idnits 2.17.1 draft-ietf-eppext-keyrelay-00.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (January 19, 2014) is 3749 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Outdated reference: A later version (-06) exists of draft-koch-dnsop-dnssec-operator-change-05 Summary: 0 errors (**), 0 flaws (~~), 2 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group R. Gieben 3 Internet-Draft Google 4 Intended status: Standards Track M. Groeneweg 5 Expires: July 23, 2014 R. Ribbers 6 A.L.J. Verschuren 7 SIDN Labs 8 January 19, 2014 10 Key Relay Mapping for the Extensible Provisioning Protocol 11 draft-ietf-eppext-keyrelay-00 13 Abstract 15 This document describes an Extensible Provisioning Protocol (EPP) 16 extension mapping for the purpose of relaying DNSSEC key material 17 from one DNS operator to another, by using the administrative 18 registration channel through the registrant, registrar and registry. 19 The mapping introduces "" as a new command in EPP. 21 This command will help facilitate changing the DNS operator of a 22 domain while keeping the DNSSEC chain of trust intact. 24 Status of This Memo 26 This Internet-Draft is submitted in full conformance with the 27 provisions of BCP 78 and BCP 79. 29 Internet-Drafts are working documents of the Internet Engineering 30 Task Force (IETF). Note that other groups may also distribute 31 working documents as Internet-Drafts. The list of current Internet- 32 Drafts is at http://datatracker.ietf.org/drafts/current/. 34 Internet-Drafts are draft documents valid for a maximum of six months 35 and may be updated, replaced, or obsoleted by other documents at any 36 time. It is inappropriate to use Internet-Drafts as reference 37 material or to cite them other than as "work in progress." 39 This Internet-Draft will expire on July 23, 2014. 41 Copyright Notice 43 Copyright (c) 2014 IETF Trust and the persons identified as the 44 document authors. All rights reserved. 46 This document is subject to BCP 78 and the IETF Trust's Legal 47 Provisions Relating to IETF Documents 48 (http://trustee.ietf.org/license-info) in effect on the date of 49 publication of this document. Please review these documents 50 carefully, as they describe your rights and restrictions with respect 51 to this document. Code Components extracted from this document must 52 include Simplified BSD License text as described in Section 4.e of 53 the Trust Legal Provisions and are provided without warranty as 54 described in the Simplified BSD License. 56 Table of Contents 58 1. Conventions Used in This Document . . . . . . . . . . . . . . 2 59 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 60 3. Relaying Key Material . . . . . . . . . . . . . . . . . . . . 3 61 4. Rational For a New Command . . . . . . . . . . . . . . . . . 4 62 5. Key Relay Interface . . . . . . . . . . . . . . . . . . . . . 4 63 5.1. Example Key Relay Interface . . . . . . . . . . . . . . . 6 64 6. Server Reply . . . . . . . . . . . . . . . . . . . . . . . . 6 65 7. Message Queue Interface . . . . . . . . . . . . . . . . . . . 7 66 7.1. Message Queue Format . . . . . . . . . . . . . . . . . . 7 67 8. Formal Syntax . . . . . . . . . . . . . . . . . . . . . . . . 8 68 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 69 10. Security Considerations . . . . . . . . . . . . . . . . . . . 11 70 11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 11 71 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 11 72 12.1. Normative References . . . . . . . . . . . . . . . . . . 11 73 12.2. Informative References . . . . . . . . . . . . . . . . . 12 74 Appendix A. Changelog . . . . . . . . . . . . . . . . . . . . . 12 75 A.1. draft-gieben-epp-keyrelay-00 . . . . . . . . . . . . . . 12 76 A.2. draft-gieben-epp-keyrelay-01 . . . . . . . . . . . . . . 12 77 A.3. draft-gieben-epp-keyrelay-02 . . . . . . . . . . . . . . 12 78 A.4. draft-gieben-epp-keyrelay-03 . . . . . . . . . . . . . . 12 79 A.5. draft-eppext-epp-keyrelay-00 . . . . . . . . . . . . . . 13 80 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 13 82 1. Conventions Used in This Document 84 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 85 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 86 document are to be interpreted as described in BCP 14, RFC 2119 87 [RFC2119]. 89 In examples, "C:" represents lines sent by a protocol client, and 90 "S:" represents lines returned by a protocol server. "////" is used 91 to note element values that have been shortened to better fit page 92 boundaries. Indentation and white space in examples is provided only 93 to illustrate element relationships and is not a mandatory feature of 94 this protocol. 96 XML is case sensitive. Unless stated otherwise, XML specifications 97 and examples provided in this document MUST be interpreted in the 98 character case presented in order to develop a conforming 99 implementation. 101 The term "key material" denotes one or more DNSKEY resource records 102 [RFC4034]. 104 2. Introduction 106 Certain transactions for DNSSEC signed zones require an authenticated 107 exchange of DNSSEC key material between DNS operators. Often there 108 is no direct secure channel between the two or it is non-scalable. 110 One of such transactions is changing the DNS operator for DNSSEC 111 signed zones ([I-D.koch-dnsop-dnssec-operator-change]. We suggest 112 DNS operators use the administrative channel that is used to 113 bootstrap the delegation to relay the key material for the zone. In 114 this document we define a protocol extension for use in EPP that 115 helps to implement and automate this transaction. This protocol 116 extension introduces a new command called "". 118 3. Relaying Key Material 120 The "" command uses the existing authenticated EPP channel 121 with the registry. Registrars can securely talk to the registry and 122 as such the registry can serve as a drop box for relaying key 123 material between them (see Figure 1). 125 +-------------------+ DNSKEY +--------------------+ 126 |losing DNS operator| <~~~~~~~ |gaining DNS operator| 127 +-------------------+ +--------------------+ 128 ^ | 129 | v 130 +-----------------+ +---------+ 131 |current registrar| |registrar| 132 +-----------------+ +---------+ 133 ^ | 134 EPP poll | | EPP keyrelay 135 | V 136 +----------------+ 137 | registry | 138 +----------------+ 140 Figure 1: The gaining and losing DNS operators should talk directly 141 to each other (the ~ arrow) to exchange the DNSKEY, but often there 142 is no trusted path between the two. As both can securely interact 143 with the registry over the administrative channel through the 145 registrar, the registry can act as a relay for the key material 146 exchange. 148 The "" command uploads new key(s) to the registry for a 149 given domain. This key material is then relayed to the current 150 registrar's message queue. This may be the same registrar as the one 151 that submitted the "" command in the situation where the 152 DNS operators change, but the registrar stays the same. There is no 153 need for the registry to store the relayed key in the registry 154 system, although the registry MAY save the "" message for 155 administrative purposes. 157 The registrar may upload multiple keys in one "" message. 159 There is no restriction on the type (for instance Key Signing Keys or 160 Zone Signing Keys) of keys that can be put in the message. It is up 161 to the gaining DNS operator to select the keys that are needed in the 162 losing operator's zone for the intended transaction to complete 163 successfully. It is up to the losing DNS operator to validate the 164 correctness of the key material, and remove duplicate keys (Flags 165 Field, Protocol Field, Algorithm Field and Public Key Field are 166 equal) when identical keys are already in the zone. 168 If for some reason the registry can not process the "" 169 command an EPP error response MUST be returned. If the registry does 170 process the "" command it MUST put all uploaded keys on to 171 the current registrar's message queue. 173 4. Rational For a New Command 175 The existing commands in EPP all deal with data which either has an 176 owner, or soon will have one (EPP create). The "" command 177 is different, because it allows an upload of key material which will 178 never have an owner (in the registry system). All the "" 179 command does is relay data in preparation for one of the other 180 existing EPP commands in a process. This way, existing commands 181 don't need to change, and backward compatibility for existing 182 commands is guaranteed. It allows the client to be flexible in 183 timing the individual steps necessary to complete a complex process 184 like changing the DNS operator for a zone. Creating a separate 185 command also allows the command to be used or extended to relay key 186 or other data for other future processes besides DNS operator 187 changes. This new category of EPP commands can best be described as 188 "communication command" as it only facilitates communication of data 189 between two EPP clients without changing any objects at the registry. 191 5. Key Relay Interface 192 The Key Relay Interface uses a "" element for relaying the 193 key material. It needs a minimum of three elements: a domain name, 194 the key(s) to upload, a token which indicates the request is 195 authorized by the registrant, and an OPTIONAL expire element. 197 Thus a "" element MUST contain the following child 198 elements: 200 o A "" element that contains the domain name for which we 201 upload the key. 203 o A "" element that contains the key material as described 204 in [RFC5910], Section 4.2. 206 o An "" that contains an authorization token ([RFC5731], 207 Section 3.2.4). This indicates that the registrar has 208 authorization from the registrant to change the zone data, and a 209 possible future transfer is authorized. The registry MAY check if 210 the "" data is correct and if it does, it MUST return an 211 EPP error response if the authorization token is not correct. 213 And MAY contain: 215 o An "" element that describes the expected lifetime of the 216 relayed key(s) in the zone. The losing DNS operator can use this 217 as an indication when to safely remove the inserted key material 218 from the zone. This may be because the transaction that needed 219 the insertion is either completed or has been abandoned if not 220 completed before this expire time. The element MUST 221 contain one of the following child elements: 223 * "": The policy is valid from the current date and 224 time until it expires on the specified date and time. 226 * "": The policy is valid from the current date and 227 time until the end of the specified duration. 229 The current date and time are taken from the "" service 230 message's "" element, see Section 7.1. 232 o An "" (client transaction identifier) as described in 233 [RFC5730], Section 2.5. 235 5.1. Example Key Relay Interface 237 The following is an example of the "" command, where a key 238 is uploaded with a relative expire date of one month and 13 days. 240 C: 244 C: 245 C: 246 C: 247 C: example.org 248 C: 249 C: 256 250 C: 3 251 C: 8 252 C: cmlraXN0aGViZXN0 253 C: 254 C: 255 C: JnSdBAZSxxzJ 256 C: 257 C: 258 C: P1M13D 259 C: 260 C: 261 C: ABC-12345 262 C: 263 C: 264 C: 266 6. Server Reply 268 Example "" response: 270 S: 271 S: 272 S: 273 S: 274 S: Command completed successfully 275 S: 276 S: 277 S: ABC-12345 278 S: 54321-ZYX 279 S: 280 S: 281 S: 283 As stated an EPP error response MUST be returned if a "" 284 command can not be processed for any reason. 286 7. Message Queue Interface 288 The message queue interface uses the interface as defined in 289 [RFC5730], Section 2.6. All elements that are present in the 290 "" EPP message are put on the message queue of the current 291 registrar for the domain in the "" element. 293 A "" message MUST be delivered to the current registrar's 294 message queue, even if the current registrar has indicated that it 295 does not support ". 297 7.1. Message Queue Format 299 This is an example "" service message. Note that the 300 optional clTRID in this message is the clTRID value from the command 301 that polls the message queue. It is not the clTRID value used in the 302 EPP "" command. 304 S: 308 S: 309 S: 310 S: Command completed successfully; ack to dequeue 311 S: 312 S: 313 S: 1999-04-04T22:01:00.0Z 314 S: Key Relay action completed successfully. 315 S: 316 S: 317 S: 318 S: 319 S: example.org 320 S: 321 S: 1999-04-04T22:01:00.0Z 322 S: 323 S: 324 S: 256 325 S: 3 326 S: 8 327 S: cmlraXN0aGViZXN0 328 S: 329 S: 330 S: JnSdBAZSxxzJ 331 S: 332 S: 333 S: P24D 334 S: 335 S: ClientX 336 S: ClientY 337 S: 338 S: 339 S: 340 S: 341 S: BCD-23456 342 S: 65432-WXY 343 S: 344 S: 345 S: 347 8. Formal Syntax 349 An EPP object mapping is specified in XML Schema notation. The 350 formal syntax presented here is a complete schema representation of 351 the object mapping suitable for automated validation of EPP XML 352 instances. 354 "" command schema: 356 357 366 367 368 Extensible Provisioning Protocol v1.0 domain name 369 extension schema for relaying key material. 370 371 373 375 377 379 382 383 385 386 387 389 390 392 393 394 396 398 399 401 402 403 404 405 406 408 409 410 411 413 415 417 418 420 421 422 423 424 426 427 429 430 431 432 433 435 9. IANA Considerations 437 This document uses URNs to describe XML namespaces and XML schemas 438 conforming to a registry mechanism described in RFC 3688 [RFC3688]. 440 Two URI assignments must be completed by the IANA. 442 Registration request for the extension namespace: 444 URI: urn:ietf:params:xml:ns:keyrelay-1.0 446 Registrant Contact: IESG 448 XML: None. Namespace URIs do not represent an XML specification. 450 Registration request for the extension XML schema: 452 URI: urn:ietf:params:xml:schema:keyrelay-1.0 454 Registrant Contact: IESG 456 XML: See the "Formal Syntax" section of this document. 458 10. Security Considerations 460 The "" EPP extension does not allow for any object 461 transformations. 463 Any registrar can use this mechanism to put key material on the 464 message queue of another registrar, thus mounting a denial of service 465 attack. However this can, and should be detected by the registry. A 466 correct "" element can be used as an indication that 467 putting the key material on the losing registrar's message queue is 468 authorized by the registrant of that registrar. A registry MAY set a 469 server policy which limits or rejects "" messages if it 470 detects the mechanism is being abused. 472 Communication between a registrar and registry is mostly done over 473 EPP, but communication between DNS operators, registrants or 474 registrars often is not. If EPP is not used between these entities, 475 relaying the key between a DNS operator and registrar should be 476 adequately authenticated for the complete relay channel to remain 477 secure. It's out of scope for this document to describe how to 478 authenticate with other methods than EPP. 480 11. Acknowledgements 482 We like to thank the following individuals for their valuable input, 483 review, constructive criticism in earlier revisions or support for 484 the concepts described in this document: 486 Maarten Wullink, Marco Davids, Ed Lewis, James Mitchell, David Peal, 487 Patrik Faltstrom, Klaus Malorny, James Gould, Patrick Mevzek and Seth 488 Goldman. 490 12. References 492 12.1. Normative References 494 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 495 Requirement Levels", BCP 14, RFC 2119, March 1997. 497 [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, 498 January 2004. 500 [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. 501 Rose, "Resource Records for the DNS Security Extensions", 502 RFC 4034, March 2005. 504 [RFC5730] Hollenbeck, S., "Extensible Provisioning Protocol (EPP)", 505 STD 69, RFC 5730, August 2009. 507 [RFC5910] Gould, J. and S. Hollenbeck, "Domain Name System (DNS) 508 Security Extensions Mapping for the Extensible 509 Provisioning Protocol (EPP)", RFC 5910, May 2010. 511 12.2. Informative References 513 [I-D.koch-dnsop-dnssec-operator-change] 514 Koch, P., Sanz, M., and A. Verschuren, "Changing DNS 515 Operators for DNSSEC signed Zones", draft-koch-dnsop- 516 dnssec-operator-change-05 (work in progress), July 2013. 518 [RFC5731] Hollenbeck, S., "Extensible Provisioning Protocol (EPP) 519 Domain Name Mapping", STD 69, RFC 5731, August 2009. 521 Appendix A. Changelog 523 [This section should be removed by the RFC editor before publishing] 525 A.1. draft-gieben-epp-keyrelay-00 527 1. Initial document. 529 A.2. draft-gieben-epp-keyrelay-01 531 1. Style and grammar changes; 533 2. Added an expire element as per suggestion by Klaus Malorny; 535 3. Make the authInfo element mandatory and make the registry check 536 it as per feedback by Klaus Malorny and James Gould. 538 A.3. draft-gieben-epp-keyrelay-02 540 1. Added element to identify the relaying EPP client as suggested by 541 Klaus Malorny; 543 2. Corrected XML for missing and excess clTRID as noted by Patrick 544 Mevzek; 546 3. Added clarifications for the examples based on feedback by 547 Patrick Mevzeck; 549 4. Reviewed the consistency of using DNS operator versus registrar 550 after review comments by Patrick Faltstrom and Ed Lewis. 552 A.4. draft-gieben-epp-keyrelay-03 554 1. Style and grammar changes 555 2. Corrected acknowledgement section 557 3. Corrected XML for Expire element to not be mandatory but only 558 occur once. 560 A.5. draft-eppext-epp-keyrelay-00 562 1. Added feedback from Seth Goldman and put him in the 563 acknowledgement section. 565 2. IDnits formatting ajustments 567 Authors' Addresses 569 R. (Miek) Gieben 570 Google 572 Email: miek@google.com 574 M. Groeneweg 575 SIDN Labs 576 Meander 501 577 Arnhem 6825 MD 578 NL 580 Email: marc.groeneweg@sidn.nl 581 URI: https://www.sidn.nl/ 583 Rik Ribbers 584 SIDN Labs 585 Meander 501 586 Arnhem 6825 MD 587 NL 589 Email: rik.ribbers@sidn.nl 590 URI: https://www.sidn.nl/ 592 Antoin Verschuren 593 SIDN Labs 594 Meander 501 595 Arnhem 6825 MD 596 NL 598 Email: antoin.verschuren@sidn.nl 599 URI: https://www.sidn.nl/