| < draft-ietf-dnsop-delegation-trust-maintainance-05.txt | draft-ietf-dnsop-delegation-trust-maintainance-06.txt > | |||
|---|---|---|---|---|
| dnsop W. Kumari | dnsop W. Kumari | |||
| Internet-Draft Google | Internet-Draft Google | |||
| Intended status: Informational O. Gudmundsson | Intended status: Informational O. Gudmundsson | |||
| Expires: October 13, 2014 Shinkuro Inc. | Expires: October 16, 2014 Shinkuro Inc. | |||
| G. Barwood | G. Barwood | |||
| April 11, 2014 | April 14, 2014 | |||
| Automating DNSSEC Delegation Trust Maintenance | Automating DNSSEC Delegation Trust Maintenance | |||
| draft-ietf-dnsop-delegation-trust-maintainance-05 | draft-ietf-dnsop-delegation-trust-maintainance-06 | |||
| Abstract | Abstract | |||
| This document describes a method to allow DNS operators to more | This document describes a method to allow DNS operators to more | |||
| easily update DNSSEC Key Signing Keys using the DNS as communication | easily update DNSSEC Key Signing Keys using the DNS as communication | |||
| channel. This document does not address the initial configuration of | channel. This document does not address the initial configuration of | |||
| trust anchors for a domain. The technique described is aimed at | trust anchors for a domain. The technique described is aimed at | |||
| delegations in which it is currently hard to move information from | delegations in which it is currently hard to move information from | |||
| the child to parent. | the child to parent. | |||
| skipping to change at page 1, line 38 ¶ | skipping to change at page 1, line 38 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on October 13, 2014. | This Internet-Draft will expire on October 16, 2014. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2014 IETF Trust and the persons identified as the | Copyright (c) 2014 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 23 ¶ | skipping to change at page 2, line 23 ¶ | |||
| 1.2. Requirements Notation . . . . . . . . . . . . . . . . . . 4 | 1.2. Requirements Notation . . . . . . . . . . . . . . . . . . 4 | |||
| 2. Background . . . . . . . . . . . . . . . . . . . . . . . . . 4 | 2. Background . . . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 2.1. DNS Delegations . . . . . . . . . . . . . . . . . . . . . 4 | 2.1. DNS Delegations . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 2.2. Relationship Between Parent and Child DNS Operator . . . 5 | 2.2. Relationship Between Parent and Child DNS Operator . . . 5 | |||
| 2.2.1. Solution Space . . . . . . . . . . . . . . . . . . . 6 | 2.2.1. Solution Space . . . . . . . . . . . . . . . . . . . 6 | |||
| 2.2.2. DNSSEC key change process . . . . . . . . . . . . . . 7 | 2.2.2. DNSSEC key change process . . . . . . . . . . . . . . 7 | |||
| 3. CDS / CDNSKEY (Child DS/ Child DNSKEY) Record Definitions . . 7 | 3. CDS / CDNSKEY (Child DS/ Child DNSKEY) Record Definitions . . 7 | |||
| 3.1. CDS Resource Record Format . . . . . . . . . . . . . . . 8 | 3.1. CDS Resource Record Format . . . . . . . . . . . . . . . 8 | |||
| 3.2. CDNSKEY Resource Record Format . . . . . . . . . . . . . 8 | 3.2. CDNSKEY Resource Record Format . . . . . . . . . . . . . 8 | |||
| 4. Automating DS Maintainance With CDS/CDNSKEY records . . . . . 8 | 4. Automating DS Maintainance With CDS/CDNSKEY records . . . . . 8 | |||
| 4.1. CDS / CDNSKEY Processing Rules . . . . . . . . . . . . . 9 | 4.1. CDS / CDNSKEY Processing Rules . . . . . . . . . . . . . 8 | |||
| 5. CDS / CDNSKEY Publication . . . . . . . . . . . . . . . . . . 9 | 5. CDS / CDNSKEY Publication . . . . . . . . . . . . . . . . . . 9 | |||
| 6. Parent Side CDS / CDNSKEY Consumption . . . . . . . . . . . . 9 | 6. Parent Side CDS / CDNSKEY Consumption . . . . . . . . . . . . 9 | |||
| 6.1. Detecting a Changed CDS / CDNSKEY . . . . . . . . . . . . 10 | 6.1. Detecting a Changed CDS / CDNSKEY . . . . . . . . . . . . 9 | |||
| 6.1.1. CDS / CDNSKEY Polling . . . . . . . . . . . . . . . . 10 | 6.1.1. CDS / CDNSKEY Polling . . . . . . . . . . . . . . . . 10 | |||
| 6.1.2. Other Mechanisms . . . . . . . . . . . . . . . . . . 10 | 6.1.2. Other Mechanisms . . . . . . . . . . . . . . . . . . 10 | |||
| 6.2. Using the New CDS / CDNSKEY Records . . . . . . . . . . . 11 | 6.2. Using the New CDS / CDNSKEY Records . . . . . . . . . . . 11 | |||
| 6.2.1. Parent Calculates DS . . . . . . . . . . . . . . . . 11 | 6.2.1. Parent Calculates DS . . . . . . . . . . . . . . . . 11 | |||
| 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12 | 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12 | |||
| 8. Privacy Considerations . . . . . . . . . . . . . . . . . . . 12 | 8. Privacy Considerations . . . . . . . . . . . . . . . . . . . 12 | |||
| 9. Security Considerations . . . . . . . . . . . . . . . . . . . 12 | 9. Security Considerations . . . . . . . . . . . . . . . . . . . 12 | |||
| 10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 14 | 10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 14 | |||
| 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 14 | 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 14 | |||
| 11.1. Normative References . . . . . . . . . . . . . . . . . . 14 | 11.1. Normative References . . . . . . . . . . . . . . . . . . 14 | |||
| 11.2. Informative References . . . . . . . . . . . . . . . . . 15 | 11.2. Informative References . . . . . . . . . . . . . . . . . 15 | |||
| Appendix A. RRR background . . . . . . . . . . . . . . . . . . . 15 | Appendix A. RRR background . . . . . . . . . . . . . . . . . . . 15 | |||
| Appendix B. Changes / Author Notes. . . . . . . . . . . . . . . 16 | Appendix B. Changes / Author Notes. . . . . . . . . . . . . . . 16 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 18 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 19 | |||
| 1. Introduction | 1. Introduction | |||
| When a DNS operator first signs their zone, they need to communicate | When a DNS operator first signs their zone, they need to communicate | |||
| their DS record(s) (or DNSKEY(s)) to their parent through some out- | their DS record(s) (or DNSKEY(s)) to their parent through some out- | |||
| of-band method to complete the chain of trust. | of-band method to complete the chain of trust. | |||
| Each time the child changes/rolls the key that is represented in the | Each time the child changes the key that is represented in the | |||
| parent, the new and/or deleted key information has to be communicated | parent, the updated and/or deleted key information has to be | |||
| to the parent and in the parent's zone. How this information is sent | communicated to the parent and published in the parent's zone. How | |||
| to the parent depends on the relationship the child has with the | this information is sent to the parent depends on the relationship | |||
| parent. In many cases this is a manual process, and not an easy one. | the child has with the parent. In many cases this is a manual | |||
| For each key roll, there may be up to two interactions with the | process, and not an easy one. For each key roll, there may be up to | |||
| parent. Any manual process is susceptible to mistakes and/or errors. | two interactions with the parent. Any manual process is susceptible | |||
| In addition, due to the annoyance factor of the process, operators | to mistakes and/or errors. In addition, due to the annoyance factor | |||
| may avoid performing key rollovers or skip needed steps to publish | of the process, operators may avoid performing key rollovers or skip | |||
| the new DS at the parent. | needed steps to publish the new DS at the parent. | |||
| DNSSEC provides data integrity to information published in DNS; thus | DNSSEC provides data integrity to information published in DNS; thus | |||
| DNS publication can be used to automate maintenance of delegation | DNS publication can be used to automate maintenance of delegation | |||
| information. This document describes a method to automate | information. This document describes a method to automate | |||
| publication of subsequent DS records, after the initial one has been | publication of subsequent DS records, after the initial one has been | |||
| published. | published. | |||
| Readers are expected to be familiar with DNSSEC, including [RFC4033], | Readers are expected to be familiar with DNSSEC, including [RFC4033], | |||
| [RFC4034], [RFC4035], [RFC5011] and [RFC6781]. | [RFC4034], [RFC4035], [RFC5011] and [RFC6781]. | |||
| skipping to change at page 7, line 4 ¶ | skipping to change at page 7, line 4 ¶ | |||
| Parent's Provisioning system. The techniques described below are not | Parent's Provisioning system. The techniques described below are not | |||
| needed in the case when Parental Agent is the DNS operator. | needed in the case when Parental Agent is the DNS operator. | |||
| In the case of a third party DNS operator, the Child either needs to | In the case of a third party DNS operator, the Child either needs to | |||
| relay changes in DNS delegation or give the Child DNS Operator access | relay changes in DNS delegation or give the Child DNS Operator access | |||
| to its delegation/registration account. | to its delegation/registration account. | |||
| Some parents want the child to express their DNSKEYS in the form of | Some parents want the child to express their DNSKEYS in the form of | |||
| DS records, while others want to receive the DNSKEY records and | DS records, while others want to receive the DNSKEY records and | |||
| calculate the DS records themselves. There is no consensus on which | calculate the DS records themselves. There is no consensus on which | |||
| method is better; both have good reasons to exist. The proposal | method is better; both have good reasons to exist. This solution is | |||
| below can operate with both models, but the child needs to be aware | DS vs DNSKEY agnostic, and allows operation with either. | |||
| of the parental policies. | ||||
| 2.2.2. DNSSEC key change process | 2.2.2. DNSSEC key change process | |||
| After a Child DNS Operator first signs the zone, there is a need to | After a Child DNS Operator first signs the zone, there is a need to | |||
| interact with the Parent, for example via the delegation account | interact with the Parent, for example via the delegation account | |||
| interface, to "upload / paste-in the zone's DS information". The | interface, to "upload / paste-in the zone's DS information". The | |||
| action of logging in through the delegation account user interface | action of logging in through the delegation account user interface | |||
| authenticates that the user is authorized to change delegation | authenticates that the user is authorized to change delegation | |||
| information for the child published in the parent zone. In the case | information for the child published in the parent zone. In the case | |||
| where the "Child DNS Operator" does not have access to the | where the "Child DNS Operator" does not have access to the | |||
| skipping to change at page 7, line 31 ¶ | skipping to change at page 7, line 30 ¶ | |||
| because they want to publish a stand-by key. This involves | because they want to publish a stand-by key. This involves | |||
| performing the same process as before. Furthermore when this is a | performing the same process as before. Furthermore when this is a | |||
| manual process with cut and paste, operational mistakes will happen | manual process with cut and paste, operational mistakes will happen | |||
| -- or worse, the update action is not performed at all. | -- or worse, the update action is not performed at all. | |||
| The Child DNS Operator may also introduce new keys, and can do so | The Child DNS Operator may also introduce new keys, and can do so | |||
| when old keys exist and can be used. The Child may also remove old | when old keys exist and can be used. The Child may also remove old | |||
| keys, but this document does not support removing all keys. This is | keys, but this document does not support removing all keys. This is | |||
| to avoid making signed zones unsigned. The Child may not enroll the | to avoid making signed zones unsigned. The Child may not enroll the | |||
| initial key or introduce a new key when there are no old keys that | initial key or introduce a new key when there are no old keys that | |||
| can be used, because there is no way to validate the information. | can be used (without some additional, out of band, validation of the | |||
| keys), because there is no way to validate the information. | ||||
| 3. CDS / CDNSKEY (Child DS/ Child DNSKEY) Record Definitions | 3. CDS / CDNSKEY (Child DS/ Child DNSKEY) Record Definitions | |||
| This document specifies two new resource records, CDS and CDNSKEY. | This document specifies two new resource records, CDS and CDNSKEY. | |||
| These records are used to convey, from one zone to it's parent, the | These records are used to convey, from one zone to its parent, the | |||
| desired contents of the zone's DS resource record set residing in the | desired contents of the zone's DS resource record set residing in the | |||
| parent zone. | parent zone. | |||
| The CDS / CDNSKEY records are published in the child zone and gives | The CDS / CDNSKEY records are published in the child zone and gives | |||
| the child control of what is published for it in the parental zone. | the child control of what is published for it in the parental zone. | |||
| The CDS / CDNSKEY RRset expresses what the child would like the DS | The CDS / CDNSKEY RRset expresses what the child would like the DS | |||
| RRset to look like after the change; it is a "replace" operation, and | RRset to look like after the change; it is a "replace" operation, and | |||
| it is up to the consumer of the records to translate that into the | it is up to the consumer of the records to translate that into the | |||
| appropriate add/delete operations in the registration systems (and in | appropriate add/delete operations in the registration systems (and in | |||
| the case of CDNSKEY, to generate the DS from the DNSKEY). If no CDS | the case of CDNSKEY, to generate the DS from the DNSKEY). If no CDS | |||
| skipping to change at page 8, line 23 ¶ | skipping to change at page 8, line 23 ¶ | |||
| for the CDS record via expert review [I-D.ds-publish]. CDS uses the | for the CDS record via expert review [I-D.ds-publish]. CDS uses the | |||
| same registries as DS for its fields. | same registries as DS for its fields. | |||
| No special processing is performed by authoritative servers or by | No special processing is performed by authoritative servers or by | |||
| revolvers, when serving or resolving. For all practical purposes CDS | revolvers, when serving or resolving. For all practical purposes CDS | |||
| is a regular RR type. | is a regular RR type. | |||
| 3.2. CDNSKEY Resource Record Format | 3.2. CDNSKEY Resource Record Format | |||
| The wire and presentation format of the CDNSKEY ("Child DNSKEY") | The wire and presentation format of the CDNSKEY ("Child DNSKEY") | |||
| record is identical to the DNSKEY record. CDNSKEY uses the same | record is identical to the DNSKEY record. IANA has allocated RR code | |||
| TBA1 for the CDS record via expert review. CDNSKEY uses the same | ||||
| registries as DNSKEY for its fields. | registries as DNSKEY for its fields. | |||
| No special processing is performed by authoritative servers or by | No special processing is performed by authoritative servers or by | |||
| revolvers, when serving or resolving. For all practical purposes | revolvers, when serving or resolving. For all practical purposes | |||
| CDNSKEY is a regular RR type. | CDNSKEY is a regular RR type. | |||
| 4. Automating DS Maintainance With CDS/CDNSKEY records | 4. Automating DS Maintainance With CDS/CDNSKEY records | |||
| CDS/CDNSKEY records are intended to be "consumed" by delegation trust | CDS/CDNSKEY records are intended to be "consumed" by delegation trust | |||
| maintainers. The use of CDS/CDNSKEY is optional. | maintainers. The use of CDS/CDNSKEY is optional. | |||
| Some parents prefer to accept DNSSEC key information in DS format, | ||||
| some parents prefer to accept it in DNSKEY format, and calculate the | ||||
| DS record on the child's behalf. Each method has pros and cons, both | ||||
| technical and policy. This solution is DS vs DNSKEY agnostic, and | ||||
| allows operation with either. | ||||
| The child SHOULD publish both CDS and CDNSKEY records. If the child | The child SHOULD publish both CDS and CDNSKEY records. If the child | |||
| knows which the parent consumes, it MAY choose to only publish that | knows which the parent consumes, it MAY choose to only publish that | |||
| record type (for example, some children wish the parent to publish a | record type (for example, some children wish the parent to publish a | |||
| DS, but they wish to keep the DNSKEY "hidden" until needed). If the | DS, but they wish to keep the DNSKEY "hidden" until needed). If the | |||
| child publishes both, the two RRsets MUST match in content. The | child publishes both, the two RRsets MUST match in content. The | |||
| parent should use whichever one they choose, but MUST NOT query for | parent should use whichever one they choose, but MUST NOT query for | |||
| both and perform consistency checks between the CDS and CDNSKEY | both and perform consistency checks between the CDS and CDNSKEY | |||
| records. | records. | |||
| 4.1. CDS / CDNSKEY Processing Rules | 4.1. CDS / CDNSKEY Processing Rules | |||
| If there are no CDS / CDNSKEY resource records in the child, this | If there are no CDS / CDNSKEY resource records in the child, this | |||
| signals that no change should be made to the current DS set. This | signals that no change should be made to the current DS set. This | |||
| means that, once the child and parent are in sync, the child DNS | means that, once the child and parent are in sync, the child DNS | |||
| operator SHOULD remove all CDS records from the zone. | operator MAY remove all CDS records from the zone. | |||
| Following acceptance rules are placed on the CDS / CDNSKEY records as | Following acceptance rules are placed on the CDS / CDNSKEY records as | |||
| follows: | follows: | |||
| o Location: "the CDS / CDNSKEY record MUST be at the child zone | o Location: "the CDS / CDNSKEY record MUST be at the child zone | |||
| apex". | apex". | |||
| o Signer: "MUST be signed with a key that is represented in both the | o Signer: "MUST be signed with a key that is represented in both the | |||
| current DNSKEY and DS RRset's." | current DNSKEY and DS RRset's." | |||
| o Continuity: "MUST NOT break the current delegation if applied to | o Continuity: "MUST NOT break the current delegation if applied to | |||
| DS RRset" | DS RRset" | |||
| If any these conditions fail the CDS / CDNSKEY record MUST be | If any these conditions fail the CDS / CDNSKEY record MUST be | |||
| ignored. | ignored. | |||
| 5. CDS / CDNSKEY Publication | 5. CDS / CDNSKEY Publication | |||
| Child DNS Operator SHOULD only publish a CDS or CDNSKEY RRset when it | Child DNS Operator publishes a CDS and / or CDNSKEY RRset. In order | |||
| wants to make a change to the DS RRset in the Parent. In order to be | to be valid, the CDS / CDNSKEY RRset MUST be compliant with the rules | |||
| valid, the CDS / CDNSKEY RRset MUST be compliant with the rules in | in Section 4.1. When the Parent DS is "in-sync" with the CDS / | |||
| Section 4.1. When the Parent DS is "in-sync" with the CDS / CDNSKEY, | CDNSKEY, the Child DNS Operator MAY delete the CDS / CDNSKEY | |||
| the Child DNS Operator SHOULD delete the CDS / CDNSKEY RRset(s). | RRset(s); the child can determine if this is the case by quering for | |||
| Note that if the child has published a CDNSKEY RR, the Parent will | DS records in the parent. Note that if the child has published a | |||
| have to calculate the DS (using the requested digest algorithm) to do | CDNSKEY RR, the Parent will have to calculate the DS (using the | |||
| the comparison. | requested digest algorithm) to do the comparison. | |||
| 6. Parent Side CDS / CDNSKEY Consumption | 6. Parent Side CDS / CDNSKEY Consumption | |||
| The CDS / CDNSKEY RRset SHOULD be used by the Parental Agent to | The CDS / CDNSKEY RRset SHOULD be used by the Parental Agent to | |||
| update the DS RRset in the parent zone. The Parental Agent for this | update the DS RRset in the parent zone. The Parental Agent for this | |||
| uses a tool that understands the CDS / CDNSKEY signing rules from | uses a tool that understands the CDS / CDNSKEY signing rules from | |||
| Section 4.1 so it may not be able to use a standard validator. | Section 4.1 so it may not be able to use a standard validator. | |||
| The parent MUST choose to accept either CDS or CDNSKEY records (based | The parent MUST choose to accept either CDS or CDNSKEY records (based | |||
| upon local policy), and MUST NOT expect there to be both. A parent | upon local policy), and MUST NOT expect there to be both. A parent | |||
| skipping to change at page 10, line 33 ¶ | skipping to change at page 10, line 24 ¶ | |||
| In either case the Parental Agent MAY apply additional rules that | In either case the Parental Agent MAY apply additional rules that | |||
| defer the acceptance of a CDS / CDNSKEY change, these rules may | defer the acceptance of a CDS / CDNSKEY change, these rules may | |||
| include a condition that the CDS / CDNSKEY remains in place and valid | include a condition that the CDS / CDNSKEY remains in place and valid | |||
| for some time period before it is accepted. It may be appropriate in | for some time period before it is accepted. It may be appropriate in | |||
| the "Pushing" case to assume that the Child is ready and thus accept | the "Pushing" case to assume that the Child is ready and thus accept | |||
| changes without delay. | changes without delay. | |||
| 6.1.1. CDS / CDNSKEY Polling | 6.1.1. CDS / CDNSKEY Polling | |||
| This is the only defined use of CDS / CDNSKEY in this document. | This is the only defined use of CDS / CDNSKEY in this document. | |||
| There are limits to the saleability of polling techniques, thus some | There are limits to the scaleability of polling techniques, thus some | |||
| other mechanism is likely to be specified later that addresses CDS / | other mechanism is likely to be specified later that addresses CDS / | |||
| CDNSKEY usage in the situation where polling does not scale to. | CDNSKEY usage in the situation where polling does not scale to. | |||
| Having said that Polling will work in many important cases like | Having said that Polling will work in many important cases like | |||
| enterprises, universities, small TLDs etc. In many regulatory | enterprises, universities, small TLDs etc. In many regulatory | |||
| environments the registry is prohibited from talking to the | environments the registry is prohibited from talking to the | |||
| registrant. In most of these cases the registrant has a business | registrant. In most of these cases the registrant has a business | |||
| relationship with the registrar, and so the registrar can offer this | relationship with the registrar, and so the registrar can offer this | |||
| as a service. | as a service. | |||
| If the CDS / CDNSKEY RRset does not exist, the Parental Agent MUST | If the CDS / CDNSKEY RRset does not exist, the Parental Agent MUST | |||
| skipping to change at page 11, line 13 ¶ | skipping to change at page 11, line 8 ¶ | |||
| unauthenticated (for example, a child could telephone its parent and | unauthenticated (for example, a child could telephone its parent and | |||
| request that they process the new CDS or CDNSKEY record, an | request that they process the new CDS or CDNSKEY record, an | |||
| unauthenticated POST could be made to a webserver (with rate- | unauthenticated POST could be made to a webserver (with rate- | |||
| limiting), etc.) | limiting), etc.) | |||
| Other documents can specify the trigger conditions. | Other documents can specify the trigger conditions. | |||
| 6.2. Using the New CDS / CDNSKEY Records | 6.2. Using the New CDS / CDNSKEY Records | |||
| Regardless of how the Parental Agent detected changes to a CDS / | Regardless of how the Parental Agent detected changes to a CDS / | |||
| CDNSKEY RR, the Parental Agent MUST use a DNSSEC validator to obtain | CDNSKEY RR, the Parental Agent SHOULD use a DNSSEC validator to | |||
| a validated CDS / CDNSKEY RRset from the Child zone. | obtain a validated CDS / CDNSKEY RRset from the Child zone. The only | |||
| exception to this is if the parent perfoms some additional validation | ||||
| on the data to confirm that it is the "correct" ket. This behavior | ||||
| is NOT RECOMMENDED. | ||||
| The Parental Agent MUST ensure that old versions of the CDS / CDNSKEY | The Parental Agent MUST ensure that old versions of the CDS / CDNSKEY | |||
| RRset do not overwrite newer versions. This MAY be accomplished by | RRset do not overwrite newer versions. This MAY be accomplished by | |||
| checking that the signature inception in the RRSIG for CDS / CDNSKEY | checking that the signature inception in the RRSIG for CDS / CDNSKEY | |||
| is newer and/or the serial number on the child's SOA is greater. | is newer and/or the serial number on the child's SOA is greater. | |||
| This may require the Parental Agent to maintain some state | This may require the Parental Agent to maintain some state | |||
| information. | information. | |||
| The Parental Agent MAY take extra security measures. For example, to | The Parental Agent MAY take extra security measures. For example, to | |||
| mitigate the possibility that a Child's key signing key has been | mitigate the possibility that a Child's key signing key has been | |||
| skipping to change at page 12, line 15 ¶ | skipping to change at page 12, line 15 ¶ | |||
| In the case the parent fetch the CDNSKEY and calculate the DS it MAY | In the case the parent fetch the CDNSKEY and calculate the DS it MAY | |||
| be the case that the DS published in the parent zone is not identical | be the case that the DS published in the parent zone is not identical | |||
| with the data in the CDS record made available by the child. | with the data in the CDS record made available by the child. | |||
| 7. IANA Considerations | 7. IANA Considerations | |||
| IANA has assigned RR Type code 59 for CDS. This was done for an | IANA has assigned RR Type code 59 for CDS. This was done for an | |||
| earlier version of this document[I-D.ds-publish] This document is to | earlier version of this document[I-D.ds-publish] This document is to | |||
| become the reference for CDS RRtype. | become the reference for CDS RRtype. | |||
| IANA is requested to assign another RR Type for the CDNSKEY. | IANA is requested to assign another RR Type for the CDNSKEY, and to | |||
| replace TBA1 with this value (currntly 60 is still free, it would be | ||||
| nice if that were assigned...) | ||||
| 8. Privacy Considerations | 8. Privacy Considerations | |||
| All of the information handled / transmitted by this protocol is | All of the information handled / transmitted by this protocol is | |||
| public information published in the DNS. | public information published in the DNS. | |||
| 9. Security Considerations | 9. Security Considerations | |||
| This work is for the normal case; when things go wrong there is only | This work is for the normal case; when things go wrong there is only | |||
| so much that automation can fix. | so much that automation can fix. | |||
| skipping to change at page 13, line 24 ¶ | skipping to change at page 13, line 26 ¶ | |||
| registrar may assume that it is maintaining the DNSSEC key | registrar may assume that it is maintaining the DNSSEC key | |||
| information in the registry, and may have this cached. If the | information in the registry, and may have this cached. If the | |||
| registry is fetching the CDS / CDNSKEY then the registry and | registry is fetching the CDS / CDNSKEY then the registry and | |||
| registrar may have different views of the DNSSEC key material and the | registrar may have different views of the DNSSEC key material and the | |||
| result of such a situation is unclear. Because of this, this | result of such a situation is unclear. Because of this, this | |||
| mechanism SHOULD NOT be use to bypass intermediaries that might cache | mechanism SHOULD NOT be use to bypass intermediaries that might cache | |||
| information and because of that get the wrong state. | information and because of that get the wrong state. | |||
| If there is a failure in applying changes in child zone to all DNS | If there is a failure in applying changes in child zone to all DNS | |||
| servers listed in either parent or child NS set it is possible that | servers listed in either parent or child NS set it is possible that | |||
| the Parental agent may get confused either not perform action because | the Parental agent may get confused, either because it gets different | |||
| it gets different answers on different checks or CDS validation | answers on different checks or CDS validation fails. In the worst | |||
| fails. In the worst case, Parental Agent performs an action | case, the Parental Agent performs an action reversing a prior action | |||
| reversing a prior action but after the child signing system decides | but after the child signing system decides to take the next step in | |||
| to take the next step in rollover, resulting in a broken delegation. | rollover, resulting in a broken delegation. | |||
| DNS is a loosely coherent distributed database with local caching; | DNS is a loosely coherent distributed database with local caching; | |||
| therefore, it is important to allow old information to expire from | therefore, it is important to allow old information to expire from | |||
| caches before deleting DS or DNSKEY records. Similarly, it is | caches before deleting DS or DNSKEY records. Similarly, it is | |||
| important to allow new records to propagate through the DNS before | important to allow new records to propagate through the DNS before | |||
| use, see [RFC6781] and [I-D.key-time] | use, see [RFC6781] and [I-D.key-time] | |||
| It is common practice for users to outsource their DNS hosting to a | It is common practice for users to outsource their DNS hosting to a | |||
| 3rd party DNS provider. In order for that provider to be able to | 3rd party DNS provider. In order for that provider to be able to | |||
| maintain the DNSSEC information some users give the provider their | maintain the DNSSEC information some users give the provider their | |||
| skipping to change at page 16, line 18 ¶ | skipping to change at page 16, line 18 ¶ | |||
| In many RRR cases the Registrar and Registry communicate via | In many RRR cases the Registrar and Registry communicate via | |||
| EPP[RFC5730] and use the EPP DNSSEC extension [RFC5910]. In a number | EPP[RFC5730] and use the EPP DNSSEC extension [RFC5910]. In a number | |||
| of ccTLDs there are other mechanisms in use as well as EPP, but in | of ccTLDs there are other mechanisms in use as well as EPP, but in | |||
| general there seems to be a movement towards EPP usage when DNSSEC is | general there seems to be a movement towards EPP usage when DNSSEC is | |||
| enabled in the TLD. | enabled in the TLD. | |||
| Appendix B. Changes / Author Notes. | Appendix B. Changes / Author Notes. | |||
| [RFC Editor: Please remove this section before publication ] | [RFC Editor: Please remove this section before publication ] | |||
| WG-05 to WG-06 | ||||
| o Consensus (according to me!) was that mail thread said "Child MAY | ||||
| remove the CDS record". Changed to accomodate. | ||||
| o "The proposal below can operate with both models, but the child | ||||
| needs to be aware of the parental policies." - removed "but the | ||||
| child needs to be aware of the parental policies.". This is no | ||||
| longer true, as we suggest publishing both CDS and CDSNKEY. | ||||
| o Added: "without some additional out of band process" to "The Child | ||||
| may not enroll the initial key or introduce a new key when there | ||||
| are no old keys that can be used (without some additional, out of | ||||
| band, validation of the keys), because there is no way to validate | ||||
| the information." | ||||
| o Added a bit to the IANA section, requesting that TBA1 be replaced | ||||
| with the IANA allocated code. | ||||
| o Removed" Some parents prefer to accept DNSSEC key information in | ||||
| DS format, some parents prefer to accept it in DNSKEY format, and | ||||
| calculate the DS record on the child's behalf. Each method has | ||||
| pros and cons, both technical and policy. This solution is DS vs | ||||
| DNSKEY agnostic, and allows operation with either." from Section 4 | ||||
| as it is covered in Section 2.2.1 | ||||
| o Remove a bunch of comments from the XML. I was getting tired of | ||||
| scrolling past them. If the authors need them back, they are in | ||||
| SVN commit 47. | ||||
| WG-04 to WG-05 | WG-04 to WG-05 | |||
| o More comments from Patrik, Paul and Ed. | o More comments from Patrik, Paul and Ed. | |||
| o Many nits and fixes from Matthijs Mekking. | o Many nits and fixes from Matthijs Mekking. | |||
| o Outstanding question: Should we remove the "Child SHOULD remove | o Outstanding question: Should we remove the "Child SHOULD remove | |||
| the CDS record" text? Mail sent to list. | the CDS record" text? Mail sent to list. | |||
| WG-03 to WG-04 | WG-03 to WG-04 | |||
| End of changes. 20 change blocks. | ||||
| 47 lines changed or deleted | 77 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||