idnits 2.17.1 draft-ietf-dnsop-rfc2845bis-07.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- == There are 2 instances of lines with non-RFC2606-compliant FQDNs in the document. -- The draft header indicates that this document obsoletes RFC4635, but the abstract doesn't seem to directly say this. It does mention RFC4635 though, so this could be OK. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == Line 361 has weird spacing: '...AC Data octe...' == Line 393 has weird spacing: '... Signed in ...' == Line 744 has weird spacing: '...ptional gss...' == Line 745 has weird spacing: '...ndatory hmac...' == Line 746 has weird spacing: '...ptional hma...' == (3 more instances...) == The document seems to contain a disclaimer for pre-RFC5378 work, but was first submitted on or after 10 November 2008. The disclaimer is usually necessary only for documents that revise or obsolete older RFCs, and that take significant amounts of text from those RFCs. If you can contact all authors of the source material and they are willing to grant the BCP78 rights to the IETF Trust, you can and should remove the disclaimer. Otherwise, the disclaimer is needed and you can ignore this comment. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (February 20, 2020) is 1527 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Possible downref: Non-RFC (?) normative reference: ref. 'FIPS180-4' ** Obsolete normative reference: RFC 2845 (Obsoleted by RFC 8945) ** Obsolete normative reference: RFC 4635 (Obsoleted by RFC 8945) Summary: 2 errors (**), 0 flaws (~~), 9 warnings (==), 3 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Internet Engineering Task Force F. Dupont 3 Internet-Draft S. Morris 4 Obsoletes: 2845, 4635 (if approved) ISC 5 Intended status: Standards Track P. Vixie 6 Expires: August 23, 2020 Farsight 7 D. Eastlake 3rd 8 Futurewei 9 O. Gudmundsson 10 Cloudflare 11 B. Wellington 12 Akamai 13 February 20, 2020 15 Secret Key Transaction Authentication for DNS (TSIG) 16 draft-ietf-dnsop-rfc2845bis-07 18 Abstract 20 This document describes a protocol for transaction level 21 authentication using shared secrets and one way hashing. It can be 22 used to authenticate dynamic updates as coming from an approved 23 client, or to authenticate responses as coming from an approved name 24 server. 26 No recommendation is made here for distributing the shared secrets: 27 it is expected that a network administrator will statically configure 28 name servers and clients using some out of band mechanism. 30 This document obsoletes RFC2845 and RFC4635. 32 Status of This Memo 34 This Internet-Draft is submitted in full conformance with the 35 provisions of BCP 78 and BCP 79. 37 Internet-Drafts are working documents of the Internet Engineering 38 Task Force (IETF). Note that other groups may also distribute 39 working documents as Internet-Drafts. The list of current Internet- 40 Drafts is at https://datatracker.ietf.org/drafts/current/. 42 Internet-Drafts are draft documents valid for a maximum of six months 43 and may be updated, replaced, or obsoleted by other documents at any 44 time. It is inappropriate to use Internet-Drafts as reference 45 material or to cite them other than as "work in progress." 47 This Internet-Draft will expire on August 23, 2020. 49 Copyright Notice 51 Copyright (c) 2020 IETF Trust and the persons identified as the 52 document authors. All rights reserved. 54 This document is subject to BCP 78 and the IETF Trust's Legal 55 Provisions Relating to IETF Documents 56 (https://trustee.ietf.org/license-info) in effect on the date of 57 publication of this document. Please review these documents 58 carefully, as they describe your rights and restrictions with respect 59 to this document. Code Components extracted from this document must 60 include Simplified BSD License text as described in Section 4.e of 61 the Trust Legal Provisions and are provided without warranty as 62 described in the Simplified BSD License. 64 This document may contain material from IETF Documents or IETF 65 Contributions published or made publicly available before November 66 10, 2008. The person(s) controlling the copyright in some of this 67 material may not have granted the IETF Trust the right to allow 68 modifications of such material outside the IETF Standards Process. 69 Without obtaining an adequate license from the person(s) controlling 70 the copyright in such materials, this document may not be modified 71 outside the IETF Standards Process, and derivative works of it may 72 not be created outside the IETF Standards Process, except to format 73 it for publication as an RFC or to translate it into languages other 74 than English. 76 Table of Contents 78 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 79 1.1. Background . . . . . . . . . . . . . . . . . . . . . . . 3 80 1.2. Protocol Overview . . . . . . . . . . . . . . . . . . . . 4 81 1.3. Document History . . . . . . . . . . . . . . . . . . . . 4 82 2. Key Words . . . . . . . . . . . . . . . . . . . . . . . . . . 5 83 3. Assigned Numbers . . . . . . . . . . . . . . . . . . . . . . 5 84 4. TSIG RR Format . . . . . . . . . . . . . . . . . . . . . . . 5 85 4.1. TSIG RR Type . . . . . . . . . . . . . . . . . . . . . . 5 86 4.2. TSIG Record Format . . . . . . . . . . . . . . . . . . . 6 87 4.3. MAC Computation . . . . . . . . . . . . . . . . . . . . . 8 88 4.3.1. Request MAC . . . . . . . . . . . . . . . . . . . . . 8 89 4.3.2. DNS Message . . . . . . . . . . . . . . . . . . . . . 9 90 4.3.3. TSIG Variables . . . . . . . . . . . . . . . . . . . 9 91 5. Protocol Details . . . . . . . . . . . . . . . . . . . . . . 10 92 5.1. Generation of TSIG on Requests . . . . . . . . . . . . . 10 93 5.2. Server Processing of Request . . . . . . . . . . . . . . 10 94 5.2.1. Key Check and Error Handling . . . . . . . . . . . . 11 95 5.2.2. MAC Check and Error Handling . . . . . . . . . . . . 11 96 5.2.3. Time Check and Error Handling . . . . . . . . . . . . 12 97 5.2.4. Truncation Check and Error Handling . . . . . . . . . 12 98 5.3. Generation of TSIG on Answers . . . . . . . . . . . . . . 13 99 5.3.1. TSIG on Zone Transfer Over a TCP Connection . . . . . 13 100 5.3.2. Generation of TSIG on Error Returns . . . . . . . . . 14 101 5.4. Client Processing of Answer . . . . . . . . . . . . . . . 14 102 5.4.1. Key Error Handling . . . . . . . . . . . . . . . . . 15 103 5.4.2. MAC Error Handling . . . . . . . . . . . . . . . . . 15 104 5.4.3. Time Error Handling . . . . . . . . . . . . . . . . . 15 105 5.4.4. Truncation Error Handling . . . . . . . . . . . . . . 15 106 5.5. Special Considerations for Forwarding Servers . . . . . . 16 107 6. Algorithms and Identifiers . . . . . . . . . . . . . . . . . 16 108 7. TSIG Truncation Policy . . . . . . . . . . . . . . . . . . . 17 109 8. Shared Secrets . . . . . . . . . . . . . . . . . . . . . . . 17 110 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 18 111 10. Security Considerations . . . . . . . . . . . . . . . . . . . 18 112 10.1. Issue Fixed in this Document . . . . . . . . . . . . . . 19 113 10.2. Why not DNSSEC? . . . . . . . . . . . . . . . . . . . . 20 114 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 20 115 11.1. Normative References . . . . . . . . . . . . . . . . . . 20 116 11.2. Informative References . . . . . . . . . . . . . . . . . 21 117 Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . 23 118 Appendix B. Change History (to be removed before publication) . 23 119 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 26 121 1. Introduction 123 1.1. Background 125 The Domain Name System (DNS, [RFC1034], [RFC1035]) is a replicated 126 hierarchical distributed database system that provides information 127 fundamental to Internet operations, such as name to address 128 translation and mail handling information. 130 This document specifies use of a message authentication code (MAC), 131 generated using certain keyed hash functions, to provide an efficient 132 means of point-to-point authentication and integrity checking for DNS 133 transactions. Such transactions include DNS update requests and 134 responses for which this can provide a lightweight alternative to the 135 secure DNS dynamic update protocol described by [RFC3007]. 137 A further use of this mechanism is to protect zone transfers. In 138 this case the data covered would be the whole zone transfer including 139 any glue records sent. The protocol described by DNSSEC ([RFC4033], 140 [RFC4034], [RFC4035]) does not protect glue records and unsigned 141 records unless SIG(0) (transaction signature) is used. 143 The authentication mechanism proposed in this document uses shared 144 secret keys to establish a trust relationship between two entities. 146 Such keys must be protected in a manner similar to private keys, lest 147 a third party masquerade as one of the intended parties (by forging 148 the MAC). There was a need to provide simple and efficient 149 authentication between clients and local servers and this proposal 150 addresses that need. The proposal is unsuitable for general server 151 to server authentication for servers which speak with many other 152 servers, since key management would become unwieldy with the number 153 of shared keys going up quadratically. But it is suitable for many 154 resolvers on hosts that only talk to a few recursive servers. 156 1.2. Protocol Overview 158 Secret Key Transaction Authentication makes use of signatures on 159 messages sent between the parties involved (e.g. resolver and 160 server). These are known as "transaction signatures", or TSIG. For 161 historical reasons, in this document they are referred to as message 162 authentication codes (MAC). 164 Use of TSIG presumes prior agreement between the two parties involved 165 (e.g., resolver and server) as to any algorithm and key to be used. 166 The way that this agreement is reached is outside the scope of the 167 document. 169 A DNS message exchange involves the sending of a query and the 170 receipt of one of more DNS messages in response. For the query, the 171 MAC is calculated based on the hash of the contents and the agreed 172 TSIG key. The MAC for the response is similar, but also includes the 173 MAC of the query as part of the calculation. Where a response 174 comprises multiple packets, the calculation of the MAC associated 175 with the second and subsequent packets includes in its inputs the MAC 176 for the preceding packet. In this way it is possible to detect any 177 interruption in the packet sequence. 179 The MAC is contained in a TSIG resource record included in the 180 Additional Section of the DNS message. 182 1.3. Document History 184 TSIG was originally specified by [RFC2845]. In 2017, two nameservers 185 strictly following that document (and the related [RFC4635]) were 186 discovered to have security problems related to this feature. The 187 implementations were fixed but, to avoid similar problems in the 188 future, the two documents were updated and merged, producing this 189 revised specification for TSIG. 191 While TSIG implemented according to this RFC provides for enhanced 192 security, there are no changes in interoperability. TSIG is on the 193 wire still the same mechanism described in [RFC2845]; only the 194 checking semantics have been changed. See Section 10.1 for further 195 details. 197 2. Key Words 199 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 200 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 201 "OPTIONAL" in this document are to be interpreted as described in BCP 202 14 [RFC2119] [RFC8174] when, and only when, they appear in all 203 capitals, as shown here. 205 3. Assigned Numbers 207 This document defines the following RR type and associated value: 209 TSIG (250) 211 In addition, the document also defines the following DNS RCODEs and 212 associated names: 214 16 (BADSIG) 215 17 (BADKEY) 216 18 (BADTIME) 217 22 (BADTRUNC) 219 (See [RFC6895] Section 2.3 concerning the assignment of the value 16 220 to BADSIG.) 222 These RCODES may appear within the "Error" field of a TSIG RR. 224 4. TSIG RR Format 226 4.1. TSIG RR Type 228 To provide secret key authentication, we use an RR type whose 229 mnemonic is TSIG and whose type code is 250. TSIG is a meta-RR and 230 MUST NOT be cached. TSIG RRs are used for authentication between DNS 231 entities that have established a shared secret key. TSIG RRs are 232 dynamically computed to cover a particular DNS transaction and are 233 not DNS RRs in the usual sense. 235 As the TSIG RRs are related to one DNS request/response, there is no 236 value in storing or retransmitting them, thus the TSIG RR is 237 discarded once it has been used to authenticate a DNS message. 239 4.2. TSIG Record Format 241 The fields of the TSIG RR are described below. As is usual, all 242 multi-octet integers in the record are sent in network byte order 243 (see [RFC1035] 2.3.2). 245 NAME The name of the key used, in domain name syntax. The name 246 should reflect the names of the hosts and uniquely identify the 247 key among a set of keys these two hosts may share at any given 248 time. For example, if hosts A.site.example and B.example.net 249 share a key, possibilities for the key name include 250 .A.site.example, .B.example.net, and 251 .A.site.example.B.example.net. It should be possible for 252 more than one key to be in simultaneous use among a set of 253 interacting hosts. 255 The name may be used as a local index to the key involved and 256 it is recommended that it be globally unique. Where a key is 257 just shared between two hosts, its name actually need only be 258 meaningful to them but it is recommended that the key name be 259 mnemonic and incorporates the names of participating agents or 260 resources as suggested above. 262 TYPE This MUST be TSIG (250: Transaction SIGnature) 264 CLASS This MUST be ANY 266 TTL This MUST be 0 268 RdLen (variable) 270 RDATA The RDATA for a TSIG RR consists of a number of fields, 271 described below: 273 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 274 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 275 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 276 / Algorithm Name / 277 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 278 | | 279 | Time Signed +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 280 | | Fudge | 281 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 282 | MAC Size | / 283 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ MAC / 284 / / 285 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 286 | Original ID | Error | 287 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 288 | Other Len | / 289 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Other Data / 290 / / 291 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 293 The contents of the RDATA fields are: 295 * Algorithm Name - a octet sequence identifying the TSIG 296 algorithm name in the domain name syntax. (Allowed names 297 are listed in Table 1.) The name is stored in the DNS name 298 wire format as described in [RFC1034]. As per [RFC3597], 299 this name MUST NOT be compressed. 301 * Time Signed - an unsigned 48-bit integer containing the time 302 signed as seconds since 00:00 on 1970-01-01 UTC, ignoring 303 leap seconds. 305 * Fudge - an unsigned 16-bit integer specifying the allowed 306 time difference in seconds permitted in the Time Signed 307 field. 309 * MAC Size - an unsigned 16-bit integer giving the length of 310 MAC field in octets. Truncation is indicated by a MAC size 311 less than the size of the keyed hash produced by the 312 algorithm specified by the Algorithm Name. 314 * MAC - a sequence of octets whose contents are defined by the 315 TSIG algorithm used, possibly truncated as specified by MAC 316 Size. The length of this field is given by the Mac Size. 317 Calculation of the MAC is detailed in Section 4.3. 319 * Original ID - An unsigned 16-bit integer holding the message 320 ID of the original request message. For a TSIG RR on a 321 request, it is set equal to the DNS message ID. In a TSIG 322 attached to a response - or in cases such as the forwarding 323 of a dynamic update request - the field contains the ID of 324 the original DNS request. 326 * Error - an unsigned 16-bit integer containing the extended 327 RCODE covering TSIG processing. 329 * Other Len - an unsigned 16-bit integer specifying the length 330 of the "Other Data" field in octets. 332 * Other Data - this unsigned 48-bit integer field will be 333 empty unless the content of the Error field is BADTIME, in 334 which case it will contain the server's current time as the 335 number of seconds since 00:00 on 1970-01-01 UTC, ignoring 336 leap seconds (see Section 5.2.3). 338 4.3. MAC Computation 340 When generating or verifying the contents of a TSIG record, the data 341 listed in the rest of this section are passed, in the order listed 342 below, as input to MAC computation. The data are passed in network 343 byte order or wire format, as appropriate, and are fed into the 344 hashing function as a continuous octet sequence with no interfield 345 separator or padding. 347 4.3.1. Request MAC 349 Only included in the computation of a MAC for a response message (or 350 the first message in a multi-message response), the validated request 351 MAC MUST be included in the MAC computation. If the request MAC 352 failed to validate, an unsigned error message MUST be returned 353 instead. (Section 5.3.2). 355 The request's MAC, comprising the following fields, is digested in 356 wire format: 358 Field Type Description 359 ---------- ----------------------- ---------------------- 360 MAC Length Unsigned 16-bit integer in network byte order 361 MAC Data octet sequence exactly as transmitted 363 Special considerations apply to the TSIG calculation for the second 364 and subsequent messages a response that consists of multiple DNS 365 messages (e.g. a zone transfer). These are described in 366 Section 5.3.1. 368 4.3.2. DNS Message 370 A whole and complete DNS message in wire format. When creating a 371 TSIG, this is the message before the TSIG RR has been added to the 372 additional data section and before the DNS Message Header's ARCOUNT 373 field has been incremented to contain the TSIG RR. 375 When verifying an incoming message, this is the message after the 376 TSIG RR and been removed and the ARCOUNT field has been decremented. 377 If the message ID differs from the original message ID, the original 378 message ID is substituted for the message ID. (This could happen, 379 for example, when forwarding a dynamic update request.) 381 4.3.3. TSIG Variables 383 Also included in the digest is certain information present in the 384 TSIG RR. Adding this data provides further protection against an 385 attempt to interfere with the message. 387 Source Field Name Notes 388 ---------- -------------- ----------------------------------------- 389 TSIG RR NAME Key name, in canonical wire format 390 TSIG RR CLASS (Always ANY in the current specification) 391 TSIG RR TTL (Always 0 in the current specification) 392 TSIG RDATA Algorithm Name in canonical wire format 393 TSIG RDATA Time Signed in network byte order 394 TSIG RDATA Fudge in network byte order 395 TSIG RDATA Error in network byte order 396 TSIG RDATA Other Len in network byte order 397 TSIG RDATA Other Data exactly as transmitted 399 The RR RDLEN and RDATA MAC Length are not included in the input to 400 MAC computation since they are not guaranteed to be knowable before 401 the MAC is generated. 403 The Original ID field is not included in this section, as it has 404 already been substituted for the message ID in the DNS header and 405 hashed. 407 For each label type, there must be a defined "Canonical wire format" 408 that specifies how to express a label in an unambiguous way. For 409 label type 00, this is defined in [RFC4034] Section 6.1. The use of 410 label types other than 00 is not defined for this specification. 412 4.3.3.1. Time Values Used in TSIG Calculations 414 The data digested includes the two timer values in the TSIG header in 415 order to defend against replay attacks. If this were not done, an 416 attacker could replay old messages but update the "Time Signed" and 417 "Fudge" fields to make the message look new. This data is named 418 "TSIG Timers", and for the purpose of MAC calculation, they are 419 hashed in their "on the wire" format, in the following order: first 420 Time Signed, then Fudge. 422 5. Protocol Details 424 5.1. Generation of TSIG on Requests 426 Once the outgoing record has been constructed, the client performs 427 the keyed hash (HMAC) computation, appends a TSIG record with the 428 calculated MAC to the Additional Data section (incrementing the 429 ARCOUNT to reflect the additional RR), and transmits the request to 430 the server. This TSIG record MUST be the only TSIG RR in the message 431 and MUST be last record in the Additional Data section. The client 432 MUST store the MAC and the key name from the request while awaiting 433 an answer. 435 The digest components for a request are: 437 DNS Message (request) 438 TSIG Variables (request) 440 Note that some older name servers will not accept requests with a 441 nonempty additional data section. Clients SHOULD only attempt signed 442 transactions with servers who are known to support TSIG and share 443 some algorithm and secret key with the client -- so, this is not a 444 problem in practice. 446 5.2. Server Processing of Request 448 If an incoming message contains a TSIG record, it MUST be the last 449 record in the additional section. Multiple TSIG records are not 450 allowed. If multiple TSIG records are detected or a TSIG record is 451 present in any other position, the DNS message is dropped and a 452 response with RCODE 1 (FORMERR) MUST be returned. Upon receipt of a 453 message with exactly one correctly placed TSIG RR, the TSIG RR is 454 copied to a safe location, removed from the DNS Message, and 455 decremented out of the DNS message header's ARCOUNT. 457 If the TSIG RR cannot be understood, the server MUST regard the 458 message as corrupt and return a FORMERR to the server. Otherwise the 459 server is REQUIRED to return a TSIG RR in the response. 461 To validate the received TSIG RR, the server MUST perform the 462 following checks in the following order: 464 1. Check KEY 465 2. Check MAC 466 3. Check TIME values 467 4. Check Truncation policy 469 5.2.1. Key Check and Error Handling 471 If a non-forwarding server does not recognize the key or algorithm 472 used by the client (or recognises the algorithm but does not 473 implement it), the server MUST generate an error response with RCODE 474 9 (NOTAUTH) and TSIG ERROR 17 (BADKEY). This response MUST be 475 unsigned as specified in Section 5.3.2. The server SHOULD log the 476 error. (Special considerations apply to forwarding servers, see 477 Section 5.5.) 479 5.2.2. MAC Check and Error Handling 481 Using the information in the TSIG, the server should verify the MAC 482 by doing its own calculation and comparing the result with the MAC 483 received. If the MAC fails to verify, the server MUST generate an 484 error response as specified in Section 5.3.2 with RCODE 9 (NOTAUTH) 485 and TSIG ERROR 16 (BADSIG). This response MUST be unsigned as 486 specified in Section 5.3.2. The server SHOULD log the error. 488 5.2.2.1. MAC Truncation 490 When space is at a premium and the strength of the full length of a 491 MAC is not needed, it is reasonable to truncate the keyed hash and 492 use the truncated value for authentication. HMAC SHA-1 truncated to 493 96 bits is an option available in several IETF protocols, including 494 IPsec and TLS. 496 Processing of a truncated MAC follows these rules: 498 1. If "MAC size" field is greater than keyed hash output length: 500 This case MUST NOT be generated and, if received, MUST cause the 501 DNS message to be dropped and RCODE 1 (FORMERR) to be returned. 503 2. If "MAC size" field equals keyed hash output length: 505 The entire output keyed hash output is present and used. 507 3. "MAC size" field is less than the larger of 10 (octets) and half 508 the length of the hash function in use: 510 With the exception of certain TSIG error messages described in 511 Section 5.3.2, where it is permitted that the MAC size be zero, 512 this case MUST NOT be generated and, if received, MUST cause the 513 DNS message to be dropped and RCODE 1 (FORMERR) to be returned. 515 4. Otherwise: 517 This is sent when the signer has truncated the keyed hash output 518 to an allowable length, as described in [RFC2104], taking initial 519 octets and discarding trailing octets. TSIG truncation can only 520 be to an integral number of octets. On receipt of a DNS message 521 with truncation thus indicated, the locally calculated MAC is 522 similarly truncated and only the truncated values are compared 523 for authentication. The request MAC used when calculating the 524 TSIG MAC for a reply is the truncated request MAC. 526 5.2.3. Time Check and Error Handling 528 If the server time is outside the time interval specified by the 529 request (which is: Time Signed, plus/minus Fudge), the server MUST 530 generate an error response with RCODE 9 (NOTAUTH) and TSIG ERROR 18 531 (BADTIME). The server SHOULD also cache the most recent time signed 532 value in a message generated by a key, and SHOULD return BADTIME if a 533 message received later has an earlier time signed value. A response 534 indicating a BADTIME error MUST be signed by the same key as the 535 request. It MUST include the client's current time in the time 536 signed field, the server's current time (an unsigned 48-bit integer) 537 in the other data field, and 6 in the other data length field. This 538 is done so that the client can verify a message with a BADTIME error 539 without the verification failing due to another BADTIME error. In 540 addition, the fudge field MUST be set to the fudge value received 541 from the client. The data signed is specified in Section 5.3.2. The 542 server SHOULD log the error. 544 Caching the most recent time signed value and rejecting requests with 545 an earlier one could lead to valid messages being rejected if transit 546 through the network led to UDP packets arriving in a different order 547 to the one in which they were sent. Implementations should be aware 548 of this possibility and be prepared to deal with it, e.g. by 549 retransmitting the rejected request with a new TSIG once outstanding 550 requests have completed or the time given by their time signed plus 551 fudge value has passed. 553 5.2.4. Truncation Check and Error Handling 555 If a TSIG is received with truncation that is permitted under 556 Section 5.2.2.1 above but the MAC is too short for the local policy 557 in force, an RCODE 9 (NOTAUTH) and TSIG ERROR 22 (BADTRUNC) MUST be 558 returned. The server SHOULD log the error. 560 5.3. Generation of TSIG on Answers 562 When a server has generated a response to a signed request, it signs 563 the response using the same algorithm and key. The server MUST NOT 564 generate a signed response to a request if either the KEY is invalid 565 (e.g. key name or algorithm name are unknown), or the MAC fails 566 validation: see Section 5.3.2 for details of responding in these 567 cases. 569 It also MUST NOT not generate a signed response to an unsigned 570 request, except in the case of a response to a client's unsigned TKEY 571 request if the secret key is established on the server side after the 572 server processed the client's request. Signing responses to unsigned 573 TKEY requests MUST be explicitly specified in the description of an 574 individual secret key establishment algorithm [RFC3645]. 576 The digest components used to generate a TSIG on a response are: 578 Request MAC 579 DNS Message (response) 580 TSIG Variables (response) 582 (This calculation is different for the second and subsequent message 583 in a multi-message answer, see below.) 585 If addition of the TSIG record will cause the message to be 586 truncated, the server MUST alter the response so that a TSIG can be 587 included. This response consists of only the question and a TSIG 588 record, and has the TC bit set and an RCODE of 0 (NOERROR). The 589 client SHOULD at this point retry the request using TCP (as per 590 [RFC1035] 4.2.2). 592 5.3.1. TSIG on Zone Transfer Over a TCP Connection 594 A zone transfer over a DNS TCP session can include multiple DNS 595 messages. Using TSIG on such a connection can protect the connection 596 from hijacking and provide data integrity. The TSIG MUST be included 597 on all DNS messages in the response. For backward compatibility, a 598 client which receives DNS messages and verifies TSIG MUST accept up 599 to 99 intermediary messages without a TSIG. The first message is 600 processed as a standard answer (see Section 5.3) but subsequent 601 messages have the following digest components: 603 Prior MAC (running) 604 DNS Messages (any unsigned messages since the last TSIG) 605 TSIG Timers (current message) 607 The "Prior MAC" is the MAC from the TSIG attached to the last message 608 containing a TSIG. "DNS Messages" comprises the concatenation (in 609 message order) of all messages after the last message that included a 610 TSIG and includes the current message. "TSIG timers" comprises the 611 "Time Signed" and "Fudge" fields (in that order) pertaining to the 612 message for which the TSIG is being created: this means that the 613 successive TSIG records in the stream will have non-decreasing "Time 614 Signed" fields. Note that only the timers are included in the second 615 and subsequent messages, not all the TSIG variables. 617 This allows the client to rapidly detect when the session has been 618 altered; at which point it can close the connection and retry. If a 619 client TSIG verification fails, the client MUST close the connection. 620 If the client does not receive TSIG records frequently enough (as 621 specified above) it SHOULD assume the connection has been hijacked 622 and it SHOULD close the connection. The client SHOULD treat this the 623 same way as they would any other interrupted transfer (although the 624 exact behavior is not specified here). 626 5.3.2. Generation of TSIG on Error Returns 628 When a server detects an error relating to the key or MAC in the 629 incoming request, the server SHOULD send back an unsigned error 630 message (MAC size == 0 and empty MAC). It MUST NOT send back a 631 signed error message. 633 If an error is detected relating to the TSIG validity period or the 634 MAC is too short for the local policy, the server SHOULD send back a 635 signed error message. The digest components are: 637 Request MAC (if the request MAC validated) 638 DNS Message (response) 639 TSIG Variables (response) 641 The reason that the request is not included in this MAC in some cases 642 is to make it possible for the client to verify the error. If the 643 error is not a TSIG error the response MUST be generated as specified 644 in Section 5.3. 646 5.4. Client Processing of Answer 648 When a client receives a response from a server and expects to see a 649 TSIG, it performs the same checks as described in Section 5.2, with 650 the following modifications: 652 o If the TSIG RR does not validate, that response MUST be discarded, 653 unless the RCODE is 9 (NOTAUTH), in which case the client SHOULD 654 proceed as described in the following subsections. 656 A message containing an unsigned TSIG record or a TSIG record which 657 fails verification SHOULD NOT be considered an acceptable response; 658 the client SHOULD log an error and continue to wait for a signed 659 response until the request times out. 661 5.4.1. Key Error Handling 663 If an RCODE on a response is 9 (NOTAUTH), but the response TSIG 664 validates and the TSIG key recognised by the client but different 665 from that used on the request, then this is a Key Error. The client 666 MAY retry the request using the key specified by the server. 667 However, this should never occur, as a server MUST NOT sign a 668 response with a different key to that used to sign the request. 670 5.4.2. MAC Error Handling 672 If the response RCODE is 9 (NOTAUTH) and TSIG ERROR is 16 (BADSIG), 673 this is a MAC error, and client MAY retry the request with a new 674 request ID but it would be better to try a different shared key if 675 one is available. Clients SHOULD keep track of how many MAC errors 676 are associated with each key. Clients SHOULD log this event. 678 5.4.3. Time Error Handling 680 If the response RCODE is 9 (NOTAUTH) and the TSIG ERROR is 18 681 (BADTIME), or the current time does not fall in the range specified 682 in the TSIG record, then this is a Time error. This is an indication 683 that the client and server clocks are not synchronized. In this case 684 the client SHOULD log the event. DNS resolvers MUST NOT adjust any 685 clocks in the client based on BADTIME errors, but the server's time 686 in the other data field SHOULD be logged. 688 5.4.4. Truncation Error Handling 690 If the response RCODE is 9 (NOTAUTH) and the TSIG ERROR is 22 691 (BADTRUNC) then this is a Truncation error. The client MAY retry 692 with a lesser truncation up to the full HMAC output (no truncation), 693 using the truncation used in the response as a hint for what the 694 server policy allowed (Section 7). Clients SHOULD log this event. 696 5.5. Special Considerations for Forwarding Servers 698 A server acting as a forwarding server of a DNS message SHOULD check 699 for the existence of a TSIG record. If the name on the TSIG is not 700 of a secret that the server shares with the originator the server 701 MUST forward the message unchanged including the TSIG. If the name 702 of the TSIG is of a key this server shares with the originator, it 703 MUST process the TSIG. If the TSIG passes all checks, the forwarding 704 server MUST, if possible, include a TSIG of its own, to the 705 destination or the next forwarder. If no transaction security is 706 available to the destination and the message is a query then, if the 707 corresponding response has the AD flag (see [RFC4035]) set, the 708 forwarder MUST clear the AD flag before adding the TSIG to the 709 response and returning the result to the system from which it 710 received the query. 712 6. Algorithms and Identifiers 714 The only message digest algorithm specified in the first version of 715 these specifications [RFC2845] was "HMAC-MD5" (see [RFC1321], 716 [RFC2104]). Although a review of its security [RFC6151] concluded 717 that "it may not be urgent to remove HMAC-MD5 from the existing 718 protocols", with the availability of more secure alternatives the 719 opportunity has been taken to make the implementation of this 720 algorithm optional. 722 [RFC4635] added mandatory support in TSIG for SHA-1 [FIPS180-4], 723 [RFC3174]. SHA-1 collisions have been demonstrated so the MD5 724 security considerations apply to SHA-1 in a similar manner. Although 725 support for hmac-sha1 in TSIG is still mandatory for compatibility 726 reasons, existing uses should be replaced with hmac-sha256 or other 727 SHA-2 digest algorithms [FIPS180-4], [RFC3874], [RFC6234]. 729 Use of TSIG between two DNS agents is by mutual agreement. That 730 agreement can include the support of additional algorithms and 731 criteria as to which algorithms and truncations are acceptable, 732 subject to the restriction and guidelines in Section 5.2.2.1 above. 733 Key agreement can be by the TKEY mechanism [RFC2930] or some other 734 mutually agreeable method. 736 Implementations that support TSIG MUST also implement HMAC SHA1 and 737 HMAC SHA256 and MAY implement gss-tsig and the other algorithms 738 listed below. SHA-1 truncated to 96 bits (12 octets) SHOULD be 739 implemented. 741 Requirement Name 742 ----------- ------------------------ 743 Optional HMAC-MD5.SIG-ALG.REG.INT 744 Optional gss-tsig 745 Mandatory hmac-sha1 746 Optional hmac-sha224 747 Mandatory hmac-sha256 748 Optional hmac-sha384 749 Optional hmac-sha512 751 Table 1 753 7. TSIG Truncation Policy 755 As noted above, two DNS agents (e.g., resolver and server) must 756 mutually agree to use TSIG. Implicit in such an "agreement" are 757 criteria as to acceptable keys and algorithms and, with the 758 extensions in this document, truncations. Local policies MAY require 759 the rejection of TSIGs, even though they use an algorithm for which 760 implementation is mandatory. 762 When a local policy permits acceptance of a TSIG with a particular 763 algorithm and a particular non-zero amount of truncation, it SHOULD 764 also permit the use of that algorithm with lesser truncation (a 765 longer MAC) up to the full keyed hash output. 767 Regardless of a lower acceptable truncated MAC length specified by 768 local policy, a reply SHOULD be sent with a MAC at least as long as 769 that in the corresponding request. Note if the request specified a 770 MAC length longer than the keyed hash output it will be rejected by 771 processing rules Section 5.2.2.1 case 1. 773 Implementations permitting multiple acceptable algorithms and/or 774 truncations SHOULD permit this list to be ordered by presumed 775 strength and SHOULD allow different truncations for the same 776 algorithm to be treated as separate entities in this list. When so 777 implemented, policies SHOULD accept a presumed stronger algorithm and 778 truncation than the minimum strength required by the policy. 780 8. Shared Secrets 782 Secret keys are very sensitive information and all available steps 783 should be taken to protect them on every host on which they are 784 stored. Generally such hosts need to be physically protected. If 785 they are multi-user machines, great care should be taken that 786 unprivileged users have no access to keying material. Resolvers 787 often run unprivileged, which means all users of a host would be able 788 to see whatever configuration data is used by the resolver. 790 A name server usually runs privileged, which means its configuration 791 data need not be visible to all users of the host. For this reason, 792 a host that implements transaction-based authentication should 793 probably be configured with a "stub resolver" and a local caching and 794 forwarding name server. This presents a special problem for 795 [RFC2136] which otherwise depends on clients to communicate only with 796 a zone's authoritative name servers. 798 Use of strong random shared secrets is essential to the security of 799 TSIG. See [RFC4086] for a discussion of this issue. The secret 800 SHOULD be at least as long as the keyed hash output [RFC2104]. 802 9. IANA Considerations 804 IANA maintains a registry of algorithm names to be used as "Algorithm 805 Names" as defined in Section 4.2. Algorithm names are text strings 806 encoded using the syntax of a domain name. There is no structure 807 required other than names for different algorithms must be unique 808 when compared as DNS names, i.e., comparison is case insensitive. 809 Previous specifications [RFC2845] and [RFC4635] defined values for 810 HMAC MD5 and SHA. IANA has also registered "gss-tsig" as an 811 identifier for TSIG authentication where the cryptographic operations 812 are delegated to the Generic Security Service (GSS) [RFC3645]. 814 New algorithms are assigned using the IETF Review policy defined in 815 [RFC8126]. The algorithm name HMAC-MD5.SIG-ALG.REG.INT looks like a 816 fully-qualified domain name for historical reasons; other algorithm 817 names are simple (i.e., single-component) names. 819 IANA maintains a registry of RCODES (error codes), including "TSIG 820 Error values" to be used for "Error" values as defined in 821 Section 4.2. New error codes are assigned and specified as in 822 [RFC6895]. 824 10. Security Considerations 826 The approach specified here is computationally much less expensive 827 than the signatures specified in DNSSEC. As long as the shared 828 secret key is not compromised, strong authentication is provided 829 between two DNS systems, e.g., for the last hop from a local name 830 server to the user resolver, or between primary and secondary 831 nameservers. 833 Recommendations for choosing and maintaining secret keys can be found 834 in [RFC2104]. If the client host has been compromised, the server 835 should suspend the use of all secrets known to that client. If 836 possible, secrets should be stored in encrypted form. Secrets should 837 never be transmitted in the clear over any network. This document 838 does not address the issue on how to distribute secrets except that 839 it mentions the possibilities of manual configuration and the use of 840 TKEY [RFC2930]. Secrets SHOULD NOT be shared by more than two 841 entities. 843 This mechanism does not authenticate source data, only its 844 transmission between two parties who share some secret. The original 845 source data can come from a compromised zone master or can be 846 corrupted during transit from an authentic zone master to some 847 "caching forwarder." However, if the server is faithfully performing 848 the full DNSSEC security checks, then only security checked data will 849 be available to the client. 851 A fudge value that is too large may leave the server open to replay 852 attacks. A fudge value that is too small may cause failures if 853 machines are not time synchronized or there are unexpected network 854 delays. The RECOMMENDED value in most situations is 300 seconds. 856 For all of the message authentication code algorithms listed in this 857 document, those producing longer values are believed to be stronger; 858 however, while there have been some arguments that mild truncation 859 can strengthen a MAC by reducing the information available to an 860 attacker, excessive truncation clearly weakens authentication by 861 reducing the number of bits an attacker has to try to break the 862 authentication by brute force [RFC2104]. 864 Significant progress has been made recently in cryptanalysis of hash 865 functions of the types used here. While the results so far should 866 not affect HMAC, the stronger SHA-1 and SHA-256 algorithms are being 867 made mandatory as a precaution. 869 See also the Security Considerations section of [RFC2104] from which 870 the limits on truncation in this RFC were taken. 872 10.1. Issue Fixed in this Document 874 When signing a DNS reply message using TSIG, the MAC computation uses 875 the request message's MAC as an input to cryptographically relate the 876 reply to the request. The original TSIG specification [RFC2845] 877 required that the TIME values be checked before the request's MAC. 878 If the TIME was invalid, some implementations failed to carry out 879 further checks and could use an invalid request MAC in the signed 880 reply. 882 This document makes it a madatory that the request MAC is considered 883 to be invalid until it has been validated: until then, any answer 884 must be unsigned. For this reason, the request MAC is now checked 885 before the TIME value. 887 10.2. Why not DNSSEC? 889 This section from the original document [RFC2845] analyzes DNSSEC in 890 order to justify the introduction of TSIG. 892 "DNS has recently been extended by DNSSEC ([RFC4033], [RFC4034] and 893 [RFC4035]) to provide for data origin authentication, and public key 894 distribution, all based on public key cryptography and public key 895 based digital signatures. To be practical, this form of security 896 generally requires extensive local caching of keys and tracing of 897 authentication through multiple keys and signatures to a pre-trusted 898 locally configured key. 900 One difficulty with the DNSSEC scheme is that common DNS 901 implementations include simple "stub" resolvers which do not have 902 caches. Such resolvers typically rely on a caching DNS server on 903 another host. It is impractical for these stub resolvers to perform 904 general DNSSEC authentication and they would naturally depend on 905 their caching DNS server to perform such services for them. To do so 906 securely requires secure communication of queries and responses. 907 DNSSEC provides public key transaction signatures to support this, 908 but such signatures are very expensive computationally to generate. 909 In general, these require the same complex public key logic that is 910 impractical for stubs. 912 A second area where use of straight DNSSEC public key based 913 mechanisms may be impractical is authenticating dynamic update 914 [RFC2136] requests. DNSSEC provides for request signatures but with 915 DNSSEC they, like transaction signatures, require computationally 916 expensive public key cryptography and complex authentication logic. 917 Secure Domain Name System Dynamic Update ([RFC3007]) describes how 918 different keys are used in dynamically updated zones." 920 11. References 922 11.1. Normative References 924 [FIPS180-4] 925 National Institute of Standards and Technology, "Secure 926 Hash Standard (SHS)", FIPS PUB 180-4, August 2015. 928 [RFC1034] Mockapetris, P., "Domain names - concepts and facilities", 929 STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987, 930 . 932 [RFC1035] Mockapetris, P., "Domain names - implementation and 933 specification", STD 13, RFC 1035, DOI 10.17487/RFC1035, 934 November 1987, . 936 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 937 Requirement Levels", BCP 14, RFC 2119, 938 DOI 10.17487/RFC2119, March 1997, 939 . 941 [RFC2845] Vixie, P., Gudmundsson, O., Eastlake 3rd, D., and B. 942 Wellington, "Secret Key Transaction Authentication for DNS 943 (TSIG)", RFC 2845, DOI 10.17487/RFC2845, May 2000, 944 . 946 [RFC3597] Gustafsson, A., "Handling of Unknown DNS Resource Record 947 (RR) Types", RFC 3597, DOI 10.17487/RFC3597, September 948 2003, . 950 [RFC4635] Eastlake 3rd, D., "HMAC SHA (Hashed Message Authentication 951 Code, Secure Hash Algorithm) TSIG Algorithm Identifiers", 952 RFC 4635, DOI 10.17487/RFC4635, August 2006, 953 . 955 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 956 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 957 May 2017, . 959 11.2. Informative References 961 [RFC1321] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321, 962 DOI 10.17487/RFC1321, April 1992, 963 . 965 [RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed- 966 Hashing for Message Authentication", RFC 2104, 967 DOI 10.17487/RFC2104, February 1997, 968 . 970 [RFC2136] Vixie, P., Ed., Thomson, S., Rekhter, Y., and J. Bound, 971 "Dynamic Updates in the Domain Name System (DNS UPDATE)", 972 RFC 2136, DOI 10.17487/RFC2136, April 1997, 973 . 975 [RFC2930] Eastlake 3rd, D., "Secret Key Establishment for DNS (TKEY 976 RR)", RFC 2930, DOI 10.17487/RFC2930, September 2000, 977 . 979 [RFC3007] Wellington, B., "Secure Domain Name System (DNS) Dynamic 980 Update", RFC 3007, DOI 10.17487/RFC3007, November 2000, 981 . 983 [RFC3174] Eastlake 3rd, D. and P. Jones, "US Secure Hash Algorithm 1 984 (SHA1)", RFC 3174, DOI 10.17487/RFC3174, September 2001, 985 . 987 [RFC3645] Kwan, S., Garg, P., Gilroy, J., Esibov, L., Westhead, J., 988 and R. Hall, "Generic Security Service Algorithm for 989 Secret Key Transaction Authentication for DNS (GSS-TSIG)", 990 RFC 3645, DOI 10.17487/RFC3645, October 2003, 991 . 993 [RFC3874] Housley, R., "A 224-bit One-way Hash Function: SHA-224", 994 RFC 3874, DOI 10.17487/RFC3874, September 2004, 995 . 997 [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. 998 Rose, "DNS Security Introduction and Requirements", 999 RFC 4033, DOI 10.17487/RFC4033, March 2005, 1000 . 1002 [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. 1003 Rose, "Resource Records for the DNS Security Extensions", 1004 RFC 4034, DOI 10.17487/RFC4034, March 2005, 1005 . 1007 [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S. 1008 Rose, "Protocol Modifications for the DNS Security 1009 Extensions", RFC 4035, DOI 10.17487/RFC4035, March 2005, 1010 . 1012 [RFC4086] Eastlake 3rd, D., Schiller, J., and S. Crocker, 1013 "Randomness Requirements for Security", BCP 106, RFC 4086, 1014 DOI 10.17487/RFC4086, June 2005, 1015 . 1017 [RFC6151] Turner, S. and L. Chen, "Updated Security Considerations 1018 for the MD5 Message-Digest and the HMAC-MD5 Algorithms", 1019 RFC 6151, DOI 10.17487/RFC6151, March 2011, 1020 . 1022 [RFC6234] Eastlake 3rd, D. and T. Hansen, "US Secure Hash Algorithms 1023 (SHA and SHA-based HMAC and HKDF)", RFC 6234, 1024 DOI 10.17487/RFC6234, May 2011, 1025 . 1027 [RFC6895] Eastlake 3rd, D., "Domain Name System (DNS) IANA 1028 Considerations", BCP 42, RFC 6895, DOI 10.17487/RFC6895, 1029 April 2013, . 1031 [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for 1032 Writing an IANA Considerations Section in RFCs", BCP 26, 1033 RFC 8126, DOI 10.17487/RFC8126, June 2017, 1034 . 1036 Appendix A. Acknowledgments 1038 This document consolidates and updates the earlier documents by the 1039 authors of [RFC2845] (Paul Vixie, Olafur Gudmundsson, Donald E. 1040 Eastlake 3rd and Brian Wellington) and [RFC4635] (Donald E. Eastlake 1041 3rd). 1043 The security problem addressed by this document was reported by 1044 Clement Berthaux from Synacktiv. 1046 Note for the RFC Editor (to be removed before publication): the first 1047 'e' in Clement is a fact a small 'e' with acute, unicode code U+00E9. 1048 I do not know if xml2rfc supports non ASCII characters so I prefer to 1049 not experiment with it. BTW I am French too so I can help if you 1050 have questions like correct spelling... 1052 Peter van Dijk, Benno Overeinder, Willem Toroop, Ondrej Sury, Mukund 1053 Sivaraman and Ralph Dolmans participated in the discussions that 1054 prompted this document. Mukund Sivaraman, Martin Hoffman and Tony 1055 Finch made extremely helpful suggestions concerning the structure and 1056 wording of the updated document. 1058 Appendix B. Change History (to be removed before publication) 1060 RFC EDITOR: Please remove this appendix before publication. 1062 draft-dupont-dnsop-rfc2845bis-00 1064 [RFC4635] was merged. 1066 Authors of original documents were moved to Acknowledgments 1067 (Appendix A). 1069 Section 2 was updated to [RFC8174] style. 1071 Spit references into normative and informative references and 1072 updated them. 1074 Added a text explaining why this document was written in the 1075 Abstract and at the beginning of the introduction. 1077 Clarified the layout of TSIG RDATA. 1079 Moved the text about using DNSSEC from the Introduction to the end 1080 of Security Considerations. 1082 Added the security clarifications: 1084 1. Emphasized that MAC is invalid until it is successfully 1085 validated. 1087 2. Added requirement that a request MAC that has not been 1088 successfully validated MUST NOT be included into a response. 1090 3. Added requirement that a request that has not been validated 1091 MUST NOT generate a signed response. 1093 4. Added note about MAC too short for the local policy to 1094 Section 5.3.2. 1096 5. Changed the order of server checks and swapped corresponding 1097 sections. 1099 6. Removed the truncation size limit "also case" as it does not 1100 apply and added confusion. 1102 7. Relocated the error provision for TSIG truncation to the new 1103 Section 5.2.4. Moved from RCODE 22 to RCODE 9 and TSIG ERROR 1104 22, i.e., aligned with other TSIG error cases. 1106 8. Added Section 5.4.4 about truncation error handling by 1107 clients. 1109 9. Removed the limit to HMAC output in replies as a request 1110 which specified a MAC length longer than the HMAC output is 1111 invalid according to the first processing rule in 1112 Section 5.2.2.1. 1114 10. Promoted the requirement that a secret length should be at 1115 least as long as the HMAC output to a SHOULD [RFC2119] key 1116 word. 1118 11. Added a short text to explain the security issue. 1120 draft-dupont-dnsop-rfc2845bis-01 1122 Improved wording (post-publication comments). 1124 Specialized and renamed the "TSIG on TCP connection" 1125 (Section 5.3.1) to "TSIG on zone transfer over a TCP connection". 1127 Added a SHOULD for a TSIG in each message (was envelope) for new 1128 implementations. 1130 draft-ietf-dnsop-rfc2845bis-00 1132 Adopted by the IETF DNSOP working group: title updated and version 1133 counter reset to 00. 1135 draft-ietf-dnsop-rfc2845bis-01 1137 Relationship between protocol change and principle of assuming the 1138 request MAC is invalid until validated clarified. (Jinmei Tatuya) 1140 Cross reference to considerations for forwarding servers added. 1141 (Bob Harold) 1143 Added text from [RFC3645] concerning the signing behavior if a 1144 secret key is added during a multi-message exchange. 1146 Added reference to [RFC6895]. 1148 Many improvements in the wording. 1150 Added RFC 2845 authors as co-authors of this document. 1152 draft-ietf-dnsop-rfc2845bis-02 1154 Added a recommendation to copy time fields in BADKEY errors. 1155 (Mark Andrews) 1157 draft-ietf-dnsop-rfc2845bis-03 1159 Further changes as a result of comments by Mukund Sivaraman. 1161 Miscellaneous changes to wording. 1163 draft-ietf-dnsop-rfc2845bis-04 1165 Major restructing as a result of comprehensive review by Martin 1166 Hoffman. Amongst the more significant changes: 1168 * More comprehensive introduction. 1170 * Merged "Protocol Description" and "Protocol Details" sections. 1172 * Reordered sections so as to follow message exchange through 1173 "client "sending", "server receipt", "server sending", "client 1174 receipt". 1176 * Added miscellaneous clarifications. 1178 draft-ietf-dnsop-rfc2845bis-05 1180 Make implementation of HMAC-MD5 optional. 1182 Require that the Fudge field in BADTIME response be equal to the 1183 Fudge field received from the client. 1185 Added comment concerning the handling of BADTIME messages due to 1186 out of order packet reception. 1188 draft-ietf-dnsop-rfc2845bis-06 1190 Wording changes and minor corrections after feedback. 1192 draft-ietf-dnsop-rfc2845bis-07 1194 Updated text about use of hmac-sha1 using suggestion from Tony 1195 Finch. 1197 Corrected name of review policy used for new algorithms. 1199 Authors' Addresses 1201 Francis Dupont 1202 Internet Software Consortium 1203 950 Charter Street 1204 Redwood City, CA 94063 1205 United States of America 1207 Email: Francis.Dupont@fdupont.fr 1209 Stephen Morris 1210 Internet Software Consortium 1211 950 Charter Street 1212 Redwood City, CA 94063 1213 United States of America 1215 Email: sa.morris8@gmail.com 1216 Paul Vixie 1217 Farsight Security Inc 1218 177 Bovet Road, Suite 180 1219 San Mateo, CA 94402 1220 United States of America 1222 Email: paul@redbarn.org 1224 Donald E. Eastlake 3rd 1225 Futurewei Technologies 1226 2386 Panoramic Circle 1227 Apopka, FL 32703 1228 United States of America 1230 Email: d3e3e3@gmail.com 1232 Olafur Gudmundsson 1233 Cloudflare 1234 San Francisco, CA 94107 1235 United States of America 1237 Email: olafur+ietf@cloudflare.com 1239 Brian Wellington 1240 Akamai 1241 United States of America 1243 Email: bwelling@akamai.com