idnits 2.17.1 draft-andrews-dnsop-update-parent-zones-04.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- == No 'Intended status' indicated for this document; assuming Proposed Standard Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.) == There are 4 instances of lines with non-RFC2606-compliant FQDNs in the document. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (November 7, 2013) is 3822 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) ** Obsolete normative reference: RFC 2845 (Obsoleted by RFC 8945) Summary: 2 errors (**), 0 flaws (~~), 3 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group M. Andrews 3 Internet-Draft ISC 4 Expires: May 11, 2014 November 7, 2013 6 Updating Parent Zones 7 draft-andrews-dnsop-update-parent-zones-04 9 Abstract 11 DNS UPDATE was developed to allow DNS zones to be updated. 13 There is a perception that UPDATE cannot be used in conjuction with 14 the Registry, Registar, Registrant (RRR) model to update a zone. 16 This document explains how UPDATE can be used in the RRR model. 18 Status of this Memo 20 This Internet-Draft is submitted in full conformance with the 21 provisions of BCP 78 and BCP 79. 23 Internet-Drafts are working documents of the Internet Engineering 24 Task Force (IETF). Note that other groups may also distribute 25 working documents as Internet-Drafts. The list of current Internet- 26 Drafts is at http://datatracker.ietf.org/drafts/current/. 28 Internet-Drafts are draft documents valid for a maximum of six months 29 and may be updated, replaced, or obsoleted by other documents at any 30 time. It is inappropriate to use Internet-Drafts as reference 31 material or to cite them other than as "work in progress." 33 This Internet-Draft will expire on May 11, 2014. 35 Copyright Notice 37 Copyright (c) 2013 IETF Trust and the persons identified as the 38 document authors. All rights reserved. 40 This document is subject to BCP 78 and the IETF Trust's Legal 41 Provisions Relating to IETF Documents 42 (http://trustee.ietf.org/license-info) in effect on the date of 43 publication of this document. Please review these documents 44 carefully, as they describe your rights and restrictions with respect 45 to this document. Code Components extracted from this document must 46 include Simplified BSD License text as described in Section 4.e of 47 the Trust Legal Provisions and are provided without warranty as 48 described in the Simplified BSD License. 50 Table of Contents 52 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 53 2. Requirements . . . . . . . . . . . . . . . . . . . . . . . . . 3 54 3. Translation . . . . . . . . . . . . . . . . . . . . . . . . . . 3 55 4. Authentication . . . . . . . . . . . . . . . . . . . . . . . . 4 56 5. Direct to Registrar . . . . . . . . . . . . . . . . . . . . . . 4 57 6. Indirect to Registrar . . . . . . . . . . . . . . . . . . . . . 4 58 7. UPDATE Server Discovery . . . . . . . . . . . . . . . . . . . . 5 59 8. Security Considerations . . . . . . . . . . . . . . . . . . . . 6 60 9. Normative References . . . . . . . . . . . . . . . . . . . . . 6 61 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 6 63 1. Introduction 65 UPDATE [RFC2136] is designed to update any zone in the DNS. This 66 includes updating delegating NS records, glue address records and DS 67 records. 69 While UPDATE is primarily designed to UPDATE a zone directly there in 70 no reason why UPDATE requests cannot be translated to the EPP 71 requests to perform the changes. 73 This would provide a uniform model to update parent zone regardless 74 of where they are in the DNS hierarchy or whether the zone is signed 75 or not. 77 2. Requirements 79 This document was written with the following requirements in mind: 81 o must be able to authenticate the transaction. 82 o must be able to update address records to support automated 83 renumbering. 84 o must be able to update DS records to support DNSKEY rollover buy 85 key management tools. 86 o must work for unsigned zones (parent and/or child). 87 o must work for signed zones (parent and/or child). 88 o must work for RRR managed zones. 89 o must work for non RRR managed zones. 90 o desirable support updating of NS RRsets so that nameservers can 91 ensure delegations delgation data remains consistent. 93 3. Translation 95 The Registrar would host a server that authenticates UPDATE requests 96 received directly or relayed by the Registry using TSIG [RFC2845], 97 then translate the actions in the UPDATE request into EPP transaction 98 requests. The results of those EPP transactions would be relayed to 99 the UPDATE client. 101 Requests that are not TSIG signed or fail verification must be 102 rejected. 104 The translating server would handle a restricted subset of UPDATE 105 requests, possibly ignoring the prerequiste section. UPDATE requests 106 would be limited to those supported by EPP. 108 e.g. Add NS record. Delete all NS records. Add A record. Delete 109 AAAA record. Add DS record. Delete DS record. 111 The translating server may also override/ignore the TTL in the UPDATE 112 request. 114 4. Authentication 116 Authentication would be done using TSIG. TSIG was designed to be 117 used in a environment where requests are relayed. 119 Authentication can be done down to the tuple. There 120 exist nameservers that already implement access contols down to this 121 level of granularity based on the presented TSIG. 123 This would allow nameservers to update their own address records as 124 they get renumbered without being able to update anything else. 126 This would allow DNSSEC key management software to update DS records 127 without being able to update anything else. 129 As Registrars do all the authentication and generate the signed 130 responses there is no need for the Registry to have access to the 131 private key material used in TSIG. 133 Registrars already handle shared keys in these numbers with their web 134 interfaces so it is not unreasonable to expect them to be able to 135 handle a similar number of shared TSIG keys. 137 5. Direct to Registrar 139 The hardest part of Direct to Registrar is finding where to send the 140 UPDATE request. This would most probably just be advised to the 141 Registrant. 143 6. Indirect to Registrar 145 In the indirect model the Registry would host a UPDATE relay server 146 which would examine the first record of the UPDATE section and relay 147 the request to the Registrar of record for the owner name of that 148 record. The Registrar would verify the validity if the request based 149 on the TSIG then update the registry contents using EPP if 150 appropriate. The response from the Registrar would be relayed back 151 to the client via the Registry. 153 The Registry takes no action other than to relay the request and 154 response unless it is directed to do so by the Registrar. 156 The relay can use either TCP or UDP when forwarding UPDATE requests 157 as TSIG supports changes to the DNS id field when a request/response 158 is relayed. Only the Registrar and the client (Registrant) need to 159 know the TSIG secret. 161 This is consistent with how tools like nsupdate work out where to 162 send a UPDATE request if the zone is not explicity set. They look at 163 the ownername of the first record and use it to discover the 164 containing zone. 166 7. UPDATE Server Discovery 168 UPDATE server discovery is a issue when the RRR model is in use as 169 the UPDATE may need to be directed through EPP and/or sent to a 170 Registrar. There are a number of way this could be done: 172 1) Adding a underscore infix labels to the zone which contain SRV 173 records at pointing to Registar/Registry servers for each child. 175 e.g. ._update._tcp. SRV 0 0 53 server.example.tld 177 The server pointed to could be be a relay server, as described above, 178 or a UDPATE to EPP translating server. A relay server would allow 179 for slower zone growth. 181 Using underscore infix labels requires no changes to nameservers 182 operated by Registries but does require the zone content to be 183 updated or a separate zone (e.g. _update._tcp.) to be 184 delegated to contain this information. 186 A level of indirection could be added by using CNAME records to point 187 to a domain operated by the registrar which contains the SRV record. 188 This would allow the registrar to update the SRV records without 189 having to update the zone being served by the registry. The CNAME 190 would be updated on registrar changes. Note the target name the 191 CNAME could also be managed by the registry as a way to consolidate 192 the SRV record management. 194 child._update._tcp.tld CNAME registrar._registrars.tld 195 registrar._registrars.tld SRV 0 0 53 server.example.tld 197 As with traditional use of SRV, non-support can be signaled with 199 *._update._tcp SRV 0 0 0 . 201 If the Resistry is operating a relay this can be supported with a 202 single wildcard record. 204 *._update._tcp SRV 0 0 0 server.registry.tld 206 The client can fallback to direct update to parent servers if no SRV 207 record is discovered. This allows the scheme to work outside of the 208 registry, registrar, registant model. 210 2) Extend UDPATE to return the update server. Currently the Zone 211 section of the UPDATE refers to the zone to be update and is 212 identified by the tuple. Replacing SOA with one 213 or more of DS, NS, A and AAAA would allow a nameserver to distingish 214 between a traditional UPDATE request and a request to find the UPDATE 215 servers. The tuple would contain the resource to be updated and the 216 reply would contain SRV records pointing to the UPDATE servers. As 217 there would possibly more than one parent the owner records would 218 refer to the parent zone being updated. 220 8. Security Considerations 222 The UPDATE requests are all TSIG signed. This is a proven method for 223 securing UPDATE requests in the DNS. 225 9. Normative References 227 [RFC2136] Vixie, P., Thomson, S., Rekhter, Y., and J. Bound, 228 "Dynamic Updates in the Domain Name System (DNS UPDATE)", 229 RFC 2136, April 1997. 231 [RFC2845] Vixie, P., Gudmundsson, O., Eastlake, D., and B. 232 Wellington, "Secret Key Transaction Authentication for DNS 233 (TSIG)", RFC 2845, May 2000. 235 Author's Address 237 M. Andrews 238 Internet Systems Consortium 239 950 Charter Street 240 Redwood City, CA 94063 241 US 243 Email: marka@isc.org