draft-ietf-dnsext-delegation-signer-01.txt   draft-ietf-dnsext-delegation-signer-02.txt 
DNSEXT Working Group Olafur Gudmundsson DNSEXT Working Group Olafur Gudmundsson
<draft-ietf-dnsext-delegation-signer-01.txt> <draft-ietf-dnsext-delegation-signer-02.txt>
Updates: RFC 1035, RFC 2535, RFC 3008. Updates: RFC 1035, RFC 2535, RFC 3008.
Delegation Signer record in parent. Delegation Signer record in parent.
Status of this Memo Status of this Memo
This document is an Internet-Draft and is in full conformance with all This document is an Internet-Draft and is in full conformance with all
provisions of Section 10 of RFC2026. provisions of Section 10 of RFC2026.
skipping to change at page 1, line 33 skipping to change at page 1, line 33
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html http://www.ietf.org/shadow.html
Comments should be sent to the authors or the DNSEXT WG mailing list Comments should be sent to the authors or the DNSEXT WG mailing list
namedroppers@ops.ietf.org namedroppers@ops.ietf.org
This draft expires on January 15, 2002. This draft expires on February 20, 2002.
Copyright Notice Copyright Notice
Copyright (C) The Internet Society (2001). All rights reserved. Copyright (C) The Internet Society (2001). All rights reserved.
Abstract Abstract
One of the biggest problems in DNS occur when records of the same type The Delegation Signer (DS) RR set is stored in a delegating (parent)
can appear on both sides of an delegation. If the contents of these zone at each delegation point, and indicates the keys used in the
sets differs clients can get confused. RFC2535 KEY records follows delegated (child) zone. The main design goal of the DS RR simplify the
the same model as for NS records, parent is responsible for the operation of secure delegations by eliminating the need to store the
records but the child is responsible for the contents. This document same RR in parent and child, as is done with the NS RR set and the KEY
proposes to store a different record in the parent that specifies set in RFC2535.
which one of the child's keys are authorized to sign the child's KEY Secure resolvers need to take an additional step with DS to verify a
set. This change is not backwards compatible with RFC2535 but child's KEY RR set. Operationally this schema is much simpler as
simplifies DNSSEC operation. operation of the two zones at delegation is now decoupled to great
extent.
1 - Introduction 1 - Introduction
Familiarity with the DNS system [RFC1035], DNS security extensions Familiarity with the DNS system [RFC1035], DNS security extensions
[RFC2535] and DNSSEC terminology [RFC3090] is important. [RFC2535] and DNSSEC terminology [RFC3090] is important.
When the same data can reside in two administratively different DNS When the same data can reside in two administratively different DNS
zones sources it is common that the data gets out of sync. NS record zones, the data frequently gets out of sync. NS record in a zone
in a zone indicates that there is a delegation at this name and the NS indicates that this name is a delegation and the NS record lists the
record lists the authorative servers for the real zone. Based on authorative servers for the real zone. Based on actual measurements
actual measurements 10-30% of all delegations in the Internet have 10-30% of all delegations in the Internet have differing NS sets at
differing NS sets at parent and child. There are number of reasons for parent and child. There are number of reasons for this, including lack
this, including lack of communication between parent and child and of communication between parent and child and bogus name-servers being
bogus name-servers being listed to meet registrar requirements. listed to meet registrar requirements.
DNSSEC [RFC2535,RFC3008,RFC3090] specifies that child must have its DNSSEC [RFC2535,RFC3008,RFC3090] specifies that child must have its
KEY set signed by the parent to create a verifiable chain of KEYs. KEY set signed by the parent to create a verifiable chain of KEYs.
There is some debate, where the signed KEY set should reside, There is some debate, where the signed KEY set should reside,
parent[Parent] or child[RFC2535]. If the KEY set resides at the child, parent[Parent] or child[RFC2535]. If the KEY set resides at the child,
frequent communication is needed between the two parties, to transmit frequent two way communication is needed between the two parties.
key sets up to parent and then the signed set or signatures down to First the child needs to transmit the key set to parent and then the
child. If the KEY set resides at the parent[Parent] the communication parent must send the signed set or signatures to child. If the KEY set
is reduced having only child send updated key sets to parent. resides at the parent the communication is reduced as the child only
sends changed key sets to parent.
DNSSEC[RFC2535] requires that the parent store NULL key set for DNSSEC[RFC2535] requires that the parent store NULL key set for
unsecure children, this complicates resolution process as in many unsecure children, this complicates resolution process in many cases
cases as servers for both parent and child need to be queried for KEY as servers for both parent and child need to be queried for KEY set if
set the [Parent] proposal simplifies this. the child server does not return a KEY set. Storing the KEY record
only in the parent zone simplifies this and allows the elimination of
the NULL key set.
Further complication of the DNSSEC KEY model is that KEY record is Another complication of the DNSSEC KEY model is that KEY record is
used to store DNS zone keys and public keys for other protocols. This used to store DNS zone keys and public keys for other protocols.
can lead to large key sets at delegation points. There are number of There are number of potential problems with this including:
potential problems with this including: 1. KEY set may become quite large if many applications/protocols
1. KEY set may become quite large if many applications/protocols store store their keys at the zone apex. Possible protocols are IPSEC,
their keys at the zone apex. Example of protocols are IPSEC, HTTP, HTTP, SMTP, SSH and others that use public key cryptography.
SMTP, SSH etc.
2. Key set may require frequent updates. 2. Key set may require frequent updates.
3. Probability of compromised/lost keys increases and triggers 3. Probability of compromised/lost keys increases and triggers
emergency key rollover. emergency key rollover procedures.
4. Parent may refuse sign key sets with NON DNS zone keys. 4. Parent may refuse sign key sets with NON DNS zone keys.
5. Parent may not have QoS on key changes that meets child's
expectations. 5. Parent may not meet the child's expectations in turnaround time
in resigning the key set.
Given these and other reasons there is good reason to explore Given these and other reasons there is good reason to explore
alternatives to using only KEY records to create chain of trust. alternatives to using only KEY records to create chain of trust.
Some of these problems can be reduced or eliminated by operational Some of these problems can be reduced or eliminated by operational
rules or protocol changes. To reduce the number of keys at apex, rule rules or protocol changes. To reduce the number of keys at apex, a
to require applications to store their KEY records at the SRV name for rule to require applications to store their KEY records at the SRV
that application is one possibility. Another is to restrict KEY record name for that application is one possibility. Another is to restrict
to DNS keys only and create a new type for all non DNS keys. Third KEY record to DNS keys only and create a new type for all non DNS
possible solution is to ban the storage of non DNS related keys at keys. Third possible solution is to ban the storage of non DNS related
zone apex. There are other possible solutions but they are outside the keys at zone apex. There are other possible solutions but they are
scope of this document. outside the scope of this document.
1.1 - Delegation Signer Record model 1.2 - Reserved words
The key words "MAY","MAY NOT", "MUST", "MUST NOT", "REQUIRED",
"RECOMMENDED", "SHOULD", and "SHOULD NOT" in this document are to be
interpreted as described in RFC2119.
2 - DS (Delegation KEY Signer)
2.1 - Delegation Signer Record model
This document proposes an alternative to the KEY record chain of This document proposes an alternative to the KEY record chain of
trust, that uses a special record that can only reside at the parent. trust, that uses a special record that can only reside at the parent.
This record will identify the key(s) that child will use to self sign This record will identify the key(s) that child are allowed to self
its own KEY set. sign its own KEY set.
The chain of trust is now established by verifying the parent KEY set, The chain of trust is now established by verifying the parent KEY set,
the DS set from the parent and then the KEY set at the child. This is the DS set from the parent and the KEY set at the child. This is
cryptographically equivalent to just using KEY records. cryptographically equivalent to just using KEY records.
Communication between the parent and child is reduced as the parent Communication between the parent and child is greatly reduced, since
only needs to know of changes in DNS zone KEY(s) used to sign the apex the child only needs to notify parent about changes in keys that sign
KEY set. If other KEY records are stored at the zone apex, the parent its apex KEY RRset. Parent is ignorant of all other keys in the
does not need to be aware of them. child's apex KEY RRset, and the child maintains full control over the
apex KEY set and its content. Child can maintain any policies over
This approach has the advantage that it minimizes the communication its DNS and other KEY usage with minimal impact on parent. Thus if
between the parent and child and the child is the authority for the child wants to have frequent key rollover for its DNS keys parent
KEY set with full control over the contents. This enables each to does not need to be aware of it as the child can use one key to only
operate and maintain each zone independent of each other. Thus if sign its apex KEY set and other keys to sign the other record sets in
child wants to have frequent key rollover for its DNS keys parent does the zone.
not need to be aware of it as the child can use one key to only sign
its apex KEY set and other keys to sign the other record sets in the
zone. The child can just as well use the same key to sign all records
in its zone.
Another advantage is that this model fits well with slow rollout of
DNSSEC and islands of security model. In the islands of security model
someone that trusts "good.example." preconfigures a key from
"good.example." as a trusted keys and from then on trusts any data
that is signed by that key or has a chain of trust to that key. If
"example." starts advertising DS records "good.example." does not have
to change operations, by suspending self-signing. If DS records can
also be used to identify trusted keys instead of KEY records.
The main disadvantage of this approach is double the number of
signatures that need to be verified for the each delegation KEY set.
There is no impact on verifying other record sets.
1.2 - Reserved words
The key words "MUST", "MUST NOT", "SHOULD", and "MAY" in this document This model fits well with slow roll out of DNSSEC and islands of
are to be interpreted as described in RFC2119. security model. In the islands of security model someone that trusts
"good.example." can preconfigure a key from "good.example." as a
trusted keys and from then on trusts any data that is signed by that
key or has a chain of trust to that key. If "example." starts
advertising DS records, "good.example." does not have to change
operations, by suspending self-signing. DS records can also be used to
identify trusted keys instead of KEY records. One further advantage
is the information stored in the parent is minimized, as only records
for secure delegations are needed.
2 - DS (Delegation KEY signer) record: The main disadvantage of this approach that verifying delegations KEY
set requires twice as many signature verification operations. There
is no impact on the number of signatures verified for other RR sets.
2.1 Protocol change 2.2 Protocol change
DS record MUST only appear at secure delegations in the parent zone. A DS RR set MUST appear at each secure delegation from a secure zone.
The record lists the child's keys that SHOULD sign the child's key If a DS RR set accompanies the NS RR set, the intent is to state that
set. Insecure delegation MUST NOT have a DS record, the presence of the child zone is secured. If an NS RR set exists without a DS RR set
DS record SHOULD be considered a hint that the child might be secure. the intent is to state that the child zone is unsecure.
Resolver MUST only trust KEY records that match a DS record. The public keys indicated in the DS RR set are the keys the child has
NOTE: It has been suggested that NULL DS record for insecure children informed the parent, the child allows to sign the child zone apex KEY
is better than no record. The advantage is to have authenticated RR set. Barring emergency, the intent of the DS RR set it to indicate
denial of child's security status, the drawback is for large to state the child's zone keyset signing keys. If the child's APEX is
delegating zones there will be many NULL DS records. If parent uses not signed by any KEY indicated in the DS RR set than any of number of
NXT records adding NXT record to the authority section in the cases problems may have occurred, and are described later.
when no DS record exists at delegation will give the same result as
NULL DS record.
WG please comment on which approach is better.
Updates RFC2535 sections 2.3.4 and 3.4, as well as RFC3008 section Updates RFC2535 sections 2.3.4 and 3.4, as well as RFC3008 section
2.7: Delegating zones MUST NOT store KEY records for delegations. The 2.7: Delegating zones MUST NOT store KEY records for delegations. The
only records that can appear at delegation in parent are NS, SIG, NXT only records that can appear at delegation in parent are NS, SIG, NXT
and DS. and DS.
Zone MUST self sign its apex KEY set, it SHOULD sign it with a key Zone MUST self sign its apex KEY set, it SHOULD sign it with a key
that corresponds to a DS record in the parent. The KEY used to sign that corresponds to a DS record in the parent. The KEY used to sign
the apex KEY RRset CAN sign other RRsets in the zone. the apex KEY RRset MAY sign other RRsets in the zone.
If child apex KEY RRset is not signed with one of the keys specified If child apex KEY RRset is not signed with one of the keys specified
in the DS record the child is locally secure[RFC3090] and SHOULD only in the DS record the child is locally secure[RFC3090] and SHOULD only
be considered secure the resolver has been instructed to trust the key be considered secure the resolver has been configured to trust the key
used, via preconfiguration. used.
Authorative server answering a query, that has the OK bit set[OKbit], Authorative server for a zone with DS records MUST include the DS
MUST include the DS set in the additional section if the answer is a records in answers for a delegation, when the OKbit[okbit] is set in
referral and there is space. Caching servers SHOULD return the DS the query and if space is available in answer. DS records SHOULD have
record in the additional section under the same condition. lower priority than address records but higher priority than KEY
records.
Caching servers SHOULD return the DS record in the additional section
under the same condition.
2.1.1 - Comments on protocol change 2.2.1 - Comments on protocol change
Over the years there has been various discussions on that the Over the years there has been various discussions on that the
delegation model in DNS is broken as there is no real good way to delegation model in DNS is broken as there is no real good way to
assert if delegation exists. In RFC2535 version of DNSSEC the assert if delegation exists. In RFC2535 version of DNSSEC the
authentication of a delegation is the NS bit in the NXT bitmap at the authentication of a delegation is the NS bit in the NXT bitmap at the
delegation point. Something more explicit is needed and the DS record delegation point. Something more explicit is needed and the DS record
addresses this for secure delegations. addresses this for secure delegations.
DS record is the first DNS record to be only stored at the upper side DS record is the first DNS record that can only appear on the upper
of a delegation. NS records appear at both sides as do SIG and NXT. side of a delegation. NS records appear at both sides as do SIG and
All other records can only appear at the lower side. This will cause NXT. All other records can only appear at the lower side. This will
some problems as servers authorative for parent may reject DS record cause some problems as servers authorative for parent may reject DS
even if the server understands unknown types, or not hand them out record even if the server understands unknown types, or not hand them
unless explicitly asked. Similarly a nameserver acting as a out unless explicitly asked. Similarly a nameserver acting as a
authorative for child and as a caching recursive server may never authorative for child and as a caching recursive server may never
return the DS record. A caching server does not care from which side return the DS record. A caching server does not care from which side
DS record comes from and thus should not have to be changed if it DS record comes from and thus does not have to be changed if it
supports unknown types. Different TTL values on the childs NS set and supports unknown types. Different TTL values on the child's NS set
parents DS set may cause the DS set to expire before the NS set. In and parents DS set may cause the DS set to expire before the NS set.
this case an non-DS aware server would ask the child server for the DS In this case an non-DS aware server would ask the child server for the
set and get NXDOMAIN answer. DS aware server will know to ask the DS set and get NXDOMAIN answer. DS aware server will know to ask a
parent for the DS record. parent DNS server for the DS record.
Secure resolvers need to know about the DS record and how to interpret Secure resolvers need to know about the DS record and how to interpret
it. In the worst case, introducing the DS record, doubles the it. In the worst case, introducing the DS record, doubles the
signatures that need to be checked to validate a KEY set. signatures that need to be checked to validate a KEY set.
Note: The working group must determine if the tradeoff between more Note: The working group must determine if the tradeoff between more
work in resolvers is justified by the operational simplification of work in resolvers is justified by the operational simplification of
this model. The author think this is a small price to pay to have a this model. The author thinks this is a small price to pay to have a
cleaner delegations structure. One argument put forward is that DNS cleaner delegations structure. One argument, put forward is that DNS
should be optimized for read when ever possible, and on the face of it should be optimized for read when ever possible, and on the face of it
adding the DS record makes reading data from DNS more expensive. The adding the DS record makes reading data from DNS more expensive. The
operational complexities and legal hurdles that KEY records in parents operational complexities and legal hurdles related to KEY records in
or children make prevent DNSSEC to ever get deployed. either parents or children may prevent DNSSEC deployment.
2.2 Wire format of DS record 2.3 Wire format of DS record
The DS record consists of algorithm, size, key tag and SHA-1 digest of The DS (type=TDB) record consists of algorithm, key tag and SHA-1
the public key KEY record allowed to sign the child's delegation. digest of the public key KEY record allowed to sign the child's
delegation.
1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| key tag | size | | key tag | algorithm | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| algorithm | SHA-1 digest | | SHA-1 digest |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| (20 bytes) | | (20 bytes) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-|
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-|
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
+-+-+-+-+-+-+-+-+
The key tag is calculated as specified in RFC2535, the size is the
size of the public key in bits as specified in the document specifying
the algorithm. Algorithm MUST be an algorithm number assigned in the
range 1..251. The SHA-1 digest is calculated over the canonical name
of the delegation followed by the RDATA of the KEY record.
The size of the DS RDATA is 25 bytes, regardless of the key size.
NOTE: if 160 bits is to large the SHA-1 digest can be shortened but
that weakens the overall security of the system.
2.2.1 Justifications for fields
The algorithm and size fields are here to allow resolvers to quickly
identify the candidate KEY records to examine. Key Tag is to allow
quick check if this is a good candidate. The key tag is redundant but
provides some greater assurance than SHA-1 digest on its own. SHA-1 is
a strong cryptographic checksum, it is hard for attacker to generate a
KEY record that has the same SHA-1 digest. Making sure that the KEY
record is a valid public key is much harder. Combining the name of the
key and the key data as input to the digest provides stronger
assurance of the binding. Combining the SHA-1 with the other fields
makes the task of the attacker is as hard breaking the public key.
Even if someone creates a database of all SHA-1 key hashes seen so
far, the addition of the name renders that database useless for
attacks against random zones.
2.3 Presentation format of DS record The key tag is calculated as specified in RFC2535, Algorithm MUST be
an algorithm number assigned in the range 1..251. The SHA-1 digest is
calculated over the canonical name of the delegation followed by the
RDATA of the KEY record.
The size of the DS RDATA is 23 bytes, regardless of key size.
The presentation format of DS record consists of 2 numbers, followed 2.3.1 Justifications for fields
by either the name of the signature algorithm or the algorithm number.
The digest is to be presented in hex.
2.4 Justifications for compact format The algorithm and key tag fields are here to allow resolvers to
quickly identify the candidate KEY records to examine. The key tag
adds some greater assurance than SHA-1 digest on its own. SHA-1 is a
strong cryptographic checksum, it is real hard for attacker to
generate a KEY record that has the same SHA-1 digest. Combining the
name of the key and the key data as input to the digest provides
stronger assurance of the binding.
This format allows concise representation of the keys that child will This format allows concise representation of the keys that child will
use, thus keeping down the size of the answer for the delegation, use, thus keeping down the size of the answer for the delegation,
reducing the probability of packet overflow. The SHA-1 hash is strong reducing the probability of packet overflow. The SHA-1 hash is strong
enough to uniquely identify the key. This is similar to the PGP enough to uniquely identify the key. This is similar to the PGP
footprint. footprint.
Each DS record has RDATA size of 25, regardless of the size of the DS record is also well suited to lists trusted keys for islands of
keys, keeping the answers from the parent smaller than if public key security in configuration files.
was used. The smallest currently defined KEY record RDATA is 70 bytes.
Compact DS format is also better suited to list trusted keys for 2.4 Presentation format of DS record
islands of security in configuration files.
The presentation format of DS record consists of 2 numbers followed by
digest presented in hex.
2.5 Transition issues for installed base 2.5 Transition issues for installed base
RFC2535 compliant resolver will assume that all DS secured delegations RFC2535 compliant resolver will assume that all DS secured delegations
are locally secure. This is a bad thing, thus it might be necessary are locally secure. This is a bad thing, thus it might be necessary
for a transition period to support both DS and SIG@Child. The cost is for a transition period to support both DS and SIG@Child. The cost is
one more signatures in the answer and that early adopters have to one more signatures in the answer and that early adopters have to use
cumbersome communications that DS is supposed to solve. cumbersome communications that DS solves.
Resolvers will not get confused as they will select signatures with This section needs work, it needs list of all cases and find if there
the KEY they trust and ignore the other one. are any where resolvers get confused or can not determine what the
security status of child is.
3 Resolver Example 3 Resolver Example
To create a chain of trust resolver goes from trusted KEY to DS to To create a chain of trust resolver goes from trusted KEY to DS to
KEY. KEY.
Assume the key for domain example. is trusted. In zone "example." we Assume the key for domain "example." is trusted. In zone "example."
have we have
example. KEY <stuff> example. KEY <stuff>
secure.example. DS tag=12345 size=1024 alg=dsa <foofoo> secure.example. DS tag=10243 alg=3 <foofoo>
secure.example. NS ns1.secure.example. secure.example. NS ns1.secure.example.
NS ns1.secure.example. s NS ns1.secure.example.
secure.example. NXT NS SIG NXT DS tail.example. secure.example. NXT NS SIG NXT DS unsecure.example.
secure.example. SIG(NXT) secure.example. SIG(NXT)
secure.example. SIG(DS) secure.example. SIG(DS)
unsecure.example NS ns1.unsecure.example.
unsecure.example NS ns2.unsecure.example.
unsecure.example. NXT NS SIG NXT .example.
unsecure.example. SIG(NXT)
In zone "secure.example." we have In zone "secure.example." we have
secure.example. SOA <soa stuff> secure.example. SOA <soa stuff>
secure.example. NS ns1.secure.example. secure.example. NS ns1.secure.example.
NS ns1.secure.example. NS ns1.secure.example.
secure.example. KEY <tag=12345 size=1024 alg=dsa> secure.example. KEY <tag=12345 size=1024 alg=3>
KEY <tag=54321 size=512 alg=rsa/sha1> KEY <tag=54321 size=512 alg=5>
KEY <tag=32145 size=1024 alg=dsa> KEY <tag=32145 size=1024 alg=3>
secure.example. SIG(KEY) <key-tag=12345 size=1024 alg=dsa> secure.example. SIG(KEY) <key-tag=12345 alg=3>
secure.example. SIG(SOA) <key-tag=54321 size=512 alg=rsa/sha1> secure.example. SIG(SOA) <key-tag=54321 alg=5>
secure.example. SIG(NS) <key-tag=54321 size=512 alg=rsa/sha1> secure.example. SIG(NS) <key-tag=54321 alg=5>
In this example the trusted key for "example." signs the DS record for
In this example the trusted key for example signs the DS record for
"secure.example.", making that a trusted record. The DS record states "secure.example.", making that a trusted record. The DS record states
what key is supposed to sign the KEY record at secure.example. In what key is expected to sign the KEY RRset at "secure.example". Here
this example "secure.example." has three different KEY records and the "secure.example." has three different KEY records and the KEY
one corresponding to the KEY identified in the DS record signs the KEY identified in the DS record signs the KEY set, thus the KEY set is
set, thus the key set is validated and trusted. Note that one of the validated and trusted. Note that one of the other keys in the keyset
other keys in the keyset actually signs the zone data, and resolvers actually signs the zone data, and resolvers will trust the signatures
will trust the signatures as the key appears in the KEY set. as the key appears in the KEY set.
This example has only one DS record for the child but there no reason This example has only one DS record for the child but there no reason
to outlaw multiple DS records. More than one DS record is needed to outlaw multiple DS records. More than one DS record is needed
during signing key rollover. It is strongly recommended that the DS during signing key rollover. It is strongly recommended that the DS
set be kept small. set be kept small.
Resolver determines the security status of "unsecure.example." by
examining the parent size NXT for this name.
3.1 Resolver cost estimates for DS records 3.1 Resolver cost estimates for DS records
From a RFC2535 resolver point of view for each delegation followed to From a RFC2535 resolver point of view for each delegation followed to
chase down an answer one KEY record has to be verified and possibly chase down an answer one KEY record has to be verified and possibly
some other records based on policy, for example the contents of the NS some other records based on policy, for example the contents of the NS
set. Once the resolver gets to the appropriate delegation validating set. Once the resolver gets to the appropriate delegation validating
the answer may require verifying one or more signatures. For a simple the answer may require verifying one or more signatures. A simple A
A record lookup requires at least N delegations to be verified and 1 record lookup requires at least N delegations to be verified and 1
RRset. For a DS enabled resolver the cost is 2N+1. For MX record the RRset. For a DS enabled resolver the cost is 2N+1. For MX record the
cost where the target of the MX record is in the same zone as the MX cost where the target of the MX record is in the same zone as the MX
record the costs are N+2 and 2N+2. In the case of negative answer the record the costs are N+2 and 2N+2. In the case of negative answer the
same holds ratios hold true. same ratios hold true.
Resolver may require an extra query to get the DS record but and this
may add to the overall cost of the query, but this is never worse than Resolver may require an extra query to get the DS record and this may
add to the overall cost of the query, but this is never worse than
chasing down NULL KEY records from the parent in RFC2535 DNSSEC. chasing down NULL KEY records from the parent in RFC2535 DNSSEC.
DS adds processing overhead on resolvers, increases the size of DS adds processing overhead on resolvers, increases the size of
delegation answers. DS requires much less storage in large delegation delegation answers but much less than SIG@Parent.
zones than SIG@Parent.
4 Acknowledgments 4 Acknowledgments
Number of people have over the last few years contributed number of Number of people have over the last few years contributed number of
ideas that are captured in this document. The core idea of using one ideas that are captured in this document. The core idea of using one
key to that has only the role of signing a key set, comes from key to only sign key set, comes from discussions with Bill Manning and
discussions with Bill Manning and Perry Metzger on how to put in a Perry Metzger on how to put in a single root key in all resolvers.
single root key in all resolver that lives for a long time. Brian Brian Wellington, Jakob Schlyter, Scott Rosen, Edward Lewis, Dan
Wellington, Dan Massey, Edward Lewis, Havard Eidnes, Jakob Schlyter, Massey, Mark Kosters, Olaf Kolman, Miek Gieben, Havard Eidnes, Donald
Mark Kosters, Miek Gieben, Roy Arens, Scott Rosen have provided Eastlake 3rd., Randy Bush, Rob Austein, Roy Arends, and others have
usefull comments. provided useful comments.
4 - Security Considerations: 4 - Security Considerations:
This document proposes a change to the validation chain of KEY records This document proposes a change to the validation chain of KEY records
in DNS. The change in is not believed to reduce security in the in DNS. The change in is not believed to reduce security in the
overall system, in RFC2535 DNSSEC child must communicate keys to overall system, in RFC2535 DNSSEC child must communicate keys to
parent and prudent parents will require some authentication on that parent and prudent parents will require some authentication on that
handshake. The modified protocol will require same authentication but handshake. The modified protocol will require same authentication but
allows the child to exert more local control over its own KEY set. allows the child to exert more local control over its own KEY set.
In the representation of DS record, there is a possibility that an There is a possibility that an attacker can generate an valid KEY that
attacker can generate an valid KEY that matches all the checks thus matches all the DS fields thus starting to forge data from the child.
starting to forge data from the child. This is considered impractical This is considered impractical as on average more than 2^80 keys must
as on average more than 2**80 keys must be generated before one is be generated before one is found that will match.
found that will match.
DS record is a change to DNSSEC protocol and there is some installed DS record is a change to DNSSEC protocol and there is some installed
base of implementations, as well as text books on how to set up base of implementations, as well as text books on how to set up
secured delegations. Implementations that do not understand DS record secured delegations. Implementations that do not understand DS record
will not be able to follow the KEY to DS to KEY chain and consider all will not be able to follow the KEY to DS to KEY chain and consider all
zone secured that way insecure. zone secured that way insecure.
5 - IANA Considerations: 5 - IANA Considerations:
IANA needs to allocate RR type code for DS from the standard RR type IANA needs to allocate RR type code for DS from the standard RR type
skipping to change at page 10, line 36 skipping to change at page 10, line 36
Author Address Author Address
Olafur Gudmundsson Olafur Gudmundsson
3826 Legation Street, NW 3826 Legation Street, NW
Washington, DC, 20015 Washington, DC, 20015
USA USA
<ogud@ogud.com> <ogud@ogud.com>
Appendix A: Changes from Prior versions Appendix A: Changes from Prior versions
Changes from version 01
Deleted KEY size field as it did not contribute anything but
complexity.
Number of wordsmith changes to make document more readable.
The word CAN was used when SHOULD was intended.
Deleted section 2.4 "Justifications for compact format" moved relevant
text to section 2.2.
Reverse alphabetized the acknowledgments section.
Reorganized sections 1 and 2 for readability.
Changes from version 00 Changes from version 00
Changed name from DK to DS based on working group comments. Changed name from DK to DS based on working group comments.
Dropped verbose format based on WG comments. Dropped verbose format based on WG comments.
Added text about TTL issue/problem in caching servers. Added text about TTL issue/problem in caching servers.
Added text about islands of security and clarified the cost impact. Added text about islands of security and clarified the cost impact.
Major editing of arguments and some reordering of text for clarity. Major editing of arguments and some reordering of text for clarity.
Added section on transition issues. Added section on transition issues.
Full Copyright Statement Full Copyright Statement
Copyright (C) The Internet Society (2001). All Rights Reserved. Copyright (C) The Internet Society (2001). All Rights Reserved.
This document and translations of it may be copied and furnished to This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published and or assist in its implementation may be prepared, copied, published and
 End of changes. 

This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/