In this case, the Child publishes CDNSKEY records
and the parent calculates the DS records on behalf of the children. and the parent calculates the DS records on behalf of the children.
When a Parent operates in "calculate DS" mode it can operate in one When a Parent operates in "calculate DS" mode it can operate in one
of two sub-modes of two sub-modes
full i.e. it only publishes DS records it calculates from DNSKEY full i.e. it only publishes DS records it calculates from DNSKEY
records, records,
augment i.e. it will make sure there are DS records for the digest augment i.e. it will make sure there are DS records for the digest
algorithm(s) it requires(s). algorithm(s) it requires(s).
IIn the case the parent fetch the CDNSKEY and calculate the DS it MAY In the case the parent fetch the CDNSKEY and calculate the DS it MAY
be the case that the DS published in the parent zone is not identical be the case that the DS published in the parent zone is not identical
with the data in the CDS record made available by the child. with the data in the CDS record made available by the child.
7. IANA Considerations 7. IANA Considerations
IANA has assigned RR Type code 59 for CDS. This was done for an IANA has assigned RR Type code 59 for CDS. This was done for an
earlier version of this document[I-D.ds-publish] This document is to earlier version of this document[I-D.ds-publish] This document is to
become the reference for CDS RRtype. become the reference for CDS RRtype.
IANA is requested to assign another RR Type for the CDNSKEY. IANA is requested to assign another RR Type for the CDNSKEY.
skipping to change at page 14, line 19 skipping to change at page 14, line 9
security. security.
By automating the maintenance of the DNSSEC key information (and By automating the maintenance of the DNSSEC key information (and
removing humans from the process) we expect to decrease the number of removing humans from the process) we expect to decrease the number of
DNSSEC related outages, which should increase DNSSEC deployment. DNSSEC related outages, which should increase DNSSEC deployment.
10. Acknowledgements 10. Acknowledgements
We would like to thank a large number of folk, including: Mark We would like to thank a large number of folk, including: Mark
Andrews, Joe Abley, Jaap Akkerhuis, Roy Arends, Doug Barton, Brian Andrews, Joe Abley, Jaap Akkerhuis, Roy Arends, Doug Barton, Brian
Dickinson, Paul Ebersman, Tony Finch, Patrik Faltstrom, Jim Galvin, Dickinson, Paul Ebersman, Tony Finch, Jim Galvin, Paul Hoffman, Samir
Paul Hoffman, Samir Hussain, Tatuya Jinmei, Olaf Kolkman, Cricket Hussain, Tatuya Jinmei, Olaf Kolkman, Cricket Liu, Stephan Lagerholm,
Liu, Stephan Lagerholm, Matt Larson, Marco Sanz, Antoin Verschuren, Matt Larson, Marco Sanz, Antoin Verschuren, Suzanne Woolf, Paul
Suzanne Woolf, Paul Wouters, Matthijs Meeking, John Dickinson, Wouters, John Dickinson, Timothe Litt and Edward Lewis.
Timothe Litt and Edward Lewis.
Special thanks to Wes Hardaker for contributing significant text and Special thanks to Wes Hardaker for contributing significant text and
creating the complementary (CSYNC) solution, and to Paul Hoffman and creating the complementary (CSYNC) solution, and to Patrik Faltstrom,
Mukund Sivaraman for text and review. Paul Hoffman, Matthijs Mekking and Mukund Sivaraman for text and in-
depth review.
There were a number of other folk with whom we discussed this, There were a number of other folk with whom we discussed this,
apologies for not remembering everyone. apologies for not remembering everyone.
11. References 11. References
11.1. Normative References 11.1. Normative References
[RFC1035] Mockapetris, P., "Domain names - implementation and [RFC1035] Mockapetris, P., "Domain names - implementation and
specification", STD 13, RFC 1035, November 1987. specification", STD 13, RFC 1035, November 1987.
skipping to change at page 16, line 29 skipping to change at page 16, line 18
In many RRR cases the Registrar and Registry communicate via In many RRR cases the Registrar and Registry communicate via
EPP[RFC5730] and use the EPP DNSSEC extension [RFC5910]. In a number EPP[RFC5730] and use the EPP DNSSEC extension [RFC5910]. In a number
of ccTLDs there are other mechanisms in use as well as EPP, but in of ccTLDs there are other mechanisms in use as well as EPP, but in
general there seems to be a movement towards EPP usage when DNSSEC is general there seems to be a movement towards EPP usage when DNSSEC is
enabled in the TLD. enabled in the TLD.
Appendix B. Changes / Author Notes. Appendix B. Changes / Author Notes.
[RFC Editor: Please remove this section before publication ] [RFC Editor: Please remove this section before publication ]
WG-04 to WG-05
o More comments from Patrik, Paul and Ed.
o Many nits and fixes from Matthijs Mekking.
o Outstanding question: Should we remove the "Child SHOULD remove
the CDS record" text? Mail sent to list.
WG-03 to WG-04 WG-03 to WG-04
o Large number of comments and changes from Patrik. o Large number of comments and changes from Patrik.
WG-02 to WG-03 WG-02 to WG-03
o Fixed some references to RFC 5011 - from Samir Hussain. o Fixed some references to RFC 5011 - from Samir Hussain.
o Fixed some spelling / typos - from Samir Hussain. o Fixed some spelling / typos - from Samir Hussain.
 End of changes. 43 change blocks. 
101 lines changed or deleted 96 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/