idnits 2.17.1 draft-ietf-dnsop-delegation-trust-maintainance-00.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == Line 499 has weird spacing: '... full i.e. ...' == Line 502 has weird spacing: '...augment i.e. ...' -- The document date (November 13, 2013) is 3811 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- == Outdated reference: A later version (-06) exists of draft-ietf-dnsop-dnssec-key-timing-03 Summary: 0 errors (**), 0 flaws (~~), 4 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 dnsop W. Kumari 3 Internet-Draft Google 4 Intended status: Informational O. Gudmundsson 5 Expires: May 17, 2014 Shinkuro Inc. 6 G. Barwood 8 November 13, 2013 10 Automating DNSSEC delegation trust maintenance 11 draft-ietf-dnsop-delegation-trust-maintainance-00 13 Abstract 15 This document describes a method to allow DNS operators to more 16 easily update DNSSEC Key Signing Keys using DNS as communication 17 channel. This document does not address the initial configuration of 18 trust anchors for a domain. The technique described is aimed at 19 delegations in which it is currently hard to move information from 20 the child to parent. 22 Status of This Memo 24 This Internet-Draft is submitted in full conformance with the 25 provisions of BCP 78 and BCP 79. 27 Internet-Drafts are working documents of the Internet Engineering 28 Task Force (IETF). Note that other groups may also distribute 29 working documents as Internet-Drafts. The list of current Internet- 30 Drafts is at http://datatracker.ietf.org/drafts/current/. 32 Internet-Drafts are draft documents valid for a maximum of six months 33 and may be updated, replaced, or obsoleted by other documents at any 34 time. It is inappropriate to use Internet-Drafts as reference 35 material or to cite them other than as "work in progress." 37 This Internet-Draft will expire on May 17, 2014. 39 Copyright Notice 41 Copyright (c) 2013 IETF Trust and the persons identified as the 42 document authors. All rights reserved. 44 This document is subject to BCP 78 and the IETF Trust's Legal 45 Provisions Relating to IETF Documents 46 (http://trustee.ietf.org/license-info) in effect on the date of 47 publication of this document. Please review these documents 48 carefully, as they describe your rights and restrictions with respect 49 to this document. Code Components extracted from this document must 50 include Simplified BSD License text as described in Section 4.e of 51 the Trust Legal Provisions and are provided without warranty as 52 described in the Simplified BSD License. 54 Table of Contents 56 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 57 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 58 1.2. Requirements notation . . . . . . . . . . . . . . . . . . 4 59 2. Background . . . . . . . . . . . . . . . . . . . . . . . . . 4 60 2.1. DNS delegations . . . . . . . . . . . . . . . . . . . . . 4 61 2.2. Relationship between Parent and Child DNS operator . . . 5 62 2.2.1. Solution Space . . . . . . . . . . . . . . . . . . . 6 63 2.2.2. DNSSEC key change process . . . . . . . . . . . . . . 6 64 3. CDS / CDNSKEY (Child DS/ Child DNSKEY) record definitions . . 7 65 3.1. CDS Resource Record Format . . . . . . . . . . . . . . . 7 66 3.2. CDNSKEY Resource Record Format . . . . . . . . . . . . . 7 67 4. Automating DS maintainance with CDS/CDNSKEY records . . . . . 7 68 4.1. CDS / CDNSKEY processing rules . . . . . . . . . . . . . 8 69 5. Child's CDS / CDNSKEY Publication . . . . . . . . . . . . . . 8 70 6. Parent side CDS / CDNSKEY Consumption . . . . . . . . . . . . 9 71 6.1. Detecting a changed CDS / CDNSKEY . . . . . . . . . . . . 9 72 6.1.1. CDS / CDNSKEY Polling . . . . . . . . . . . . . . . . 9 73 6.1.2. Other mechanisms . . . . . . . . . . . . . . . . . . 10 74 6.2. Using the new CDS / CDNSKEY records . . . . . . . . . . . 10 75 6.2.1. Parent calculates DS . . . . . . . . . . . . . . . . 11 76 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11 77 8. Security Considerations . . . . . . . . . . . . . . . . . . . 12 78 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 13 79 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 13 80 10.1. Normative References . . . . . . . . . . . . . . . . . . 13 81 10.2. Informative References . . . . . . . . . . . . . . . . . 13 82 Appendix A. RRR background . . . . . . . . . . . . . . . . . . . 14 83 Appendix B. Changes / Author Notes. . . . . . . . . . . . . . . 15 84 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 16 86 1. Introduction 88 When a DNS operator first signs their zone, they need to communicate 89 their DS record(s) (or DNSKEY(s)) to their parent through some out- 90 of-band method to complete the chain of trust. 92 Each time the child changes/rolls the key that is represented in the 93 parent, the new and/or deleted key information has to be communicated 94 to the parent and published there. How this information is sent to 95 the parent depends on the relationship the child has with the parent. 96 In many cases this is a manual process, and not an easy one. For 97 each key roll, there may be two interactions with the parent. Any 98 manual process is susceptible to mistakes and/or errors. In 99 addition, due to the annoyance factor of the process, operators may 100 avoid performing key rollovers or skip needed steps to publish the 101 new DS at the parent. 103 DNSSEC provides data integrity to information published in DNS; thus 104 DNS publication can be used to automate maintenance of delegation 105 information. This document describes a method to automate 106 publication of subsequent DS records, after the initial one has been 107 published. 109 Readers are expected to be familiar with DNSSEC, including [RFC4033], 110 [RFC4034], [RFC4035], [RFC5011] and [RFC6781]. 112 This document is a compilation of two earlier drafts: draft-barwood- 113 dnsop-ds-publish[I-D.ds-publish] and draft-wkumari-dnsop-ezkeyroll 115 This document outlines a technique in which the parent periodically 116 (or upon request) polls its signed children and automatically publish 117 new DS records. To a large extent, the procedures this document 118 follows are as described in [RFC6781] section 4.1.2 120 This technique is in some ways similar to RFC 5011 style rollovers, 121 but for sub-domains DS records, instead of trust anchors 123 This technique is designed to be friendly both to fully automated 124 tools and humans. Fully automated tools can perform all the actions 125 needed without human intervention, and thus can monitor when it is 126 safe to move to the next step. 128 CDS is only appropriate for transferring information about DNSSEC 129 keys (DS and DNSKEY) from the child to the parental agent. It lists 130 exactly what the parent should publish, and allows for publication of 131 stand-by keys. There is a complementary solution [I-D.csync] for 132 maintaining the other important delegation information, such as NS 133 and glue. 135 1.1. Terminology 137 There terminology we use is defined in this section 139 Highlighted roles 141 o Child: "The entity on record that has the delegation of the domain 142 from the parent" 144 o Parent: "The domain in which the child is registered" 145 o Child DNS operator: "The entity that maintains and publishes the 146 zone information for the child DNS" 148 o Parent DNS operator: "The entity that maintains and publishes the 149 zone information for the parent DNS" 151 o Parental Agent: "The entity that the child has relationship with, 152 to change its delegation information." 154 o Provisioning system: "A system that the operator of the master DNS 155 server operates to maintain the information published in the DNS. 156 This includes the systems that sign the DNS data." 158 RRR is our shorthand for Registry/Registrar/Registrant model of 159 parent child relationship see Appendix A for more. 161 1.2. Requirements notation 163 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 164 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 165 document are to be interpreted as described in [RFC2119]. 167 2. Background 169 2.1. DNS delegations 171 DNS operation consists of delegations of authority. For each 172 delegation there are (most of the time) two parties, the parent and 173 the child. 175 The parent publishes information about the delegations to the child; 176 for the name-servers it publishes an NS RRset that lists a hint for 177 name-servers that are authoritative for the child. The child also 178 publishes a NS RRset, and this set is the authoritative list of name- 179 servers to the child zone. 181 The second RRset the parent sometimes publishes is the DS set. The 182 DS RRset provides information about the key(s) that the child has 183 told the parent it will use to sign its DNSKEY RRset. In DNSSEC 184 trust relationship between zones is provided by the following chain: 186 parent DNSKEY --> DS --> child DNSKEY. 188 A prior proposal [I-D.auto-cpsync] suggested that the child send an 189 "update" to the parent via a mechanism similar to Dynamic Update. 190 The main issue became: How does the child find the actual parental 191 agent/server to send the update to? While that could have been 192 solved via technical means, the proposal died. 194 As the DS record can only be present at the parent RFC4034 [RFC4034], 195 some other record/method is needed to automate the expression of what 196 the parental zone DS records contents ought to be. One possibility 197 is to use flags in the DNSKEY record. If the SEP bit is set, this 198 indicates that the DNSKEY is intended for use as a secure entry 199 point. This DNSKEY signs the DNSKEY RRset, and the Parental Agent 200 can calculate DS records based on that. But this fails to meet some 201 operating needs, including the child having no influence what DS 202 digest algorithms are used and DS records can only be published for 203 keys that are in the DNSKEY RRset. 205 2.2. Relationship between Parent and Child DNS operator 207 In the real world, there are many different relationships between the 208 parent and child DNS operators. The type of relationship affects how 209 the child operator communicates with the parent. This section will 210 highlight some of the different situations, but is by no means a 211 complete list. 213 Different communication paths: 215 o Direct/API: The child can change the delegation information via 216 automated/scripted means EPP[RFC5730] used by many TLDs is an 217 example of this. Another example is the web service's 218 programmatic interfaces that Registrars make available to their 219 Reseller's. 221 o User Interface: The Child uses a (web) site set up by the Parental 222 Agent for updating delegation information. 224 o Indirect: The communication has to be transmitted via out-of-band 225 between two parties, such as email, telephone etc.. This is common 226 when the Child's DNS operator is neither the child itself nor the 227 Registrar for the domain but a third party. 229 o Multi-step Combinations: The information flows through an 230 intermediary. It is possible, but unlikely, that all the steps 231 are automated via API's and there are no humans are involved. 233 A domain name holder (Child) may operate its own DNS servers or 234 outsource the operation. While we use the word parent as a singular, 235 parent can consist of single entity or a composite of many discrete 236 parts that have rules and roles. We refer to the entity that the 237 child corresponds with as the Parent. 239 Another common case is the enterprise case in which an organization 240 may delegate parts of its name-space to be operated by a group that 241 is not the same as that which operates the enterprise's DNS servers. 243 In this case the flow of information is frequently handled in either 244 an ad hoc manner or via some corporate mechanism; this can range from 245 email to fully-automated operation. The word enterprise above covers 246 all organizations where the domains are not sold on the open market 247 and there is some relationship between the entities. 249 2.2.1. Solution Space 251 This document is aimed at the cases in which there is an 252 organizational separation of the child and parent. 254 A further complication is when the Child DNS Operation is not the 255 Child. There are two common cases of this, 257 a) The Parental Agent (e.g. registrar) handles the DNS operation 259 b) A third party takes care of the DNS operation. 261 If the Parental Agent is the DNS operator, life is much easier, as 262 the Parental Agent can inject any delegation changes directly into 263 the Parents Provisioning system. The techniques described below are 264 not needed in the case when Parental Agent is the DNS operator. 266 In the case of a third party DNS operator, the Child either needs to 267 relay changes in DNS delegation or give the Child Operator access to 268 its delegation/registration account. 270 Some parents want the child to express the changes in trust anchors 271 via DS records, while others want to receive DNSKEY records and 272 calculate the DS records themselves. There is no consensus on which 273 method is better; both have good reasons to exist. The proposal 274 below can operate with both models, but the child needs to be aware 275 of the parental policies. 277 2.2.2. DNSSEC key change process 279 After a Child DNS operator first signs the zone, there is a need to 280 interact with the Parent, for example via the delegation account 281 interface, to "upload / paste-in the zone's DS information". The 282 action of logging in through the delegation account user interface 283 authenticates that the user is authorized to change delegation 284 information published in the parent zone. In the case where the 285 "Child DNS Operator" does not have access to the registration 286 account, the Child needs to perform the action. 288 At a later date, the Child Operator may want to publish a new DS 289 record in the parent, either because they are rolling keys, or 290 because they want to publish a stand-by key. This involves 291 performing the same process as before. Furthermore when this is a 292 manual process with cut and paste; operational mistakes will happen. 293 Or worse the update action in not performed at all. 295 3. CDS / CDNSKEY (Child DS/ Child DNSKEY) record definitions 297 This document specifies two new DNS RRtypes (CDS and CDNSKEY) that 298 indicates what the Child wants to be in the parents DS RRset. It 299 allows the Child to present DS records and / or DNSKEY records (for 300 those parents who would rather generate the DS records for their 301 children). 303 The CDS / CDNSKEY record is published in the child zone and gives the 304 child control of what is published for it in the parental zone. The 305 CDS / CDNSKEY RRset expresses what the child would like the DS RRset 306 to look like after the change; it is a "replace" operation, and it is 307 up to the consumer of the records to translate that into the 308 appropriate add/delete operations in the registration systems (and in 309 the case of CDNSKEY, to generate the DS from the DNSKEY). 311 [RFC Editor: Please remove this paragraph before publication] Version 312 -04 of this document defined a new record (CTA) that could hold 313 either a DS or a DNSKEY record (with a selector to differentiate 314 between them). ] 316 3.1. CDS Resource Record Format 318 The wire and presentation format of the CDS ("Child DS") record is 319 identical to the DS record [RFC4034]. IANA has allocated RR code 59 320 for the CDS record via expert review [I-D.ds-publish]. 322 No special processing is performed by authoritative servers or by 323 revolvers, when serving or resolving. For all practical purposes CDS 324 is a regular RR type. 326 3.2. CDNSKEY Resource Record Format 328 The wire and presentation format of the CDNSKEY ("Child DNSKEY") 329 record is identical to the DNSKEY record. 331 No special processing is performed by authoritative servers or by 332 revolvers, when serving or resolving. For all practical purposes 333 CDNSKEY is a regular RR type. 335 4. Automating DS maintainance with CDS/CDNSKEY records 337 CDS/CDNSKEY records are intended to be "consumed" by delegation trust 338 maintainers. The use of CDS/CDNSKEY is optional. 340 Some parents prefer to accept DNSSEC key information in DS format, 341 some parents prefer to accept it in DNSKEY format, and calculate the 342 DS record on the child's behalf. Each method has pros and cons, both 343 technical and policy. This solution is DS vs DNSKEY agnostic, and 344 allows operation with either. 346 If the child knows what the parent prefers, they can publish the 347 parent's preferred record type. If the child does not know (or 348 simply chooses to), they can publish both CDS and CDNSKEY. If the 349 child publishes both, they SHOULD have matching CDS records for each 350 CDNSKEY record. The parent should use whichever one they choose, but 351 SHOULD NOT query for both and perform consistency checks between the 352 CDS and CDNSKEY records. 354 [Editor note: It is not an error for a child to have published CDS 355 records and not have CDNSKEYs that hash to those records, nor for 356 there to be CDNSKEY records without matching DS records. This is 357 because a child might have been publishing CDS records and then the 358 parent's policy changes to require CDNSKEY records. The child might 359 forget to remove the CDS, etc. This avoids all sorts of error 360 conditions / complexity, etc.] 362 4.1. CDS / CDNSKEY processing rules 364 Absence of CDS / CDNSKEY in child signals "No change" to the current 365 DS set. Following acceptance rules are placed on the CDS / CDNSKEY 366 records as follows: 368 o Location: "the CDS / CDNSKEY record MUST be at the child zone 369 apex". 371 o Signer: "MUST be signed with a key that is represented in both the 372 current DNSKEY and DS RRset's." 374 o Continuity: "SHOULD NOT break the current delegation if applied to 375 DS RRset" 377 If any these conditions fail the CDS / CDNSKEY record MUST be 378 ignored. 380 5. Child's CDS / CDNSKEY Publication 381 Child DNS Operator SHOULD only publish a CDS or CDNSKEY RRset when it 382 wants to make a change to the DS RRset in the Parent. The CDS / 383 CDNSKEY RRset SHOULD be compliant with the rules in Section 4.1. 384 When the Parent DS is "in-sync" with the CDS, the Child DNS Operator 385 SHOULD/MUST delete the CDS RRset. Note that if the child has 386 published a DNSKEY RR in the CDS, it will have to calculate the DS 387 (using the requested digest algorithm) to do the comparison. 389 A child MAY publish both CDS and CDNSKEY. If a child chooses to 390 publish both, it SHOULD attempt to maintain consistency (a matching 391 CDS for each CDNSKEY) 393 6. Parent side CDS / CDNSKEY Consumption 395 The CDS / CDNSKEY RRset MAY be used by the Parental Agent to update 396 the DS RRset in the parent zone. The Parental Agent for this uses a 397 tool that understands the CDS / CDNSKEY signing rules from 398 Section 4.1 so it may not be able to use a standard validator. 399 Parent SHOULD treat the Continuity rule as "MUST". 401 The parent MUST choose to accept either CDS or CDNSKEY records, and 402 MUST NOT expect there to be both. A parent SHOULD NOT perform a 403 consistency check between CDS and CDNSKEY (other than for 404 informational / debugging use). 406 6.1. Detecting a changed CDS / CDNSKEY 408 How the Parental Agent gets the CDS / CDNSKEY record may differ, 409 below are two examples as how this can take place. 411 Polling The Parental Agent operates a tool that periodically checks 412 each of the children that has a DS record to see if there is a 413 CDS or CDNSKEY record. 415 Pushing The delegation user interface has a button {Fetch DS} when 416 pushed preforms the CDS / CDNSKEY processing. If the Parent 417 zone does not contain DS for this delegation then the "push" 418 MUST be ignored. 420 In either case the Parental Agent MAY apply additional rules that 421 defer the acceptance of a CDS / CDNSKEY change, these rules may 422 include a condition that the CDS / CDNSKEY remains in place and valid 423 for some time period before it is accepted. It may be appropriate in 424 the "Pushing" case to assume that the Child is ready and thus accept 425 changes without delay. 427 6.1.1. CDS / CDNSKEY Polling 428 This is the only defined use of CDS / CDNSKEY in this document. 429 There are limits to the saleability of polling techniques, thus some 430 other mechanism is likely to be specified later that addresses CDS / 431 CDNSKEY usage in the situation where polling does not scale to. 432 Having said that Polling will work in many important cases like 433 enterprises, universities, small TLDs etc. In many regulatory 434 environments the registry is prohibited from talking to the 435 registrant. In most these cases the registrant has a business 436 relationship with the registrar, and so the registrar can offer this 437 as a service. 439 If the CDS / CDNSKEY RRset does not exist, the Parental Agent MUST 440 take no action. Specifically it MUST NOT delete or alter the 441 existing DS RRset. 443 6.1.2. Other mechanisms 445 It is assume that other mechanisms will be implemented to trigger the 446 parent to look for an updated CDS. As the CDS RR is validated with 447 DNSSEC, these mechanisms can be unauthenticated (for example, a child 448 could call his parent and request the CDS action be performed, an 449 unauthenticated POST could be made to a webserver (with rate- 450 limiting), etc.) 452 Other documents can specify the trigger conditions. 454 6.2. Using the new CDS / CDNSKEY records 456 Regardless of how the Parental Agent detected changes to a CDS / 457 CDNSKEY RR, the Parental Agent MUST use a DNSSEC validator to obtain 458 a validated CDS / CDNSKEY RRset from the Child zone. It would be a 459 good idea if the Parental Agent checked all NS RRs listed at the 460 delegation. However, due to the use of technologies such as load 461 balancing and anycast, this should not be taken as proof that the new 462 CDS / CDNSKEY is present on all nodes serving the Child zone. 464 The Parental Agent MUST ensure that old versions of the CDS / CDNSKEY 465 RRset do not overwrite newer versions. This MAY be accomplished by 466 checking that the signature inception in the RRSIG for CDS / CDNSKEY 467 is newer and/or the serial number on the child's SOA is greater. 468 This may require the Parental Agent to maintain some state 469 information. 471 The Parental Agent MAY take extra security measures. For example, to 472 mitigate the possibility that a Child's key signing key has been 473 compromised, the Parental Agent may, for example, inform (by email or 474 other methods ) the Child DNS operator of the change. However the 475 precise out-of-band measures that a parent zone SHOULD take are 476 outside the scope of this document. 478 Once the Parental Agent has obtained a valid CDS / CDNSKEY it MAY 479 double check the publication rules from section 4.1. In particular 480 the Parental Agent MUST double check the Continuity rule and do its 481 best not to invalidate the Child zone. Once checked and if the CDS / 482 CDNSKEY and DS "differ" it may apply the changes to the parent zone. 483 If the parent consumes CDNSKEY, the parent should calculate the DS 484 before doing this comparison. 486 6.2.1. Parent calculates DS 488 There are cases where the Parent wants to calculate the DS record due 489 to policy reasons. In this case, the Child publishes CDNSKEY records 490 containing DNSKEYs. 492 The parent calculates the DS records on behalf of the children. The 493 DNS Parent needs to publish guidelines for the children as to what 494 digest algorithms are acceptable in the CDS record. 496 When a Parent operates in "calculate DS" mode it can operate in one 497 of two sub-modes 499 full i.e. it only publishes DS records it calculates from DNSKEY 500 records, 502 augment i.e. it will make sure there are DS records for the digest 503 algorithm(s) it requires(s). 505 Implications on Parental Agent are that the CDNSKEY and DS are not 506 exactly the same after update thus it needs to take that into 507 consideration when checking CDNSKEY records. Same goes for the Child 508 Operator, it needs to be able to detect that the new DS RRset is 509 "equivalent" to the current CDNSKEY RRset, thus it can remove the 510 CDNSKEY RRset. 512 7. IANA Considerations 514 IANA has assigned RR Type code 59 for CDS. This was done for an 515 earlier version of this document[I-D.ds-publish] This document is to 516 become the reference for CDS RRtype. 518 IANA is requested to assign another RR Type for the CDNSKEY. 520 8. Security Considerations 522 [ This needs more work, suggestions welcome.] 524 This work is for the normal case, when things go wrong there is only 525 so much that automation can fix. 527 If child breaks DNSSEC validation by removing all the DNSKEYs that 528 are represented in the DS set its only repair actions are to contact 529 the parent or restore the DNSKEYs in the DS set. 531 In the event of a compromise of the server or system generating 532 signatures for a zone, an attacker might be able to generate and 533 publish new CDS records. The modified CDS records will be picked up 534 by this technique and so may allow the attacker to extend the 535 effective time of his attack. If there a delay in accepting changes 536 to DS, as in RFC5011, then the attacker needs to hope his activity is 537 not detected before the DS in parent is changed. If this type of 538 change takes place, the child need to contact the parent (possibly 539 via a registrar web interface) and remove any compromised DS keys. 541 A compromise of the account with the parent (e.g. registrar) will not 542 be mitigated by this technique, as the "new registrant" can delete/ 543 modify the DS records at will. 545 While it may be tempting, this SHOULD NOT be used for initial 546 enrollment of keys since there is no way to ensure that the initial 547 key is the correct one. If is used, strict rules for inclusion of 548 keys like hold down times, challenge data inclusion etc., ought to be 549 used, along with some kind of challenge mechanism. 551 The CDS RR type should allow for enhanced security by simplifying 552 process. Since rollover is automated, updating a DS RRset by other 553 means may be regarded as unusual and subject to extra security 554 checks. 556 If there is a failure in applying changes in child zone to all DNS 557 servers listed in either parent or child NS set it is possible that 558 the Parental agent may get confused either not perform action because 559 it gets different answers on different checks or CDS validation 560 fails. In the worst case Parental Agent performs an action reversing 561 a prior action but after the child signing system decides to take the 562 next step in rollover, resulting in a broken delegation. 564 DNS is a loosely coherent distributed database with local caching; 565 therefore it is important to allow old information to expire from 566 caches before deleting DS or DNSKEY records. Similarly, it is 567 important to allow new records to propagate through the DNS before 568 use, see [RFC6781] and [I-D.key-time] 570 9. Acknowledgements 572 We would like to thank a large number of folk, including: Wes 573 Hardaker, Mark Andrews, Joe Abley, Jaap Akkerhuis, Roy Arends, Doug 574 Barton, Brian Dickinson, Paul Ebersman, Tony Finch, Patrik Faltsrom, 575 Jim Galvin, Olaf Kolkman, Cricket Liu, Stephan Lagerholm, Matt 576 Larson, Marco Sanz, Antoin Verschuren, Suzanne Woolf, Paul Wouters, 577 Matthijs Meeking, John Dickinson, Timothe Litt and Edward Lewis. 579 There were a number of other folk with whom we discussed this, 580 apologies for not remembering everyone. 582 10. References 584 10.1. Normative References 586 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 587 Requirement Levels", BCP 14, RFC 2119, March 1997. 589 [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. 590 Rose, "DNS Security Introduction and Requirements", RFC 591 4033, March 2005. 593 [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. 594 Rose, "Resource Records for the DNS Security Extensions", 595 RFC 4034, March 2005. 597 [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S. 598 Rose, "Protocol Modifications for the DNS Security 599 Extensions", RFC 4035, March 2005. 601 [RFC5011] StJohns, M., "Automated Updates of DNS Security (DNSSEC) 602 Trust Anchors", STD 74, RFC 5011, September 2007. 604 [RFC6781] Kolkman, O., Mekking, W., and R. Gieben, "DNSSEC 605 Operational Practices, Version 2", RFC 6781, December 606 2012. 608 10.2. Informative References 610 [I-D.auto-cpsync] 611 Mekking, W., "Automated (DNSSEC) Child Parent 612 Synchronization using DNS UPDATE", draft-mekking-dnsop- 613 auto-cpsync-01 (work in progress), December 2010. 615 [I-D.csync] 616 Hardaker, W., "Child To Parent Synchronization in DNS", 617 draft-hardaker-dnsop-csync-02 (work in progress), July 618 2013. 620 [I-D.ds-publish] 621 Barwood, G., "DNS Transport", draft-barwood-dnsop-ds- 622 publish-02 (work in progress), June 2011. 624 [I-D.key-time] 625 Mekking, W., "DNSSEC Key Timing Considerations", draft- 626 ietf-dnsop-dnssec-key-timing-03 (work in progress), July 627 2012. 629 [RFC5730] Hollenbeck, S., "Extensible Provisioning Protocol (EPP)", 630 STD 69, RFC 5730, August 2009. 632 [RFC5910] Gould, J. and S. Hollenbeck, "Domain Name System (DNS) 633 Security Extensions Mapping for the Extensible 634 Provisioning Protocol (EPP)", RFC 5910, May 2010. 636 Appendix A. RRR background 638 In the RRR world, the different parties are frequently from different 639 organizations. In the single enterprise world there are also 640 organizational/geographical/cultural separations that affect how 641 information flows from a Child to the parent. 643 Due to the complexity of the different roles and interconnections, 644 automation of delegation information has been punted in the past. 645 There have been some proposals to automate this, in order to improve 646 the reliability of the DNS. These proposals have not gained enough 647 traction to become standards. 649 For example in many of the TLD cases there is the RRR model 650 (Registry, Registrar and Registrant). The Registry operates DNS for 651 the TLD, the Registrars accept registrations and place information 652 into the Registries database. The Registrant only communicates with 653 the Registrar; frequently the Registry is not allowed to communicate 654 with the Registrant. In that case as far as the registrant is 655 concerned the Registrar == Parent. 657 In many RRR cases the Registrar and Registry communicate via 658 EPP[RFC5730] and use the EPP DNSSEC extension [RFC5910]. In a number 659 of ccTLDs there are other mechanisms in use as well as EPP, but in 660 general there seems to be a movement towards EPP usage when DNSSEC is 661 enabled in the TLD. 663 Appendix B. Changes / Author Notes. 665 [RFC Editor: Please remove this section before publication ] 667 From -05 to WG-00: 669 o Nothing useful. 671 From 04 to 05 673 o Renamed the record back to CDS. 675 From 03 to 04. 677 o Added text explaining that CDS and CSYNC complement each other, 678 not replace or compete. 680 o Changed format of record to be to allow the 681 publication of DS **or** DNSKEY. 683 o Bunch of text changed to cover the above. 685 o Added a bit more text on the polling scaling stuff, expecation 686 that other triggers will be documented, 688 From 02 to 03 690 o Applied comments by Matthijs Mekking 692 o Incorporated suggestions from Edward Lewis about structure 694 o Reworked structure to be easier for implementors to follow 696 o Applied many suggestions from a wonderful thorough review by John 697 Dickinson 699 o Removed the going Unsigned option 701 From 01 to 02 703 o Major restructuring to facilitate easier discussion 704 o Lots of comments from DNSOP mailing list incorporated, including 705 making draft DNSKEY/DS neutral, explain different relationships 706 that exists, 708 o added more people to acks. 710 o added description of enterprise situations 712 o Unified on using Parental Agent over Parental Representative 714 o Removed redundant text when possible 716 o Added text to explain what can go wrong if not all child DNS 717 servers are in sync. 719 o Reference prior work by Matthijs Mekking 721 o Added text when parent calculates DS from DNSKEY 723 From - to -1. 725 o Removed from section .1: "If a child zone has gone unsigned, i.e. 726 no DNSKEY and no RRSIG in the zone, the parental representative 727 MAY treat that as intent to go unsigned. (NEEDS DISCUSSION)." 728 Added new text at end. -- suggestion by Scott Rose 20/Feb/13. 730 o Added some background on the different DNS Delegation operating 731 situations and how they affect interaction of parties. This moved 732 some blocks of text from later sections into here. 734 o Number of textual improvements from Stephan Lagerholm 736 o Added motivation why CDS is needed in CDS definition section 738 o Unified terminology in the document. 740 o Much more background 742 Authors' Addresses 744 Warren Kumari 745 Google 746 1600 Amphitheatre Parkway 747 Mountain View, CA 94043 748 US 750 Email: warren@kumari.net 751 Olafur Gudmundsson 752 Shinkuro Inc. 753 4922 Fairmont Av, Suite 250 754 Bethesda, MD 20814 755 USA 757 Email: ogud@ogud.com 759 George Barwood 760 33 Sandpiper Close 761 Gloucester GL2 4LZ 762 United Kingdom 764 Email: george.barwood@blueyonder.co.uk