idnits 2.17.1 draft-ietf-dnsext-keyrr-key-signing-flag-11.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** Looks like you're using RFC 2026 boilerplate. This must be updated to follow RFC 3978/3979, as updated by RFC 4748. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- == No 'Intended status' indicated for this document; assuming Proposed Standard Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- -- The abstract seems to indicate that this document updates RFC3445, but the header doesn't have an 'Updates:' line to match this. -- The abstract seems to indicate that this document updates RFC2535, but the header doesn't have an 'Updates:' line to match this. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not match the current year == Line 240 has weird spacing: '...ag bits in th...' == The document seems to lack the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords. (The document does seem to have the reference to RFC 2119 which the ID-Checklist requires). == The expression 'MAY NOT', while looking like RFC 2119 requirements text, is not defined in RFC 2119, and should not be used. Consider using 'MUST NOT' instead (if that is what you mean). Found 'MAY NOT' in this paragraph: The key words "MAY","MAY NOT", "MUST", "MUST NOT", "REQUIRED", "RECOMMENDED", "SHOULD", and "SHOULD NOT" in this document are to be interpreted as described in RFC2119 [1]. -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (September 2003) is 7501 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Unused Reference: '2' is defined on line 266, but no explicit reference was found in the text ** Obsolete normative reference: RFC 2535 (ref. '2') (Obsoleted by RFC 4033, RFC 4034, RFC 4035) ** Obsolete normative reference: RFC 3090 (ref. '3') (Obsoleted by RFC 4033, RFC 4034, RFC 4035) ** Obsolete normative reference: RFC 3445 (ref. '4') (Obsoleted by RFC 4033, RFC 4034, RFC 4035) Summary: 4 errors (**), 0 flaws (~~), 6 warnings (==), 4 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 DNS Extensions O. Kolkman 3 Internet-Draft RIPE NCC 4 Expires: March 1, 2004 J. Schlyter 6 E. Lewis 7 ARIN 8 September 2003 10 DNSKEY RR Secure Entry Point Flag 11 draft-ietf-dnsext-keyrr-key-signing-flag-11 13 Status of this Memo 15 This document is an Internet-Draft and is in full conformance with 16 all provisions of Section 10 of RFC2026. 18 Internet-Drafts are working documents of the Internet Engineering 19 Task Force (IETF), its areas, and its working groups. Note that other 20 groups may also distribute working documents as Internet-Drafts. 22 Internet-Drafts are draft documents valid for a maximum of six months 23 and may be updated, replaced, or obsoleted by other documents at any 24 time. It is inappropriate to use Internet-Drafts as reference 25 material or to cite them other than as "work in progress." 27 The list of current Internet-Drafts can be accessed at http:// 28 www.ietf.org/ietf/1id-abstracts.txt. 30 The list of Internet-Draft Shadow Directories can be accessed at 31 http://www.ietf.org/shadow.html. 33 This Internet-Draft will expire on March 1, 2004. 35 Copyright Notice 37 Copyright (C) The Internet Society (2003). All Rights Reserved. 39 Abstract 41 With the Delegation Signer (DS) resource record the concept of a 42 public key acting as a secure entry point has been introduced. During 43 exchanges of public keys with the parent there is a need to 44 differentiate secure entry point keys from other public keys in the 45 DNSKEY resource record (RR) set. A flag bit in the DNSKEY RR is 46 defined to indicate that DNSKEY is to be used as a secure entry 47 point. The flag bit is intended to assist in operational procedures 48 to correctly generate DS resource records, or to indicate what 49 DNSKEYs are intended for static configuration. The flag bit is not to 50 be used in the DNS verification protocol. This document updates RFC 51 2535 and RFC 3445. 53 Table of Contents 55 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . 3 56 2. The Secure Entry Point (SEP) Flag . . . . . . . . . . . . . . . 4 57 3. DNSSEC Protocol Changes . . . . . . . . . . . . . . . . . . . . 5 58 4. Operational Guidelines . . . . . . . . . . . . . . . . . . . . . 5 59 5. Security Considerations . . . . . . . . . . . . . . . . . . . . 6 60 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 6 61 7. Internationalization Considerations . . . . . . . . . . . . . . 6 62 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . 6 63 Normative References . . . . . . . . . . . . . . . . . . . . . . 7 64 Informative References . . . . . . . . . . . . . . . . . . . . . 7 65 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 7 66 Intellectual Property and Copyright Statements . . . . . . . . . 9 68 1. Introduction 70 "All keys are equal but some keys are more equal than others" [6] 72 With the definition of the Delegation Signer Resource Record (DS RR) 73 [5] it has become important to differentiate between the keys in the 74 DNSKEY RR set that are (to be) pointed to by parental DS RRs and the 75 other keys in the DNSKEY RR set. We refer to these public keys as 76 Secure Entry Point (SEP) keys. A SEP key either used to generate a 77 DS RR or is distributed to resolvers that use the key as the root of 78 a trusted subtree[3]. 80 In early deployment tests, the use of two (kinds of) key pairs for 81 each zone has been prevalent. For one kind of key pair the private 82 key is used to sign just the zone's DNSKEY resource record (RR) set. 83 Its public key is intended to be referenced by a DS RR at the parent 84 or configured statically in a resolver. The private key of the other 85 kind of key pair is used to sign the rest of the zone's data sets. 86 The former key pair is called a key-signing key (KSK) and the latter 87 is called a zone-signing key (ZSK). In practice there have been 88 usually one of each kind of key pair, but there will be multiples of 89 each at times. 91 It should be noted that division of keys pairs into KSK's and ZSK's 92 is not mandatory in any definition of DNSSEC, not even with the 93 introduction of the DS RR. But, in testing, this distinction has 94 been helpful when designing key roll over (key super-cession) 95 schemes. Given that the distinction has proven helpful, the labels 96 KSK and ZSK have begun to stick. 98 There is a need to differentiate the public keys for the key pairs 99 that are used for key signing from keys that are not used key signing 100 (KSKs vs ZSKs). This need is driven by knowing which DNSKEYs are to 101 be sent for generating DS RRs, which DNSKEYs are to be distributed to 102 resolvers, and which keys are fed to the signer application at the 103 appropriate time. 105 In other words, the SEP bit provides an in-band method to communicate 106 a DNSKEY RR's intended use to third parties. As an example we present 107 3 use cases in which the bit is useful: 109 The parent is a registry, the parent and the child use secured DNS 110 queries and responses, with a preexisting trust-relation, or plain 111 DNS over a secured channel to exchange the child's DNSKEY RR 112 sets. Since a DNSKEY RR set will contain a complete DNSKEY RRset 113 the SEP bit can be used to isolate the DNSKEYs for which a DS RR 114 needs to be created. 116 An administrator has configured a DNSKEY as root for a trusted 117 subtree into security aware resolver. Using a special purpose tool 118 that queries for the KEY RRs from that domain's apex, the 119 administrator will be able to notice the roll over of the trusted 120 anchor by a change of the subset of KEY RRs with the DS flag set. 122 A signer might use the SEP bit on the public key to determine 123 which private key to use to exclusively sign the DNSKEY RRset and 124 which private key to use to sign the other RRsets in the zone. 126 As demonstrated in the above examples it is important to be able to 127 differentiate the SEP keys from the other keys in a DNSKEY RR set in 128 the flow between signer and (parental) key-collector and in the flow 129 between the signer and the resolver configuration. The SEP flag is to 130 be of no interest to the flow between the verifier and the 131 authoritative data store. 133 The reason for the term "SEP" is a result of the observation that the 134 distinction between KSK and ZSK key pairs is made by the signer, a 135 key pair could be used as both a KSK and a ZSK at the same time. To 136 be clear, the term SEP was coined to lessen the confusion caused by 137 the overlap. ( Once this label was applied, it had the side effect of 138 removing the temptation to have both a KSK flag bit and a ZSK flag 139 bit.) 141 The key words "MAY","MAY NOT", "MUST", "MUST NOT", "REQUIRED", 142 "RECOMMENDED", "SHOULD", and "SHOULD NOT" in this document are to be 143 interpreted as described in RFC2119 [1]. 145 2. The Secure Entry Point (SEP) Flag 147 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 148 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 149 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 150 | flags |S| protocol | algorithm | 151 | |E| | | 152 | |P| | | 153 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 154 | / 155 / public key / 156 / / 157 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 159 DNSKEY RR Format 161 This document assigns the 15'th bit [4] in the flags field as the 162 secure entry point (SEP) bit. If the the bit is set to 1 the key is 163 intended to be used as secure entry point key. One SHOULD NOT assign 164 special meaning to the key if the bit is set to 0. Operators can 165 recognize the secure entry point key by the even or odd-ness of the 166 decimal representation of the flag field. 168 3. DNSSEC Protocol Changes 170 The bit MUST NOT be used during the resolving and verification 171 process. The SEP flag is only used to provide a hint about the 172 different administrative properties of the key and therefore the use 173 of the SEP flag does not change the DNS resolution protocol or the 174 resolution process. 176 4. Operational Guidelines 178 The SEP bit is set by the key-pair-generator and MAY be used by the 179 zone signer to decide whether the public part of the key pair is to 180 be prepared for input to a DS RR generation function. The SEP bit is 181 recommended to be set (to 1) whenever the public key of the key pair 182 will be distributed to the parent zone to build the authentication 183 chain or if the public key is to be distributed for static 184 configuration in verifiers. 186 When a key pair is created, the operator needs to indicate whether 187 the SEP bit is to be set in the DNSKEY RR. As the SEP bit is within 188 the data that is used to compute the 'key tag field' in the SIG RR, 189 changing the SEP bit will change the identity of the key within DNS. 190 In other words, once a key is used to generate signatures, the 191 setting of the SEP bit is to remain constant. If not, a verifier will 192 not be able to find the relevant KEY RR. 194 When signing a zone, it is intended that the key(s) with the SEP bit 195 set (if such keys exist) are used to sign the KEY RR set of the zone. 196 The same key can be used to sign the rest of the zone data too. It 197 is conceivable that not all keys with a SEP bit set will sign the 198 DNSKEY RR set, such keys might be pending retirement or not yet in 199 use. 201 When verifying a RR set, the SEP bit is not intended to play a role. 202 How the key is used by the verifier is not intended to be a 203 consideration at key creation time. 205 Although the SEP flag provides a hint on which public key is to be 206 used as trusted root, administrators can choose to ignore the fact 207 that a DNSKEY has its SEP bit set or not when configuring a trusted 208 root for their resolvers. 210 Using the SEP flag a key roll over can be automated. The parent can 211 use an existing trust relation to verify DNSKEY RR sets in which a 212 new DNSKEY RR with the SEP flag appears. 214 5. Security Considerations 216 As stated in Section 3 the flag is not to be used in the resolution 217 protocol or to determine the security status of a key. The flag is to 218 be used for administrative purposes only. 220 No trust in a key should be inferred from this flag - trust MUST be 221 inferred from an existing chain of trust or an out-of-band exchange. 223 Since this flag might be used for automating public key exchanges, we 224 think the following consideration is in place. 226 Automated mechanisms for roll over of the DS RR might be vulnerable 227 to a class of replay attacks. This might happen after a public key 228 exchange where a DNSKEY RR set, containing two DNSKEY RRs with the 229 SEP flag set, is sent to the parent. The parent verifies the DNSKEY 230 RR set with the existing trust relation and creates the new DS RR 231 from the DNSKEY RR that the current DS RR is not pointing to. This 232 key exchange might be replayed. Parents are encouraged to implement a 233 replay defense. A simple defense can be based on a registry of keys 234 that have been used to generate DS RRs during the most recent roll 235 over. These same considerations apply to entities that configure keys 236 in resolvers. 238 6. IANA Considerations 240 IANA considerations: The flag bits in the DNSKEY RR are assigned by 241 IETF consensus. This document assigns the 15th bit in the DNSKEY RR 242 as the Secure Entry Point (SEP) bit. [Final text pending 243 clarification of the DNSKEY flag registry] 245 7. Internationalization Considerations 247 Although SEP is a popular acronym in many different languages, there 248 are no internationalization considerations. 250 8. Acknowledgments 252 The ideas documented in this document are inspired by communications 253 we had with numerous people and ideas published by other folk. Among 254 others Mark Andrews, Rob Austein, Miek Gieben, Olafur Gudmundsson, 255 Daniel Karrenberg, Dan Massey, Scott Rose, Marcos Sanz and Sam Weiler 256 have contributed ideas and provided feedback. 258 This document saw the light during a workshop on DNSSEC operations 259 hosted by USC/ISI in August 2002. 261 Normative References 263 [1] Bradner, S., "Key words for use in RFCs to Indicate Requirement 264 Levels", BCP 14, RFC 2119, March 1997. 266 [2] Eastlake, D., "Domain Name System Security Extensions", RFC 267 2535, March 1999. 269 [3] Lewis, E., "DNS Security Extension Clarification on Zone 270 Status", RFC 3090, March 2001. 272 [4] Massey, D. and S. Rose, "Limiting the Scope of the KEY Resource 273 Record (RR)", RFC 3445, December 2002. 275 Informative References 277 [5] Gudmundsson, O., "Delegation Signer Resource Record", 278 draft-ietf-dnsext-delegation-signer-15 (work in progress), June 279 2003. 281 [6] Orwell, G. and R. Steadman (illustrator), "Animal Farm; a Fairy 282 Story", ISBN 0151002177 (50th anniversary edition), April 1996. 284 Authors' Addresses 286 Olaf M. Kolkman 287 RIPE NCC 288 Singel 256 289 Amsterdam 1016 AB 290 NL 292 Phone: +31 20 535 4444 293 EMail: olaf@ripe.net 294 URI: http://www.ripe.net/ 296 Jakob Schlyter 297 Karl Gustavsgatan 15 298 Goteborg SE-411 25 299 Sweden 301 EMail: jakob@schlyter.se 302 Edward P. Lewis 303 ARIN 304 3635 Concorde Parkway Suite 200 305 Chantilly, VA 20151 306 US 308 Phone: +1 703 227 9854 309 EMail: edlewis@arin.net 310 URI: http://www.arin.net/ 312 Intellectual Property Statement 314 The IETF takes no position regarding the validity or scope of any 315 intellectual property or other rights that might be claimed to 316 pertain to the implementation or use of the technology described in 317 this document or the extent to which any license under such rights 318 might or might not be available; neither does it represent that it 319 has made any effort to identify any such rights. Information on the 320 IETF's procedures with respect to rights in standards-track and 321 standards-related documentation can be found in BCP-11. Copies of 322 claims of rights made available for publication and any assurances of 323 licenses to be made available, or the result of an attempt made to 324 obtain a general license or permission for the use of such 325 proprietary rights by implementors or users of this specification can 326 be obtained from the IETF Secretariat. 328 The IETF invites any interested party to bring to its attention any 329 copyrights, patents or patent applications, or other proprietary 330 rights which may cover technology that may be required to practice 331 this standard. Please address the information to the IETF Executive 332 Director. 334 Full Copyright Statement 336 Copyright (C) The Internet Society (2003). All Rights Reserved. 338 This document and translations of it may be copied and furnished to 339 others, and derivative works that comment on or otherwise explain it 340 or assist in its implementation may be prepared, copied, published 341 and distributed, in whole or in part, without restriction of any 342 kind, provided that the above copyright notice and this paragraph are 343 included on all such copies and derivative works. However, this 344 document itself may not be modified in any way, such as by removing 345 the copyright notice or references to the Internet Society or other 346 Internet organizations, except as needed for the purpose of 347 developing Internet standards in which case the procedures for 348 copyrights defined in the Internet Standards process must be 349 followed, or as required to translate it into languages other than 350 English. 352 The limited permissions granted above are perpetual and will not be 353 revoked by the Internet Society or its successors or assignees. 355 This document and the information contained herein is provided on an 356 "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING 357 TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING 358 BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION 359 HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF 360 MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 362 Acknowledgment 364 Funding for the RFC Editor function is currently provided by the 365 Internet Society.