< draft-ietf-dnsext-delegation-signer-14.txt   draft-ietf-dnsext-delegation-signer-15.txt >
DNSEXT Working Group Olafur Gudmundsson DNSEXT Working Group Olafur Gudmundsson
INTERNET-DRAFT May 2003 INTERNET-DRAFT June 2003
<draft-ietf-dnsext-delegation-signer-14.txt> <draft-ietf-dnsext-delegation-signer-15.txt>
Updates: RFC 1035, RFC 2535, RFC 3008, RFC 3090. Updates: RFC 1035, RFC 2535, RFC 3008, RFC 3090.
Delegation Signer Resource Record Delegation Signer Resource Record
Status of this Memo Status of this Memo
This document is an Internet-Draft and is in full conformance with This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026. all provisions of Section 10 of RFC2026.
skipping to change at page 1, line 32 skipping to change at page 1, line 32
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as ``work in progress.'' material or to cite them other than as ``work in progress.''
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html http://www.ietf.org/shadow.html
Comments should be sent to the authors or the DNSEXT WG mailing list This draft expires on January 19, 2004.
namedroppers@ops.ietf.org
This draft expires on December 6, 2003.
Copyright Notice Copyright Notice
Copyright (C) The Internet Society (2003). All rights reserved. Copyright (C) The Internet Society (2003). All rights reserved.
Abstract Abstract
The delegation signer (DS) resource record is inserted at a zone cut The delegation signer (DS) resource record is inserted at a zone cut
(i.e., a delegation point) to indicate that the delegated zone is (i.e., a delegation point) to indicate that the delegated zone is
digitally signed and that the delegated zone recognizes the indicated digitally signed and that the delegated zone recognizes the indicated
key as a valid zone key for the delegated zone. The DS RR is a key as a valid zone key for the delegated zone. The DS RR is a
modification to the DNS Security Extensions definition, motivated by modification to the DNS Security Extensions definition, motivated by
operational considerations. The intent is to use this resource record operational considerations. The intent is to use this resource record
as an explicit statement about the delegation, rather than relying on as an explicit statement about the delegation, rather than relying on
inference. inference.
This document defines the DS RR, gives examples of how it is used and This document defines the DS RR, gives examples of how it is used and
the implications of this record on resolvers. This change is not describes the implications on resolvers. This change is not backwards
backwards compatible with RFC 2535. compatible with RFC 2535.
This document updates RFC1035, RFC2535, RFC3008 and RFC3090. This document updates RFC1035, RFC2535, RFC3008 and RFC3090.
1 Introduction Table of contents
Familiarity with the DNS system [RFC1035], DNS security extensions Status of this Memo . . . . . . . . . . . . . . . . . . . . . . . . 1
[RFC2535] and DNSSEC terminology [RFC3090] is important. Abstract . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Table of contents . . . . . . . . . . . . . . . . . . . . . . . . . 2
1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.2 Reserved Words" . . . . . . . . . . . . . . . . . . . . . . . . 4
2 Specification of the Delegation key Signer" . . . . . . . . . . . 4
2.1 Delegation Signer Record Model" . . . . . . . . . . . . . . . . 4
2.2 Protocol Change" . . . . . . . . . . . . . . . . . . . . . . . . 5
2.2.1 RFC2535 2.3.4 and 3.4: Special Considerations at
Delegation Points" . . . . . . . . . . . . . . . . . . . . . . . . . 6
2.2.1.1 Special processing for DS queries" . . . . . . . . . . . . 6
2.2.1.2 Special processing when child and an ancestor share
server" . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
2.2.1.3 Modification on use of KEY RR in the construction of
Responses" . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
2.2.2 Signer's Name (replaces RFC3008 section 2.7)" . . . . . . . . 9
2.2.3 Changes to RFC3090" . . . . . . . . . . . . . . . . . . . . . 9
2.2.3.1 RFC3090: Updates to section 1: Introduction" . . . . . . . . 9
2.2.3.2 RFC3090 section 2.1: Globally Secured" . . . . . . . . . . . 9
2.2.3.3 RFC3090 section 3: Experimental Status." . . . . . . . . . 10
2.2.4 NULL KEY elimination" . . . . . . . . . . . . . . . . . . . . 10
2.3 Comments on Protocol Changes" . . . . . . . . . . . . . . . . . 10
2.4 Wire Format of the DS record" . . . . . . . . . . . . . . . . . 11
2.4.1 Justifications for Fields" . . . . . . . . . . . . . . . . . . 12
2.5 Presentation Format of the DS Record" . . . . . . . . . . . . . 12
2.6 Transition Issues for Installed Base" . . . . . . . . . . . . . 12
2.6.1 Backwards compatibility with RFC2535 and RFC1035" . . . . . . 12
2.7 KEY and corresponding DS record example" . . . . . . . . . . . . 13
3 Resolver" . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
3.1 DS Example" . . . . . . . . . . . . . . . . . . . . . . . . . . 14
3.2 Resolver Cost Estimates for DS Records" . . . . . . . . . . . . 15
4 Security Considerations: " . . . . . . . . . . . . . . . . . . . . 15
5 IANA Considerations: " . . . . . . . . . . . . . . . . . . . . . . 16
6 Acknowledgments" . . . . . . . . . . . . . . . . . . . . . . . . . 16
Normative References: " . . . . . . . . . . . . . . . . . . . . . . 16
Informational References" " . . . . . . . . . . . . . . . . . . . . 17
Author Address" . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Full Copyright Statement" . . . . . . . . . . . . . . . . . . . . . 17
1 Introduction
Experience shows that when the same data can reside in two Familiarity with the DNS system [RFC1035], DNS security extensions
administratively different DNS zones, the data frequently gets out of [RFC2535] and DNSSEC terminology [RFC3090] is important.
sync. The presence of an NS RRset in a zone anywhere other than at
the apex indicates a zone cut or delegation. The RDATA of the NS
RRset specifies the authoritative servers for the delegated or
"child" zone. Based on actual measurements, 10-30% of all delegations
on the Internet have differing NS RRsets at parent and child. There
are a number of reasons for this, including a lack of communication
between parent and child and bogus name servers being listed to meet
registry requirements.
DNSSEC [RFC2535,RFC3008,RFC3090] specifies that a child zone needs to Experience shows that when the same data can reside in two
have its KEY RRset signed by its parent to create a verifiable chain administratively different DNS zones, the data frequently gets out of
of KEYs. There has been some debate on where the signed KEY RRset sync. The presence of an NS RRset in a zone anywhere other than at
should reside, whether at the child [RFC2535] or at the parent. If the apex indicates a zone cut or delegation. The RDATA of the NS
the KEY RRset resides at the child, maintaining the signed KEY RRset RRset specifies the authoritative servers for the delegated or
in the child requires frequent two-way communication between the two "child" zone. Based on actual measurements, 10-30% of all delegations
parties. First the child transmits the KEY RRset to the parent and on the Internet have differing NS RRsets at parent and child. There
then the parent sends the signature(s) to the child. Storing the KEY are a number of reasons for this, including a lack of communication
RRset at the parent was thought to simplify the communication. between parent and child and bogus name servers being listed to meet
registry requirements.
DNSSEC [RFC2535] requires that the parent store a NULL KEY record for DNSSEC [RFC2535,RFC3008,RFC3090] specifies that a child zone needs to
an unsecure child zone to indicate that the child is unsecure. A NULL have its KEY RRset signed by its parent to create a verifiable chain
KEY record is a waste: an entire signed RRset is used to communicate of KEYs. There has been some debate on where the signed KEY RRset
effectively one bit of information--that the child is unsecure. should reside, whether at the child [RFC2535] or at the parent. If
Chasing down NULL KEY RRsets complicates the resolution process in the KEY RRset resides at the child, maintaining the signed KEY RRset
many cases, because servers for both parent and child need to be in the child requires frequent two-way communication between the two
queried for the KEY RRset if the child server does not return it. parties. First the child transmits the KEY RRset to the parent and
Storing the KEY RRset only in the parent zone simplifies this and then the parent sends the signature(s) to the child. Storing the KEY
would allow the elimination of the NULL KEY RRsets entirely. For RRset at the parent was thought to simplify the communication.
large delegation zones the cost of NULL keys is a significant barrier
to deployment.
Another complication of the DNSSEC key model is that the KEY record DNSSEC [RFC2535] requires that the parent store a NULL KEY record for
can be used to store public keys for other protocols in addition to an unsecure child zone to indicate that the child is unsecure. A NULL
DNSSEC keys. There are number of potential problems with this, KEY record is a waste: an entire signed RRset is used to communicate
including: effectively one bit of information--that the child is unsecure.
1. The KEY RRset can become quite large if many applications and Chasing down NULL KEY RRsets complicates the resolution process in
protocols store their keys at the zone apex. Possible protocols many cases, because servers for both parent and child need to be
are IPSEC, HTTP, SMTP, SSH and others that use public key queried for the KEY RRset if the child server does not return it.
cryptography. Storing the KEY RRset only in the parent zone simplifies this and
2. The KEY RRset may require frequent updates. would allow the elimination of the NULL KEY RRsets entirely. For
3. The probability of compromised or lost keys, which trigger large delegation zones the cost of NULL keys is a significant barrier
emergency key rollover procedures, increases. to deployment.
4. The parent may refuse sign KEY RRsets with non-DNSSEC zone keys.
5. The parent may not meet the child's expectations in turnaround
time for resigning the KEY RRset.
Given these reasons, SIG@parent isn't any better than SIG/KEY@Child. Prior to the restrictions imposed by RFC3445[RFC3445], another
implication of the DNSSEC key model is that the KEY record could be
used to store public keys for other protocols in addition to DNSSEC
keys. There are number of potential problems with this, including:
1. The KEY RRset can become quite large if many applications and
protocols store their keys at the zone apex. Possible protocols
are IPSEC, HTTP, SMTP, SSH and others that use public key
cryptography.
2. The KEY RRset may require frequent updates.
3. The probability of compromised or lost keys, which trigger
emergency key rollover procedures, increases.
1.2 Reserved Words 4. The parent may refuse to sign KEY RRsets with non-DNSSEC zone
keys.
5. The parent may not meet the child's expectations of turnaround
time for resigning the KEY RRset.
The key words "MAY","MAY NOT", "MUST", "MUST NOT", "REQUIRED", Given these reasons, SIG@parent isn't any better than SIG/KEY@Child.
"RECOMMENDED", "SHOULD", and "SHOULD NOT" in this document are to be
interpreted as described in RFC2119.
2 Specification of the Delegation key Signer 1.2 Reserved Words
This section defines the Delegation Signer (DS) RR type (type code The key words "MAY","MAY NOT", "MUST", "MUST NOT", "REQUIRED",
TBD) and the changes to DNS to accommodate it. "RECOMMENDED", "SHOULD", and "SHOULD NOT" in this document are to be
interpreted as described in RFC2119.
2.1 Delegation Signer Record Model 2 Specification of the Delegation key Signer
This document presents a replacement for the DNSSEC KEY record chain This section defines the Delegation Signer (DS) RR type (type code
of trust [RFC2535] that uses a new RR that resides only at the TBD) and the changes to DNS to accommodate it.
parent. This record identifies the key(s) that the child uses to
self-sign its own KEY RRset.
The chain of trust is now established by verifying the parent KEY 2.1 Delegation Signer Record Model
RRset, the DS RRset from the parent and the KEY RRset at the child.
This is cryptographically equivalent to using just KEY records.
Communication between the parent and child is greatly reduced, since This document presents a replacement for the DNSSEC KEY record chain
the child only needs to notify the parent about changes in keys that of trust [RFC2535] that uses a new RR that resides only at the
sign its apex KEY RRset. The parent is ignorant of all other keys in parent. This record identifies the key(s) that the child uses to
the child's apex KEY RRset. Furthermore, the child maintains full self-sign its own KEY RRset.
control over the apex KEY RRset and its content. The child can
maintain any policies regarding its KEY usage for DNSSEC with minimal
impact on the parent. Thus if the child wants to have frequent key
rollover for its DNS zone keys, the parent does not need to be aware
of it. The child can use one key to sign only its apex KEY RRset and
a different key to sign the other RRsets in the zone.
This model fits well with a slow roll out of DNSSEC and the islands Even though DS identifies two roles for KEYs, Key Signing Key (KSK)
of security model. In this model, someone who trusts "good.example." and Zone Signing Key (ZSK), there is no requirement that zone use two
can preconfigure a key from "good.example." as a trusted key, and different keys for these roles. It is expected that many small zones
from then on trusts any data signed by that key or that has a chain will only use one key, while larger zones will be more likely to use
of trust to that key. If "example." starts advertising DS records, multiple keys.
"good.example." does not have to change operations by suspending
self-signing. DS records can also be used to identify trusted keys
instead of KEY records. Another significant advantage is that the
amount of information stored in large delegation zones is reduced:
rather than the NULL KEY record at every unsecure delegation required
by RFC 2535, only secure delegations require additional information
in the form of a signed DS RRset.
The main disadvantage of this approach is that verifying a zone's KEY The chain of trust is now established by verifying the parent KEY
RRset requires two signature verification operations instead of the RRset, the DS RRset from the parent and the KEY RRset at the child.
one required by RFC 2535. There is no impact on the number of This is cryptographically equivalent to using just KEY records.
signatures verified for other types of RRsets.
Even though DS identifies two roles for KEY's, Key Signing Key (KSK) Communication between the parent and child is greatly reduced, since
and Zone Signing Key (ZSK), there is no requirement that zone use two the child only needs to notify the parent about changes in keys that
different keys for these roles. It is expected that many small zones sign its apex KEY RRset. The parent is ignorant of all other keys in
will only use one key, while larger organizations will be more likely the child's apex KEY RRset. Furthermore, the child maintains full
to use multiple keys. control over the apex KEY RRset and its content. The child can
maintain any policies regarding its KEY usage for DNSSEC with minimal
impact on the parent. Thus if the child wants to have frequent key
rollover for its DNS zone keys, the parent does not need to be aware
of it. The child can use one key to sign only its apex KEY RRset and
a different key to sign the other RRsets in the zone.
2.2 Protocol Change This model fits well with a slow roll out of DNSSEC and the islands
of security model. In this model, someone who trusts "good.example."
can preconfigure a key from "good.example." as a trusted key, and
from then on trusts any data signed by that key or that has a chain
of trust to that key. If "example." starts advertising DS records,
"good.example." does not have to change operations by suspending
self-signing. DS records can be used in configuration files to
identify trusted keys instead of KEY records. Another significant
advantage is that the amount of information stored in large
delegation zones is reduced: rather than the NULL KEY record at every
unsecure delegation demanded by RFC 2535, only secure delegations
require additional information in the form of a signed DS RRset.
All DNS servers and resolvers that support DS MUST support the OK bit The main disadvantage of this approach is that verifying a zone's KEY
[RFC3225] and a larger message size [RFC3226]. In order for a RRset requires two signature verification operations instead of the
delegation to be considered secure the delegation MUST contain a DS one in RFC 2535 chain of trust. There is no impact on the number of
RRset. If a query contains the OK bit, a server returning a referral signatures verified for other types of RRsets.
for the delegation MUST include the following RRsets in the authority
section in this order:
If DS RRset is present:
parents copy of childs NS RRset
DS and SIG(DS)
If no DS RRset is present:
parents copy of childs NS RRset
parents zone NXT and SIG(NXT)
This increases the size of referral messages and possilbly causing 2.2 Protocol Change
some or all glue to be omitted. If the DS or NXT RRsets with
signatures do not fit in the DNS message, the TC bit MUST be set.
Additional section processing is not changed.
A DS RRset accompanying a NS RRset indicates that the child zone is All DNS servers and resolvers that support DS MUST support the OK bit
secure. If a NS RRset exists without a DS RRset, the child zone is [RFC3225] and a larger message size [RFC3226]. In order for a
unsecure (from the parents point of view). DS RRsets MUST NOT appear delegation to be considered secure the delegation MUST contain a DS
at non-delegation points or at a zone's apex. RRset. If a query contains the OK bit, a server returning a referral
for the delegation MUST include the following RRsets in the authority
section in this order:
If DS RRset is present:
parent's copy of child's NS RRset
DS and SIG(DS)
If no DS RRset is present:
parent's copy of child's NS RRset
parent's zone NXT and SIG(NXT)
Section 2.2.1 defines special considerations related to authoritative This increases the size of referral messages, possibly causing some
servers responding to DS queries and replaces RFC2535 sections 2.3.4 or all glue to be omitted. If the DS or NXT RRsets with signatures do
and 3.4. Section 2.2.2 replaces RFC3008 section 2.7, and section not fit in the DNS message, the TC bit MUST be set. Additional
2.2.3 updates RFC3090. section processing is not changed.
2.2.1 RFC2535 2.3.4 and 3.4: Special Considerations at Delegation Points A DS RRset accompanying a NS RRset indicates that the child zone is
secure. If a NS RRset exists without a DS RRset, the child zone is
unsecure (from the parents point of view). DS RRsets MUST NOT appear
at non-delegation points or at a zone's apex.
DNS security views each zone as a unit of data completely under the Section 2.2.1 defines special considerations related to authoritative
control of the zone owner with each entry (RRset) signed by a special servers responding to DS queries and replaces RFC2535 sections 2.3.4
private key held by the zone manager. But the DNS protocol views the and 3.4. Section 2.2.2 replaces RFC3008 section 2.7, and section
leaf nodes in a zone that are also the apex nodes of a child zone 2.2.3 updates RFC3090.
(i.e., delegation points) as "really" belonging to the child zone.
The corresponding domain names appear in two master files and might
have RRsets signed by both the parent and child zones' keys. A
retrieval could get a mixture of these RRsets and SIGs, especially
since one server could be serving both the zone above and below a
delegation point [RFC 2181].
Each DS RRset stored in the parent zone MUST be signed by at least 2.2.1 RFC2535 2.3.4 and 3.4: Special Considerations at Delegation Points
one of the parent zone's private key. The parent zone MUST NOT
contain a KEY RRset at any delegation point. Delegations in the
parent MAY contain only the following RR types: NS, DS, NXT and SIG.
The NS RRset MUST NOT be signed. The NXT RRset is the exceptional
case: it will always appear differently and authoritatively in both
the parent and child zones if both are secure.
A secure zone MUST contain a self-signed KEY RRset at its apex. Upon DNS security views each zone as a unit of data completely under the
verifying the DS RRset from the parent, a resolver MAY trust any KEY control of the zone owner with each entry (RRset) signed by a special
identified in the DS RRset as a valid signer of the child's apex KEY private key held by the zone manager. But the DNS protocol views the
RRset. Resolvers configured to trust one of the keys signing the KEY leaf nodes in a zone that are also the apex nodes of a child zone
RRset MAY now treat any data signed by the zone keys in the KEY RRset (i.e., delegation points) as "really" belonging to the child zone.
as secure. In all other cases resolvers MUST consider the zone The corresponding domain names appear in two master files and might
unsecure. A DS RRset MUST NOT appear at a zone's apex. have RRsets signed by both the parent and child zones' keys. A
retrieval could get a mixture of these RRsets and SIGs, especially
since one server could be serving both the zone above and below a
delegation point [RFC 2181].
An authoritative server queried for type DS MUST return the DS RRset Each DS RRset stored in the parent zone MUST be signed by at least
in the answer section. one of the parent zone's private keys. The parent zone MUST NOT
contain a KEY RRset at any delegation point. Delegations in the
parent MAY contain only the following RR types: NS, DS, NXT and SIG.
The NS RRset MUST NOT be signed. The NXT RRset is the exceptional
case: it will always appear differently and authoritatively in both
the parent and child zones if both are secure.
2.2.1.1 Special processing for DS queries A secure zone MUST contain a self-signed KEY RRset at its apex. Upon
verifying the DS RRset from the parent, a resolver MAY trust any KEY
identified in the DS RRset as a valid signer of the child's apex KEY
RRset. Resolvers configured to trust one of the keys signing the KEY
RRset MAY now treat any data signed by the zone keys in the KEY RRset
as secure. In all other cases resolvers MUST consider the zone
unsecure. A DS RRset MUST NOT appear at a zone's apex.
When a server is authoritative for the parent zone at a delegation An authoritative server queried for type DS MUST return the DS RRset
point and receives a query for the DS record at that name, it will in the answer section.
return the DS from the parent zone. This is true whether or not it
is also authoritative for the child zone.
When the server is authoritative for the child zone at a delegation 2.2.1.1 Special processing for DS queries
point but not the parent zone, there is no natural response, since
the child zone is not authoritative for the DS record at the zone's
apex. As these queries are only expected to originate from recursive
servers which are not DS-aware, the authoritative server MUST answer
with:
RCODE: NOERROR
AA bit: set
Answer Section: Empty
Authority Section: SOA [+ SIG(SOA) + NXT + SIG(NXT)]
That is, it answers as if it is authoritative and the DS record does When a server is authoritative for the parent zone at a delegation
not exist. DS-aware recursive servers will query the parent zone at point and receives a query for the DS record at that name, it MUST
delegation points, so will not be affected by this. answer based on data in the parent zone, return DS or negative
answer. This is true whether or not it is also authoritative for the
child zone.
A server authoritative for only the child zone at a delegation point When the server is authoritative for the child zone at a delegation
that is also a caching server MAY (if the RD bit is set in the query) point but not the parent zone, there is no natural response, since
perform recursion to find the DS record at the delegation point, and the child zone is not authoritative for the DS record at the zone's
may return the DS record from its cache. In this case, the AA bit apex. As these queries are only expected to originate from recursive
MUST not be set in the response. servers which are not DS-aware, the authoritative server MUST answer
with:
RCODE: NOERROR
AA bit: set
Answer Section: Empty
Authority Section: SOA [+ SIG(SOA) + NXT + SIG(NXT)]
2.2.1.2 Special processing when child and an ancestor share server" That is, it answers as if it is authoritative and the DS record does
not exist. DS-aware recursive servers will query the parent zone at
delegation points, so will not be affected by this.
Special rules are needed to permit DS RR aware servers to gracefully A server authoritative for only the child zone, that is also a
interact with older caches which otherwise might falsely label a caching server MAY (if the RD bit is set in the query) perform
server as lame because of the new placement of the DS RR set. recursion to find the DS record at the delegation point, or MAY
return the DS record from its cache. In this case, the AA bit MUST
not be set in the response.
Such a situation might arise when a server is authoritative for both 2.2.1.2 Special processing when child and an ancestor share server
a zone and it's grandparent, but not the parent. This sounds like an
obscure example, but it is very real. The root zone is currently
served on 13 machines, and "root-servers.net." is served on 4 of the
same 13, but "net." is served elsewhere.
When a server receives a query for (<QNAME>, DS, IN), the response Special rules are needed to permit DS RR aware servers to gracefully
MUST be determined from reading these rules in order: interact with older caches which otherwise might falsely label a
server as lame because of the placement of the DS RR set.
1) If the server is authoritative for the zone that holds the DS RR Such a situation might arise when a server is authoritative for both
set (i.e., the zone that delegates <QNAME> away, aka the "parent" a zone and it's grandparent, but not the parent. This sounds like an
zone), the response contains the DS RR set as an authoritative obscure example, but it is very real. The root zone is currently
answer. served on 13 machines, and "root-servers.net." is served on 4 of the
same 13, but "net." is served elsewhere.
2) If the server is offering recursive service and the RD bit is set When a server receives a query for (<QNAME>, DS, <QCLASS>), the
in the query, the server performs the query itself (according to the response MUST be determined from reading these rules in order:
rules for resolvers described below) and returns it's findings.
3) If the server is authoritative for the zone that holds the 1) If the server is authoritative for the zone that holds the DS RR
<QNAME>'s SOA RR set, the response is an authoritative negative set (i.e., the zone that delegates <QNAME>, aka the "parent" zone),
answer as described in 2.2.1.1. the response contains the DS RR set as an authoritative answer.
4) If the server is authoritative for a zone or zones above the 2) If the server is offering recursive service and the RD bit is set
QNAME, a referral to the most enclosing zone's servers is made. in the query, the server performs the query itself (according to the
rules for resolvers described below) and returns its findings.
5) If the server is not authoritative for any part of the QNAME, a 3) If the server is authoritative for the zone that holds the
response indicating a lame server for QNAME is given. <QNAME>'s SOA RR set, the response is an authoritative negative
answer as described in 2.2.1.1.
Using these rules will require some special processing on the part of 4) If the server is authoritative for a zone or zones above the
a DS RR aware resolver. To illustrate this, an example is used. QNAME, a referral to the most enclosing zone's servers is made.
Assuming a server is authoritative for roots.example.net. and for the 5) If the server is not authoritative for any part of the QNAME, a
root zone but not the intervening two zones (or the intervening two response indicating a lame server for QNAME is given.
label deep zone). Assume that QNAME=roots.example.net., QTYPE=DS,
and QCLASS=IN.
The resolver will issue this request (assuming no cached data) Using these rules will require some special processing on the part of
expecting a referral to a net. server. Instead, rule number 3 above a DS RR aware resolver. To illustrate this, an example is used.
applies and a negative answer is returned by the server. The
reaction by the resolver is not to accept this answer as final as it
can determine from the SOA RR in the negative answer the context
within which the server has answered.
A solution to this is to instruct the resolver to hunt for the Assuming a server is authoritative for roots.example.net. and for the
authoritative zone of the data in a brute force manner. root zone but not the intervening two zones (or the intervening two
label deep zone). Assume that QNAME=roots.example.net., QTYPE=DS,
and QCLASS=IN.
This can be accomplished by taking the owner name of the returned SOA The resolver will issue this request (assuming no cached data)
RR and strip off enough left-hand labels until a successful NS expecting a referral to a net. server. Instead, rule number 3 above
response is obtained. A successful response here means that the applies and a negative answer is returned by the server. The
answer has NS records in it. (Entertaining the possibility that a reaction by the resolver is not to accept this answer as final as it
cut point may be two labels down in a zone.) can determine from the SOA RR in the negative answer the context
within which the server has answered.
Returning to the example, the response will include a negative answer A solution to this is to instruct the resolver to hunt for the
with either the SOA RR for "roots.example.net." or "example.net." authoritative zone of the data in a brute force manner.
depending on whether roots.example.net is a delegated domain. In
either case, removing the least significant label of the SOA owner
name will lead to the location of the desired data.
2.2.1.3 Modification on KEY RR in the construction of Responses This can be accomplished by taking the owner name of the returned SOA
RR and striping off enough left-hand labels until a successful NS
response is obtained. A successful response here means that the
answer has NS records in it. (Entertaining the possibility that a
cut point can be two labels down in a zone.)
This section updates RFC2535 section 3.5 by replacing it with the Returning to the example, the response will include a negative answer
following: with either the SOA RR for "roots.example.net." or "example.net."
depending on whether roots.example.net is a delegated domain. In
either case, removing the left most label of the SOA owner name will
lead to the location of the desired data.
An query for KEY RR MUST NOT trigger any additional section 2.2.1.3 Modification on use of KEY RR in the construction of Responses
processing. Security aware resolver will include corresponding SIG
records in the answer section.
KEY records SHOULD NOT be added to additional records section in This section updates RFC2535 section 3.5 by replacing it with the
response to any query. following:
RFC2535 included rules to in add KEY records to additional section A query for KEY RR MUST NOT trigger any additional section
when SOA or NS records where included in an answer. The is was done processing. Security aware resolvers will include corresponding SIG
to reduce round trips (in the case of SOA) and to force out NULL records in the answer section.
KEY's (in the NS case), as this document obsoletes NULL keys there is
no need for the second case, the first case causes redundant
transfers of KEY RRset as SOA is included in the authority section of
negative answers.
RFC2535 section 3.5 also included rule for adding KEY RRset to query KEY records SHOULD NOT be added to the additional records section in
for A and AAAA, as Restrict KEY[RFC3445] eliminated use of KEY RR by response to any query.
all applications therfore the rule is not needed anymore.
2.2.2 Signer's Name (replaces RFC3008 section 2.7) RFC2535 specified that KEY records be added to the additional section
when SOA or NS records where included in an answer. This was done to
reduce round trips (in the case of SOA) and to force out NULL KEYs
(in the NS case). As this document obsoletes NULL keys there is no
need for the inclusion of KEYs with NSs. Furthermore as SOAs are
included in the authority section of negative answers, including the
KEYs each time will cause redundant transfers of KEYs.
The signer's name field of a SIG RR MUST contain the name of the zone RFC2535 section 3.5 also included rule for adding the KEY RRset to
to which the data and signature belong. The combination of signer's the response for a query for A and AAAA types. As Restrict
name, key tag, and algorithm MUST identify a zone key if the SIG is KEY[RFC3445] eliminated use of KEY RR by all applications this rule
to be considered material. This document defines a standard policy is no longer needed.
for DNSSEC validation; local policy may override the standard policy.
There are no restrictions on the signer field of a SIG(0) record. 2.2.2 Signer's Name (replaces RFC3008 section 2.7)
The combination of signer's name, key tag, and algorithm MUST
identify a key if this SIG(0) is to be processed.
2.2.3 Changes to RFC3090 The signer's name field of a SIG RR MUST contain the name of the zone
to which the data and signature belong. The combination of signer's
name, key tag, and algorithm MUST identify a zone key if the SIG is
to be considered material. This document defines a standard policy
for DNSSEC validation; local policy MAY override the standard policy.
A number of sections of RFC3090 need to be updated to reflect the DS There are no restrictions on the signer field of a SIG(0) record.
record. The combination of signer's name, key tag, and algorithm MUST
identify a key if this SIG(0) is to be processed.
2.2.3.1 RFC3090: Updates to section 1: Introduction 2.2.3 Changes to RFC3090
Most of the text is still relevant but the words ``NULL key'' are to A number of sections of RFC3090 need to be updated to reflect the DS
be replaced with ``missing DS RRset''. In section 1.3 the last three record.
paragraphs discuss the confusion in sections of RFC 2535 that are
replaced in section 2.2.1 above. Therefore, these paragraphs are now
obsolete.
2.2.3.2 RFC3090 section 2.1: Globally Secured 2.2.3.1 RFC3090: Updates to section 1: Introduction
Rule 2.1.b is replaced by the following rule: Most of the text is still relevant but the words ``NULL key'' are to
be replaced with ``missing DS RRset''. In section 1.3 the last three
paragraphs discuss the confusion in sections of RFC 2535 that are
replaced in section 2.2.1 above. Therefore, these paragraphs are now
obsolete.
2.1.b. The KEY RRset at a zone's apex MUST be self-signed by a 2.2.3.2 RFC3090 section 2.1: Globally Secured
private key whose public counterpart MUST appear in a zone signing
KEY RR (2.a) owned by the zone's apex and specifying a mandatory-to-
implement algorithm. This KEY RR MUST be identified by a DS RR in a
signed DS RRset in the parent zone.
If a zone cannot get its parent to advertise a DS record for it, the Rule 2.1.b is replaced by the following rule:
child zone cannot be considered globally secured. The only exception
to this is the root zone, for which there is no parent zone.
2.2.3.3 RFC3090 section 3: Experimental Status. 2.1.b. The KEY RRset at a zone's apex MUST be self-signed by a
private key whose public counterpart MUST appear in a zone signing
KEY RR (2.a) owned by the zone's apex and specifying a mandatory-to-
implement algorithm. This KEY RR MUST be identified by a DS RR in a
signed DS RRset in the parent zone.
The only difference between experimental status and globally secured If a zone cannot get its parent to advertise a DS record for it, the
is the missing DS RRset in the parent zone. All locally secured zones child zone cannot be considered globally secured. The only exception
are experimental. to this is the root zone, for which there is no parent zone.
2.2.4 NULL KEY elimination 2.2.3.3 RFC3090 section 3: Experimental Status.
RFC3445 section 3 elminates the top two bits in the flags field of The only difference between experimental status and globally secured
KEY RR. These two bits where used to indicate NULL KEY or NO KEY. is the missing DS RRset in the parent zone. All locally secured zones
RFC3090 defines that zone that defines that zone is either secure or are experimental.
not, eliminates the possible need to put NULL keys in the zone apex
to indicate that the zone is not secured for a algorithm. Along with
this document these other two elminate all uses for the NULL KEY,
Thus this document obsoletes NULL KEY.
2.3 Comments on Protocol Changes 2.2.4 NULL KEY elimination
Over the years there have been various discussions surrounding the RFC3445 section 3 eliminates the top two bits in the flags field of
DNS delegation model, declaring it to be broken because there is no KEY RR. These two bits were used to indicate NULL KEY or NO KEY.
good way to assert if a delegation exists. In the RFC2535 version of RFC3090 defines that zone is either secure or not, these rules
DNSSEC, the presence of the NS bit in the NXT bit map proves there is eliminates the possible need to put NULL keys in the zone apex to
a delegation at this name. Something more explicit is needed and the indicate that the zone is not secured for a algorithm. Along with
DS record addresses this need for secure delegations. this document these other two eliminate all uses for the NULL KEY,
This document obsoletes NULL KEY.
The DS record is a major change to DNS: it is the first resource 2.3 Comments on Protocol Changes
record that can appear only on the upper side of a delegation. Adding
it will cause interoperabilty problems and requires a flag day for
DNSSEC. Many old servers and resolvers MUST be upgraded to take
advantage of DS. Some old servers will be able to be authoritative
for zones with DS records but will not add the NXT or DS records to
the authority section. The same is true for caching servers; in
fact, some may even refuse to pass on the DS or NXT records.
2.4 Wire Format of the DS record Over the years there have been various discussions surrounding the
DNS delegation model, declaring it to be broken because there is no
good way to assert if a delegation exists. In the RFC2535 version of
DNSSEC, the presence of the NS bit in the NXT bit map proves there is
a delegation at this name. Something more explicit is needed and the
DS record addresses this need for secure delegations.
The DS (type=TDB) record contains these fields: key tag, algorithm, The DS record is a major change to DNS: it is the first resource
digest type, and the digest of a public key KEY record that is record that can appear only on the upper side of a delegation. Adding
allowed and/or used to sign the child's apex KEY RRset. Other keys it will cause interoperabilty problems and requires a flag day for
MAY sign the child's apex KEY RRset. DNSSEC. Many old servers and resolvers MUST be upgraded to take
advantage of DS. Some old servers will be able to be authoritative
for zones with DS records but will not add the NXT or DS records to
the authority section. The same is true for caching servers; in
fact, some might even refuse to pass on the DS or NXT records.
1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 2.4 Wire Format of the DS record
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| key tag | algorithm | Digest type |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| digest (length depends on type) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| (SHA-1 digest is 20 bytes) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-|
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-|
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The key tag is calculated as specified in RFC2535. Algorithm MUST be The DS (type=TDB) record contains these fields: key tag, algorithm,
an algorithm number assigned in the range 1..251 and the algorithm digest type, and the digest of a public key KEY record that is
MUST be allowed to sign DNS data. The digest type is an identifier allowed and/or used to sign the child's apex KEY RRset. Other keys
for the digest algorithm used. The digest is calculated over the MAY sign the child's apex KEY RRset.
canonical name of the delegated domain name followed by the whole
RDATA of the KEY record (all four fields).
digest = hash( canonical FQDN on KEY RR | KEY_RR_rdata) 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| key tag | algorithm | Digest type |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| digest (length depends on type) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| (SHA-1 digest is 20 bytes) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-|
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-|
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
KEY_RR_rdata = Flags | Protocol | Algorithm | Public Key The key tag is calculated as specified in RFC2535. Algorithm MUST be
an algorithm number assigned in the range 1..251 and the algorithm
MUST be allowed to sign DNS data. The digest type is an identifier
for the digest algorithm used. The digest is calculated over the
canonical name of the delegated domain name followed by the whole
RDATA of the KEY record (all four fields).
Digest type value 0 is reserved, value 1 is SHA-1, and reserving digest = hash( canonical FQDN on KEY RR | KEY_RR_rdata)
other types requires IETF standards action. For interoperabilty
reasons, as few digest algorithms as possible should be reserved. The
only reason to reserve additional digest types is to increase
security.
DS records MUST point to zone KEY records that are allowed to KEY_RR_rdata = Flags | Protocol | Algorithm | Public Key
authenticate DNS data. The indicated KEY record's protocol field
MUST be set to 3; flag field bit 7 MUST be set to 1. The value of
other flag bits is not significant for the purposes of this document.
The size of the DS RDATA for type 1 (SHA-1) is 24 bytes, regardless Digest type value 0 is reserved, value 1 is SHA-1, and reserving
of key size, new digest types probably will have larger digests. other types requires IETF standards action. For interoperabilty
reasons, keeping number of digest algorithms low is strongly
RECOMMENDED. The only reason to reserve additional digest types is
to increase security.
2.4.1 Justifications for Fields DS records MUST point to zone KEY records that are allowed to
authenticate DNS data. The indicated KEY records protocol field MUST
be set to 3; flag field bit 7 MUST be set to 1. The value of other
flag bits is not significant for the purposes of this document.
The algorithm and key tag fields are present to allow resolvers to The size of the DS RDATA for type 1 (SHA-1) is 24 bytes, regardless
quickly identify the candidate KEY records to examine. SHA-1 is a of key size. New digest types probably will have larger digests.
strong cryptographic checksum: it is computationally infeasible for
an attacker to generate a KEY record that has the same SHA-1 digest.
Combining the name of the key and the key rdata as input to the
digest provides stronger assurance of the binding. Having the key
tag in the DS record adds greater assurance than the SHA-1 digest
alone, as there are now two different mapping functions that a KEY RR
must match.
This format allows concise representation of the keys that the child 2.4.1 Justifications for Fields
will use, thus keeping down the size of the answer for the
delegation, reducing the probability of DNS message overflow. The
SHA-1 hash is strong enough to uniquely identify the key and is
similar to the PGP key footprint. The digest type field is present
for possible future expansion.
The DS record is well suited to listing trusted keys for islands of The algorithm and key tag fields are present to allow resolvers to
security in configuration files. quickly identify the candidate KEY records to examine. SHA-1 is a
strong cryptographic checksum: it is computationally infeasible for
an attacker to generate a KEY record that has the same SHA-1 digest.
Combining the name of the key and the key rdata as input to the
digest provides stronger assurance of the binding. Having the key
tag in the DS record adds greater assurance than the SHA-1 digest
alone, as there are now two different mapping functions.
2.5 Presentation Format of the DS Record This format allows concise representation of the keys that the child
will use, thus keeping down the size of the answer for the
delegation, reducing the probability of DNS message overflow. The
SHA-1 hash is strong enough to uniquely identify the key and is
similar to the PGP key footprint. The digest type field is present
for possible future expansion.
The presentation format of the DS record consists of three numbers The DS record is well suited to listing trusted keys for islands of
(key tag, algorithm and digest type) followed by the digest itself security in configuration files.
presented in hex:
example. DS 12345 3 1 123456789abcdef67890123456789abcdef67890
2.6 Transition Issues for Installed Base 2.5 Presentation Format of the DS Record
No backwards compatibility with RFC2535 is provided. The presentation format of the DS record consists of three numbers
(key tag, algorithm and digest type) followed by the digest itself
presented in hex:
example. DS 12345 3 1 123456789abcdef67890123456789abcdef67890
RFC2535-compliant resolvers will assume that all DS-secured 2.6 Transition Issues for Installed Base
delegations are locally secure. This is bad, but the DNSEXT Working
Group has determined that rather than dealing with both
RFC2535-secured zones and DS-secured zones, a rapid adoption of DS is
preferable. Thus the only option for early adopters is to upgrade to
DS as soon as possible.
2.6.1 Backwards compatibility with RFC2535 and RFC1035 No backwards compatibility with RFC2535 is provided.
This section documents how a resolver determines the type of RFC2535-compliant resolvers will assume that all DS-secured
delegation. delegations are locally secure. This is bad, but the DNSEXT Working
RFC1035 delegation (in parent) has: Group has determined that rather than dealing with both
RFC2535-secured zones and DS-secured zones, a rapid adoption of DS is
preferable. Thus the only option for early adopters is to upgrade to
DS as soon as possible.
RFC1035 NS 2.6.1 Backwards compatibility with RFC2535 and RFC1035
RFC2535 adds the following two cases: This section documents how a resolver determines the type of
delegation.
RFC1035 delegation (in parent) has:
Secure RFC2535: NS + NXT + SIG(NXT) RFC1035 NS
NXT bit map contains: NS SIG NXT
Unsecure RFC2535: NS + KEY + SIG(KEY) + NXT + SIG(NXT)
NXT bit map contains: NS SIG KEY NXT
KEY must be a NULL key.
DNSSEC with DS has the following two states: RFC2535 adds the following two cases:
Secure DS: NS + DS + SIG(DS) Secure RFC2535: NS + NXT + SIG(NXT)
NXT bit map contains: NS SIG NXT DS NXT bit map contains: NS SIG NXT
Unsecure DS: NS + NXT + SIG(NXT) Unsecure RFC2535: NS + KEY + SIG(KEY) + NXT + SIG(NXT)
NXT bit map contains: NS SIG NXT NXT bit map contains: NS SIG KEY NXT
KEY must be a NULL key.
It is difficult for a resolver to determine if a delegation is secure DNSSEC with DS has the following two states:
RFC 2535 or unsecure DS. This could be overcome by adding a flag to
the NXT bit map, but only upgraded resolvers would understand this
flag, anyway. Having both parent and child signatures for a KEY RRset
might allow old resolvers to accept a zone as secure, but the cost of
doing this for a long time is much higher than just prohibiting RFC
2535-style signatures at child zone apexes and forcing rapid
deployment of DS-enabled servers and resolvers.
RFC 2535 and DS can in theory be deployed in parallel, but this would Secure DS: NS + DS + SIG(DS)
require resolvers to deal with RFC 2535 configurations forever. This NXT bit map contains: NS SIG NXT DS
document obsoletes the NULL KEY in parent zones, which is a difficult Unsecure DS: NS + NXT + SIG(NXT)
enough change that a flag day is required. NXT bit map contains: NS SIG NXT
2.7 KEY and corresponding DS record example It is difficult for a resolver to determine if a delegation is secure
RFC 2535 or unsecure DS. This could be overcome by adding a flag to
the NXT bit map, but only upgraded resolvers would understand this
flag, anyway. Having both parent and child signatures for a KEY RRset
might allow old resolvers to accept a zone as secure, but the cost of
doing this for a long time is much higher than just prohibiting RFC
2535-style signatures at child zone apexes and forcing rapid
deployment of DS-enabled servers and resolvers.
This is an example of a KEY record and the corresponding DS record. RFC 2535 and DS can in theory be deployed in parallel, but this would
require resolvers to deal with RFC 2535 configurations forever. This
document obsoletes the NULL KEY in parent zones, which is a difficult
enough change that to cause a flag day.
dskey.example. KEY 256 3 1 ( 2.7 KEY and corresponding DS record example
AQPwHb4UL1U9RHaU8qP+Ts5bVOU1s7fYbj2b3CCbzNdj
4+/ECd18yKiyUQqKqQFWW5T3iVc8SJOKnueJHt/Jb/wt
) ; key id = 28668
DS 28668 1 1 49FD46E6C4B45C55D4AC69CBD3CD34AC1AFE51DE
3 Resolver This is an example of a KEY record and the corresponding DS record.
3.1 DS Example dskey.example. KEY 256 3 1 (
AQPwHb4UL1U9RHaU8qP+Ts5bVOU1s7fYbj2b3CCbzNdj
4+/ECd18yKiyUQqKqQFWW5T3iVc8SJOKnueJHt/Jb/wt
) ; key id = 28668
DS 28668 1 1 49FD46E6C4B45C55D4AC69CBD3CD34AC1AFE51DE
To create a chain of trust, a resolver goes from trusted KEY to DS to 3 Resolver
KEY.
Assume the key for domain "example." is trusted. Zone "example." 3.1 DS Example
contains at least the following records:
example. SOA <soa stuff>
example. NS ns.example.
example. KEY <stuff>
example. NXT NS SOA KEY SIG NXT secure.example.
example. SIG(SOA)
example. SIG(NS)
example. SIG(NXT)
example. SIG(KEY)
secure.example. NS ns1.secure.example.
secure.example. DS tag=12345 alg=3 digest_type=1 <foofoo>
secure.example. NXT NS SIG NXT DS unsecure.example.
secure.example. SIG(NXT)
secure.example. SIG(DS)
unsecure.example NS ns1.unsecure.example.
unsecure.example. NXT NS SIG NXT example.
unsecure.example. SIG(NXT)
In zone "secure.example." following records exist: To create a chain of trust, a resolver goes from trusted KEY to DS to
secure.example. SOA <soa stuff> KEY.
secure.example. NS ns1.secure.example.
secure.example. KEY <tag=12345 alg=3>
secure.example. KEY <tag=54321 alg=5>
secure.example. NXT <nxt stuff>
secure.example. SIG(KEY) <key-tag=12345 alg=3>
secure.example. SIG(SOA) <key-tag=54321 alg=5>
secure.example. SIG(NS) <key-tag=54321 alg=5>
secure.example. SIG(NXT) <key-tag=54321 alg=5>
In this example the private key for "example." signs the DS record Assume the key for domain "example." is trusted. Zone "example."
for "secure.example.", making that a secure delegation. The DS record contains at least the following records:
states which key is expected to sign the KEY RRset at example. SOA <soa stuff>
"secure.example.". Here "secure.example." signs its KEY RRset with example. NS ns.example.
the KEY identified in the DS RRset, thus the KEY RRset is validated example. KEY <stuff>
and trusted. example. NXT NS SOA KEY SIG NXT secure.example.
example. SIG(SOA)
example. SIG(NS)
example. SIG(NXT)
example. SIG(KEY)
secure.example. NS ns1.secure.example.
secure.example. DS tag=12345 alg=3 digest_type=1 <foofoo>
secure.example. NXT NS SIG NXT DS unsecure.example.
secure.example. SIG(NXT)
secure.example. SIG(DS)
unsecure.example NS ns1.unsecure.example.
unsecure.example. NXT NS SIG NXT example.
unsecure.example. SIG(NXT)
This example has only one DS record for the child, but parents MUST In zone "secure.example." following records exist:
allow multiple DS records to facilitate key rollover and multiple KEY secure.example. SOA <soa stuff>
algorithms. secure.example. NS ns1.secure.example.
secure.example. KEY <tag=12345 alg=3>
secure.example. KEY <tag=54321 alg=5>
secure.example. NXT <nxt stuff>
secure.example. SIG(KEY) <key-tag=12345 alg=3>
secure.example. SIG(SOA) <key-tag=54321 alg=5>
secure.example. SIG(NS) <key-tag=54321 alg=5>
secure.example. SIG(NXT) <key-tag=54321 alg=5>
The resolver determines the security status of "unsecure.example." by In this example the private key for "example." signs the DS record
examining the parent zone's NXT record for this name. The absence of for "secure.example.", making that a secure delegation. The DS record
the DS bit indicates an unsecure delegation. Note the NXT record states which key is expected to sign the KEY RRset at
SHOULD only be examined after verifying the corresponding signature. "secure.example.". Here "secure.example." signs its KEY RRset with
the KEY identified in the DS RRset, thus the KEY RRset is validated
and trusted.
3.1 Resolver Cost Estimates for DS Records This example has only one DS record for the child, but parents MUST
allow multiple DS records to facilitate key rollover and multiple KEY
algorithms.
From a RFC2535 resolver point of view, for each delegation followed The resolver determines the security status of "unsecure.example." by
to chase down an answer, one KEY RRset has to be verified. examining the parent zone's NXT record for this name. The absence of
Additional RRsets might also need to be verified based on local the DS bit indicates an unsecure delegation. Note the NXT record
policy (e.g., the contents of the NS RRset). Once the resolver gets SHOULD only be examined after verifying the corresponding signature.
to the appropriate delegation, validating the answer might require
verifying one or more signatures. A simple A record lookup requires
at least N delegations to be verified and one RRset. For a DS-enabled
resolver, the cost is 2N+1. For an MX record, where the target of
the MX record is in the same zone as the MX record, the costs are N+2
and 2N+2, for RFC 2535 and DS, respectively. In the case of negatives
answer the same ratios hold true.
The resolver may require an extra query to get the DS record and this 3.2 Resolver Cost Estimates for DS Records
may add to the overall cost of the query, but this is never worse
than chasing down NULL KEY records from the parent in RFC2535 DNSSEC.
DS adds processing overhead on resolvers and increases the size of From a RFC2535 resolver point of view, for each delegation followed
delegation answers, but much less than storing signatures in the to chase down an answer, one KEY RRset has to be verified.
parent zone. Additional RRsets might also need to be verified based on local
policy (e.g., the contents of the NS RRset). Once the resolver gets
to the appropriate delegation, validating the answer might require
verifying one or more signatures. A simple A record lookup requires
at least N delegations to be verified and one RRset. For a DS-enabled
resolver, the cost is 2N+1. For an MX record, where the target of
the MX record is in the same zone as the MX record, the costs are N+2
and 2N+2, for RFC 2535 and DS, respectively. In the case of negatives
answer the same ratios hold true.
4 Security Considerations: The resolver have to do an extra query to get the DS record and this
increases the overall cost of resolving this question, but this is
never worse than chasing down NULL KEY records from the parent in
RFC2535 DNSSEC.
This document proposes a change to the validation chain of KEY DS adds processing overhead on resolvers and increases the size of
records in DNSSEC. The change is not believed to reduce security in delegation answers, but much less than storing signatures in the
the overall system. In RFC2535 DNSSEC, the child zone has to parent zone.
communicate keys to its parent and prudent parents will require some
authentication with that transaction. The modified protocol will
require the same authentication, but allows the child to exert more
local control over its own KEY RRset.
There is a remote possibility that an attacker could generate a valid 4 Security Considerations:
KEY that matches all the DS fields, of a specific DS set, and thus
forge data from the child. This possibility is considered
impractical, as on average more than
2 ^ (160 - <Number of keys in DS set>)
keys would have to be generated before a match would be found.
An attacker that wants to match any DS record will have to generate This document proposes a change to the validation chain of KEY
on average at least 2^80 keys. records in DNSSEC. The change is not believed to reduce security in
the overall system. In RFC2535 DNSSEC, the child zone has to
communicate keys to its parent and prudent parents will require some
authentication with that transaction. The modified protocol will
require the same authentication, but allows the child to exert more
local control over its own KEY RRset.
The DS record represents a change to the DNSSEC protocol and there is There is a remote possibility that an attacker could generate a valid
an installed base of implementations, as well as textbooks on how to KEY that matches all the DS fields, of a specific DS set, and thus
set up secure delegations. Implementations that do not understand the forge data from the child. This possibility is considered
DS record will not be able to follow the KEY to DS to KEY chain and impractical, as on average more than
will consider all zones secured that way as unsecure. 2 ^ (160 - <Number of keys in DS set>)
keys would have to be generated before a match would be found.
5 IANA Considerations: An attacker that wants to match any DS record will have to generate
on average at least 2^80 keys.
IANA needs to allocate an RR type code for DS from the standard RR The DS record represents a change to the DNSSEC protocol and there is
type space (type 43 requested). an installed base of implementations, as well as textbooks on how to
set up secure delegations. Implementations that do not understand the
DS record will not be able to follow the KEY to DS to KEY chain and
will consider all zones secured that way as unsecure.
IANA needs to open a new registry for the DS RR type for digest 5 IANA Considerations:
algorithms. Defined types are:
0 is Reserved,
1 is SHA-1.
Adding new reservations requires IETF standards action.
6 Acknowledgments IANA needs to allocate an RR type code for DS from the standard RR
type space (type 43 requested).
Over the last few years a number of people have contributed ideas IANA needs to open a new registry for the DS RR type for digest
that are captured in this document. The core idea of using one key to algorithms. Defined types are:
sign only the KEY RRset comes from discussions with Bill Manning and 0 is Reserved,
Perry Metzger on how to put in a single root key in all resolvers. 1 is SHA-1.
Alexis Yushin, Brian Wellington, Sam Weiler, Paul Vixie, Jakob Adding new reservations requires IETF standards action.
Schlyter, Scott Rose, Edward Lewis, Lars-Johan Liman, Matt Larson,
Mark Kosters, Dan Massey, Olaf Kolman, Phillip Hallam-Baker, Miek
Gieben, Havard Eidnes, Donald Eastlake 3rd., Randy Bush, David
Blacka, Steve Bellovin, Rob Austein, Derek Atkins, Roy Arends, Mark
Andrews, Harald Alvestrand, and others have provided useful comments.
Normative References: 6 Acknowledgments
[RFC1035] P. Mockapetris, ``Domain Names - Implementation and Over the last few years a number of people have contributed ideas
Specification'', STD 13, RFC 1035, November 1987. that are captured in this document. The core idea of using one key to
sign only the KEY RRset comes from discussions with Bill Manning and
Perry Metzger on how to put in a single root key in all resolvers.
Alexis Yushin, Brian Wellington, Sam Weiler, Paul Vixie, Jakob
Schlyter, Scott Rose, Edward Lewis, Lars-Johan Liman, Matt Larson,
Mark Kosters, Dan Massey, Olaf Kolman, Phillip Hallam-Baker, Miek
Gieben, Havard Eidnes, Donald Eastlake 3rd., Randy Bush, David
Blacka, Steve Bellovin, Rob Austein, Derek Atkins, Roy Arends, Mark
Andrews, Harald Alvestrand, and others have provided useful comments.
[RFC2535] D. Eastlake, ``Domain Name System Security Extensions'', RFC Normative References:
2535, March 1999.
[RFC3008] B. Wellington, ``Domain Name System Security (DNSSEC) Signing [RFC1035] P. Mockapetris, ``Domain Names - Implementation and
Authority'', RFC 3008, November 2000. Specification'', STD 13, RFC 1035, November 1987.
[RFC3090] E. Lewis `` DNS Security Extension Clarification on Zone [RFC2535] D. Eastlake, ``Domain Name System Security Extensions'', RFC
Status'', RFC 3090, March 2001. 2535, March 1999.
[RFC3225] D. Conrad, ``Indicating Resolver Support of DNSSEC'', RFC [RFC3008] B. Wellington, ``Domain Name System Security (DNSSEC) Signing
3225, December 2001. Authority'', RFC 3008, November 2000.
[RFC3445] D. Massey, S. Rose ``Limiting the scope of the KEY Resource [RFC3090] E. Lewis `` DNS Security Extension Clarification on Zone
Record (RR)``, RFC 3445, December 2002. Status'', RFC 3090, March 2001.
Informational References [RFC3225] D. Conrad, ``Indicating Resolver Support of DNSSEC'', RFC
3225, December 2001.
[RFC2181] R. Elz, R. Bush, ``Clarifications to the DNS Specification'', [RFC3445] D. Massey, S. Rose ``Limiting the scope of the KEY Resource
RFC 2181, July 1997. Record (RR)``, RFC 3445, December 2002.
[RFC3226] O. Gudmundsson, ``DNSSEC and IPv6 A6 aware server/resolver Informational References
message size requirements'', RFC 3226, December 2001.
Author Address [RFC2181] R. Elz, R. Bush, ``Clarifications to the DNS Specification'',
RFC 2181, July 1997.
Olafur Gudmundsson [RFC3226] O. Gudmundsson, ``DNSSEC and IPv6 A6 aware server/resolver
3821 Village Park Drive message size requirements'', RFC 3226, December 2001.
Chevy Chase, MD, 20815
USA
<ogud@ogud.com>
Full Copyright Statement Author Address
Copyright (C) The Internet Society (2003). All Rights Reserved. Olafur Gudmundsson
3821 Village Park Drive
Chevy Chase, MD, 20815
USA
<ogud@ogud.com>
This document and translations of it may be copied and furnished to Full Copyright Statement
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be Copyright (C) The Internet Society (2003). All Rights Reserved.
revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an This document and translations of it may be copied and furnished to
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING others, and derivative works that comment on or otherwise explain it
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING or assist in its implementation may be prepared, copied, published
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION and distributed, in whole or in part, without restriction of any
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF kind, provided that the above copyright notice and this paragraph are
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE." included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE."
 End of changes. 144 change blocks. 
550 lines changed or deleted 573 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/