idnits 2.17.1 draft-gieben-epp-keyrelay-01.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (February 25, 2013) is 4075 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Outdated reference: A later version (-06) exists of draft-koch-dnsop-dnssec-operator-change-04 Summary: 0 errors (**), 0 flaws (~~), 2 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group R. Gieben 3 Internet-Draft M. Groeneweg 4 Intended status: Standards Track R. Ribbers 5 Expires: August 29, 2013 A.L.J. Verschuren 6 SIDN Labs 7 February 25, 2013 9 Key Relay Mapping for the Extensible Provisioning Protocol 10 draft-gieben-epp-keyrelay-01 12 Abstract 14 This document describes an Extensible Provisioning Protocol (EPP) 15 extension mapping for the purpose of relaying DNSSEC key material 16 from one registrar to another. The mapping introduces "" 17 as a new command in EPP. 19 This command will help facilitating a transfer of a domain while 20 keeping DNSSEC's chain of trust intact. 22 Status of This Memo 24 This Internet-Draft is submitted in full conformance with the 25 provisions of BCP 78 and BCP 79. 27 Internet-Drafts are working documents of the Internet Engineering 28 Task Force (IETF). Note that other groups may also distribute 29 working documents as Internet-Drafts. The list of current Internet- 30 Drafts is at http://datatracker.ietf.org/drafts/current/. 32 Internet-Drafts are draft documents valid for a maximum of six months 33 and may be updated, replaced, or obsoleted by other documents at any 34 time. It is inappropriate to use Internet-Drafts as reference 35 material or to cite them other than as "work in progress." 37 This Internet-Draft will expire on August 29, 2013. 39 Copyright Notice 41 Copyright (c) 2013 IETF Trust and the persons identified as the 42 document authors. All rights reserved. 44 This document is subject to BCP 78 and the IETF Trust's Legal 45 Provisions Relating to IETF Documents 46 (http://trustee.ietf.org/license-info) in effect on the date of 47 publication of this document. Please review these documents 48 carefully, as they describe your rights and restrictions with respect 49 to this document. Code Components extracted from this document must 50 include Simplified BSD License text as described in Section 4.e of 51 the Trust Legal Provisions and are provided without warranty as 52 described in the Simplified BSD License. 54 Table of Contents 56 1. Conventions Used in This Document . . . . . . . . . . . . . . 2 57 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 58 3. Relaying Key Material . . . . . . . . . . . . . . . . . . . . 3 59 4. Rational For a New Command . . . . . . . . . . . . . . . . . 4 60 5. Key Relay Interface . . . . . . . . . . . . . . . . . . . . . 4 61 5.1. Example Key Relay Interface . . . . . . . . . . . . . . . 5 62 6. Server Reply . . . . . . . . . . . . . . . . . . . . . . . . 6 63 7. Message Queue Interface . . . . . . . . . . . . . . . . . . . 6 64 7.1. Message Queue Format . . . . . . . . . . . . . . . . . . 6 65 8. Formal Syntax . . . . . . . . . . . . . . . . . . . . . . . . 8 66 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 67 10. Security Considerations . . . . . . . . . . . . . . . . . . . 10 68 11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 10 69 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 10 70 12.1. Normative References . . . . . . . . . . . . . . . . . . 10 71 12.2. Informative References . . . . . . . . . . . . . . . . . 11 72 Appendix A. Changelog . . . . . . . . . . . . . . . . . . . . . 11 73 A.1. -00 . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 74 A.2. -01 . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 75 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11 77 1. Conventions Used in This Document 79 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 80 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 81 document are to be interpreted as described in BCP 14, RFC 2119 82 [RFC2119]. 84 In examples, "C:" represents lines sent by a protocol client, and 85 "S:" represents lines returned by a protocol server. "////" is used 86 to note element values that have been shortened to better fit page 87 boundaries. Indentation and white space in examples is provided only 88 to illustrate element relationships and is not a mandatory feature of 89 this protocol. 91 XML is case sensitive. Unless stated otherwise, XML specifications 92 and examples provided in this document MUST be interpreted in the 93 character case presented in order to develop a conforming 94 implementation. 96 The term "key material" denotes one more DNSKEY resource records 97 [RFC4034]. 99 2. Introduction 101 Certain transactions for DNSSEC signed zones require an authenticated 102 exchange of DNSSEC key material between DNS operators. Often there 103 is no direct secure channel between the two or it is non-scalable. 105 One of such transactions is changing the DNS operator for DNSSEC 106 signed zones ([I-D.koch-dnsop-dnssec-operator-change]. In this 107 document we define a protocol extension for use in EPP that helps to 108 implement and automate this transaction. This protocol extension 109 introduces a new command called "". 111 3. Relaying Key Material 113 The "" command uses the existing authenticated EPP channel 114 with the registry. Both registrars can securely talk to the registry 115 and as such the registry can serve as a drop box for relaying key 116 material between them (see Figure 1). 118 +-------------------+ DNSKEY +--------------------+ 119 |losing DNS operator| <~~~~~~~ |gaining DNS operator| 120 +-------------------+ +--------------------+ 121 ^ | 122 | v 123 +-----------------+ +---------+ 124 |current registrar| |registrar| 125 +-----------------+ +---------+ 126 ^ | 127 EPP poll | | EPP keyrelay 128 | V 129 +----------------+ 130 | registry | 131 +----------------+ 133 The gaining and losing dns-operators should talk directly to each 134 other (the ~ arrow) to exchange the DNSKEY, but often there is no 135 trusted path between the two. As both can securely interact with the 136 registry through the registrar it can act as a relay for the key 137 material exchange. 139 Figure 1 141 The "" command uploads new key(s) to the registry for a 142 given domain. This key material is then relayed to the current 143 registrar's message queue. There is no need for the registry to 144 store the relayed key in the registry system, although the registry 145 MAY save the key for administrative purposes. 147 The registrar may upload multiple keys in one "" message. 148 If keys are identical (Flags Field, Protocol Field, Algorithm Field 149 and Public Key Field are equal), the duplicate key MUST be dropped. 151 There is no restriction on the type (for instance Key Signing Keys or 152 Zone Signing Keys) of keys that can be put in the message. It is up 153 to the losing DNS operator to validate the correctness of the key 154 material. 156 If for some reason the registry can not process the "" 157 command an EPP error response MUST be returned. If the registry does 158 process the "" command it MUST put all (discarding any 159 duplicates) uploaded keys on to the current registrar's message 160 queue. 162 4. Rational For a New Command 164 The "" command is different than the existing EPP commands, 165 because it allows someone to manipulate data without actually being 166 to owner of that data. The EPP transfer command comes close with 167 respect to this functionality. However we did not want to overload 168 the transfer command for this purpose, because a "" has 169 nothing to do with that operation. 171 5. Key Relay Interface 173 The Key Relay Interface uses a "" element for relaying the 174 key material. It needs a minimum of three elements: a domain name, 175 the key(s) to upload, a token which indicates a future transfer is 176 imminent and an OPTIONAL expire element. 178 Thus a "" element MUST contain the following child 179 elements: 181 o A "" element that contains the domain name for which we 182 upload the key. 184 o A "" element that contains the key material as described 185 in [RFC5910], Section 4.2. 187 o An "" that contains an authorization token ([RFC5931], 188 Section 3.2.4), this should be used as an indication that the 189 registrar had prior contact with the registrant, and a possible 190 future transfer is authorized. The registry MAY check if the 191 "" data is correct and if it does, it MUST return an EPP 192 error response if the authorization token is not correct. 194 And MAY contain: 196 o An "" element that describes the lifetime of the relayed 197 key(s). The losing DNS operator can use this to decide when to 198 remove the key material from the zone again. The element 199 MUST contain one of the following child elements: 201 * "": The policy is valid from the current date and 202 time until it expires on the specified date and time. 204 * "": The policy is valid from the current date and 205 time until the end of the specified duration. 207 The current date and time are taken from the "" service 208 message's "" element, see Section 7.1. 210 5.1. Example Key Relay Interface 212 The following is an example of the "" command, where we 213 upload two keys and use an relative expire date of one month and 13 214 days. 216 C: 220 C: 221 C: 222 C: 223 C: example.org 224 C: 225 C: 256 226 C: 3 227 C: 8 228 C: cmlraXN0aGViZXN0 229 C: 230 C: 231 C: 256 232 C: 3 233 C: 8 234 C: cmlraXN0aGViZXN0 235 C: 236 C: 237 C: JnSdBAZSxxzJ 238 C: 239 C: 240 C: P1M13D 241 C: 242 C: 243 C: 244 C: 245 C: 247 6. Server Reply 249 Example "" response: 251 S: 252 S: 253 S: 254 S: 255 S: Command completed succesfully 256 S: 257 S: 258 S: ABC-12345 259 S: 54321-ZYX 260 S: 261 S: 262 S: 264 As stated an EPP error response MUST be returned if a "" 265 command can not be processed for any reason. 267 7. Message Queue Interface 269 The message queue interface uses the interface as defined in 270 [RFC5730], Section 2.6. All elements that are present in the 271 "" EPP message are put on the message queue of the current 272 registrar for the domain in the "" element. 274 7.1. Message Queue Format 276 Example "" service message: 278 S: 282 S: 283 S: 284 S: Command completed successfully; ack to dequeue 285 S: 286 S: 287 S: 1999-04-04T22:01:00.0Z 288 S: Key Relay action completed successfully. 289 S: 290 S: 291 S: 292 S: 293 S: example.org 294 S: 295 S: 296 S: BCD-23456 297 S: 65432-WXY 298 S: 299 S: 1999-04-04T22:01:00.0Z 300 S: 301 S: 302 S: 256 303 S: 3 304 S: 8 305 S: cmlraXN0aGViZXN0 306 S: 307 S: 308 S: JnSdBAZSxxzJ 309 S: 310 S: 311 S: P24D 312 S: 313 S: 314 S: 315 S: 316 S: 317 S: BCD-23456 318 S: 65432-WXY 319 S: 320 S: 321 S: 323 8. Formal Syntax 325 An EPP object mapping is specified in XML Schema notation. The 326 formal syntax presented here is a complete schema representation of 327 the object mapping suitable for automated validation of EPP XML 328 instances. 330 "" command schema: 332 333 342 343 344 Extensible Provisioning Protocol v1.0 domain name 345 extension schema for relaying key material. 346 347 349 351 353 355 358 359 361 362 363 365 366 368 369 370 372 373 375 376 377 378 379 380 382 383 384 385 387 389 391 392 394 395 396 397 398 399 401 402 404 405 406 408 9. IANA Considerations 410 This document uses URNs to describe XML namespaces and XML schemas 411 conforming to a registry mechanism described in RFC 3688 [RFC3688]. 413 Two URI assignments must be completed by the IANA. 415 Registration request for the extension namespace: 417 URI: urn:ietf:params:xml:ns:keyrelay-1.0 419 Registrant Contact: IESG 421 XML: None. Namespace URIs do not represent an XML specification. 423 Registration request for the extension XML schema: 425 URI: urn:ietf:params:xml:schema:keyrelay-1.0 427 Registrant Contact: IESG 429 XML: See the "Formal Syntax" section of this document. 431 10. Security Considerations 433 The "" EPP extension does not allow for any object 434 transformations. 436 Any registrar can use this mechanism to put key material on the 437 message queue of another registrar, thus mounting a denial of service 438 attack. However this can, and should be detected by the registry. A 439 correct "" element can be used as an indication that 440 putting the key material on the losing registrar's message queue is 441 allowed. 443 Communication between a registrar and registry is mostly done over 444 EPP, but communication between dns-operators, registrants or 445 registrars often is not. If EPP is not used between these entities, 446 relaying the key between a dns-operator and registrar should be 447 adequately authenticated for the complete relay channel to remain 448 secure. It's out of scope for this document to describe how to 449 authenticate with other methods than EPP. 451 11. Acknowledgements 453 Maarten Wullink, Marco Davids and Ed Lewis. 455 12. References 457 12.1. Normative References 459 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 460 Requirement Levels", BCP 14, RFC 2119, March 1997. 462 [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, 463 January 2004. 465 [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. 466 Rose, "Resource Records for the DNS Security Extensions", 467 RFC 4034, March 2005. 469 [RFC5730] Hollenbeck, S., "Extensible Provisioning Protocol (EPP)", 470 STD 69, RFC 5730, August 2009. 472 [RFC5910] Gould, J. and S. Hollenbeck, "Domain Name System (DNS) 473 Security Extensions Mapping for the Extensible 474 Provisioning Protocol (EPP)", RFC 5910, May 2010. 476 12.2. Informative References 478 [I-D.koch-dnsop-dnssec-operator-change] 479 Koch, P. and M. Sanz, "Changing DNS Operators for DNSSEC 480 signed Zones", draft-koch-dnsop-dnssec-operator-change-04 481 (work in progress), March 2012. 483 [RFC5931] Harkins, D. and G. Zorn, "Extensible Authentication 484 Protocol (EAP) Authentication Using Only a Password", RFC 485 5931, August 2010. 487 Appendix A. Changelog 489 [This section should be removed by the RFC editor before publishing] 491 A.1. -00 493 1. Initial document. 495 A.2. -01 497 1. Style and grammar changes; 499 2. Added an expire element; 501 3. Make the authInfo element mandatory and make the registry check 502 it. 504 Authors' Addresses 505 R. (Miek) Gieben 506 SIDN Labs 507 Meander 501 508 Arnhem 6825 MD 509 NL 511 Email: miek@miek.nl 512 URI: http://miek.nl/ 514 M. Groeneweg 515 SIDN Labs 516 Meander 501 517 Arnhem 6825 MD 518 NL 520 Email: marc.groeneweg@sidn.nl 521 URI: https://www.sidn.nl/ 523 Rik Ribbers 524 SIDN Labs 525 Meander 501 526 Arnhem 6825 MD 527 NL 529 Email: rik.ribbers@sidn.nl 530 URI: https://www.sidn.nl/ 532 Antoin Verschuren 533 SIDN Labs 534 Meander 501 535 Arnhem 6825 MD 536 NL 538 Email: antoin.verschuren@sidn.nl 539 URI: https://www.sidn.nl/