draft-ietf-dnsext-delegation-signer-05.txt   draft-ietf-dnsext-delegation-signer-06.txt 
DNSEXT Working Group Olafur Gudmundsson DNSEXT Working Group Olafur Gudmundsson
<draft-ietf-dnsext-delegation-signer-05.txt> <draft-ietf-dnsext-delegation-signer-06.txt>
Updates: RFC 1035, RFC 2535, RFC 3008, RFC 3090. Updates: RFC 1035, RFC 2535, RFC 3008, RFC 3090.
Delegation Signer Resource Record Delegation Signer Resource Record
Status of this Memo Status of this Memo
This document is an Internet-Draft and is in full conformance with This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026. all provisions of Section 10 of RFC2026.
skipping to change at page 1, line 34 skipping to change at page 1, line 34
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html http://www.ietf.org/shadow.html
Comments should be sent to the authors or the DNSEXT WG mailing list Comments should be sent to the authors or the DNSEXT WG mailing list
namedroppers@ops.ietf.org namedroppers@ops.ietf.org
This draft expires on July 5, 2002. This draft expires on September 1, 2002.
Copyright Notice Copyright Notice
Copyright (C) The Internet Society (2002). All rights reserved. Copyright (C) The Internet Society (2002). All rights reserved.
Abstract Abstract
The Delegation Signer Resource Record is inserted at a zone cut point The delegation signer (DS) resource record is inserted at a zone cut
to indicate tha the delegated zone is digitally signed and that the (i.e., a delegation point) to indicate that the delegated zone is
delegation zone recognizes the indicated key as a valid zone key for digitally signed and that the delegated zone recognizes the indicated
the delegated zone. The DS RR is an modification to the DNS Security key as a valid zone key for the delegated zone. The DS RR is a
Extensions definition, motivated by operational considerations. The modification to the DNS Security Extensions definition, motivated by
intent is to use the resource record as an explicit statement about operational considerations. The intent is to use this resource record
the delegation, rather than relying on inference. as an explicit statement about the delegation, rather than relying on
inference.
This document defines the DS RR, gives examples of how it is used and This document defines the DS RR, gives examples of how it is used and
the implications of this record on resolvers. This change is not the implications of this record on resolvers. This change is not
backwards compatible with RFC 2535. backwards compatible with RFC 2535.
This document updates RFC1035, RFC2535, RFC3008 and RFC3090. This document updates RFC1035, RFC2535, RFC3008 and RFC3090.
1 - Introduction 1 Introduction
Familiarity with the DNS system [RFC1035], DNS security extensions Familiarity with the DNS system [RFC1035], DNS security extensions
[RFC2535] and DNSSEC terminology [RFC3090] is important. [RFC2535] and DNSSEC terminology [RFC3090] is important.
Experience shows that when the same data can reside in two Experience shows that when the same data can reside in two
administratively different DNS zones, the data frequently gets out of administratively different DNS zones, the data frequently gets out of
sync. NS record in a zone indicates that this name is a delegation sync. The presence of an NS RRset in a zone anywhere other than at
and the NS record lists the authorative servers for the real zone. the apex indicates a zone cut or delegation. The RDATA of the NS
Based on actual measurements 10-30% of all delegations in the RRset specifies the authoritative servers for the delegated or
Internet have differing NS sets at parent and child. There are number "child" zone. Based on actual measurements, 10-30% of all delegations
of reasons for this, including lack of communication between parent on the Internet have differing NS RRsets at parent and child. There
and child and bogus name-servers being listed to meet registrar are a number of reasons for this, including a lack of communication
requirements. between parent and child and bogus name servers being listed to meet
registrar requirements.
DNSSEC [RFC2535,RFC3008,RFC3090] specifies that child must have its
KEY set signed by the parent to create a verifiable chain of KEYs.
There has been some debate on where the signed KEY set should reside,
at the child[RFC2535] or at the parent. If the KEY set resides at the
child, maintaining the signed KEY set in the child, requires frequent
two way communication is needed between the two parties. First the
child needs to transmit the key set to parent and then the parent
sends the signed set or signatures to child. Storing the KEY at the
parent simplifies the communication.
DNSSEC[RFC2535] requires that the parent store NULL key set for DNSSEC [RFC2535,RFC3008,RFC3090] specifies that a child zone needs to
unsecure children, this is intended to be a signal that the child is have its KEY RRset signed by its parent to create a verifiable chain
unsecure. NULL Key RRset is a waste as a whole signed RRset is used of KEYs. There has been some debate on where the signed KEY RRset
to effectively communicate one bit of information, child is unsecure. should reside, whether at the child [RFC2535] or at the parent. If
Chasing down NULL key records complicates resolution process in many the KEY RRset resides at the child, maintaining the signed KEY RRset
cases as servers for both parent and child need to be queried for KEY in the child requires frequent two-way communication between the two
set if the child server does not return a KEY set. Storing the KEY parties. First the child transmits the KEY RRset to the parent and
record only in the parent zone simplifies this and would allow the then the parent sends the signature(s) to the child. Storing the KEY
elimination of the NULL key set. For large delegation zones the cost RRset at the parent simplifies the communication.
of NULL keys is significant barrier to deployment.
Another complication of the DNSSEC KEY model is that KEY record is DNSSEC [RFC2535] requires that the parent store a NULL KEY record for
used to store DNS zone keys and public keys for other protocols. an unsecure child zone to indicate that the child is unsecure. A NULL
KEY record is a waste: an entire signed RRset is used to communicate
effectively one bit of information--that the child is unsecure.
Chasing down NULL KEY RRsets complicates the resolution process in
many cases, because servers for both parent and child need to be
queried for the KEY RRset if the child server does not return it.
Storing the KEY RRset only in the parent zone simplifies this and
would allow the elimination of the NULL KEY RRsets entirely. For
large delegation zones the cost of NULL keys is a significant barrier
to deployment.
There are number of potential problems with this including: Another complication of the DNSSEC key model is that the KEY record
1. KEY set can become quite large if many applications/protocols can be used to store public keys for other protocols in addition to
store their keys at the zone apex. Possible protocols are IPSEC, DNSSEC keys. There are number of potential problems with this,
HTTP, SMTP, SSH and others that use public key cryptography. including:
2. Key set may require frequent updates. 1. The KEY RRset can become quite large if many applications and
3. Probability of compromised/lost keys increases and triggers protocols store their keys at the zone apex. Possible protocols are
emergency key rollover procedures. IPSEC, HTTP, SMTP, SSH and others that use public key cryptography.
4. Parent may refuse sign key sets with NON DNS zone keys. 2. The KEY RRset may require frequent updates.
5. Parent may not meet the child's expectations in turnaround time 3. The probability of compromised or lost keys, which trigger
in resigning the key set. emergency key rollover procedures, increases.
4. The parent may refuse sign KEY RRsets with non-DNSSEC zone keys.
5. The parent may not meet the child's expectations in turnaround
time for resigning the KEY RRset.
Given these and other reasons there is good reason to explore Given these and other reasons, there is good reason to explore
alternatives to using only KEY records to create chain of trust. alternatives to using only KEY records to create a chain of trust.
Some of these problems can be reduced or eliminated by operational Some of these problems can be reduced or eliminated by operational
rules or protocol changes. To reduce the number of keys at apex, a rules or protocol changes. To reduce the number of keys at the zone
rule to require applications to store their KEY records at the SRV apex, a rule to require applications to store their KEY records at
name for that application is one possibility. Another is to restrict the SRV name for that application is one possibility. Another is to
KEY record to DNS keys only and create a new type for all non DNS restrict the KEY record to only DNSSEC keys and create a new record
keys. Third possible solution is to ban the storage of non DNS type for all non-DNSSEC keys. A third possible solution is to
related keys at zone apex. There are other possible solutions but prohibit the storage of non-DNSSEC keys at the zone apex. There are
they are outside the scope of this document. other possible solutions, but they are outside the scope of this
document.
1.2 - Reserved words 1.2 Reserved Words
The key words "MAY","MAY NOT", "MUST", "MUST NOT", "REQUIRED", The key words "MAY","MAY NOT", "MUST", "MUST NOT", "REQUIRED",
"RECOMMENDED", "SHOULD", and "SHOULD NOT" in this document are to be "RECOMMENDED", "SHOULD", and "SHOULD NOT" in this document are to be
interpreted as described in RFC2119. interpreted as described in RFC2119.
2 - DS (Delegation KEY Signer) 2 DS (Delegation KEY Signer)
2.1 - Delegation Signer Record model 2.1 Delegation Signer Record Model
This document presents replacement of the DNSSEC KEY record chain of This document presents a replacement for the DNSSEC KEY record chain
trust[RFC2535], that uses a new RR that only reside at the parent. of trust [RFC2535] that uses a new RR that resides only at the
This record will identify the key(s) that child uses to self sign its parent. This record identifies the key(s) that the child uses to
own KEY set. self-sign its own KEY RRset.
The chain of trust is now established by verifying the parent KEY The chain of trust is now established by verifying the parent KEY
set, the DS set from the parent and the KEY set at the child. This is RRset, the DS RRset from the parent and the KEY RRset at the child.
cryptographically equivalent to just using KEY records. This is cryptographically equivalent to using just KEY records.
Communication between the parent and child is greatly reduced, since Communication between the parent and child is greatly reduced, since
the child only needs to notify parent about changes in keys that sign the child only needs to notify the parent about changes in keys that
its apex KEY RRset. Parent is ignorant of all other keys in the sign its apex KEY RRset. The parent is ignorant of all other keys in
child's apex KEY RRset, furthermore the child maintains full control the child's apex KEY RRset. Furthermore, the child maintains full
over the apex KEY set and its content. Child can maintain any control over the apex KEY RRset and its content. The child can
policies over its DNS and other KEY usage with minimal impact on maintain any policies regarding its KEY usage for DNSSEC and other
parent. Thus if child wants to have frequent key rollover for its DNS applications and protocols with minimal impact on the parent. Thus if
zone keys parent does not need to be aware of it as the child can use the child wants to have frequent key rollover for its DNS zone keys,
one key to only sign its apex KEY set and other keys to sign the the parent does not need to be aware of it: the child can use one key
other record sets in the zone. to sign only its apex KEY RRset and other keys to sign the other
RRsets in the zone.
This model fits well with slow roll out of DNSSEC and islands of This model fits well with a slow rollout of DNSSEC and the islands of
security model. In the islands of security model someone that trusts security model. In this model, someone who trusts "good.example." can
"good.example." can preconfigure a key from "good.example." as a preconfigure a key from "good.example." as a trusted key, and from
trusted keys and from then on trusts any data that is signed by that then on trusts any data signed by that key or that has a chain of
key or has a chain of trust to that key. If "example." starts trust to that key. If "example." starts advertising DS records,
advertising DS records, "good.example." does not have to change "good.example." does not have to change operations by suspending
operations, by suspending self-signing. DS records can also be used self-signing. DS records can also be used to identify trusted keys
to identify trusted keys instead of KEY records. Another significant instead of KEY records. Another significant advantage is that the
advantage is the information stored in the large delegation zones amount of information stored in large delegation zones is reduced:
reduced, as only signed keying records for secure delegations are rather than the NULL KEY record at every unsecure delegation required
needed, unlike the NULL KEY record at every unsecure delegation. by RFC 2535, only secure delegations require additional information
in the form of a signed DS RRset.
The main disadvantage of this approach that verifying delegations KEY The main disadvantage of this approach is that verifying a zone's KEY
set requires two signature verification operations instead of one in RRset requires two signature verification operations instead of the
RFC 2535. There is no impact on the number of signatures verified one required by RFC 2535. There is no impact on the number of
for other RR sets. signatures verified for other types of RRsets.
2.2 Protocol change 2.2 Protocol Change
All DNS servers and resolvers that support DS MUST support OK bit All DNS servers and resolvers that support DS MUST support the OK bit
[RFC3225] and support larger message size[RFC3226]. Each secure [RFC3225] and a larger message size [RFC3226]. Each secure
delegation in a secure zone MUST contain a DS RR set. If a query delegation in a secure zone MUST contain a DS RR set. If a query
contains the OK bit, server returning a referral for the delegation contains the OK bit, a server returning a referral for the delegation
MUST include the following RR sets in the authority section in this MUST include the following RR sets in the authority section in this
order: order:
parent NS parent NS
DS and SIG(DS) (if present) DS and SIG(DS) (if present)
parent NXT and SIG(NXT/parent) parent NXT and SIG(parent NXT)
This increases the size of referral messages and may cause some or This increases the size of referral messages and may cause some or
all glue to be omitted. If DS or NXT RR or their signatures do not all glue to be omitted. If the DS or NXT RRsets or their signatures
fit inside the DNS message the TC bit must be set. Additional do not fit in the DNS message, the TC bit MUST be set. Additional
section processing is not changed. section processing is not changed.
If a DS RR set accompanies the NS RR set, this states that the child A DS RRset accompanying an NS RRset indicates that the child zone is
zone is secured. If an NS RR set exists without a DS RR set the secure. If an NS RRset exists without a DS RRset, the child zone is
intent is to state that the child zone is unsecure. DS sets MUST NOT unsecure. DS RRsets MUST NOT appear at non-delegation points or at a
appear at non delegations or at zone APEX. zone's apex.
Following section 2.2.1 replaces RFC2535 sections 2.3.4 and 3.4, The following section 2.2.1 replaces RFC2535 sections 2.3.4 and 3.4,
section 2.2.2 replaces RFC3008 section 2.7, RFC3090 updates are in section 2.2.2 replaces RFC3008 section 2.7, and RFC3090 updates are
section 2.2.3. in section 2.2.3.
2.2.1 RFC2535 2.3.4 and 3.4: Special considerations at delegation points 2.2.1 RFC2535 2.3.4 and 3.4: Special Considerations at Delegation Points
DNS security would like to view each zone as a unit of data DNS security views each zone as a unit of data completely under the
completely under the control of the zone owner with each entry control of the zone owner with each entry (RRset) signed by a special
(RRset) signed by a special private key held by the zone manager. private key held by the zone manager. But the DNS protocol views the
But the DNS protocol views the leaf nodes in a zone, which are also leaf nodes in a zone that are also the apex nodes of a child zone
the apex nodes of a subzone (i.e., delegation points), as "really" (i.e., delegation points) as "really" belonging to the child zone.
belonging to the subzone. These nodes occur in two master files and The corresponding domain names appear in two master files and might
might have RRs signed by both the upper and lower zone's keys. A have RRsets signed by both the parent and child zones' keys. A
retrieval could get a mixture of these RRs and SIGs, especially since retrieval could get a mixture of these RRsets and SIGs, especially
one server could be serving both the zone above and below a since one server could be serving both the zone above and below a
delegation point[RFC 2181]. delegation point[RFC 2181].
For every secure delegation there MUST be a DS record stored in For every secure delegation there MUST be a DS RRset stored in the
parent zone signed by parent zone key. Parent zone MUST NOT contain parent zone signed by the parent zone's private key. The parent zone
KEY record at delegation points. Delegations in parent MAY only MUST NOT contain a KEY RRset at any delegation points. Delegations in
contain following RR types NS, DS, NXT and SIG. NS RR set MUST NOT be the parent MAY contain only the following RR types: NS, DS, NXT and
signed. The NXT RR type is the exceptional case that will always SIG. The NS RRset MUST NOT be signed. The NXT RRset is the
appear differently and authoritatively in both the super-zone and exceptional case: it will always appear differently and
subzone, if both are secure. authoritatively in both the parent and child zones if both are
secure.
All secure zones MUST contain a self signed KEY RR set at apex. Upon A secure zones MUST contain a self-signed KEY RRset at its apex.
verifying the DS set from the parent, the resolver MAY trust any KEY Upon verifying the DS RRset from the parent, a resolver MAY trust any
identified in the DS set as a valid signer of the childs apex KEY KEY identified in the DS RRset as a valid signer of the child's apex
set. Resolvers configured to trust one of the KEY's signing the KEY KEY RRset. Resolvers configured to trust one of the keys signing the
set MAY now treat any data signed by the zone keys in the KEY set as KEY RRset MAY now treat any data signed by the zone keys in the KEY
secure. In all other cases resolvers MUST consider the zone RRset as secure. In all other cases resolvers MUST consider the zone
insecure. DS RR MUST NOT appear at zone APEX. unsecure. A DS RRset MUST NOT appear at a zone's apex.
2.2.2 Signers name (replaces RFC3008 section 2.7) An authoritative server queried for type DS MUST return the DS RRset
in the answer section along with the corresponding NXT RRset in the
authority section. If the server is authoritative for both parent
and child zones, the answer MUST be from the parent. A caching
server MUST behave the same way, returning the DS RRset and the
parent's NXT RRset, if records are available.
2.2.2 Signer's Name (replaces RFC3008 section 2.7)
The signer's name field of a data SIG MUST contain the name of the The signer's name field of a data SIG MUST contain the name of the
zone to which the data and signature belong. The combination of zone to which the data and signature belong. The combination of
signer's name, key tag, and algorithm MUST identify a zone key if the signer's name, key tag, and algorithm MUST identify a zone key if the
SIG is to be considered material. This document defines a standard SIG is to be considered material. This document defines a standard
policy for DNSSEC validation; local policy may override the standard policy for DNSSEC validation; local policy may override the standard
policy. policy.
There are no restrictions on the signer field of a SIG(0) record. There are no restrictions on the signer field of a SIG(0) record.
The combination of signer's name, key tag, and algorithm MUST The combination of signer's name, key tag, and algorithm MUST
identify a key if this SIG(0) is to be processed. identify a key if this SIG(0) is to be processed.
2.2.4 changes to RFC3090 2.2.4 Changes to RFC3090
Number of sections of RFC3090 need to be updated to reflect the DS A number of sections of RFC3090 need to be updated to reflect the DS
record. record.
2.2.4.1 RFC3090: Updates to section 1: Introduction 2.2.4.1 RFC3090: Updates to section 1: Introduction
Most of the text is still relevant but the words ``NULL key'' are to Most of the text is still relevant but the words ``NULL key'' are to
be replaced with ``missing DS set''. In section 1.3 the last three be replaced with ``missing DS RRset''. In section 1.3 the last three
paragraphs discuss the confusion in sections of RFC 2535, that are paragraphs discuss the confusion in sections of RFC 2535 that are
replaced in section 2.2.1 above, thus these paragraphs are now replaced in section 2.2.1 above. Therefore, these paragraphs are now
obsolete. obsolete.
2.2.4.2 RFC3090 section 2.1: Globally Secured 2.2.4.2 RFC3090 section 2.1: Globally Secured
Rule 2.1.b is replaced by following rule: Rule 2.1.b is replaced by the following rule:
2.1.b. The zone's apex KEY RR set MUST be self signed by a private 2.1.b. The KEY RRset at a zone's apex MUST be self-signed by a
key in the KEY RR set. The private key's public companion MUST be a private key whose public counterpart MUST appear in a zone signing
zone signing KEY RR (2.a) of a mandatory to implement algorithm and KEY RR (2.a) owned by the zone's apex and specifying a mandatory-to-
owned by the parent's apex. This KEY must be identified by a signed implement algorithm. This KEY RR MUST be identified by a DS RR in a
DS RR in the parent zone. signed DS RRset in the parent zone.
If a zone cannot get a parent to advertise a DS record for it, child If a zone cannot get its parent to advertise a DS record for it, the
zone cannot be considered globally secured. The only exception to child zone cannot be considered globally secured. The only exception
this is the root zone, for which there is no parent zone to this is the root zone, for which there is no parent zone.
2.2.4.3 RFC3090 section 3: Experimental Status. 2.2.4.3 RFC3090 section 3: Experimental Status.
The only difference between Experimental status and globally secured The only difference between experimental status and globally secured
is the missing DS in the parent. All Locally Secured zones are is the missing DS RRset in the parent zone. All locally secured zones
Experimental. are experimental.
2.3 - Comments on protocol changes 2.3 Comments on Protocol Changes
Over the years there has been various discussions on that the Over the years there have been various discussions surrounding the
delegation model in DNS is broken as there is no real good way to DNS delegation model, declaring it to be broken because there is no
assert if delegation exists. In RFC2535 version of DNSSEC the good way to assert if a delegation exists. In the RFC2535 version of
authentication of a delegation is the NS bit in the NXT bitmap at the DNSSEC, the presence of the NS bit in the NXT bit map proves there is
delegation point. Something more explicit is needed and the DS record a delegation at this name. Something more explicit is needed and the
addresses this for secure delegations. DS record addresses this need for secure delegations.
DS record is a major change to DNS as it is the first DNS record that The DS record is a major change to DNS: it is the first resource
can only appear on the upper side of a delegation. Adding it will record that can appear only on the upper side of a delegation. Adding
cause interoperabilty problems and a flag day for DNSSEC. Many old it will cause interoperability problems and requires a flag day for
servers and resolvers MUST be upgraded to take advantage of DS. Some DNSSEC. Many old servers and resolvers MUST be upgraded to take
old servers will be able to be authorative for zones with DS records advantage of DS. Some old servers will be able to be authoritative
but will not add the NXT and DS records to authority section. Same for zones with DS records but will not add the NXT and DS records to
goes for caching servers, some may even refuse to pass on the DS and the authority section. The same is true for caching servers; in
NXT records. fact, some may even refuse to pass on the DS and NXT records.
2.4 Wire format of DS record 2.4 Wire Format of the DS record
The DS (type=TDB) record consists of algorithm, key tag and SHA-1 The DS (type=TDB) record contains these fields: key tag, algorithm,
digest of a public key KEY record that is allowed/used to sign the digest type, and the digest of a public key KEY record that is
child's delegation. Other keys MAY sign the child's apex KEY set. allowed and/or used to sign the child's apex KEY RRset. Other keys
MAY sign the child's apex KEY RRset.
1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| key tag | algorithm | Digest type | | key tag | algorithm | Digest type |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| SHA-1 digest | | SHA-1 digest |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| (20 bytes) | | (20 bytes) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-|
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-|
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The key tag is calculated as specified in RFC2535, Algorithm MUST be
The key tag is calculated as specified in RFC2535. Algorithm MUST be
an algorithm number assigned in the range 1..251 and the algorithm an algorithm number assigned in the range 1..251 and the algorithm
MUST be allowed to sign DNS data. The digest type is an identifier MUST be allowed to sign DNS data. The digest type is an identifier
for the digest algorithm used. The digest is calculated over the for the digest algorithm used. The digest is calculated over the
canonical name of the delegation followed by the whole RDATA of the canonical name of the delegated domain name followed by the whole
KEY record. RDATA of the KEY record.
Digest type value 0 is reserved, value 1 is SHA-1, and reserving
other types requires IETF standards action. For interoperability
reasons, as few digest algorithms as possible should be reserved. The
only reason to reserve additional digest types is to increase
security.
Digest type value 0 is reserved, value 1 is SHA-1, reserving other
types requires IETF standards action. For interoperabilty reasons as
few digest type algorithms should be reserved, the only reason to
reserve another digest type is to increase security.
DS records MUST point to zone KEY records that are allowed to DS records MUST point to zone KEY records that are allowed to
authenticate DNS data. Protocol MUST be set to 3. Flag field bits 0 authenticate DNS data. The indicated KEY record's protocol field
and 6 MUST be set to 0, bit 7 MUST be set to 1. Value of other bits MUST be set to 3; flag field bits 0 and 6 MUST be set to 0; bit 7
is not important. MUST be set to 1. The value of other bits is not significant for the
The size of the DS RDATA for type 1(SHA-1) is 24 bytes, regardless of purposes of this document.
key size.
2.4.1 Justifications for fields The size of the DS RDATA for type 1 (SHA-1) is 24 bytes, regardless
of key size.
The algorithm and key tag fields are here to allow resolvers to 2.4.1 Justifications for Fields
quickly identify the candidate KEY records to examine. The key tag
adds some greater assurance than SHA-1 digest on its own. SHA-1 is a
strong cryptographic checksum, it is real hard for attacker to
generate a KEY record that has the same SHA-1 digest. Combining the
name of the key and the key data as input to the digest provides
stronger assurance of the binding.
This format allows concise representation of the keys that child will The algorithm and key tag fields are present to allow resolvers to
use, thus keeping down the size of the answer for the delegation, quickly identify the candidate KEY records to examine. SHA-1 is a
reducing the probability of packet overflow. The SHA-1 hash is strong strong cryptographic checksum: it is computationally infeasible for
enough to uniquely identify the key. This is similar to the PGP an attacker to generate a KEY record that has the same SHA-1 digest.
footprint. The digest type field is there for possible future Combining the name of the key and the key data as input to the digest
expansion. provides stronger assurance of the binding. Having the key tag in
the DS record adds greater assurance than the SHA-1 digest alone, as
there are now two different mapping functions that a KEY RR must
match.
DS record is well suited to lists trusted keys for islands of This format allows concise representation of the keys that the child
will use, thus keeping down the size of the answer for the
delegation, reducing the probability of DNS message overflow. The
SHA-1 hash is strong enough to uniquely identify the key and is
similar to the PGP key footprint. The digest type field is present
for possible future expansion.
The DS record is well suited to listing trusted keys for islands of
security in configuration files. security in configuration files.
2.5 Presentation format of DS record 2.5 Presentation Format of the DS Record
The presentation format of DS record consists of 2 numbers followed The presentation format of the DS record consists of three numbers
by digest presented in hex. (key tag, algorithm and digest type) followed by the digest itself
foo.example DS 12345 3 1 123456789abcdef67890 presented in hex:
foo.example. DS 12345 3 1 123456789abcdef67890
2.6 Transition issues for installed base 2.6 Transition Issues for Installed Base
RFC2535 compliant resolver will assume that all DS secured No backwards compatibility with RFC2535 is provided.
delegations are locally secure. This is a bad thing, but the DNSEXT
working group has determined that rather than having to have to deal RFC2535-compliant resolvers will assume that all DS-secured
with both RFC2535 secured zone and DS secured zone, a rapid adaption delegations are locally secure. This is bad, but the DNSEXT Working
of DS is preferable. Thus the only option for early adopters is to Group has determined that rather than dealing with both
upgrade to DS as soon as possible. RFC2535-secured zones and DS-secured zones, a rapid adoption of DS is
preferable. Thus the only option for early adopters is to upgrade to
DS as soon as possible.
2.6.1 Backwards compatibility with RFC2535 and RFC1035 2.6.1 Backwards compatibility with RFC2535 and RFC1035
This section documents how a resolver determines the type of This section documents how a resolver determines the type of
delegation. delegation.
RFC1035 delegation has: RFC1035 delegation (in parent) has:
RFC1035 NS RFC1035 NS
RFC2535 adds the following two cases: RFC2535 adds the following two cases:
Secure RFC2535: NS + NXT + SIG(NXT) Secure RFC2535: NS + NXT + SIG(NXT)
NXT bit map contains: NS SIG NXT NXT bit map contains: NS SIG NXT
Insecure RFC2535: NS + KEY + SIG(KEY) + NXT + SIG(NXT) Unsecure RFC2535: NS + KEY + SIG(KEY) + NXT + SIG(NXT)
NXT bit map contains: NS SIG KEY NXT NXT bit map contains: NS SIG KEY NXT
KEY must be null-key. KEY must be a NULL key.
DS has the following two states: DS has the following two states:
Secure DS: NS + DS + SIG(DS) + NXT + SIG(NXT) Secure DS: NS + DS + SIG(DS) + NXT + SIG(NXT)
NXT bit map contains: NS SIG NXT DS NXT bit map contains: NS SIG NXT DS
Insecure DS: NS + NXT + SIG(NXT) Unsecure DS: NS + NXT + SIG(NXT)
NXT bit map contains: NS SIG KEY NXT NXT bit map contains: NS SIG NXT
It is hard for a resolver to determine if a delegation is Secure 2535
or Insecure DS. This can be overcome by adding a flag to the NXT bit
map but only upgraded resolvers will understand this flag. Having
both parent and child signatures on the keyset may allow old
resolvers to accept zone as secure, but the cost of doing this for a
long time is much higher than just outlaw Sig@Child and force rapid
deployment of DS enabled servers and resolvers.
RFC 2535 and DS can in theory be deployed in parallel, but this will It is difficult for a resolver to determine if a delegation is secure
RFC 2535 or unsecure DS. This could be overcome by adding a flag to
the NXT bit map, but only upgraded resolvers would understand this
flag, anyway. Having both parent and child signatures for a KEY RRset
might allow old resolvers to accept a zone as secure, but the cost of
doing this for a long time is much higher than just prohibiting RFC
2535-style signatures at child zone apexes and forcing rapid
deployment of DS-enabled servers and resolvers.
RFC 2535 and DS can in theory be deployed in parallel, but this would
require resolvers to deal with RFC 2535 configurations forever. This require resolvers to deal with RFC 2535 configurations forever. This
document obsoletes NULL KEY in parent zones, that is difficult enough document obsoletes the NULL KEY in parent zones, which is a difficult
change that flag day is required. enough change that a flag day is required.
3 Resolver Example 3 Resolver Example
To create a chain of trust resolver goes from trusted KEY to DS to To create a chain of trust, a resolver goes from trusted KEY to DS to
KEY. KEY.
Assume the key for domain "example." is trusted. Zone "example." Assume the key for domain "example." is trusted. Zone "example."
contains at least the following records: contains at least the following records:
example. SOA <soa stuff> example. SOA <soa stuff>
example. NS ns.example. example. NS ns.example.
example. KEY <stuff> example. KEY <stuff>
example. NXT NS SOA KEY SIG NXT example. NXT NS SOA KEY SIG NXT
example. SIG(SOA) example. SIG(SOA)
example. SIG(NS) example. SIG(NS)
example. SIG(NXT) example. SIG(NXT)
example. SIG(KEY) example. SIG(KEY)
secure.example. NS ns1.secure.example. secure.example. NS ns1.secure.example.
secure.example. DS tag=10243 alg=3 <foofoo> secure.example. DS tag=10243 alg=3 digest_type=1 <foofoo>
secure.example. NXT NS SIG NXT DS unsecure.example. secure.example. NXT NS SIG NXT DS unsecure.example.
secure.example. SIG(NXT) secure.example. SIG(NXT)
secure.example. SIG(DS) secure.example. SIG(DS)
unsecure.example NS ns1.unsecure.example. unsecure.example NS ns1.unsecure.example.
unsecure.example. NXT NS SIG NXT .example. unsecure.example. NXT NS SIG NXT .example.
unsecure.example. SIG(NXT) unsecure.example. SIG(NXT)
In zone "secure.example." following records exist: In zone "secure.example." following records exist:
secure.example. SOA <soa stuff> secure.example. SOA <soa stuff>
secure.example. NS ns1.secure.example. secure.example. NS ns1.secure.example.
secure.example. KEY <tag=12345 alg=3> secure.example. KEY <tag=12345 alg=3>
secure.example. SIG(KEY) <key-tag=12345 alg=3> secure.example. SIG(KEY) <key-tag=12345 alg=3>
secure.example. SIG(SOA) <key-tag=12345 alg=3> secure.example. SIG(SOA) <key-tag=12345 alg=3>
secure.example. SIG(NS) <key-tag=12345 alg=5> secure.example. SIG(NS) <key-tag=12345 alg=5>
In this example the trusted key for "example." signs the DS record In this example the private key for "example." signs the DS record
for "secure.example.", making that a trusted record. The DS record for "secure.example.", making that a secure delegation. The DS record
states what key is expected to sign the KEY RRset at states which key is expected to sign the KEY RRset at
"secure.example". Here "secure.example." signs its KEY set with the "secure.example.". Here "secure.example." signs its KEY RRset with
KEY identified in the DS set, thus the KEY set is validated and the KEY identified in the DS RRset, thus the KEY RRset is validated
trusted. and trusted.
This example has only one DS record for the child, parents MUST allow This example has only one DS record for the child, but parents MUST
multiple DS records to facilitate key rollover. It is strongly allow multiple DS records to facilitate key rollover. It is strongly
recommended that the DS set be kept small, 2 or 3 records SHOULD be recommended that the DS RRset be kept small: two or three DS records
sufficient in all cases. SHOULD be sufficient in all cases.
Resolver determines the security status of "unsecure.example." by The resolver determines the security status of "unsecure.example." by
examining the parent NXT for this name. examining the parent zone's NXT record for this name. The absence of
the DS bit indicates an unsecure delegation.
3.1 Resolver cost estimates for DS records 3.1 Resolver Cost Estimates for DS Records
From a RFC2535 resolver point of view for each delegation followed to From a RFC2535 resolver point of view, for each delegation followed
chase down an answer one KEY record has to be verified and possibly to chase down an answer, one KEY RRset has to be verified.
some other records based on policy, for example the contents of the Additional RRsets might also need to be verified based on local
NS set. Once the resolver gets to the appropriate delegation policy (e.g., the contents of the NS RRset). Once the resolver gets
validating the answer may require verifying one or more signatures. to the appropriate delegation, validating the answer might require
A simple A record lookup requires at least N delegations to be verifying one or more signatures. A simple A record lookup requires
verified and 1 RRset. For a DS enabled resolver the cost is 2N+1. at least N delegations to be verified and one RRset. For a DS-enabled
For MX record the cost where the target of the MX record is in the resolver, the cost is 2N+1. For an MX record, where the target of
same zone as the MX record the costs are N+2 and 2N+2. In the case of the MX record is in the same zone as the MX record, the costs are N+2
negative answer the same ratios hold true. and 2N+2, for RFC 2535 and DS, respectively. In the case of negatives
answer the same ratios hold true.
Resolver may require an extra query to get the DS record and this may The resolver may require an extra query to get the DS record and this
add to the overall cost of the query, but this is never worse than may add to the overall cost of the query, but this is never worse
chasing down NULL KEY records from the parent in RFC2535 DNSSEC. than chasing down NULL KEY records from the parent in RFC2535 DNSSEC.
DS adds processing overhead on resolvers, increases the size of DS adds processing overhead on resolvers and increases the size of
delegation answers but much less than SIG@Parent. delegation answers, but much less than storing signatures in the
parent zone.
4 - Security Considerations: 4 Security Considerations:
This document proposes a change to the validation chain of KEY This document proposes a change to the validation chain of KEY
records in DNS. The change in is not believed to reduce security in records in DNSSEC. The change is not believed to reduce security in
the overall system, in RFC2535 DNSSEC child must communicate keys to the overall system. In RFC2535 DNSSEC, the child zone has to
parent and prudent parents will require some authentication on that communicate keys to its parent and prudent parents will require some
handshake. The modified protocol will require same authentication but authentication with that transaction. The modified protocol will
allows the child to exert more local control over its own KEY set. require the same authentication, but allows the child to exert more
local control over its own KEY RRset.
There is a possibility that an attacker can generate an valid KEY There is a remote possibility that an attacker could generate a valid
that matches all the DS fields thus starting to forge data from the KEY that matches all the DS fields and thus forge data from the
child. This is considered impractical as on average more than 2^80 child. This possibility is considered impractical, as on average more
keys must be generated before one is found that will match. than 2^80 keys would have to be generated before a match would be
found.
DS record is a change to DNSSEC protocol and there is some installed The DS record represents a change to the DNSSEC protocol and there is
base of implementations, as well as text books on how to set up an installed base of implementations, as well as textbooks on how to
secured delegations. Implementations that do not understand DS record set up secure delegations. Implementations that do not understand the
will not be able to follow the KEY to DS to KEY chain and consider DS record will not be able to follow the KEY to DS to KEY chain and
all zone secured that way insecure. will consider all zones secured that way as unsecure.
5 - IANA Considerations: 5 IANA Considerations:
IANA needs to allocate RR type code for DS from the standard RR type IANA needs to allocate an RR type code for DS from the standard RR
space. type space.
IANA needs to open a new registry for the DS type for Digest IANA needs to open a new registry for the DS type for digest
algorithms, Defined types are, 0 is Reserved, 1 is SHA-1. Adding new algorithms. Defined types are: 0 is Reserved, 1 is SHA-1. Adding new
reservations requires IETF standards action. reservations requires IETF standards action.
4 Acknowledgments 4 Acknowledgments
Number of people have over the last few years contributed number of Over the last few years a number of people have contributed ideas
ideas that are captured in this document. The core idea of using one that are captured in this document. The core idea of using one key to
key to only sign key set, comes from discussions with Bill Manning sign only the KEY RRset comes from discussions with Bill Manning and
and Perry Metzger on how to put in a single root key in all Perry Metzger on how to put in a single root key in all resolvers.
resolvers.
Alexis Yushin, Brian Wellington, Paul Vixie, Jakob Schlyter, Scott Alexis Yushin, Brian Wellington, Paul Vixie, Jakob Schlyter, Scott
Rosen, Edward Lewis, Dan Massey, Lars-Johan Liman, Mark Kosters, Olaf Rosen, Edward Lewis, Lars-Johan Liman, Matt Larson, Mark Kosters, Dan
Kolman, Phillip Hallam-Baker, Miek Gieben, Havard Eidnes, Donald Massey, Olaf Kolman, Phillip Hallam-Baker, Miek Gieben, Havard
Eastlake 3rd., Randy Bush, David Blacka, Steve Bellovin, Rob Austein, Eidnes, Donald Eastlake 3rd., Randy Bush, David Blacka, Steve
Derek Atkins, Roy Arends, Harald Alvestrand, and others have provided Bellovin, Rob Austein, Derek Atkins, Roy Arends, Harald Alvestrand,
useful comments. and others have provided useful comments.
References: References:
[RFC1035] P. Mockapetris, ``Domain Names - Implementation and [RFC1035] P. Mockapetris, ``Domain Names - Implementation and
Specification'', STD 13, RFC 1035, November 1987. Specification'', STD 13, RFC 1035, November 1987.
[RFC2181] R. Elz, R. Bush, ``Clarifications to the DNS Specification'', [RFC2181] R. Elz, R. Bush, ``Clarifications to the DNS Specification'',
RFC 2181, July 1997. RFC 2181, July 1997.
[RFC2535] D. Eastlake, ``Domain Name System Security Extensions'', RFC [RFC2535] D. Eastlake, ``Domain Name System Security Extensions'', RFC
skipping to change at page 12, line 17 skipping to change at page 13, line 14
Author Address Author Address
Olafur Gudmundsson Olafur Gudmundsson
3826 Legation Street, NW 3826 Legation Street, NW
Washington, DC, 20015 Washington, DC, 20015
USA USA
<ogud@ogud.com> <ogud@ogud.com>
Appendix A: Changes from Prior versions Appendix A: Changes from Prior versions
Changes from version 05
Major wording changes for clarity contributed by Matt Larson.
Added explicit rule that query for type DS MUST be answered from the
upper side of delegation.
Changes from version 04 Changes from version 04
Reworded document to obsolete RFC2535 chain of trust, no backwards Reworded document to obsolete RFC2535 chain of trust, no backwards
compatibility. Require DS and NXT records in referrals in authority compatibility. Require DS and NXT records in referrals in authority
section. Removed the NODS bit. section. Removed the NODS bit.
Added the requirement for OK bit and Message size. Added the requirement for OK bit and Message size.
Rewrote Abstract to better express what is in the document. Rewrote Abstract to better express what is in the document.
Removed size field from examples and simplified them. Removed size field from examples and simplified them.
Changes from version 03 Changes from version 03
 End of changes. 

This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/