idnits 2.17.1 draft-ietf-dnsop-delegation-trust-maintainance-14.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (June 10, 2014) is 3607 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- No issues found here. Summary: 0 errors (**), 0 flaws (~~), 1 warning (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 dnsop W. Kumari 3 Internet-Draft Google 4 Intended status: Informational O. Gudmundsson 5 Expires: December 12, 2014 Shinkuro Inc. 6 G. Barwood 8 June 10, 2014 10 Automating DNSSEC Delegation Trust Maintenance 11 draft-ietf-dnsop-delegation-trust-maintainance-14 13 Abstract 15 This document describes a method to allow DNS operators to more 16 easily update DNSSEC Key Signing Keys using the DNS as communication 17 channel. The technique described is aimed at delegations in which it 18 is currently hard to move information from the child to parent. 20 Status of This Memo 22 This Internet-Draft is submitted in full conformance with the 23 provisions of BCP 78 and BCP 79. 25 Internet-Drafts are working documents of the Internet Engineering 26 Task Force (IETF). Note that other groups may also distribute 27 working documents as Internet-Drafts. The list of current Internet- 28 Drafts is at http://datatracker.ietf.org/drafts/current/. 30 Internet-Drafts are draft documents valid for a maximum of six months 31 and may be updated, replaced, or obsoleted by other documents at any 32 time. It is inappropriate to use Internet-Drafts as reference 33 material or to cite them other than as "work in progress." 35 This Internet-Draft will expire on December 12, 2014. 37 Copyright Notice 39 Copyright (c) 2014 IETF Trust and the persons identified as the 40 document authors. All rights reserved. 42 This document is subject to BCP 78 and the IETF Trust's Legal 43 Provisions Relating to IETF Documents 44 (http://trustee.ietf.org/license-info) in effect on the date of 45 publication of this document. Please review these documents 46 carefully, as they describe your rights and restrictions with respect 47 to this document. Code Components extracted from this document must 48 include Simplified BSD License text as described in Section 4.e of 49 the Trust Legal Provisions and are provided without warranty as 50 described in the Simplified BSD License. 52 Table of Contents 54 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 55 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4 56 1.2. Requirements Notation . . . . . . . . . . . . . . . . . . 4 57 2. Background . . . . . . . . . . . . . . . . . . . . . . . . . 4 58 2.1. DNS Delegations . . . . . . . . . . . . . . . . . . . . . 4 59 2.2. Relationship Between Parent and Child DNS Operator . . . 5 60 2.2.1. Solution Space . . . . . . . . . . . . . . . . . . . 6 61 2.2.2. DNSSEC key change process . . . . . . . . . . . . . . 6 62 3. CDS / CDNSKEY (Child DS / Child DNSKEY) Record Definitions . 7 63 3.1. CDS Resource Record Format . . . . . . . . . . . . . . . 8 64 3.2. CDNSKEY Resource Record Format . . . . . . . . . . . . . 8 65 4. Automating DS Maintenance With CDS / CDNSKEY records . . . . 8 66 4.1. CDS / CDNSKEY Processing Rules . . . . . . . . . . . . . 8 67 5. CDS / CDNSKEY Publication . . . . . . . . . . . . . . . . . . 9 68 6. Parent Side CDS / CDNSKEY Consumption . . . . . . . . . . . . 9 69 6.1. Detecting a Changed CDS / CDNSKEY . . . . . . . . . . . . 9 70 6.1.1. CDS / CDNSKEY Polling . . . . . . . . . . . . . . . . 10 71 6.1.2. Polling Triggers . . . . . . . . . . . . . . . . . . 10 72 6.2. Using the New CDS / CDNSKEY Records . . . . . . . . . . . 11 73 6.2.1. Parent Calculates DS . . . . . . . . . . . . . . . . 11 74 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12 75 8. Privacy Considerations . . . . . . . . . . . . . . . . . . . 12 76 9. Security Considerations . . . . . . . . . . . . . . . . . . . 12 77 10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 14 78 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 14 79 11.1. Normative References . . . . . . . . . . . . . . . . . . 14 80 11.2. Informative References . . . . . . . . . . . . . . . . . 15 81 Appendix A. RRR background . . . . . . . . . . . . . . . . . . . 15 82 Appendix B. CDS key rollover example . . . . . . . . . . . . . . 16 83 Appendix C. Changes / Author Notes. . . . . . . . . . . . . . . 17 84 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 21 86 1. Introduction 88 The first time a DNS operator signs a zone, they need to communicate 89 the keying material to their parent through some out-of-band method 90 to complete the chain of trust. Depending on the desires of the 91 parent, the child might send their DNSKEY record, a DS record, or 92 both. 94 Each time the child changes the key that is represented in the 95 parent, the updated and / or deleted key information has to be 96 communicated to the parent and published in the parent's zone. How 97 this information is sent to the parent depends on the relationship 98 the child has with the parent. In many cases this is a manual 99 process, and not an easy one. For each key change, there may be up 100 to two interactions with the parent. Any manual process is 101 susceptible to mistakes and / or errors. In addition, due to the 102 annoyance factor of the process, operators may avoid changing keys or 103 skip needed steps to publish the new DS at the parent. 105 DNSSEC provides data integrity to information published in DNS; thus 106 DNS publication can be used to automate maintenance of delegation 107 information. This document describes a method to automate 108 publication of subsequent DS records, after the initial one has been 109 published. 111 Readers are expected to be familiar with DNSSEC, including [RFC4033], 112 [RFC4034], [RFC4035], [RFC5011] and [RFC6781]. 114 This document outlines a technique in which the parent periodically 115 (or upon request) polls its signed children and automatically 116 publishes new DS records. To a large extent, the procedures this 117 document follows are as described in [RFC6781] section 4.1.2. 119 This technique is designed to be friendly both to fully automated 120 tools and humans. Fully automated tools can perform all the actions 121 needed without human intervention, and thus can monitor when it is 122 safe to move to the next step. 124 The solution described in this document only allows transferring 125 information about DNSSEC keys (DS and DNSKEY) from the child to the 126 parental agent. It lists exactly what the parent should publish, and 127 allows for publication of stand-by keys. A different protocol, 128 [I-D.csync], can be used to maintain other important delegation 129 information, such as NS and glue. These two protocols have been kept 130 as separate solutions because the problems are fundamentally 131 different, and a combined solution is overly complex. 133 This document describes a method for automating maintenance of the 134 delegation trust information, and proposes a polled / periodic 135 trigger for simplicity. Some users may prefer a different trigger, 136 for example a button on a webpage, a REST interface or a DNS NOTIFY. 137 These alternate / additional triggers are not discussed in this 138 document. 140 This proposal does not include all operations needed for the 141 maintenance of DNSSEC key material, specifically the initial 142 introduction or complete removal of all keys. Because of this, 143 alternate communications mechanisms must always exist, potentially 144 introducing more complexity. 146 1.1. Terminology 148 The terminology we use is defined in this section. 150 Highlighted roles: 152 o Child: "The entity on record that has the delegation of the domain 153 from the parent" 155 o Parent: "The domain in which the child is registered" 157 o Child DNS Operator: "The entity that maintains and publishes the 158 zone information for the child DNS" 160 o Parental Agent: "The entity that the child has relationship with, 161 to change its delegation information" 163 o Provisioning system: "A system that the operator of the master DNS 164 server operates to maintain the information published in the DNS. 165 This includes the systems that sign the DNS data" 167 1.2. Requirements Notation 169 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 170 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 171 "OPTIONAL" in this document are to be interpreted as described in 172 [RFC2119]. 174 2. Background 176 2.1. DNS Delegations 178 DNS operation consists of delegations of authority. For each 179 delegation there are (most of the time) two parties: the parent and 180 the child. 182 The parent publishes information about the delegations to the child; 183 for the name servers it publishes an NS [RFC1035] RRset that lists a 184 hint for name servers that are authoritative for the child. The 185 child also publishes a NS RRset, and this set is the authoritative 186 list of name servers to the child zone. 188 The second RRset the parent sometimes publishes is the DS [RFC4034] 189 set. The DS RRset provides information about the DNSKEY(s) that the 190 child has told the parent it will use to sign its DNSKEY RRset. In 191 DNSSEC trust relationship between zones is provided by the following 192 chain: 194 parent DNSKEY --> DS --> child DNSKEY. 196 A prior proposal [I-D.auto-cpsync] suggested that the child send an 197 "update" to the parent via a mechanism similar to Dynamic Update. 198 The main issue became: How does the child find the actual parental 199 agent/server to send the update to? While that could have been 200 solved via technical means, it failed to reach consensus. There is 201 also a similar proposal in [I-D.parent-zones]. 203 As the DS record can only be present at the parent ( [RFC4034]), some 204 other method is needed to automate which DNSKEYs are picked to be 205 represented in the parent zone's DS records. One possibility is to 206 use flags in the DNSKEY record. If the SEP bit is set, this 207 indicates that the DNSKEY is intended for use as a secure entry 208 point. This DNSKEY signs the DNSKEY RRset, and the Parental Agent 209 can calculate DS records based on that. But this fails to meet some 210 operating needs, including the child having no influence what DS 211 digest algorithms are used and DS records can only be published for 212 keys that are in the DNSKEY RRset, and thus this technique would not 213 be compatible with Double-DS ( [RFC6781] ) key rollover. 215 2.2. Relationship Between Parent and Child DNS Operator 217 In practical application, there are many different relationships 218 between the parent and Child DNS Operators. The type of relationship 219 affects how the Child DNS Operator communicates with the parent. 220 This section will highlight some of the different situations, but is 221 by no means a complete list. 223 Different communication paths: 225 o Direct/API: The child can change the delegation information via 226 automated/scripted means. EPP[RFC5730], used by many TLDs is an 227 example of this. Other examples are web-based programmatic 228 interfaces that Registrars make available to their Resellers. 230 o User Interface: The Child uses a (web) site set up by the Parental 231 Agent for updating delegation information. 233 o Indirect: The communication has to be transmitted via out-of-band 234 between two parties, such as by email or telephone. This is 235 common when the Child's DNS operator is neither the child itself 236 nor the Registrar for the domain but a third party. 238 o Multi-step Combinations: The information flows through an 239 intermediary. It is possible, but unlikely, that all the steps 240 are automated via API's and there are no humans involved. 242 A domain name holder (Child) may operate its own DNS servers or 243 outsource the operation. While we use the word parent as a singular, 244 parent can consist of single entity or a composite of many discrete 245 parts that have rules and roles. We refer to the entity that the 246 child corresponds with as the Parent. 248 An organization (such as an enterprise) may delegate parts of its 249 name-space to be operated by a group that is not the same as that 250 which operates the organization's DNS servers. In some of these 251 cases the flow of information is handled in either an ad hoc manner 252 or via some corporate mechanism; this can range from email to fully- 253 automated operation. 255 2.2.1. Solution Space 257 This document is aimed at the cases in which there is a separation 258 between the child and parent. 260 A further complication is when the Child DNS Operator is not the 261 Child. There are two common cases of this: 263 a) The Parental Agent (e.g. registrar) handles the DNS operation. 265 b) A third party takes care of the DNS operation. 267 If the Parental Agent is the DNS operator, life is much easier; the 268 Parental Agent can inject any delegation changes directly into the 269 Parent's Provisioning system. The techniques described below are not 270 needed in the case when Parental Agent is the DNS operator. 272 In the case of a third party DNS operator, the Child either needs to 273 relay changes in DNS delegation or give the Child DNS Operator access 274 to its delegation/registration account. 276 Some parents want the child to express their DNSKEYs in the form of 277 DS records, while others want to receive the DNSKEY records and 278 calculate the DS records themselves. There is no consensus on which 279 method is better; both have good reasons to exist. This solution is 280 DS vs DNSKEY agnostic, and allows operation with either. 282 2.2.2. DNSSEC key change process 284 After a Child DNS Operator first signs the zone, there is a need to 285 interact with the Parent, for example via a delegation account 286 interface, to "upload / paste-in the zone's DS information". This 287 action of logging in through the delegation account user interface 288 authenticates that the user is authorized to change delegation 289 information for the child published in the parent zone. In the case 290 where the Child DNS Operator does not have access to the registration 291 account, the Child needs to perform the action. 293 At a later date, the Child DNS Operator may want to publish a new DS 294 record in the parent, either because they are changing keys, or 295 because they want to publish a stand-by key. This involves 296 performing the same process as before. Furthermore when this is a 297 manual process with cut and paste, operational mistakes will happen 298 -- or worse, the update action is not performed at all. 300 The Child DNS Operator may also introduce new keys, and can do so 301 when old keys exist and can be used. The Child may also remove old 302 keys, but this document does not support removing all keys. This is 303 to avoid making signed zones unsigned. The Child may not enroll the 304 initial key or introduce a new key when there are no old keys that 305 can be used (without some additional, out of band, validation of the 306 keys), because there is no way to validate the information. 308 3. CDS / CDNSKEY (Child DS / Child DNSKEY) Record Definitions 310 This document specifies two new DNS resource records, CDS and 311 CDNSKEY. These records are used to convey, from one zone to its 312 parent, the desired contents of the zone's DS resource record set 313 residing in the parent zone. 315 The CDS / CDNSKEY resource records are published in the child zone 316 and gives the child control of what is published for it in the 317 parental zone. The child can publish these manually, or they can be 318 automatically maintained by DNS provisioning tools. The CDS / 319 CDNSKEY RRset expresses what the child would like the DS RRset to 320 look like after the change; it is a "replace" operation, and it is up 321 to the software that consumes the records to translate that into the 322 appropriate add/delete operations in the provisioning systems (and in 323 the case of CDNSKEY, to generate the DS from the DNSKEY). If no CDS 324 / CDNSKEY RRset is present in child, this means that no change is 325 needed. 327 [[RFC Editor: Please remove this paragraph before publication] 328 Version -04 of the ID that became this working group document 329 (http://tools.ietf.org/id/draft-kumari-ogud-dnsop-cds-04.txt) defined 330 a new record (CTA) that could hold either a DS or a DNSKEY record 331 (with a selector to differentiate between them). In a shocking 332 development, there was almost full consensus that this was horrid :-) 333 ] 335 3.1. CDS Resource Record Format 337 The wire and presentation format of the CDS ("Child DS") resource 338 record is identical to the DS record [RFC4034]. IANA has allocated 339 RR code 59 for the CDS resource record via expert review 340 [I-D.ds-publish]. The CDS RR uses the same registries as DS for its 341 fields. 343 No special processing is performed by authoritative servers or by 344 resolvers, when serving or resolving. For all practical purposes CDS 345 is a regular RR type. 347 3.2. CDNSKEY Resource Record Format 349 The wire and presentation format of the CDNSKEY ("Child DNSKEY") 350 resource record is identical to the DNSKEY record. IANA has 351 allocated RR code TBA1 for the CDNSKEY resource record via expert 352 review. The CDNSKEY RR uses the same registries as DNSKEY for its 353 fields. 355 No special processing is performed by authoritative servers or by 356 resolvers, when serving or resolving. For all practical purposes 357 CDNSKEY is a regular RR type. 359 4. Automating DS Maintenance With CDS / CDNSKEY records 361 CDS / CDNSKEY resource records are intended to be "consumed" by 362 delegation trust maintainers. The use of CDS / CDNSKEY is OPTIONAL. 364 If the child publishes either the CDS or the CDNSKEY resource record, 365 it SHOULD publish both. If the child knows which the parent 366 consumes, it MAY choose to only publish that record type (for 367 example, some children wish the parent to publish a DS, but they wish 368 to keep the DNSKEY "hidden" until needed). If the child publishes 369 both, the two RRsets MUST match in content. 371 4.1. CDS / CDNSKEY Processing Rules 373 If there are no CDS / CDNSKEY RRset in the child, this signals that 374 no change should be made to the current DS set. This means that, 375 once the child and parent are in sync, the Child DNS Operator MAY 376 remove all CDS and CDNSKEY resource records from the zone. The Child 377 DNS Operator may choose to do this to decrease the size of the zone, 378 or to decrease the workload for the parent (if the parent receives no 379 CDS / CDNSKEY records it can go back to sleep). If it does receive a 380 CDS or CDNSKEY RRset it needs to check them against what is currently 381 published - see Section 5. 383 Following acceptance rules are placed on the CDS / CDNSKEY resource 384 records as follows: 386 o Location: the CDS / CDNSKEY resource records MUST be at the child 387 zone apex. 389 o Signer: MUST be signed with a key that is represented in both the 390 current DNSKEY and DS RRsets (unless the parent uses the CDS / 391 CDNSKEY RRset for initial enrollment, in that case the parent 392 validates the CDS / CDNSKEY through some other means (see 393 Section 6.1 and the Security Considerations.) 395 o Continuity: MUST NOT break the current delegation if applied to DS 396 RRset. 398 If any these conditions fail the CDS / CDNSKEY resource record MUST 399 be ignored, and this error SHOULD be logged. 401 5. CDS / CDNSKEY Publication 403 The Child DNS Operator publishes CDS and / or CDNSKEY resource 404 records. In order to be valid, the CDS / CDNSKEY RRset MUST be 405 compliant with the rules in Section 4.1. When the Parent DS is "in 406 sync" with the CDS / CDNSKEY resource records, the Child DNS Operator 407 MAY delete the CDS / CDNSKEY record(s); the child can determine if 408 this is the case by querying for DS records in the parent 410 6. Parent Side CDS / CDNSKEY Consumption 412 The CDS / CDNSKEY RRset SHOULD be used by the Parental Agent to 413 update the DS RRset in the parent zone. The Parental Agent for this 414 uses a tool that understands the CDS / CDNSKEY signing rules from 415 Section 4.1 so it might not be able to use a standard validator. 417 The parent MUST choose to use either CDNSKEY or CDS resource records 418 as their default updating mechanism. The parent MAY only accept 419 either CDNSKEY or CDS, but it MAY also accept both, so it can use the 420 other in the absence of the default updating mechanism, but it MUST 421 NOT expect there to be both. 423 6.1. Detecting a Changed CDS / CDNSKEY 425 How the Parental Agent gets the CDS / CDNSKEY RRset may differ, below 426 are two examples as how this can take place. 428 Polling The Parental Agent operates a tool that periodically checks 429 each of the children that has a DS record to see if there is a 430 CDS or CDNSKEY RRset. 432 Pushing The delegation user interface has a button {Fetch DS} when 433 pushed performs the CDS / CDNSKEY processing. If the Parent 434 zone does not contain DS for this delegation then the "push" 435 SHOULD be ignored. If the Parental Agent displays the contents 436 of the CDS / CDSNKEY to the user and gets confirmation that 437 this represents their key, the Parental Agent MAY use this for 438 initial enrollment (when the Parent zone does not contain the 439 DS for this delegation). 441 In either case the Parental Agent MAY apply additional rules that 442 defer the acceptance of a CDS / CDNSKEY change, these rules may 443 include a condition that the CDS / CDNSKEY remains in place and valid 444 for some time period before it is accepted. It may be appropriate in 445 the "Pushing" case to assume that the Child is ready and thus accept 446 changes without delay. 448 6.1.1. CDS / CDNSKEY Polling 450 This is the only defined use of CDS / CDNSKEY resource records in 451 this document. There are limits to the scalability of polling 452 techniques, thus some other mechanism is likely to be specified later 453 that addresses CDS / CDNSKEY resource record usage in the situation 454 where polling does not scale to. Having said that, Polling will work 455 in many important cases such as enterprises, universities and smaller 456 TLDs. In many regulatory environments the registry is prohibited 457 from talking to the registrant. In most of these cases the 458 registrant has a business relationship with the registrar, and so the 459 registrar can offer this as a service. 461 If the CDS / CDNSKEY RRset does not exist, the Parental Agent MUST 462 take no action. Specifically it MUST NOT delete or alter the 463 existing DS RRset. 465 6.1.2. Polling Triggers 467 It is assumed that other mechanisms will be implemented to trigger 468 the parent to look for an updated CDS / CDNSKEY RRsets. As the CDS / 469 CDNSKEY resource records are validated with DNSSEC, these mechanisms 470 can be unauthenticated. As an example, a child could telephone its 471 parent and request that they process the new CDS or CDNSKEY resource 472 records or an unauthenticated POST could be made to a webserver (with 473 rate-limiting). 475 Other documents can specify the trigger conditions. 477 6.2. Using the New CDS / CDNSKEY Records 479 Regardless of how the Parental Agent detected changes to a CDS / 480 CDNSKEY RRset, the Parental Agent SHOULD use a DNSSEC validator to 481 obtain a validated CDS / CDNSKEY RRset from the Child zone. A NOT 482 RECOMMENDED exception to this is if the parent performs some 483 additional validation on the data to confirm that it is the "correct" 484 key. 486 The Parental Agent MUST ensure that previous versions of the CDS / 487 CDNSKEY RRset do not overwrite more recent versions. This MAY be 488 accomplished by checking that the signature inception in the RRSIG 489 for CDS / CDNSKEY RRset is later and / or the serial number on the 490 child's SOA is greater. This may require the Parental Agent to 491 maintain some state information. 493 The Parental Agent MAY take extra security measures. For example, to 494 mitigate the possibility that a Child's key signing key has been 495 compromised, the Parental Agent may, for example, inform (by email or 496 other methods) the Child DNS Operator of the change. However the 497 precise out-of-band measures that a parent zone takes are outside the 498 scope of this document. 500 Once the Parental Agent has obtained a valid CDS / CDNSKEY RRset it 501 MUST check the publication rules from section 4.1. In particular the 502 Parental Agent MUST check the Continuity rule and do its best not to 503 invalidate the Child zone. Once checked and if the information in 504 the CDS / CDNSKEY and DS differ it may apply the changes to the 505 parent zone. If the parent consumes CDNSKEY, the parent should 506 calculate the DS before doing this comparison. 508 6.2.1. Parent Calculates DS 510 There are cases where the Parent wants to calculate the DS record due 511 to policy reasons. In this case, the Child publishes CDNSKEY records 512 and the parent calculates the DS records on behalf of the children. 514 When a Parent operates in "calculate DS" mode it can operate in one 515 of two sub-modes: 517 full: it only publishes DS records it calculates from DNSKEY 518 records, 520 augment: it will make sure there are DS records for the digest 521 algorithm(s) it requires(s). 523 In the case where the parent fetches the CDNSKEY RRset and calculates 524 the DS the resulting DS can differ from the CDS published by the 525 child. It is expected that the differences are only due different 526 set of digest algorithms used. 528 7. IANA Considerations 530 IANA has assigned RR Type code 59 for the CDS resource record. This 531 was done for an earlier version of this document[I-D.ds-publish] This 532 document is to become the reference for CDS RRtype. 534 IANA is requested to assign an RR Type for the CDNSKEY, see below 536 Type: CDNSKEY 538 Value: TBD1 (60 suggested) 540 Meaning: DNSKEY(s) the child wants reflected in DS 542 Reference: This document 544 8. Privacy Considerations 546 All of the information handled / transmitted by this protocol is 547 public information published in the DNS. 549 9. Security Considerations 551 This work is for the normal case; when things go wrong there is only 552 so much that automation can fix. 554 If child breaks DNSSEC validation by removing all the DNSKEYs that 555 are represented in the DS set its only repair actions are to contact 556 the parent or restore the DNSKEYs in the DS set. 558 In the event of a compromise of the server or system generating 559 signatures for a zone, an attacker might be able to generate and 560 publish new CDS / CDNSKEY resource records. The modified CDS / 561 CDNSKEY records will be picked up by this technique and so may allow 562 the attacker to extend the effective time of his attack. If there is 563 a delay in accepting changes to DS, as in [RFC5011], then the 564 attacker needs to hope his activity is not detected before the DS in 565 the parent is changed. If this type of change takes place, the child 566 needs to contact the parent (possibly via a registrar web interface) 567 and remove any compromised DS keys. 569 A compromise of the account with the parent (e.g. registrar) will not 570 be mitigated by this technique, as the "new registrant" can delete / 571 modify the DS records at will. 573 While it may be tempting, this SHOULD NOT be used for initial 574 enrollment of keys since there is no way to ensure that the initial 575 key is the correct one. If is used, strict rules for inclusion of 576 keys such as hold down times, challenge data inclusion or similar, 577 MUST be used, along with some kind of challenge mechanism. A child 578 cannot use this mechanism to go from signed to unsigned (publishing 579 an empty CDS / CDNSKEY RRset means no-change should be made in the 580 parent). 582 The CDS RR type should allow for enhanced security by simplifying 583 process. Since key change is automated, updating a DS RRset by other 584 means may be regarded as unusual and subject to extra security 585 checks. 587 As this introduces a new mechanism to update information in the 588 parent it MUST be clear who is fetching the records and creating the 589 appropriate records in the parent zone. Specifically some operations 590 may use other mechanisms than what is described here. For example, a 591 registrar may assume that it is maintaining the DNSSEC key 592 information in the registry, and may have this cached. If the 593 registry is fetching the CDS / CDNSKEY RRset then the registry and 594 registrar may have different views of the DNSSEC key material and the 595 result of such a situation is unclear. Therefore, this mechanism 596 SHOULD NOT be use to bypass intermediaries that might cache 597 information and because of that get the wrong state. 599 If there is a failure in applying changes in the child zone to all 600 DNS servers listed in either parent or child NS set it is possible 601 that the Parental agent may get confused, either because it gets 602 different answers on different checks or CDS RR validation fails. In 603 the worst case, the Parental Agent performs an action reversing a 604 prior action but after the child signing system decides to take the 605 next step in the key change process, resulting in a broken 606 delegation. 608 DNS is a loosely coherent distributed database with local caching; 609 therefore, it is important to allow old information to expire from 610 caches before deleting DS or DNSKEY records. Similarly, it is 611 important to allow new records to propagate through the DNS before 612 use, see [RFC6781]. 614 It is common practice for users to outsource their DNS hosting to a 615 third-party DNS provider. In order for that provider to be able to 616 maintain the DNSSEC information some users give the provider their 617 registrar login credentials (which obviously has negative security 618 implications). Deploying the solution described in this document 619 allows the 3rd party DNS provider to maintain the DNSSEC information 620 without giving them the registrar credentials, thereby improving 621 security. 623 By automating the maintenance of the DNSSEC key information (and 624 removing humans from the process), we expect to decrease the number 625 of DNSSEC related outages, which should increase DNSSEC deployment. 627 10. Acknowledgements 629 We would like to thank a large number of folk, including: Mark 630 Andrews, Joe Abley, Jaap Akkerhuis, Roy Arends, Doug Barton, Brian 631 Dickson, Paul Ebersman, Tony Finch, Jim Galvin, Paul Hoffman, Samir 632 Hussain, Tatuya Jinmei, Olaf Kolkman, Stephan Lagerholm, Cricket Liu, 633 Matt Larson, Marco Sanz, Antoin Verschuren, Suzanne Woolf, Paul 634 Wouters, John Dickinson, Timothe Litt and Edward Lewis. 636 Special thanks to Wes Hardaker for contributing significant text and 637 creating the complementary (CSYNC) solution, and to Patrik Faltstrom, 638 Paul Hoffman, Matthijs Mekking, Mukund Sivaraman and Jeremy C. Reed 639 for text and in-depth review. Brian Carpender provided a good Gen- 640 Art review. 642 There were a number of other folk with whom we discussed this, 643 apologies for not remembering everyone. 645 11. References 647 11.1. Normative References 649 [RFC1035] Mockapetris, P., "Domain names - implementation and 650 specification", STD 13, RFC 1035, November 1987. 652 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 653 Requirement Levels", BCP 14, RFC 2119, March 1997. 655 [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. 656 Rose, "DNS Security Introduction and Requirements", RFC 657 4033, March 2005. 659 [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. 660 Rose, "Resource Records for the DNS Security Extensions", 661 RFC 4034, March 2005. 663 [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S. 664 Rose, "Protocol Modifications for the DNS Security 665 Extensions", RFC 4035, March 2005. 667 [RFC5011] StJohns, M., "Automated Updates of DNS Security (DNSSEC) 668 Trust Anchors", STD 74, RFC 5011, September 2007. 670 [RFC6781] Kolkman, O., Mekking, W., and R. Gieben, "DNSSEC 671 Operational Practices, Version 2", RFC 6781, December 672 2012. 674 11.2. Informative References 676 [I-D.auto-cpsync] 677 Mekking, W., "Automated (DNSSEC) Child Parent 678 Synchronization using DNS UPDATE", draft-mekking-dnsop- 679 auto-cpsync-01 (work in progress), December 2010. 681 [I-D.csync] 682 Hardaker, W., "Child To Parent Synchronization in DNS", 683 draft-hardaker-dnsop-csync-02 (work in progress), July 684 2013. 686 [I-D.ds-publish] 687 Barwood, G., "DNS Transport", draft-barwood-dnsop-ds- 688 publish-02 (work in progress), June 2011. 690 [I-D.parent-zones] 691 Andrews, M., "Updating Parent Zones", draft-andrews-dnsop- 692 update-parent-zones-04 (work in progress), November 2013. 694 [RFC5730] Hollenbeck, S., "Extensible Provisioning Protocol (EPP)", 695 STD 69, RFC 5730, August 2009. 697 [RFC5910] Gould, J. and S. Hollenbeck, "Domain Name System (DNS) 698 Security Extensions Mapping for the Extensible 699 Provisioning Protocol (EPP)", RFC 5910, May 2010. 701 Appendix A. RRR background 703 RRR is our shorthand for Registry/Registrar/Registrant model of 704 parent child relationship. 706 In the RRR world, the different parties are frequently from different 707 organizations. In the single enterprise world there are also 708 organizational / geographical / cultural separations that affect how 709 information flows from a Child to the parent. 711 Due to the complexity of the different roles and interconnections, 712 automation of delegation information has not yet occurred. There 713 have been proposals to automate this, in order to improve the 714 reliability of the DNS. These proposals have not gained enough 715 traction to become standards. 717 For example in many of the TLD cases there is the RRR model 718 (Registry, Registrar and Registrant). The Registry operates DNS for 719 the TLD, the Registrars accept registrations and place information 720 into the Registries database. The Registrant only communicates with 721 the Registrar; frequently the Registry is not allowed to communicate 722 with the Registrant. In that case as far as the registrant is 723 concerned the Registrar is the same entity as the Parent. 725 In many RRR cases the Registrar and Registry communicate via 726 EPP[RFC5730] and use the EPP DNSSEC extension [RFC5910]. In a number 727 of ccTLDs there are other mechanisms in use as well as EPP, but in 728 general there seems to be a movement towards EPP usage when DNSSEC is 729 enabled in the TLD. 731 Appendix B. CDS key rollover example 733 This section shows an example on how CDS is used when performing a 734 KSK rollover, this example will demonstrate the the double DS 735 rollover method from section 4.1.2 in [RFC6781]. Other rollovers 736 using CDNSKEY and double KSK are left as an exercise to the reader. 737 The table below does not reflect the ZSK keys they just do not matter 738 during KSK rollovers. The wait states below highlight what RRset 739 needs to expire from caches before progressing to the next step. 741 +------+---------------+---------+---------+--------------+---------+ 742 | Step | State | Parent | Child | DNSKEY and | Child | 743 | | | DS | KSK | CDS signer | CDS | 744 +------+---------------+---------+---------+--------------+---------+ 745 | | Beginning | A | A | A | | 746 | 1 | Add CDS | A | A | A | AB | 747 | Wait | for DS change | A | A | A | AB | 748 | 2 | Updated DS | AB | A | A | AB | 749 | Wait | > DS TTL | AB | A | A | AB | 750 | 3 | Actual | AB | B | B | AB | 751 | | Rollover | | | | | 752 | Wait | > DNSKEY TTL | AB | B | B | AB | 753 | 4 | Child Cleanup | AB | B | B | B | 754 | 5 | Parent cleans | B | B | B | B | 755 | 6 | Optional CDS | B | B | B | | 756 | | delete | | | | | 757 +------+---------------+---------+---------+--------------+---------+ 759 Table 1: States 761 Appendix C. Changes / Author Notes. 763 [RFC Editor: Please remove this section before publication ] 765 WG-13 to WG-14 IETF Last call and IESG processing 767 o Applied text fixes from Phil Pennock 769 o Addressed comments from Brian Carpender GEN-ART review. 771 o Barry Leiba wanted better IANA considerations and suggested some 772 text changes in 6.1 and 6.2.1 774 o Reformatted the Appendix B table to be clearer. 776 WG-12 to WG-13 778 o Added appendix B showing Key rollover using CDS. 780 WG-11 to WG-12 782 o Many nits and helpful grammar fixes from Jeremy C. Reed. 784 WG-10 to WG-11 786 o More useful text from Matthijs. 788 o Explained why the child might want to remove the CDS / CDNSKEY 789 Records. 791 WG-09 to WG-10 793 o Incorporated off list comments from Stephan Lagerholm. Largest 794 change is fixing discrepancy between parent MAY perform OOB 795 validation and the Signer rule in 4.1. Clarified by updating 796 signer rule to allow enrolment if validation is performed OOB. 798 WG-08 to WG-09 800 o New text from Paul Hoffman for the first paragraph of the intro. 802 o And a modification from Jaap. 804 WG-07 to WG-08 806 o Incorporated text from Antoin Verschuren at the end of Section 6. 808 o Comments from Paul Hoffman and Tim W 809 WG-06 to WG-07 811 o Incorporated nits / editorial comments from Tim Wicinski. 813 o 815 * Reference for Mark's draft was incorrect, Wes Hardaker doesn't 816 work for ISC :-P 818 * Normalized CDS record / CDS resource record / records / etc. 820 * Language cleanup / nits / poor grammar. 822 * removed "punted" colloquialism. 824 WG-05 to WG-06 826 o Consensus (according to me!) was that mail thread said "Child MAY 827 remove the CDS record". Changed to accommodate. 829 o "The proposal below can operate with both models, but the child 830 needs to be aware of the parental policies." - removed "but the 831 child needs to be aware of the parental policies.". This is no 832 longer true, as we suggest publishing both CDS and CDSNKEY. 834 o Added: "without some additional out of band process" to "The Child 835 may not enroll the initial key or introduce a new key when there 836 are no old keys that can be used (without some additional, out of 837 band, validation of the keys), because there is no way to validate 838 the information." 840 o Added a bit to the IANA section, requesting that TBA1 be replaced 841 with the IANA allocated code. 843 o Removed: "Some parents prefer to accept DNSSEC key information in 844 DS format, some parents prefer to accept it in DNSKEY format, and 845 calculate the DS record on the child's behalf. Each method has 846 pros and cons, both technical and policy. This solution is DS vs 847 DNSKEY agnostic, and allows operation with either." from Section 4 848 as it is covered in Section 2.2.1 850 o Remove a bunch of comments from the XML. I was getting tired of 851 scrolling past them. If the authors need them back, they are in 852 SVN commit 47. 854 WG-04 to WG-05 856 o More comments from Patrik, Paul and Ed. 858 o Many nits and fixes from Matthijs Mekking. 860 o Outstanding question: Should we remove the "Child SHOULD remove 861 the CDS record" text? Mail sent to list. 863 WG-03 to WG-04 865 o Large number of comments and changes from Patrik. 867 WG-02 to WG-03 869 o Fixed some references to RFC 5011 - from Samir Hussain. 871 o Fixed some spelling / typos - from Samir Hussain. 873 o A number of clarifications on the meaning on an empty / non- 874 existant CDS RRset - thanks to JINMEI, Tatuya 876 o Be consistent in mentioning both CDS and CDNSKEY throughout the 877 document. 879 WG-01 to WG-02 881 o Many nits and suggestions from Mukund. 883 o Matthijs: " I still think that it is too strong that the Child DNS 884 Operator SHOULD/MUST delete the CDS RRset when the Parent DS is 885 "in sync". This should be a MAY" 887 WG-00 to WG-01 889 o Addressed Vancouver: "Paul Hoffmann: NOT ready for WGLC. None of 890 the 2 documents explain why there is a split between the two 891 strategies." Thanks to Paul for providing text. 893 From -05 to WG-00: 895 o Nothing changed, resubmit under new name. 897 From 04 to 05 899 o Renamed the record back to CDS. 901 From 03 to 04. 903 o Added text explaining that CDS and CSYNC complement each other, 904 not replace or compete. 906 o Changed format of record to be to allow the 907 publication of DS **or** DNSKEY. 909 o Bunch of text changed to cover the above. 911 o Added a bit more text on the polling scaling stuff, expectation 912 that other triggers will be documented. 914 From 02 to 03 916 o Applied comments by Matthijs Mekking 918 o Incorporated suggestions from Edward Lewis about structure 920 o Reworked structure to be easier for implementors to follow 922 o Applied many suggestions from a wonderful thorough review by John 923 Dickinson 925 o Removed the going Unsigned option 927 From 01 to 02 929 o Major restructuring to facilitate easier discussion 931 o Lots of comments from DNSOP mailing list incorporated, including 932 making draft DNSKEY/DS neutral, explain different relationships 933 that exists, 935 o added more people to acks. 937 o added description of enterprise situations 939 o Unified on using Parental Agent over Parental Representative 941 o Removed redundant text when possible 943 o Added text to explain what can go wrong if not all child DNS 944 servers are in sync. 946 o Reference prior work by Matthijs Mekking 948 o Added text when parent calculates DS from DNSKEY 950 From - to -1. 952 o Removed from section .1: "If a child zone has gone unsigned, i.e. 953 no DNSKEY and no RRSIG in the zone, the parental representative 954 MAY treat that as intent to go unsigned. (NEEDS DISCUSSION)." 955 Added new text at end. -- suggestion by Scott Rose 20/Feb/13. 957 o Added some background on the different DNS Delegation operating 958 situations and how they affect interaction of parties. This moved 959 some blocks of text from later sections into here. 961 o Number of textual improvements from Stephan Lagerholm 963 o Added motivation why CDS is needed in CDS definition section 965 o Unified terminology in the document. 967 o Much more background 969 Authors' Addresses 971 Warren Kumari 972 Google 973 1600 Amphitheatre Parkway 974 Mountain View, CA 94043 975 US 977 Email: warren@kumari.net 979 Olafur Gudmundsson 980 Shinkuro Inc. 981 4922 Fairmont Av, Suite 250 982 Bethesda, MD 20814 983 USA 985 Email: ogud@ogud.com 987 George Barwood 988 33 Sandpiper Close 989 Gloucester GL2 4LZ 990 United Kingdom 992 Email: george.barwood@blueyonder.co.uk