idnits 2.17.1 

draft-ietf-dnsext-dnssec-okbit-00.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** Looks like you're using RFC 2026 boilerplate.  This must be updated to
     follow RFC 3978/3979, as updated by RFC 4748.


  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  == No 'Intended status' indicated for this document; assuming Proposed
     Standard


  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The document seems to lack separate sections for Informative/Normative
     References.  All references will be assumed normative when checking for
     downward references.


  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not
     match the current year

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008.  If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment.  If not, you may need to add the pre-RFC5378 disclaimer. 
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- Couldn't find a document date in the document -- date freshness check
     skipped.


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Unused Reference: 'RFC1034' is defined on line 178, but no explicit
     reference was found in the text

  ** Obsolete normative reference: RFC 2535 (Obsoleted by RFC 4033, RFC 4034,
     RFC 4035)

  ** Obsolete normative reference: RFC 2671 (Obsoleted by RFC 6891)


     Summary: 4 errors (**), 0 flaws (~~), 3 warnings (==), 2 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

1	INTERNET-DRAFT                                            David Conrad
2	draft-ietf-dnsext-dnssec-okbit-00.txt                     Nominum Inc.
3	                                                          August, 2000

5	                 Indicating Resolver Support of DNSSEC

7	Status of this Memo

9	   This document is an Internet-Draft and is in full conformance with
10	   all provisions of Section 10 of RFC2026.

12	   Internet-Drafts are working documents of the Internet Engineering
13	   Task Force (IETF), its areas, and its working groups.  Note that
14	   other groups may also distribute working documents as Internet-
15	   Drafts.

17	   Internet-Drafts are draft documents valid for a maximum of six months
18	   and may be updated, replaced, or obsoleted by other documents at any
19	   time.  It is inappropriate to use Internet-Drafts as reference
20	   material or to cite them other than as "work in progress."

22	   The list of current Internet-Drafts can be accessed at
23	   http://www.ietf.org/ietf/1id-abstracts.txt

25	   The list of Internet-Draft Shadow Directories can be accessed at
26	   http://www.ietf.org/shadow.html.

28	Abstract

30	   In order to deploy DNSSEC operationally, DNSSEC aware servers should
31	   only respond with DNSSEC RRs when there is an explicit indication
32	   that the resolver can understand those RRs. This document proposes
33	   the use of a bit in the EDNS0 header to provide that explicit
34	   indication and the necessary protocol changes to implement that
35	   notification.

37	1. Introduction

39	   DNSSEC [RFC2535] has been specified to provide data integrity and
40	   authentication to security aware resolvers and applications through
41	   the use of cryptographic digital signatures.  However, as DNSSEC is
42	   deployed, non-DNSSEC-aware clients will likely query DNSSEC-aware
43	   servers.  In such situations, the DNSSEC-aware server (responding to
44	   a request for data in a signed zone) will respond with SIG, KEY,
45	   and/or NXT records.  For reasons described in the subsequent section,
46	   such responses can have significant negative operational impacts for
47	   the DNS infrastructure.

49	   This document discusses a method to avoid these negative impacts,
50	   namely DNSSEC-aware servers should only respond with SIG, KEY, and/or
51	   NXT RRs when there is an explicit indication from the resolver that
52	   it can understand those RRs.

54	   For the purposes of this document, "DNSSEC security RRs" are
55	   considered RRs of type SIG, KEY, or NXT.

57	   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
58	   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
59	   document are to be interpreted as described in [RFC2119].

61	2. Rationale

63	   As DNSSEC is deployed, the vast majority of queries will be from
64	   resolvers that are not DNSSEC aware and thus do not understand or
65	   support the DNSSEC security RRs.  When a query from such a resolver
66	   is received for a DNSSEC signed zone, the DNSSEC specification
67	   indicates the nameserver must respond with the appropriate DNSSEC
68	   security RRs.  As DNS UDP datagrams are limited to 512 bytes
69	   [RFC1035], responses including DNSSEC security RRs have a high
70	   probability of resulting in a truncated response being returned and
71	   the resolver retrying the query using TCP.

73	   TCP DNS queries result in significant overhead due to connection
74	   setup and teardown.  Operationally, the impact of these TCP queries
75	   will likely be quite detrimental in terms of increased network
76	   traffic (typically five packets for a single query/response instead
77	   of two), increased latency resulting from the additional round trip
78	   times, increased incidences of queries failing due to timeouts, and
79	   significantly increased load on nameservers.

81	   In addition, in preliminary and experimental deployment of DNSSEC,
82	   there have been reports of non-DNSSEC aware resolvers being unable to
83	   handle responses which contain DNSSEC security RRs, resulting in the
84	   resolver failing (in the worst case) or entire responses being
85	   ignored (in the better case).

87	   Given these operational implications, explicitly notifying the
88	   nameserver that the client is prepared to receive (if not understand)
89	   DNSSEC security RRs would be prudent.

91	   Client-side support of DNSSEC is assumed to be binary -- either the
92	   client is willing to receive all DNSSEC security RRs or it is not
93	   willing to accept any.  As such, a single bit is sufficient to
94	   indicate client-side DNSSEC support.  As effective use of DNSSEC
95	   implies the need of EDNS0 [RFC2671], bits in the "classic" (non-EDNS
96	   enhanced DNS header) are scarce, and there may be situations in which
97	   non-compliant caching or forwarding servers inappropriately copy data
98	   from classic headers as queries are passed on to authoritative
99	   servers, the use of a bit from the EDNS0 header is proposed.

101	   An alternative approach would be to use the existance of an EDNS0
102	   header as an implicit indication of client-side support of DNSSEC.
103	   This approach was not chosen as there may be applications in which
104	   EDNS0 is supported but in which the use of DNSSEC is inappropriate.

106	3. Protocol Changes

108	   The mechanism chosen for the explicit notification of the ability of
109	   the client to accept (if not understand) DNSSEC security RRs is using
110	   the most significant bit of the Z field on the EDNS0 OPT header in
111	   the query.  This bit is referred to as the "DNSSEC OK" (DO) bit.  In
112	   the context of the EDNS0 OPT meta-RR, the DO bit is the first bit of
113	   the the third and fourth bytes of the "extended RCODE and flags"
114	   portion of the EDNS0 OPT meta-RR, structured as follows:

116	                +0 (MSB)                +1 (LSB)
117	         +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
118	      0: |   EXTENDED-RCODE      |       VERSION         |
119	         +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
120	      2: |DO|                    Z                       |
121	         +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+

123	   Setting the DO bit to one in a query indicates to the server that the
124	   resolver is able to accept DNSSEC security RRs.  The DO bit cleared
125	   (set to zero) indicates the resolver is unprepared to handle DNSSEC
126	   security RRs and those RRs MUST NOT be returned in the response
127	   (unless DNSSEC security RRs are explicitly queried for).

129	   More explicitly, in order to explicitly indicate DNSSEC security RRs
130	   are acceptible to the resolver, DNSSEC-aware nameservers (both BASIC
131	   and FULL according to [RFC2535] definitions) MUST NOT add DNSSEC
132	   security RRs to any section of a response unless at least one of the
133	   following is true:

135	   1) The DO bit of the query EDNS0 header was set on the request,
136	   indicating that the client would like DNSSEC security RRs.

138	   2) The query type is SIG, KEY, or NXT and the RRs added match the
139	   query name and query type.

141	   In case 1), response generation is as indicated in [RFC2535].

143	   In case 2), only those RRs which match the query name and query type
144	   are added.

146	   Recursive DNSSEC-aware server MUST set the DO bit on recursive
147	   requests, regardless of the status of the DO bit on the initiating
148	   resolver request.  If the initiating resolver request does not have
149	   the DO bit set, the recursive DNSSEC-aware server MUST remove DNSSEC
150	   security RRs before returning the data to the client, however cached
151	   data MUST NOT be modified.

153	   In the event a server returns a NOTIMPL, FORMERR or SERVFAIL response
154	   to a query that has the DO bit set, the resolver SHOULD NOT expect
155	   DNSSEC security RRs and SHOULD retry the query without the EDNS0 in
156	   accordance with section 5.3 of [RFC2671].

158	Security Considerations

160	   The absence of DNSSEC data in response to a query with the DO bit set
161	   MUST NOT be taken to mean no security information is available for
162	   that zone as the response may be forged or a non-forged response of
163	   an altered (DO bit cleared) query.

165	IANA Considerations

167	   Allocation of the most significant bit of the Z field in the EDNS0
168	   OPT meta-RR is required.

170	Acknowledgements

172	   This document is based on a rough draft by Bob Halley with input from
173	   Olafur Gudmundsson, Andreas Gustafsson, Brian Wellington, Randy Bush,
174	   Rob Austein, and Steve Bellovin.

176	References

178	   [RFC1034] Mockapetris, P., "Domain Names - Concepts and Facilities",
179	   RFC 1034, November 1987.

181	   [RFC1035] Mockapetris, P., "Domain Names - Implementation and
182	   Specifications", RFC 1035, November 1987.

184	   [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
185	   Requirement Levels", BCP 14, RFC 2119, March 1997.

187	   [RFC2535] Eastlake, D., "Domain Name System Security Extensions", RFC
188	   2535, March 1999.

190	   [RFC2671] Vixie, P., Extension Mechanisms for DNS (EDNS0)", RFC 2671,
191	   August 1999

193	Author's Address
194	   David Conrad
195	   Nominum Inc.
196	   950 Charter Street
197	   Redwood City, CA 94063
198	   USA

200	   Phone: +1 650 779 6003

202	   Email: david.conrad@nominum.com

204	Full Copyright Statement

206	   Copyright (C) The Internet Society (2000).  All Rights Reserved.

208	   This document and translations of it may be copied and furnished to
209	   others, and derivative works that comment on or otherwise explain it
210	   or assist in its implmentation may be prepared, copied, published and
211	   distributed, in whole or in part, without restriction of any kind,
212	   provided that the above copyright notice and this paragraph are
213	   included on all such copies and derivative works.  However, this
214	   document itself may not be modified in any way, such as by removing
215	   the copyright notice or references to the Internet Society or other
216	   Internet organizations, except as needed for the purpose of
217	   developing Internet standards in which case the procedures for
218	   copyrights defined in the Internet Standards process must be
219	   followed, or as required to translate it into languages other than
220	   English.

222	   The limited permissions granted above are perpetual and will not be
223	   revoked by the Internet Society or its successors or assigns.

225	   This document and the information contained herein is provided on an
226	   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
227	   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
228	   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
229	   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
230	   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE."