idnits 2.17.1 draft-york-dnsop-deploying-dnssec-crypto-algs-01.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == The document seems to lack the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords. (The document does seem to have the reference to RFC 2119 which the ID-Checklist requires). -- The document date (July 08, 2016) is 2848 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- -- Obsolete informational reference (is this intentional?): RFC 6944 (Obsoleted by RFC 8624) -- Obsolete informational reference (is this intentional?): RFC 3658 (Obsoleted by RFC 4033, RFC 4034, RFC 4035) == Outdated reference: A later version (-06) exists of draft-ietf-dnsop-maintain-ds-01 Summary: 0 errors (**), 0 flaws (~~), 3 warnings (==), 3 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 DNSOP Working Group D. York 3 Internet-Draft Internet Society 4 Intended status: Informational O. Sury 5 Expires: January 9, 2017 CZ.NIC 6 P. Wouters 7 Red Hat 8 O. Gudmundsson 9 CloudFlare 10 July 08, 2016 12 Observations on Deploying New DNSSEC Cryptographic Algorithms 13 draft-york-dnsop-deploying-dnssec-crypto-algs-01 15 Abstract 17 As new cryptographic algorithms are developed for use in DNSSEC 18 signing and validation, this document captures the steps needed for 19 new algorithms to be deployed and enter general usage. The intent is 20 to ensure a common understanding of the typical deployment process 21 and potentially identify opportunities for improvement of operations. 23 Status of This Memo 25 This Internet-Draft is submitted in full conformance with the 26 provisions of BCP 78 and BCP 79. 28 Internet-Drafts are working documents of the Internet Engineering 29 Task Force (IETF). Note that other groups may also distribute 30 working documents as Internet-Drafts. The list of current Internet- 31 Drafts is at http://datatracker.ietf.org/drafts/current/. 33 Internet-Drafts are draft documents valid for a maximum of six months 34 and may be updated, replaced, or obsoleted by other documents at any 35 time. It is inappropriate to use Internet-Drafts as reference 36 material or to cite them other than as "work in progress." 38 This Internet-Draft will expire on January 9, 2017. 40 Copyright Notice 42 Copyright (c) 2016 IETF Trust and the persons identified as the 43 document authors. All rights reserved. 45 This document is subject to BCP 78 and the IETF Trust's Legal 46 Provisions Relating to IETF Documents 47 (http://trustee.ietf.org/license-info) in effect on the date of 48 publication of this document. Please review these documents 49 carefully, as they describe your rights and restrictions with respect 50 to this document. Code Components extracted from this document must 51 include Simplified BSD License text as described in Section 4.e of 52 the Trust Legal Provisions and are provided without warranty as 53 described in the Simplified BSD License. 55 1. Introduction 57 The DNS Security Extensions (DNSSEC), broadly defined in [RFC4033], 58 [RFC4034] and [RFC4035], make use of cryptographic algorithms in both 59 the signing of DNS records and the validation of DNSSEC signatures by 60 recursive resolvers. 62 The current list of cryptographic algorithms can be found in the IANA 63 "Domain Name System Security (DNSSEC) Algorithm Numbers" registry 64 located at http://www.iana.org/assignments/dns-sec-alg-numbers/ 65 Algorithms are added to this IANA registry through a process defined 66 in [RFC6014]. Note that [RFC6944] provides some guidance as to which 67 of these algorithms should be implemented and supported. 69 Historically DNSSEC signatures have primarily used cryptographic 70 algorithms based on RSA keys. As deployment of DNSSEC has increased 71 there has been interest in using newer and more secure algorithms, 72 particularly those using elliptic curve cryptography. 73 The ECDSA algorithm [RFC6605] has seen some adoption and two new 74 algorithms are being proposed: Ed25519 75 [I-D.ietf-curdle-dnskey-ed25519] and Ed448 76 [I-D.ietf-curdle-dnskey-ed448]. 78 The challenge is that the deployment of a new cryptographic algorithm 79 for DNSSEC is not a simple process. DNSSEC algorithms are used 80 throughout the DNS infrastructure for tasks such as: 82 o Generation of keys ("DNSKEY" record) for signing 84 o Creation of DNSSEC signatures in zone files ("RRSIG") 86 o Usage in a Delegation Signer ("DS") record [RFC3658] for the 87 "chain of trust" connecting back to the root of DNS 89 o Generation of NSEC/NSEC3 responses by authoritative DNS servers 91 o Validation of DNSSEC signatures by DNS resolvers 93 In order for a new cryptographic algorithm to be fully deployed, all 94 aspects of the DNS infrastructure that interact with DNSSEC must be 95 updated to use the new algorithm. 97 This document outlines the current understanding of the components of 98 the DNS infrastructure that need to be updated to deploy a new 99 cryptographic algorithm. 101 It should be noted that DNSSEC is not alone in complexity of 102 deployment. The IAB documented "Guidelines for Cryptographic 103 Algorithm Agility" in [RFC7696] to highlight the importance of this 104 issue. 106 1.1. Terminology 108 In this document, the key words "MUST", "MUST NOT", "REQUIRED", 109 "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", 110 and "OPTIONAL" are to be interpreted as described in BCP 14, RFC 2119 111 [RFC2119]. 113 2. Aspects of Deploying New Algorithms 115 For a new cryptographic algorithm to be deployed in DNSSEC, the 116 following aspects of the DNS infrastructure must be updated: 118 o DNS resolvers performing validation 120 o Authoritative DNS servers 122 o Signing software 124 o Registries 126 o Registrars 128 o DNS Hosting Operators 130 o Applications 132 Each of these aspects is discussed in more detail below. 134 2.1. DNS Resolvers Performing Validation 136 DNS recursive resolvers perform "validation" to check the DNSSEC 137 signatures of records received in a DNS query. To validate the 138 signatures, the resolvers need to be able to understand the algorithm 139 used to create the signatures. 141 In the case of a new algorithm, the resolver software needs to be 142 updated. In some cases this could require waiting until an 143 underlying library is updated to support the new algorithm. 145 Once the software is updated, the updates need to be deployed to all 146 resolvers using that software. This can be challenging in cases of 147 customer-premises equipment (CPE) that does not have any mechanism 148 for automatic updating. 150 2.1.1. Resolvers and Unknown Algorithms 152 It should be noted that section 5.2 of [RFC4035] states: 154 "If the resolver does not support any of the algorithms listed in an 155 authenticated DS RRset, then the resolver will not be able to verify 156 the authentication path to the child zone. In this case, the 157 resolver SHOULD treat the child zone as if it were unsigned." 159 This means that signing a zone with a new algorithm that is not 160 widely supported by DNS resolvers would result in the signatures 161 being ignored and the zone treated as unsigned until resolvers were 162 updated to recognize the new algorithm. 164 2.2. Authoritative DNS Servers 166 Authoritative DNS servers serve out signed DNS records. Serving new 167 DNSSEC signing algorithms should not be a problem as a well-written 168 authoritative DNS server implementation should be agnostic to the RR 169 DATA they serve. 171 The one exception is if the new cryptographic algorithms are used in 172 the creation of NSEC/NSEC3 responses. In the case of new NSEC/NSEC3 173 algorithms, the authoritative DNS server software would need to be 174 updated to be able to use the new algorithms. 176 Note that some authoritative server implementations could include 177 DNSSEC signing as part of the server and thus also fall into the 178 "Signing Software" category below. 180 2.3. Signing Software 182 The software performing the signing of the records needs to be 183 updated with the new cryptographic algorithm. 185 User interfaces that allow users to interact with the DNSSEC signing 186 software may also need to be updated to reflect the existence of the 187 new algorithm. 189 Note that the key and signatures with the new algorithm will need to 190 co-exist with the existing key and signatures for some period of 191 time. This will have an impact on the size of the DNS records. 193 [NOTE(OS): Shouldn't we just update the language that requires the 194 resolver to be so strict and finally be done with this requirement? 195 Or just give a recommendation in the paragraph on resolver here?] 197 One issue that has been identified is that not all commonly-used 198 signing software releases include support for an algorithm rollover. 199 This software would need to be updated to support rolling an 200 algorithm before any new algorithms could be deployed. 202 2.4. Registries 204 The registry for a top-level domain (TLD) needs to accept DS records 205 using the new cryptographic algorithm. 207 Observations to date have shown that some registries only accept DS 208 records with certain algorithms. Registry representatives have 209 indicated that they verify the accuracy of DS records to reduce 210 technical support incidents and ensure customers do not mistakenly 211 create any outages. 213 However, this means that registries who perform this level of 214 checking must be able to understand new algorithms in order to 215 successfully verify the DS records. 217 Separately, feedback from registrars has indicated that they do not 218 currently have any mechanism to understand what DNSSEC algorithms a 219 registry can accept. 221 2.5. Registrars 223 Registrars perform a critical role in the DNSSEC "chain of trust" of 224 passing the DS record up to the Registry to ensure that the signed 225 zone can be authenticated from the root of DNS all the way to the 226 zone. 228 If the registrar is also providing the DNS hosting services for a 229 domain, the registrar can easily create the "DS" record from the 230 "DNSKEY" record and pass the DS record up to the registry. 232 However, if the authoritative servers for a domain are not with the 233 registrar, then the registrar needs to provide some mechanism to 234 accept a DS record to pass that up to the registry. Typically this 235 is done through a web interface. 237 An issue is that many registrar web interfaces only allow the input 238 of DS records using a listed set of DNSSEC algorithms. Any new 239 cryptographic algorithms need to be added to the web interface in 240 order to be accepted into the registrar's system. 242 Additionally, in a manner similar to registries, many registrars 243 perform some level of verification on the DS record to ensure it was 244 entered "correctly". To do this verification, the registrar's 245 software needs to understand the algorithm used in the DS record. 246 This requires the software to be updated to support the new 247 algorithm. 249 Note that work is currently underway in [I-D.ietf-dnsop-maintain-ds] 250 to provide an automated mechanism to update the DS records with a 251 registry. If this method becomes widely adopted, registrar web 252 interfaces may no longer be needed. 254 2.6. DNS Hosting Operators 256 DNS hosting operators are entities that are operating the 257 authoritative DNS servers for domains and with DNSSEC are also 258 providing the signing of zones. In many cases they may also be the 259 registrar for domain names, but in other cases they are a separate 260 entity providing DNS services to customers. 262 DNS hosting operators need to update their authoritative DNS server 263 software to understand new cryptographic algorithms, but they also 264 need to update their web interfaces and provisioning software to 265 allow configuration and support of new algorithms. 267 2.7. Applications 269 Beyond the recursive resolvers, authoritative servers, web interfaces 270 and provisioning software, it has been observed that some 271 applications (or "apps"), particularly in the mobile environment, are 272 including their own DNS resolvers within the app itself. These 273 recursive resolvers are used by the app instead of the recursive 274 resolver included with the underlying operating system. These 275 applications that perform DNSSEC validation would need to also be 276 updated to understand a new algorithm. 278 In many cases, it may be that an underlying developer library needs 279 to be updated first. It will then depend upon how long it takes the 280 application developer to pull in the updated library. 282 Outside of applications, these developer libraries are also typically 283 used by recursive resolver software and signing software. 285 3. Conclusion 287 This document provides a view into the steps necessary for the 288 deployment of new cryptographic algorithms in DNSSEC at the time of 289 this publication. In order to more rapidly roll out new DNSSEC 290 algorithms, these steps must be understood and hopefully improved 291 over time. 293 It should be noted that a common theme to emerge from all discussions 294 is a general reluctance to update or change any DNS-related software. 295 "If it isn't broken, don't fix it" is a common refrain. While 296 perhaps understandable from a stability point of view, this attitude 297 creates a challenge for deploying new algorithms. 299 One potential idea suggested during discussions was for some kind of 300 web-based testing tool that could assist people in understanding what 301 algorithms are supported by different servers and sites. 303 It is also quite clear that any deployment of new algorithms for 304 DNSSEC use will take a few years to propagate throughout the 305 infrastructure. This needs to be factored in as new algorithms are 306 proposed. 308 4. IANA Considerations 310 This document does not make any requests of IANA. 312 5. Security Considerations 314 No new security considerations are created by this document. 316 It should be noted that there are security considerations regarding 317 changing DNSSEC algorithms that are mentioned in both [RFC6781] and 318 [RFC7583]. 320 6. Acknowledgements 322 The information in this document evolved out of several mailing list 323 discussions and also through engagement with participants in the 324 following sessions or events: 326 o DNSSEC Workshop at ICANN 53 (Buenos Aires) 328 o DNSSEC Workshop at ICANN 55 (Marrakech) 330 o Spring 2016 DNS-OARC meeeting (Buenos Aires) 332 o various IETF 95 working groups (Buenos Aires) 334 o Panel session at RIPE 72 (Copenhagen) 336 o DNSSEC Workshop at ICANN 56 (Helsinki) 337 The authors thank the participants of the various sessions for their 338 feedback. 340 7. Changes 342 NOTE TO RFC EDITOR - Please remove this "Changes" section prior to 343 publication. Thank you. 345 o Revision -01 adds text about authoritative servers needing an 346 update if the algorithm is for NSEC/NSEC3. Also expands 347 acknowledgements. 349 8. References 351 8.1. Normative References 353 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 354 Requirement Levels", BCP 14, RFC 2119, March 1997. 356 8.2. Informative References 358 [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. 359 Rose, "DNS Security Introduction and Requirements", RFC 360 4033, DOI 10.17487/RFC4033, March 2005, 361 . 363 [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. 364 Rose, "Resource Records for the DNS Security Extensions", 365 RFC 4034, DOI 10.17487/RFC4034, March 2005, 366 . 368 [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S. 369 Rose, "Protocol Modifications for the DNS Security 370 Extensions", RFC 4035, DOI 10.17487/RFC4035, March 2005, 371 . 373 [RFC6014] Hoffman, P., "Cryptographic Algorithm Identifier 374 Allocation for DNSSEC", RFC 6014, DOI 10.17487/RFC6014, 375 November 2010, . 377 [RFC6944] Rose, S., "Applicability Statement: DNS Security (DNSSEC) 378 DNSKEY Algorithm Implementation Status", RFC 6944, DOI 379 10.17487/RFC6944, April 2013, 380 . 382 [RFC6605] Hoffman, P. and W. Wijngaards, "Elliptic Curve Digital 383 Signature Algorithm (DSA) for DNSSEC", RFC 6605, DOI 384 10.17487/RFC6605, April 2012, 385 . 387 [I-D.ietf-curdle-dnskey-ed25519] 388 Sury, O. and R. Edmonds, "Ed25519 for DNSSEC", draft-ietf- 389 curdle-dnskey-ed25519-01 (work in progress), February 390 2016. 392 [I-D.ietf-curdle-dnskey-ed448] 393 Sury, O. and R. Edmonds, "Ed448 for DNSSEC", draft-ietf- 394 curdle-dnskey-ed448-00 (work in progress), March 2016. 396 [RFC3658] Gudmundsson, O., "Delegation Signer (DS) Resource Record 397 (RR)", RFC 3658, DOI 10.17487/RFC3658, December 2003, 398 . 400 [RFC7696] Housley, R., "Guidelines for Cryptographic Algorithm 401 Agility and Selecting Mandatory-to-Implement Algorithms", 402 BCP 201, RFC 7696, DOI 10.17487/RFC7696, November 2015, 403 . 405 [I-D.ietf-dnsop-maintain-ds] 406 Gu[eth]mundsson, O. and P. Wouters, "Managing DS records 407 from parent via CDS/CDNSKEY", draft-ietf-dnsop-maintain- 408 ds-01 (work in progress), March 2016. 410 [RFC6781] Kolkman, O., Mekking, W., and R. Gieben, "DNSSEC 411 Operational Practices, Version 2", RFC 6781, DOI 10.17487/ 412 RFC6781, December 2012, 413 . 415 [RFC7583] Morris, S., Ihren, J., Dickinson, J., and W. Mekking, 416 "DNSSEC Key Rollover Timing Considerations", RFC 7583, DOI 417 10.17487/RFC7583, October 2015, 418 . 420 Authors' Addresses 422 Dan York 423 Internet Society 425 Email: york@isoc.org 426 Ondrej Sury 427 CZ.NIC 429 Email: ondrej.sury@nic.cz 431 Paul Wouters 432 Red Hat 434 Email: pwouters@redhat.com 436 Olafur Gudmundsson 437 CloudFlare 439 Email: olafur+ietf@cloudflare.com