| < draft-ietf-dnsop-kskroll-sentinel-08.txt | draft-ietf-dnsop-kskroll-sentinel-09.txt > | |||
|---|---|---|---|---|
| DNSOP G. Huston | DNSOP G. Huston | |||
| Internet-Draft J. Damas | Internet-Draft J. Damas | |||
| Intended status: Standards Track APNIC | Intended status: Standards Track APNIC | |||
| Expires: September 25, 2018 W. Kumari | Expires: September 27, 2018 W. Kumari | |||
| March 24, 2018 | March 26, 2018 | |||
| A Root Key Trust Anchor Sentinel for DNSSEC | A Root Key Trust Anchor Sentinel for DNSSEC | |||
| draft-ietf-dnsop-kskroll-sentinel-08 | draft-ietf-dnsop-kskroll-sentinel-09 | |||
| Abstract | Abstract | |||
| The DNS Security Extensions (DNSSEC) were developed to provide origin | The DNS Security Extensions (DNSSEC) were developed to provide origin | |||
| authentication and integrity protection for DNS data by using digital | authentication and integrity protection for DNS data by using digital | |||
| signatures. These digital signatures can be verified by building a | signatures. These digital signatures can be verified by building a | |||
| chain of trust starting from a trust anchor and proceeding down to a | chain of trust starting from a trust anchor and proceeding down to a | |||
| particular node in the DNS. This document specifies a mechanism that | particular node in the DNS. This document specifies a mechanism that | |||
| will allow an end user and third parties to determine the trusted key | will allow an end user and third parties to determine the trusted key | |||
| state for the root key of the resolvers that handle that user's DNS | state for the root key of the resolvers that handle that user's DNS | |||
| skipping to change at page 1, line 34 ¶ | skipping to change at page 1, line 34 ¶ | |||
| There is an example / toy implementation of this at http://www.ksk- | There is an example / toy implementation of this at http://www.ksk- | |||
| test.net . | test.net . | |||
| [ This document is being collaborated on in Github at: | [ This document is being collaborated on in Github at: | |||
| https://github.com/APNIC-Labs/draft-kskroll-sentinel. The most | https://github.com/APNIC-Labs/draft-kskroll-sentinel. The most | |||
| recent version of the document, open issues, etc should all be | recent version of the document, open issues, etc should all be | |||
| available here. The authors (gratefully) accept pull requests. Text | available here. The authors (gratefully) accept pull requests. Text | |||
| in square brackets will be removed before publication. ] | in square brackets will be removed before publication. ] | |||
| [ NOTE: This version uses the labels "kskroll-sentinel-is-ta-<key- | [ NOTE: This version uses the labels "root-key-sentinel-is-ta-", and | |||
| tag>", "kskroll-sentinel-not-ta-<key-tag>"; older versions of this | "root-key-sentinel-not-ta-".; older versions of this document used | |||
| document used "_is-ta-<key-tag>", "_not-ta-<key-tag>". Also note | "kskroll-sentinel-is-ta-<key-tag>", "kskroll-sentinel-not-ta-<key- | |||
| that the format of the tag-index is now zero-filled decimal. | tag>", and before that, "_is-ta-<key-tag>", "_not-ta-<key-tag>". | |||
| Apolgies to those who have began implmenting.] | Also note that the format of the tag-index is now zero-filled | |||
| decimal. Apolgies to those who have began implmenting.] | ||||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on September 25, 2018. | This Internet-Draft will expire on September 27, 2018. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2018 IETF Trust and the persons identified as the | Copyright (c) 2018 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 | 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 2. Protocol Walkthrough Example . . . . . . . . . . . . . . . . 4 | 2. Protocol Walkthrough Example . . . . . . . . . . . . . . . . 4 | |||
| 3. Sentinel Mechanism in Resolvers . . . . . . . . . . . . . . . 7 | 3. Sentinel Mechanism in Resolvers . . . . . . . . . . . . . . . 7 | |||
| 3.1. Preconditions . . . . . . . . . . . . . . . . . . . . . . 7 | 3.1. Preconditions . . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 3.2. Special processing . . . . . . . . . . . . . . . . . . . 8 | 3.2. Special processing . . . . . . . . . . . . . . . . . . . 8 | |||
| 4. Processing Sentinel Results . . . . . . . . . . . . . . . . . 8 | 4. Processing Sentinel Results . . . . . . . . . . . . . . . . . 8 | |||
| 5. Sentinel Test Result Considerations . . . . . . . . . . . . . 10 | 5. Sentinel Test Result Considerations . . . . . . . . . . . . . 10 | |||
| 6. Security Considerations . . . . . . . . . . . . . . . . . . . 11 | 6. Security Considerations . . . . . . . . . . . . . . . . . . . 11 | |||
| 7. Privacy Considerations . . . . . . . . . . . . . . . . . . . 12 | 7. Privacy Considerations . . . . . . . . . . . . . . . . . . . 12 | |||
| 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12 | 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12 | |||
| 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 12 | 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 12 | |||
| 10. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . 12 | 10. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . 12 | |||
| 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 14 | 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 14 | |||
| 11.1. Normative References . . . . . . . . . . . . . . . . . . 14 | 11.1. Normative References . . . . . . . . . . . . . . . . . . 15 | |||
| 11.2. Informative References . . . . . . . . . . . . . . . . . 15 | 11.2. Informative References . . . . . . . . . . . . . . . . . 15 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 15 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 15 | |||
| 1. Introduction | 1. Introduction | |||
| The DNS Security Extensions (DNSSEC) [RFC4033], [RFC4034] and | The DNS Security Extensions (DNSSEC) [RFC4033], [RFC4034] and | |||
| [RFC4035] were developed to provide origin authentication and | [RFC4035] were developed to provide origin authentication and | |||
| integrity protection for DNS data by using digital signatures. | integrity protection for DNS data by using digital signatures. | |||
| DNSSEC uses Key Tags to efficiently match signatures to the keys from | DNSSEC uses Key Tags to efficiently match signatures to the keys from | |||
| which they are generated. The Key Tag is a 16-bit value computed | which they are generated. The Key Tag is a 16-bit value computed | |||
| skipping to change at page 3, line 46 ¶ | skipping to change at page 3, line 46 ¶ | |||
| KSK indicated by the special names. The protocol uses the DNS | KSK indicated by the special names. The protocol uses the DNS | |||
| SERVFAIL response code (RCODE 2) for this purpose because that is the | SERVFAIL response code (RCODE 2) for this purpose because that is the | |||
| response code that is returned by resolvers when DNSSEC validation | response code that is returned by resolvers when DNSSEC validation | |||
| fails. If a browser or operating system has multiple resolvers | fails. If a browser or operating system has multiple resolvers | |||
| configured, and those resolvers have different properties (for | configured, and those resolvers have different properties (for | |||
| example, one performs DNSSEC validation and one does not), the | example, one performs DNSSEC validation and one does not), the | |||
| sentinel mechanism might search among the different resolvers, or | sentinel mechanism might search among the different resolvers, or | |||
| might not, depending on how the browser or operating system is | might not, depending on how the browser or operating system is | |||
| configured. | configured. | |||
| Note that the sentinel mechanism described here measures a very | ||||
| different (and likely more useful) metric than [RFC8145]. RFC 8145 | ||||
| relies on resolvers reporting the list of keys that they have to root | ||||
| servers. That reflects on how many resolvers will be impacted by a | ||||
| KSK roll, but not what the user impact of the KSK roll will be. | ||||
| 1.1. Terminology | 1.1. Terminology | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
| document are to be interpreted as described in RFC 2119. | document are to be interpreted as described in RFC 2119. | |||
| 2. Protocol Walkthrough Example | 2. Protocol Walkthrough Example | |||
| [Ed note: This is currently towards the front of the document; we | [Ed note: This is currently towards the front of the document; we | |||
| will make it an appendix at publication time, but until then it is | will make it an appendix at publication time, but until then it is | |||
| skipping to change at page 6, line 44 ¶ | skipping to change at page 7, line 5 ¶ | |||
| The above description is a simplified example - it is not anticipated | The above description is a simplified example - it is not anticipated | |||
| that Bob, Charlie, Dave and Ed will actually look for the absence or | that Bob, Charlie, Dave and Ed will actually look for the absence or | |||
| presence of web resources; instead, the webpage that they load would | presence of web resources; instead, the webpage that they load would | |||
| likely contain JavaScript (or similar) which displays the result of | likely contain JavaScript (or similar) which displays the result of | |||
| the tests, sends the results to Geoff, or both. This sentinel | the tests, sends the results to Geoff, or both. This sentinel | |||
| mechanism does not rely on the web: it can equally be used by trying | mechanism does not rely on the web: it can equally be used by trying | |||
| to resolve the names (for example, using the common "dig" command) | to resolve the names (for example, using the common "dig" command) | |||
| and checking which result in a SERVFAIL. | and checking which result in a SERVFAIL. | |||
| Note that the sentinel mechanism described here measures a very | ||||
| different (and likely more useful) metric than [RFC8145]. RFC 8145 | ||||
| relies on resolvers reporting the list of keys that they have to root | ||||
| servers. That reflects on how many resolvers will be impacted by a | ||||
| KSK roll, but not what the user impact of the KSK roll will be. | ||||
| 3. Sentinel Mechanism in Resolvers | 3. Sentinel Mechanism in Resolvers | |||
| DNSSEC-Validating resolvers that implement this mechanism MUST | DNSSEC-Validating resolvers that implement this mechanism MUST | |||
| perform validation of responses in accordance with the DNSSEC | perform validation of responses in accordance with the DNSSEC | |||
| response validation specification [RFC4035]. | response validation specification [RFC4035]. | |||
| This sentinel mechanism makes use of two special labels: | This sentinel mechanism makes use of two special labels: | |||
| o root-key-sentinel-is-ta-<key-tag> | o root-key-sentinel-is-ta-<key-tag> | |||
| skipping to change at page 7, line 36 ¶ | skipping to change at page 7, line 36 ¶ | |||
| is currently trusting?" Labels containing "root-key-sentinel-not-ta- | is currently trusting?" Labels containing "root-key-sentinel-not-ta- | |||
| <key-tag>" is used to answer the question "Is this the Key Tag *not* | <key-tag>" is used to answer the question "Is this the Key Tag *not* | |||
| a trust anchor which the validating DNS resolver is currently | a trust anchor which the validating DNS resolver is currently | |||
| trusting?" | trusting?" | |||
| 3.1. Preconditions | 3.1. Preconditions | |||
| All of the following conditions must be met to trigger special | All of the following conditions must be met to trigger special | |||
| processing inside resolver code: | processing inside resolver code: | |||
| o The DNS response is DNSSEC validated and result of validation is | o The DNS response is DNSSEC validated, regardless of whether | |||
| DNSSSEC validation was requested, and result of validation is | ||||
| "Secure" | "Secure" | |||
| o The QTYPE is either A or AAAA (Query Type value 1 or 28) | o The QTYPE is either A or AAAA (Query Type value 1 or 28) | |||
| o The OPCODE is QUERY | o The OPCODE is QUERY | |||
| o The leftmost label of the QNAME is either "root-key-sentinel-is- | o The leftmost label of the original QNAME (the name sent in the | |||
| ta-<key-tag>" or "root-key-sentinel-not-ta-<key-tag>" | Question Section in the orignal query) is either "root-key- | |||
| sentinel-is-ta-<key-tag>" or "root-key-sentinel-not-ta-<key-tag>" | ||||
| If any one of the preconditions is not met, the resolver MUST NOT | If any one of the preconditions is not met, the resolver MUST NOT | |||
| alter the DNS response based on the mechanism in this document. | alter the DNS response based on the mechanism in this document. | |||
| 3.2. Special processing | 3.2. Special processing | |||
| Responses which fullfill all of the preconditions in Section 3.1 | Responses which fullfill all of the preconditions in Section 3.1 | |||
| require special processing, depending on leftmost label in the QNAME. | require special processing, depending on leftmost label in the QNAME. | |||
| First, the resolver determines if the numerical value of <key-tag> is | First, the resolver determines if the numerical value of <key-tag> is | |||
| skipping to change at page 12, line 50 ¶ | skipping to change at page 12, line 50 ¶ | |||
| resolver, identified a number of places where it wasn't clear, and | resolver, identified a number of places where it wasn't clear, and | |||
| provided very helpful text to address this. | provided very helpful text to address this. | |||
| 10. Change Log | 10. Change Log | |||
| RFC Editor: Please remove this section! | RFC Editor: Please remove this section! | |||
| Note that this document is being worked on in GitHub - see Abstract. | Note that this document is being worked on in GitHub - see Abstract. | |||
| The below is mainly large changes, and is not authoritative. | The below is mainly large changes, and is not authoritative. | |||
| From -08 to -09: | ||||
| o Incorporated Paul Hoffman's PR # 15 (Two issues from the | ||||
| Hackathon) - https://github.com/APNIC-Labs/draft-kskroll-sentinel/ | ||||
| pull/15 | ||||
| o Clarifies that the match is on the *original* QNAME. | ||||
| From -08 to -07: | From -08 to -07: | |||
| o Changed title from "A Sentinel for Detecting Trusted Keys in | o Changed title from "A Sentinel for Detecting Trusted Keys in | |||
| DNSSEC" to "A Root Key Trust Anchor Sentinel for DNSSEC". | DNSSEC" to "A Root Key Trust Anchor Sentinel for DNSSEC". | |||
| o Changed magic string from "kskroll-sentinel-" to "root-key- | o Changed magic string from "kskroll-sentinel-" to "root-key- | |||
| sentinel-" -- this time for sure, Rocky! | sentinel-" -- this time for sure, Rocky! | |||
| From -07 to -06: | From -07 to -06: | |||
| End of changes. 12 change blocks. | ||||
| 20 lines changed or deleted | 31 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||