< draft-ietf-dnsop-delegation-trust-maintainance-06.txt   draft-ietf-dnsop-delegation-trust-maintainance-07.txt >
dnsop W. Kumari dnsop W. Kumari
Internet-Draft Google Internet-Draft Google
Intended status: Informational O. Gudmundsson Intended status: Informational O. Gudmundsson
Expires: October 16, 2014 Shinkuro Inc. Expires: October 16, 2014 Shinkuro Inc.
G. Barwood G. Barwood
April 14, 2014 April 14, 2014
Automating DNSSEC Delegation Trust Maintenance Automating DNSSEC Delegation Trust Maintenance
draft-ietf-dnsop-delegation-trust-maintainance-06 draft-ietf-dnsop-delegation-trust-maintainance-07
Abstract Abstract
This document describes a method to allow DNS operators to more This document describes a method to allow DNS operators to more
easily update DNSSEC Key Signing Keys using the DNS as communication easily update DNSSEC Key Signing Keys using the DNS as communication
channel. This document does not address the initial configuration of channel. This document does not address the initial configuration of
trust anchors for a domain. The technique described is aimed at trust anchors for a domain. The technique described is aimed at
delegations in which it is currently hard to move information from delegations in which it is currently hard to move information from
the child to parent. the child to parent.
skipping to change at page 5, line 19 skipping to change at page 5, line 19
child has told the parent it will use to sign its DNSKEY RRset. In child has told the parent it will use to sign its DNSKEY RRset. In
DNSSEC trust relationship between zones is provided by the following DNSSEC trust relationship between zones is provided by the following
chain: chain:
parent DNSKEY --> DS --> child DNSKEY. parent DNSKEY --> DS --> child DNSKEY.
A prior proposal [I-D.auto-cpsync] suggested that the child send an A prior proposal [I-D.auto-cpsync] suggested that the child send an
"update" to the parent via a mechanism similar to Dynamic Update. "update" to the parent via a mechanism similar to Dynamic Update.
The main issue became: How does the child find the actual parental The main issue became: How does the child find the actual parental
agent/server to send the update to? While that could have been agent/server to send the update to? While that could have been
solved via technical means, the proposal died. There is also a solved via technical means, it failed to each consensus. There is
similar proposal in [I-D.parent-zones]. also a similar proposal in [I-D.parent-zones].
As the DS record can only be present at the parent (RFC4034 As the DS record can only be present at the parent ( [RFC4034]), some
[RFC4034]), some other record/method is needed to automate which other method is needed to automate which DNSKEYs are picked to be
DNSKEYs are picked to be represented in the parent zone's DS records. represented in the parent zone's DS records. One possibility is to
One possibility is to use flags in the DNSKEY record. If the SEP bit use flags in the DNSKEY record. If the SEP bit is set, this
is set, this indicates that the DNSKEY is intended for use as a indicates that the DNSKEY is intended for use as a secure entry
secure entry point. This DNSKEY signs the DNSKEY RRset, and the point. This DNSKEY signs the DNSKEY RRset, and the Parental Agent
Parental Agent can calculate DS records based on that. But this can calculate DS records based on that. But this fails to meet some
fails to meet some operating needs, including the child having no operating needs, including the child having no influence what DS
influence what DS digest algorithms are used and DS records can only digest algorithms are used and DS records can only be published for
be published for keys that are in the DNSKEY RRset, and thus this keys that are in the DNSKEY RRset, and thus this technique would not
technique would not be compatible with Double-DS key rollover. be compatible with Double-DS key rollover.
2.2. Relationship Between Parent and Child DNS Operator 2.2. Relationship Between Parent and Child DNS Operator
In practical application, there are many different relationships In practical application, there are many different relationships
between the parent and child DNS operators. The type of relationship between the parent and child DNS operators. The type of relationship
affects how the Child DNS Operator communicates with the parent. affects how the Child DNS Operator communicates with the parent.
This section will highlight some of the different situations, but is This section will highlight some of the different situations, but is
by no means a complete list. by no means a complete list.
Different communication paths: Different communication paths:
o Direct/API: The child can change the delegation information via o Direct/API: The child can change the delegation information via
automated/scripted means EPP[RFC5730] used by many TLDs is an automated/scripted means. EPP[RFC5730], used by many TLDs is an
example of this. Another example is the web service's example of this. Another example is the web service's
programmatic interfaces that Registrars make available to their programmatic interfaces that Registrars make available to their
Resellers. Resellers.
o User Interface: The Child uses a (web) site set up by the Parental o User Interface: The Child uses a (web) site set up by the Parental
Agent for updating delegation information. Agent for updating delegation information.
o Indirect: The communication has to be transmitted via out-of-band o Indirect: The communication has to be transmitted via out-of-band
between two parties, such as email, telephone etc.. This is common between two parties, such as email, telephone etc.. This is common
when the Child's DNS operator is neither the child itself nor the when the Child's DNS operator is neither the child itself nor the
skipping to change at page 6, line 20 skipping to change at page 6, line 20
o Multi-step Combinations: The information flows through an o Multi-step Combinations: The information flows through an
intermediary. It is possible, but unlikely, that all the steps intermediary. It is possible, but unlikely, that all the steps
are automated via API's and there are no humans are involved. are automated via API's and there are no humans are involved.
A domain name holder (Child) may operate its own DNS servers or A domain name holder (Child) may operate its own DNS servers or
outsource the operation. While we use the word parent as a singular, outsource the operation. While we use the word parent as a singular,
parent can consist of single entity or a composite of many discrete parent can consist of single entity or a composite of many discrete
parts that have rules and roles. We refer to the entity that the parts that have rules and roles. We refer to the entity that the
child corresponds with as the Parent. child corresponds with as the Parent.
In another common case an enterprise may delegate parts of its name- IIn another common case an organization may delegate parts of its
space to be operated by a group that is not the same as that which name-space to be operated by a group that is not the same as that
operates the enterprise's DNS servers. In this case the flow of which operates the organization's DNS servers. In this case the flow
information is frequently handled in either an ad hoc manner or via of information is frequently handled in either an ad hoc manner or
some corporate mechanism; this can range from email to fully- via some corporate mechanism; this can range from email to fully-
automated operation. The word enterprise above covers all automated operation.
organizations in which the domains are not sold on the open market
and there is some relationship between the entities.
2.2.1. Solution Space 2.2.1. Solution Space
This document is aimed at the cases in which there is an This document is aimed at the cases in which there is a separation
organizational separation of the child and parent. between the child and parent.
A further complication is when the Child DNS Operator is not the A further complication is when the Child DNS Operator is not the
Child. There are two common cases of this: Child. There are two common cases of this:
a) The Parental Agent (e.g. registrar) handles the DNS operation. a) The Parental Agent (e.g. registrar) handles the DNS operation.
b) A third party takes care of the DNS operation. b) A third party takes care of the DNS operation.
If the Parental Agent is the DNS operator, life is much easier; the If the Parental Agent is the DNS operator, life is much easier; the
Parental Agent can inject any delegation changes directly into the Parental Agent can inject any delegation changes directly into the
skipping to change at page 7, line 10 skipping to change at page 7, line 8
Some parents want the child to express their DNSKEYS in the form of Some parents want the child to express their DNSKEYS in the form of
DS records, while others want to receive the DNSKEY records and DS records, while others want to receive the DNSKEY records and
calculate the DS records themselves. There is no consensus on which calculate the DS records themselves. There is no consensus on which
method is better; both have good reasons to exist. This solution is method is better; both have good reasons to exist. This solution is
DS vs DNSKEY agnostic, and allows operation with either. DS vs DNSKEY agnostic, and allows operation with either.
2.2.2. DNSSEC key change process 2.2.2. DNSSEC key change process
After a Child DNS Operator first signs the zone, there is a need to After a Child DNS Operator first signs the zone, there is a need to
interact with the Parent, for example via the delegation account interact with the Parent, for example via a delegation account
interface, to "upload / paste-in the zone's DS information". The interface, to "upload / paste-in the zone's DS information". This
action of logging in through the delegation account user interface action of logging in through the delegation account user interface
authenticates that the user is authorized to change delegation authenticates that the user is authorized to change delegation
information for the child published in the parent zone. In the case information for the child published in the parent zone. In the case
where the "Child DNS Operator" does not have access to the where the "Child DNS Operator" does not have access to the
registration account, the Child needs to perform the action. registration account, the Child needs to perform the action.
At a later date, the Child DNS Operator may want to publish a new DS At a later date, the Child DNS Operator may want to publish a new DS
record in the parent, either because they are rolling keys, or record in the parent, either because they are rolling keys, or
because they want to publish a stand-by key. This involves because they want to publish a stand-by key. This involves
performing the same process as before. Furthermore when this is a performing the same process as before. Furthermore when this is a
skipping to change at page 7, line 35 skipping to change at page 7, line 33
The Child DNS Operator may also introduce new keys, and can do so The Child DNS Operator may also introduce new keys, and can do so
when old keys exist and can be used. The Child may also remove old when old keys exist and can be used. The Child may also remove old
keys, but this document does not support removing all keys. This is keys, but this document does not support removing all keys. This is
to avoid making signed zones unsigned. The Child may not enroll the to avoid making signed zones unsigned. The Child may not enroll the
initial key or introduce a new key when there are no old keys that initial key or introduce a new key when there are no old keys that
can be used (without some additional, out of band, validation of the can be used (without some additional, out of band, validation of the
keys), because there is no way to validate the information. keys), because there is no way to validate the information.
3. CDS / CDNSKEY (Child DS/ Child DNSKEY) Record Definitions 3. CDS / CDNSKEY (Child DS/ Child DNSKEY) Record Definitions
This document specifies two new resource records, CDS and CDNSKEY. This document specifies two new DNS resource records, CDS and
These records are used to convey, from one zone to its parent, the CDNSKEY. These records are used to convey, from one zone to its
desired contents of the zone's DS resource record set residing in the parent, the desired contents of the zone's DS resource record set
parent zone. residing in the parent zone.
The CDS / CDNSKEY records are published in the child zone and gives The CDS / CDNSKEY resource records are published in the child zone
the child control of what is published for it in the parental zone. and gives the child control of what is published for it in the
The CDS / CDNSKEY RRset expresses what the child would like the DS parental zone. The CDS / CDNSKEY RRset expresses what the child
RRset to look like after the change; it is a "replace" operation, and would like the DS RRset to look like after the change; it is a
it is up to the consumer of the records to translate that into the "replace" operation, and it is up to the consumer of the records to
appropriate add/delete operations in the registration systems (and in translate that into the appropriate add/delete operations in the
the case of CDNSKEY, to generate the DS from the DNSKEY). If no CDS registration systems (and in the case of CDNSKEY, to generate the DS
/ CDNSKEY RRset is present in child, this means that no change is from the DNSKEY). If no CDS / CDNSKEY RRset is present in child,
needed. this means that no change is needed.
[[RFC Editor: Please remove this paragraph before publication] [[RFC Editor: Please remove this paragraph before publication]
Version -04 of the ID that became this working group document (http:/ Version -04 of the ID that became this working group document (http:/
/tools.ietf.org/id/draft-kumari-ogud-dnsop-cds-04.txt) defined a new /tools.ietf.org/id/draft-kumari-ogud-dnsop-cds-04.txt) defined a new
record (CTA) that could hold either a DS or a DNSKEY record (with a record (CTA) that could hold either a DS or a DNSKEY record (with a
selector to differentiate between them). In a shocking development, selector to differentiate between them). In a shocking development,
there was almost full consensus that this was horrid :-) ] there was almost full consensus that this was horrid :-) ]
3.1. CDS Resource Record Format 3.1. CDS Resource Record Format
The wire and presentation format of the CDS ("Child DS") record is The wire and presentation format of the CDS ("Child DS") resource
identical to the DS record [RFC4034]. IANA has allocated RR code 59 record is identical to the DS record [RFC4034]. IANA has allocated
for the CDS record via expert review [I-D.ds-publish]. CDS uses the RR code 59 for the CDS resource record via expert review
same registries as DS for its fields. [I-D.ds-publish]. The CDS RR uses the same registries as DS for its
fields.
No special processing is performed by authoritative servers or by No special processing is performed by authoritative servers or by
revolvers, when serving or resolving. For all practical purposes CDS revolvers, when serving or resolving. For all practical purposes CDS
is a regular RR type. is a regular RR type.
3.2. CDNSKEY Resource Record Format 3.2. CDNSKEY Resource Record Format
The wire and presentation format of the CDNSKEY ("Child DNSKEY") The wire and presentation format of the CDNSKEY ("Child DNSKEY")
record is identical to the DNSKEY record. IANA has allocated RR code resource record is identical to the DNSKEY record. IANA has
TBA1 for the CDS record via expert review. CDNSKEY uses the same allocated RR code TBA1 for the CDNSKEY resource record via expert
registries as DNSKEY for its fields. review. The CDNSKEY RR uses the same registries as DNSKEY for its
fields.
No special processing is performed by authoritative servers or by No special processing is performed by authoritative servers or by
revolvers, when serving or resolving. For all practical purposes revolvers, when serving or resolving. For all practical purposes
CDNSKEY is a regular RR type. CDNSKEY is a regular RR type.
4. Automating DS Maintainance With CDS/CDNSKEY records 4. Automating DS Maintainance With CDS/CDNSKEY records
CDS/CDNSKEY records are intended to be "consumed" by delegation trust CDS/CDNSKEY resource records are intended to be "consumed" by
maintainers. The use of CDS/CDNSKEY is optional. delegation trust maintainers. The use of CDS/CDNSKEY is optional.
The child SHOULD publish both CDS and CDNSKEY records. If the child The child SHOULD publish both CDS and CDNSKEY resource records. If
knows which the parent consumes, it MAY choose to only publish that the child knows which the parent consumes, it MAY choose to only
record type (for example, some children wish the parent to publish a publish that record type (for example, some children wish the parent
DS, but they wish to keep the DNSKEY "hidden" until needed). If the to publish a DS, but they wish to keep the DNSKEY "hidden" until
child publishes both, the two RRsets MUST match in content. The needed). If the child publishes both, the two RRsets MUST match in
parent should use whichever one they choose, but MUST NOT query for content. The parent should use whichever one they choose, but MUST
both and perform consistency checks between the CDS and CDNSKEY NOT query for both and perform consistency checks between the CDS and
records. CDNSKEY resource records.
4.1. CDS / CDNSKEY Processing Rules 4.1. CDS / CDNSKEY Processing Rules
If there are no CDS / CDNSKEY resource records in the child, this If there are no CDS / CDNSKEY RRset in the child, this signals that
signals that no change should be made to the current DS set. This no change should be made to the current DS set. This means that,
means that, once the child and parent are in sync, the child DNS once the child and parent are in sync, the child DNS operator MAY
operator MAY remove all CDS records from the zone. remove all CDS and CDNSKEY resource records from the zone.
Following acceptance rules are placed on the CDS / CDNSKEY records as Following acceptance rules are placed on the CDS / CDNSKEY resource
follows: records as follows:
o Location: "the CDS / CDNSKEY record MUST be at the child zone o Location: "the CDS / CDNSKEY resource records MUST be at the child
apex". zone apex".
o Signer: "MUST be signed with a key that is represented in both the o Signer: "MUST be signed with a key that is represented in both the
current DNSKEY and DS RRset's." current DNSKEY and DS RRset's."
o Continuity: "MUST NOT break the current delegation if applied to o Continuity: "MUST NOT break the current delegation if applied to
DS RRset" DS RRset"
If any these conditions fail the CDS / CDNSKEY record MUST be If any these conditions fail the CDS / CDNSKEY resource record MUST
ignored. be ignored.
5. CDS / CDNSKEY Publication 5. CDS / CDNSKEY Publication
Child DNS Operator publishes a CDS and / or CDNSKEY RRset. In order Child DNS Operator publishes a CDS and / or CDNSKEY resource records.
to be valid, the CDS / CDNSKEY RRset MUST be compliant with the rules In order to be valid, the CDS / CDNSKEY RRset MUST be compliant with
in Section 4.1. When the Parent DS is "in-sync" with the CDS / the rules in Section 4.1. When the Parent DS is "in-sync" with the
CDNSKEY, the Child DNS Operator MAY delete the CDS / CDNSKEY CDS / CDNSKEY resource records, the Child DNS Operator MAY delete the
RRset(s); the child can determine if this is the case by quering for CDS / CDNSKEY record(s); the child can determine if this is the case
DS records in the parent. Note that if the child has published a by quering for DS records in the parent. Note that if the child has
CDNSKEY RR, the Parent will have to calculate the DS (using the published a CDNSKEY RR, the Parent will have to calculate the DS
requested digest algorithm) to do the comparison. (using the requested digest algorithm) to do the comparison.
6. Parent Side CDS / CDNSKEY Consumption 6. Parent Side CDS / CDNSKEY Consumption
The CDS / CDNSKEY RRset SHOULD be used by the Parental Agent to The CDS / CDNSKEY RRset SHOULD be used by the Parental Agent to
update the DS RRset in the parent zone. The Parental Agent for this update the DS RRset in the parent zone. The Parental Agent for this
uses a tool that understands the CDS / CDNSKEY signing rules from uses a tool that understands the CDS / CDNSKEY signing rules from
Section 4.1 so it may not be able to use a standard validator. Section 4.1 so it may not be able to use a standard validator.
The parent MUST choose to accept either CDS or CDNSKEY records (based The parent MUST choose to accept either CDS or CDNSKEY resource
upon local policy), and MUST NOT expect there to be both. A parent records (based upon local policy), and MUST NOT expect there to be
MUST NOT perform a consistency check between CDS and CDNSKEY (other both. A parent MUST NOT perform a consistency check between CDS and
than for informational / debugging use). CDNSKEY (other than for informational / debugging use) resource
records.
6.1. Detecting a Changed CDS / CDNSKEY 6.1. Detecting a Changed CDS / CDNSKEY
How the Parental Agent gets the CDS / CDNSKEY record may differ, How the Parental Agent gets the CDS / CDNSKEY RRset may differ, below
below are two examples as how this can take place. are two examples as how this can take place.
Polling The Parental Agent operates a tool that periodically checks Polling The Parental Agent operates a tool that periodically checks
each of the children that has a DS record to see if there is a each of the children that has a DS record to see if there is a
CDS or CDNSKEY record. CDS or CDNSKEY RRset.
Pushing The delegation user interface has a button {Fetch DS} when Pushing The delegation user interface has a button {Fetch DS} when
pushed preforms the CDS / CDNSKEY processing. If the Parent pushed preforms the CDS / CDNSKEY processing. If the Parent
zone does not contain DS for this delegation then the "push" zone does not contain DS for this delegation then the "push"
SHOULD be ignored. If the Parental Agent displays the contents SHOULD be ignored. If the Parental Agent displays the contents
of the CDS / CDSNKEY to the user and gets confirmation that of the CDS / CDSNKEY to the user and gets confirmation that
this represents their key, the Parental Agent MAY use this for this represents their key, the Parental Agent MAY use this for
initial enrolment (when the Parent zone does not contain the DS initial enrolment (when the Parent zone does not contain the DS
for this delgation). for this delgation).
In either case the Parental Agent MAY apply additional rules that In either case the Parental Agent MAY apply additional rules that
defer the acceptance of a CDS / CDNSKEY change, these rules may defer the acceptance of a CDS / CDNSKEY change, these rules may
include a condition that the CDS / CDNSKEY remains in place and valid include a condition that the CDS / CDNSKEY remains in place and valid
for some time period before it is accepted. It may be appropriate in for some time period before it is accepted. It may be appropriate in
the "Pushing" case to assume that the Child is ready and thus accept the "Pushing" case to assume that the Child is ready and thus accept
changes without delay. changes without delay.
6.1.1. CDS / CDNSKEY Polling 6.1.1. CDS / CDNSKEY Polling
This is the only defined use of CDS / CDNSKEY in this document. This is the only defined use of CDS / CDNSKEY resource records in
There are limits to the scaleability of polling techniques, thus some this document. There are limits to the scaleability of polling
other mechanism is likely to be specified later that addresses CDS / techniques, thus some other mechanism is likely to be specified later
CDNSKEY usage in the situation where polling does not scale to. that addresses CDS / CDNSKEY resource recod usage in the situation
Having said that Polling will work in many important cases like where polling does not scale to. Having said that Polling will work
enterprises, universities, small TLDs etc. In many regulatory in many important cases like enterprises, universities, small TLDs
environments the registry is prohibited from talking to the etc. In many regulatory environments the registry is prohibited from
registrant. In most of these cases the registrant has a business talking to the registrant. In most of these cases the registrant has
relationship with the registrar, and so the registrar can offer this a business relationship with the registrar, and so the registrar can
as a service. offer this as a service.
If the CDS / CDNSKEY RRset does not exist, the Parental Agent MUST If the CDS / CDNSKEY RRset does not exist, the Parental Agent MUST
take no action. Specifically it MUST NOT delete or alter the take no action. Specifically it MUST NOT delete or alter the
existing DS RRset. existing DS RRset.
6.1.2. Other Mechanisms 6.1.2. Other Mechanisms
It is assumed that other mechanisms will be implemented to trigger It is assumed that other mechanisms will be implemented to trigger
the parent to look for an updated CDS / CDNSKEY record. As the CDS / the parent to look for an updated CDS / CDNSKEY RRsets. As the CDS /
CDNSKEY records are validated with DNSSEC, these mechanisms can be CDNSKEY resource records are validated with DNSSEC, these mechanisms
unauthenticated (for example, a child could telephone its parent and can be unauthenticated (for example, a child could telephone its
request that they process the new CDS or CDNSKEY record, an parent and request that they process the new CDS or CDNSKEY resource
unauthenticated POST could be made to a webserver (with rate- records, an unauthenticated POST could be made to a webserver (with
limiting), etc.) rate-limiting), etc.)
Other documents can specify the trigger conditions. Other documents can specify the trigger conditions.
6.2. Using the New CDS / CDNSKEY Records 6.2. Using the New CDS / CDNSKEY Records
Regardless of how the Parental Agent detected changes to a CDS / Regardless of how the Parental Agent detected changes to a CDS /
CDNSKEY RR, the Parental Agent SHOULD use a DNSSEC validator to CDNSKEY RRset, the Parental Agent SHOULD use a DNSSEC validator to
obtain a validated CDS / CDNSKEY RRset from the Child zone. The only obtain a validated CDS / CDNSKEY RRset from the Child zone. The only
exception to this is if the parent perfoms some additional validation exception to this is if the parent perfoms some additional validation
on the data to confirm that it is the "correct" ket. This behavior on the data to confirm that it is the "correct" key. This behavior
is NOT RECOMMENDED. is NOT RECOMMENDED.
The Parental Agent MUST ensure that old versions of the CDS / CDNSKEY The Parental Agent MUST ensure that old versions of the CDS / CDNSKEY
RRset do not overwrite newer versions. This MAY be accomplished by RRset do not overwrite newer versions. This MAY be accomplished by
checking that the signature inception in the RRSIG for CDS / CDNSKEY checking that the signature inception in the RRSIG for CDS / CDNSKEY
is newer and/or the serial number on the child's SOA is greater. RRset is newer and/or the serial number on the child's SOA is
This may require the Parental Agent to maintain some state greater. This may require the Parental Agent to maintain some state
information. information.
The Parental Agent MAY take extra security measures. For example, to The Parental Agent MAY take extra security measures. For example, to
mitigate the possibility that a Child's key signing key has been mitigate the possibility that a Child's key signing key has been
compromised, the Parental Agent may, for example, inform (by email or compromised, the Parental Agent may, for example, inform (by email or
other methods ) the Child DNS Operator of the change. However the other methods ) the Child DNS Operator of the change. However the
precise out-of-band measures that a parent zone SHOULD take are precise out-of-band measures that a parent zone SHOULD take are
outside the scope of this document. outside the scope of this document.
Once the Parental Agent has obtained a valid CDS / CDNSKEY it MUST Once the Parental Agent has obtained a valid CDS / CDNSKEY RRset it
check the publication rules from section 4.1. In particular the MUST check the publication rules from section 4.1. In particular the
Parental Agent MUST double check the Continuity rule and do its best Parental Agent MUST double check the Continuity rule and do its best
not to invalidate the Child zone. Once checked and if the CDS / not to invalidate the Child zone. Once checked and if the
CDNSKEY and DS differ it may apply the changes to the parent zone. information in the CDS / CDNSKEY and DS differ it may apply the
If the parent consumes CDNSKEY, the parent should calculate the DS changes to the parent zone. If the parent consumes CDNSKEY, the
before doing this comparison. parent should calculate the DS before doing this comparison.
6.2.1. Parent Calculates DS 6.2.1. Parent Calculates DS
There are cases where the Parent wants to calculate the DS record due There are cases where the Parent wants to calculate the DS record due
to policy reasons. In this case, the Child publishes CDNSKEY records to policy reasons. In this case, the Child publishes CDNSKEY records
and the parent calculates the DS records on behalf of the children. and the parent calculates the DS records on behalf of the children.
When a Parent operates in "calculate DS" mode it can operate in one When a Parent operates in "calculate DS" mode it can operate in one
of two sub-modes of two sub-modes
full i.e. it only publishes DS records it calculates from DNSKEY full it only publishes DS records it calculates from DNSKEY records,
records,
augment i.e. it will make sure there are DS records for the digest augment it will make sure there are DS records for the digest
algorithm(s) it requires(s). algorithm(s) it requires(s).
In the case the parent fetch the CDNSKEY and calculate the DS it MAY In the case where the parent fetches the CDNSKEY RRset and calculate
be the case that the DS published in the parent zone is not identical the DS it MAY be the case that the DS published in the parent zone is
with the data in the CDS record made available by the child. not identical with the data in the CDS resource record made available
by the child.
7. IANA Considerations 7. IANA Considerations
IANA has assigned RR Type code 59 for CDS. This was done for an IANA has assigned RR Type code 59 for the CDS resource record. This
earlier version of this document[I-D.ds-publish] This document is to was done for an earlier version of this document[I-D.ds-publish] This
become the reference for CDS RRtype. document is to become the reference for CDS RRtype.
IANA is requested to assign another RR Type for the CDNSKEY, and to IANA is requested to assign another RR Type for the CDNSKEY, and to
replace TBA1 with this value (currntly 60 is still free, it would be replace TBA1 with this value (currntly 60 is still free, it would be
nice if that were assigned...) nice if that were assigned...)
8. Privacy Considerations 8. Privacy Considerations
All of the information handled / transmitted by this protocol is All of the information handled / transmitted by this protocol is
public information published in the DNS. public information published in the DNS.
skipping to change at page 12, line 35 skipping to change at page 12, line 33
This work is for the normal case; when things go wrong there is only This work is for the normal case; when things go wrong there is only
so much that automation can fix. so much that automation can fix.
If child breaks DNSSEC validation by removing all the DNSKEYs that If child breaks DNSSEC validation by removing all the DNSKEYs that
are represented in the DS set its only repair actions are to contact are represented in the DS set its only repair actions are to contact
the parent or restore the DNSKEYs in the DS set. the parent or restore the DNSKEYs in the DS set.
In the event of a compromise of the server or system generating In the event of a compromise of the server or system generating
signatures for a zone, an attacker might be able to generate and signatures for a zone, an attacker might be able to generate and
publish new CDS records. The modified CDS records will be picked up publish new CDS resource records. The modified CDS recourse records
by this technique and so may allow the attacker to extend the will be picked up by this technique and so may allow the attacker to
effective time of his attack. If there a delay in accepting changes extend the effective time of his attack. If there a delay in
to DS, as in [RFC5011], then the attacker needs to hope his activity accepting changes to DS, as in [RFC5011], then the attacker needs to
is not detected before the DS in parent is changed. If this type of hope his activity is not detected before the DS in parent is changed.
change takes place, the child needs to contact the parent (possibly If this type of change takes place, the child needs to contact the
via a registrar web interface) and remove any compromised DS keys. parent (possibly via a registrar web interface) and remove any
compromised DS keys.
A compromise of the account with the parent (e.g. registrar) will not A compromise of the account with the parent (e.g. registrar) will not
be mitigated by this technique, as the "new registrant" can delete/ be mitigated by this technique, as the "new registrant" can delete/
modify the DS records at will. modify the DS records at will.
While it may be tempting, this SHOULD NOT be used for initial While it may be tempting, this SHOULD NOT be used for initial
enrollment of keys since there is no way to ensure that the initial enrollment of keys since there is no way to ensure that the initial
key is the correct one. If is used, strict rules for inclusion of key is the correct one. If is used, strict rules for inclusion of
keys like hold down times, challenge data inclusion etc., ought to be keys like hold down times, challenge data inclusion etc., ought to be
used, along with some kind of challenge mechanism. A child cannot used, along with some kind of challenge mechanism. A child cannot
skipping to change at page 13, line 18 skipping to change at page 13, line 18
process. Since rollover is automated, updating a DS RRset by other process. Since rollover is automated, updating a DS RRset by other
means may be regarded as unusual and subject to extra security means may be regarded as unusual and subject to extra security
checks. checks.
As this introduces a new mechanism to update information in the As this introduces a new mechanism to update information in the
parent it MUST be clear who is fetching the records and creating the parent it MUST be clear who is fetching the records and creating the
appropriate records in the parent zone. Specifically some operations appropriate records in the parent zone. Specifically some operations
may use other mechanisms than what is described here. For example, a may use other mechanisms than what is described here. For example, a
registrar may assume that it is maintaining the DNSSEC key registrar may assume that it is maintaining the DNSSEC key
information in the registry, and may have this cached. If the information in the registry, and may have this cached. If the
registry is fetching the CDS / CDNSKEY then the registry and registry is fetching the CDS / CDNSKEY RRset then the registry and
registrar may have different views of the DNSSEC key material and the registrar may have different views of the DNSSEC key material and the
result of such a situation is unclear. Because of this, this result of such a situation is unclear. Therefore, this mechanism
mechanism SHOULD NOT be use to bypass intermediaries that might cache SHOULD NOT be use to bypass intermediaries that might cache
information and because of that get the wrong state. information and because of that get the wrong state.
If there is a failure in applying changes in child zone to all DNS If there is a failure in applying changes in child zone to all DNS
servers listed in either parent or child NS set it is possible that servers listed in either parent or child NS set it is possible that
the Parental agent may get confused, either because it gets different the Parental agent may get confused, either because it gets different
answers on different checks or CDS validation fails. In the worst answers on different checks or CDS RR validation fails. In the worst
case, the Parental Agent performs an action reversing a prior action case, the Parental Agent performs an action reversing a prior action
but after the child signing system decides to take the next step in but after the child signing system decides to take the next step in
rollover, resulting in a broken delegation. rollover, resulting in a broken delegation.
DNS is a loosely coherent distributed database with local caching; DNS is a loosely coherent distributed database with local caching;
therefore, it is important to allow old information to expire from therefore, it is important to allow old information to expire from
caches before deleting DS or DNSKEY records. Similarly, it is caches before deleting DS or DNSKEY records. Similarly, it is
important to allow new records to propagate through the DNS before important to allow new records to propagate through the DNS before
use, see [RFC6781] and [I-D.key-time] use, see [RFC6781] and [I-D.key-time]
It is common practice for users to outsource their DNS hosting to a It is common practice for users to outsource their DNS hosting to a
3rd party DNS provider. In order for that provider to be able to 3rd party DNS provider. In order for that provider to be able to
maintain the DNSSEC information some users give the provider their maintain the DNSSEC information some users give the provider their
registrar login credentials (which obviously has negative security registrar login credentials (which obviously has negative security
implications). Deploying the solution described in this document implications). Deploying the solution described in this document
allows the 3rd party DNS provider to maintain the DNSSEC information allows the 3rd party DNS provider to maintain the DNSSEC information
without giving them the registrar credentials, thereby improving without giving them the registrar credentials, thereby improving
security. security.
By automating the maintenance of the DNSSEC key information (and By automating the maintenance of the DNSSEC key information (and
removing humans from the process) we expect to decrease the number of removing humans from the process), we expect to decrease the number
DNSSEC related outages, which should increase DNSSEC deployment. of DNSSEC related outages, which should increase DNSSEC deployment.
10. Acknowledgements 10. Acknowledgements
We would like to thank a large number of folk, including: Mark We would like to thank a large number of folk, including: Mark
Andrews, Joe Abley, Jaap Akkerhuis, Roy Arends, Doug Barton, Brian Andrews, Joe Abley, Jaap Akkerhuis, Roy Arends, Doug Barton, Brian
Dickinson, Paul Ebersman, Tony Finch, Jim Galvin, Paul Hoffman, Samir Dickinson, Paul Ebersman, Tony Finch, Jim Galvin, Paul Hoffman, Samir
Hussain, Tatuya Jinmei, Olaf Kolkman, Cricket Liu, Stephan Lagerholm, Hussain, Tatuya Jinmei, Olaf Kolkman, Cricket Liu, Stephan Lagerholm,
Matt Larson, Marco Sanz, Antoin Verschuren, Suzanne Woolf, Paul Matt Larson, Marco Sanz, Antoin Verschuren, Suzanne Woolf, Paul
Wouters, John Dickinson, Timothe Litt and Edward Lewis. Wouters, John Dickinson, Timothe Litt and Edward Lewis.
skipping to change at page 15, line 27 skipping to change at page 15, line 27
[I-D.ds-publish] [I-D.ds-publish]
Barwood, G., "DNS Transport", draft-barwood-dnsop-ds- Barwood, G., "DNS Transport", draft-barwood-dnsop-ds-
publish-02 (work in progress), June 2011. publish-02 (work in progress), June 2011.
[I-D.key-time] [I-D.key-time]
Mekking, W., "DNSSEC Key Timing Considerations", draft- Mekking, W., "DNSSEC Key Timing Considerations", draft-
ietf-dnsop-dnssec-key-timing-03 (work in progress), July ietf-dnsop-dnssec-key-timing-03 (work in progress), July
2012. 2012.
[I-D.parent-zones] [I-D.parent-zones]
Andrews, M., "Updating Parent Zones", November 2013. Andrews, M., "Updating Parent Zones", draft-andrews-dnsop-
update-parent-zones-04 (work in progress), November 2013.
[RFC5730] Hollenbeck, S., "Extensible Provisioning Protocol (EPP)", [RFC5730] Hollenbeck, S., "Extensible Provisioning Protocol (EPP)",
STD 69, RFC 5730, August 2009. STD 69, RFC 5730, August 2009.
[RFC5910] Gould, J. and S. Hollenbeck, "Domain Name System (DNS) [RFC5910] Gould, J. and S. Hollenbeck, "Domain Name System (DNS)
Security Extensions Mapping for the Extensible Security Extensions Mapping for the Extensible
Provisioning Protocol (EPP)", RFC 5910, May 2010. Provisioning Protocol (EPP)", RFC 5910, May 2010.
Appendix A. RRR background Appendix A. RRR background
In the RRR world, the different parties are frequently from different In the RRR world, the different parties are frequently from different
organizations. In the single enterprise world there are also organizations. In the single enterprise world there are also
organizational/geographical/cultural separations that affect how organizational/geographical/cultural separations that affect how
information flows from a Child to the parent. information flows from a Child to the parent.
Due to the complexity of the different roles and interconnections, Due to the complexity of the different roles and interconnections,
automation of delegation information has been punted in the past. automation of delegation information has not yet occured. There have
There have been some proposals to automate this, in order to improve been proposals to automate this, in order to improve the reliability
the reliability of the DNS. These proposals have not gained enough of the DNS. These proposals have not gained enough traction to
traction to become standards. become standards.
For example in many of the TLD cases there is the RRR model For example in many of the TLD cases there is the RRR model
(Registry, Registrar and Registrant). The Registry operates DNS for (Registry, Registrar and Registrant). The Registry operates DNS for
the TLD, the Registrars accept registrations and place information the TLD, the Registrars accept registrations and place information
into the Registries database. The Registrant only communicates with into the Registries database. The Registrant only communicates with
the Registrar; frequently the Registry is not allowed to communicate the Registrar; frequently the Registry is not allowed to communicate
with the Registrant. In that case as far as the registrant is with the Registrant. In that case as far as the registrant is
concerned the Registrar == Parent. concerned the Registrar == Parent.
In many RRR cases the Registrar and Registry communicate via In many RRR cases the Registrar and Registry communicate via
EPP[RFC5730] and use the EPP DNSSEC extension [RFC5910]. In a number EPP[RFC5730] and use the EPP DNSSEC extension [RFC5910]. In a number
of ccTLDs there are other mechanisms in use as well as EPP, but in of ccTLDs there are other mechanisms in use as well as EPP, but in
general there seems to be a movement towards EPP usage when DNSSEC is general there seems to be a movement towards EPP usage when DNSSEC is
enabled in the TLD. enabled in the TLD.
Appendix B. Changes / Author Notes. Appendix B. Changes / Author Notes.
[RFC Editor: Please remove this section before publication ] [RFC Editor: Please remove this section before publication ]
WG-06 to WG-07
o Incorporated nits / editorial comments from Tim Wicinski.
o
* Reference for Mark's draft was incorrect, Wes Hardaker doesn't
work for ISC :-P
* Normalized CDS record / CDS resource record / records / etc.
* Language cleanup / nits / poor grammar.
* removed "punted" colloquialism.
WG-05 to WG-06 WG-05 to WG-06
o Consensus (according to me!) was that mail thread said "Child MAY o Consensus (according to me!) was that mail thread said "Child MAY
remove the CDS record". Changed to accomodate. remove the CDS record". Changed to accomodate.
o "The proposal below can operate with both models, but the child o "The proposal below can operate with both models, but the child
needs to be aware of the parental policies." - removed "but the needs to be aware of the parental policies." - removed "but the
child needs to be aware of the parental policies.". This is no child needs to be aware of the parental policies.". This is no
longer true, as we suggest publishing both CDS and CDSNKEY. longer true, as we suggest publishing both CDS and CDSNKEY.
 End of changes. 40 change blocks. 
135 lines changed or deleted 153 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/