idnits 2.17.1 draft-dupont-dnsop-rfc2845bis-00.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- == There are 3 instances of lines with non-RFC2606-compliant FQDNs in the document. -- The draft header indicates that this document obsoletes RFC4635, but the abstract doesn't seem to directly say this. It does mention RFC4635 though, so this could be OK. -- The draft header indicates that this document obsoletes RFC2845, but the abstract doesn't seem to directly say this. It does mention RFC2845 though, so this could be OK. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == Line 408 has weird spacing: '... Signed in ...' == Line 440 has weird spacing: '...AC Data octe...' == Line 697 has weird spacing: '...ptional gss...' == Line 698 has weird spacing: '...ndatory hmac...' == Line 699 has weird spacing: '...ptional hma...' == (3 more instances...) == The document seems to contain a disclaimer for pre-RFC5378 work, but was first submitted on or after 10 November 2008. The disclaimer is usually necessary only for documents that revise or obsolete older RFCs, and that take significant amounts of text from those RFCs. If you can contact all authors of the source material and they are willing to grant the BCP78 rights to the IETF Trust, you can and should remove the disclaimer. Otherwise, the disclaimer is needed and you can ignore this comment. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (October 30, 2017) is 2341 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Possible downref: Non-RFC (?) normative reference: ref. 'FIPS180-4' ** Obsolete normative reference: RFC 2845 (Obsoleted by RFC 8945) ** Obsolete normative reference: RFC 4635 (Obsoleted by RFC 8945) Summary: 2 errors (**), 0 flaws (~~), 9 warnings (==), 4 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Internet Engineering Task Force F. Dupont, Ed. 3 Internet-Draft S. Morris 4 Obsoletes: 2845, 4635 (if approved) ISC 5 Intended status: Standards Track October 30, 2017 6 Expires: May 3, 2018 8 Secret Key Transaction Authentication for DNS (TSIG) 9 draft-dupont-dnsop-rfc2845bis-00 11 Abstract 13 This protocol allows for transaction level authentication using 14 shared secrets and one way hashing. It can be used to authenticate 15 dynamic updates as coming from an approved client, or to authenticate 16 responses as coming from an approved recursive name server. 18 No provision has been made here for distributing the shared secrets: 19 it is expected that a network administrator will statically configure 20 name servers and clients using some out of band mechanism such as 21 sneaker-net until a secure automated mechanism for key distribution 22 is available. 24 This document includes revised original TSIG specifications (RFC2845) 25 and the extension for HMAC-SHA (RFC4635). 27 Status of This Memo 29 This Internet-Draft is submitted in full conformance with the 30 provisions of BCP 78 and BCP 79. 32 Internet-Drafts are working documents of the Internet Engineering 33 Task Force (IETF). Note that other groups may also distribute 34 working documents as Internet-Drafts. The list of current Internet- 35 Drafts is at https://datatracker.ietf.org/drafts/current/. 37 Internet-Drafts are draft documents valid for a maximum of six months 38 and may be updated, replaced, or obsoleted by other documents at any 39 time. It is inappropriate to use Internet-Drafts as reference 40 material or to cite them other than as "work in progress." 42 This Internet-Draft will expire on May 3, 2018. 44 Copyright Notice 46 Copyright (c) 2017 IETF Trust and the persons identified as the 47 document authors. All rights reserved. 49 This document is subject to BCP 78 and the IETF Trust's Legal 50 Provisions Relating to IETF Documents 51 (https://trustee.ietf.org/license-info) in effect on the date of 52 publication of this document. Please review these documents 53 carefully, as they describe your rights and restrictions with respect 54 to this document. Code Components extracted from this document must 55 include Simplified BSD License text as described in Section 4.e of 56 the Trust Legal Provisions and are provided without warranty as 57 described in the Simplified BSD License. 59 This document may contain material from IETF Documents or IETF 60 Contributions published or made publicly available before November 61 10, 2008. The person(s) controlling the copyright in some of this 62 material may not have granted the IETF Trust the right to allow 63 modifications of such material outside the IETF Standards Process. 64 Without obtaining an adequate license from the person(s) controlling 65 the copyright in such materials, this document may not be modified 66 outside the IETF Standards Process, and derivative works of it may 67 not be created outside the IETF Standards Process, except to format 68 it for publication as an RFC or to translate it into languages other 69 than English. 71 Table of Contents 73 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 74 2. Key words . . . . . . . . . . . . . . . . . . . . . . . . . . 4 75 3. New Assigned Numbers . . . . . . . . . . . . . . . . . . . . 4 76 4. TSIG RR Format . . . . . . . . . . . . . . . . . . . . . . . 5 77 4.1. TSIG RR Type . . . . . . . . . . . . . . . . . . . . . . 5 78 4.2. TSIG Calculation . . . . . . . . . . . . . . . . . . . . 5 79 4.3. TSIG Record Format . . . . . . . . . . . . . . . . . . . 5 80 4.3.1. TSIG RDATA Wire Format . . . . . . . . . . . . . . . 6 81 4.4. Example . . . . . . . . . . . . . . . . . . . . . . . . . 7 82 5. Protocol Operation . . . . . . . . . . . . . . . . . . . . . 8 83 5.1. Effects of adding TSIG to outgoing message . . . . . . . 8 84 5.2. TSIG processing on incoming messages . . . . . . . . . . 8 85 5.3. Time values used in TSIG calculations . . . . . . . . . . 8 86 5.4. TSIG Variables and Coverage . . . . . . . . . . . . . . . 9 87 5.4.1. DNS Message . . . . . . . . . . . . . . . . . . . . . 9 88 5.4.2. TSIG Variables . . . . . . . . . . . . . . . . . . . 9 89 5.4.3. Request MAC . . . . . . . . . . . . . . . . . . . . . 10 90 5.5. Padding . . . . . . . . . . . . . . . . . . . . . . . . . 10 91 6. Protocol Details . . . . . . . . . . . . . . . . . . . . . . 10 92 6.1. TSIG generation on requests . . . . . . . . . . . . . . . 10 93 6.2. TSIG on Answers . . . . . . . . . . . . . . . . . . . . . 10 94 6.3. TSIG on TSIG Error returns . . . . . . . . . . . . . . . 11 95 6.4. TSIG on TCP connection . . . . . . . . . . . . . . . . . 11 96 6.5. Server TSIG checks . . . . . . . . . . . . . . . . . . . 12 97 6.5.1. Key check and error handling . . . . . . . . . . . . 12 98 6.5.2. Specifying Truncation . . . . . . . . . . . . . . . . 12 99 6.5.3. MAC check and error handling . . . . . . . . . . . . 13 100 6.5.4. Time check and error handling . . . . . . . . . . . . 13 101 6.5.5. Truncation check and error handling . . . . . . . . . 13 102 6.6. Client processing of answer . . . . . . . . . . . . . . . 13 103 6.6.1. Key error handling . . . . . . . . . . . . . . . . . 14 104 6.6.2. MAC error handling . . . . . . . . . . . . . . . . . 14 105 6.6.3. Time error handling . . . . . . . . . . . . . . . . . 14 106 6.6.4. Truncation error handling . . . . . . . . . . . . . . 14 107 6.7. Special considerations for forwarding servers . . . . . . 14 108 7. Algorithms and Identifiers . . . . . . . . . . . . . . . . . 15 109 8. TSIG Truncation Policy . . . . . . . . . . . . . . . . . . . 15 110 9. Shared Secrets . . . . . . . . . . . . . . . . . . . . . . . 16 111 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 17 112 11. Security Considerations . . . . . . . . . . . . . . . . . . . 17 113 11.1. Issue fixed in this document . . . . . . . . . . . . . . 18 114 11.2. Why not DNSSEC? . . . . . . . . . . . . . . . . . . . . 18 115 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 19 116 12.1. Normative References . . . . . . . . . . . . . . . . . . 19 117 12.2. Informative References . . . . . . . . . . . . . . . . . 20 118 Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . 22 119 Appendix B. Change History . . . . . . . . . . . . . . . . . . . 22 120 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 23 122 1. Introduction 124 In 2017, security problems in two nameservers strictly following 125 [RFC2845] and [RFC4635] (i.e., TSIG and HMAC-SHA extension) 126 specifications were discovered. The implementations were fixed but, 127 to avoid similar problems in the future, the two documents were 128 updated and merged, producing these revised specifications for TSIG. 130 The Domain Name System (DNS) [RFC1034], [RFC1035] is a replicated 131 hierarchical distributed database system that provides information 132 fundamental to Internet operations, such as name <=> address 133 translation and mail handling information. 135 This document specifies use of a message authentication code (MAC), 136 either HMAC-MD5 or HMAC-SHA (keyed hash functions), to provide an 137 efficient means of point-to-point authentication and integrity 138 checking for transactions. 140 The second area where the secret key based MACs specified in this 141 document can be used is to authenticate DNS update requests as well 142 as transaction responses, providing a lightweight alternative to the 143 protocol described by [RFC3007]. 145 A further use of this mechanism is to protect zone transfers. In 146 this case the data covered would be the whole zone transfer including 147 any glue records sent. The protocol described by DNSSEC does not 148 protect glue records and unsigned records unless SIG(0) (transaction 149 signature) is used. 151 The authentication mechanism proposed in this document uses shared 152 secret keys to establish a trust relationship between two entities. 153 Such keys must be protected in a fashion similar to private keys, 154 lest a third party masquerade as one of the intended parties (forge 155 MACs). There is an urgent need to provide simple and efficient 156 authentication between clients and local servers and this proposal 157 addresses that need. This proposal is unsuitable for general server 158 to server authentication for servers which speak with many other 159 servers, since key management would become unwieldy with the number 160 of shared keys going up quadratically. But it is suitable for many 161 resolvers on hosts that only talk to a few recursive servers. 163 A server acting as an indirect caching resolver -- a "forwarder" in 164 common usage -- might use transaction-based authentication when 165 communicating with its small number of preconfigured "upstream" 166 servers. Other uses of DNS secret key authentication and possible 167 systems for automatic secret key distribution may be proposed in 168 separate future documents. 170 Note that use of TSIG presumes prior agreement between the resolver 171 and server involved as to the algorithm and key to be used. 173 Since the publication of first version of this document ([RFC2845]) a 174 mechanism based on asymmetric signatures using the SIG RR was 175 specified (SIG(0) [RFC2931]) when this document uses symmetric 176 authentication codes calculated by HMAC [RFC2104] using strong hash 177 functions. 179 2. Key words 181 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 182 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 183 "OPTIONAL" in this document are to be interpreted as described in BCP 184 14 [RFC2119] [RFC8174] when, and only when, they appear in all 185 capitals, as shown here. 187 3. New Assigned Numbers 189 RRTYPE = TSIG (250) 190 ERROR = 0..15 (a DNS RCODE) 191 ERROR = 16 (BADSIG) 192 ERROR = 17 (BADKEY) 193 ERROR = 18 (BADTIME) 194 ERROR = 22 (BADTRUNC) 196 4. TSIG RR Format 198 4.1. TSIG RR Type 200 To provide secret key authentication, we use a new RR type whose 201 mnemonic is TSIG and whose type code is 250. TSIG is a meta-RR and 202 MUST NOT be cached. TSIG RRs are used for authentication between DNS 203 entities that have established a shared secret key. TSIG RRs are 204 dynamically computed to cover a particular DNS transaction and are 205 not DNS RRs in the usual sense. 207 4.2. TSIG Calculation 209 As the TSIG RRs are related to one DNS request/response, there is no 210 value in storing or retransmitting them, thus the TSIG RR is 211 discarded once it has been used to authenticate a DNS message. All 212 multi-octet integers in the TSIG record are sent in network byte 213 order (see [RFC1035] 2.3.2). 215 4.3. TSIG Record Format 217 NAME The name of the key used in domain name syntax. The name 218 should reflect the names of the hosts and uniquely identify the 219 key among a set of keys these two hosts may share at any given 220 time. If hosts A.site.example and B.example.net share a key, 221 possibilities for the key name include .A.site.example, 222 .B.example.net, and .A.site.example.B.example.net. It 223 should be possible for more than one key to be in simultaneous 224 use among a set of interacting hosts. The name only needs to 225 be meaningful to the communicating hosts but a meaningful 226 mnemonic name as above is strongly recommended. 228 The name may be used as a local index to the key involved and 229 it is recommended that it be globally unique. Where a key is 230 just shared between two hosts, its name actually only need only 231 be meaningful to them but it is recommended that the key name 232 be mnemonic and incorporate the resolver and server host names 233 in that order. 235 TYPE TSIG (250: Transaction SIGnature) 237 CLASS ANY 239 TTL 0 240 RdLen (variable) 242 RDATA 244 4.3.1. TSIG RDATA Wire Format 246 The RDATA for a TSIG RR consists of an octet stream Algorithm Name 247 field, a uint48_t Time Signed field, a uint16_t Fudge field, a 248 uint16_t MAC Size field, a octet stream MAC field, a uint16_t 249 Original ID, a uint16_t Error field, a uint16_t Other Len field and 250 an octet stream of Other Data. 252 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 253 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 254 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 255 / Algorithm Name / 256 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 257 | | 258 | Time Signed +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 259 | | Fudge | 260 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 261 | MAC Size | / 262 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ MAC / 263 / / 264 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 265 | Original ID | Error | 266 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 267 | Other Len | / 268 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Other Data / 269 / / 270 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 272 4.3.1.1. The Algorithm Name Field 274 The Algorithm Name field identifies the TSIG algorithm name in the 275 domain name syntax. 277 4.3.1.2. The Time Signed Field 279 The Time Signed field specifies seconds since 1970-01-01 UTC. 281 4.3.1.3. The Fudge Field 283 The Fudge field specifies allowed time difference in seconds 284 permitted in the Time Signed field. 286 4.3.1.4. The MAC Size Field 288 The MAC Size field specifies the length of MAC field in octets. 289 Truncation is indicated by a MAC size less than the HMAC size. 291 4.3.1.5. The MAC Field 293 The MAC field contents are defined by the used Algorithm. 295 4.3.1.6. The Error field 297 The Error field contains the Expanded RCODE covering TSIG processing. 299 4.3.1.7. The Other Len Field 301 The Other Len field specifies the length of Other Data in octets. 303 4.3.1.8. The Other Data Field 305 The Other Data field is empty unless Error == BADTIME. 307 4.4. Example 309 NAME HOST.EXAMPLE. 311 TYPE TSIG 313 CLASS ANY 315 TTL 0 317 RdLen As appropriate 319 RDATA 321 Field Name Contents 322 -------------- ------------------- 323 Algorithm Name SAMPLE-ALG.EXAMPLE. 324 Time Signed 853804800 325 Fudge 300 326 MAC Size As appropriate 327 MAC As appropriate 328 Original ID As appropriate 329 Error 0 (NOERROR) 330 Other Len 0 331 Other Data Empty 333 5. Protocol Operation 335 5.1. Effects of adding TSIG to outgoing message 337 Once the outgoing message has been constructed, the keyed message 338 digest operation can be performed. The resulting message digest will 339 then be stored in a TSIG which is appended to the additional data 340 section (the ARCOUNT is incremented to reflect this). If the TSIG 341 record cannot be added without causing the message to be truncated, 342 the server MUST alter the response so that a TSIG can be included. 343 This response consists of only the question and a TSIG record, and 344 has the TC bit set and RCODE 0 (NOERROR). The client SHOULD at this 345 point retry the request using TCP (per [RFC1035] 4.2.2). 347 5.2. TSIG processing on incoming messages 349 If an incoming message contains a TSIG record, it MUST be the last 350 record in the additional section. Multiple TSIG records are not 351 allowed. If a TSIG record is present in any other position, the 352 packet is dropped and a response with RCODE 1 (FORMERR) MUST be 353 returned. Upon receipt of a message with a correctly placed TSIG RR, 354 the TSIG RR is copied to a safe location, removed from the DNS 355 Message, and decremented out of the DNS message header's ARCOUNT. At 356 this point the keyed message digest operation is performed: until 357 this operation concludes that the signature is valid, the signature 358 MUST be considered to be invalid. If the algorithm name or key name 359 is unknown to the recipient, or if the message digests do not match, 360 the whole DNS message MUST be discarded. If the message is a query, 361 a response with RCODE 9 (NOTAUTH) MUST be sent back to the originator 362 with TSIG ERROR 17 (BADKEY) or TSIG ERROR 16 (BADSIG). If no key is 363 available to sign this message it MUST be sent unsigned (MAC size == 364 0 and empty MAC). A message to the system operations log SHOULD be 365 generated, to warn the operations staff of a possible security 366 incident in progress. Care should be taken to ensure that logging of 367 this type of event does not open the system to a denial of service 368 attack. 370 5.3. Time values used in TSIG calculations 372 The data digested includes the two timer values in the TSIG header in 373 order to defend against replay attacks. If this were not done, an 374 attacker could replay old messages but update the "Time Signed" and 375 "Fudge" fields to make the message look new. This data is named 376 "TSIG Timers", and for the purpose of digest calculation they are 377 invoked in their "on the wire" format, in the following order: first 378 Time Signed, then Fudge. For example: 380 Field Name Value Wire Format Meaning 381 ----------- --------- ----------------- ------------------------ 382 Time Signed 853804800 00 00 32 e4 07 00 Tue Jan 21 00:00:00 1997 383 Fudge 300 01 2C 5 minutes 385 5.4. TSIG Variables and Coverage 387 When generating or verifying the contents of a TSIG record, the 388 following data are digested, in network byte order or wire format, as 389 appropriate: 391 5.4.1. DNS Message 393 A whole and complete DNS message in wire format, before the TSIG RR 394 has been added to the additional data section and before the DNS 395 Message Header's ARCOUNT field has been incremented to contain the 396 TSIG RR. If the message ID differs from the original message ID, the 397 original message ID is substituted for the message ID. This could 398 happen when forwarding a dynamic update request, for example. 400 5.4.2. TSIG Variables 402 Source Field Name Notes 403 ---------- -------------- ----------------------------------------- 404 TSIG RR NAME Key name, in canonical wire format 405 TSIG RR CLASS (Always ANY in the current specification) 406 TSIG RR TTL (Always 0 in the current specification) 407 TSIG RDATA Algorithm Name in canonical wire format 408 TSIG RDATA Time Signed in network byte order 409 TSIG RDATA Fudge in network byte order 410 TSIG RDATA Error in network byte order 411 TSIG RDATA Other Len in network byte order 412 TSIG RDATA Other Data exactly as transmitted 414 The RR RDLEN and RDATA MAC Length are not included in the hash since 415 they are not guaranteed to be knowable before the MAC is generated. 417 The Original ID field is not included in this section, as it has 418 already been substituted for the message ID in the DNS header and 419 hashed. 421 For each label type, there must be a defined "Canonical wire format" 422 that specifies how to express a label in an unambiguous way. For 423 label type 00, this is defined in [RFC4034], for label type 01, this 424 is defined in [RFC6891]. The use of label types other than 00 and 01 425 is not defined for this specification. 427 5.4.3. Request MAC 429 When generating the MAC to be included in a response, the validated 430 request MAC MUST be included in the digest. If the request MAC 431 failed to validate, an unsigned error message MUST be returned 432 instead. (Section 6.3). 434 The request's MAC is digested in wire format, including the following 435 fields: 437 Field Type Description 438 ---------- ------------ ---------------------- 439 MAC Length uint16_t in network byte order 440 MAC Data octet stream exactly as transmitted 442 5.5. Padding 444 Digested components are fed into the hashing function as a continuous 445 octet stream with no interfield padding. 447 6. Protocol Details 449 6.1. TSIG generation on requests 451 Client performs the message digest operation and appends a TSIG 452 record to the additional data section and transmits the request to 453 the server. The client MUST store the message digest from the 454 request while awaiting an answer. The digest components for a 455 request are: 457 DNS Message (request) 458 TSIG Variables (request) 460 Note that some older name servers will not accept requests with a 461 nonempty additional data section. Clients SHOULD only attempt signed 462 transactions with servers who are known to support TSIG and share 463 some secret key with the client -- so, this is not a problem in 464 practice. 466 6.2. TSIG on Answers 468 When a server has generated a response to a signed request, it signs 469 the response using the same algorithm and key. The server MUST NOT 470 generate a signed response to an unsigned request or a request that 471 fails validation. The digest components are: 473 Request MAC 474 DNS Message (response) 475 TSIG Variables (response) 477 6.3. TSIG on TSIG Error returns 479 When a server detects an error relating to the key or MAC, the server 480 SHOULD send back an unsigned error message (MAC size == 0 and empty 481 MAC). If an error is detected relating to the TSIG validity period 482 or the MAC is too short for the local policy, the server SHOULD send 483 back a signed error message. The digest components are: 485 Request MAC (if the request MAC validated) 486 DNS Message (response) 487 TSIG Variables (response) 489 The reason that the request is not included in this digest in some 490 cases is to make it possible for the client to verify the error. If 491 the error is not a TSIG error the response MUST be generated as 492 specified in Section 6.2. 494 6.4. TSIG on TCP connection 496 A DNS TCP session can include multiple DNS envelopes. This is, for 497 example, commonly used by zone transfer. Using TSIG on such a 498 connection can protect the connection from hijacking and provide data 499 integrity. The TSIG MUST be included on the first and last DNS 500 envelopes. It can be optionally placed on any intermediary 501 envelopes. It is expensive to include it on every envelopes, but it 502 MUST be placed on at least every 100'th envelope. The first envelope 503 is processed as a standard answer, and subsequent messages have the 504 following digest components: 506 Prior Digest (running) 507 DNS Messages (any unsigned messages since the last TSIG) 508 TSIG Timers (current message) 510 This allows the client to rapidly detect when the session has been 511 altered; at which point it can close the connection and retry. If a 512 client TSIG verification fails, the client MUST close the connection. 513 If the client does not receive TSIG records frequently enough (as 514 specified above) it SHOULD assume the connection has been hijacked 515 and it SHOULD close the connection. The client SHOULD treat this the 516 same way as they would any other interrupted transfer (although the 517 exact behavior is not specified). 519 6.5. Server TSIG checks 521 Upon receipt of a message, server will check if there is a TSIG RR. 522 If one exists, the server is REQUIRED to return a TSIG RR in the 523 response. The server MUST perform the following checks in the 524 following order, check Key, check MAC, check Time values, check 525 Truncation policy. 527 6.5.1. Key check and error handling 529 If a non-forwarding server does not recognize the key used by the 530 client, the server MUST generate an error response with RCODE 9 531 (NOTAUTH) and TSIG ERROR 17 (BADKEY). This response MUST be unsigned 532 as specified in Section 6.3. The server SHOULD log the error. 534 6.5.2. Specifying Truncation 536 When space is at a premium and the strength of the full length of an 537 HMAC is not needed, it is reasonable to truncate the HMAC and use the 538 truncated value for authentication. HMAC SHA-1 truncated to 96 bits 539 is an option available in several IETF protocols, including IPsec and 540 TLS. 542 Processing of a truncated MAC follows these rules 544 1. If "MAC size" field is greater than HMAC output length: 546 This case MUST NOT be generated and, if received, MUST cause the 547 packet to be dropped and RCODE 1 (FORMERR) to be returned. 549 2. If "MAC size" field equals HMAC output length: 551 The entire output HMAC output is present and used. 553 3. "MAC size" field is less than HMAC output length but greater than 554 that specified in case 4, below: 556 This is sent when the signer has truncated the HMAC output to an 557 allowable length, as described in [RFC2104], taking initial 558 octets and discarding trailing octets. TSIG truncation can only 559 be to an integral number of octets. On receipt of a packet with 560 truncation thus indicated, the locally calculated MAC is 561 similarly truncated and only the truncated values are compared 562 for authentication. The request MAC used when calculating the 563 TSIG MAC for a reply is the truncated request MAC. 565 4. "MAC size" field is less than the larger of 10 (octets) and half 566 the length of the hash function in use: 568 With the exception of certain TSIG error messages described in 569 Section 6.3, where it is permitted that the MAC size be zero, 570 this case MUST NOT be generated and, if received, MUST cause the 571 packet to be dropped and RCODE 1 (FORMERR) to be returned. 573 6.5.3. MAC check and error handling 575 If a TSIG fails to verify, the server MUST generate an error response 576 as specified in Section 6.3 with RCODE 9 (NOTAUTH) and TSIG ERROR 16 577 (BADSIG). This response MUST be unsigned as specified in 578 Section 6.3. The server SHOULD log the error. 580 6.5.4. Time check and error handling 582 If the server time is outside the time interval specified by the 583 request (which is: Time Signed, plus/minus Fudge), the server MUST 584 generate an error response with RCODE 9 (NOTAUTH) and TSIG ERROR 18 585 (BADTIME). The server SHOULD also cache the most recent time signed 586 value in a message generated by a key, and SHOULD return BADTIME if a 587 message received later has an earlier time signed value. A response 588 indicating a BADTIME error MUST be signed by the same key as the 589 request. It MUST include the client's current time in the time 590 signed field, the server's current time (a uint48_t) in the other 591 data field, and 6 in the other data length field. This is done so 592 that the client can verify a message with a BADTIME error without the 593 verification failing due to another BADTIME error. The data signed 594 is specified in Section 6.3. The server SHOULD log the error. 596 6.5.5. Truncation check and error handling 598 If a TSIG is received with truncation that is permitted under 599 Section 6.5.2 above but the MAC is too short for the local policy in 600 force, an RCODE 9 (NOTAUTH) and TSIG ERROR 22 (BADTRUNC) MUST be 601 returned. The server SHOULD log the error. 603 6.6. Client processing of answer 605 When a client receives a response from a server and expects to see a 606 TSIG, it first checks if the TSIG RR is present in the response. 607 Otherwise, the response is treated as having a format error and 608 discarded. The client then extracts the TSIG, adjusts the ARCOUNT, 609 and calculates the keyed digest in the same way as the server, 610 applying the same rules to decide if truncated MAC is valid. If the 611 TSIG does not validate, that response MUST be discarded, unless the 612 RCODE is 9 (NOTAUTH), in which case the client SHOULD attempt to 613 verify the response as if it were a TSIG Error response, as specified 614 in Section 6.3. A message containing an unsigned TSIG record or a 615 TSIG record which fails verification SHOULD NOT be considered an 616 acceptable response; the client SHOULD log an error and continue to 617 wait for a signed response until the request times out. 619 6.6.1. Key error handling 621 If an RCODE on a response is 9 (NOTAUTH), and the response TSIG 622 validates, and the TSIG key is different from the key used on the 623 request, then this is a Key error. The client MAY retry the request 624 using the key specified by the server. This should never occur, as a 625 server MUST NOT sign a response with a different key than signed the 626 request. 628 6.6.2. MAC error handling 630 If the response RCODE is 9 (NOTAUTH) and TSIG ERROR is 16 (BADSIG), 631 this is a MAC error, and client MAY retry the request with a new 632 request ID but it would be better to try a different shared key if 633 one is available. Clients SHOULD keep track of how many MAC errors 634 are associated with each key. Clients SHOULD log this event. 636 6.6.3. Time error handling 638 If the response RCODE is 9 (NOTAUTH) and the TSIG ERROR is 18 639 (BADTIME), or the current time does not fall in the range specified 640 in the TSIG record, then this is a Time error. This is an indication 641 that the client and server clocks are not synchronized. In this case 642 the client SHOULD log the event. DNS resolvers MUST NOT adjust any 643 clocks in the client based on BADTIME errors, but the server's time 644 in the other data field SHOULD be logged. 646 6.6.4. Truncation error handling 648 If the response RCODE is 9 (NOTAUTH) and the TSIG ERROR is 22 649 (BADTRUNC) the this is a Truncation error. The client MAY retry with 650 lesser truncation up to the full HMAC output (no truncation), using 651 the truncation used in the response as a hint for what the server 652 policy allowed (Section 8). Clients SHOULD log this event. 654 6.7. Special considerations for forwarding servers 656 A server acting as a forwarding server of a DNS message SHOULD check 657 for the existence of a TSIG record. If the name on the TSIG is not 658 of a secret that the server shares with the originator the server 659 MUST forward the message unchanged including the TSIG. If the name 660 of the TSIG is of a key this server shares with the originator, it 661 MUST process the TSIG. If the TSIG passes all checks, the forwarding 662 server MUST, if possible, include a TSIG of his own, to the 663 destination or the next forwarder. If no transaction security is 664 available to the destination and the response has the AD flag (see 665 [RFC4035]), the forwarder MUST unset the AD flag before adding the 666 TSIG to the answer. 668 7. Algorithms and Identifiers 670 The only message digest algorithm specified in the first version of 671 these specifications [RFC2845] was "HMAC-MD5" (see [RFC1321], 672 [RFC2104]). The "HMAC-MD5" algorithm is mandatory to implement for 673 interoperability. 675 The use of SHA-1 [FIPS180-4], [RFC3174], (which is a 160-bit hash as 676 compared to the 128 bits for MD5), and additional hash algorithms in 677 the SHA family [FIPS180-4], [RFC3874], [RFC6234] with 224, 256, 384, 678 and 512 bits may be preferred in some cases. This is because 679 increasingly successful cryptanalytic attacks are being made on the 680 shorter hashes. 682 Use of TSIG between a DNS resolver and server is by mutual agreement. 683 That agreement can include the support of additional algorithms and 684 criteria as to which algorithms and truncations are acceptable, 685 subject to the restriction and guidelines in Section 6.5.2 above. 686 Key agreement can be by the TKEY mechanism [RFC2930] or some other 687 mutually agreeable method. 689 The current HMAC-MD5.SIG-ALG.REG.INT and gss-tsig identifiers are 690 included in the table below for convenience. Implementations that 691 support TSIG MUST also implement HMAC SHA1 and HMAC SHA256 and MAY 692 implement gss-tsig and the other algorithms listed below. 694 Requirement Name 695 ----------- ------------------------ 696 Mandatory HMAC-MD5.SIG-ALG.REG.INT 697 Optional gss-tsig 698 Mandatory hmac-sha1 699 Optional hmac-sha224 700 Mandatory hmac-sha256 701 Optional hmac-sha384 702 Optional hmac-sha512 704 SHA-1 truncated to 96 bits (12 octets) SHOULD be implemented. 706 8. TSIG Truncation Policy 708 Use of TSIG is by mutual agreement between a resolver and server. 709 Implicit in such an "agreement" are criteria as to acceptable keys 710 and algorithms and, with the extensions in this document, 711 truncations. Note that it is common for implementations to bind the 712 TSIG secret key or keys that may be in place at a resolver and server 713 to particular algorithms. Thus, such implementations only permit the 714 use of an algorithm if there is an associated key in place. Receipt 715 of an unknown, unimplemented, or disabled algorithm typically results 716 in a BADKEY error. 718 Local policies MAY require the rejection of TSIGs, even though they 719 use an algorithm for which implementation is mandatory. 721 When a local policy permits acceptance of a TSIG with a particular 722 algorithm and a particular non-zero amount of truncation, it SHOULD 723 also permit the use of that algorithm with lesser truncation (a 724 longer MAC) up to the full HMAC output. 726 Regardless of a lower acceptable truncated MAC length specified by 727 local policy, a reply SHOULD be sent with a MAC at least as long as 728 that in the corresponding request. Note if the request specified a 729 MAC length longer than the HMAC output it will be rejected by 730 processing rules Section 6.5.2 case 1. 732 Implementations permitting multiple acceptable algorithms and/or 733 truncations SHOULD permit this list to be ordered by presumed 734 strength and SHOULD allow different truncations for the same 735 algorithm to be treated as separate entities in this list. When so 736 implemented, policies SHOULD accept a presumed stronger algorithm and 737 truncation than the minimum strength required by the policy. 739 9. Shared Secrets 741 Secret keys are very sensitive information and all available steps 742 should be taken to protect them on every host on which they are 743 stored. Generally such hosts need to be physically protected. If 744 they are multi-user machines, great care should be taken that 745 unprivileged users have no access to keying material. Resolvers 746 often run unprivileged, which means all users of a host would be able 747 to see whatever configuration data is used by the resolver. 749 A name server usually runs privileged, which means its configuration 750 data need not be visible to all users of the host. For this reason, 751 a host that implements transaction-based authentication should 752 probably be configured with a "stub resolver" and a local caching and 753 forwarding name server. This presents a special problem for 754 [RFC2136] which otherwise depends on clients to communicate only with 755 a zone's authoritative name servers. 757 Use of strong random shared secrets is essential to the security of 758 TSIG. See [RFC4086] for a discussion of this issue. The secret 759 SHOULD be at least as long as the keyed message digest, i.e., 16 760 bytes for HMAC-MD5 or 20 bytes for HMAC-SHA1. 762 10. IANA Considerations 764 IANA maintains a registry of algorithm names to be used as "Algorithm 765 Names" as defined in Section 4.3. Algorithm names are text strings 766 encoded using the syntax of a domain name. There is no structure 767 required other than names for different algorithms must be unique 768 when compared as DNS names, i.e., comparison is case insensitive. 769 Previous specifications [RFC2845] and [RFC4635] defined values for 770 HMAC MD5 and SHA. IANA has also registered "gss-tsig" as an 771 identifier for TSIG authentication where the cryptographic operations 772 are delegated to the Generic Security Service (GSS) [RFC3645]. 774 New algorithms are assigned using the IETF Consensus policy defined 775 in [RFC8126]. The algorithm name HMAC-MD5.SIG-ALG.REG.INT looks like 776 a fully-qualified domain name for historical reasons; other algorithm 777 names are simple (i.e., single-component) names. 779 IANA maintains a registry of "TSIG Error values" to be used for 780 "Error" values as defined in Section 4.3. Initial values should be 781 those defined in Section 3. New TSIG error codes for the TSIG error 782 field are assigned using the IETF Consensus policy defined in 783 [RFC8126]. 785 11. Security Considerations 787 The approach specified here is computationally much less expensive 788 than the signatures specified in DNSSEC. As long as the shared 789 secret key is not compromised, strong authentication is provided for 790 the last hop from a local name server to the user resolver. 792 Secret keys should be changed periodically. If the client host has 793 been compromised, the server should suspend the use of all secrets 794 known to that client. If possible, secrets should be stored in 795 encrypted form. Secrets should never be transmitted in the clear 796 over any network. This document does not address the issue on how to 797 distribute secrets. Secrets should never be shared by more than two 798 entities. 800 This mechanism does not authenticate source data, only its 801 transmission between two parties who share some secret. The original 802 source data can come from a compromised zone master or can be 803 corrupted during transit from an authentic zone master to some 804 "caching forwarder." However, if the server is faithfully performing 805 the full DNSSEC security checks, then only security checked data will 806 be available to the client. 808 A fudge value that is too large may leave the server open to replay 809 attacks. A fudge value that is too small may cause failures if 810 machines are not time synchronized or there are unexpected network 811 delays. The recommended value in most situation is 300 seconds. 813 For all of the message authentication code algorithms listed in this 814 document, those producing longer values are believed to be stronger; 815 however, while there have been some arguments that mild truncation 816 can strengthen a MAC by reducing the information available to an 817 attacker, excessive truncation clearly weakens authentication by 818 reducing the number of bits an attacker has to try to break the 819 authentication by brute force [RFC2104]. 821 Significant progress has been made recently in cryptanalysis of hash 822 functions of the types used here, all of which ultimately derive from 823 the design of MD4. While the results so far should not effect HMAC, 824 the stronger SHA-1 and SHA-256 algorithms are being made mandatory 825 due to caution. Note that today SHA-3 [FIPS202] is available as an 826 alternative to SHA-2 using a very different design. 828 See also the Security Considerations section of [RFC2104] from which 829 the limits on truncation in this RFC were taken. 831 11.1. Issue fixed in this document 833 To bind an answer with its corresponding request the MAC of the 834 answer is computed using the MAC request. Unfortunately original 835 specifications [RFC2845] failed to clearly require the MAC request to 836 be successfully validated. 838 This document proposes the principle that the MAC must be considered 839 to be invalid until it was validated. This leads to the requirement 840 that only a validated request MAC is included in a signed answer. Or 841 with other words when the request MAC was not validated the answer 842 must be unsigned with a BADKEY or BADSIG TSIG error. 844 11.2. Why not DNSSEC? 846 This section from the original document [RFC2845] analyzes DNSSEC in 847 order to justify the introduction of TSIG. 849 DNS has recently been extended by DNSSEC ([RFC4033], [RFC4034] and 850 [RFC4035]) to provide for data origin authentication, and public key 851 distribution, all based on public key cryptography and public key 852 based digital signatures. To be practical, this form of security 853 generally requires extensive local caching of keys and tracing of 854 authentication through multiple keys and signatures to a pre-trusted 855 locally configured key. 857 One difficulty with the DNSSEC scheme is that common DNS 858 implementations include simple "stub" resolvers which do not have 859 caches. Such resolvers typically rely on a caching DNS server on 860 another host. It is impractical for these stub resolvers to perform 861 general DNSSEC authentication and they would naturally depend on 862 their caching DNS server to perform such services for them. To do so 863 securely requires secure communication of queries and responses. 864 DNSSEC provides public key transaction signatures to support this, 865 but such signatures are very expensive computationally to generate. 866 In general, these require the same complex public key logic that is 867 impractical for stubs. 869 A second area where use of straight DNSSEC public key based 870 mechanisms may be impractical is authenticating dynamic update 871 [RFC2136] requests. DNSSEC provides for request signatures but with 872 DNSSEC they, like transaction signatures, require computationally 873 expensive public key cryptography and complex authentication logic. 874 Secure Domain Name System Dynamic Update ([RFC3007]) describes how 875 different keys are used in dynamically updated zones. 877 12. References 879 12.1. Normative References 881 [FIPS180-4] 882 National Institute of Standards and Technology, "Secure 883 Hash Standard (SHS)", FIPS PUB 180-4, August 2015. 885 [RFC1034] Mockapetris, P., "Domain names - concepts and facilities", 886 STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987, 887 . 889 [RFC1035] Mockapetris, P., "Domain names - implementation and 890 specification", STD 13, RFC 1035, DOI 10.17487/RFC1035, 891 November 1987, . 893 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 894 Requirement Levels", BCP 14, RFC 2119, 895 DOI 10.17487/RFC2119, March 1997, 896 . 898 [RFC2845] Vixie, P., Gudmundsson, O., Eastlake 3rd, D., and B. 899 Wellington, "Secret Key Transaction Authentication for DNS 900 (TSIG)", RFC 2845, DOI 10.17487/RFC2845, May 2000, 901 . 903 [RFC4635] Eastlake 3rd, D., "HMAC SHA (Hashed Message Authentication 904 Code, Secure Hash Algorithm) TSIG Algorithm Identifiers", 905 RFC 4635, DOI 10.17487/RFC4635, August 2006, 906 . 908 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 909 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 910 May 2017, . 912 12.2. Informative References 914 [FIPS202] National Institute of Standards and Technology, "SHA-3 915 Standard", FIPS PUB 202, August 2015. 917 [RFC1321] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321, 918 DOI 10.17487/RFC1321, April 1992, 919 . 921 [RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed- 922 Hashing for Message Authentication", RFC 2104, 923 DOI 10.17487/RFC2104, February 1997, 924 . 926 [RFC2136] Vixie, P., Ed., Thomson, S., Rekhter, Y., and J. Bound, 927 "Dynamic Updates in the Domain Name System (DNS UPDATE)", 928 RFC 2136, DOI 10.17487/RFC2136, April 1997, 929 . 931 [RFC2930] Eastlake 3rd, D., "Secret Key Establishment for DNS (TKEY 932 RR)", RFC 2930, DOI 10.17487/RFC2930, September 2000, 933 . 935 [RFC2931] Eastlake 3rd, D., "DNS Request and Transaction Signatures 936 ( SIG(0)s )", RFC 2931, DOI 10.17487/RFC2931, September 937 2000, . 939 [RFC3007] Wellington, B., "Secure Domain Name System (DNS) Dynamic 940 Update", RFC 3007, DOI 10.17487/RFC3007, November 2000, 941 . 943 [RFC3174] Eastlake 3rd, D. and P. Jones, "US Secure Hash Algorithm 1 944 (SHA1)", RFC 3174, DOI 10.17487/RFC3174, September 2001, 945 . 947 [RFC3645] Kwan, S., Garg, P., Gilroy, J., Esibov, L., Westhead, J., 948 and R. Hall, "Generic Security Service Algorithm for 949 Secret Key Transaction Authentication for DNS (GSS-TSIG)", 950 RFC 3645, DOI 10.17487/RFC3645, October 2003, 951 . 953 [RFC3874] Housley, R., "A 224-bit One-way Hash Function: SHA-224", 954 RFC 3874, DOI 10.17487/RFC3874, September 2004, 955 . 957 [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. 958 Rose, "DNS Security Introduction and Requirements", 959 RFC 4033, DOI 10.17487/RFC4033, March 2005, 960 . 962 [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. 963 Rose, "Resource Records for the DNS Security Extensions", 964 RFC 4034, DOI 10.17487/RFC4034, March 2005, 965 . 967 [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S. 968 Rose, "Protocol Modifications for the DNS Security 969 Extensions", RFC 4035, DOI 10.17487/RFC4035, March 2005, 970 . 972 [RFC4086] Eastlake 3rd, D., Schiller, J., and S. Crocker, 973 "Randomness Requirements for Security", BCP 106, RFC 4086, 974 DOI 10.17487/RFC4086, June 2005, 975 . 977 [RFC6234] Eastlake 3rd, D. and T. Hansen, "US Secure Hash Algorithms 978 (SHA and SHA-based HMAC and HKDF)", RFC 6234, 979 DOI 10.17487/RFC6234, May 2011, 980 . 982 [RFC6891] Damas, J., Graff, M., and P. Vixie, "Extension Mechanisms 983 for DNS (EDNS(0))", STD 75, RFC 6891, 984 DOI 10.17487/RFC6891, April 2013, 985 . 987 [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for 988 Writing an IANA Considerations Section in RFCs", BCP 26, 989 RFC 8126, DOI 10.17487/RFC8126, June 2017, 990 . 992 Appendix A. Acknowledgments 994 This document just consolidates and updates the earlier documents by 995 the authors of [RFC2845] (Paul Vixie, Olafur Gudmundsson, Donald E. 996 Eastlake 3rd and Brian Wellington) and [RFC4635] (Donald E. Eastlake 997 3rd). It would not be possible without their original work. 999 The security problem addressed by this document was reported by 1000 Clement Berthaux from Synacktiv. 1002 Note for the RFC Editor (to be removed before publication): the first 1003 'e' in Clement is a fact a small 'e' with acute, unicode code U+00E9. 1004 I do not know if xml2rfc supports non ASCII characters so I prefer to 1005 not experiment with it. BTW I am French too too so I can help if you 1006 have questions like correct spelling... 1008 Peter van Dijk, Benno Overeinder, Willem Toroop, Ondrej Sury, Mukund 1009 Sivaraman and Ralph Dolmans participated in the discussions that 1010 prompted this document. 1012 Appendix B. Change History 1014 draft-dupont-dnsop-rfc2845bis-00 1016 [RFC4635] was merged. 1018 Authors of original documents were moved to Acknowledgments 1019 (Appendix A). 1021 Section 2 was updated to [RFC8174] style. 1023 Spit references into normative and informative references and 1024 updated them. 1026 Added a text explaining why this document was written in the 1027 Abstract and at the beginning of the introduction. 1029 Clarified the layout of TSIG RDATA. 1031 Moved the text about using DNSSEC from the Introduction to the end 1032 of Security Considerations. 1034 Added the security clarifications: 1036 1. Emphasized that MAC is invalid until it is successfully 1037 validated. 1039 2. Added requirement that a request MAC that has not been 1040 successfully validated MUST NOT be included into a response. 1042 3. Added requirement that a request that has not been validated 1043 to the MUST NOT generate a signed response. 1045 4. Added note about MAC too short for the local policy to the 1046 Section 6.3. 1048 5. Changed the order of server checks and swapped corresponding 1049 sections. 1051 6. Removed the truncation size limit "also case" as it does not 1052 apply and added confusion. 1054 7. Relocated the error provision for TSIG truncation to the new 1055 Section 6.5.5. Moved from RCODE 22 to RCODE 9 and TSIG ERROR 1056 22, i.e., aligned with other TSIG error cases. 1058 8. Added Section 6.6.4 about truncation error handling by 1059 clients. 1061 9. Removed the limit to HMAC output in replies as a request 1062 which specified a MAC length longer than the HMAC output is 1063 invalid according the the first processing rule in 1064 Section 6.5.2. 1066 10. Promoted the requirement that a secret length should be at 1067 least as long as the keyed message digest to a SHOULD 1068 [RFC2119] key word. 1070 11. Added a short text to explain the security issue. 1072 Authors' Addresses 1074 Francis Dupont (editor) 1075 Internet Software Consortium 1076 950 Charter Street 1077 Redwood City, CA 94063 1078 United States 1080 Email: Francis.Dupont@fdupont.fr 1081 Stephen Morris 1082 Internet Software Consortium 1083 950 Charter Street 1084 Redwood City, CA 94063 1085 United States 1087 Email: stephen@isc.org 1088 URI: http://www.isc.org