< draft-ietf-dnsop-delegation-trust-maintainance-11.txt   draft-ietf-dnsop-delegation-trust-maintainance-12.txt >
dnsop W. Kumari dnsop W. Kumari
Internet-Draft Google Internet-Draft Google
Intended status: Informational O. Gudmundsson Intended status: Informational O. Gudmundsson
Expires: October 18, 2014 Shinkuro Inc. Expires: October 30, 2014 Shinkuro Inc.
G. Barwood G. Barwood
April 16, 2014 April 28, 2014
Automating DNSSEC Delegation Trust Maintenance Automating DNSSEC Delegation Trust Maintenance
draft-ietf-dnsop-delegation-trust-maintainance-11 draft-ietf-dnsop-delegation-trust-maintainance-12
Abstract Abstract
This document describes a method to allow DNS operators to more This document describes a method to allow DNS operators to more
easily update DNSSEC Key Signing Keys using the DNS as communication easily update DNSSEC Key Signing Keys using the DNS as communication
channel. The technique described is aimed at delegations in which it channel. The technique described is aimed at delegations in which it
is currently hard to move information from the child to parent. is currently hard to move information from the child to parent.
Status of This Memo Status of This Memo
skipping to change at page 1, line 36 skipping to change at page 1, line 36
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on October 18, 2014. This Internet-Draft will expire on October 30, 2014.
Copyright Notice Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 17 skipping to change at page 2, line 17
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4
1.2. Requirements Notation . . . . . . . . . . . . . . . . . . 4 1.2. Requirements Notation . . . . . . . . . . . . . . . . . . 4
2. Background . . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Background . . . . . . . . . . . . . . . . . . . . . . . . . 4
2.1. DNS Delegations . . . . . . . . . . . . . . . . . . . . . 4 2.1. DNS Delegations . . . . . . . . . . . . . . . . . . . . . 4
2.2. Relationship Between Parent and Child DNS Operator . . . 5 2.2. Relationship Between Parent and Child DNS Operator . . . 5
2.2.1. Solution Space . . . . . . . . . . . . . . . . . . . 6 2.2.1. Solution Space . . . . . . . . . . . . . . . . . . . 6
2.2.2. DNSSEC key change process . . . . . . . . . . . . . . 7 2.2.2. DNSSEC key change process . . . . . . . . . . . . . . 7
3. CDS / CDNSKEY (Child DS/ Child DNSKEY) Record Definitions . . 7 3. CDS / CDNSKEY (Child DS / Child DNSKEY) Record Definitions . 7
3.1. CDS Resource Record Format . . . . . . . . . . . . . . . 8 3.1. CDS Resource Record Format . . . . . . . . . . . . . . . 8
3.2. CDNSKEY Resource Record Format . . . . . . . . . . . . . 8 3.2. CDNSKEY Resource Record Format . . . . . . . . . . . . . 8
4. Automating DS Maintainance With CDS/CDNSKEY records . . . . . 8 4. Automating DS Maintenance With CDS / CDNSKEY records . . . . 8
4.1. CDS / CDNSKEY Processing Rules . . . . . . . . . . . . . 8 4.1. CDS / CDNSKEY Processing Rules . . . . . . . . . . . . . 8
5. CDS / CDNSKEY Publication . . . . . . . . . . . . . . . . . . 9 5. CDS / CDNSKEY Publication . . . . . . . . . . . . . . . . . . 9
6. Parent Side CDS / CDNSKEY Consumption . . . . . . . . . . . . 9 6. Parent Side CDS / CDNSKEY Consumption . . . . . . . . . . . . 9
6.1. Detecting a Changed CDS / CDNSKEY . . . . . . . . . . . . 9 6.1. Detecting a Changed CDS / CDNSKEY . . . . . . . . . . . . 9
6.1.1. CDS / CDNSKEY Polling . . . . . . . . . . . . . . . . 10 6.1.1. CDS / CDNSKEY Polling . . . . . . . . . . . . . . . . 10
6.1.2. Other Mechanisms . . . . . . . . . . . . . . . . . . 10 6.1.2. Polling Triggers . . . . . . . . . . . . . . . . . . 10
6.2. Using the New CDS / CDNSKEY Records . . . . . . . . . . . 11 6.2. Using the New CDS / CDNSKEY Records . . . . . . . . . . . 11
6.2.1. Parent Calculates DS . . . . . . . . . . . . . . . . 11 6.2.1. Parent Calculates DS . . . . . . . . . . . . . . . . 11
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12
8. Privacy Considerations . . . . . . . . . . . . . . . . . . . 12 8. Privacy Considerations . . . . . . . . . . . . . . . . . . . 12
9. Security Considerations . . . . . . . . . . . . . . . . . . . 12 9. Security Considerations . . . . . . . . . . . . . . . . . . . 12
10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 14 10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 14
11. References . . . . . . . . . . . . . . . . . . . . . . . . . 14 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 14
11.1. Normative References . . . . . . . . . . . . . . . . . . 14 11.1. Normative References . . . . . . . . . . . . . . . . . . 14
11.2. Informative References . . . . . . . . . . . . . . . . . 15 11.2. Informative References . . . . . . . . . . . . . . . . . 15
Appendix A. RRR background . . . . . . . . . . . . . . . . . . . 15 Appendix A. RRR background . . . . . . . . . . . . . . . . . . . 15
skipping to change at page 2, line 49 skipping to change at page 2, line 49
1. Introduction 1. Introduction
The first time a DNS operator signs a zone, they need to communicate The first time a DNS operator signs a zone, they need to communicate
the keying material to their parent through some out-of-band method the keying material to their parent through some out-of-band method
to complete the chain of trust. Depending on the desires of the to complete the chain of trust. Depending on the desires of the
parent, the child might send their DNSKEY record, a DS record, or parent, the child might send their DNSKEY record, a DS record, or
both. both.
Each time the child changes the key that is represented in the Each time the child changes the key that is represented in the
parent, the updated and/or deleted key information has to be parent, the updated and / or deleted key information has to be
communicated to the parent and published in the parent's zone. How communicated to the parent and published in the parent's zone. How
this information is sent to the parent depends on the relationship this information is sent to the parent depends on the relationship
the child has with the parent. In many cases this is a manual the child has with the parent. In many cases this is a manual
process, and not an easy one. For each key change, there may be up process, and not an easy one. For each key change, there may be up
to two interactions with the parent. Any manual process is to two interactions with the parent. Any manual process is
susceptible to mistakes and/or errors. In addition, due to the susceptible to mistakes and / or errors. In addition, due to the
annoyance factor of the process, operators may avoid changing keys or annoyance factor of the process, operators may avoid changing keys or
skip needed steps to publish the new DS at the parent. skip needed steps to publish the new DS at the parent.
DNSSEC provides data integrity to information published in DNS; thus DNSSEC provides data integrity to information published in DNS; thus
DNS publication can be used to automate maintenance of delegation DNS publication can be used to automate maintenance of delegation
information. This document describes a method to automate information. This document describes a method to automate
publication of subsequent DS records, after the initial one has been publication of subsequent DS records, after the initial one has been
published. published.
Readers are expected to be familiar with DNSSEC, including [RFC4033], Readers are expected to be familiar with DNSSEC, including [RFC4033],
[RFC4034], [RFC4035], [RFC5011] and [RFC6781]. [RFC4034], [RFC4035], [RFC5011] and [RFC6781].
This document is a compilation of two earlier drafts: draft-barwood- This document is a compilation of two earlier drafts: draft-barwood-
dnsop-ds-publish[I-D.ds-publish] and draft-wkumari-dnsop-ezkeyroll. dnsop-ds-publish[I-D.ds-publish] and draft-wkumari-dnsop-ezkeyroll.
This document outlines a technique in which the parent periodically This document outlines a technique in which the parent periodically
(or upon request) polls its signed children and automatically publish (or upon request) polls its signed children and automatically
new DS records. To a large extent, the procedures this document publishes new DS records. To a large extent, the procedures this
follows are as described in [RFC6781] section 4.1.2. document follows are as described in [RFC6781] section 4.1.2.
This technique is designed to be friendly both to fully automated This technique is designed to be friendly both to fully automated
tools and humans. Fully automated tools can perform all the actions tools and humans. Fully automated tools can perform all the actions
needed without human intervention, and thus can monitor when it is needed without human intervention, and thus can monitor when it is
safe to move to the next step. safe to move to the next step.
The solution described in this document only allows transferring The solution described in this document only allows transferring
information about DNSSEC keys (DS and DNSKEY) from the child to the information about DNSSEC keys (DS and DNSKEY) from the child to the
parental agent. It lists exactly what the parent should publish, and parental agent. It lists exactly what the parent should publish, and
allows for publication of stand-by keys. A different protocol, allows for publication of stand-by keys. A different protocol,
skipping to change at page 4, line 28 skipping to change at page 4, line 28
o Child DNS Operator: "The entity that maintains and publishes the o Child DNS Operator: "The entity that maintains and publishes the
zone information for the child DNS" zone information for the child DNS"
o Parental Agent: "The entity that the child has relationship with, o Parental Agent: "The entity that the child has relationship with,
to change its delegation information" to change its delegation information"
o Provisioning system: "A system that the operator of the master DNS o Provisioning system: "A system that the operator of the master DNS
server operates to maintain the information published in the DNS. server operates to maintain the information published in the DNS.
This includes the systems that sign the DNS data" This includes the systems that sign the DNS data"
RRR is our shorthand for Registry/Registrar/Registrant model of
parent child relationship see Appendix A for more.
1.2. Requirements Notation 1.2. Requirements Notation
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
2. Background 2. Background
2.1. DNS Delegations 2.1. DNS Delegations
skipping to change at page 5, line 44 skipping to change at page 5, line 40
In practical application, there are many different relationships In practical application, there are many different relationships
between the parent and Child DNS Operators. The type of relationship between the parent and Child DNS Operators. The type of relationship
affects how the Child DNS Operator communicates with the parent. affects how the Child DNS Operator communicates with the parent.
This section will highlight some of the different situations, but is This section will highlight some of the different situations, but is
by no means a complete list. by no means a complete list.
Different communication paths: Different communication paths:
o Direct/API: The child can change the delegation information via o Direct/API: The child can change the delegation information via
automated/scripted means. EPP[RFC5730], used by many TLDs is an automated/scripted means. EPP[RFC5730], used by many TLDs is an
example of this. Another example is the web service's example of this. Other examples are web-based programmatic
programmatic interfaces that Registrars make available to their interfaces that Registrars make available to their Resellers.
Resellers.
o User Interface: The Child uses a (web) site set up by the Parental o User Interface: The Child uses a (web) site set up by the Parental
Agent for updating delegation information. Agent for updating delegation information.
o Indirect: The communication has to be transmitted via out-of-band o Indirect: The communication has to be transmitted via out-of-band
between two parties, such as by email or telephone. This is between two parties, such as by email or telephone. This is
common when the Child's DNS operator is neither the child itself common when the Child's DNS operator is neither the child itself
nor the Registrar for the domain but a third party. nor the Registrar for the domain but a third party.
o Multi-step Combinations: The information flows through an o Multi-step Combinations: The information flows through an
intermediary. It is possible, but unlikely, that all the steps intermediary. It is possible, but unlikely, that all the steps
are automated via API's and there are no humans are involved. are automated via API's and there are no humans involved.
A domain name holder (Child) may operate its own DNS servers or A domain name holder (Child) may operate its own DNS servers or
outsource the operation. While we use the word parent as a singular, outsource the operation. While we use the word parent as a singular,
parent can consist of single entity or a composite of many discrete parent can consist of single entity or a composite of many discrete
parts that have rules and roles. We refer to the entity that the parts that have rules and roles. We refer to the entity that the
child corresponds with as the Parent. child corresponds with as the Parent.
An organization (such as an enterprise) may delegate parts of its An organization (such as an enterprise) may delegate parts of its
name-space to be operated by a group that is not the same as that name-space to be operated by a group that is not the same as that
which operates the organization's DNS servers. In some of these which operates the organization's DNS servers. In some of these
skipping to change at page 6, line 45 skipping to change at page 6, line 43
If the Parental Agent is the DNS operator, life is much easier; the If the Parental Agent is the DNS operator, life is much easier; the
Parental Agent can inject any delegation changes directly into the Parental Agent can inject any delegation changes directly into the
Parent's Provisioning system. The techniques described below are not Parent's Provisioning system. The techniques described below are not
needed in the case when Parental Agent is the DNS operator. needed in the case when Parental Agent is the DNS operator.
In the case of a third party DNS operator, the Child either needs to In the case of a third party DNS operator, the Child either needs to
relay changes in DNS delegation or give the Child DNS Operator access relay changes in DNS delegation or give the Child DNS Operator access
to its delegation/registration account. to its delegation/registration account.
Some parents want the child to express their DNSKEYS in the form of Some parents want the child to express their DNSKEYs in the form of
DS records, while others want to receive the DNSKEY records and DS records, while others want to receive the DNSKEY records and
calculate the DS records themselves. There is no consensus on which calculate the DS records themselves. There is no consensus on which
method is better; both have good reasons to exist. This solution is method is better; both have good reasons to exist. This solution is
DS vs DNSKEY agnostic, and allows operation with either. DS vs DNSKEY agnostic, and allows operation with either.
2.2.2. DNSSEC key change process 2.2.2. DNSSEC key change process
After a Child DNS Operator first signs the zone, there is a need to After a Child DNS Operator first signs the zone, there is a need to
interact with the Parent, for example via a delegation account interact with the Parent, for example via a delegation account
interface, to "upload / paste-in the zone's DS information". This interface, to "upload / paste-in the zone's DS information". This
skipping to change at page 7, line 31 skipping to change at page 7, line 31
-- or worse, the update action is not performed at all. -- or worse, the update action is not performed at all.
The Child DNS Operator may also introduce new keys, and can do so The Child DNS Operator may also introduce new keys, and can do so
when old keys exist and can be used. The Child may also remove old when old keys exist and can be used. The Child may also remove old
keys, but this document does not support removing all keys. This is keys, but this document does not support removing all keys. This is
to avoid making signed zones unsigned. The Child may not enroll the to avoid making signed zones unsigned. The Child may not enroll the
initial key or introduce a new key when there are no old keys that initial key or introduce a new key when there are no old keys that
can be used (without some additional, out of band, validation of the can be used (without some additional, out of band, validation of the
keys), because there is no way to validate the information. keys), because there is no way to validate the information.
3. CDS / CDNSKEY (Child DS/ Child DNSKEY) Record Definitions 3. CDS / CDNSKEY (Child DS / Child DNSKEY) Record Definitions
This document specifies two new DNS resource records, CDS and This document specifies two new DNS resource records, CDS and
CDNSKEY. These records are used to convey, from one zone to its CDNSKEY. These records are used to convey, from one zone to its
parent, the desired contents of the zone's DS resource record set parent, the desired contents of the zone's DS resource record set
residing in the parent zone. residing in the parent zone.
The CDS / CDNSKEY resource records are published in the child zone The CDS / CDNSKEY resource records are published in the child zone
and gives the child control of what is published for it in the and gives the child control of what is published for it in the
parental zone. The CDS / CDNSKEY RRset expresses what the child parental zone. The CDS / CDNSKEY RRset expresses what the child
would like the DS RRset to look like after the change; it is a would like the DS RRset to look like after the change; it is a
skipping to change at page 8, line 31 skipping to change at page 8, line 31
The wire and presentation format of the CDNSKEY ("Child DNSKEY") The wire and presentation format of the CDNSKEY ("Child DNSKEY")
resource record is identical to the DNSKEY record. IANA has resource record is identical to the DNSKEY record. IANA has
allocated RR code TBA1 for the CDNSKEY resource record via expert allocated RR code TBA1 for the CDNSKEY resource record via expert
review. The CDNSKEY RR uses the same registries as DNSKEY for its review. The CDNSKEY RR uses the same registries as DNSKEY for its
fields. fields.
No special processing is performed by authoritative servers or by No special processing is performed by authoritative servers or by
revolvers, when serving or resolving. For all practical purposes revolvers, when serving or resolving. For all practical purposes
CDNSKEY is a regular RR type. CDNSKEY is a regular RR type.
4. Automating DS Maintainance With CDS/CDNSKEY records 4. Automating DS Maintenance With CDS / CDNSKEY records
CDS/CDNSKEY resource records are intended to be "consumed" by CDS / CDNSKEY resource records are intended to be "consumed" by
delegation trust maintainers. The use of CDS/CDNSKEY is optional. delegation trust maintainers. The use of CDS / CDNSKEY is optional.
The child SHOULD publish both CDS and CDNSKEY resource records. If The child SHOULD publish both CDS and CDNSKEY resource records. If
the child knows which the parent consumes, it MAY choose to only the child knows which the parent consumes, it MAY choose to only
publish that record type (for example, some children wish the parent publish that record type (for example, some children wish the parent
to publish a DS, but they wish to keep the DNSKEY "hidden" until to publish a DS, but they wish to keep the DNSKEY "hidden" until
needed). If the child publishes both, the two RRsets MUST match in needed). If the child publishes both, the two RRsets MUST match in
content. content.
4.1. CDS / CDNSKEY Processing Rules 4.1. CDS / CDNSKEY Processing Rules
If there are no CDS / CDNSKEY RRset in the child, this signals that If there are no CDS / CDNSKEY RRset in the child, this signals that
no change should be made to the current DS set. This means that, no change should be made to the current DS set. This means that,
once the child and parent are in sync, the Child DNS Operator MAY once the child and parent are in sync, the Child DNS Operator MAY
remove all CDS and CDNSKEY resource records from the zone The Child remove all CDS and CDNSKEY resource records from the zone. The Child
DNS Operator may choose to do this to decrease the size of the zone, DNS Operator may choose to do this to decrease the size of the zone,
or to decrease the workload for the parent (if the parent receives no or to decrease the workload for the parent (if the parent receives no
CDS / CDNSKEY records it can go back to sleep. If it does receive a CDS / CDNSKEY records it can go back to sleep). If it does receive a
CDS or CDNSKEY RRset it needs to check them against what is currently CDS or CDNSKEY RRset it needs to check them against what is currently
published - see Section 5) published - see Section 5.
Following acceptance rules are placed on the CDS / CDNSKEY resource Following acceptance rules are placed on the CDS / CDNSKEY resource
records as follows: records as follows:
o Location: "the CDS / CDNSKEY resource records MUST be at the child o Location: the CDS / CDNSKEY resource records MUST be at the child
zone apex". zone apex.
o Signer: "MUST be signed with a key that is represented in both the o Signer: MUST be signed with a key that is represented in both the
current DNSKEY and DS RRset's" (unless the parent uses the CDS / current DNSKEY and DS RRsets (unless the parent uses the CDS /
CDNSKEY RRset for initial enrollment, in that case the parent CDNSKEY RRset for initial enrollment, in that case the parent
validates the CDS / CDNSKEY though some other means (see validates the CDS / CDNSKEY through some other means (see
Section 6.1 and the Security Considerations.)) Section 6.1 and the Security Considerations.)
o Continuity: "MUST NOT break the current delegation if applied to o Continuity: MUST NOT break the current delegation if applied to DS
DS RRset" RRset.
If any these conditions fail the CDS / CDNSKEY resource record MUST If any these conditions fail the CDS / CDNSKEY resource record MUST
be ignored. be ignored.
5. CDS / CDNSKEY Publication 5. CDS / CDNSKEY Publication
Child DNS Operator publishes CDS and / or CDNSKEY resource records. Child DNS Operator publishes CDS and / or CDNSKEY resource records.
In order to be valid, the CDS / CDNSKEY RRset MUST be compliant with In order to be valid, the CDS / CDNSKEY RRset MUST be compliant with
the rules in Section 4.1. When the Parent DS is "in-sync" with the the rules in Section 4.1. When the Parent DS is "in sync" with the
CDS / CDNSKEY resource records, the Child DNS Operator MAY delete the CDS / CDNSKEY resource records, the Child DNS Operator MAY delete the
CDS / CDNSKEY record(s); the child can determine if this is the case CDS / CDNSKEY record(s); the child can determine if this is the case
by querying for DS records in the parent. by querying for DS records in the parent.
6. Parent Side CDS / CDNSKEY Consumption 6. Parent Side CDS / CDNSKEY Consumption
The CDS / CDNSKEY RRset SHOULD be used by the Parental Agent to The CDS / CDNSKEY RRset SHOULD be used by the Parental Agent to
update the DS RRset in the parent zone. The Parental Agent for this update the DS RRset in the parent zone. The Parental Agent for this
uses a tool that understands the CDS / CDNSKEY signing rules from uses a tool that understands the CDS / CDNSKEY signing rules from
Section 4.1 so it might not be able to use a standard validator. Section 4.1 so it might not be able to use a standard validator.
skipping to change at page 10, line 10 skipping to change at page 10, line 10
6.1. Detecting a Changed CDS / CDNSKEY 6.1. Detecting a Changed CDS / CDNSKEY
How the Parental Agent gets the CDS / CDNSKEY RRset may differ, below How the Parental Agent gets the CDS / CDNSKEY RRset may differ, below
are two examples as how this can take place. are two examples as how this can take place.
Polling The Parental Agent operates a tool that periodically checks Polling The Parental Agent operates a tool that periodically checks
each of the children that has a DS record to see if there is a each of the children that has a DS record to see if there is a
CDS or CDNSKEY RRset. CDS or CDNSKEY RRset.
Pushing The delegation user interface has a button {Fetch DS} when Pushing The delegation user interface has a button {Fetch DS} when
pushed preforms the CDS / CDNSKEY processing. If the Parent pushed performs the CDS / CDNSKEY processing. If the Parent
zone does not contain DS for this delegation then the "push" zone does not contain DS for this delegation then the "push"
SHOULD be ignored. If the Parental Agent displays the contents SHOULD be ignored. If the Parental Agent displays the contents
of the CDS / CDSNKEY to the user and gets confirmation that of the CDS / CDSNKEY to the user and gets confirmation that
this represents their key, the Parental Agent MAY use this for this represents their key, the Parental Agent MAY use this for
initial enrolment (when the Parent zone does not contain the DS initial enrollment (when the Parent zone does not contain the
for this delegation). DS for this delegation).
In either case the Parental Agent MAY apply additional rules that In either case the Parental Agent MAY apply additional rules that
defer the acceptance of a CDS / CDNSKEY change, these rules may defer the acceptance of a CDS / CDNSKEY change, these rules may
include a condition that the CDS / CDNSKEY remains in place and valid include a condition that the CDS / CDNSKEY remains in place and valid
for some time period before it is accepted. It may be appropriate in for some time period before it is accepted. It may be appropriate in
the "Pushing" case to assume that the Child is ready and thus accept the "Pushing" case to assume that the Child is ready and thus accept
changes without delay. changes without delay.
6.1.1. CDS / CDNSKEY Polling 6.1.1. CDS / CDNSKEY Polling
This is the only defined use of CDS / CDNSKEY resource records in This is the only defined use of CDS / CDNSKEY resource records in
this document. There are limits to the scaleability of polling this document. There are limits to the scalability of polling
techniques, thus some other mechanism is likely to be specified later techniques, thus some other mechanism is likely to be specified later
that addresses CDS / CDNSKEY resource record usage in the situation that addresses CDS / CDNSKEY resource record usage in the situation
where polling does not scale to. Having said that Polling will work where polling does not scale to. Having said that, Polling will work
in many important cases such as enterprises, universities and smaller in many important cases such as enterprises, universities and smaller
TLDs. In many regulatory environments the registry is prohibited TLDs. In many regulatory environments the registry is prohibited
from talking to the registrant. In most of these cases the from talking to the registrant. In most of these cases the
registrant has a business relationship with the registrar, and so the registrant has a business relationship with the registrar, and so the
registrar can offer this as a service. registrar can offer this as a service.
If the CDS / CDNSKEY RRset does not exist, the Parental Agent MUST If the CDS / CDNSKEY RRset does not exist, the Parental Agent MUST
take no action. Specifically it MUST NOT delete or alter the take no action. Specifically it MUST NOT delete or alter the
existing DS RRset. existing DS RRset.
6.1.2. Other Mechanisms 6.1.2. Polling Triggers
It is assumed that other mechanisms will be implemented to trigger It is assumed that other mechanisms will be implemented to trigger
the parent to look for an updated CDS / CDNSKEY RRsets. As the CDS / the parent to look for an updated CDS / CDNSKEY RRsets. As the CDS /
CDNSKEY resource records are validated with DNSSEC, these mechanisms CDNSKEY resource records are validated with DNSSEC, these mechanisms
can be unauthenticated (for example, a child could telephone its can be unauthenticated. As an example, a child could telephone its
parent and request that they process the new CDS or CDNSKEY resource parent and request that they process the new CDS or CDNSKEY resource
records or an unauthenticated POST could be made to a webserver (with records or an unauthenticated POST could be made to a webserver (with
rate-limiting).) rate-limiting).
Other documents can specify the trigger conditions. Other documents can specify the trigger conditions.
6.2. Using the New CDS / CDNSKEY Records 6.2. Using the New CDS / CDNSKEY Records
Regardless of how the Parental Agent detected changes to a CDS / Regardless of how the Parental Agent detected changes to a CDS /
CDNSKEY RRset, the Parental Agent SHOULD use a DNSSEC validator to CDNSKEY RRset, the Parental Agent SHOULD use a DNSSEC validator to
obtain a validated CDS / CDNSKEY RRset from the Child zone. The only obtain a validated CDS / CDNSKEY RRset from the Child zone. A NOT
exception to this is if the parent performs some additional RECOMMENDED exception to this is if the parent performs some
validation on the data to confirm that it is the "correct" key. This additional validation on the data to confirm that it is the "correct"
behavior is NOT RECOMMENDED. key.
The Parental Agent MUST ensure that previous versions of the CDS / The Parental Agent MUST ensure that previous versions of the CDS /
CDNSKEY RRset do not overwrite more recent versions. This MAY be CDNSKEY RRset do not overwrite more recent versions. This MAY be
accomplished by checking that the signature inception in the RRSIG accomplished by checking that the signature inception in the RRSIG
for CDS / CDNSKEY RRset is later and/or the serial number on the for CDS / CDNSKEY RRset is later and / or the serial number on the
child's SOA is greater. This may require the Parental Agent to child's SOA is greater. This may require the Parental Agent to
maintain some state information. maintain some state information.
The Parental Agent MAY take extra security measures. For example, to The Parental Agent MAY take extra security measures. For example, to
mitigate the possibility that a Child's key signing key has been mitigate the possibility that a Child's key signing key has been
compromised, the Parental Agent may, for example, inform (by email or compromised, the Parental Agent may, for example, inform (by email or
other methods ) the Child DNS Operator of the change. However the other methods) the Child DNS Operator of the change. However the
precise out-of-band measures that a parent zone SHOULD take are precise out-of-band measures that a parent zone SHOULD take are
outside the scope of this document. outside the scope of this document.
Once the Parental Agent has obtained a valid CDS / CDNSKEY RRset it Once the Parental Agent has obtained a valid CDS / CDNSKEY RRset it
MUST check the publication rules from section 4.1. In particular the MUST check the publication rules from section 4.1. In particular the
Parental Agent MUST check the Continuity rule and do its best not to Parental Agent MUST check the Continuity rule and do its best not to
invalidate the Child zone. Once checked and if the information in invalidate the Child zone. Once checked and if the information in
the CDS / CDNSKEY and DS differ it may apply the changes to the the CDS / CDNSKEY and DS differ it may apply the changes to the
parent zone. If the parent consumes CDNSKEY, the parent should parent zone. If the parent consumes CDNSKEY, the parent should
calculate the DS before doing this comparison. calculate the DS before doing this comparison.
6.2.1. Parent Calculates DS 6.2.1. Parent Calculates DS
There are cases where the Parent wants to calculate the DS record due There are cases where the Parent wants to calculate the DS record due
to policy reasons. In this case, the Child publishes CDNSKEY records to policy reasons. In this case, the Child publishes CDNSKEY records
and the parent calculates the DS records on behalf of the children. and the parent calculates the DS records on behalf of the children.
When a Parent operates in "calculate DS" mode it can operate in one When a Parent operates in "calculate DS" mode it can operate in one
of two sub-modes of two sub-modes:
full it only publishes DS records it calculates from DNSKEY records, full: it only publishes DS records it calculates from DNSKEY
records,
augment it will make sure there are DS records for the digest augment: it will make sure there are DS records for the digest
algorithm(s) it requires(s). algorithm(s) it requires(s).
In the case where the parent fetches the CDNSKEY RRset and calculate In the case where the parent fetches the CDNSKEY RRset and calculates
the DS it MAY be the case that the DS published in the parent zone is the DS it MAY be the case that the DS published in the parent zone is
not identical with the data in the CDS resource record made available not identical with the data in the CDS resource record made available
by the child. by the child.
7. IANA Considerations 7. IANA Considerations
IANA has assigned RR Type code 59 for the CDS resource record. This IANA has assigned RR Type code 59 for the CDS resource record. This
was done for an earlier version of this document[I-D.ds-publish] This was done for an earlier version of this document[I-D.ds-publish] This
document is to become the reference for CDS RRtype. document is to become the reference for CDS RRtype.
skipping to change at page 12, line 33 skipping to change at page 12, line 33
This work is for the normal case; when things go wrong there is only This work is for the normal case; when things go wrong there is only
so much that automation can fix. so much that automation can fix.
If child breaks DNSSEC validation by removing all the DNSKEYs that If child breaks DNSSEC validation by removing all the DNSKEYs that
are represented in the DS set its only repair actions are to contact are represented in the DS set its only repair actions are to contact
the parent or restore the DNSKEYs in the DS set. the parent or restore the DNSKEYs in the DS set.
In the event of a compromise of the server or system generating In the event of a compromise of the server or system generating
signatures for a zone, an attacker might be able to generate and signatures for a zone, an attacker might be able to generate and
publish new CDS resource records. The modified CDS recourse records publish new CDS / CDNSKEY resource records. The modified CDS /
will be picked up by this technique and so may allow the attacker to CDNSKEY records will be picked up by this technique and so may allow
extend the effective time of his attack. If there a delay in the attacker to extend the effective time of his attack. If there is
accepting changes to DS, as in [RFC5011], then the attacker needs to a delay in accepting changes to DS, as in [RFC5011], then the
hope his activity is not detected before the DS in parent is changed. attacker needs to hope his activity is not detected before the DS in
If this type of change takes place, the child needs to contact the the parent is changed. If this type of change takes place, the child
parent (possibly via a registrar web interface) and remove any needs to contact the parent (possibly via a registrar web interface)
compromised DS keys. and remove any compromised DS keys.
A compromise of the account with the parent (e.g. registrar) will not A compromise of the account with the parent (e.g. registrar) will not
be mitigated by this technique, as the "new registrant" can delete/ be mitigated by this technique, as the "new registrant" can delete /
modify the DS records at will. modify the DS records at will.
While it may be tempting, this SHOULD NOT be used for initial While it may be tempting, this SHOULD NOT be used for initial
enrollment of keys since there is no way to ensure that the initial enrollment of keys since there is no way to ensure that the initial
key is the correct one. If is used, strict rules for inclusion of key is the correct one. If is used, strict rules for inclusion of
keys such as hold down times, challenge data inclusion or similar, keys such as hold down times, challenge data inclusion or similar,
ought to be used, along with some kind of challenge mechanism. A ought to be used, along with some kind of challenge mechanism. A
child cannot use this mechanism to go from signed to unsigned child cannot use this mechanism to go from signed to unsigned
(publishing an empty CDS / CDNSKEY RRset means no-change should be (publishing an empty CDS / CDNSKEY RRset means no-change should be
made in the parent). made in the parent).
skipping to change at page 13, line 24 skipping to change at page 13, line 24
appropriate records in the parent zone. Specifically some operations appropriate records in the parent zone. Specifically some operations
may use other mechanisms than what is described here. For example, a may use other mechanisms than what is described here. For example, a
registrar may assume that it is maintaining the DNSSEC key registrar may assume that it is maintaining the DNSSEC key
information in the registry, and may have this cached. If the information in the registry, and may have this cached. If the
registry is fetching the CDS / CDNSKEY RRset then the registry and registry is fetching the CDS / CDNSKEY RRset then the registry and
registrar may have different views of the DNSSEC key material and the registrar may have different views of the DNSSEC key material and the
result of such a situation is unclear. Therefore, this mechanism result of such a situation is unclear. Therefore, this mechanism
SHOULD NOT be use to bypass intermediaries that might cache SHOULD NOT be use to bypass intermediaries that might cache
information and because of that get the wrong state. information and because of that get the wrong state.
If there is a failure in applying changes in child zone to all DNS If there is a failure in applying changes in the child zone to all
servers listed in either parent or child NS set it is possible that DNS servers listed in either parent or child NS set it is possible
the Parental agent may get confused, either because it gets different that the Parental agent may get confused, either because it gets
answers on different checks or CDS RR validation fails. In the worst different answers on different checks or CDS RR validation fails. In
case, the Parental Agent performs an action reversing a prior action the worst case, the Parental Agent performs an action reversing a
but after the child signing system decides to take the next step in prior action but after the child signing system decides to take the
the key change process, resulting in a broken delegation. next step in the key change process, resulting in a broken
delegation.
DNS is a loosely coherent distributed database with local caching; DNS is a loosely coherent distributed database with local caching;
therefore, it is important to allow old information to expire from therefore, it is important to allow old information to expire from
caches before deleting DS or DNSKEY records. Similarly, it is caches before deleting DS or DNSKEY records. Similarly, it is
important to allow new records to propagate through the DNS before important to allow new records to propagate through the DNS before
use, see [RFC6781] and [I-D.key-time] use, see [RFC6781] and [I-D.key-time]
It is common practice for users to outsource their DNS hosting to a It is common practice for users to outsource their DNS hosting to a
3rd party DNS provider. In order for that provider to be able to third-party DNS provider. In order for that provider to be able to
maintain the DNSSEC information some users give the provider their maintain the DNSSEC information some users give the provider their
registrar login credentials (which obviously has negative security registrar login credentials (which obviously has negative security
implications). Deploying the solution described in this document implications). Deploying the solution described in this document
allows the 3rd party DNS provider to maintain the DNSSEC information allows the 3rd party DNS provider to maintain the DNSSEC information
without giving them the registrar credentials, thereby improving without giving them the registrar credentials, thereby improving
security. security.
By automating the maintenance of the DNSSEC key information (and By automating the maintenance of the DNSSEC key information (and
removing humans from the process), we expect to decrease the number removing humans from the process), we expect to decrease the number
of DNSSEC related outages, which should increase DNSSEC deployment. of DNSSEC related outages, which should increase DNSSEC deployment.
skipping to change at page 14, line 16 skipping to change at page 14, line 16
We would like to thank a large number of folk, including: Mark We would like to thank a large number of folk, including: Mark
Andrews, Joe Abley, Jaap Akkerhuis, Roy Arends, Doug Barton, Brian Andrews, Joe Abley, Jaap Akkerhuis, Roy Arends, Doug Barton, Brian
Dickson, Paul Ebersman, Tony Finch, Jim Galvin, Paul Hoffman, Samir Dickson, Paul Ebersman, Tony Finch, Jim Galvin, Paul Hoffman, Samir
Hussain, Tatuya Jinmei, Olaf Kolkman, Stephan Lagerholm, Cricket Liu, Hussain, Tatuya Jinmei, Olaf Kolkman, Stephan Lagerholm, Cricket Liu,
Matt Larson, Marco Sanz, Antoin Verschuren, Suzanne Woolf, Paul Matt Larson, Marco Sanz, Antoin Verschuren, Suzanne Woolf, Paul
Wouters, John Dickinson, Timothe Litt and Edward Lewis. Wouters, John Dickinson, Timothe Litt and Edward Lewis.
Special thanks to Wes Hardaker for contributing significant text and Special thanks to Wes Hardaker for contributing significant text and
creating the complementary (CSYNC) solution, and to Patrik Faltstrom, creating the complementary (CSYNC) solution, and to Patrik Faltstrom,
Paul Hoffman, Matthijs Mekking and Mukund Sivaraman for text and in- Paul Hoffman, Matthijs Mekking, Mukund Sivaraman and Jeremy C. Reed
depth review. for text and in-depth review.
There were a number of other folk with whom we discussed this, There were a number of other folk with whom we discussed this,
apologies for not remembering everyone. apologies for not remembering everyone.
11. References 11. References
11.1. Normative References 11.1. Normative References
[RFC1035] Mockapetris, P., "Domain names - implementation and [RFC1035] Mockapetris, P., "Domain names - implementation and
specification", STD 13, RFC 1035, November 1987. specification", STD 13, RFC 1035, November 1987.
skipping to change at page 15, line 39 skipping to change at page 15, line 39
[RFC5730] Hollenbeck, S., "Extensible Provisioning Protocol (EPP)", [RFC5730] Hollenbeck, S., "Extensible Provisioning Protocol (EPP)",
STD 69, RFC 5730, August 2009. STD 69, RFC 5730, August 2009.
[RFC5910] Gould, J. and S. Hollenbeck, "Domain Name System (DNS) [RFC5910] Gould, J. and S. Hollenbeck, "Domain Name System (DNS)
Security Extensions Mapping for the Extensible Security Extensions Mapping for the Extensible
Provisioning Protocol (EPP)", RFC 5910, May 2010. Provisioning Protocol (EPP)", RFC 5910, May 2010.
Appendix A. RRR background Appendix A. RRR background
RRR is our shorthand for Registry/Registrar/Registrant model of
parent child relationship.
In the RRR world, the different parties are frequently from different In the RRR world, the different parties are frequently from different
organizations. In the single enterprise world there are also organizations. In the single enterprise world there are also
organizational/geographical/cultural separations that affect how organizational / geographical / cultural separations that affect how
information flows from a Child to the parent. information flows from a Child to the parent.
Due to the complexity of the different roles and interconnections, Due to the complexity of the different roles and interconnections,
automation of delegation information Expolhas not yet occurred. automation of delegation information has not yet occurred. There
There have been proposals to automate this, in order to improve the have been proposals to automate this, in order to improve the
reliability of the DNS. These proposals have not gained enough reliability of the DNS. These proposals have not gained enough
traction to become standards. traction to become standards.
For example in many of the TLD cases there is the RRR model For example in many of the TLD cases there is the RRR model
(Registry, Registrar and Registrant). The Registry operates DNS for (Registry, Registrar and Registrant). The Registry operates DNS for
the TLD, the Registrars accept registrations and place information the TLD, the Registrars accept registrations and place information
into the Registries database. The Registrant only communicates with into the Registries database. The Registrant only communicates with
the Registrar; frequently the Registry is not allowed to communicate the Registrar; frequently the Registry is not allowed to communicate
with the Registrant. In that case as far as the registrant is with the Registrant. In that case as far as the registrant is
concerned the Registrar == Parent. concerned the Registrar is the same entity as the Parent.
In many RRR cases the Registrar and Registry communicate via In many RRR cases the Registrar and Registry communicate via
EPP[RFC5730] and use the EPP DNSSEC extension [RFC5910]. In a number EPP[RFC5730] and use the EPP DNSSEC extension [RFC5910]. In a number
of ccTLDs there are other mechanisms in use as well as EPP, but in of ccTLDs there are other mechanisms in use as well as EPP, but in
general there seems to be a movement towards EPP usage when DNSSEC is general there seems to be a movement towards EPP usage when DNSSEC is
enabled in the TLD. enabled in the TLD.
Appendix B. Changes / Author Notes. Appendix B. Changes / Author Notes.
[RFC Editor: Please remove this section before publication ] [RFC Editor: Please remove this section before publication ]
WG-11 to WG-12
o Many nits and helpful grammar fixes from Jeremy C. Reed.
WG-10 to WG-11 WG-10 to WG-11
o More useful text from Matthijs. o More useful text from Matthijs.
o Explained why the child might want to remove the CDS / CDNSKEY o Explained why the child might want to remove the CDS / CDNSKEY
Records. Records.
WG-09 to WG-10 WG-09 to WG-10
o Incorporated off list comments from Stephan Lagerholm. Largest o Incorporated off list comments from Stephan Lagerholm. Largest
change is fixing discrepancy between parent MAY perform OOB change is fixing discrepancy between parent MAY perform OOB
validation and the Signer rule in 4.1. Clarified by updating validation and the Signer rule in 4.1. Clarified by updating
signer rule to allow signer rule to allow enrolment if validation is performed OOB.
WG-08 to WG-09 WG-08 to WG-09
o New text from Paul Hoffman for the first paragraph of the intro. o New text from Paul Hoffman for the first paragraph of the intro.
o ... with a modification from Jaap. o And a modification from Jaap.
WG-07 to WG-08 WG-07 to WG-08
o Incorporated text from Antoin Verschuren at the end of Section 6. o Incorporated text from Antoin Verschuren at the end of Section 6.
o Comments from Paul Hoffman and Tim W o Comments from Paul Hoffman and Tim W
WG-06 to WG-07 WG-06 to WG-07
o Incorporated nits / editorial comments from Tim Wicinski. o Incorporated nits / editorial comments from Tim Wicinski.
o o
* Reference for Mark's draft was incorrect, Wes Hardaker doesn't * Reference for Mark's draft was incorrect, Wes Hardaker doesn't
work for ISC :-P work for ISC :-P
* Normalized CDS record / CDS resource record / records / etc. * Normalized CDS record / CDS resource record / records / etc.
* Language cleanup / nits / poor grammar. * Language cleanup / nits / poor grammar.
* removed "punted" colloquialism. * removed "punted" colloquialism.
WG-05 to WG-06 WG-05 to WG-06
o Consensus (according to me!) was that mail thread said "Child MAY o Consensus (according to me!) was that mail thread said "Child MAY
remove the CDS record". Changed to accomodate. remove the CDS record". Changed to accommodate.
o "The proposal below can operate with both models, but the child o "The proposal below can operate with both models, but the child
needs to be aware of the parental policies." - removed "but the needs to be aware of the parental policies." - removed "but the
child needs to be aware of the parental policies.". This is no child needs to be aware of the parental policies.". This is no
longer true, as we suggest publishing both CDS and CDSNKEY. longer true, as we suggest publishing both CDS and CDSNKEY.
o Added: "without some additional out of band process" to "The Child o Added: "without some additional out of band process" to "The Child
may not enroll the initial key or introduce a new key when there may not enroll the initial key or introduce a new key when there
are no old keys that can be used (without some additional, out of are no old keys that can be used (without some additional, out of
band, validation of the keys), because there is no way to validate band, validation of the keys), because there is no way to validate
the information." the information."
o Added a bit to the IANA section, requesting that TBA1 be replaced o Added a bit to the IANA section, requesting that TBA1 be replaced
with the IANA allocated code. with the IANA allocated code.
o Removed" Some parents prefer to accept DNSSEC key information in o Removed: "Some parents prefer to accept DNSSEC key information in
DS format, some parents prefer to accept it in DNSKEY format, and DS format, some parents prefer to accept it in DNSKEY format, and
calculate the DS record on the child's behalf. Each method has calculate the DS record on the child's behalf. Each method has
pros and cons, both technical and policy. This solution is DS vs pros and cons, both technical and policy. This solution is DS vs
DNSKEY agnostic, and allows operation with either." from Section 4 DNSKEY agnostic, and allows operation with either." from Section 4
as it is covered in Section 2.2.1 as it is covered in Section 2.2.1
o Remove a bunch of comments from the XML. I was getting tired of o Remove a bunch of comments from the XML. I was getting tired of
scrolling past them. If the authors need them back, they are in scrolling past them. If the authors need them back, they are in
SVN commit 47. SVN commit 47.
skipping to change at page 18, line 15 skipping to change at page 18, line 20
WG-03 to WG-04 WG-03 to WG-04
o Large number of comments and changes from Patrik. o Large number of comments and changes from Patrik.
WG-02 to WG-03 WG-02 to WG-03
o Fixed some references to RFC 5011 - from Samir Hussain. o Fixed some references to RFC 5011 - from Samir Hussain.
o Fixed some spelling / typos - from Samir Hussain. o Fixed some spelling / typos - from Samir Hussain.
o A number of clarifiations on the meaning on an empty / non- o A number of clarifications on the meaning on an empty / non-
existant CDS RRset - thanks to JINMEI, Tatuya existant CDS RRset - thanks to JINMEI, Tatuya
o Be consistent in mentioning both CDS and CDNSKEY throughout the o Be consistent in mentioning both CDS and CDNSKEY throughout the
document. document.
WG-01 to WG-02 WG-01 to WG-02
o Many nits and suggestions from Mukund. o Many nits and suggestions from Mukund.
o Matthijs: " I still think that it is too strong that the Child DNS o Matthijs: " I still think that it is too strong that the Child DNS
Operator SHOULD/MUST delete the CDS RRset when the Parent DS is Operator SHOULD/MUST delete the CDS RRset when the Parent DS is
"in-sync". This should be a MAY" "in sync". This should be a MAY"
WG-00 to WG-01 WG-00 to WG-01
o Addressed Vancouver: "Paul Hoffmann: NOT ready for WGLC. None of o Addressed Vancouver: "Paul Hoffmann: NOT ready for WGLC. None of
the 2 documents explain why there is a split between the two the 2 documents explain why there is a split between the two
strategies." Thanks to Paul for providing text. strategies." Thanks to Paul for providing text.
From -05 to WG-00: From -05 to WG-00:
o Nothing rchanged, resubmit under new name. o Nothing changed, resubmit under new name.
From 04 to 05 From 04 to 05
o Renamed the record back to CDS. o Renamed the record back to CDS.
From 03 to 04. From 03 to 04.
o Added text explaining that CDS and CSYNC complement each other, o Added text explaining that CDS and CSYNC complement each other,
not replace or compete. not replace or compete.
 End of changes. 58 change blocks. 
85 lines changed or deleted 90 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/