idnits 2.17.1 draft-gieben-epp-keyrelay-02.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (April 03, 2013) is 4038 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Outdated reference: A later version (-06) exists of draft-koch-dnsop-dnssec-operator-change-04 Summary: 0 errors (**), 0 flaws (~~), 2 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group R. Gieben 3 Internet-Draft Google 4 Intended status: Standards Track M. Groeneweg 5 Expires: October 05, 2013 R. Ribbers 6 A.L.J. Verschuren 7 SIDN Labs 8 April 03, 2013 10 Key Relay Mapping for the Extensible Provisioning Protocol 11 draft-gieben-epp-keyrelay-02 13 Abstract 15 This document describes an Extensible Provisioning Protocol (EPP) 16 extension mapping for the purpose of relaying DNSSEC key material 17 from one DNS operator to another, by using the administrative 18 registration channel through the registrant, registrar and registry. 19 The mapping introduces "" as a new command in EPP. 21 This command will help facilitate changing the DNS operator of a 22 domain while keeping the DNSSEC chain of trust intact. 24 Status of This Memo 26 This Internet-Draft is submitted in full conformance with the 27 provisions of BCP 78 and BCP 79. 29 Internet-Drafts are working documents of the Internet Engineering 30 Task Force (IETF). Note that other groups may also distribute 31 working documents as Internet-Drafts. The list of current Internet- 32 Drafts is at http://datatracker.ietf.org/drafts/current/. 34 Internet-Drafts are draft documents valid for a maximum of six months 35 and may be updated, replaced, or obsoleted by other documents at any 36 time. It is inappropriate to use Internet-Drafts as reference 37 material or to cite them other than as "work in progress." 39 This Internet-Draft will expire on October 05, 2013. 41 Copyright Notice 43 Copyright (c) 2013 IETF Trust and the persons identified as the 44 document authors. All rights reserved. 46 This document is subject to BCP 78 and the IETF Trust's Legal 47 Provisions Relating to IETF Documents 48 (http://trustee.ietf.org/license-info) in effect on the date of 49 publication of this document. Please review these documents 50 carefully, as they describe your rights and restrictions with respect 51 to this document. Code Components extracted from this document must 52 include Simplified BSD License text as described in Section 4.e of 53 the Trust Legal Provisions and are provided without warranty as 54 described in the Simplified BSD License. 56 Table of Contents 58 1. Conventions Used in This Document . . . . . . . . . . . . . . 2 59 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 60 3. Relaying Key Material . . . . . . . . . . . . . . . . . . . . 3 61 4. Rational For a New Command . . . . . . . . . . . . . . . . . 4 62 5. Key Relay Interface . . . . . . . . . . . . . . . . . . . . . 5 63 5.1. Example Key Relay Interface . . . . . . . . . . . . . . . 6 64 6. Server Reply . . . . . . . . . . . . . . . . . . . . . . . . 6 65 7. Message Queue Interface . . . . . . . . . . . . . . . . . . . 7 66 7.1. Message Queue Format . . . . . . . . . . . . . . . . . . 7 67 8. Formal Syntax . . . . . . . . . . . . . . . . . . . . . . . . 8 68 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 69 10. Security Considerations . . . . . . . . . . . . . . . . . . . 10 70 11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 11 71 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 11 72 12.1. Normative References . . . . . . . . . . . . . . . . . . 11 73 12.2. Informative References . . . . . . . . . . . . . . . . . 12 74 Appendix A. Changelog . . . . . . . . . . . . . . . . . . . . . 12 75 A.1. -00 . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 76 A.2. -01 . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 77 A.3. -02 . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 78 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 12 80 1. Conventions Used in This Document 82 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 83 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 84 document are to be interpreted as described in BCP 14, RFC 2119 85 [RFC2119]. 87 In examples, "C:" represents lines sent by a protocol client, and 88 "S:" represents lines returned by a protocol server. "////" is used 89 to note element values that have been shortened to better fit page 90 boundaries. Indentation and white space in examples is provided only 91 to illustrate element relationships and is not a mandatory feature of 92 this protocol. 94 XML is case sensitive. Unless stated otherwise, XML specifications 95 and examples provided in this document MUST be interpreted in the 96 character case presented in order to develop a conforming 97 implementation. 99 The term "key material" denotes one more DNSKEY resource records 100 [RFC4034]. 102 2. Introduction 104 Certain transactions for DNSSEC signed zones require an authenticated 105 exchange of DNSSEC key material between DNS operators. Often there 106 is no direct secure channel between the two or it is non-scalable. 108 One of such transactions is changing the DNS operator for DNSSEC 109 signed zones ([I-D.koch-dnsop-dnssec-operator-change]. We suggest 110 DNS operators use the administrative channel that is used to 111 bootstrap the delegation to relay the key material for the zone. In 112 this document we define a protocol extension for use in EPP that 113 helps to implement and automate this transaction. This protocol 114 extension introduces a new command called "". 116 3. Relaying Key Material 118 The "" command uses the existing authenticated EPP channel 119 with the registry. Registrars can securely talk to the registry and 120 as such the registry can serve as a drop box for relaying key 121 material between them (see Figure 1). 123 +-------------------+ DNSKEY +--------------------+ 124 |losing DNS operator| <~~~~~~~ |gaining DNS operator| 125 +-------------------+ +--------------------+ 126 ^ | 127 | v 128 +-----------------+ +---------+ 129 |current registrar| |registrar| 130 +-----------------+ +---------+ 131 ^ | 132 EPP poll | | EPP keyrelay 133 | V 134 +----------------+ 135 | registry | 136 +----------------+ 138 The gaining and losing DNS operators should talk directly to each 139 other (the ~ arrow) to exchange the DNSKEY, but often there is no 140 trusted path between the two. As both can securely interact with the 141 registry over the administrative channel through the registrar, the 142 registry can act as a relay for the key material exchange. 144 Figure 1 146 The "" command uploads new key(s) to the registry for a 147 given domain. This key material is then relayed to the current 148 registrar's message queue. This may be the same registrar as the one 149 that submitted the "" command in the situation where the 150 DNS operators change, but the registrar stays the same. There is no 151 need for the registry to store the relayed key in the registry 152 system, although the registry MAY save the key for administrative 153 purposes. 155 The registrar may upload multiple keys in one "" message. 157 There is no restriction on the type (for instance Key Signing Keys or 158 Zone Signing Keys) of keys that can be put in the message. It is up 159 to the losing DNS operator to validate the correctness of the key 160 material, and remove duplicate keys (Flags Field, Protocol Field, 161 Algorithm Field and Public Key Field are equal) when identical keys 162 are already in the zone. 164 If for some reason the registry can not process the "" 165 command an EPP error response MUST be returned. If the registry does 166 process the "" command it MUST put all uploaded keys on to 167 the current registrar's message queue. 169 4. Rational For a New Command 171 The existing commands in EPP all deal with data which either has an 172 owner, or soon will have one (EPP create). The "" command 173 is different, because it allows an upload of key material which will 174 never have an owner (in the registry system). All the "" 175 command does is relay data in preparation for one of the other 176 existing EPP commands in a processes. This way, existing commands 177 don't need to change, and backward compatibility for existing 178 commands is guaranteed. It allows the client to be flexible in 179 timing the individual steps necessary to complete a complex process 180 like changing the DNS operator for a zone. Creating a separate 181 command also allows the command to be used or extended to relay key 182 or other data for other future processes besides DNS operator 183 changes. 185 5. Key Relay Interface 187 The Key Relay Interface uses a "" element for relaying the 188 key material. It needs a minimum of three elements: a domain name, 189 the key(s) to upload, a token which indicates the request is 190 authorized by the registrant, and an OPTIONAL expire element. 192 Thus a "" element MUST contain the following child 193 elements: 195 o A "" element that contains the domain name for which we 196 upload the key. 198 o A "" element that contains the key material as described 199 in [RFC5910], Section 4.2. 201 o An "" that contains an authorization token ([RFC5731], 202 Section 3.2.4). This indicates that the registrar has 203 authorization from the registrant to change the zone data, and a 204 possible future transfer is authorized. The registry MAY check if 205 the "" data is correct and if it does, it MUST return an 206 EPP error response if the authorization token is not correct. 208 And MAY contain: 210 o An "" element that describes the expected lifetime of the 211 relayed key(s) in the zone. The losing DNS operator can use this 212 to decide when to remove the key material from the zone again. 213 The element MUST contain one of the following child 214 elements: 216 * "": The policy is valid from the current date and 217 time until it expires on the specified date and time. 219 * "": The policy is valid from the current date and 220 time until the end of the specified duration. 222 The current date and time are taken from the "" service 223 message's "" element, see Section 7.1. 225 o An "" (client transaction identifier) as described in 226 [RFC5730], Section 2.5. 228 5.1. Example Key Relay Interface 230 The following is an example of the "" command, where a key 231 is uploaded with a relative expire date of one month and 13 days. 233 C: 237 C: 238 C: 239 C: 240 C: example.org 241 C: 242 C: 256 243 C: 3 244 C: 8 245 C: cmlraXN0aGViZXN0 246 C: 247 C: 248 C: JnSdBAZSxxzJ 249 C: 250 C: 251 C: P1M13D 252 C: 253 C: 254 C: ABC-12345 255 C: 256 C: 257 C: 259 6. Server Reply 261 Example "" response: 263 S: 264 S: 265 S: 266 S: 267 S: Command completed succesfully 268 S: 269 S: 270 S: ABC-12345 271 S: 54321-ZYX 272 S: 273 S: 274 S: 276 As stated an EPP error response MUST be returned if a "" 277 command can not be processed for any reason. 279 7. Message Queue Interface 281 The message queue interface uses the interface as defined in 282 [RFC5730], Section 2.6. All elements that are present in the 283 "" EPP message are put on the message queue of the current 284 registrar for the domain in the "" element. 286 7.1. Message Queue Format 288 This is an example "" service message. Note that the 289 optional clTRID in this message is the clTRID value from the command 290 that polls the message queue. It is not the clTRID value used in the 291 EPP "" command. 293 S: 297 S: 298 S: 299 S: Command completed successfully; ack to dequeue 300 S: 301 S: 302 S: 1999-04-04T22:01:00.0Z 303 S: Key Relay action completed successfully. 304 S: 305 S: 306 S: 307 S: 308 S: example.org 309 S: 310 S: 1999-04-04T22:01:00.0Z 311 S: 312 S: 313 S: 256 314 S: 3 315 S: 8 316 S: cmlraXN0aGViZXN0 317 S: 318 S: 319 S: JnSdBAZSxxzJ 320 S: 321 S: 322 S: P24D 323 S: 324 S: ClientX 325 S: ClientY 326 S: 327 S: 328 S: 329 S: 330 S: BCD-23456 331 S: 65432-WXY 332 S: 333 S: 334 S: 336 8. Formal Syntax 338 An EPP object mapping is specified in XML Schema notation. The 339 formal syntax presented here is a complete schema representation of 340 the object mapping suitable for automated validation of EPP XML 341 instances. 343 "" command schema: 345 346 355 356 357 Extensible Provisioning Protocol v1.0 domain name 358 extension schema for relaying key material. 359 360 362 364 366 368 371 372 374 375 376 378 379 381 382 383 385 387 388 390 391 392 393 394 395 397 398 399 400 402 404 406 407 409 410 411 412 413 415 416 418 419 420 421 422 424 9. IANA Considerations 426 This document uses URNs to describe XML namespaces and XML schemas 427 conforming to a registry mechanism described in RFC 3688 [RFC3688]. 429 Two URI assignments must be completed by the IANA. 431 Registration request for the extension namespace: 433 URI: urn:ietf:params:xml:ns:keyrelay-1.0 435 Registrant Contact: IESG 437 XML: None. Namespace URIs do not represent an XML specification. 439 Registration request for the extension XML schema: 441 URI: urn:ietf:params:xml:schema:keyrelay-1.0 443 Registrant Contact: IESG 445 XML: See the "Formal Syntax" section of this document. 447 10. Security Considerations 448 The "" EPP extension does not allow for any object 449 transformations. 451 Any registrar can use this mechanism to put key material on the 452 message queue of another registrar, thus mounting a denial of service 453 attack. However this can, and should be detected by the registry. A 454 correct "" element can be used as an indication that 455 putting the key material on the losing registrar's message queue is 456 authorized by the registrant of that registrar. 458 Communication between a registrar and registry is mostly done over 459 EPP, but communication between DNS operators, registrants or 460 registrars often is not. If EPP is not used between these entities, 461 relaying the key between a DNS operator and registrar should be 462 adequately authenticated for the complete relay channel to remain 463 secure. It's out of scope for this document to describe how to 464 authenticate with other methods than EPP. 466 11. Acknowledgements 468 Maarten Wullink, Marco Davids, Ed Lewis, James Mitchell, David Peal 469 and Patrik Faltstrom for their review. 471 Klaus Malorny. Mandated authInfo, added Expiry and reID based on 472 Klaus feedback. 474 James Gould. For his review, suggestions and additional support for 475 mandatory authInfo. 477 Patrick Mevzek. He also noticed our missing clTRID in the message, 478 and gave useful feedback for clarifications. Many thanks also for 479 building the first EPP client to support keyrelay. 481 12. References 483 12.1. Normative References 485 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 486 Requirement Levels", BCP 14, RFC 2119, March 1997. 488 [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, 489 January 2004. 491 [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. 492 Rose, "Resource Records for the DNS Security Extensions", 493 RFC 4034, March 2005. 495 [RFC5730] Hollenbeck, S., "Extensible Provisioning Protocol (EPP)", 496 STD 69, RFC 5730, August 2009. 498 [RFC5910] Gould, J. and S. Hollenbeck, "Domain Name System (DNS) 499 Security Extensions Mapping for the Extensible 500 Provisioning Protocol (EPP)", RFC 5910, May 2010. 502 12.2. Informative References 504 [I-D.koch-dnsop-dnssec-operator-change] 505 Koch, P. and M. Sanz, "Changing DNS Operators for DNSSEC 506 signed Zones", draft-koch-dnsop-dnssec-operator-change-04 507 (work in progress), March 2012. 509 [RFC5731] Hollenbeck, S., "Extensible Provisioning Protocol (EPP) 510 Domain Name Mapping", STD 69, RFC 5731, August 2009. 512 Appendix A. Changelog 514 [This section should be removed by the RFC editor before publishing] 516 A.1. -00 518 1. Initial document. 520 A.2. -01 522 1. Style and grammar changes; 524 2. Added an expire element; 526 3. Make the authInfo element mandatory and make the registry check 527 it. 529 A.3. -02 531 1. Added element to identify the relaying EPP client; 533 2. Corrected XML for missing and excess clTRID; 535 3. Added clarifications for the examples based on feedback; 537 4. Reviewed the consistency of using DNS operator versus registrar. 539 Authors' Addresses 540 R. (Miek) Gieben 541 Google 543 Email: miek@google.com 545 M. Groeneweg 546 SIDN Labs 547 Meander 501 548 Arnhem 6825 MD 549 NL 551 Email: marc.groeneweg@sidn.nl 552 URI: https://www.sidn.nl/ 554 Rik Ribbers 555 SIDN Labs 556 Meander 501 557 Arnhem 6825 MD 558 NL 560 Email: rik.ribbers@sidn.nl 561 URI: https://www.sidn.nl/ 563 Antoin Verschuren 564 SIDN Labs 565 Meander 501 566 Arnhem 6825 MD 567 NL 569 Email: antoin.verschuren@sidn.nl 570 URI: https://www.sidn.nl/