draft-ietf-dnsext-delegation-signer-06.txt   draft-ietf-dnsext-delegation-signer-07.txt 
DNSEXT Working Group Olafur Gudmundsson DNSEXT Working Group Olafur Gudmundsson
<draft-ietf-dnsext-delegation-signer-06.txt> <draft-ietf-dnsext-delegation-signer-07.txt>
Updates: RFC 1035, RFC 2535, RFC 3008, RFC 3090. Updates: RFC 1035, RFC 2535, RFC 3008, RFC 3090.
Delegation Signer Resource Record Delegation Signer Resource Record
Status of this Memo Status of this Memo
This document is an Internet-Draft and is in full conformance with This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026. all provisions of Section 10 of RFC2026.
skipping to change at page 1, line 34 skipping to change at page 1, line 34
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html http://www.ietf.org/shadow.html
Comments should be sent to the authors or the DNSEXT WG mailing list Comments should be sent to the authors or the DNSEXT WG mailing list
namedroppers@ops.ietf.org namedroppers@ops.ietf.org
This draft expires on September 1, 2002. This draft expires on September 30, 2002.
Copyright Notice Copyright Notice
Copyright (C) The Internet Society (2002). All rights reserved. Copyright (C) The Internet Society (2002). All rights reserved.
Abstract Abstract
The delegation signer (DS) resource record is inserted at a zone cut The delegation signer (DS) resource record is inserted at a zone cut
(i.e., a delegation point) to indicate that the delegated zone is (i.e., a delegation point) to indicate that the delegated zone is
digitally signed and that the delegated zone recognizes the indicated digitally signed and that the delegated zone recognizes the indicated
skipping to change at page 3, line 10 skipping to change at page 3, line 10
Storing the KEY RRset only in the parent zone simplifies this and Storing the KEY RRset only in the parent zone simplifies this and
would allow the elimination of the NULL KEY RRsets entirely. For would allow the elimination of the NULL KEY RRsets entirely. For
large delegation zones the cost of NULL keys is a significant barrier large delegation zones the cost of NULL keys is a significant barrier
to deployment. to deployment.
Another complication of the DNSSEC key model is that the KEY record Another complication of the DNSSEC key model is that the KEY record
can be used to store public keys for other protocols in addition to can be used to store public keys for other protocols in addition to
DNSSEC keys. There are number of potential problems with this, DNSSEC keys. There are number of potential problems with this,
including: including:
1. The KEY RRset can become quite large if many applications and 1. The KEY RRset can become quite large if many applications and
protocols store their keys at the zone apex. Possible protocols are protocols store their keys at the zone apex. Possible protocols
IPSEC, HTTP, SMTP, SSH and others that use public key cryptography. are IPSEC, HTTP, SMTP, SSH and others that use public key
cryptography.
2. The KEY RRset may require frequent updates. 2. The KEY RRset may require frequent updates.
3. The probability of compromised or lost keys, which trigger 3. The probability of compromised or lost keys, which trigger
emergency key rollover procedures, increases. emergency key rollover procedures, increases.
4. The parent may refuse sign KEY RRsets with non-DNSSEC zone keys. 4. The parent may refuse sign KEY RRsets with non-DNSSEC zone keys.
5. The parent may not meet the child's expectations in turnaround 5. The parent may not meet the child's expectations in turnaround
time for resigning the KEY RRset. time for resigning the KEY RRset.
Given these and other reasons, there is good reason to explore Given these and other reasons, there is good reason to explore
alternatives to using only KEY records to create a chain of trust. alternatives to using only KEY records to create a chain of trust.
skipping to change at page 4, line 40 skipping to change at page 4, line 43
signatures verified for other types of RRsets. signatures verified for other types of RRsets.
2.2 Protocol Change 2.2 Protocol Change
All DNS servers and resolvers that support DS MUST support the OK bit All DNS servers and resolvers that support DS MUST support the OK bit
[RFC3225] and a larger message size [RFC3226]. Each secure [RFC3225] and a larger message size [RFC3226]. Each secure
delegation in a secure zone MUST contain a DS RRset. If a query delegation in a secure zone MUST contain a DS RRset. If a query
contains the OK bit, a server returning a referral for the delegation contains the OK bit, a server returning a referral for the delegation
MUST include the following RRsets in the authority section in this MUST include the following RRsets in the authority section in this
order: order:
parent NS parent NS RRset
DS and SIG(DS) (if present) DS and SIG(DS) (if DS is present)
parent NXT and SIG(parent NXT) parent NXT and SIG(NXT) (If no DS)
This increases the size of referral messages and may cause some or This increases the size of referral messages and may cause some or
all glue to be omitted. If the DS or NXT RRsets or their signatures all glue to be omitted. If the DS or NXT RRsets with signatures do
do not fit in the DNS message, the TC bit MUST be set. Additional not fit in the DNS message, the TC bit MUST be set. Additional
section processing is not changed. section processing is not changed.
A DS RRset accompanying an NS RRset indicates that the child zone is A DS RRset accompanying an NS RRset indicates that the child zone is
secure. If an NS RRset exists without a DS RRset, the child zone is secure. If an NS RRset exists without a DS RRset, the child zone is
unsecure. DS RRsets MUST NOT appear at non-delegation points or at a unsecure. DS RRsets MUST NOT appear at non-delegation points or at a
zone's apex. zone's apex.
The following section 2.2.1 replaces RFC2535 sections 2.3.4 and 3.4, The following section 2.2.1 replaces RFC2535 sections 2.3.4 and 3.4,
section 2.2.2 replaces RFC3008 section 2.7, and RFC3090 updates are section 2.2.2 replaces RFC3008 section 2.7, and RFC3090 updates are
in section 2.2.3. in section 2.2.3.
skipping to change at page 5, line 40 skipping to change at page 5, line 42
A secure zones MUST contain a self-signed KEY RRset at its apex. A secure zones MUST contain a self-signed KEY RRset at its apex.
Upon verifying the DS RRset from the parent, a resolver MAY trust any Upon verifying the DS RRset from the parent, a resolver MAY trust any
KEY identified in the DS RRset as a valid signer of the child's apex KEY identified in the DS RRset as a valid signer of the child's apex
KEY RRset. Resolvers configured to trust one of the keys signing the KEY RRset. Resolvers configured to trust one of the keys signing the
KEY RRset MAY now treat any data signed by the zone keys in the KEY KEY RRset MAY now treat any data signed by the zone keys in the KEY
RRset as secure. In all other cases resolvers MUST consider the zone RRset as secure. In all other cases resolvers MUST consider the zone
unsecure. A DS RRset MUST NOT appear at a zone's apex. unsecure. A DS RRset MUST NOT appear at a zone's apex.
An authoritative server queried for type DS MUST return the DS RRset An authoritative server queried for type DS MUST return the DS RRset
in the answer section along with the corresponding NXT RRset in the in the answer section.
authority section. If the server is authoritative for both parent
and child zones, the answer MUST be from the parent. A caching
server MUST behave the same way, returning the DS RRset and the
parent's NXT RRset, if records are available.
2.2.2 Signer's Name (replaces RFC3008 section 2.7) 2.2.2 Signer's Name (replaces RFC3008 section 2.7)
The signer's name field of a data SIG MUST contain the name of the The signer's name field of a SIG RR MUST contain the name of the zone
zone to which the data and signature belong. The combination of to which the data and signature belong. The combination of signer's
signer's name, key tag, and algorithm MUST identify a zone key if the name, key tag, and algorithm MUST identify a zone key if the SIG is
SIG is to be considered material. This document defines a standard to be considered material. This document defines a standard policy
policy for DNSSEC validation; local policy may override the standard for DNSSEC validation; local policy may override the standard policy.
policy.
There are no restrictions on the signer field of a SIG(0) record. There are no restrictions on the signer field of a SIG(0) record.
The combination of signer's name, key tag, and algorithm MUST The combination of signer's name, key tag, and algorithm MUST
identify a key if this SIG(0) is to be processed. identify a key if this SIG(0) is to be processed.
2.2.4 Changes to RFC3090 2.2.4 Changes to RFC3090
A number of sections of RFC3090 need to be updated to reflect the DS A number of sections of RFC3090 need to be updated to reflect the DS
record. record.
skipping to change at page 7, line 13 skipping to change at page 7, line 10
good way to assert if a delegation exists. In the RFC2535 version of good way to assert if a delegation exists. In the RFC2535 version of
DNSSEC, the presence of the NS bit in the NXT bit map proves there is DNSSEC, the presence of the NS bit in the NXT bit map proves there is
a delegation at this name. Something more explicit is needed and the a delegation at this name. Something more explicit is needed and the
DS record addresses this need for secure delegations. DS record addresses this need for secure delegations.
The DS record is a major change to DNS: it is the first resource The DS record is a major change to DNS: it is the first resource
record that can appear only on the upper side of a delegation. Adding record that can appear only on the upper side of a delegation. Adding
it will cause interoperability problems and requires a flag day for it will cause interoperability problems and requires a flag day for
DNSSEC. Many old servers and resolvers MUST be upgraded to take DNSSEC. Many old servers and resolvers MUST be upgraded to take
advantage of DS. Some old servers will be able to be authoritative advantage of DS. Some old servers will be able to be authoritative
for zones with DS records but will not add the NXT and DS records to for zones with DS records but will not add the NXT or DS records to
the authority section. The same is true for caching servers; in the authority section. The same is true for caching servers; in
fact, some may even refuse to pass on the DS and NXT records. fact, some may even refuse to pass on the DS or NXT records.
2.4 Wire Format of the DS record 2.4 Wire Format of the DS record
The DS (type=TDB) record contains these fields: key tag, algorithm, The DS (type=TDB) record contains these fields: key tag, algorithm,
digest type, and the digest of a public key KEY record that is digest type, and the digest of a public key KEY record that is
allowed and/or used to sign the child's apex KEY RRset. Other keys allowed and/or used to sign the child's apex KEY RRset. Other keys
MAY sign the child's apex KEY RRset. MAY sign the child's apex KEY RRset.
1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
skipping to change at page 7, line 45 skipping to change at page 7, line 42
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-|
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The key tag is calculated as specified in RFC2535. Algorithm MUST be The key tag is calculated as specified in RFC2535. Algorithm MUST be
an algorithm number assigned in the range 1..251 and the algorithm an algorithm number assigned in the range 1..251 and the algorithm
MUST be allowed to sign DNS data. The digest type is an identifier MUST be allowed to sign DNS data. The digest type is an identifier
for the digest algorithm used. The digest is calculated over the for the digest algorithm used. The digest is calculated over the
canonical name of the delegated domain name followed by the whole canonical name of the delegated domain name followed by the whole
RDATA of the KEY record. RDATA of the KEY record (all four fields).
digest = hash( cannonical FQDN on KEY RR | KEY_RR_rdata)
KEY_RR_rdata = Flags | Protocol | Algorithm | Public Key
Digest type value 0 is reserved, value 1 is SHA-1, and reserving Digest type value 0 is reserved, value 1 is SHA-1, and reserving
other types requires IETF standards action. For interoperability other types requires IETF standards action. For interoperability
reasons, as few digest algorithms as possible should be reserved. The reasons, as few digest algorithms as possible should be reserved. The
only reason to reserve additional digest types is to increase only reason to reserve additional digest types is to increase
security. security.
DS records MUST point to zone KEY records that are allowed to DS records MUST point to zone KEY records that are allowed to
authenticate DNS data. The indicated KEY record's protocol field authenticate DNS data. The indicated KEY record's protocol field
MUST be set to 3; flag field bits 0 and 6 MUST be set to 0; bit 7 MUST be set to 3; flag field bits 0 and 6 MUST be set to 0; bit 7
skipping to change at page 8, line 20 skipping to change at page 8, line 20
The size of the DS RDATA for type 1 (SHA-1) is 24 bytes, regardless The size of the DS RDATA for type 1 (SHA-1) is 24 bytes, regardless
of key size. of key size.
2.4.1 Justifications for Fields 2.4.1 Justifications for Fields
The algorithm and key tag fields are present to allow resolvers to The algorithm and key tag fields are present to allow resolvers to
quickly identify the candidate KEY records to examine. SHA-1 is a quickly identify the candidate KEY records to examine. SHA-1 is a
strong cryptographic checksum: it is computationally infeasible for strong cryptographic checksum: it is computationally infeasible for
an attacker to generate a KEY record that has the same SHA-1 digest. an attacker to generate a KEY record that has the same SHA-1 digest.
Combining the name of the key and the key data as input to the digest Combining the name of the key and the key rdata as input to the
provides stronger assurance of the binding. Having the key tag in digest provides stronger assurance of the binding. Having the key
the DS record adds greater assurance than the SHA-1 digest alone, as tag in the DS record adds greater assurance than the SHA-1 digest
there are now two different mapping functions that a KEY RR must alone, as there are now two different mapping functions that a KEY RR
match. must match.
This format allows concise representation of the keys that the child This format allows concise representation of the keys that the child
will use, thus keeping down the size of the answer for the will use, thus keeping down the size of the answer for the
delegation, reducing the probability of DNS message overflow. The delegation, reducing the probability of DNS message overflow. The
SHA-1 hash is strong enough to uniquely identify the key and is SHA-1 hash is strong enough to uniquely identify the key and is
similar to the PGP key footprint. The digest type field is present similar to the PGP key footprint. The digest type field is present
for possible future expansion. for possible future expansion.
The DS record is well suited to listing trusted keys for islands of The DS record is well suited to listing trusted keys for islands of
security in configuration files. security in configuration files.
2.5 Presentation Format of the DS Record 2.5 Presentation Format of the DS Record
The presentation format of the DS record consists of three numbers The presentation format of the DS record consists of three numbers
(key tag, algorithm and digest type) followed by the digest itself (key tag, algorithm and digest type) followed by the digest itself
presented in hex: presented in hex:
foo.example. DS 12345 3 1 123456789abcdef67890 example. DS 12345 3 1 123456789abcdef67890123456789abcdef67890
2.6 Transition Issues for Installed Base 2.6 Transition Issues for Installed Base
No backwards compatibility with RFC2535 is provided. No backwards compatibility with RFC2535 is provided.
RFC2535-compliant resolvers will assume that all DS-secured RFC2535-compliant resolvers will assume that all DS-secured
delegations are locally secure. This is bad, but the DNSEXT Working delegations are locally secure. This is bad, but the DNSEXT Working
Group has determined that rather than dealing with both Group has determined that rather than dealing with both
RFC2535-secured zones and DS-secured zones, a rapid adoption of DS is RFC2535-secured zones and DS-secured zones, a rapid adoption of DS is
preferable. Thus the only option for early adopters is to upgrade to preferable. Thus the only option for early adopters is to upgrade to
skipping to change at page 9, line 21 skipping to change at page 9, line 21
RFC1035 NS RFC1035 NS
RFC2535 adds the following two cases: RFC2535 adds the following two cases:
Secure RFC2535: NS + NXT + SIG(NXT) Secure RFC2535: NS + NXT + SIG(NXT)
NXT bit map contains: NS SIG NXT NXT bit map contains: NS SIG NXT
Unsecure RFC2535: NS + KEY + SIG(KEY) + NXT + SIG(NXT) Unsecure RFC2535: NS + KEY + SIG(KEY) + NXT + SIG(NXT)
NXT bit map contains: NS SIG KEY NXT NXT bit map contains: NS SIG KEY NXT
KEY must be a NULL key. KEY must be a NULL key.
DS has the following two states: DNSSEC with DS has the following two states:
Secure DS: NS + DS + SIG(DS) + NXT + SIG(NXT) Secure DS: NS + DS + SIG(DS)
NXT bit map contains: NS SIG NXT DS NXT bit map contains: NS SIG NXT DS
Unsecure DS: NS + NXT + SIG(NXT) Unsecure DS: NS + NXT + SIG(NXT)
NXT bit map contains: NS SIG NXT NXT bit map contains: NS SIG NXT
It is difficult for a resolver to determine if a delegation is secure It is difficult for a resolver to determine if a delegation is secure
RFC 2535 or unsecure DS. This could be overcome by adding a flag to RFC 2535 or unsecure DS. This could be overcome by adding a flag to
the NXT bit map, but only upgraded resolvers would understand this the NXT bit map, but only upgraded resolvers would understand this
flag, anyway. Having both parent and child signatures for a KEY RRset flag, anyway. Having both parent and child signatures for a KEY RRset
might allow old resolvers to accept a zone as secure, but the cost of might allow old resolvers to accept a zone as secure, but the cost of
doing this for a long time is much higher than just prohibiting RFC doing this for a long time is much higher than just prohibiting RFC
2535-style signatures at child zone apexes and forcing rapid 2535-style signatures at child zone apexes and forcing rapid
deployment of DS-enabled servers and resolvers. deployment of DS-enabled servers and resolvers.
RFC 2535 and DS can in theory be deployed in parallel, but this would RFC 2535 and DS can in theory be deployed in parallel, but this would
require resolvers to deal with RFC 2535 configurations forever. This require resolvers to deal with RFC 2535 configurations forever. This
document obsoletes the NULL KEY in parent zones, which is a difficult document obsoletes the NULL KEY in parent zones, which is a difficult
enough change that a flag day is required. enough change that a flag day is required.
2.7 KEY and corresponding DS record example
This is a example of a KEY record and corresponding DS record.
dskey.example. KEY 256 3 1 (
AQPwHb4UL1U9RHaU8qP+Ts5bVOU1s7fYbj2b3CCbzNdj
4+/ECd18yKiyUQqKqQFWW5T3iVc8SJOKnueJHt/Jb/wt
) ; key id = 28668
DS 28668 1 1 49FD46E6C4B45C55D4AC69CBD3CD34AC1AFE51DE
3 Resolver Example 3 Resolver Example
To create a chain of trust, a resolver goes from trusted KEY to DS to To create a chain of trust, a resolver goes from trusted KEY to DS to
KEY. KEY.
Assume the key for domain "example." is trusted. Zone "example." Assume the key for domain "example." is trusted. Zone "example."
contains at least the following records: contains at least the following records:
example. SOA <soa stuff> example. SOA <soa stuff>
example. NS ns.example. example. NS ns.example.
example. KEY <stuff> example. KEY <stuff>
skipping to change at page 12, line 8 skipping to change at page 12, line 8
The DS record represents a change to the DNSSEC protocol and there is The DS record represents a change to the DNSSEC protocol and there is
an installed base of implementations, as well as textbooks on how to an installed base of implementations, as well as textbooks on how to
set up secure delegations. Implementations that do not understand the set up secure delegations. Implementations that do not understand the
DS record will not be able to follow the KEY to DS to KEY chain and DS record will not be able to follow the KEY to DS to KEY chain and
will consider all zones secured that way as unsecure. will consider all zones secured that way as unsecure.
5 IANA Considerations: 5 IANA Considerations:
IANA needs to allocate an RR type code for DS from the standard RR IANA needs to allocate an RR type code for DS from the standard RR
type space. type space (type 43 requested).
IANA needs to open a new registry for the DS type for digest IANA needs to open a new registry for the DS RR type for digest
algorithms. Defined types are: 0 is Reserved, 1 is SHA-1. Adding new algorithms. Defined types are:
reservations requires IETF standards action. 0 is Reserved,
1 is SHA-1.
Adding new reservations requires IETF standards action.
4 Acknowledgments 4 Acknowledgments
Over the last few years a number of people have contributed ideas Over the last few years a number of people have contributed ideas
that are captured in this document. The core idea of using one key to that are captured in this document. The core idea of using one key to
sign only the KEY RRset comes from discussions with Bill Manning and sign only the KEY RRset comes from discussions with Bill Manning and
Perry Metzger on how to put in a single root key in all resolvers. Perry Metzger on how to put in a single root key in all resolvers.
Alexis Yushin, Brian Wellington, Paul Vixie, Jakob Schlyter, Scott Alexis Yushin, Brian Wellington, Paul Vixie, Jakob Schlyter, Scott
Rosen, Edward Lewis, Lars-Johan Liman, Matt Larson, Mark Kosters, Dan Rose, Edward Lewis, Lars-Johan Liman, Matt Larson, Mark Kosters, Dan
Massey, Olaf Kolman, Phillip Hallam-Baker, Miek Gieben, Havard Massey, Olaf Kolman, Phillip Hallam-Baker, Miek Gieben, Havard
Eidnes, Donald Eastlake 3rd., Randy Bush, David Blacka, Steve Eidnes, Donald Eastlake 3rd., Randy Bush, David Blacka, Steve
Bellovin, Rob Austein, Derek Atkins, Roy Arends, Harald Alvestrand, Bellovin, Rob Austein, Derek Atkins, Roy Arends, Harald Alvestrand,
and others have provided useful comments. and others have provided useful comments.
References: References:
[RFC1035] P. Mockapetris, ``Domain Names - Implementation and [RFC1035] P. Mockapetris, ``Domain Names - Implementation and
Specification'', STD 13, RFC 1035, November 1987. Specification'', STD 13, RFC 1035, November 1987.
skipping to change at page 13, line 15 skipping to change at page 13, line 15
Author Address Author Address
Olafur Gudmundsson Olafur Gudmundsson
3826 Legation Street, NW 3826 Legation Street, NW
Washington, DC, 20015 Washington, DC, 20015
USA USA
<ogud@ogud.com> <ogud@ogud.com>
Appendix A: Changes from Prior versions Appendix A: Changes from Prior versions
Changes from Version 06
Made IANA section more explicit.
Removed the requirement that both DS and NXT be returned on positive
answers.
Added explicit DS example along with a KEY.
Added more explicit text what goes into DS calculation.
Updated example to be right length and added explicit DS and
corresponding KEY example (section 2.7).
Changes from version 05 Changes from version 05
Major wording changes for clarity contributed by Matt Larson. Major wording changes for clarity contributed by Matt Larson.
Added explicit rule that query for type DS MUST be answered from the Added explicit rule that query for type DS MUST be answered from the
upper side of delegation. upper side of delegation.
Changes from version 04 Changes from version 04
Reworded document to obsolete RFC2535 chain of trust, no backwards Reworded document to obsolete RFC2535 chain of trust, no backwards
compatibility. Require DS and NXT records in referrals in authority compatibility. Require DS and NXT records in referrals in authority
section. Removed the NODS bit. section.
Removed the NODS bit.
Added the requirement for OK bit and Message size. Added the requirement for OK bit and Message size.
Rewrote Abstract to better express what is in the document. Rewrote Abstract to better express what is in the document.
Removed size field from examples and simplified them. Removed size field from examples and simplified them.
Changes from version 03 Changes from version 03
Added strict rules on what KEY records can be pointed to by DS. Added strict rules on what KEY records can be pointed to by DS.
Changes from version 02 Changes from version 02
Added text outlawing DS at non delegations. Added text outlawing DS at non delegations.
Added table showing the contents of DS, SIG@child, and RFC1034 Added table showing the contents of DS, SIG@child, and RFC1034
 End of changes. 

This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/