idnits 2.17.1 draft-ietf-dnsext-delegation-signer-00.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** Looks like you're using RFC 2026 boilerplate. This must be updated to follow RFC 3978/3979, as updated by RFC 4748. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- ** Missing document type: Expected "INTERNET-DRAFT" in the upper left hand corner of the first page ** The document seems to lack a 1id_guidelines paragraph about 6 months document validity -- however, there's a paragraph with a matching beginning. Boilerplate error? == No 'Intended status' indicated for this document; assuming Proposed Standard Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack a Security Considerations section. ** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.) ** The document seems to lack a both a reference to RFC 2119 and the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords. RFC 2119 keyword, line 141: '... DK record MUST only appear at a dele...' RFC 2119 keyword, line 143: '...ecure delegation MUST NOT have a DK re...' RFC 2119 keyword, line 144: '... record SHOULD be considered a hint t...' RFC 2119 keyword, line 145: '... Resolver MUST only trust KEY records...' RFC 2119 keyword, line 153: '...Delegating zones MUST NOT store KEY re...' (5 more instances...) Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not match the current year == The "Author's Address" (or "Authors' Addresses") section title is misspelled. -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- Couldn't find a document date in the document -- date freshness check skipped. Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Missing reference section? 'RFC1035' on line 363 looks like a reference -- Missing reference section? 'RFC2535' on line 366 looks like a reference -- Missing reference section? 'RFC3090' on line 372 looks like a reference -- Missing reference section? 'RFC3008' on line 369 looks like a reference -- Missing reference section? 'Parent' on line 378 looks like a reference -- Missing reference section? 'OKbit' on line 165 looks like a reference -- Missing reference section? 'IDbit' on line 375 looks like a reference Summary: 6 errors (**), 0 flaws (~~), 3 warnings (==), 9 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 1 DNSEXT Working Group Olafur Gudmundsson 2 4 Updates: RFC 1035, RFC 2535, RFC 3008. 6 Delegation Signer record in parent. 8 Status of this Memo 10 This document is an Internet-Draft and is in full conformance with all 11 provisions of Section 10 of RFC2026. 13 Internet-Drafts are working documents of the Internet Engineering Task 14 Force (IETF), its areas, and its working groups. Note that other 15 groups may also distribute working documents as Internet-Drafts. 17 Internet-Drafts are draft documents valid for a maximum of six months 18 and may be updated, replaced, or obsoleted by other documents at any 19 time. It is inappropriate to use Internet-Drafts as reference 20 material or to cite them other than as ``work in progress.'' 22 The list of current Internet-Drafts can be accessed at 23 http://www.ietf.org/ietf/1id-abstracts.txt 25 The list of Internet-Draft Shadow Directories can be accessed at 26 http://www.ietf.org/shadow.html 28 Comments should be sent to the authors or the DNSEXT WG mailing list 29 namedroppers@ops.ietf.org 31 This draft expires on November 30, 2001. 33 Copyright Notice 35 Copyright (C) The Internet Society (2001). All rights reserved. 37 Abstract 39 One of the biggest problems in DNS occur when records of the same type 40 can appear on both sides of an delegation. If the contents of these 41 sets differs clients can get confused. RFC2535 KEY records follows 42 the same model as for NS records, parent is responsible for the 43 records but the child is responsible for the contents. This document 44 proposes to store a different record in the parent that specifies 45 which one of the child's keys can sign the child's KEY set. This 46 change is not backwards compatible with RFC2535 but simplifies DNSSEC 47 operation. 49 1 - Introduction 51 Familiarity with the DNS system [RFC1035], DNS security extensions 52 [RFC2535] and DNSSEC terminology [RFC3090] is important. 54 When the same data can reside in two administratively different DNS 55 zones sources it is common that the data gets out of sync. NS record 56 in a zone indicates that there is a delegation at this name and the NS 57 record lists the authorative servers for the real zone. Based on 58 actual measurements 10-30% of all delegations in the Internet have 59 differing NS sets at parent and child. There are number of reasons for 60 this including lack of communication between parent and child, and 61 bogus nameservers are listed to meet registrar requirements. 63 DNSSEC [RFC2535,RFC3008,RFC3090] specifies that child must have its 64 KEY set signed by the parent to create a verifiable chain of KEYs. 65 There is some debate, where the signed KEY set should reside, 66 parent[Parent] or child[RFC2535]. If the KEY set resides at the child, 67 frequent communication is needed between the two to transmit keysets 68 up to parent and signatures down to child. If the KEY set resides at 69 the parent[Parent] the communication is reduced having only child send 70 updated key sets to parent. DNSSEC requires that the parent store NULL 71 key set for unsecure children, this complicates resolution process as 72 in many cases as servers for both parent and child need to be queried 73 for KEY set. 75 Further complication of the DNSSEC KEY model is that KEY record is 76 used to store DNS zone keys and public keys for other protocols. This 77 can lead to large key sets at delegation points. There are number of 78 potential problems with this. 79 1. KEY set may become quite large if many applications/protocols store 80 their keys at the zone apex. Example of protocols are IPSEC, HTTP, 81 SMTP, SSH etc. 82 2. Key set may require frequent updates, 83 3. Probability of compromised/lost keys increases and triggers 84 emergency key rollover. 85 4. Parent may refuse sign key sets with NON DNS zone keys. 86 5. Parent may not have QoS on key changes that meets child's 87 expectations. 89 Given these and other reasons there is good reason to explore 90 alternatives to using only KEY records to create chain of trust. 92 Some of these problems can be reduced or eliminated by operational 93 rules or protocol changes. To reduce the number of keys at apex, rule 94 to require applications to store their KEY records at the SRV name for 95 that application is one possibility. Another is to restrict KEY record 96 to DNS keys only and create a new type for all non DNS keys. Third 97 possible solution is to ban the storage of non DNS related keys at 98 zone apex. There are other possible solutions but they are outside the 99 scope of this draft. 101 1.1 - Delegation Signer Record model 103 This draft proposes an alternative to the KEY record chain of trust, 104 that uses a special record that can only reside at the parent. This 105 record will identify the key(s) that child will use to self sign its 106 KEY set. 108 The chain of trust is now established by verifying the parent KEY set, 109 the DK set from the parent and then the KEY set at the child. This is 110 cryptographically equivalent to just using KEY records. 112 Communication between the parent and child is reduced as the parent 113 only needs to know of changes in DNS zone KEY records used to sign the 114 apex KEY set. If other KEY records are stored at the zone apex, the 115 parent does not to be aware of them. 117 If child wants to have frequent key rollover for its DNS keys it is 118 possible to do that without communicating to the parent, in this case 119 the child uses on strong key to sign its apex KEY set and other 120 smaller keys to sign the zone for a short time. 122 This approach has the advantage that communication between the parent 123 and child is kept to a minimum and the child is the authority for the 124 KEY set with full control over the contents. The load on the parent 125 is reduced and it can maintain its zone as it sees fit. 127 The main disadvantage of this approach is to double the number of 128 signatures that need to be verified for the each KEY set. The 129 advantage on the other hand is that child only needs to update data in 130 parent when it changes DNS signing key. 132 1.2 - Reserved words 134 The key words "CAN", "MUST", "MUST NOT", "SHOULD", "DOES NOT" and 135 "MAY" in this document are to be interpreted as described in RFC2119. 137 2 - DK (Delegation KEY signer) record: 139 2.1 Protocol change 141 DK record MUST only appear at a delegation in the parent zone. The 142 record lists the child's keys that CAN sign the child's key set. 143 Insecure delegation MUST NOT have a DK record, the presence of DK 144 record SHOULD be considered a hint that the child might be secure. 145 Resolver MUST only trust KEY records that match a DK record. 146 NOTE: It has been suggested that NULL DK record for insecure children 147 is better than no record. The advantage is to have authenticated 148 denial of child's security status, the drawback is for large 149 delegating zones there will be many NULL DK records. 150 WG please comment on which approach is better. 152 Updates RFC2535 sections 2.3.4 and 3.4, as well as RFC3008 section 153 2.7: Delegating zones MUST NOT store KEY records for delegations. The 154 only records that can appear at delegation in parent are NS, SIG, NXT 155 and DK. 157 Zone MUST self sign its apex KEY set, it SHOULD sign it with a key 158 that corresponds to a DK record in the parent. 160 If child apex KEY RRset is not signed with one of the keys specified 161 in the DK record the child is locally secure[RFC3090] and SHOULD only 162 be considered secure the resolver has been instructed to trust the key 163 used, via preconfiguration. 165 Authorative server answering a query, that has the OK bit set[OKbit], 166 MUST include the DK set in the additional section if the answer is a 167 referral and there is space. Caching servers MAY return the DK record 168 in the additional section under the same condition. 170 2.1.1 - Comments on protocol change 172 DK record is the first DNS record to be only stored at the upper side 173 of a delegation. NS records appear at both sides as do SIG and NXT. 174 All other records can only appear at the lower side. This will cause 175 some problems as servers authorative for parent may reject DK record 176 even if the server understands unknown types. Similarly a nameserver 177 acting as a authorative for child and as a caching recursive server 178 may never return the DK record. A caching server does not care from 179 which side DK record comes from and thus should not have to be changed 180 if it supports unknown types. 182 Secure resolvers need to know about the DK record and how to interpret 183 it. In the worst case, introducing the DK record, doubles the 184 signatures that need to be checked to validate a KEY set, this is a 185 small price to pay to have a cleaner delegations structure. 187 Over the years there has been various discussions on that the 188 delegation model in DNS is broken as there is no real good way to 189 assert if delegation exists. In RFC2535 version of DNSSEC the 190 authentication of a delegation is the NS bit in the NXT bitmap at the 191 delegation point. Something more explicit is needed and the DK record 192 addresses this for secure delegations. 194 2.2 Wire format of DK record 196 There are two possible ways to represent the DK record at the parent 197 and this draft presents both for discussion, the WG is expected to 198 select one and only one. The two formats is either to reuse the RDATA 199 definition of the KEY record and the other one is to store an 200 identifier of the key. 202 2.2.1 Compact DK format 204 The DK record consists of algorithm, size, key tag and SHA-1 digest of 205 the public key KEY record allowed to sign the child's delegation. 207 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 208 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 209 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 210 | key tag | size | 211 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 212 | algorithm | SHA-1 digest | 213 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 214 | (20 bytes) | 215 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 216 | | 217 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-| 218 | | 219 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-| 220 | | 221 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-| 222 | | 223 +-+-+-+-+-+-+-+-+ 225 The key tag is calculated as specified in RFC2535, the size is the 226 size of the public key in bits as specified in the document specifying 227 the algorithm. Algorithm MUST be an algorithm number assigned in the 228 range 1..251. The SHA-1 digest is calculated over the canonical name 229 of the delegation followed by the RDATA of the KEY record. 231 2.2.1.1 Justifications for fields 233 The algorithm and size fields are here to allow resolvers to quickly 234 identify the candidate KEY records to examine. Key Tag is to allow 235 quick check if this is a good candidate. The key tag is redundant but 236 provides some greater assurance than SHA-1 digest on its own. SHA-1 is 237 a strong cryptographic checksum, it is hard for attacker to generate a 238 KEY record that has the same SHA-1 digest. Making sure that the KEY 239 record is a valid public key is much harder. Combining the SHA-1 all 240 the checks, the task of the attacker is as hard breaking the public 241 key. Even if someone creates a database of all SHA-1 key hashes seen 242 so far, the addition of the name renders that database useless for 243 attacks. 245 2.2.2 Verbose DK format 247 The RDATA of the DK record is identical to the KEY record as specified 248 in RFC2535 sections 3.1, 3.1.2, 3.1.3 and 3.2. 250 2.3 Presentation format of DK record 252 Only one of these subsections will be used in RFC. 254 2.3.1 Presentation format for the compact DK record 256 The presentation format of DK record consists of 2 numbers, followed 257 by either the name of the signature algorithm or the algorithm number. 258 The digest is to be presented in hex. 260 2.3.2 Presentation format for the verbose DK record 262 Identical to KEY record. 264 2.4 Justifications for each format 266 2.4.1 Justification for compact format 268 This format allows concise representation of the keys that child will 269 use, thus keeping down the size of the answer for the delegation, 270 reducing the probability of packet overflow. The SHA-1 hash is strong 271 enough to uniquely identify the key. This is similar to PGP footprint. 273 Each DK record has RDATA size of 25, regardless of the size of the 274 keys, keeping the answers from the parent smaller than if public key 275 was used. The smallest currently defined KEY record RDATA is 70 bytes. 277 Compact DK format is also better suited to list trusted keys for 278 islands of security in configuration files. 280 2.4.2 Justifications for verbose format 282 Even though this format results in larger DK set the effect on 283 implementations is smaller. Supporting I/O for DK record type is a 284 matter of reusing the code for reading/writing KEY records. For 285 finding DK to KEY matches simple compare will do, instead of digesting 286 the public KEYS. 288 3 Resolver Example 290 This example uses compact notation for both DK and KEY for clarity. 292 To create a chain of trust resolver goes from trusted KEY to DK to 293 KEY. 295 Assume the key for domain example. is trusted. In zone example we 296 have 297 example. KEY 298 secure.example. DK tag=12345 size=1024 alg=dsa 299 secure.example. NS ns1.secure.example. 300 NS ns1.secure.example. 301 secure.example. NXT NS SIG NXT DK tail.example. 303 secure.example. SIG(NXT) 304 secure.example. SIG(DK) 306 In zone secure.example. we have 307 secure.example. SOA 308 secure.example. NS ns1.secure.example. 309 NS ns1.secure.example. 310 secure.example. KEY 311 KEY 312 KEY 313 secure.example. SIG(KEY) 314 secure.example. SIG(SOA) 315 secure.example. SIG(NS) 317 In this example the trusted key for example signs the DK record for 318 secure.example, making that a trusted record. The DK record states 319 what key is supposed to sign the KEY record at secure.example. In 320 this example secure.example. has three KEY records and the correct one 321 signs the KEY set, thus the key set is validated and trusted. One of 322 the other keys in the keyset actually signs the zone data, and 323 resolvers will trust the signatures as the key appears in the KEY set 324 that was correctly signed. 326 This example has only one DK record for the child but there no reason 327 to outlaw multiple DK records. More than one DK record is needed 328 during signing key rollover. 330 4 Acknowledgments 332 Number of people have over the last few years contributed number of 333 ideas that are captured in this document. 335 4 - Security Considerations: 337 This document proposes a change to the validation chain of KEY records 338 in DNS. The change in is not believed to reduce security in the 339 overall system, in RFC2535 DNSSEC child must communicate keys to 340 parent and prudent parents will require some authentication on that 341 handshake. The modified protocol will require same authentication but 342 allows the child to exert more local control over its own KEY set. 344 In the compact representation of DK record, there is a possibility 345 that an attacker can generate an valid KEY that matches all the checks 346 thus starting to forge data from the child. This is considered 347 impractical as on average more than 2**80 keys must be generated 348 before one is found that will match. 350 DK record is a change to DNSSEC protocol and there is some installed 351 base of implementations, as well as text books on how to set up 352 secured delegations. Implementations that do not understand DK record 353 will not be able to follow the KEY to DK to KEY chain and consider all 354 zone secured that way insecure. 356 5 - IANA Considerations: 358 IANA needs to allocate RR type code for DK from the standard RR type 359 space. 361 References: 363 [RFC1035] P. Mockapetris, ``Domain Names - Implementation and 364 Specification'', STD 13, RFC 1035, November 1987. 366 [RFC2535] D. Eastlake, ``Domain Name System Security Extensions'', RFC 367 2535, March 1999. 369 [RFC3008] B. Wellington, ``Domain Name System Security (DNSSEC) Signing 370 Authority'', RFC 3008, November 2000. 372 [RFC3090] E. Lewis `` DNS Security Extension Clarification on Zone 373 Status'', RFC 3090, March 2001. 375 [IDbit] D. Conrad, ``Indicating Resolver Support of DNSSEC'', work in 376 progress , April 2001. 378 [Parent] R. Gieben, T. Lindgreen, ``Parent stores the child's zone 379 KEYs'', work in progress , May 2001. 382 Author Address 384 Olafur Gudmundsson 385 3826 Legation Street, NW 386 Washington, DC, 20015 387 USA 388 390 Full Copyright Statement 392 Copyright (C) The Internet Society (2001). All Rights Reserved. 394 This document and translations of it may be copied and furnished to 395 others, and derivative works that comment on or otherwise explain it 396 or assist in its implementation may be prepared, copied, published and 397 distributed, in whole or in part, without restriction of any kind, 398 provided that the above copyright notice and this paragraph are 399 included on all such copies and derivative works. However, this 400 document itself may not be modified in any way, such as by removing 401 the copyright notice or references to the Internet Society or other 402 Internet organizations, except as needed for the purpose of developing 403 Internet standards in which case the procedures for copyrights defined 404 in the Internet Standards process must be followed, or as required to 405 translate it into languages other than English. 407 The limited permissions granted above are perpetual and will not be 408 revoked by the Internet Society or its successors or assigns. 410 This document and the information contained herein is provided on an 411 "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING 412 TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT 413 NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN 414 WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF 415 MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE."