| < draft-ietf-dnsop-kskroll-sentinel-13.txt | draft-ietf-dnsop-kskroll-sentinel-14.txt > | |||
|---|---|---|---|---|
| DNSOP G. Huston | DNSOP G. Huston | |||
| Internet-Draft J. Damas | Internet-Draft J. Damas | |||
| Intended status: Standards Track APNIC | Intended status: Standards Track APNIC | |||
| Expires: December 6, 2018 W. Kumari | Expires: December 13, 2018 W. Kumari | |||
| June 4, 2018 | June 11, 2018 | |||
| A Root Key Trust Anchor Sentinel for DNSSEC | A Root Key Trust Anchor Sentinel for DNSSEC | |||
| draft-ietf-dnsop-kskroll-sentinel-13 | draft-ietf-dnsop-kskroll-sentinel-14 | |||
| Abstract | Abstract | |||
| The DNS Security Extensions (DNSSEC) were developed to provide origin | The DNS Security Extensions (DNSSEC) were developed to provide origin | |||
| authentication and integrity protection for DNS data by using digital | authentication and integrity protection for DNS data by using digital | |||
| signatures. These digital signatures can be verified by building a | signatures. These digital signatures can be verified by building a | |||
| chain of trust starting from a trust anchor and proceeding down to a | chain of trust starting from a trust anchor and proceeding down to a | |||
| particular node in the DNS. This document specifies a mechanism that | particular node in the DNS. This document specifies a mechanism that | |||
| will allow an end user and third parties to determine the trusted key | will allow an end user and third parties to determine the trusted key | |||
| state for the root key of the resolvers that handle that user's DNS | state for the root key of the resolvers that handle that user's DNS | |||
| skipping to change at page 1, line 46 ¶ | skipping to change at page 1, line 46 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on December 6, 2018. | This Internet-Draft will expire on December 13, 2018. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2018 IETF Trust and the persons identified as the | Copyright (c) 2018 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 38 ¶ | skipping to change at page 2, line 38 ¶ | |||
| 3.1. Forwarders . . . . . . . . . . . . . . . . . . . . . . . 8 | 3.1. Forwarders . . . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 4. Sentinel Tests for a Set of Resolvers . . . . . . . . . . . . 9 | 4. Sentinel Tests for a Set of Resolvers . . . . . . . . . . . . 9 | |||
| 4.1. Test Scenario and Objective . . . . . . . . . . . . . . . 9 | 4.1. Test Scenario and Objective . . . . . . . . . . . . . . . 9 | |||
| 4.2. Test Assumptions . . . . . . . . . . . . . . . . . . . . 10 | 4.2. Test Assumptions . . . . . . . . . . . . . . . . . . . . 10 | |||
| 4.3. Test Procedure . . . . . . . . . . . . . . . . . . . . . 10 | 4.3. Test Procedure . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 5. Security Considerations . . . . . . . . . . . . . . . . . . . 12 | 5. Security Considerations . . . . . . . . . . . . . . . . . . . 12 | |||
| 6. Privacy Considerations . . . . . . . . . . . . . . . . . . . 12 | 6. Privacy Considerations . . . . . . . . . . . . . . . . . . . 12 | |||
| 7. Implementation Experience . . . . . . . . . . . . . . . . . . 12 | 7. Implementation Experience . . . . . . . . . . . . . . . . . . 12 | |||
| 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13 | 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13 | |||
| 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 13 | 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 13 | |||
| 10. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . 13 | 10. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . 14 | |||
| 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 16 | 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 17 | |||
| 11.1. Normative References . . . . . . . . . . . . . . . . . . 16 | 11.1. Normative References . . . . . . . . . . . . . . . . . . 17 | |||
| 11.2. Informative References . . . . . . . . . . . . . . . . . 17 | 11.2. Informative References . . . . . . . . . . . . . . . . . 18 | |||
| Appendix A. Protocol Walkthrough Example . . . . . . . . . . . . 17 | Appendix A. Protocol Walkthrough Example . . . . . . . . . . . . 18 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 20 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 21 | |||
| 1. Introduction | 1. Introduction | |||
| The DNS Security Extensions (DNSSEC) [RFC4033], [RFC4034] and | The DNS Security Extensions (DNSSEC) [RFC4033], [RFC4034] and | |||
| [RFC4035] were developed to provide origin authentication and | [RFC4035] were developed to provide origin authentication and | |||
| integrity protection for DNS data by using digital signatures. | integrity protection for DNS data by using digital signatures. | |||
| DNSSEC uses Key Tags to efficiently match signatures to the keys from | DNSSEC uses Key Tags to efficiently match signatures to the keys from | |||
| which they are generated. The Key Tag is a 16-bit value computed | which they are generated. The Key Tag is a 16-bit value computed | |||
| from the RDATA portion of a DNSKEY RR using a formula found in "Key | from the RDATA portion of a DNSKEY RR using a formula found in "Key | |||
| Tag Calculation" (Appendix B of "Resource Records for the DNS | Tag Calculation" (Appendix B of "Resource Records for the DNS | |||
| skipping to change at page 10, line 4 ¶ | skipping to change at page 10, line 4 ¶ | |||
| when the root zone is signed with KSK-new. | when the root zone is signed with KSK-new. | |||
| The objective of the test is to determine if the user will be | The objective of the test is to determine if the user will be | |||
| negatively impacted by the KSK roll. A "negative impact" for the | negatively impacted by the KSK roll. A "negative impact" for the | |||
| user is defined such that all the configured resolvers are security- | user is defined such that all the configured resolvers are security- | |||
| aware resolvers that perform validation of DNSSEC-signed responses, | aware resolvers that perform validation of DNSSEC-signed responses, | |||
| and none of these resolvers have loaded KSK-new into their local | and none of these resolvers have loaded KSK-new into their local | |||
| trust anchor set. In this situation, it is anticipated that once the | trust anchor set. In this situation, it is anticipated that once the | |||
| KSK is rolled the entire set of the user's resolvers will not be able | KSK is rolled the entire set of the user's resolvers will not be able | |||
| to validate the contents of the root zone and the user is likely to | to validate the contents of the root zone and the user is likely to | |||
| loose DNS service as a result of this inability to perform successful | lose DNS service as a result of this inability to perform successful | |||
| DNSSEC validation. | DNSSEC validation. | |||
| 4.2. Test Assumptions | 4.2. Test Assumptions | |||
| There are a number of assumptions about the DNS environment used in | There are a number of assumptions about the DNS environment used in | |||
| this test. Where these assumptions do not hold, the results of the | this test. Where these assumptions do not hold, the results of the | |||
| test will be indeterminate. | test will be indeterminate. | |||
| o When a recursive resolver returns SERVFAIL to the user's stub | o When a recursive resolver returns SERVFAIL to the user's stub | |||
| resolver, the stub resolver will send the same query to the next | resolver, the stub resolver will send the same query to the next | |||
| skipping to change at page 10, line 39 ¶ | skipping to change at page 10, line 39 ¶ | |||
| There is no current published measurement data that indicates to what | There is no current published measurement data that indicates to what | |||
| extent the first two assumptions listed here are valid, and how many | extent the first two assumptions listed here are valid, and how many | |||
| end users may be impacted by these assumptions. In particular, the | end users may be impacted by these assumptions. In particular, the | |||
| first assumption, that a consistent SERFAIL response will cause the | first assumption, that a consistent SERFAIL response will cause the | |||
| local stub DNS resolution environment to query all of its configured | local stub DNS resolution environment to query all of its configured | |||
| recursive resolvers before concluding that the name cannot be | recursive resolvers before concluding that the name cannot be | |||
| resolved, is a very critical assumption for this test. | resolved, is a very critical assumption for this test. | |||
| 4.3. Test Procedure | 4.3. Test Procedure | |||
| The sentinel detection process test a DNS resolution environment with | The sentinel detection process tests a DNS resolution environment | |||
| three query names: | with three query names: | |||
| o A query name that is signed with a DNSSEC signature that cannot be | o A query name that is signed with a DNSSEC signature that cannot be | |||
| validated (described as a "bogus" RRset in Section 5 of [RFC4033], | validated (described as a "bogus" RRset in Section 5 of [RFC4033], | |||
| when, for example, an RRset is not signed with a valid RRSIG | when, for example, an RRset is not signed with a valid RRSIG | |||
| record). | record). | |||
| o A query name containing the left-most label "root-key-sentinel- | o A query name containing the left-most label "root-key-sentinel- | |||
| not-ta-<key-tag-of-KSK-current>". This name MUST be a validly- | not-ta-<key-tag-of-KSK-current>". This name MUST be a validly- | |||
| signed. Any validly-signed DNS zone can be used for this test. | signed. Any validly-signed DNS zone can be used for this test. | |||
| skipping to change at page 12, line 38 ¶ | skipping to change at page 12, line 38 ¶ | |||
| based advertisements or javascript in web pages), can, under certain | based advertisements or javascript in web pages), can, under certain | |||
| specific circumstances that includes additional knowledge of the | specific circumstances that includes additional knowledge of the | |||
| resolvers that are invoked by the user, determine which trust anchors | resolvers that are invoked by the user, determine which trust anchors | |||
| are configured in these resolvers. Without this additional | are configured in these resolvers. Without this additional | |||
| knowledge, the third party can infer the aggregate capabilities of | knowledge, the third party can infer the aggregate capabilities of | |||
| the user's DNS resolution environment, but cannot necessarily infer | the user's DNS resolution environment, but cannot necessarily infer | |||
| the trust configuration of any recursive name server. | the trust configuration of any recursive name server. | |||
| 7. Implementation Experience | 7. Implementation Experience | |||
| Petr Spacek implemented early versions of this technique into the | [ RFC Editor: Please remove before publication. As this section will | |||
| Knot resolver, and identified a number of places where it wasn't | be removed, it is more conversational than would appear in a | |||
| clear, and provided very helpful text to address this. | published doc. ] | |||
| Ondrej Sury of ISC has reported to the DNSOP Working Group in April | List of known resolver implementations (alphabetical): | |||
| 2018 that this technique was peer-reviewed and merged into BIND | ||||
| master branch with the intent to backport the feature into older | ||||
| release branches. | ||||
| Benno Overeinder of NLnet Labs reported to the DNSOP Working Group in | BIND Ondrej Sury of ISC reported to the DNSOP Working Group in | |||
| April 2018 an intention to support this technique in Unbound in the | April 2018 that this technique was peer-reviewed and merged into | |||
| near future. | BIND master branch with the intent to backport the feature into | |||
| older release branches. The merge request: | ||||
| https://gitlab.isc.org/isc-projects/bind9/merge_requests/123 | ||||
| Information on configuring this can be found in the BIND 9.13.0 | ||||
| Administrator Reference Manual (ARM), available at | ||||
| https://ftp.isc.org/isc/bind9/9.13.0/doc/arm/Bv9ARM.pdf | ||||
| An implementation of the client side of this protocol is available | Knot resolver Petr Spacek implemented early versions of this | |||
| at: http://www.ksk-test.net | technique into the Knot resolver, identified a number of places | |||
| where it wasn't clear, and provided very helpful text to address | ||||
| these issues and make the document mode clear. Petr also | ||||
| identified an embarrassingly large number of typos (and similar) | ||||
| in the ksk-test setup. More information is at http://knot- | ||||
| resolver.readthedocs.io/en/stable/modules.html#sentinel-for- | ||||
| detecting-trusted-keys | ||||
| Unbound Benno Overeinder of NLnet Labs reported to the DNSOP Working | ||||
| Group in April 2018 an intention to support this technique in | ||||
| Unbound in the near future. This is now implemented in Unbound | ||||
| version 1.7.1, available from http://unbound.nlnetlabs.nl/ | ||||
| download.html . Configuration information is at | ||||
| http://unbound.nlnetlabs.nl/documentation/unbound.conf.html | ||||
| A (partial) list of "client" / user side implementations (the author | ||||
| was keeping a more complete list of implementations, but has | ||||
| misplaced it - apologies, I'm happy to re-add them if you send me a | ||||
| note.): | ||||
| http://www.ksk-test.net An Javascript implementation of the client | ||||
| side of this protocol is available at: http://www.ksk-test.net | ||||
| http://test.kskroll.dnssec.lab.nic.cl/ Hugo Salgado-Hernandez has | ||||
| created an implementation at | ||||
| http://test.kskroll.dnssec.lab.nic.cl/ | ||||
| http://sentinel.research.icann.org/ The code for this implementation | ||||
| is published at https://github.com/paulehoffman/sentinel-testbed | ||||
| 8. IANA Considerations | 8. IANA Considerations | |||
| [Note to IANA, to be removed prior to publication: there are no IANA | [Note to IANA, to be removed prior to publication: there are no IANA | |||
| considerations stated in this version of the document.] | considerations stated in this version of the document.] | |||
| 9. Acknowledgements | 9. Acknowledgements | |||
| This document has borrowed extensively from [RFC8145] for the | This document has borrowed extensively from [RFC8145] for the | |||
| introductory text, and the authors would like to acknowledge and | introductory text, and the authors would like to acknowledge and | |||
| thank the authors of that document both for some text excerpts and | thank the authors of that document both for some text excerpts and | |||
| for the more general stimulation of thoughts about monitoring the | for the more general stimulation of thoughts about monitoring the | |||
| progress of a roll of the KSK of the root zone of the DNS. | progress of a roll of the KSK of the root zone of the DNS. | |||
| The authors would like to thank Joe Abley, Mehmet Akcin, Mark | The authors would like to thank Joe Abley, Mehmet Akcin, Mark | |||
| Andrews, Richard Barnes, Ray Bellis, Stephane Bortzmeyer, David | Andrews, Richard Barnes, Ray Bellis, Stephane Bortzmeyer, David | |||
| Conrad, Ralph Dolmans, John Dickinson, Steinar Haug, Bob Harold, Wes | Conrad, Ralph Dolmans, John Dickinson, Steinar Haug, Bob Harold, Wes | |||
| Hardaker, Paul Hoffman, Matt Larson, Jinmei Tatuya, Edward Lewis, | Hardaker, Paul Hoffman, Matt Larson, Jinmei Tatuya, Edward Lewis, | |||
| George Michaelson, Benno Overeinder, Matthew Pounsett, Andreas | George Michaelson, Benno Overeinder, Matthew Pounsett, Hugo Salgado- | |||
| Schulze, Mukund Sivaraman, Petr Spacek, Job Snijders, Andrew | Hernandez, Andreas Schulze, Mukund Sivaraman, Petr Spacek, Job | |||
| Sullivan, Ondrej Sury, Paul Vixie, Duane Wessels and Paul Wouters for | Snijders, Andrew Sullivan, Ondrej Sury, Paul Vixie, Duane Wessels and | |||
| their helpful feedback. | Paul Wouters for their helpful feedback. | |||
| The authors would like to especially call out Paul Hoffman and Duane | The authors would like to especially call out Paul Hoffman and Duane | |||
| Wessels for providing comments in the form of a pull request. | Wessels for providing comments in the form of a pull request. | |||
| 10. Change Log | 10. Change Log | |||
| RFC Editor: Please remove this section! | RFC Editor: Please remove this section! | |||
| Note that this document is being worked on in GitHub - see Abstract. | Note that this document is being worked on in GitHub - see Abstract. | |||
| The below is mainly large changes, and is not authoritative. | The below is mainly large changes, and is not authoritative. | |||
| From -13 to -14: | ||||
| o Addressed nits from Bob Harold - | ||||
| https://mailarchive.ietf.org/arch/msg/dnsop/ | ||||
| j4Serw0z24o470AnlD8ISo8o9k4 | ||||
| o Formatting changes (and a bit more text) in the implementation | ||||
| section. | ||||
| o Closes PR #21: Clarify indeterminate and resolution systems, | ||||
| o Closes PR #22: Updates to -13 describing the test procedure for a | ||||
| set of resolvers | ||||
| o Closes PR #23: Fix sundry typos, | ||||
| o Closes PR #24: Editorial and clarifications to the new text | ||||
| o Closes PR #25: Clarified when the test can be run | ||||
| From -12 to -13: | From -12 to -13: | |||
| o Merged Paul Hoffmans PR#19, PR#20. | o Merged Paul Hoffmans PR#19, PR#20. | |||
| o Moved toy ksk-test.net to implmentation section. | o Moved toy ksk-test.net to implementation section. | |||
| o Split the test procedures between the test of a single DNS | o Split the test procedures between the test of a single DNS | |||
| resolvers and the test of a collection of DNS resolvers as would | resolvers and the test of a collection of DNS resolvers as would | |||
| be found in an end user environment. | be found in an end user environment. | |||
| From -11 to -12: | From -11 to -12: | |||
| o Moved the Walkthrough Example to the end of the document as an | o Moved the Walkthrough Example to the end of the document as an | |||
| appendix. | appendix. | |||
| End of changes. 14 change blocks. | ||||
| 30 lines changed or deleted | 80 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||