| < draft-ietf-dnsop-dnssec-trust-history-01.txt | draft-ietf-dnsop-dnssec-trust-history-02.txt > | |||
|---|---|---|---|---|
| Domain Name System Operations W. Wijngaards | Domain Name System Operations W. Wijngaards | |||
| Internet-Draft O. Kolkman | Internet-Draft O. Kolkman | |||
| Intended status: Standards Track NLnet Labs | Intended status: Standards Track NLnet Labs | |||
| Expires: August 26, 2010 February 22, 2010 | Expires: December 31, 2010 June 29, 2010 | |||
| DNSSEC Trust Anchor History Service | DNSSEC Trust Anchor History Service | |||
| draft-ietf-dnsop-dnssec-trust-history-01 | draft-ietf-dnsop-dnssec-trust-history-02 | |||
| Abstract | Abstract | |||
| When DNS validators have trusted keys, but have been offline for a | When DNS validators have trusted keys, but have been offline for a | |||
| longer period, key rollover will fail and they are stuck with stale | longer period, key rollover will fail and they are stuck with stale | |||
| trust anchors. History service allows validators to query for older | trust anchors. History service allows validators to query for older | |||
| DNSKEY RRsets and pick up the rollover trail where they left off. | DNSKEY RRsets and pick up the rollover trail where they left off. | |||
| Requirements Language | Requirements Language | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
| document are to be interpreted as described in RFC 2119 [RFC2119]. | document are to be interpreted as described in RFC 2119 [RFC2119]. | |||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted to IETF in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF), its areas, and its working groups. Note that | Task Force (IETF). Note that other groups may also distribute | |||
| other groups may also distribute working documents as Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| The list of current Internet-Drafts can be accessed at | This Internet-Draft will expire on December 31, 2010. | |||
| http://www.ietf.org/ietf/1id-abstracts.txt. | ||||
| The list of Internet-Draft Shadow Directories can be accessed at | ||||
| http://www.ietf.org/shadow.html. | ||||
| This Internet-Draft will expire on August 26, 2010. | ||||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2010 IETF Trust and the persons identified as the | Copyright (c) 2010 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the BSD License. | described in the Simplified BSD License. | |||
| 1. Introduction | 1. Introduction | |||
| This memo defines a trust history service for DNS validators -- the | This memo defines a trust history service for DNS validators -- the | |||
| component in a resolver that performs DNSSEC [RFC4034] validation, | component in a resolver that performs DNSSEC [RFC4034] validation, | |||
| validator for short. | validator for short. | |||
| A validator that has been offline or missed an (emergency) rollover | A validator that has been offline or missed an (emergency) rollover | |||
| can use this service to reconfigure themselves with the current | can use this service to reconfigure themselves with the current | |||
| trust-anchor. Using a newly defined resource record (RR) that links | trust-anchor. Using a newly defined resource record (RR) that links | |||
| old DNSKEYS together, the TALINK RR, a validator fetches old DNSKEY | old DNSKEYS together, the TALINK RR, a validator fetches old DNSKEY | |||
| RRsets and checks they form a chain to the latest key (see | RRsets and checks they form a chain to the latest key (see | |||
| Section 2). The lists of old DNSKEYS, linked with the TALINK RRs, do | Section 3). The lists of old DNSKEYS, linked with the TALINK RRs, do | |||
| not necessarily need to be published in the zone for which the DNSKEY | not necessarily need to be published in the zone for which the DNSKEY | |||
| history is being maintained but can be published in any DNS domain. | history is being maintained but can be published in any DNS domain. | |||
| We will call the entity that offers the trust history the History | We will call the entity that offers the trust history the History | |||
| Provider. The choice of the History Provider is made by the | Provider. The choice of the History Provider is made by the | |||
| maintainer of the validator, possibly based on a hint provided, using | maintainer of the validator, possibly based on a hint provided, using | |||
| the TALINK, by the zone owner. | the TALINK, by the zone owner. | |||
| Section 2 provides background on the mechanism and usage. It looks | ||||
| at the viewpoints of publishers and consumers of trust anchors, the | ||||
| use of keys with revocation flags, and SEP flags. | ||||
| The algorithm that the validator uses to construct a history and | The algorithm that the validator uses to construct a history and | |||
| reconfigure a new key is detailed in Section 3. The algorithms for | reconfigure a new key is detailed in Section 4, it uses the TALINK RR | |||
| how providers of trust history can fetch the DNSKEY data as published | type defined in Section 3. The algorithms for how providers of trust | |||
| by the zone they track and publish that are explained in Section 4. | history can fetch the DNSKEY data as published by the zone they track | |||
| and publish that are explained in Section 5. | ||||
| 2. The TALINK Resource Record | 2. Motivation and Description | |||
| Validators provide a service in DNSSEC that can be seen from two | ||||
| ways. Seen from the publisher's point of view, they provide | ||||
| assurance that the data as received is as it was when it left the | ||||
| publisher's hands. In this way of looking at things, validators | ||||
| provide a publication integrity service. The publisher can be | ||||
| confident that nobody can alter the published data (if it is | ||||
| validated), because any alteration will be detected. So it protects | ||||
| a publisher from being seen to send someone to the wrong place. | ||||
| From the consumer's point of view, validators provide a reason to | ||||
| trust the data from the network. In this view, the validator is | ||||
| making a claim about whether the data ought to be accepted or not. | ||||
| This is subtly different from the publisher's point of view, because | ||||
| the question for the consumer is not whether the data is safe while | ||||
| the consumer is not looking, but whether the data is safe for the | ||||
| consumer at the moment of consumption. Validation protects a | ||||
| consumer from going to the wrong place. | ||||
| These two slightly different ways of looking at the situation result | ||||
| in slightly different operational goals. Whereas publishers want to | ||||
| make assertions about their data, by controlling the roll over of | ||||
| keys, consumers want to get the best assurance that they can get that | ||||
| the data they are consuming is correct. | ||||
| If a validator has been offline during a key rollover event for one | ||||
| of its trust anchors, then the validator will be unable to validate | ||||
| answers that need that trust anchor. For the publisher, this state | ||||
| of affairs is acceptable: the publisher is confident that no | ||||
| validator ever consumes the wrong data. For the consumer, however, | ||||
| this state of affairs represents an outage. | ||||
| Since publishers of trust anchors already use a chained series of | ||||
| keys to perform rollovers under some circumstances (see [RFC5011]), | ||||
| it is possible to use the history of that chain to allow a validator | ||||
| to resume service for the consumer without needing to use an out-of- | ||||
| band mechanism to obtain a new trust anchor. This improves the | ||||
| experience for consumers of validated data, and increases the chances | ||||
| that DNSSEC is useful for consumers of DNS data. | ||||
| The mechanism to do this is a double-linked list that recounts a | ||||
| portion of the history of DNSKEY Resource Records. The list is used | ||||
| by a validator to catch up with the changes that the validator | ||||
| somehow missed. This approach may be thought of as replaying the | ||||
| [RFC5011] rollover history, only at a later time. | ||||
| 2.1. Considerations for Using a Revoked Key | ||||
| The keys that the publisher rolled are marked REVOKED by the RFC5011 | ||||
| protocol. At this point the publisher considers the keys revoked, | ||||
| but the validators have not yet seen this or marked the keys as | ||||
| revoked. In the RFC5011 protocol, the validators probe regularly and | ||||
| can then see if keys are revoked. If unable to probe, they will be | ||||
| unable to see if keys are revoked. Hence when using a history to | ||||
| recount rollovers, the consumer's validator has also missed a number | ||||
| of revocations. The goal is to pick up the right keys and also the | ||||
| new revocations along the way. | ||||
| Although the keys have been marked by the publisher as REVOKED a long | ||||
| time ago, for the consumer these REVOKED keys are new information. | ||||
| Their storage in the history list makes it possible for consumers to | ||||
| pick up key revocations if they missed the revocation announcement | ||||
| because they could not probe. | ||||
| This is the allowed usage of REVOKED keys. The publisher is | ||||
| announcing their presence. And the validators mark them as REVOKED | ||||
| after verification. The initial part of this verification is the | ||||
| reverse walk through the history list, which is to avoid exposing | ||||
| which key is trusted. This means that older signatures with keys | ||||
| that have in the meantime been revoked are used to construct and | ||||
| verify the history list by the validator. | ||||
| A consequence is that once a publisher marks keys as REVOKED, there | ||||
| will still be consumers who are using such keys, because they have | ||||
| not seen the revocation. From the publishers point of view they are | ||||
| revoked and the revocation is filed in the historical key list. From | ||||
| the consumers point of view, it has not seen a revocation yet, and a | ||||
| historical key list lookup algorithm is a state change where a new | ||||
| trusted key is obtained while the old key is observed to be revoked. | ||||
| 2.2. Motivation for Requiring the SEP Bit | ||||
| The SEP bit is used to differentiate Key Signing Keys from other | ||||
| keys. It is defined in [RFC3757], it is used to designate trust | ||||
| anchors in [RFC5011]. The protocol herein specified requires that | ||||
| DNSKEYs that are subject to use for the trust history service have | ||||
| the SEP bit set. The reason for this is to keep the set of keys that | ||||
| need to be stored in history small. | ||||
| 3. The TALINK Resource Record | ||||
| The DNS Resource Record type TALINK (decimal 58) ties the elements of | The DNS Resource Record type TALINK (decimal 58) ties the elements of | |||
| a linked list of DNSKEY RRs together. | a linked list of DNSKEY RRs together. | |||
| The rdata consists of two domain names. The first name is the start, | The rdata consists of two domain names. The first name is the start, | |||
| or previous name, and the other name the end or next name in the | or previous name, and the other name the end or next name in the | |||
| list. The empty label '.' is used at the endpoints of the list. | list. The empty label '.' is used at the endpoints of the list. | |||
| The presentation format is the two domain names. The wire encoding | The presentation format is the two domain names. The wire encoding | |||
| is the two domain names, with no compression so the type can be | is the two domain names, with no compression so the type can be | |||
| treated according to [RFC3597]. The list is a double linked list, | treated according to [RFC3597]. The list is a double linked list, | |||
| because this empowers low memory hosts to perform consistency checks. | because this empowers low memory hosts to perform consistency checks. | |||
| 3. Trust History Lookup | The TALINK used at the zone apex holds the endpoints of the list. | |||
| The TALINKs that form the lists hold previous and next entries. | ||||
| These TALINKs are distinguished by their usage (entrypoint or list | ||||
| connection). The double linked list is not circular, because lookups | ||||
| must stop when they reach the oldest entry. | ||||
| 4. Trust History Lookup | ||||
| This is the algorithm that a validator uses to detect and resolve the | This is the algorithm that a validator uses to detect and resolve the | |||
| situation in which a trust-anchor is out of sync with the DNSKEYs | situation in which a trust-anchor is out of sync with the DNSKEYs | |||
| published by a zone owner. The algorithm uses the TALINK RR type | published by a zone owner. The algorithm uses the TALINK RR type | |||
| which is used to link various old DNSKEYs as published by the History | which is used to link various old DNSKEYs as published by the History | |||
| Provider, to arrive from the outdated configured Trust Anchor to one | Provider, to arrive from the outdated configured Trust Anchor to one | |||
| that matches the current DNSKEY. The TALINK RR type is defined in | that matches the current DNSKEY. The TALINK RR type is defined in | |||
| Section 2. | Section 3. | |||
| When the algorithm below results in failure the trust history cannot | When the algorithm below results in failure the trust history cannot | |||
| be build and a new trust anchor will need to be re-configured using | be built and a new trust anchor will need to be re-configured using | |||
| another mechanism. | another mechanism. | |||
| Step 1: The validator performs a DNSKEY lookup to the target zone, | Step 1: The validator performs a DNSKEY lookup to the target zone, | |||
| which looks like any other initial DNSKEY lookup that the | which looks like any other initial DNSKEY lookup that the | |||
| validator needs to match a trust anchor to the currently used | validator needs to match a trust anchor to the currently used | |||
| DNSKEY RR set. If the keyset verifies with the trust anchor | DNSKEY RR set. If the keyset verifies with the trust anchor | |||
| currently held, the trust-anchor is not out of sync. Otherwise, | currently held, the trust-anchor is not out of sync. Otherwise, | |||
| store the DNSKEY RR set as result. The algorithm will | store the DNSKEY RR set as result. The algorithm will | |||
| successfully build a linked list to this DNSKEY RR, or delete the | successfully build a linked list to this DNSKEY RR, or delete the | |||
| trust point, or fail. | trust point, or fail. | |||
| All nameservers (the ones authoritative for the zone or the | All nameservers (the ones authoritative for the zone or the | |||
| upstream resolver caches when the validator is not full resolver) | upstream resolver caches when the validator is not full resolver) | |||
| SHOULD be checked to make sure the DNSKEY RR sets are the same. | SHOULD be checked to make sure the DNSKEY RR sets are the same. | |||
| The results can differ if a key-rollover is in progress and not | The results can differ if a key-rollover is in progress and not | |||
| all nameservers are in sync yet. This case can be detected by | all nameservers are in sync yet. This case can be detected by | |||
| checking that the older keyset signs the newer and take the newer | checking that the older keyset signs the newer and take the newer | |||
| as result keyset. The keysets are distinguished by the average | as result keyset. If both of the keysets sign each other, the | |||
| over the middle of the inception and expiration dates of the | result keyset has the newest rrsig that validates it using the | |||
| signatures that are validated by the keyset itself. Otherwise, | other keyset. Use the the average over the middle of the | |||
| the history lookup fails. If the check fails then the | inception and expiration dates of the signatures that are | |||
| inconsistency may be the result of spoofing, or compromise of | validated (and for serial arithmetic assume all dates on these | |||
| (DNS) infrastructure elements. | signatures lie within 2^(SERIAL_BITS-1) distance). If the keysets | |||
| do not sign each other then this is not a secure change in the | ||||
| keyset and the history lookup fails. | ||||
| Step 2: Fetch the trust history list end points. Perform a query of | Step 2: Fetch the trust history list end points. Perform a query of | |||
| QTYPE TALINK and QNAME the domain name that is configured to be | QTYPE TALINK and QNAME the domain name that is configured to be | |||
| the History Provider for the particular domain you are trying to | the History Provider for the particular domain you are trying to | |||
| update the trust-anchor for. | update the trust-anchor for. | |||
| Step 3: Go backwards through the trust history list as provided by | Step 3: Go backwards through the trust history list as provided by | |||
| the TALINK linked list. Verify that the keyset validly signs the | the TALINK linked list. Verify that the keyset validly signs the | |||
| next keyset. This is [RFC4034] validation, but the RRSIG | next keyset. This is [RFC4034] validation, but the RRSIG | |||
| expiration date is ignored. [Editor note: Are we shure that there | expiration date is ignored. Replace the owner domain name with | |||
| are no server implementations that will not serve expired RRSIG, | the target zone name for verification. One of the keys that signs | |||
| are such 'smart' servers allowed by the specs? In other words do | the next keyset MUST have the SEP bit set. The middle of | |||
| we need clarification in the DNSSEC-updates document?] Replace | inception and expiration date from the valid signature MUST be | |||
| the owner domain name with the target zone name for verification. | older than that of the signature that validates the next keys in | |||
| One of the keys that signs the next keyset MUST have the SEP bit | the list. Take the average if multiple signatures validate (and | |||
| set. The middle of inception and expiration date from the valid | for serial arithmetic assume all dates on these signatures lie | |||
| signature MUST be older than that of the signature that validates | within 2^(SERIAL_BITS-1) distance). Query type TALINK to get | |||
| the next keys in the list. Query type TALINK to get previous and | previous and next locations. | |||
| next locations. | ||||
| If all SEP keys have the REVOKE flag set at this step, and the | If all SEP keys have the REVOKE flag set at this step, and the | |||
| keyset is signed by all SEP keys, then continue but store that the | keyset is signed by all SEP keys, then continue but store that the | |||
| end result is that the trust point is deleted, see Section 5 | end result is that the trust point is deleted, see Section 5 | |||
| [RFC5011]. | [RFC5011]. | |||
| If all SEP keys are of an unknown algorithm at this step, continue | If all SEP keys are of an unknown algorithm at this step, continue | |||
| and at the next step, when you verify if the keyset signs validly: | and at the next step, when you verify if the keyset signs validly: | |||
| if false, continue with result a failure, if true, continue with | if false, continue with result a failure, if true, continue with | |||
| the end result that the trust point is deleted. Thus, the keysets | the end result that the trust point is deleted. Thus, the keysets | |||
| skipping to change at page 4, line 33 ¶ | skipping to change at page 6, line 32 ¶ | |||
| failure because the validator cannot determine if unknown | failure because the validator cannot determine if unknown | |||
| algorithm signatures are valid, until the oldest keyset with | algorithm signatures are valid, until the oldest keyset with | |||
| unknown algorithms is signed by a known algorithm and the result | unknown algorithms is signed by a known algorithm and the result | |||
| is set to deletion and step 3 continues to a known key. | is set to deletion and step 3 continues to a known key. | |||
| Step 4: When the trust anchor currently held by the validator | Step 4: When the trust anchor currently held by the validator | |||
| verifies the keyset, the algorithm is done. The validator SHOULD | verifies the keyset, the algorithm is done. The validator SHOULD | |||
| store the result on stable storage. Use the new trust anchor for | store the result on stable storage. Use the new trust anchor for | |||
| validation (if using [RFC5011], put it in state VALID). | validation (if using [RFC5011], put it in state VALID). | |||
| 4. Trust History Tracker | 5. Trust History Tracker | |||
| External trackers can poll the target zone DNSKEY RRset regularly. | External trackers can poll the target zone DNSKEY RRset regularly. | |||
| Ignore date changes in the RRSIG. Ignore changes to keys with no SEP | Ignore date changes in the RRSIG. Ignore changes to keys with no SEP | |||
| flag. Copy the newly polled DNSKEY RRset and RRSIGs, change the | flag. Copy the newly polled DNSKEY RRset and RRSIGs, change the | |||
| owner name to a new name at the history location. Publish the new | owner name to a new name at the history location. Publish the new | |||
| RRset and TALINK records to make it the last element in the list. | RRset and TALINK records to make it the last element in the list. | |||
| Update the TALINK that advertises the first and last name. | Update the TALINK that advertises the first and last name. | |||
| Integrated into the rollover, the keys are stored in the history and | Integrated into the rollover, the keys are stored in the history and | |||
| the TALINK is updated when a new key is used in the rollover process. | the TALINK is updated when a new key is used in the rollover process. | |||
| This gives the TALINK and new historical key time to propagate. | This gives the TALINK and new historical key time to propagate. | |||
| The signer can support trust history. Trust history key sets need | The signer can support trust history. Trust history key sets need | |||
| only contain SEP keys. To use older signers, move historical RRSIGs | only contain SEP keys. To use older signers, move historical RRSIGs | |||
| to another file. Sign the zone, including the TALINK and DNSKEY | to another file. Sign the zone, including the TALINK and DNSKEY | |||
| records. Append the historical RRSIGs to the result. Signing the | records. Append the historical RRSIGs to the result. Signing the | |||
| zone like this obviates the need for changes to signer and server | zone like this obviates the need for changes to signer and server | |||
| software. | software. | |||
| 5. Example | 6. Example | |||
| In this example example.com is the History Provider for example.net. | In this example the trust history for the 'example.net' zone is | |||
| The DNSKEY rdata and RRSIG rdata is omitted for brevity, it is a copy | published in the 'example.com' namespace. The DNSKEY rdata and RRSIG | |||
| and paste of the data from example.net. | rdata is omitted for brevity, it is a copy and paste of the data from | |||
| example.net. | ||||
| $ORIGIN example.com. | $ORIGIN example.com. | |||
| example.com. TALINK h0.example.com. h2.example.com. | example.com. TALINK h0.example.com. h2.example.com. | |||
| h0 TALINK . h1.example.com. | h0 TALINK . h1.example.com. | |||
| h0 DNSKEY ... | h0 DNSKEY ... | |||
| h0 RRSIG ... | h0 RRSIG ... | |||
| h1 TALINK h0.example.com. h2.example.com. | h1 TALINK h0.example.com. h2.example.com. | |||
| h1 DNSKEY ... | h1 DNSKEY ... | |||
| h1 RRSIG ... | h1 RRSIG ... | |||
| h2 TALINK h1.example.com. . | h2 TALINK h1.example.com. . | |||
| h2 DNSKEY ... | h2 DNSKEY ... | |||
| h2 RRSIG ... | h2 RRSIG ... | |||
| The example.net zone can advertise the example.com History Provider | The example.net zone can advertise the example.com History Provider | |||
| by providing the TALINK shown here at example.com at the apex of the | by providing the TALINK shown here at example.com at the apex of the | |||
| example.net zone. The TALINK at example.com is then not needed. | example.net zone. The TALINK at example.com is then not needed. | |||
| 6. Deployment | 7. Deployment | |||
| The trust history is advertised with TALINK RRs at the zone apex. | The trust history is advertised with TALINK RRs at the zone apex. | |||
| These represent alternative history sources, that can be searched in | These represent alternative history sources, that can be searched in | |||
| turn. The TALINK at the zone apex contains the first and last name | turn. The TALINK at the zone apex contains the first and last name | |||
| of the list of historical keys. | of the list of historical keys. | |||
| The historical list of keys grows perpetually. Since most validators | The historical list of keys grows perpetually. Since most validators | |||
| have recent keys, their processing time remains similar as the list | have recent keys, their processing time remains similar as the list | |||
| grows. If validators no longer have trust in the keys then they need | grows. If validators no longer have trust in the keys then they need | |||
| no longer be published. The oldest key entries can be omitted from | no longer be published. The oldest key entries can be omitted from | |||
| skipping to change at page 6, line 20 ¶ | skipping to change at page 8, line 20 ¶ | |||
| facilitate clients performing the unsecured update. If a key can not | facilitate clients performing the unsecured update. If a key can not | |||
| be trivially broken then it provides a non-trivial amount of security | be trivially broken then it provides a non-trivial amount of security | |||
| that the history lookup algorithm uses to get the current keys. | that the history lookup algorithm uses to get the current keys. | |||
| Conceivably after the update the result is stored on stable storage | Conceivably after the update the result is stored on stable storage | |||
| and the client is thereafter safe - it performs a leap of faith. The | and the client is thereafter safe - it performs a leap of faith. The | |||
| validator operator can opt for this set up after considering the | validator operator can opt for this set up after considering the | |||
| trade-off between loss of DNSSEC, loss of connectivity, and the | trade-off between loss of DNSSEC, loss of connectivity, and the | |||
| argument that perceived security is worse than no security. | argument that perceived security is worse than no security. | |||
| The history lookup can be used on its own. Then, the trust history | The history lookup can be used on its own. Then, the trust history | |||
| is used whenever the key rolls over and no polling is performed. | is used whenever the key rolls over and no polling is performed. The | |||
| This has associated risks, in that the immediate rollover without | results of trust history lookup SHOULD be stored on stable storage, | |||
| timeout that it provides could be abused, and certainly when taken | so that the trust history lookup does not need to be performed if the | |||
| together with leap-of-faith such systems SHOULD inform their user | last results are okay and for use as trusted anchor in the next | |||
| that the key has changed and urge them to do immediate checks. | history lookup. | |||
| Initially we put a hold down timer on such rollovers to mitigate the | ||||
| abuse risks but these make following normal rollovers impossible. | ||||
| If a validator is also using [RFC5011] for the target zone, then the | If a validator is also using [RFC5011] for the target zone, then the | |||
| trust history algorithm SHOULD only be invoked if the [RFC5011] | trust history algorithm SHOULD only be invoked if the [RFC5011] | |||
| algorithm failed due to the inability to perform probes. This is the | algorithm failed due to the inability to perform probes. This is the | |||
| case when the last [RFC5011] successful probe was more than 30 days | case when the last [RFC5011] successful probe was more than 30 days | |||
| ago. If a new key has been announced, invoke the history if no 2 | ago. If a new key has been announced, invoke the history if no 2 | |||
| probes succeeded during the add hold-down time and there was no | probes succeeded during the add hold-down time and there was no | |||
| successful probe after the add hold-down time passed. Therefore the | successful probe after the add hold-down time passed. Therefore the | |||
| time of the last successful probe MUST be stored on stable storage. | time of the last successful probe MUST be stored on stable storage. | |||
| For testing the potentially very infrequently used lookup, the | For testing the potentially very infrequently used lookup, the | |||
| following SHOULD be implemented. For the test the lookup is | following SHOULD be implemented. For the test the lookup is | |||
| triggered manually by allowing the system to be given a particular | triggered manually by allowing the system to be given a particular | |||
| keyset with a last successful lookup date in the past and a test | keyset with a last successful lookup date in the past and a test | |||
| History Provider. The test History Provider provides access to a | History Provider. The test History Provider provides access to a | |||
| generated back-dated test history. | generated back-dated test history. | |||
| 7. Security Considerations | 8. Security Considerations | |||
| The History Provider only provides copies of old data. If that | The History Provider only provides copies of old data. If that | |||
| historic data is altered or withheld the lookup algorithm fails | historic data is altered or withheld the lookup algorithm fails | |||
| because of validation errors in Step 3 of the algorithm. If the | because of validation errors in Step 3 of the algorithm. If the | |||
| History provider or a Man in the Middle Adversary (MIMA) has access | History provider or a Man in the Middle Adversary (MIMA) has access | |||
| to the original private keys (through theft, cryptanalisis, or | to the original private keys (through theft, cryptanalisis, or | |||
| otherwise), history can be altered without failure of the algorithm. | otherwise), history can be altered without failure of the algorithm. | |||
| Below we only consider MIMAs and assume the History Provider is a | Below we only consider MIMAs and assume the History Provider is a | |||
| trusted party. | trusted party. | |||
| skipping to change at page 7, line 43 ¶ | skipping to change at page 9, line 42 ¶ | |||
| step 1 of the lookup algorithm and presenting some fake history to a | step 1 of the lookup algorithm and presenting some fake history to a | |||
| compromised key, of course does not include key revocations and does | compromised key, of course does not include key revocations and does | |||
| extend the history to contain the compromised key, it therefore is | extend the history to contain the compromised key, it therefore is | |||
| not really useful for a History Provider to remove the key from the | not really useful for a History Provider to remove the key from the | |||
| published history. That only makes lookups fail for those validators | published history. That only makes lookups fail for those validators | |||
| who are not under attack. Useful action could be to update | who are not under attack. Useful action could be to update | |||
| validators using some other means. | validators using some other means. | |||
| Rollover with [RFC5011] revokes keys after use. If a History | Rollover with [RFC5011] revokes keys after use. If a History | |||
| Provider is used, then such revoked keys SHOULD be used to perform | Provider is used, then such revoked keys SHOULD be used to perform | |||
| history tracking and history lookup. The old keys that the validator | history tracking and history lookup. The trust anchor keys that the | |||
| starts with and final current keys MUST NOT be trusted if they are | validator has in its own storage and final current keys that it | |||
| revoked. | stores MUST NOT be trusted if they are revoked. | |||
| Depending on choices by the validator operator, it may accept a leap- | If the validator operator chooses to operate trust history without | |||
| of-faith, and possibly allow non-hold-down rollovers. Although this | also using [RFC5011] the trust anchor does not get hold-down timer | |||
| allows very fast emergency rollover if all clients are known to do | protection. This has associated risks, in that the immediate | |||
| trust-history lookups without the RFC5011-algorithm, it also allows | rollover without timeout that it provides could be abused (if private | |||
| an attacker with the private key to attempt to take over a zone | keys are compromised). Such abuse could result in the stored lookup | |||
| quickly and get validators to roll to a trust anchor of the | results to become compromised. The key changes can be logged, to | |||
| attacker's choosing. | inform operators and keep an audit trail. | |||
| The SEP bit is checked to make sure that control over the KSK is | The SEP bit is checked to make sure that control over the KSK is | |||
| necessary to change the keyset for the target zone. | necessary to change the keyset for the target zone. | |||
| The algorithm can be used to get the inception and expiration times | The algorithm can be used to get the inception and expiration times | |||
| of signatures on the current keyset, a clock. A MIMA can attempt to | of signatures on the current keyset, a clock. A MIMA can attempt to | |||
| shorten history and put back that clock, but the algorithm attempts | shorten history and put back that clock, but the algorithm attempts | |||
| to make this difficult to target and highly visible to others. | to make this difficult to target and highly visible to others. | |||
| If the clock of the validator can be influenced, then setting it | If the clock of the validator can be influenced, then setting it | |||
| forward is unlikely to give advantage, but setting it backward | forward is unlikely to give advantage, but setting it backward | |||
| enables a replay attack of old DNSSEC data and signatures. This | enables a replay attack of old DNSSEC data and signatures. This | |||
| vulnerability exists also in plain DNSSEC. | vulnerability exists also in plain DNSSEC. | |||
| 8. IANA Considerations | 9. IANA Considerations | |||
| Resource record type TALINK has been defined using RFC5395 expert | Resource record type TALINK has been defined using RFC5395 expert | |||
| review, it has RR type number 58 (decimal). | review, it has RR type number 58 (decimal). | |||
| 9. Acknowledgments | 10. Acknowledgments | |||
| Thanks to the people who provided review and suggestions, Joe Abley, | Thanks to the people who provided review and suggestions, Peter Koch, | |||
| George Barwood, Edward Lewis, Michael StJohns, Bert Hubert, Mark | Andrew Sullivan, Joe Abley, George Barwood, Edward Lewis, Michael | |||
| Andrews, Ted Lemon, Steve Crocker, Bill Manning, Eric Osterweil, | StJohns, Bert Hubert, Mark Andrews, Ted Lemon, Steve Crocker, Bill | |||
| Wolfgang Nagele, Alfred Hoenes, Olafur Gudmundsson, Roy Arends and | Manning, Eric Osterweil, Wolfgang Nagele, Alfred Hoenes, Olafur | |||
| Matthijs Mekking. | Gudmundsson, Roy Arends and Matthijs Mekking. | |||
| 10. References | 11. References | |||
| 10.1. Informative References | 11.1. Informative References | |||
| [NIST800-57] Barker, E., Barker, W., Burr, W., Polk, W., and M. | [NIST800-57] Barker, E., Barker, W., Burr, W., Polk, W., and M. | |||
| Smid, "Recommendations for Key Management", NIST | Smid, "Recommendations for Key Management", NIST | |||
| SP 800-57, March 2007. | SP 800-57, March 2007. | |||
| [RFC3757] Kolkman, O., Schlyter, J., and E. Lewis, "Domain Name | ||||
| System KEY (DNSKEY) Resource Record (RR) Secure Entry | ||||
| Point (SEP) Flag", RFC 3757, April 2004. | ||||
| [RFC5011] StJohns, M., "Automated Updates of DNS Security | [RFC5011] StJohns, M., "Automated Updates of DNS Security | |||
| (DNSSEC) Trust Anchors", RFC 5011, September 2007. | (DNSSEC) Trust Anchors", RFC 5011, September 2007. | |||
| 10.2. Normative References | 11.2. Normative References | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, March 1997. | |||
| [RFC3597] Gustafsson, A., "Handling of Unknown DNS Resource | [RFC3597] Gustafsson, A., "Handling of Unknown DNS Resource | |||
| Record (RR) Types", RFC 3597, September 2003. | Record (RR) Types", RFC 3597, September 2003. | |||
| [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. | [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. | |||
| Rose, "Resource Records for the DNS Security | Rose, "Resource Records for the DNS Security | |||
| Extensions", RFC 4034, March 2005. | Extensions", RFC 4034, March 2005. | |||
| End of changes. 30 change blocks. | ||||
| 72 lines changed or deleted | 172 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||