draft-ietf-dnsext-delegation-signer-04.txt   draft-ietf-dnsext-delegation-signer-05.txt 
DNSEXT Working Group Olafur Gudmundsson DNSEXT Working Group Olafur Gudmundsson
<draft-ietf-dnsext-delegation-signer-04.txt> <draft-ietf-dnsext-delegation-signer-05.txt>
Updates: RFC 1035, RFC 2535, RFC 3008. Updates: RFC 1035, RFC 2535, RFC 3008, RFC 3090.
Delegation Signer record in parent. Delegation Signer Resource Record
Status of this Memo Status of this Memo
This document is an Internet-Draft and is in full conformance with all This document is an Internet-Draft and is in full conformance with
provisions of Section 10 of RFC2026. all provisions of Section 10 of RFC2026.
Internet-Drafts are working documents of the Internet Engineering Task Internet-Drafts are working documents of the Internet Engineering
Force (IETF), its areas, and its working groups. Note that other Task Force (IETF), its areas, and its working groups. Note that
groups may also distribute working documents as Internet-Drafts. other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as ``work in progress.'' material or to cite them other than as ``work in progress.''
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html http://www.ietf.org/shadow.html
Comments should be sent to the authors or the DNSEXT WG mailing list Comments should be sent to the authors or the DNSEXT WG mailing list
namedroppers@ops.ietf.org namedroppers@ops.ietf.org
This draft expires on May 20, 2002. This draft expires on July 5, 2002.
Copyright Notice Copyright Notice
Copyright (C) The Internet Society (2001). All rights reserved. Copyright (C) The Internet Society (2002). All rights reserved.
Abstract Abstract
The Delegation Signer (DS) RR set is stored in a delegating (parent) The Delegation Signer Resource Record is inserted at a zone cut point
zone at each delegation point, and indicates the keys used in the to indicate tha the delegated zone is digitally signed and that the
delegated (child) zone. The main design goal of the DS RR simplify the delegation zone recognizes the indicated key as a valid zone key for
operation of secure delegations by eliminating the need to store the the delegated zone. The DS RR is an modification to the DNS Security
same RR in parent and child, as is done with the NS RR set and the KEY Extensions definition, motivated by operational considerations. The
set in RFC2535. intent is to use the resource record as an explicit statement about
Secure resolvers need to take an additional step with DS to verify a the delegation, rather than relying on inference.
child's KEY RR set. Operationally this schema is much simpler as
operation of the two zones at delegation is now decoupled to great This document defines the DS RR, gives examples of how it is used and
extent. the implications of this record on resolvers. This change is not
This document updates RFC1035, RFC2535 and RFC3008. backwards compatible with RFC 2535.
This document updates RFC1035, RFC2535, RFC3008 and RFC3090.
1 - Introduction 1 - Introduction
Familiarity with the DNS system [RFC1035], DNS security extensions Familiarity with the DNS system [RFC1035], DNS security extensions
[RFC2535] and DNSSEC terminology [RFC3090] is important. [RFC2535] and DNSSEC terminology [RFC3090] is important.
When the same data can reside in two administratively different DNS Experience shows that when the same data can reside in two
zones, the data frequently gets out of sync. NS record in a zone administratively different DNS zones, the data frequently gets out of
indicates that this name is a delegation and the NS record lists the sync. NS record in a zone indicates that this name is a delegation
authorative servers for the real zone. Based on actual measurements and the NS record lists the authorative servers for the real zone.
10-30% of all delegations in the Internet have differing NS sets at Based on actual measurements 10-30% of all delegations in the
parent and child. There are number of reasons for this, including lack Internet have differing NS sets at parent and child. There are number
of communication between parent and child and bogus name-servers being of reasons for this, including lack of communication between parent
listed to meet registrar requirements. and child and bogus name-servers being listed to meet registrar
requirements.
DNSSEC [RFC2535,RFC3008,RFC3090] specifies that child must have its DNSSEC [RFC2535,RFC3008,RFC3090] specifies that child must have its
KEY set signed by the parent to create a verifiable chain of KEYs. KEY set signed by the parent to create a verifiable chain of KEYs.
There is some debate, where the signed KEY set should reside, There has been some debate on where the signed KEY set should reside,
parent[Parent] or child[RFC2535]. If the KEY set resides at the child, at the child[RFC2535] or at the parent. If the KEY set resides at the
frequent two way communication is needed between the two parties. child, maintaining the signed KEY set in the child, requires frequent
First the child needs to transmit the key set to parent and then the two way communication is needed between the two parties. First the
parent sends the signed set or signatures to child. If the KEY set child needs to transmit the key set to parent and then the parent
resides at the parent the communication is reduced as the child only sends the signed set or signatures to child. Storing the KEY at the
sends changed key sets to parent. parent simplifies the communication.
DNSSEC[RFC2535] requires that the parent store NULL key set for DNSSEC[RFC2535] requires that the parent store NULL key set for
unsecure children, this complicates resolution process in many cases unsecure children, this is intended to be a signal that the child is
as servers for both parent and child need to be queried for KEY set if unsecure. NULL Key RRset is a waste as a whole signed RRset is used
the child server does not return a KEY set. Storing the KEY record to effectively communicate one bit of information, child is unsecure.
only in the parent zone simplifies this and allows the elimination of Chasing down NULL key records complicates resolution process in many
the NULL key set. cases as servers for both parent and child need to be queried for KEY
set if the child server does not return a KEY set. Storing the KEY
record only in the parent zone simplifies this and would allow the
elimination of the NULL key set. For large delegation zones the cost
of NULL keys is significant barrier to deployment.
Another complication of the DNSSEC KEY model is that KEY record is Another complication of the DNSSEC KEY model is that KEY record is
used to store DNS zone keys and public keys for other protocols. used to store DNS zone keys and public keys for other protocols.
There are number of potential problems with this including: There are number of potential problems with this including:
1. KEY set can become quite large if many applications/protocols 1. KEY set can become quite large if many applications/protocols
store their keys at the zone apex. Possible protocols are IPSEC, store their keys at the zone apex. Possible protocols are IPSEC,
HTTP, SMTP, SSH and others that use public key cryptography. HTTP, SMTP, SSH and others that use public key cryptography.
2. Key set may require frequent updates. 2. Key set may require frequent updates.
3. Probability of compromised/lost keys increases and triggers 3. Probability of compromised/lost keys increases and triggers
emergency key rollover procedures. emergency key rollover procedures.
4. Parent may refuse sign key sets with NON DNS zone keys. 4. Parent may refuse sign key sets with NON DNS zone keys.
5. Parent may not meet the child's expectations in turnaround time 5. Parent may not meet the child's expectations in turnaround time
in resigning the key set. in resigning the key set.
Given these and other reasons there is good reason to explore Given these and other reasons there is good reason to explore
alternatives to using only KEY records to create chain of trust. alternatives to using only KEY records to create chain of trust.
Some of these problems can be reduced or eliminated by operational Some of these problems can be reduced or eliminated by operational
rules or protocol changes. To reduce the number of keys at apex, a rules or protocol changes. To reduce the number of keys at apex, a
rule to require applications to store their KEY records at the SRV rule to require applications to store their KEY records at the SRV
skipping to change at page 3, line 17 skipping to change at page 3, line 24
in resigning the key set. in resigning the key set.
Given these and other reasons there is good reason to explore Given these and other reasons there is good reason to explore
alternatives to using only KEY records to create chain of trust. alternatives to using only KEY records to create chain of trust.
Some of these problems can be reduced or eliminated by operational Some of these problems can be reduced or eliminated by operational
rules or protocol changes. To reduce the number of keys at apex, a rules or protocol changes. To reduce the number of keys at apex, a
rule to require applications to store their KEY records at the SRV rule to require applications to store their KEY records at the SRV
name for that application is one possibility. Another is to restrict name for that application is one possibility. Another is to restrict
KEY record to DNS keys only and create a new type for all non DNS KEY record to DNS keys only and create a new type for all non DNS
keys. Third possible solution is to ban the storage of non DNS related keys. Third possible solution is to ban the storage of non DNS
keys at zone apex. There are other possible solutions but they are related keys at zone apex. There are other possible solutions but
outside the scope of this document. they are outside the scope of this document.
1.2 - Reserved words 1.2 - Reserved words
The key words "MAY","MAY NOT", "MUST", "MUST NOT", "REQUIRED", The key words "MAY","MAY NOT", "MUST", "MUST NOT", "REQUIRED",
"RECOMMENDED", "SHOULD", and "SHOULD NOT" in this document are to be "RECOMMENDED", "SHOULD", and "SHOULD NOT" in this document are to be
interpreted as described in RFC2119. interpreted as described in RFC2119.
2 - DS (Delegation KEY Signer) 2 - DS (Delegation KEY Signer)
2.1 - Delegation Signer Record model 2.1 - Delegation Signer Record model
This document proposes an alternative to the KEY record chain of This document presents replacement of the DNSSEC KEY record chain of
trust, that uses a special record that can only reside at the parent. trust[RFC2535], that uses a new RR that only reside at the parent.
This record will identify the key(s) that child are allowed to self This record will identify the key(s) that child uses to self sign its
sign its own KEY set. own KEY set.
The chain of trust is now established by verifying the parent KEY set, The chain of trust is now established by verifying the parent KEY
the DS set from the parent and the KEY set at the child. This is set, the DS set from the parent and the KEY set at the child. This is
cryptographically equivalent to just using KEY records. cryptographically equivalent to just using KEY records.
Communication between the parent and child is greatly reduced, since Communication between the parent and child is greatly reduced, since
the child only needs to notify parent about changes in keys that sign the child only needs to notify parent about changes in keys that sign
its apex KEY RRset. Parent is ignorant of all other keys in the its apex KEY RRset. Parent is ignorant of all other keys in the
child's apex KEY RRset, and the child maintains full control over the child's apex KEY RRset, furthermore the child maintains full control
apex KEY set and its content. Child can maintain any policies over over the apex KEY set and its content. Child can maintain any
its DNS and other KEY usage with minimal impact on parent. Thus if policies over its DNS and other KEY usage with minimal impact on
child wants to have frequent key rollover for its DNS keys parent does parent. Thus if child wants to have frequent key rollover for its DNS
not need to be aware of it as the child can use one key to only sign zone keys parent does not need to be aware of it as the child can use
its apex KEY set and other keys to sign the other record sets in the one key to only sign its apex KEY set and other keys to sign the
zone. other record sets in the zone.
This model fits well with slow roll out of DNSSEC and islands of This model fits well with slow roll out of DNSSEC and islands of
security model. In the islands of security model someone that trusts security model. In the islands of security model someone that trusts
"good.example." can preconfigure a key from "good.example." as a "good.example." can preconfigure a key from "good.example." as a
trusted keys and from then on trusts any data that is signed by that trusted keys and from then on trusts any data that is signed by that
key or has a chain of trust to that key. If "example." starts key or has a chain of trust to that key. If "example." starts
advertising DS records, "good.example." does not have to change advertising DS records, "good.example." does not have to change
operations, by suspending self-signing. DS records can also be used to operations, by suspending self-signing. DS records can also be used
identify trusted keys instead of KEY records. One further advantage to identify trusted keys instead of KEY records. Another significant
is the information stored in the parent is minimized, as only records advantage is the information stored in the large delegation zones
for secure delegations are needed. reduced, as only signed keying records for secure delegations are
needed, unlike the NULL KEY record at every unsecure delegation.
The main disadvantage of this approach that verifying delegations KEY The main disadvantage of this approach that verifying delegations KEY
set requires twice as many signature verification operations. There set requires two signature verification operations instead of one in
is no impact on the number of signatures verified for other RR sets. RFC 2535. There is no impact on the number of signatures verified
for other RR sets.
2.2 Protocol change 2.2 Protocol change
Each secure delegation in a secure zone MUST contain a DS RR set. If All DNS servers and resolvers that support DS MUST support OK bit
a DS RR set accompanies the NS RR set, the intent is to state that the [RFC3225] and support larger message size[RFC3226]. Each secure
child zone is secured. If an NS RR set exists without a DS RR set the delegation in a secure zone MUST contain a DS RR set. If a query
contains the OK bit, server returning a referral for the delegation
MUST include the following RR sets in the authority section in this
order:
parent NS
DS and SIG(DS) (if present)
parent NXT and SIG(NXT/parent)
This increases the size of referral messages and may cause some or
all glue to be omitted. If DS or NXT RR or their signatures do not
fit inside the DNS message the TC bit must be set. Additional
section processing is not changed.
If a DS RR set accompanies the NS RR set, this states that the child
zone is secured. If an NS RR set exists without a DS RR set the
intent is to state that the child zone is unsecure. DS sets MUST NOT intent is to state that the child zone is unsecure. DS sets MUST NOT
appear at non delegations or at zone APEX. appear at non delegations or at zone APEX.
In a zone that uses DS, insecure delegations MUST have the NODS[TBD] Following section 2.2.1 replaces RFC2535 sections 2.3.4 and 3.4,
bit set in the NXT record. This is required to differenciate this section 2.2.2 replaces RFC3008 section 2.7, RFC3090 updates are in
delegation from Secure RFC2535 delegation. section 2.2.3.
Updates RFC2535 sections 2.3.4 and 3.4, as well as RFC3008 section 2.2.1 RFC2535 2.3.4 and 3.4: Special considerations at delegation points
2.7:
Delegating zones MUST NOT store KEY records for delegations. The only
records that can appear at delegation in parent are NS, SIG, NXT and
DS.
Zone MUST self sign its apex KEY set, it SHOULD sign it with a key DNS security would like to view each zone as a unit of data
that corresponds to a DS record in the parent. The KEY used to sign completely under the control of the zone owner with each entry
the apex KEY RRset MAY sign other RRsets in the zone. (RRset) signed by a special private key held by the zone manager.
But the DNS protocol views the leaf nodes in a zone, which are also
the apex nodes of a subzone (i.e., delegation points), as "really"
belonging to the subzone. These nodes occur in two master files and
might have RRs signed by both the upper and lower zone's keys. A
retrieval could get a mixture of these RRs and SIGs, especially since
one server could be serving both the zone above and below a
delegation point[RFC 2181].
If child apex KEY RRset is not signed with one of the keys specified For every secure delegation there MUST be a DS record stored in
in the DS record the child is locally secure[RFC3090] and SHOULD only parent zone signed by parent zone key. Parent zone MUST NOT contain
be considered secure if the resolver has been configured to trust the KEY record at delegation points. Delegations in parent MAY only
key used. contain following RR types NS, DS, NXT and SIG. NS RR set MUST NOT be
signed. The NXT RR type is the exceptional case that will always
appear differently and authoritatively in both the super-zone and
subzone, if both are secure.
Authorative server answering a query with the OK bit[OKbit] set, MUST All secure zones MUST contain a self signed KEY RR set at apex. Upon
include the DS records and NXT record along with signatures in answers verifying the DS set from the parent, the resolver MAY trust any KEY
for a delegation and space is available. DS and NXT records SHOULD identified in the DS set as a valid signer of the childs apex KEY
have lower priority than address records but higher priority than KEY. set. Resolvers configured to trust one of the KEY's signing the KEY
Caching servers SHOULD return the DS and parent NXT record(s) in the set MAY now treat any data signed by the zone keys in the KEY set as
additional section under the same condition. secure. In all other cases resolvers MUST consider the zone
insecure. DS RR MUST NOT appear at zone APEX.
2.2.1 - Comments on protocol change 2.2.2 Signers name (replaces RFC3008 section 2.7)
The signer's name field of a data SIG MUST contain the name of the
zone to which the data and signature belong. The combination of
signer's name, key tag, and algorithm MUST identify a zone key if the
SIG is to be considered material. This document defines a standard
policy for DNSSEC validation; local policy may override the standard
policy.
There are no restrictions on the signer field of a SIG(0) record.
The combination of signer's name, key tag, and algorithm MUST
identify a key if this SIG(0) is to be processed.
2.2.4 changes to RFC3090
Number of sections of RFC3090 need to be updated to reflect the DS
record.
2.2.4.1 RFC3090: Updates to section 1: Introduction
Most of the text is still relevant but the words ``NULL key'' are to
be replaced with ``missing DS set''. In section 1.3 the last three
paragraphs discuss the confusion in sections of RFC 2535, that are
replaced in section 2.2.1 above, thus these paragraphs are now
obsolete.
2.2.4.2 RFC3090 section 2.1: Globally Secured
Rule 2.1.b is replaced by following rule:
2.1.b. The zone's apex KEY RR set MUST be self signed by a private
key in the KEY RR set. The private key's public companion MUST be a
zone signing KEY RR (2.a) of a mandatory to implement algorithm and
owned by the parent's apex. This KEY must be identified by a signed
DS RR in the parent zone.
If a zone cannot get a parent to advertise a DS record for it, child
zone cannot be considered globally secured. The only exception to
this is the root zone, for which there is no parent zone
2.2.4.3 RFC3090 section 3: Experimental Status.
The only difference between Experimental status and globally secured
is the missing DS in the parent. All Locally Secured zones are
Experimental.
2.3 - Comments on protocol changes
Over the years there has been various discussions on that the Over the years there has been various discussions on that the
delegation model in DNS is broken as there is no real good way to delegation model in DNS is broken as there is no real good way to
assert if delegation exists. In RFC2535 version of DNSSEC the assert if delegation exists. In RFC2535 version of DNSSEC the
authentication of a delegation is the NS bit in the NXT bitmap at the authentication of a delegation is the NS bit in the NXT bitmap at the
delegation point. Something more explicit is needed and the DS record delegation point. Something more explicit is needed and the DS record
addresses this for secure delegations. addresses this for secure delegations.
DS record is the first DNS record that can only appear on the upper DS record is a major change to DNS as it is the first DNS record that
side of a delegation. NS records appear at both sides as do SIG and can only appear on the upper side of a delegation. Adding it will
NXT. All other records can only appear at the lower side. This will cause interoperabilty problems and a flag day for DNSSEC. Many old
cause some problems as servers authorative for parent, reject DS servers and resolvers MUST be upgraded to take advantage of DS. Some
record even if the server understands unknown types, or will not hand old servers will be able to be authorative for zones with DS records
them out unless explicitly asked. Similarly a nameserver acting as a but will not add the NXT and DS records to authority section. Same
authorative for child and as a caching recursive server may never goes for caching servers, some may even refuse to pass on the DS and
return the DS record. NXT records.
A caching server that supports unkown types, does not care from which
side DS record comes from and thus does not have to be changed.
Different TTL values on the child's NS set and parents DS set can
cause the DS set to expire before the NS set.
Secure resolvers need to know about the DS record and how to interpret
it. In the worst case, introducing the DS record, doubles the
signatures that need to be checked to validate a KEY set.
2.3 Wire format of DS record 2.4 Wire format of DS record
The DS (type=TDB) record consists of algorithm, key tag and SHA-1 The DS (type=TDB) record consists of algorithm, key tag and SHA-1
digest of the public key KEY record allowed to sign the child's digest of a public key KEY record that is allowed/used to sign the
delegation. child's delegation. Other keys MAY sign the child's apex KEY set.
1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| key tag | algorithm | | | key tag | algorithm | Digest type |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| SHA-1 digest | | SHA-1 digest |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| (20 bytes) | | (20 bytes) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-|
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-|
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The key tag is calculated as specified in RFC2535, Algorithm MUST be The key tag is calculated as specified in RFC2535, Algorithm MUST be
an algorithm number assigned in the range 1..251 and the algorithm an algorithm number assigned in the range 1..251 and the algorithm
MUST be allowed to sign DNS data. The SHA-1 digest is calculated over MUST be allowed to sign DNS data. The digest type is an identifier
the canonical name of the delegation followed by the RDATA of the KEY for the digest algorithm used. The digest is calculated over the
record. canonical name of the delegation followed by the whole RDATA of the
DS records MUST NOT point to a null KEY record, and the KEY records KEY record.
pointed to by DS records MUST have protocol value 3 (DNSSEC).
DS records MUST NOT point to KEY records where flag field has folowing
bit settings, bit 0 (no authentication) is set, bit 6 MUST be set to 0
and bit 7 MUST be set to 1 (zone key). Settings of other bits are not
important.
The size of the DS RDATA is 23 bytes, regardless of key size.
2.3.1 Justifications for fields Digest type value 0 is reserved, value 1 is SHA-1, reserving other
types requires IETF standards action. For interoperabilty reasons as
few digest type algorithms should be reserved, the only reason to
reserve another digest type is to increase security.
DS records MUST point to zone KEY records that are allowed to
authenticate DNS data. Protocol MUST be set to 3. Flag field bits 0
and 6 MUST be set to 0, bit 7 MUST be set to 1. Value of other bits
is not important.
The size of the DS RDATA for type 1(SHA-1) is 24 bytes, regardless of
key size.
2.4.1 Justifications for fields
The algorithm and key tag fields are here to allow resolvers to The algorithm and key tag fields are here to allow resolvers to
quickly identify the candidate KEY records to examine. The key tag quickly identify the candidate KEY records to examine. The key tag
adds some greater assurance than SHA-1 digest on its own. SHA-1 is a adds some greater assurance than SHA-1 digest on its own. SHA-1 is a
strong cryptographic checksum, it is real hard for attacker to strong cryptographic checksum, it is real hard for attacker to
generate a KEY record that has the same SHA-1 digest. Combining the generate a KEY record that has the same SHA-1 digest. Combining the
name of the key and the key data as input to the digest provides name of the key and the key data as input to the digest provides
stronger assurance of the binding. stronger assurance of the binding.
This format allows concise representation of the keys that child will This format allows concise representation of the keys that child will
use, thus keeping down the size of the answer for the delegation, use, thus keeping down the size of the answer for the delegation,
reducing the probability of packet overflow. The SHA-1 hash is strong reducing the probability of packet overflow. The SHA-1 hash is strong
enough to uniquely identify the key. This is similar to the PGP enough to uniquely identify the key. This is similar to the PGP
footprint. footprint. The digest type field is there for possible future
expansion.
DS record is also well suited to lists trusted keys for islands of DS record is well suited to lists trusted keys for islands of
security in configuration files. security in configuration files.
2.4 Presentation format of DS record 2.5 Presentation format of DS record
The presentation format of DS record consists of 2 numbers followed by The presentation format of DS record consists of 2 numbers followed
digest presented in hex. by digest presented in hex.
foo.example DS 12345 3 123456789abcdef67890 foo.example DS 12345 3 1 123456789abcdef67890
2.5 Transition issues for installed base 2.6 Transition issues for installed base
RFC2535 compliant resolver will assume that all DS secured delegations RFC2535 compliant resolver will assume that all DS secured
are locally secure. This is a bad thing, thus it might be necessary delegations are locally secure. This is a bad thing, but the DNSEXT
for a transition period to support both DS and SIG@Child. The cost is working group has determined that rather than having to have to deal
one or more signatures in the answer for KEY records and that early with both RFC2535 secured zone and DS secured zone, a rapid adaption
adopters have to use cumbersome communications that DS solves. #.bp of DS is preferable. Thus the only option for early adopters is to
upgrade to DS as soon as possible.
2.6 Backwards compatibilty with RFC2535 SIG@child and RFC1035 2.6.1 Backwards compatibility with RFC2535 and RFC1035
This section documents how a resolver determines the type of This section documents how a resolver determines the type of
delegation. delegation.
RFC1035 delegation has: RFC1035 delegation has:
RFC1035 NS RFC1035 NS
RFC2535 adds the following two cases: RFC2535 adds the following two cases:
Secure RFC2535: NS + NXT + SIG(NXT) Secure RFC2535: NS + NXT + SIG(NXT)
NXT bit map contains: NS SIG NXT NXT bit map contains: NS SIG NXT
Insecure RFC2535: NS + KEY + SIG(KEY) + NXT + SIG(NXT) Insecure RFC2535: NS + KEY + SIG(KEY) + NXT + SIG(NXT)
NXT bit map contains: NS SIG KEY NXT NXT bit map contains: NS SIG KEY NXT
KEY must be null-key. KEY must be null-key.
DS adds the following two states: DS has the following two states:
Secure DS: NS + DS + SIG(DS) + NXT + SIG(NXT) Secure DS: NS + DS + SIG(DS) + NXT + SIG(NXT)
NXT bit map contains: NS SIG NXT DS NXT bit map contains: NS SIG NXT DS
Insecure DS: NS + NXT + SIG(NXT) Insecure DS: NS + NXT + SIG(NXT)
NXT bit map contains: NS SIG KEY NXT NODS NXT bit map contains: NS SIG KEY NXT
It is hard for a resolver to determine if a delegation is Secure 2535
If the NODS bit is not used, a resover can not determine if this is a or Insecure DS. This can be overcome by adding a flag to the NXT bit
DS delegation zone. Thus is not able to determine if this delegtion is map but only upgraded resolvers will understand this flag. Having
a secure RFC2535 or a insecure DS. both parent and child signatures on the keyset may allow old
resolvers to accept zone as secure, but the cost of doing this for a
2.6.1 NODS support in servers long time is much higher than just outlaw Sig@Child and force rapid
deployment of DS enabled servers and resolvers.
NODS is a virtual type, servers MUST refuse to store any record of RFC 2535 and DS can in theory be deployed in parallel, but this will
this type. No special processing is required on answers. require resolvers to deal with RFC 2535 configurations forever. This
document obsoletes NULL KEY in parent zones, that is difficult enough
change that flag day is required.
3 Resolver Example 3 Resolver Example
To create a chain of trust resolver goes from trusted KEY to DS to To create a chain of trust resolver goes from trusted KEY to DS to
KEY. KEY.
Assume the key for domain "example." is trusted. In zone "example." Assume the key for domain "example." is trusted. Zone "example."
we have contains at least the following records:
example. SOA <soa stuff>
example. NS ns.example.
example. KEY <stuff> example. KEY <stuff>
secure.example. DS tag=10243 alg=3 <foofoo> example. NXT NS SOA KEY SIG NXT
example. SIG(SOA)
example. SIG(NS)
example. SIG(NXT)
example. SIG(KEY)
secure.example. NS ns1.secure.example. secure.example. NS ns1.secure.example.
NS ns2.secure.example. secure.example. DS tag=10243 alg=3 <foofoo>
secure.example. NXT NS SIG NXT DS unsecure.example. secure.example. NXT NS SIG NXT DS unsecure.example.
secure.example. SIG(NXT) secure.example. SIG(NXT)
secure.example. SIG(DS) secure.example. SIG(DS)
unsecure.example NS ns1.unsecure.example. unsecure.example NS ns1.unsecure.example.
unsecure.example NS ns2.unsecure.example. unsecure.example. NXT NS SIG NXT .example.
unsecure.example. NXT NS SIG NXT NODS .example.
unsecure.example. SIG(NXT) unsecure.example. SIG(NXT)
In zone "secure.example." we have In zone "secure.example." following records exist:
secure.example. SOA <soa stuff> secure.example. SOA <soa stuff>
secure.example. NS ns1.secure.example. secure.example. NS ns1.secure.example.
NS ns1.secure.example. secure.example. KEY <tag=12345 alg=3>
secure.example. KEY <tag=12345 size=1024 alg=3>
KEY <tag=54321 size=512 alg=5>
KEY <tag=32145 size=1024 alg=3>
secure.example. SIG(KEY) <key-tag=12345 alg=3> secure.example. SIG(KEY) <key-tag=12345 alg=3>
secure.example. SIG(SOA) <key-tag=54321 alg=5> secure.example. SIG(SOA) <key-tag=12345 alg=3>
secure.example. SIG(NS) <key-tag=54321 alg=5> secure.example. SIG(NS) <key-tag=12345 alg=5>
In this example the trusted key for "example." signs the DS record for In this example the trusted key for "example." signs the DS record
"secure.example.", making that a trusted record. The DS record states for "secure.example.", making that a trusted record. The DS record
what key is expected to sign the KEY RRset at "secure.example". Here states what key is expected to sign the KEY RRset at
"secure.example." has three different KEY records and the KEY "secure.example". Here "secure.example." signs its KEY set with the
identified in the DS record signs the KEY set, thus the KEY set is KEY identified in the DS set, thus the KEY set is validated and
validated and trusted. Note that one of the other keys in the keyset trusted.
actually signs the zone data, and resolvers will trust the signatures
as the key appears in the KEY set.
This example has only one DS record for the child but there no reason This example has only one DS record for the child, parents MUST allow
to outlaw multiple DS records. More than one DS record is needed multiple DS records to facilitate key rollover. It is strongly
during signing key rollover. It is strongly recommended that the DS recommended that the DS set be kept small, 2 or 3 records SHOULD be
set be kept small. sufficient in all cases.
Resolver determines the security status of "unsecure.example." by Resolver determines the security status of "unsecure.example." by
examining the parent size NXT for this name. examining the parent NXT for this name.
3.1 Resolver cost estimates for DS records 3.1 Resolver cost estimates for DS records
From a RFC2535 resolver point of view for each delegation followed to From a RFC2535 resolver point of view for each delegation followed to
chase down an answer one KEY record has to be verified and possibly chase down an answer one KEY record has to be verified and possibly
some other records based on policy, for example the contents of the NS some other records based on policy, for example the contents of the
set. Once the resolver gets to the appropriate delegation validating NS set. Once the resolver gets to the appropriate delegation
the answer may require verifying one or more signatures. A simple A validating the answer may require verifying one or more signatures.
record lookup requires at least N delegations to be verified and 1 A simple A record lookup requires at least N delegations to be
RRset. For a DS enabled resolver the cost is 2N+1. For MX record the verified and 1 RRset. For a DS enabled resolver the cost is 2N+1.
cost where the target of the MX record is in the same zone as the MX For MX record the cost where the target of the MX record is in the
record the costs are N+2 and 2N+2. In the case of negative answer the same zone as the MX record the costs are N+2 and 2N+2. In the case of
same ratios hold true. negative answer the same ratios hold true.
Resolver may require an extra query to get the DS record and this may Resolver may require an extra query to get the DS record and this may
add to the overall cost of the query, but this is never worse than add to the overall cost of the query, but this is never worse than
chasing down NULL KEY records from the parent in RFC2535 DNSSEC. chasing down NULL KEY records from the parent in RFC2535 DNSSEC.
DS adds processing overhead on resolvers, increases the size of DS adds processing overhead on resolvers, increases the size of
delegation answers but much less than SIG@Parent. delegation answers but much less than SIG@Parent.
4 Acknowledgments
Number of people have over the last few years contributed number of
ideas that are captured in this document. The core idea of using one
key to only sign key set, comes from discussions with Bill Manning and
Perry Metzger on how to put in a single root key in all resolvers.
Alexis Yushin, Brian Wellington, Jakob Schlyter, Scott Rosen, Edward
Lewis, Dan Massey, Lars-Johan Liman, Mark Kosters, Olaf Kolman, Miek
Gieben, Havard Eidnes, Donald Eastlake 3rd., Randy Bush, David Blacka,
Rob Austein, Derek Atkins, Roy Arends, and others have provided useful
comments.
4 - Security Considerations: 4 - Security Considerations:
This document proposes a change to the validation chain of KEY records This document proposes a change to the validation chain of KEY
in DNS. The change in is not believed to reduce security in the records in DNS. The change in is not believed to reduce security in
overall system, in RFC2535 DNSSEC child must communicate keys to the overall system, in RFC2535 DNSSEC child must communicate keys to
parent and prudent parents will require some authentication on that parent and prudent parents will require some authentication on that
handshake. The modified protocol will require same authentication but handshake. The modified protocol will require same authentication but
allows the child to exert more local control over its own KEY set. allows the child to exert more local control over its own KEY set.
There is a possibility that an attacker can generate an valid KEY that There is a possibility that an attacker can generate an valid KEY
matches all the DS fields thus starting to forge data from the child. that matches all the DS fields thus starting to forge data from the
This is considered impractical as on average more than 2^80 keys must child. This is considered impractical as on average more than 2^80
be generated before one is found that will match. keys must be generated before one is found that will match.
DS record is a change to DNSSEC protocol and there is some installed DS record is a change to DNSSEC protocol and there is some installed
base of implementations, as well as text books on how to set up base of implementations, as well as text books on how to set up
secured delegations. Implementations that do not understand DS record secured delegations. Implementations that do not understand DS record
will not be able to follow the KEY to DS to KEY chain and consider all will not be able to follow the KEY to DS to KEY chain and consider
zone secured that way insecure. all zone secured that way insecure.
5 - IANA Considerations: 5 - IANA Considerations:
IANA needs to allocate RR type code for DS from the standard RR type IANA needs to allocate RR type code for DS from the standard RR type
space. space.
IANA needs to allocate RR type code for the virtual NODS record from IANA needs to open a new registry for the DS type for Digest
the standard RR type space. Note: SINK (40) was never implemented and algorithms, Defined types are, 0 is Reserved, 1 is SHA-1. Adding new
that type code can be reused for NODS. reservations requires IETF standards action.
4 Acknowledgments
Number of people have over the last few years contributed number of
ideas that are captured in this document. The core idea of using one
key to only sign key set, comes from discussions with Bill Manning
and Perry Metzger on how to put in a single root key in all
resolvers.
Alexis Yushin, Brian Wellington, Paul Vixie, Jakob Schlyter, Scott
Rosen, Edward Lewis, Dan Massey, Lars-Johan Liman, Mark Kosters, Olaf
Kolman, Phillip Hallam-Baker, Miek Gieben, Havard Eidnes, Donald
Eastlake 3rd., Randy Bush, David Blacka, Steve Bellovin, Rob Austein,
Derek Atkins, Roy Arends, Harald Alvestrand, and others have provided
useful comments.
References: References:
[RFC1035] P. Mockapetris, ``Domain Names - Implementation and [RFC1035] P. Mockapetris, ``Domain Names - Implementation and
Specification'', STD 13, RFC 1035, November 1987. Specification'', STD 13, RFC 1035, November 1987.
[RFC2181] R. Elz, R. Bush, ``Clarifications to the DNS Specification'',
RFC 2181, July 1997.
[RFC2535] D. Eastlake, ``Domain Name System Security Extensions'', RFC [RFC2535] D. Eastlake, ``Domain Name System Security Extensions'', RFC
2535, March 1999. 2535, March 1999.
[RFC3008] B. Wellington, ``Domain Name System Security (DNSSEC) Signing [RFC3008] B. Wellington, ``Domain Name System Security (DNSSEC) Signing
Authority'', RFC 3008, November 2000. Authority'', RFC 3008, November 2000.
[RFC3090] E. Lewis `` DNS Security Extension Clarification on Zone [RFC3090] E. Lewis `` DNS Security Extension Clarification on Zone
Status'', RFC 3090, March 2001. Status'', RFC 3090, March 2001.
[OKbit] D. Conrad, ``Indicating Resolver Support of DNSSEC'', work in [RFC3225] D. Conrad, ``Indicating Resolver Support of DNSSEC'', RFC
progress <draft-ietf-dnsext-dnssec-okbit-02.txt>, April 2001. 3225, December 2001.
[Parent] R. Gieben, T. Lindgreen, ``Parent stores the child's zone [RFC3226] O. Gudmundsson, ``DNSSEC and IPv6 A6 aware server/resolver
KEYs'', work in progress <draft-ietf-dnsext-parent-stores- message size requirements'', RFC 3226, December 2001.
zones-keys-01.txt>, May 2001.
Author Address Author Address
Olafur Gudmundsson Olafur Gudmundsson
3826 Legation Street, NW 3826 Legation Street, NW
Washington, DC, 20015 Washington, DC, 20015
USA USA
<ogud@ogud.com> <ogud@ogud.com>
Appendix A: Changes from Prior versions Appendix A: Changes from Prior versions
Changes from version 04
Reworded document to obsolete RFC2535 chain of trust, no backwards
compatibility. Require DS and NXT records in referrals in authority
section. Removed the NODS bit.
Added the requirement for OK bit and Message size.
Rewrote Abstract to better express what is in the document.
Removed size field from examples and simplified them.
Changes from version 03 Changes from version 03
Added strict rules on what KEY records can be pointed to by DS. Added strict rules on what KEY records can be pointed to by DS.
Changes from version 02 Changes from version 02
Added text outlawing DS at non delegations. Added text outlawing DS at non delegations.
Added table showing the contents of DS, SIG@child, and RFC1034 Added table showing the contents of DS, SIG@child, and RFC1034
delegations. delegations.
Added the NODS type/bit definition to distiguish insecure DS Added the NODS type/bit definition to distinguish insecure DS
delegation from secure SIG@child one. delegation from secure SIG@child one.
Added the requirement that NXT be returned with referal answers. Added the requirement that NXT be returned with referral answers.
Minor text edits. Minor text edits.
Changes from version 01 Changes from version 01
Deleted KEY size field as it did not contribute anything but Deleted KEY size field as it did not contribute anything but
complexity. complexity.
Number of wordsmith changes to make document more readable. Number of wordsmith changes to make document more readable.
The word CAN was used when SHOULD was intended. The word CAN was used when SHOULD was intended.
Deleted section 2.4 "Justifications for compact format" moved relevant Deleted section 2.4 "Justifications for compact format" moved
text to section 2.2. relevant text to section 2.2.
Reverse alphabetized the acknowledgments section. Reverse alphabetized the acknowledgments section.
Reorganized sections 1 and 2 for readability. Reorganized sections 1 and 2 for readability.
Changes from version 00 Changes from version 00
Changed name from DK to DS based on working group comments. Changed name from DK to DS based on working group comments.
Dropped verbose format based on WG comments. Dropped verbose format based on WG comments.
Added text about TTL issue/problem in caching servers. Added text about TTL issue/problem in caching servers.
Added text about islands of security and clarified the cost impact. Added text about islands of security and clarified the cost impact.
Major editing of arguments and some reordering of text for clarity. Major editing of arguments and some reordering of text for clarity.
Added section on transition issues. Added section on transition issues.
Full Copyright Statement Full Copyright Statement
Copyright (C) The Internet Society (2001). All Rights Reserved. Copyright (C) The Internet Society (2002). All Rights Reserved.
This document and translations of it may be copied and furnished to This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published and or assist in its implementation may be prepared, copied, published
distributed, in whole or in part, without restriction of any kind, and distributed, in whole or in part, without restriction of any
provided that the above copyright notice and this paragraph are kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of developing Internet organizations, except as needed for the purpose of
Internet standards in which case the procedures for copyrights defined developing Internet standards in which case the procedures for
in the Internet Standards process must be followed, or as required to copyrights defined in the Internet Standards process must be
translate it into languages other than English. followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns. revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE." MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE."
 End of changes. 

This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/