< draft-ietf-dnsop-delegation-trust-maintainance-07.txt   draft-ietf-dnsop-delegation-trust-maintainance-08.txt >
dnsop W. Kumari dnsop W. Kumari
Internet-Draft Google Internet-Draft Google
Intended status: Informational O. Gudmundsson Intended status: Informational O. Gudmundsson
Expires: October 16, 2014 Shinkuro Inc. Expires: October 17, 2014 Shinkuro Inc.
G. Barwood G. Barwood
April 14, 2014 April 15, 2014
Automating DNSSEC Delegation Trust Maintenance Automating DNSSEC Delegation Trust Maintenance
draft-ietf-dnsop-delegation-trust-maintainance-07 draft-ietf-dnsop-delegation-trust-maintainance-08
Abstract Abstract
This document describes a method to allow DNS operators to more This document describes a method to allow DNS operators to more
easily update DNSSEC Key Signing Keys using the DNS as communication easily update DNSSEC Key Signing Keys using the DNS as communication
channel. This document does not address the initial configuration of channel. This document does not address the initial configuration of
trust anchors for a domain. The technique described is aimed at trust anchors for a domain. The technique described is aimed at
delegations in which it is currently hard to move information from delegations in which it is currently hard to move information from
the child to parent. the child to parent.
skipping to change at page 1, line 38 skipping to change at page 1, line 38
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on October 16, 2014. This Internet-Draft will expire on October 17, 2014.
Copyright Notice Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 29 skipping to change at page 2, line 29
3. CDS / CDNSKEY (Child DS/ Child DNSKEY) Record Definitions . . 7 3. CDS / CDNSKEY (Child DS/ Child DNSKEY) Record Definitions . . 7
3.1. CDS Resource Record Format . . . . . . . . . . . . . . . 8 3.1. CDS Resource Record Format . . . . . . . . . . . . . . . 8
3.2. CDNSKEY Resource Record Format . . . . . . . . . . . . . 8 3.2. CDNSKEY Resource Record Format . . . . . . . . . . . . . 8
4. Automating DS Maintainance With CDS/CDNSKEY records . . . . . 8 4. Automating DS Maintainance With CDS/CDNSKEY records . . . . . 8
4.1. CDS / CDNSKEY Processing Rules . . . . . . . . . . . . . 8 4.1. CDS / CDNSKEY Processing Rules . . . . . . . . . . . . . 8
5. CDS / CDNSKEY Publication . . . . . . . . . . . . . . . . . . 9 5. CDS / CDNSKEY Publication . . . . . . . . . . . . . . . . . . 9
6. Parent Side CDS / CDNSKEY Consumption . . . . . . . . . . . . 9 6. Parent Side CDS / CDNSKEY Consumption . . . . . . . . . . . . 9
6.1. Detecting a Changed CDS / CDNSKEY . . . . . . . . . . . . 9 6.1. Detecting a Changed CDS / CDNSKEY . . . . . . . . . . . . 9
6.1.1. CDS / CDNSKEY Polling . . . . . . . . . . . . . . . . 10 6.1.1. CDS / CDNSKEY Polling . . . . . . . . . . . . . . . . 10
6.1.2. Other Mechanisms . . . . . . . . . . . . . . . . . . 10 6.1.2. Other Mechanisms . . . . . . . . . . . . . . . . . . 10
6.2. Using the New CDS / CDNSKEY Records . . . . . . . . . . . 11 6.2. Using the New CDS / CDNSKEY Records . . . . . . . . . . . 10
6.2.1. Parent Calculates DS . . . . . . . . . . . . . . . . 11 6.2.1. Parent Calculates DS . . . . . . . . . . . . . . . . 11
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12
8. Privacy Considerations . . . . . . . . . . . . . . . . . . . 12 8. Privacy Considerations . . . . . . . . . . . . . . . . . . . 12
9. Security Considerations . . . . . . . . . . . . . . . . . . . 12 9. Security Considerations . . . . . . . . . . . . . . . . . . . 12
10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 14 10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 14
11. References . . . . . . . . . . . . . . . . . . . . . . . . . 14 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 14
11.1. Normative References . . . . . . . . . . . . . . . . . . 14 11.1. Normative References . . . . . . . . . . . . . . . . . . 14
11.2. Informative References . . . . . . . . . . . . . . . . . 15 11.2. Informative References . . . . . . . . . . . . . . . . . 15
Appendix A. RRR background . . . . . . . . . . . . . . . . . . . 15 Appendix A. RRR background . . . . . . . . . . . . . . . . . . . 15
Appendix B. Changes / Author Notes. . . . . . . . . . . . . . . 16 Appendix B. Changes / Author Notes. . . . . . . . . . . . . . . 16
skipping to change at page 3, line 5 skipping to change at page 3, line 5
When a DNS operator first signs their zone, they need to communicate When a DNS operator first signs their zone, they need to communicate
their DS record(s) (or DNSKEY(s)) to their parent through some out- their DS record(s) (or DNSKEY(s)) to their parent through some out-
of-band method to complete the chain of trust. of-band method to complete the chain of trust.
Each time the child changes the key that is represented in the Each time the child changes the key that is represented in the
parent, the updated and/or deleted key information has to be parent, the updated and/or deleted key information has to be
communicated to the parent and published in the parent's zone. How communicated to the parent and published in the parent's zone. How
this information is sent to the parent depends on the relationship this information is sent to the parent depends on the relationship
the child has with the parent. In many cases this is a manual the child has with the parent. In many cases this is a manual
process, and not an easy one. For each key roll, there may be up to process, and not an easy one. For each key change, there may be up
two interactions with the parent. Any manual process is susceptible to two interactions with the parent. Any manual process is
to mistakes and/or errors. In addition, due to the annoyance factor susceptible to mistakes and/or errors. In addition, due to the
of the process, operators may avoid performing key rollovers or skip annoyance factor of the process, operators may avoid changing keys or
needed steps to publish the new DS at the parent. skip needed steps to publish the new DS at the parent.
DNSSEC provides data integrity to information published in DNS; thus DNSSEC provides data integrity to information published in DNS; thus
DNS publication can be used to automate maintenance of delegation DNS publication can be used to automate maintenance of delegation
information. This document describes a method to automate information. This document describes a method to automate
publication of subsequent DS records, after the initial one has been publication of subsequent DS records, after the initial one has been
published. published.
Readers are expected to be familiar with DNSSEC, including [RFC4033], Readers are expected to be familiar with DNSSEC, including [RFC4033],
[RFC4034], [RFC4035], [RFC5011] and [RFC6781]. [RFC4034], [RFC4035], [RFC5011] and [RFC6781].
skipping to change at page 3, line 45 skipping to change at page 3, line 45
parental agent. It lists exactly what the parent should publish, and parental agent. It lists exactly what the parent should publish, and
allows for publication of stand-by keys. A different protocol, allows for publication of stand-by keys. A different protocol,
[I-D.csync], can be used to maintain other important delegation [I-D.csync], can be used to maintain other important delegation
information, such as NS and glue. These two protocols have been kept information, such as NS and glue. These two protocols have been kept
as separate solutions because the problems are fundamentally as separate solutions because the problems are fundamentally
different, and a combined solution is overly complex. different, and a combined solution is overly complex.
This document describes a method for automating maintanance of the This document describes a method for automating maintanance of the
delegation trust information, and proposes a polled / periodic delegation trust information, and proposes a polled / periodic
trigger for simplicity. Some users may prefer a different trigger, trigger for simplicity. Some users may prefer a different trigger,
such as a button on a webpage, a REST interface, DNS NOTIFY, etc. for example a button on a webpage, a REST interface or a DNS NOTIFY.
These alternate / additional triggers are not discussed in this These alternate / additional triggers are not discussed in this
document. document.
This proposal does not include all operations needed for the This proposal does not include all operations needed for the
maintenance of DNSSEC key material, specifically the initial maintenance of DNSSEC key material, specifically the initial
introduction or complete removal of all keys. Because of this, introduction or complete removal of all keys. Because of this,
alternate communications mechanisms must always exist, potentially alternate communications mechanisms must always exist, potentially
introducing more complexity. introducing more complexity.
1.1. Terminology 1.1. Terminology
skipping to change at page 4, line 21 skipping to change at page 4, line 21
Highlighted roles: Highlighted roles:
o Child: "The entity on record that has the delegation of the domain o Child: "The entity on record that has the delegation of the domain
from the parent" from the parent"
o Parent: "The domain in which the child is registered" o Parent: "The domain in which the child is registered"
o Child DNS Operator: "The entity that maintains and publishes the o Child DNS Operator: "The entity that maintains and publishes the
zone information for the child DNS" zone information for the child DNS"
o Parent DNS Operator: "The entity that maintains and publishes the
zone information for the parent DNS"
o Parental Agent: "The entity that the child has relationship with, o Parental Agent: "The entity that the child has relationship with,
to change its delegation information" to change its delegation information"
o Provisioning system: "A system that the operator of the master DNS o Provisioning system: "A system that the operator of the master DNS
server operates to maintain the information published in the DNS. server operates to maintain the information published in the DNS.
This includes the systems that sign the DNS data" This includes the systems that sign the DNS data"
RRR is our shorthand for Registry/Registrar/Registrant model of RRR is our shorthand for Registry/Registrar/Registrant model of
parent child relationship see Appendix A for more. parent child relationship see Appendix A for more.
skipping to change at page 5, line 32 skipping to change at page 5, line 30
As the DS record can only be present at the parent ( [RFC4034]), some As the DS record can only be present at the parent ( [RFC4034]), some
other method is needed to automate which DNSKEYs are picked to be other method is needed to automate which DNSKEYs are picked to be
represented in the parent zone's DS records. One possibility is to represented in the parent zone's DS records. One possibility is to
use flags in the DNSKEY record. If the SEP bit is set, this use flags in the DNSKEY record. If the SEP bit is set, this
indicates that the DNSKEY is intended for use as a secure entry indicates that the DNSKEY is intended for use as a secure entry
point. This DNSKEY signs the DNSKEY RRset, and the Parental Agent point. This DNSKEY signs the DNSKEY RRset, and the Parental Agent
can calculate DS records based on that. But this fails to meet some can calculate DS records based on that. But this fails to meet some
operating needs, including the child having no influence what DS operating needs, including the child having no influence what DS
digest algorithms are used and DS records can only be published for digest algorithms are used and DS records can only be published for
keys that are in the DNSKEY RRset, and thus this technique would not keys that are in the DNSKEY RRset, and thus this technique would not
be compatible with Double-DS key rollover. be compatible with Double-DS ( [RFC6781] ) key rollover.
2.2. Relationship Between Parent and Child DNS Operator 2.2. Relationship Between Parent and Child DNS Operator
In practical application, there are many different relationships In practical application, there are many different relationships
between the parent and child DNS operators. The type of relationship between the parent and Child DNS Operators. The type of relationship
affects how the Child DNS Operator communicates with the parent. affects how the Child DNS Operator communicates with the parent.
This section will highlight some of the different situations, but is This section will highlight some of the different situations, but is
by no means a complete list. by no means a complete list.
Different communication paths: Different communication paths:
o Direct/API: The child can change the delegation information via o Direct/API: The child can change the delegation information via
automated/scripted means. EPP[RFC5730], used by many TLDs is an automated/scripted means. EPP[RFC5730], used by many TLDs is an
example of this. Another example is the web service's example of this. Another example is the web service's
programmatic interfaces that Registrars make available to their programmatic interfaces that Registrars make available to their
Resellers. Resellers.
o User Interface: The Child uses a (web) site set up by the Parental o User Interface: The Child uses a (web) site set up by the Parental
Agent for updating delegation information. Agent for updating delegation information.
o Indirect: The communication has to be transmitted via out-of-band o Indirect: The communication has to be transmitted via out-of-band
between two parties, such as email, telephone etc.. This is common between two parties, such as by email or telephone. This is
when the Child's DNS operator is neither the child itself nor the common when the Child's DNS operator is neither the child itself
Registrar for the domain but a third party. nor the Registrar for the domain but a third party.
o Multi-step Combinations: The information flows through an o Multi-step Combinations: The information flows through an
intermediary. It is possible, but unlikely, that all the steps intermediary. It is possible, but unlikely, that all the steps
are automated via API's and there are no humans are involved. are automated via API's and there are no humans are involved.
A domain name holder (Child) may operate its own DNS servers or A domain name holder (Child) may operate its own DNS servers or
outsource the operation. While we use the word parent as a singular, outsource the operation. While we use the word parent as a singular,
parent can consist of single entity or a composite of many discrete parent can consist of single entity or a composite of many discrete
parts that have rules and roles. We refer to the entity that the parts that have rules and roles. We refer to the entity that the
child corresponds with as the Parent. child corresponds with as the Parent.
IIn another common case an organization may delegate parts of its In some cases an organization may delegate parts of its name-space to
name-space to be operated by a group that is not the same as that be operated by a group that is not the same as that which operates
which operates the organization's DNS servers. In this case the flow the organization's DNS servers. In this case the flow of information
of information is frequently handled in either an ad hoc manner or is frequently handled in either an ad hoc manner or via some
via some corporate mechanism; this can range from email to fully- corporate mechanism; this can range from email to fully-automated
automated operation. operation.
2.2.1. Solution Space 2.2.1. Solution Space
This document is aimed at the cases in which there is a separation This document is aimed at the cases in which there is a separation
between the child and parent. between the child and parent.
A further complication is when the Child DNS Operator is not the A further complication is when the Child DNS Operator is not the
Child. There are two common cases of this: Child. There are two common cases of this:
a) The Parental Agent (e.g. registrar) handles the DNS operation. a) The Parental Agent (e.g. registrar) handles the DNS operation.
skipping to change at page 7, line 13 skipping to change at page 7, line 13
DS vs DNSKEY agnostic, and allows operation with either. DS vs DNSKEY agnostic, and allows operation with either.
2.2.2. DNSSEC key change process 2.2.2. DNSSEC key change process
After a Child DNS Operator first signs the zone, there is a need to After a Child DNS Operator first signs the zone, there is a need to
interact with the Parent, for example via a delegation account interact with the Parent, for example via a delegation account
interface, to "upload / paste-in the zone's DS information". This interface, to "upload / paste-in the zone's DS information". This
action of logging in through the delegation account user interface action of logging in through the delegation account user interface
authenticates that the user is authorized to change delegation authenticates that the user is authorized to change delegation
information for the child published in the parent zone. In the case information for the child published in the parent zone. In the case
where the "Child DNS Operator" does not have access to the where the Child DNS Operator does not have access to the registration
registration account, the Child needs to perform the action. account, the Child needs to perform the action.
At a later date, the Child DNS Operator may want to publish a new DS At a later date, the Child DNS Operator may want to publish a new DS
record in the parent, either because they are rolling keys, or record in the parent, either because they are changing keys, or
because they want to publish a stand-by key. This involves because they want to publish a stand-by key. This involves
performing the same process as before. Furthermore when this is a performing the same process as before. Furthermore when this is a
manual process with cut and paste, operational mistakes will happen manual process with cut and paste, operational mistakes will happen
-- or worse, the update action is not performed at all. -- or worse, the update action is not performed at all.
The Child DNS Operator may also introduce new keys, and can do so The Child DNS Operator may also introduce new keys, and can do so
when old keys exist and can be used. The Child may also remove old when old keys exist and can be used. The Child may also remove old
keys, but this document does not support removing all keys. This is keys, but this document does not support removing all keys. This is
to avoid making signed zones unsigned. The Child may not enroll the to avoid making signed zones unsigned. The Child may not enroll the
initial key or introduce a new key when there are no old keys that initial key or introduce a new key when there are no old keys that
skipping to change at page 7, line 44 skipping to change at page 7, line 44
CDNSKEY. These records are used to convey, from one zone to its CDNSKEY. These records are used to convey, from one zone to its
parent, the desired contents of the zone's DS resource record set parent, the desired contents of the zone's DS resource record set
residing in the parent zone. residing in the parent zone.
The CDS / CDNSKEY resource records are published in the child zone The CDS / CDNSKEY resource records are published in the child zone
and gives the child control of what is published for it in the and gives the child control of what is published for it in the
parental zone. The CDS / CDNSKEY RRset expresses what the child parental zone. The CDS / CDNSKEY RRset expresses what the child
would like the DS RRset to look like after the change; it is a would like the DS RRset to look like after the change; it is a
"replace" operation, and it is up to the consumer of the records to "replace" operation, and it is up to the consumer of the records to
translate that into the appropriate add/delete operations in the translate that into the appropriate add/delete operations in the
registration systems (and in the case of CDNSKEY, to generate the DS provisioning systems (and in the case of CDNSKEY, to generate the DS
from the DNSKEY). If no CDS / CDNSKEY RRset is present in child, from the DNSKEY). If no CDS / CDNSKEY RRset is present in child,
this means that no change is needed. this means that no change is needed.
[[RFC Editor: Please remove this paragraph before publication] [[RFC Editor: Please remove this paragraph before publication]
Version -04 of the ID that became this working group document (http:/ Version -04 of the ID that became this working group document (http:/
/tools.ietf.org/id/draft-kumari-ogud-dnsop-cds-04.txt) defined a new /tools.ietf.org/id/draft-kumari-ogud-dnsop-cds-04.txt) defined a new
record (CTA) that could hold either a DS or a DNSKEY record (with a record (CTA) that could hold either a DS or a DNSKEY record (with a
selector to differentiate between them). In a shocking development, selector to differentiate between them). In a shocking development,
there was almost full consensus that this was horrid :-) ] there was almost full consensus that this was horrid :-) ]
skipping to change at page 8, line 41 skipping to change at page 8, line 41
4. Automating DS Maintainance With CDS/CDNSKEY records 4. Automating DS Maintainance With CDS/CDNSKEY records
CDS/CDNSKEY resource records are intended to be "consumed" by CDS/CDNSKEY resource records are intended to be "consumed" by
delegation trust maintainers. The use of CDS/CDNSKEY is optional. delegation trust maintainers. The use of CDS/CDNSKEY is optional.
The child SHOULD publish both CDS and CDNSKEY resource records. If The child SHOULD publish both CDS and CDNSKEY resource records. If
the child knows which the parent consumes, it MAY choose to only the child knows which the parent consumes, it MAY choose to only
publish that record type (for example, some children wish the parent publish that record type (for example, some children wish the parent
to publish a DS, but they wish to keep the DNSKEY "hidden" until to publish a DS, but they wish to keep the DNSKEY "hidden" until
needed). If the child publishes both, the two RRsets MUST match in needed). If the child publishes both, the two RRsets MUST match in
content. The parent should use whichever one they choose, but MUST content.
NOT query for both and perform consistency checks between the CDS and
CDNSKEY resource records.
4.1. CDS / CDNSKEY Processing Rules 4.1. CDS / CDNSKEY Processing Rules
If there are no CDS / CDNSKEY RRset in the child, this signals that If there are no CDS / CDNSKEY RRset in the child, this signals that
no change should be made to the current DS set. This means that, no change should be made to the current DS set. This means that,
once the child and parent are in sync, the child DNS operator MAY once the child and parent are in sync, the Child DNS Operator MAY
remove all CDS and CDNSKEY resource records from the zone. remove all CDS and CDNSKEY resource records from the zone.
Following acceptance rules are placed on the CDS / CDNSKEY resource Following acceptance rules are placed on the CDS / CDNSKEY resource
records as follows: records as follows:
o Location: "the CDS / CDNSKEY resource records MUST be at the child o Location: "the CDS / CDNSKEY resource records MUST be at the child
zone apex". zone apex".
o Signer: "MUST be signed with a key that is represented in both the o Signer: "MUST be signed with a key that is represented in both the
current DNSKEY and DS RRset's." current DNSKEY and DS RRset's."
skipping to change at page 9, line 38 skipping to change at page 9, line 35
published a CDNSKEY RR, the Parent will have to calculate the DS published a CDNSKEY RR, the Parent will have to calculate the DS
(using the requested digest algorithm) to do the comparison. (using the requested digest algorithm) to do the comparison.
6. Parent Side CDS / CDNSKEY Consumption 6. Parent Side CDS / CDNSKEY Consumption
The CDS / CDNSKEY RRset SHOULD be used by the Parental Agent to The CDS / CDNSKEY RRset SHOULD be used by the Parental Agent to
update the DS RRset in the parent zone. The Parental Agent for this update the DS RRset in the parent zone. The Parental Agent for this
uses a tool that understands the CDS / CDNSKEY signing rules from uses a tool that understands the CDS / CDNSKEY signing rules from
Section 4.1 so it may not be able to use a standard validator. Section 4.1 so it may not be able to use a standard validator.
The parent MUST choose to accept either CDS or CDNSKEY resource The parent MUST choose to use either CDNSKEY or CDS resource records
records (based upon local policy), and MUST NOT expect there to be as their default updating mechanism. The parent MAY only accept
both. A parent MUST NOT perform a consistency check between CDS and either CDNSKEY or CDS, but it MAY also accept both, so it can use the
CDNSKEY (other than for informational / debugging use) resource other in the absence of the default updating mechanism, but it MUST
records. NOT expect there to be both.
6.1. Detecting a Changed CDS / CDNSKEY 6.1. Detecting a Changed CDS / CDNSKEY
How the Parental Agent gets the CDS / CDNSKEY RRset may differ, below How the Parental Agent gets the CDS / CDNSKEY RRset may differ, below
are two examples as how this can take place. are two examples as how this can take place.
Polling The Parental Agent operates a tool that periodically checks Polling The Parental Agent operates a tool that periodically checks
each of the children that has a DS record to see if there is a each of the children that has a DS record to see if there is a
CDS or CDNSKEY RRset. CDS or CDNSKEY RRset.
skipping to change at page 10, line 28 skipping to change at page 10, line 24
the "Pushing" case to assume that the Child is ready and thus accept the "Pushing" case to assume that the Child is ready and thus accept
changes without delay. changes without delay.
6.1.1. CDS / CDNSKEY Polling 6.1.1. CDS / CDNSKEY Polling
This is the only defined use of CDS / CDNSKEY resource records in This is the only defined use of CDS / CDNSKEY resource records in
this document. There are limits to the scaleability of polling this document. There are limits to the scaleability of polling
techniques, thus some other mechanism is likely to be specified later techniques, thus some other mechanism is likely to be specified later
that addresses CDS / CDNSKEY resource recod usage in the situation that addresses CDS / CDNSKEY resource recod usage in the situation
where polling does not scale to. Having said that Polling will work where polling does not scale to. Having said that Polling will work
in many important cases like enterprises, universities, small TLDs in many important cases such as enterprises, universities and smaller
etc. In many regulatory environments the registry is prohibited from TLDs. In many regulatory environments the registry is prohibited
talking to the registrant. In most of these cases the registrant has from talking to the registrant. In most of these cases the
a business relationship with the registrar, and so the registrar can registrant has a business relationship with the registrar, and so the
offer this as a service. registrar can offer this as a service.
If the CDS / CDNSKEY RRset does not exist, the Parental Agent MUST If the CDS / CDNSKEY RRset does not exist, the Parental Agent MUST
take no action. Specifically it MUST NOT delete or alter the take no action. Specifically it MUST NOT delete or alter the
existing DS RRset. existing DS RRset.
6.1.2. Other Mechanisms 6.1.2. Other Mechanisms
It is assumed that other mechanisms will be implemented to trigger It is assumed that other mechanisms will be implemented to trigger
the parent to look for an updated CDS / CDNSKEY RRsets. As the CDS / the parent to look for an updated CDS / CDNSKEY RRsets. As the CDS /
CDNSKEY resource records are validated with DNSSEC, these mechanisms CDNSKEY resource records are validated with DNSSEC, these mechanisms
can be unauthenticated (for example, a child could telephone its can be unauthenticated (for example, a child could telephone its
parent and request that they process the new CDS or CDNSKEY resource parent and request that they process the new CDS or CDNSKEY resource
records, an unauthenticated POST could be made to a webserver (with records or an unauthenticated POST could be made to a webserver (with
rate-limiting), etc.) rate-limiting).)
Other documents can specify the trigger conditions. Other documents can specify the trigger conditions.
6.2. Using the New CDS / CDNSKEY Records 6.2. Using the New CDS / CDNSKEY Records
Regardless of how the Parental Agent detected changes to a CDS / Regardless of how the Parental Agent detected changes to a CDS /
CDNSKEY RRset, the Parental Agent SHOULD use a DNSSEC validator to CDNSKEY RRset, the Parental Agent SHOULD use a DNSSEC validator to
obtain a validated CDS / CDNSKEY RRset from the Child zone. The only obtain a validated CDS / CDNSKEY RRset from the Child zone. The only
exception to this is if the parent perfoms some additional validation exception to this is if the parent perfoms some additional validation
on the data to confirm that it is the "correct" key. This behavior on the data to confirm that it is the "correct" key. This behavior
is NOT RECOMMENDED. is NOT RECOMMENDED.
The Parental Agent MUST ensure that old versions of the CDS / CDNSKEY The Parental Agent MUST ensure that previous versions of the CDS /
RRset do not overwrite newer versions. This MAY be accomplished by CDNSKEY RRset do not overwrite more recent versions. This MAY be
checking that the signature inception in the RRSIG for CDS / CDNSKEY accomplished by checking that the signature inception in the RRSIG
RRset is newer and/or the serial number on the child's SOA is for CDS / CDNSKEY RRset is later and/or the serial number on the
greater. This may require the Parental Agent to maintain some state child's SOA is greater. This may require the Parental Agent to
information. maintain some state information.
The Parental Agent MAY take extra security measures. For example, to The Parental Agent MAY take extra security measures. For example, to
mitigate the possibility that a Child's key signing key has been mitigate the possibility that a Child's key signing key has been
compromised, the Parental Agent may, for example, inform (by email or compromised, the Parental Agent may, for example, inform (by email or
other methods ) the Child DNS Operator of the change. However the other methods ) the Child DNS Operator of the change. However the
precise out-of-band measures that a parent zone SHOULD take are precise out-of-band measures that a parent zone SHOULD take are
outside the scope of this document. outside the scope of this document.
Once the Parental Agent has obtained a valid CDS / CDNSKEY RRset it Once the Parental Agent has obtained a valid CDS / CDNSKEY RRset it
MUST check the publication rules from section 4.1. In particular the MUST check the publication rules from section 4.1. In particular the
Parental Agent MUST double check the Continuity rule and do its best Parental Agent MUST check the Continuity rule and do its best not to
not to invalidate the Child zone. Once checked and if the invalidate the Child zone. Once checked and if the information in
information in the CDS / CDNSKEY and DS differ it may apply the the CDS / CDNSKEY and DS differ it may apply the changes to the
changes to the parent zone. If the parent consumes CDNSKEY, the parent zone. If the parent consumes CDNSKEY, the parent should
parent should calculate the DS before doing this comparison. calculate the DS before doing this comparison.
6.2.1. Parent Calculates DS 6.2.1. Parent Calculates DS
There are cases where the Parent wants to calculate the DS record due There are cases where the Parent wants to calculate the DS record due
to policy reasons. In this case, the Child publishes CDNSKEY records to policy reasons. In this case, the Child publishes CDNSKEY records
and the parent calculates the DS records on behalf of the children. and the parent calculates the DS records on behalf of the children.
When a Parent operates in "calculate DS" mode it can operate in one When a Parent operates in "calculate DS" mode it can operate in one
of two sub-modes of two sub-modes
skipping to change at page 12, line 49 skipping to change at page 12, line 47
parent (possibly via a registrar web interface) and remove any parent (possibly via a registrar web interface) and remove any
compromised DS keys. compromised DS keys.
A compromise of the account with the parent (e.g. registrar) will not A compromise of the account with the parent (e.g. registrar) will not
be mitigated by this technique, as the "new registrant" can delete/ be mitigated by this technique, as the "new registrant" can delete/
modify the DS records at will. modify the DS records at will.
While it may be tempting, this SHOULD NOT be used for initial While it may be tempting, this SHOULD NOT be used for initial
enrollment of keys since there is no way to ensure that the initial enrollment of keys since there is no way to ensure that the initial
key is the correct one. If is used, strict rules for inclusion of key is the correct one. If is used, strict rules for inclusion of
keys like hold down times, challenge data inclusion etc., ought to be keys such as hold down times, challenge data inclusion or similar,
used, along with some kind of challenge mechanism. A child cannot ought to be used, along with some kind of challenge mechanism. A
use this mechanism to go from signed to unsigned (publishing an empty child cannot use this mechanism to go from signed to unsigned
CDS / CDNSKEY RRset means no-change should be made in the parent). (publishing an empty CDS / CDNSKEY RRset means no-change should be
made in the parent).
The CDS RR type should allow for enhanced security by simplifying The CDS RR type should allow for enhanced security by simplifying
process. Since rollover is automated, updating a DS RRset by other process. Since key change is automated, updating a DS RRset by other
means may be regarded as unusual and subject to extra security means may be regarded as unusual and subject to extra security
checks. checks.
As this introduces a new mechanism to update information in the As this introduces a new mechanism to update information in the
parent it MUST be clear who is fetching the records and creating the parent it MUST be clear who is fetching the records and creating the
appropriate records in the parent zone. Specifically some operations appropriate records in the parent zone. Specifically some operations
may use other mechanisms than what is described here. For example, a may use other mechanisms than what is described here. For example, a
registrar may assume that it is maintaining the DNSSEC key registrar may assume that it is maintaining the DNSSEC key
information in the registry, and may have this cached. If the information in the registry, and may have this cached. If the
registry is fetching the CDS / CDNSKEY RRset then the registry and registry is fetching the CDS / CDNSKEY RRset then the registry and
skipping to change at page 13, line 30 skipping to change at page 13, line 28
result of such a situation is unclear. Therefore, this mechanism result of such a situation is unclear. Therefore, this mechanism
SHOULD NOT be use to bypass intermediaries that might cache SHOULD NOT be use to bypass intermediaries that might cache
information and because of that get the wrong state. information and because of that get the wrong state.
If there is a failure in applying changes in child zone to all DNS If there is a failure in applying changes in child zone to all DNS
servers listed in either parent or child NS set it is possible that servers listed in either parent or child NS set it is possible that
the Parental agent may get confused, either because it gets different the Parental agent may get confused, either because it gets different
answers on different checks or CDS RR validation fails. In the worst answers on different checks or CDS RR validation fails. In the worst
case, the Parental Agent performs an action reversing a prior action case, the Parental Agent performs an action reversing a prior action
but after the child signing system decides to take the next step in but after the child signing system decides to take the next step in
rollover, resulting in a broken delegation. the key change process, resulting in a broken delegation.
DNS is a loosely coherent distributed database with local caching; DNS is a loosely coherent distributed database with local caching;
therefore, it is important to allow old information to expire from therefore, it is important to allow old information to expire from
caches before deleting DS or DNSKEY records. Similarly, it is caches before deleting DS or DNSKEY records. Similarly, it is
important to allow new records to propagate through the DNS before important to allow new records to propagate through the DNS before
use, see [RFC6781] and [I-D.key-time] use, see [RFC6781] and [I-D.key-time]
It is common practice for users to outsource their DNS hosting to a It is common practice for users to outsource their DNS hosting to a
3rd party DNS provider. In order for that provider to be able to 3rd party DNS provider. In order for that provider to be able to
maintain the DNSSEC information some users give the provider their maintain the DNSSEC information some users give the provider their
skipping to change at page 16, line 19 skipping to change at page 16, line 19
In many RRR cases the Registrar and Registry communicate via In many RRR cases the Registrar and Registry communicate via
EPP[RFC5730] and use the EPP DNSSEC extension [RFC5910]. In a number EPP[RFC5730] and use the EPP DNSSEC extension [RFC5910]. In a number
of ccTLDs there are other mechanisms in use as well as EPP, but in of ccTLDs there are other mechanisms in use as well as EPP, but in
general there seems to be a movement towards EPP usage when DNSSEC is general there seems to be a movement towards EPP usage when DNSSEC is
enabled in the TLD. enabled in the TLD.
Appendix B. Changes / Author Notes. Appendix B. Changes / Author Notes.
[RFC Editor: Please remove this section before publication ] [RFC Editor: Please remove this section before publication ]
WG-07 to WG-08
o Incorporated text from Antoin Verschuren at the end of Section 6.
o Comments from Paul Hoffman and Tim W
WG-06 to WG-07 WG-06 to WG-07
o Incorporated nits / editorial comments from Tim Wicinski. o Incorporated nits / editorial comments from Tim Wicinski.
o o
* Reference for Mark's draft was incorrect, Wes Hardaker doesn't * Reference for Mark's draft was incorrect, Wes Hardaker doesn't
work for ISC :-P work for ISC :-P
* Normalized CDS record / CDS resource record / records / etc. * Normalized CDS record / CDS resource record / records / etc.
 End of changes. 26 change blocks. 
62 lines changed or deleted 64 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/