< draft-kumari-ogud-dnsop-cds-04.txt   draft-kumari-ogud-dnsop-cds-05.txt >
dnsop W. Kumari dnsop W. Kumari
Internet-Draft Google Internet-Draft Google
Intended status: Informational O. Gudmundsson Intended status: Informational O. Gudmundsson
Expires: April 05, 2014 Shinkuro Inc. Expires: April 08, 2014 Shinkuro Inc.
G. Barwood G. Barwood
October 02, 2013 October 05, 2013
Automating DNSSEC delegation trust maintenance Automating DNSSEC delegation trust maintenance
draft-kumari-ogud-dnsop-cds-04 draft-kumari-ogud-dnsop-cds-05
Abstract Abstract
This document describes a method to allow DNS operators to more This document describes a method to allow DNS operators to more
easily update DNSSEC Key Signing Keys using DNS as communication easily update DNSSEC Key Signing Keys using DNS as communication
channel. This document does not address the initial configuration of channel. This document does not address the initial configuration of
trust anchors for a domain. The technique described is aimed at trust anchors for a domain. The technique described is aimed at
delegations in which it is currently hard to move information from delegations in which it is currently hard to move information from
the child to parent. the child to parent.
skipping to change at page 1, line 38 skipping to change at page 1, line 38
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 05, 2014. This Internet-Draft will expire on April 08, 2014.
Copyright Notice Copyright Notice
Copyright (c) 2013 IETF Trust and the persons identified as the Copyright (c) 2013 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 19 skipping to change at page 2, line 19
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3
1.2. Requirements notation . . . . . . . . . . . . . . . . . . 4 1.2. Requirements notation . . . . . . . . . . . . . . . . . . 4
2. Background . . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Background . . . . . . . . . . . . . . . . . . . . . . . . . 4
2.1. DNS delegations . . . . . . . . . . . . . . . . . . . . . 4 2.1. DNS delegations . . . . . . . . . . . . . . . . . . . . . 4
2.2. Relationship between Parent and Child DNS operator . . . 5 2.2. Relationship between Parent and Child DNS operator . . . 5
2.2.1. Solution Space . . . . . . . . . . . . . . . . . . . 6 2.2.1. Solution Space . . . . . . . . . . . . . . . . . . . 6
2.2.2. DNSSEC key change process . . . . . . . . . . . . . . 6 2.2.2. DNSSEC key change process . . . . . . . . . . . . . . 6
3. CTA (Child Trust Anchor) record definition . . . . . . . . . 7 3. CDS / CDNSKEY (Child DS/ Child DNSKEY) record definitions . . 7
3.1. CTA Resource Record Format . . . . . . . . . . . . . . . 7 3.1. CDS Resource Record Format . . . . . . . . . . . . . . . 7
3.1.1. CTA Wire Format . . . . . . . . . . . . . . . . . . . 7 3.2. CDNSKEY Resource Record Format . . . . . . . . . . . . . 7
3.1.2. CTA Presentation Format . . . . . . . . . . . . . . . 8 4. Automating DS maintainance with CDS/CDNSKEY records . . . . . 7
4. Automating DS maintainance with CTA records . . . . . . . . . 9 4.1. CDS / CDNSKEY processing rules . . . . . . . . . . . . . 8
4.1. CTA processing rules . . . . . . . . . . . . . . . . . . 9 5. Child's CDS / CDNSKEY Publication . . . . . . . . . . . . . . 8
5. Child's CTA Publication . . . . . . . . . . . . . . . . . . . 9 6. Parent side CDS / CDNSKEY Consumption . . . . . . . . . . . . 9
6. Parent side CTA Consumption . . . . . . . . . . . . . . . . . 9 6.1. Detecting a changed CDS / CDNSKEY . . . . . . . . . . . . 9
6.1. Detecting a changed CTA . . . . . . . . . . . . . . . . . 9 6.1.1. CDS / CDNSKEY Polling . . . . . . . . . . . . . . . . 9
6.1.1. CTA Polling . . . . . . . . . . . . . . . . . . . . . 10
6.1.2. Other mechanisms . . . . . . . . . . . . . . . . . . 10 6.1.2. Other mechanisms . . . . . . . . . . . . . . . . . . 10
6.2. Usign the new CTA . . . . . . . . . . . . . . . . . . . . 11 6.2. Using the new CDS / CDNSKEY records . . . . . . . . . . . 10
6.2.1. Parent calculates DS . . . . . . . . . . . . . . . . 11 6.2.1. Parent calculates DS . . . . . . . . . . . . . . . . 11
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11
8. Security Considerations . . . . . . . . . . . . . . . . . . . 12 8. Security Considerations . . . . . . . . . . . . . . . . . . . 12
9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 13 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 13
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 13 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 13
10.1. Normative References . . . . . . . . . . . . . . . . . . 13 10.1. Normative References . . . . . . . . . . . . . . . . . . 13
10.2. Informative References . . . . . . . . . . . . . . . . . 14 10.2. Informative References . . . . . . . . . . . . . . . . . 14
Appendix A. RRR background . . . . . . . . . . . . . . . . . . . 15 Appendix A. RRR background . . . . . . . . . . . . . . . . . . . 14
Appendix B. Changes / Author Notes. . . . . . . . . . . . . . . 15 Appendix B. Changes / Author Notes. . . . . . . . . . . . . . . 15
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 17 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 16
1. Introduction 1. Introduction
When a DNS operator first signs their zone, they need to communicate When a DNS operator first signs their zone, they need to communicate
their DS record(s) (or DNSKEY(s)) to their parent through some out- their DS record(s) (or DNSKEY(s)) to their parent through some out-
of-band method to complete the chain of trust. of-band method to complete the chain of trust.
Each time the child changes/rolls the key that is represented in the Each time the child changes/rolls the key that is represented in the
parent, the new and/or deleted key information has to be communicated parent, the new and/or deleted key information has to be communicated
to the parent and published there. How this information is sent to to the parent and published there. How this information is sent to
skipping to change at page 3, line 37 skipping to change at page 3, line 35
follows are as described in [RFC6781] section 4.1.2 follows are as described in [RFC6781] section 4.1.2
This technique is in some ways similar to RFC 5011 style rollovers, This technique is in some ways similar to RFC 5011 style rollovers,
but for sub-domains DS records, instead of trust anchors but for sub-domains DS records, instead of trust anchors
This technique is designed to be friendly both to fully automated This technique is designed to be friendly both to fully automated
tools and humans. Fully automated tools can perform all the actions tools and humans. Fully automated tools can perform all the actions
needed without human intervention, and thus can monitor when it is needed without human intervention, and thus can monitor when it is
safe to move to the next step. safe to move to the next step.
CTA is only appropriate for transferring information about DNSSEC CDS is only appropriate for transferring information about DNSSEC
keys (DS and DNSKEY) from the child to the parental agent. It lists keys (DS and DNSKEY) from the child to the parental agent. It lists
exactly what the parent should publish, and allows for publication of exactly what the parent should publish, and allows for publication of
stand-by keys. There is a complementary solution [I-D.csync] for stand-by keys. There is a complementary solution [I-D.csync] for
maintaining the other important delegation information, such as NS maintaining the other important delegation information, such as NS
and glue. and glue.
1.1. Terminology 1.1. Terminology
There terminology we use is defined in this section There terminology we use is defined in this section
skipping to change at page 4, line 34 skipping to change at page 4, line 31
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
2. Background 2. Background
2.1. DNS delegations 2.1. DNS delegations
DNS operation consists of delegations of authority. For each DNS operation consists of delegations of authority. For each
delegation there are (most of the time) two parties the parent and delegation there are (most of the time) two parties, the parent and
child. the child.
In DNS, the parent publishes information about the delegations to the The parent publishes information about the delegations to the child;
child; for the name-servers it publishes an NS RRset that lists a for the name-servers it publishes an NS RRset that lists a hint for
hint for name-servers that are authoritative for the child. The name-servers that are authoritative for the child. The child also
child also publishes a NS RRset, and this set is the authoritative publishes a NS RRset, and this set is the authoritative list of name-
list of name-servers to the child zone. servers to the child zone.
The second RRset the parent sometimes publishes is the DS set. The The second RRset the parent sometimes publishes is the DS set. The
DS RRset provides information about the key(s) that the child has DS RRset provides information about the key(s) that the child has
told the parent it will use to sign its DNSKEY RRset. In DNSSEC told the parent it will use to sign its DNSKEY RRset. In DNSSEC
trust relationship between zones is provided by the following chain: trust relationship between zones is provided by the following chain:
parent DNSKEY --> DS --> child DNSKEY. parent DNSKEY --> DS --> child DNSKEY.
A prior proposal [I-D.auto-cpsync] suggested that the child send an A prior proposal [I-D.auto-cpsync] suggested that the child send an
"update" to the parent via a mechanism similar to Dynamic Update. "update" to the parent via a mechanism similar to Dynamic Update.
skipping to change at page 6, line 49 skipping to change at page 6, line 46
below can operate with both models, but the child needs to be aware below can operate with both models, but the child needs to be aware
of the parental policies. of the parental policies.
2.2.2. DNSSEC key change process 2.2.2. DNSSEC key change process
After a Child DNS operator first signs the zone, there is a need to After a Child DNS operator first signs the zone, there is a need to
interact with the Parent, for example via the delegation account interact with the Parent, for example via the delegation account
interface, to "upload / paste-in the zone's DS information". The interface, to "upload / paste-in the zone's DS information". The
action of logging in through the delegation account user interface action of logging in through the delegation account user interface
authenticates that the user is authorized to change delegation authenticates that the user is authorized to change delegation
information published in the parent zone. In the case where "Child information published in the parent zone. In the case where the
DNS Operator" does not have access to the registration account, the "Child DNS Operator" does not have access to the registration
Child needs to perform the action. account, the Child needs to perform the action.
At a later date, the Child Operator may want to publish a new DS At a later date, the Child Operator may want to publish a new DS
record in the parent, either because they are rolling keys, or record in the parent, either because they are rolling keys, or
because they want to publish a stand-by key. This involves because they want to publish a stand-by key. This involves
performing the same process as before. Furthermore when this is a performing the same process as before. Furthermore when this is a
manual process with cut and paste; operational mistakes will happen. manual process with cut and paste; operational mistakes will happen.
Or worse the update action in not performed at all. Or worse the update action in not performed at all.
3. CTA (Child Trust Anchor) record definition 3. CDS / CDNSKEY (Child DS/ Child DNSKEY) record definitions
This document specifies a new DNS RRtype CTA that indicates what the This document specifies two new DNS RRtypes (CDS and CDNSKEY) that
Child wants to be in the parents DS RRset. It allows the child to indicates what the Child wants to be in the parents DS RRset. It
present DS records or DNSKEY records (for those parents who would allows the Child to present DS records and / or DNSKEY records (for
rather generate the DS records for their children). those parents who would rather generate the DS records for their
children).
The CTA record is published in the child zone and gives the child The CDS / CDNSKEY record is published in the child zone and gives the
control of what is published for it in the parental zone. The CTA child control of what is published for it in the parental zone. The
RRset expresses what the child would like the DS RRset to look like CDS / CDNSKEY RRset expresses what the child would like the DS RRset
after the change; it is a "replace" operation, and it is up to the to look like after the change; it is a "replace" operation, and it is
consumer of the records to translate that into the appropriate add/ up to the consumer of the records to translate that into the
delete operations in the registration systems (and to generate the DS appropriate add/delete operations in the registration systems (and in
from the DNSKEY, if needed). the case of CDNSKEY, to generate the DS from the DNSKEY).
The IANA allocated RR code 59 for an earlier version of this draft / [RFC Editor: Please remove this paragraph before publication] Version
idea (the CDS record via expert review [I-D.ds-publish]). [Ed: We -04 of this document defined a new record (CTA) that could hold
would like to continue to use this RR code (after review).] either a DS or a DNSKEY record (with a selector to differentiate
between them). ]
3.1. CTA Resource Record Format 3.1. CDS Resource Record Format
[RFC Editor: Please remove this paragraph before publication] This The wire and presentation format of the CDS ("Child DS") record is
document used to specify a CDS record that contains *DS* records. identical to the DS record [RFC4034]. IANA has allocated RR code 59
After discussions with a number of folk we are changing this to CTA. for the CDS record via expert review [I-D.ds-publish].
The CTA RR allows publication of DS records or DNSKEY records, for
those registries who prefer to calculate the DS for their children.
No special processing is performed by authoritative servers or by No special processing is performed by authoritative servers or by
revolvers, when serving or resolving. For all practical purposes CTA revolvers, when serving or resolving. For all practical purposes CDS
is a regular RR type. is a regular RR type.
3.1.1. CTA Wire Format 3.2. CDNSKEY Resource Record Format
The CTA DNS resource record (RR) consists of a one-octet Selector
field and a variable length Key Data field.
1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Selector | /
+-+-+-+-+-+-+-+-+-+ /
/ Key Data /
/ /
/ /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The selector field specifies how the Key Data field should be
interpreted.
If the Selector field contains the value 0 then the Key Data field
contains a DS record [RFC4034] in wire format.
If the Selector field contains any other value then the Key Data
field contains a DNSKEY record in wire format. This allows the child
to present a DNSKEY and have the parent calculate the DS for it (as
required by some registries). The selector field indicates to the
parent which hash algorithm (from the IANA "Delegation Signer (DS)
Resource Record (RR) Type Digest Algorithms" registry) the child
would like the parent to use when calculating the DS record. The
child is responsible for knowing which digest algorithms are
acceptable to the parent.
[Editor: Question: I have written this to allow the child to indicate The wire and presentation format of the CDNSKEY ("Child DNSKEY")
what algorithm it would like the parent to use when generating DS record is identical to the DNSKEY record.
from DNSKEY. This is to address cases where the child only supports
e.g algorithms 1, 2, 3 but not 4 (SHA-384). If the parent generates
a SHA-384 DS, the child will have no way of verifying that the
associated DS has been published. If folk would prefer, can easily
change this to be "selector 0 is DS, selector 1 is DNSKEY", and the
child must just support whatever the parent needs. Which would the
WG prefer? ]
3.1.2. CTA Presentation Format No special processing is performed by authoritative servers or by
revolvers, when serving or resolving. For all practical purposes
CDNSKEY is a regular RR type.
The presentation format of the RDATA portion (as defined in 4. Automating DS maintainance with CDS/CDNSKEY records
[RFC1035]) is as follows:
o The selector field should be represented as an 8-bit unsigned CDS/CDNSKEY records are intended to be "consumed" by delegation trust
integer. maintainers. The use of CDS/CDNSKEY is optional.
o The key data field representation depends upon what the selector Some parents prefer to accept DNSSEC key information in DS format,
specifies is in the key data filed. If it is a DS record, the key some parents prefer to accept it in DNSKEY format, and calculate the
data filed should be presented as a DS record (as specified in DS record on the child's behalf. Each method has pros and cons, both
[RFC3658]). If the selector specifies that the key data filed technical and policy. This solution is DS vs DNSKEY agnostic, and
contains a DNSKEY RR, it should be presented as a DNSKEY RR (as allows operation with either.
specified in [RFC4034])
4. Automating DS maintainance with CTA records If the child knows what the parent prefers, they can publish the
parent's preferred record type. If the child does not know (or
simply chooses to), they can publish both CDS and CDNSKEY. If the
child publishes both, they SHOULD have matching CDS records for each
CDNSKEY record. The parent should use whichever one they choose, but
SHOULD NOT query for both and perform consistency checks between the
CDS and CDNSKEY records.
CTA records are intended to be "consumed" by delegation trust [Editor note: It is not an error for a child to have published CDS
maintainers. The use of CTA is optional. records and not have CDNSKEYs that hash to those records, nor for
there to be CDNSKEY records without matching DS records. This is
because a child might have been publishing CDS records and then the
parent's policy changes to require CDNSKEY records. The child might
forget to remove the CDS, etc. This avoids all sorts of error
conditions / complexity, etc.]
4.1. CTA processing rules 4.1. CDS / CDNSKEY processing rules
Absence of CTA in child signals "No change" to the current DS set. Absence of CDS / CDNSKEY in child signals "No change" to the current
Following acceptance rules are placed on the CTA record as follows: DS set. Following acceptance rules are placed on the CDS / CDNSKEY
records as follows:
o Location: "the CTA record MUST be at the child zone apex". Q: is o Location: "the CDS / CDNSKEY record MUST be at the child zone
"_cta.example. a better location for .example? apex".
o Signer: "MUST be signed with a key that is represented in both the o Signer: "MUST be signed with a key that is represented in both the
current DNSKEY and DS RRset's." current DNSKEY and DS RRset's."
o Continuity: "SHOULD not break the current delegation if applied to o Continuity: "SHOULD not break the current delegation if applied to
DS RRset" DS RRset"
o If the child has presented a DNSKEY record, the digest algorithm If any these conditions fail the CDS / CDNSKEY record MUST be
MUST be one acceptable to the parent. ignored.
If any these conditions fail the CTA record MUST be ignored. 5. Child's CDS / CDNSKEY Publication
Child DNS Operator SHOULD only publish a CDS or CDNSKEY RRset when it
wants to make a change to the DS RRset in the Parent. The CDS /
CDNSKEY RRset SHOULD be compliant with the rules in Section 4.1.
When the Parent DS is "in-sync" with the CDS, the Child DNS Operator
SHOULD/MUST delete the CDS RRset. Note that if the child has
published a DNSKEY RR in the CDS, it will have to calculate the DS
(using the requested digest algorithm) to do the comparison.
5. Child's CTA Publication A child MAY publish both CDS and CDNSKEY. If a child chooses to
publish both, it SHOULD attempt to maintain consistency (a matching
CDS for each CDNSKEY)
Child DNS Operator SHOULD only publish a CTA RRset when it wants to 6. Parent side CDS / CDNSKEY Consumption
make a change to the DS RRset in the Parent. The CTA RRset SHOULD be
compliant with the rules in Section 4.1. When the Parent DS is "in-
sync" with the CTA, the Child DNS Operator SHOULD/MUST delete the CTA
RRset. Note that if the child has published a DNSKEY RR in the CTA,
it will have to calculate the DS (using the requested digest
algorithm) to do the comparison.
6. Parent side CTA Consumption The CDS / CDNSKEY RRset MAY be used by the Parental Agent to update
the DS RRset in the parent zone. The Parental Agent for this uses a
tool that understands the CDS / CDNSKEY signing rules from
Section 4.1 so it may not be able to use a standard validator.
Parent SHOULD treat the Continuity rule as "MUST".
The CTA RRset MAY be used by the Parental Agent to update the DS The parent MUST choose to accept either CDS or CDNSKEY records, and
RRset in the parent zone. The Parental Agent for this uses a tool MUST NOT expect there to be both. A parent SHOULD NOT perform a
that understands the CTA signing rules from Section 4.1 so it may not consistency check between CDS and CDNSKEY (other than for
be able to use a standard validator. Parent SHOULD treat the informational / debugging use).
Continuity rule as "MUST". If the parent discovers multiple CTA
records it should first calculate the DS records from any CTA recods
that contain DNSKEY records, and then remove duplicates from the set.
6.1. Detecting a changed CTA 6.1. Detecting a changed CDS / CDNSKEY
How the Parental Agent gets the CTA record may differ, below are two How the Parental Agent gets the CDS / CDNSKEY record may differ,
examples as how this can take place. below are two examples as how this can take place.
Polling The Parental Agent operates a tool that periodically checks Polling The Parental Agent operates a tool that periodically checks
each of the children that has a DS record to see if there is a each of the children that has a DS record to see if there is a
CTA record. CDS or CDNSKEY record.
Pushing The delegation user interface has a button {Fetch DS} when Pushing The delegation user interface has a button {Fetch DS} when
pushed preforms the CTA processing. If the Parent zone does pushed preforms the CDS / CDNSKEY processing. If the Parent
not contain DS for this delegation then the "push" MUST be zone does not contain DS for this delegation then the "push"
ignored. MUST be ignored.
In either case the Parental Agent MAY apply additional rules that In either case the Parental Agent MAY apply additional rules that
defer the acceptance of a CTA change, these rules may include a defer the acceptance of a CDS / CDNSKEY change, these rules may
condition that the CTA remains in place and valid for some time include a condition that the CDS / CDNSKEY remains in place and valid
period before it is accepted. It may be appropriate in the "Pushing" for some time period before it is accepted. It may be appropriate in
case to assume that the Child is ready and thus accept changes the "Pushing" case to assume that the Child is ready and thus accept
without delay. changes without delay.
6.1.1. CTA Polling
This is the only defined use of CTA in this document. There are 6.1.1. CDS / CDNSKEY Polling
limits to the saleability of polling techniques, thus some other This is the only defined use of CDS / CDNSKEY in this document.
mechanism is likely to be specified later that addresses CTA usage in There are limits to the saleability of polling techniques, thus some
the situation where polling does not scale to. Having said that other mechanism is likely to be specified later that addresses CDS /
Polling will work in many important cases like enterprises, CDNSKEY usage in the situation where polling does not scale to.
universities, small TLDs etc. In many regulatory environments the Having said that Polling will work in many important cases like
registry is prohibited from talking to the registrant. In most these enterprises, universities, small TLDs etc. In many regulatory
cases the registrant has a business relationship with the registrar, environments the registry is prohibited from talking to the
and so the registrar can offer this as a service. registrant. In most these cases the registrant has a business
relationship with the registrar, and so the registrar can offer this
as a service.
If the CTA RRset does not exist, the Parental Agent MUST take no If the CDS / CDNSKEY RRset does not exist, the Parental Agent MUST
action. Specifically it MUST NOT delete or alter the existing DS take no action. Specifically it MUST NOT delete or alter the
RRset. existing DS RRset.
6.1.2. Other mechanisms 6.1.2. Other mechanisms
It is assume that other mechanisms will be implemented to trigger the It is assume that other mechanisms will be implemented to trigger the
parent to look for an updated CTA. As the CTA RR is validated with parent to look for an updated CDS. As the CDS RR is validated with
DNSSEC, these mechanisms can be unauthenticated (for example, a child DNSSEC, these mechanisms can be unauthenticated (for example, a child
could call his parent and request the CTA action be performed, an could call his parent and request the CDS action be performed, an
unauthenticated POST could be made to a webserver (with rate- unauthenticated POST could be made to a webserver (with rate-
limiting), etc.) limiting), etc.)
Other documents can specify the trigger conditions. Other documents can specify the trigger conditions.
6.2. Usign the new CTA 6.2. Using the new CDS / CDNSKEY records
Regardless of how the Parental Agent detected changes to a CTA RR, Regardless of how the Parental Agent detected changes to a CDS /
the Parental Agent MUST use a DNSSEC validator to obtain a validated CDNSKEY RR, the Parental Agent MUST use a DNSSEC validator to obtain
CTA RRset from the Child zone. It would be a good idea if the a validated CDS / CDNSKEY RRset from the Child zone. It would be a
Parental Agent checked all NS RRs listed at the delegation. However, good idea if the Parental Agent checked all NS RRs listed at the
due to the use of technologies such as load balancing and anycast, delegation. However, due to the use of technologies such as load
this should not be taken as proof that the new CTA is present on all balancing and anycast, this should not be taken as proof that the new
nodes serving the Child zone. CDS / CDNSKEY is present on all nodes serving the Child zone.
The Parental Agent MUST ensure that old versions of the CTA RRset do The Parental Agent MUST ensure that old versions of the CDS / CDNSKEY
not overwrite newer versions. This MAY be accomplished by checking RRset do not overwrite newer versions. This MAY be accomplished by
that the signature inception in the RRSIG for CTA is newer and/or the checking that the signature inception in the RRSIG for CDS / CDNSKEY
serial number on the child's SOA is greater. This may require the is newer and/or the serial number on the child's SOA is greater.
Parental Agent to maintain some state information. This may require the Parental Agent to maintain some state
information.
The Parental Agent MAY take extra security measures. For example, to The Parental Agent MAY take extra security measures. For example, to
mitigate the possibility that a Child's key signing key has been mitigate the possibility that a Child's key signing key has been
compromised, the Parental Agent may, for example, inform (by email or compromised, the Parental Agent may, for example, inform (by email or
other methods ) the Child DNS operator of the change. However the other methods ) the Child DNS operator of the change. However the
precise out-of-band measures that a parent zone SHOULD take are precise out-of-band measures that a parent zone SHOULD take are
outside the scope of this document. outside the scope of this document.
Once the Parental Agent has obtained a valid CTA it MAY double check Once the Parental Agent has obtained a valid CDS / CDNSKEY it MAY
the publication rules from section 4.1. In particular the Parental double check the publication rules from section 4.1. In particular
Agent MUST double check the Continuity rule and do its best not to the Parental Agent MUST double check the Continuity rule and do its
invalidate the Child zone. Once checked and if the CTA and DS best not to invalidate the Child zone. Once checked and if the CDS /
"differ" it may apply the changes to the parent zone. In cases where CDNSKEY and DS "differ" it may apply the changes to the parent zone.
the CTA record contains DNSKEYs, the parent should calculate the DS If the parent consumes CDNSKEY, the parent should calculate the DS
before doing this comparison. before doing this comparison.
6.2.1. Parent calculates DS 6.2.1. Parent calculates DS
There are cases where the Parent wants to calculate the DS record due There are cases where the Parent wants to calculate the DS record due
to policy reasons. In this case, the Child publishes CTA records to policy reasons. In this case, the Child publishes CDNSKEY records
containing DNSKEYs. containing DNSKEYs.
The parent calculates the DS records on behalf of the children. The The parent calculates the DS records on behalf of the children. The
DNS Parent needs to publish guidelines for the children as to what DNS Parent needs to publish guidelines for the children as to what
digest algorithms are acceptable in the CTA record. digest algorithms are acceptable in the CDS record.
When a Parent operates in "calculate DS" mode it can operate in one When a Parent operates in "calculate DS" mode it can operate in one
of two sub-modes of two sub-modes
full i.e. it only publishes DS records it calculates from DNSKEY full i.e. it only publishes DS records it calculates from DNSKEY
records, records,
augment i.e. it will make sure there are DS records for the digest augment i.e. it will make sure there are DS records for the digest
algorithm(s) it requires(s). algorithm(s) it requires(s).
Implications on Parental Agent are that the CTA and DS are not Implications on Parental Agent are that the CDNSKEY and DS are not
exactly the same after update thus it needs to take that into exactly the same after update thus it needs to take that into
consideration when checking CTA records. Same goes for the Child consideration when checking CDNSKEY records. Same goes for the Child
Operator, it needs to be able to detect that the new DS RRset is Operator, it needs to be able to detect that the new DS RRset is
"equivalent" to the current CTA RRset, thus it can remove the CTA "equivalent" to the current CDNSKEY RRset, thus it can remove the
RRset. CDNSKEY RRset.
7. IANA Considerations 7. IANA Considerations
IANA has assigned RR Type code 59 for CDS. This was done for an IANA has assigned RR Type code 59 for CDS. This was done for an
earlier version of this document[I-D.ds-publish] This document is to earlier version of this document[I-D.ds-publish] This document is to
become the reference for CDS RRtype (pending DNS-Dir confirmation become the reference for CDS RRtype.
that this is acceptable, as we have somewhat changed the format.)
IANA is requested to assign another RR Type for the CDNSKEY.
8. Security Considerations 8. Security Considerations
[ This needs more work, suggestions welcome.] [ This needs more work, suggestions welcome.]
This work is for the normal case, when things go wrong there is only This work is for the normal case, when things go wrong there is only
so much that automation can fix. so much that automation can fix.
If child breaks DNSSEC validation by removing all the DNSKEYs that If child breaks DNSSEC validation by removing all the DNSKEYs that
are represented in the DS set its only repair actions are to contact are represented in the DS set its only repair actions are to contact
the parent or restore the DNSKEYs in the DS set. the parent or restore the DNSKEYs in the DS set.
In the event of a compromise of the server or system generating In the event of a compromise of the server or system generating
signatures for a zone, an attacker might be able to generate and signatures for a zone, an attacker might be able to generate and
publish new CTA records. The modified CTA records will be picked up publish new CDS records. The modified CDS records will be picked up
by this technique and so may allow the attacker to extend the by this technique and so may allow the attacker to extend the
effective time of his attack. If there a delay in accepting changes effective time of his attack. If there a delay in accepting changes
to DS, as in RFC5011, then the attacker needs to hope his activity is to DS, as in RFC5011, then the attacker needs to hope his activity is
not detected before the DS in parent is changed. If this type of not detected before the DS in parent is changed. If this type of
change takes place, the child need to contact the parent (possibly change takes place, the child need to contact the parent (possibly
via a registrar web interface) and remove any compromised DS keys. via a registrar web interface) and remove any compromised DS keys.
A compromise of the account with the parent (e.g. registrar) will not A compromise of the account with the parent (e.g. registrar) will not
be mitigated by this technique, as the "new registrant" can delete/ be mitigated by this technique, as the "new registrant" can delete/
modify the DS records at will. modify the DS records at will.
While it may be tempting, this SHOULD NOT be used for initial While it may be tempting, this SHOULD NOT be used for initial
enrollment of keys since there is no way to ensure that the initial enrollment of keys since there is no way to ensure that the initial
key is the correct one. If is used, strict rules for inclusion of key is the correct one. If is used, strict rules for inclusion of
keys like hold down times, challenge data inclusion etc., ought to be keys like hold down times, challenge data inclusion etc., ought to be
used, along with some kind of challenge mechanism. used, along with some kind of challenge mechanism.
The CTA RR type should allow for enhanced security by simplifying The CDS RR type should allow for enhanced security by simplifying
process. Since rollover is automated, updating a DS RRset by other process. Since rollover is automated, updating a DS RRset by other
means may be regarded as unusual and subject to extra security means may be regarded as unusual and subject to extra security
checks. checks.
If there is a failure in applying changes in child zone to all DNS If there is a failure in applying changes in child zone to all DNS
servers listed in either parent or child NS set it is possible that servers listed in either parent or child NS set it is possible that
the Parental agent may get confused either not perform action because the Parental agent may get confused either not perform action because
it gets different answers on different checks or CTA validation it gets different answers on different checks or CDS validation
fails. In the worst case Parental Agent performs an action reversing fails. In the worst case Parental Agent performs an action reversing
a prior action but after the child signing system decides to take the a prior action but after the child signing system decides to take the
next step in rollover, resulting in a broken delegation. next step in rollover, resulting in a broken delegation.
DNS is a loosely coherent distributed database with local caching; DNS is a loosely coherent distributed database with local caching;
therefore it is important to allow old information to expire from therefore it is important to allow old information to expire from
caches before deleting DS or DNSKEY records. Similarly, it is caches before deleting DS or DNSKEY records. Similarly, it is
important to allow new records to propagate through the DNS before important to allow new records to propagate through the DNS before
use, see [RFC6781] and [I-D.key-time] use, see [RFC6781] and [I-D.key-time]
skipping to change at page 15, line 40 skipping to change at page 15, line 23
In many RRR cases the Registrar and Registry communicate via In many RRR cases the Registrar and Registry communicate via
EPP[RFC5730] and use the EPP DNSSEC extension [RFC5910]. In a number EPP[RFC5730] and use the EPP DNSSEC extension [RFC5910]. In a number
of ccTLDs there are other mechanisms in use as well as EPP, but in of ccTLDs there are other mechanisms in use as well as EPP, but in
general there seems to be a movement towards EPP usage when DNSSEC is general there seems to be a movement towards EPP usage when DNSSEC is
enabled in the TLD. enabled in the TLD.
Appendix B. Changes / Author Notes. Appendix B. Changes / Author Notes.
[RFC Editor: Please remove this section before publication ] [RFC Editor: Please remove this section before publication ]
From 04 to 05
o Renamed the record back to CDS.
From 03 to 04. From 03 to 04.
o Added text explaining the [CDS/CTA] complement [CSYNC], not o Added text explaining the [CDS] complement [CSYNC], not replace or
replace or compete with it. compete with it.
o Changed format of record to be <selector> <data> to allow the o Changed format of record to be <selector> <data> to allow the
publication of DS **or** DNSKEY. publication of DS **or** DNSKEY.
o Bunch of text changed to cover the above. o Bunch of text changed to cover the above.
o Added a bit more text on the polling scaling stuff, expecation o Added a bit more text on the polling scaling stuff, expecation
that other triggers will be documented, that other triggers will be documented,
From 02 to 03 From 02 to 03
 End of changes. 61 change blocks. 
188 lines changed or deleted 173 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/