draft-ietf-dnsext-delegation-signer-14.txt   draft-ietf-dnsext-delegation-signer-15.txt 
DNSEXT Working Group Olafur Gudmundsson DNSEXT Working Group Olafur Gudmundsson
<draft-ietf-dnsext-delegation-signer-14.txt> <draft-ietf-dnsext-delegation-signer-15.txt>
Updates: RFC 1035, RFC 2535, RFC 3008, RFC 3090. Updates: RFC 1035, RFC 2535, RFC 3008, RFC 3090.
Delegation Signer Resource Record Delegation Signer Resource Record
Status of this Memo Status of this Memo
This document is an Internet-Draft and is in full conformance with This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026. all provisions of Section 10 of RFC2026.
skipping to change at page 1, line 31 skipping to change at page 1, line 31
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as ``work in progress.'' material or to cite them other than as ``work in progress.''
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html http://www.ietf.org/shadow.html
Comments should be sent to the authors or the DNSEXT WG mailing list This draft expires on January 19, 2004.
namedroppers@ops.ietf.org
This draft expires on December 6, 2003.
Copyright Notice Copyright Notice
Copyright (C) The Internet Society (2003). All rights reserved. Copyright (C) The Internet Society (2003). All rights reserved.
Abstract Abstract
The delegation signer (DS) resource record is inserted at a zone cut The delegation signer (DS) resource record is inserted at a zone cut
(i.e., a delegation point) to indicate that the delegated zone is (i.e., a delegation point) to indicate that the delegated zone is
digitally signed and that the delegated zone recognizes the indicated digitally signed and that the delegated zone recognizes the indicated
key as a valid zone key for the delegated zone. The DS RR is a key as a valid zone key for the delegated zone. The DS RR is a
modification to the DNS Security Extensions definition, motivated by modification to the DNS Security Extensions definition, motivated by
operational considerations. The intent is to use this resource record operational considerations. The intent is to use this resource record
as an explicit statement about the delegation, rather than relying on as an explicit statement about the delegation, rather than relying on
inference. inference.
This document defines the DS RR, gives examples of how it is used and This document defines the DS RR, gives examples of how it is used and
the implications of this record on resolvers. This change is not describes the implications on resolvers. This change is not backwards
backwards compatible with RFC 2535. compatible with RFC 2535.
This document updates RFC1035, RFC2535, RFC3008 and RFC3090. This document updates RFC1035, RFC2535, RFC3008 and RFC3090.
Table of contents
Status of this Memo . . . . . . . . . . . . . . . . . . . . . . . . 1
Abstract . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Table of contents . . . . . . . . . . . . . . . . . . . . . . . . . 2
1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.2 Reserved Words" . . . . . . . . . . . . . . . . . . . . . . . . 4
2 Specification of the Delegation key Signer" . . . . . . . . . . . 4
2.1 Delegation Signer Record Model" . . . . . . . . . . . . . . . . 4
2.2 Protocol Change" . . . . . . . . . . . . . . . . . . . . . . . . 5
2.2.1 RFC2535 2.3.4 and 3.4: Special Considerations at
Delegation Points" . . . . . . . . . . . . . . . . . . . . . . . . . 6
2.2.1.1 Special processing for DS queries" . . . . . . . . . . . . 6
2.2.1.2 Special processing when child and an ancestor share
server" . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
2.2.1.3 Modification on use of KEY RR in the construction of
Responses" . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
2.2.2 Signer's Name (replaces RFC3008 section 2.7)" . . . . . . . . 9
2.2.3 Changes to RFC3090" . . . . . . . . . . . . . . . . . . . . . 9
2.2.3.1 RFC3090: Updates to section 1: Introduction" . . . . . . . . 9
2.2.3.2 RFC3090 section 2.1: Globally Secured" . . . . . . . . . . . 9
2.2.3.3 RFC3090 section 3: Experimental Status." . . . . . . . . . 10
2.2.4 NULL KEY elimination" . . . . . . . . . . . . . . . . . . . . 10
2.3 Comments on Protocol Changes" . . . . . . . . . . . . . . . . . 10
2.4 Wire Format of the DS record" . . . . . . . . . . . . . . . . . 11
2.4.1 Justifications for Fields" . . . . . . . . . . . . . . . . . . 12
2.5 Presentation Format of the DS Record" . . . . . . . . . . . . . 12
2.6 Transition Issues for Installed Base" . . . . . . . . . . . . . 12
2.6.1 Backwards compatibility with RFC2535 and RFC1035" . . . . . . 12
2.7 KEY and corresponding DS record example" . . . . . . . . . . . . 13
3 Resolver" . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
3.1 DS Example" . . . . . . . . . . . . . . . . . . . . . . . . . . 14
3.2 Resolver Cost Estimates for DS Records" . . . . . . . . . . . . 15
4 Security Considerations: " . . . . . . . . . . . . . . . . . . . . 15
5 IANA Considerations: " . . . . . . . . . . . . . . . . . . . . . . 16
6 Acknowledgments" . . . . . . . . . . . . . . . . . . . . . . . . . 16
Normative References: " . . . . . . . . . . . . . . . . . . . . . . 16
Informational References" " . . . . . . . . . . . . . . . . . . . . 17
Author Address" . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Full Copyright Statement" . . . . . . . . . . . . . . . . . . . . . 17
1 Introduction 1 Introduction
Familiarity with the DNS system [RFC1035], DNS security extensions Familiarity with the DNS system [RFC1035], DNS security extensions
[RFC2535] and DNSSEC terminology [RFC3090] is important. [RFC2535] and DNSSEC terminology [RFC3090] is important.
Experience shows that when the same data can reside in two Experience shows that when the same data can reside in two
administratively different DNS zones, the data frequently gets out of administratively different DNS zones, the data frequently gets out of
sync. The presence of an NS RRset in a zone anywhere other than at sync. The presence of an NS RRset in a zone anywhere other than at
the apex indicates a zone cut or delegation. The RDATA of the NS the apex indicates a zone cut or delegation. The RDATA of the NS
RRset specifies the authoritative servers for the delegated or RRset specifies the authoritative servers for the delegated or
skipping to change at page 3, line 5 skipping to change at page 1, line 131
KEY record is a waste: an entire signed RRset is used to communicate KEY record is a waste: an entire signed RRset is used to communicate
effectively one bit of information--that the child is unsecure. effectively one bit of information--that the child is unsecure.
Chasing down NULL KEY RRsets complicates the resolution process in Chasing down NULL KEY RRsets complicates the resolution process in
many cases, because servers for both parent and child need to be many cases, because servers for both parent and child need to be
queried for the KEY RRset if the child server does not return it. queried for the KEY RRset if the child server does not return it.
Storing the KEY RRset only in the parent zone simplifies this and Storing the KEY RRset only in the parent zone simplifies this and
would allow the elimination of the NULL KEY RRsets entirely. For would allow the elimination of the NULL KEY RRsets entirely. For
large delegation zones the cost of NULL keys is a significant barrier large delegation zones the cost of NULL keys is a significant barrier
to deployment. to deployment.
Another complication of the DNSSEC key model is that the KEY record Prior to the restrictions imposed by RFC3445[RFC3445], another
can be used to store public keys for other protocols in addition to implication of the DNSSEC key model is that the KEY record could be
DNSSEC keys. There are number of potential problems with this, used to store public keys for other protocols in addition to DNSSEC
including: keys. There are number of potential problems with this, including:
1. The KEY RRset can become quite large if many applications and 1. The KEY RRset can become quite large if many applications and
protocols store their keys at the zone apex. Possible protocols protocols store their keys at the zone apex. Possible protocols
are IPSEC, HTTP, SMTP, SSH and others that use public key are IPSEC, HTTP, SMTP, SSH and others that use public key
cryptography. cryptography.
2. The KEY RRset may require frequent updates. 2. The KEY RRset may require frequent updates.
3. The probability of compromised or lost keys, which trigger 3. The probability of compromised or lost keys, which trigger
emergency key rollover procedures, increases. emergency key rollover procedures, increases.
4. The parent may refuse sign KEY RRsets with non-DNSSEC zone keys.
5. The parent may not meet the child's expectations in turnaround 4. The parent may refuse to sign KEY RRsets with non-DNSSEC zone
keys.
5. The parent may not meet the child's expectations of turnaround
time for resigning the KEY RRset. time for resigning the KEY RRset.
Given these reasons, SIG@parent isn't any better than SIG/KEY@Child. Given these reasons, SIG@parent isn't any better than SIG/KEY@Child.
1.2 Reserved Words 1.2 Reserved Words
The key words "MAY","MAY NOT", "MUST", "MUST NOT", "REQUIRED", The key words "MAY","MAY NOT", "MUST", "MUST NOT", "REQUIRED",
"RECOMMENDED", "SHOULD", and "SHOULD NOT" in this document are to be "RECOMMENDED", "SHOULD", and "SHOULD NOT" in this document are to be
interpreted as described in RFC2119. interpreted as described in RFC2119.
skipping to change at page 3, line 40 skipping to change at page 1, line 168
This section defines the Delegation Signer (DS) RR type (type code This section defines the Delegation Signer (DS) RR type (type code
TBD) and the changes to DNS to accommodate it. TBD) and the changes to DNS to accommodate it.
2.1 Delegation Signer Record Model 2.1 Delegation Signer Record Model
This document presents a replacement for the DNSSEC KEY record chain This document presents a replacement for the DNSSEC KEY record chain
of trust [RFC2535] that uses a new RR that resides only at the of trust [RFC2535] that uses a new RR that resides only at the
parent. This record identifies the key(s) that the child uses to parent. This record identifies the key(s) that the child uses to
self-sign its own KEY RRset. self-sign its own KEY RRset.
Even though DS identifies two roles for KEYs, Key Signing Key (KSK)
and Zone Signing Key (ZSK), there is no requirement that zone use two
different keys for these roles. It is expected that many small zones
will only use one key, while larger zones will be more likely to use
multiple keys.
The chain of trust is now established by verifying the parent KEY The chain of trust is now established by verifying the parent KEY
RRset, the DS RRset from the parent and the KEY RRset at the child. RRset, the DS RRset from the parent and the KEY RRset at the child.
This is cryptographically equivalent to using just KEY records. This is cryptographically equivalent to using just KEY records.
Communication between the parent and child is greatly reduced, since Communication between the parent and child is greatly reduced, since
the child only needs to notify the parent about changes in keys that the child only needs to notify the parent about changes in keys that
sign its apex KEY RRset. The parent is ignorant of all other keys in sign its apex KEY RRset. The parent is ignorant of all other keys in
the child's apex KEY RRset. Furthermore, the child maintains full the child's apex KEY RRset. Furthermore, the child maintains full
control over the apex KEY RRset and its content. The child can control over the apex KEY RRset and its content. The child can
maintain any policies regarding its KEY usage for DNSSEC with minimal maintain any policies regarding its KEY usage for DNSSEC with minimal
skipping to change at page 4, line 12 skipping to change at page 1, line 195
rollover for its DNS zone keys, the parent does not need to be aware rollover for its DNS zone keys, the parent does not need to be aware
of it. The child can use one key to sign only its apex KEY RRset and of it. The child can use one key to sign only its apex KEY RRset and
a different key to sign the other RRsets in the zone. a different key to sign the other RRsets in the zone.
This model fits well with a slow roll out of DNSSEC and the islands This model fits well with a slow roll out of DNSSEC and the islands
of security model. In this model, someone who trusts "good.example." of security model. In this model, someone who trusts "good.example."
can preconfigure a key from "good.example." as a trusted key, and can preconfigure a key from "good.example." as a trusted key, and
from then on trusts any data signed by that key or that has a chain from then on trusts any data signed by that key or that has a chain
of trust to that key. If "example." starts advertising DS records, of trust to that key. If "example." starts advertising DS records,
"good.example." does not have to change operations by suspending "good.example." does not have to change operations by suspending
self-signing. DS records can also be used to identify trusted keys self-signing. DS records can be used in configuration files to
instead of KEY records. Another significant advantage is that the identify trusted keys instead of KEY records. Another significant
amount of information stored in large delegation zones is reduced: advantage is that the amount of information stored in large
rather than the NULL KEY record at every unsecure delegation required delegation zones is reduced: rather than the NULL KEY record at every
by RFC 2535, only secure delegations require additional information unsecure delegation demanded by RFC 2535, only secure delegations
in the form of a signed DS RRset. require additional information in the form of a signed DS RRset.
The main disadvantage of this approach is that verifying a zone's KEY The main disadvantage of this approach is that verifying a zone's KEY
RRset requires two signature verification operations instead of the RRset requires two signature verification operations instead of the
one required by RFC 2535. There is no impact on the number of one in RFC 2535 chain of trust. There is no impact on the number of
signatures verified for other types of RRsets. signatures verified for other types of RRsets.
Even though DS identifies two roles for KEY's, Key Signing Key (KSK)
and Zone Signing Key (ZSK), there is no requirement that zone use two
different keys for these roles. It is expected that many small zones
will only use one key, while larger organizations will be more likely
to use multiple keys.
2.2 Protocol Change 2.2 Protocol Change
All DNS servers and resolvers that support DS MUST support the OK bit All DNS servers and resolvers that support DS MUST support the OK bit
[RFC3225] and a larger message size [RFC3226]. In order for a [RFC3225] and a larger message size [RFC3226]. In order for a
delegation to be considered secure the delegation MUST contain a DS delegation to be considered secure the delegation MUST contain a DS
RRset. If a query contains the OK bit, a server returning a referral RRset. If a query contains the OK bit, a server returning a referral
for the delegation MUST include the following RRsets in the authority for the delegation MUST include the following RRsets in the authority
section in this order: section in this order:
If DS RRset is present: If DS RRset is present:
parents copy of childs NS RRset parent's copy of child's NS RRset
DS and SIG(DS) DS and SIG(DS)
If no DS RRset is present: If no DS RRset is present:
parents copy of childs NS RRset parent's copy of child's NS RRset
parents zone NXT and SIG(NXT) parent's zone NXT and SIG(NXT)
This increases the size of referral messages and possilbly causing This increases the size of referral messages, possibly causing some
some or all glue to be omitted. If the DS or NXT RRsets with or all glue to be omitted. If the DS or NXT RRsets with signatures do
signatures do not fit in the DNS message, the TC bit MUST be set. not fit in the DNS message, the TC bit MUST be set. Additional
Additional section processing is not changed. section processing is not changed.
A DS RRset accompanying a NS RRset indicates that the child zone is A DS RRset accompanying a NS RRset indicates that the child zone is
secure. If a NS RRset exists without a DS RRset, the child zone is secure. If a NS RRset exists without a DS RRset, the child zone is
unsecure (from the parents point of view). DS RRsets MUST NOT appear unsecure (from the parents point of view). DS RRsets MUST NOT appear
at non-delegation points or at a zone's apex. at non-delegation points or at a zone's apex.
Section 2.2.1 defines special considerations related to authoritative Section 2.2.1 defines special considerations related to authoritative
servers responding to DS queries and replaces RFC2535 sections 2.3.4 servers responding to DS queries and replaces RFC2535 sections 2.3.4
and 3.4. Section 2.2.2 replaces RFC3008 section 2.7, and section and 3.4. Section 2.2.2 replaces RFC3008 section 2.7, and section
2.2.3 updates RFC3090. 2.2.3 updates RFC3090.
skipping to change at page 5, line 25 skipping to change at page 1, line 251
private key held by the zone manager. But the DNS protocol views the private key held by the zone manager. But the DNS protocol views the
leaf nodes in a zone that are also the apex nodes of a child zone leaf nodes in a zone that are also the apex nodes of a child zone
(i.e., delegation points) as "really" belonging to the child zone. (i.e., delegation points) as "really" belonging to the child zone.
The corresponding domain names appear in two master files and might The corresponding domain names appear in two master files and might
have RRsets signed by both the parent and child zones' keys. A have RRsets signed by both the parent and child zones' keys. A
retrieval could get a mixture of these RRsets and SIGs, especially retrieval could get a mixture of these RRsets and SIGs, especially
since one server could be serving both the zone above and below a since one server could be serving both the zone above and below a
delegation point [RFC 2181]. delegation point [RFC 2181].
Each DS RRset stored in the parent zone MUST be signed by at least Each DS RRset stored in the parent zone MUST be signed by at least
one of the parent zone's private key. The parent zone MUST NOT one of the parent zone's private keys. The parent zone MUST NOT
contain a KEY RRset at any delegation point. Delegations in the contain a KEY RRset at any delegation point. Delegations in the
parent MAY contain only the following RR types: NS, DS, NXT and SIG. parent MAY contain only the following RR types: NS, DS, NXT and SIG.
The NS RRset MUST NOT be signed. The NXT RRset is the exceptional The NS RRset MUST NOT be signed. The NXT RRset is the exceptional
case: it will always appear differently and authoritatively in both case: it will always appear differently and authoritatively in both
the parent and child zones if both are secure. the parent and child zones if both are secure.
A secure zone MUST contain a self-signed KEY RRset at its apex. Upon A secure zone MUST contain a self-signed KEY RRset at its apex. Upon
verifying the DS RRset from the parent, a resolver MAY trust any KEY verifying the DS RRset from the parent, a resolver MAY trust any KEY
identified in the DS RRset as a valid signer of the child's apex KEY identified in the DS RRset as a valid signer of the child's apex KEY
RRset. Resolvers configured to trust one of the keys signing the KEY RRset. Resolvers configured to trust one of the keys signing the KEY
RRset MAY now treat any data signed by the zone keys in the KEY RRset RRset MAY now treat any data signed by the zone keys in the KEY RRset
as secure. In all other cases resolvers MUST consider the zone as secure. In all other cases resolvers MUST consider the zone
unsecure. A DS RRset MUST NOT appear at a zone's apex. unsecure. A DS RRset MUST NOT appear at a zone's apex.
An authoritative server queried for type DS MUST return the DS RRset An authoritative server queried for type DS MUST return the DS RRset
in the answer section. in the answer section.
2.2.1.1 Special processing for DS queries 2.2.1.1 Special processing for DS queries
When a server is authoritative for the parent zone at a delegation When a server is authoritative for the parent zone at a delegation
point and receives a query for the DS record at that name, it will point and receives a query for the DS record at that name, it MUST
return the DS from the parent zone. This is true whether or not it answer based on data in the parent zone, return DS or negative
is also authoritative for the child zone. answer. This is true whether or not it is also authoritative for the
child zone.
When the server is authoritative for the child zone at a delegation When the server is authoritative for the child zone at a delegation
point but not the parent zone, there is no natural response, since point but not the parent zone, there is no natural response, since
the child zone is not authoritative for the DS record at the zone's the child zone is not authoritative for the DS record at the zone's
apex. As these queries are only expected to originate from recursive apex. As these queries are only expected to originate from recursive
servers which are not DS-aware, the authoritative server MUST answer servers which are not DS-aware, the authoritative server MUST answer
with: with:
RCODE: NOERROR RCODE: NOERROR
AA bit: set AA bit: set
Answer Section: Empty Answer Section: Empty
Authority Section: SOA [+ SIG(SOA) + NXT + SIG(NXT)] Authority Section: SOA [+ SIG(SOA) + NXT + SIG(NXT)]
That is, it answers as if it is authoritative and the DS record does That is, it answers as if it is authoritative and the DS record does
not exist. DS-aware recursive servers will query the parent zone at not exist. DS-aware recursive servers will query the parent zone at
delegation points, so will not be affected by this. delegation points, so will not be affected by this.
A server authoritative for only the child zone at a delegation point A server authoritative for only the child zone, that is also a
that is also a caching server MAY (if the RD bit is set in the query) caching server MAY (if the RD bit is set in the query) perform
perform recursion to find the DS record at the delegation point, and recursion to find the DS record at the delegation point, or MAY
may return the DS record from its cache. In this case, the AA bit return the DS record from its cache. In this case, the AA bit MUST
MUST not be set in the response. not be set in the response.
2.2.1.2 Special processing when child and an ancestor share server" 2.2.1.2 Special processing when child and an ancestor share server
Special rules are needed to permit DS RR aware servers to gracefully Special rules are needed to permit DS RR aware servers to gracefully
interact with older caches which otherwise might falsely label a interact with older caches which otherwise might falsely label a
server as lame because of the new placement of the DS RR set. server as lame because of the placement of the DS RR set.
Such a situation might arise when a server is authoritative for both Such a situation might arise when a server is authoritative for both
a zone and it's grandparent, but not the parent. This sounds like an a zone and it's grandparent, but not the parent. This sounds like an
obscure example, but it is very real. The root zone is currently obscure example, but it is very real. The root zone is currently
served on 13 machines, and "root-servers.net." is served on 4 of the served on 13 machines, and "root-servers.net." is served on 4 of the
same 13, but "net." is served elsewhere. same 13, but "net." is served elsewhere.
When a server receives a query for (<QNAME>, DS, IN), the response When a server receives a query for (<QNAME>, DS, <QCLASS>), the
MUST be determined from reading these rules in order: response MUST be determined from reading these rules in order:
1) If the server is authoritative for the zone that holds the DS RR 1) If the server is authoritative for the zone that holds the DS RR
set (i.e., the zone that delegates <QNAME> away, aka the "parent" set (i.e., the zone that delegates <QNAME>, aka the "parent" zone),
zone), the response contains the DS RR set as an authoritative the response contains the DS RR set as an authoritative answer.
answer.
2) If the server is offering recursive service and the RD bit is set 2) If the server is offering recursive service and the RD bit is set
in the query, the server performs the query itself (according to the in the query, the server performs the query itself (according to the
rules for resolvers described below) and returns it's findings. rules for resolvers described below) and returns its findings.
3) If the server is authoritative for the zone that holds the 3) If the server is authoritative for the zone that holds the
<QNAME>'s SOA RR set, the response is an authoritative negative <QNAME>'s SOA RR set, the response is an authoritative negative
answer as described in 2.2.1.1. answer as described in 2.2.1.1.
4) If the server is authoritative for a zone or zones above the 4) If the server is authoritative for a zone or zones above the
QNAME, a referral to the most enclosing zone's servers is made. QNAME, a referral to the most enclosing zone's servers is made.
5) If the server is not authoritative for any part of the QNAME, a 5) If the server is not authoritative for any part of the QNAME, a
response indicating a lame server for QNAME is given. response indicating a lame server for QNAME is given.
skipping to change at page 7, line 31 skipping to change at page 1, line 350
expecting a referral to a net. server. Instead, rule number 3 above expecting a referral to a net. server. Instead, rule number 3 above
applies and a negative answer is returned by the server. The applies and a negative answer is returned by the server. The
reaction by the resolver is not to accept this answer as final as it reaction by the resolver is not to accept this answer as final as it
can determine from the SOA RR in the negative answer the context can determine from the SOA RR in the negative answer the context
within which the server has answered. within which the server has answered.
A solution to this is to instruct the resolver to hunt for the A solution to this is to instruct the resolver to hunt for the
authoritative zone of the data in a brute force manner. authoritative zone of the data in a brute force manner.
This can be accomplished by taking the owner name of the returned SOA This can be accomplished by taking the owner name of the returned SOA
RR and strip off enough left-hand labels until a successful NS RR and striping off enough left-hand labels until a successful NS
response is obtained. A successful response here means that the response is obtained. A successful response here means that the
answer has NS records in it. (Entertaining the possibility that a answer has NS records in it. (Entertaining the possibility that a
cut point may be two labels down in a zone.) cut point can be two labels down in a zone.)
Returning to the example, the response will include a negative answer Returning to the example, the response will include a negative answer
with either the SOA RR for "roots.example.net." or "example.net." with either the SOA RR for "roots.example.net." or "example.net."
depending on whether roots.example.net is a delegated domain. In depending on whether roots.example.net is a delegated domain. In
either case, removing the least significant label of the SOA owner either case, removing the left most label of the SOA owner name will
name will lead to the location of the desired data. lead to the location of the desired data.
2.2.1.3 Modification on KEY RR in the construction of Responses 2.2.1.3 Modification on use of KEY RR in the construction of Responses
This section updates RFC2535 section 3.5 by replacing it with the This section updates RFC2535 section 3.5 by replacing it with the
following: following:
An query for KEY RR MUST NOT trigger any additional section A query for KEY RR MUST NOT trigger any additional section
processing. Security aware resolver will include corresponding SIG processing. Security aware resolvers will include corresponding SIG
records in the answer section. records in the answer section.
KEY records SHOULD NOT be added to additional records section in KEY records SHOULD NOT be added to the additional records section in
response to any query. response to any query.
RFC2535 included rules to in add KEY records to additional section RFC2535 specified that KEY records be added to the additional section
when SOA or NS records where included in an answer. The is was done when SOA or NS records where included in an answer. This was done to
to reduce round trips (in the case of SOA) and to force out NULL reduce round trips (in the case of SOA) and to force out NULL KEYs
KEY's (in the NS case), as this document obsoletes NULL keys there is (in the NS case). As this document obsoletes NULL keys there is no
no need for the second case, the first case causes redundant need for the inclusion of KEYs with NSs. Furthermore as SOAs are
transfers of KEY RRset as SOA is included in the authority section of included in the authority section of negative answers, including the
negative answers. KEYs each time will cause redundant transfers of KEYs.
RFC2535 section 3.5 also included rule for adding KEY RRset to query RFC2535 section 3.5 also included rule for adding the KEY RRset to
for A and AAAA, as Restrict KEY[RFC3445] eliminated use of KEY RR by the response for a query for A and AAAA types. As Restrict
all applications therfore the rule is not needed anymore. KEY[RFC3445] eliminated use of KEY RR by all applications this rule
is no longer needed.
2.2.2 Signer's Name (replaces RFC3008 section 2.7) 2.2.2 Signer's Name (replaces RFC3008 section 2.7)
The signer's name field of a SIG RR MUST contain the name of the zone The signer's name field of a SIG RR MUST contain the name of the zone
to which the data and signature belong. The combination of signer's to which the data and signature belong. The combination of signer's
name, key tag, and algorithm MUST identify a zone key if the SIG is name, key tag, and algorithm MUST identify a zone key if the SIG is
to be considered material. This document defines a standard policy to be considered material. This document defines a standard policy
for DNSSEC validation; local policy may override the standard policy. for DNSSEC validation; local policy MAY override the standard policy.
There are no restrictions on the signer field of a SIG(0) record. There are no restrictions on the signer field of a SIG(0) record.
The combination of signer's name, key tag, and algorithm MUST The combination of signer's name, key tag, and algorithm MUST
identify a key if this SIG(0) is to be processed. identify a key if this SIG(0) is to be processed.
2.2.3 Changes to RFC3090 2.2.3 Changes to RFC3090
A number of sections of RFC3090 need to be updated to reflect the DS A number of sections of RFC3090 need to be updated to reflect the DS
record. record.
skipping to change at page 9, line 23 skipping to change at page 1, line 433
to this is the root zone, for which there is no parent zone. to this is the root zone, for which there is no parent zone.
2.2.3.3 RFC3090 section 3: Experimental Status. 2.2.3.3 RFC3090 section 3: Experimental Status.
The only difference between experimental status and globally secured The only difference between experimental status and globally secured
is the missing DS RRset in the parent zone. All locally secured zones is the missing DS RRset in the parent zone. All locally secured zones
are experimental. are experimental.
2.2.4 NULL KEY elimination 2.2.4 NULL KEY elimination
RFC3445 section 3 elminates the top two bits in the flags field of RFC3445 section 3 eliminates the top two bits in the flags field of
KEY RR. These two bits where used to indicate NULL KEY or NO KEY. KEY RR. These two bits were used to indicate NULL KEY or NO KEY.
RFC3090 defines that zone that defines that zone is either secure or RFC3090 defines that zone is either secure or not, these rules
not, eliminates the possible need to put NULL keys in the zone apex eliminates the possible need to put NULL keys in the zone apex to
to indicate that the zone is not secured for a algorithm. Along with indicate that the zone is not secured for a algorithm. Along with
this document these other two elminate all uses for the NULL KEY, this document these other two eliminate all uses for the NULL KEY,
Thus this document obsoletes NULL KEY. This document obsoletes NULL KEY.
2.3 Comments on Protocol Changes 2.3 Comments on Protocol Changes
Over the years there have been various discussions surrounding the Over the years there have been various discussions surrounding the
DNS delegation model, declaring it to be broken because there is no DNS delegation model, declaring it to be broken because there is no
good way to assert if a delegation exists. In the RFC2535 version of good way to assert if a delegation exists. In the RFC2535 version of
DNSSEC, the presence of the NS bit in the NXT bit map proves there is DNSSEC, the presence of the NS bit in the NXT bit map proves there is
a delegation at this name. Something more explicit is needed and the a delegation at this name. Something more explicit is needed and the
DS record addresses this need for secure delegations. DS record addresses this need for secure delegations.
The DS record is a major change to DNS: it is the first resource The DS record is a major change to DNS: it is the first resource
record that can appear only on the upper side of a delegation. Adding record that can appear only on the upper side of a delegation. Adding
it will cause interoperabilty problems and requires a flag day for it will cause interoperabilty problems and requires a flag day for
DNSSEC. Many old servers and resolvers MUST be upgraded to take DNSSEC. Many old servers and resolvers MUST be upgraded to take
advantage of DS. Some old servers will be able to be authoritative advantage of DS. Some old servers will be able to be authoritative
for zones with DS records but will not add the NXT or DS records to for zones with DS records but will not add the NXT or DS records to
the authority section. The same is true for caching servers; in the authority section. The same is true for caching servers; in
fact, some may even refuse to pass on the DS or NXT records. fact, some might even refuse to pass on the DS or NXT records.
2.4 Wire Format of the DS record 2.4 Wire Format of the DS record
The DS (type=TDB) record contains these fields: key tag, algorithm, The DS (type=TDB) record contains these fields: key tag, algorithm,
digest type, and the digest of a public key KEY record that is digest type, and the digest of a public key KEY record that is
allowed and/or used to sign the child's apex KEY RRset. Other keys allowed and/or used to sign the child's apex KEY RRset. Other keys
MAY sign the child's apex KEY RRset. MAY sign the child's apex KEY RRset.
1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
skipping to change at page 10, line 41 skipping to change at page 1, line 495
for the digest algorithm used. The digest is calculated over the for the digest algorithm used. The digest is calculated over the
canonical name of the delegated domain name followed by the whole canonical name of the delegated domain name followed by the whole
RDATA of the KEY record (all four fields). RDATA of the KEY record (all four fields).
digest = hash( canonical FQDN on KEY RR | KEY_RR_rdata) digest = hash( canonical FQDN on KEY RR | KEY_RR_rdata)
KEY_RR_rdata = Flags | Protocol | Algorithm | Public Key KEY_RR_rdata = Flags | Protocol | Algorithm | Public Key
Digest type value 0 is reserved, value 1 is SHA-1, and reserving Digest type value 0 is reserved, value 1 is SHA-1, and reserving
other types requires IETF standards action. For interoperabilty other types requires IETF standards action. For interoperabilty
reasons, as few digest algorithms as possible should be reserved. The reasons, keeping number of digest algorithms low is strongly
only reason to reserve additional digest types is to increase RECOMMENDED. The only reason to reserve additional digest types is
security. to increase security.
DS records MUST point to zone KEY records that are allowed to DS records MUST point to zone KEY records that are allowed to
authenticate DNS data. The indicated KEY record's protocol field authenticate DNS data. The indicated KEY records protocol field MUST
MUST be set to 3; flag field bit 7 MUST be set to 1. The value of be set to 3; flag field bit 7 MUST be set to 1. The value of other
other flag bits is not significant for the purposes of this document. flag bits is not significant for the purposes of this document.
The size of the DS RDATA for type 1 (SHA-1) is 24 bytes, regardless The size of the DS RDATA for type 1 (SHA-1) is 24 bytes, regardless
of key size, new digest types probably will have larger digests. of key size. New digest types probably will have larger digests.
2.4.1 Justifications for Fields 2.4.1 Justifications for Fields
The algorithm and key tag fields are present to allow resolvers to The algorithm and key tag fields are present to allow resolvers to
quickly identify the candidate KEY records to examine. SHA-1 is a quickly identify the candidate KEY records to examine. SHA-1 is a
strong cryptographic checksum: it is computationally infeasible for strong cryptographic checksum: it is computationally infeasible for
an attacker to generate a KEY record that has the same SHA-1 digest. an attacker to generate a KEY record that has the same SHA-1 digest.
Combining the name of the key and the key rdata as input to the Combining the name of the key and the key rdata as input to the
digest provides stronger assurance of the binding. Having the key digest provides stronger assurance of the binding. Having the key
tag in the DS record adds greater assurance than the SHA-1 digest tag in the DS record adds greater assurance than the SHA-1 digest
alone, as there are now two different mapping functions that a KEY RR alone, as there are now two different mapping functions.
must match.
This format allows concise representation of the keys that the child This format allows concise representation of the keys that the child
will use, thus keeping down the size of the answer for the will use, thus keeping down the size of the answer for the
delegation, reducing the probability of DNS message overflow. The delegation, reducing the probability of DNS message overflow. The
SHA-1 hash is strong enough to uniquely identify the key and is SHA-1 hash is strong enough to uniquely identify the key and is
similar to the PGP key footprint. The digest type field is present similar to the PGP key footprint. The digest type field is present
for possible future expansion. for possible future expansion.
The DS record is well suited to listing trusted keys for islands of The DS record is well suited to listing trusted keys for islands of
security in configuration files. security in configuration files.
skipping to change at page 12, line 30 skipping to change at page 1, line 581
the NXT bit map, but only upgraded resolvers would understand this the NXT bit map, but only upgraded resolvers would understand this
flag, anyway. Having both parent and child signatures for a KEY RRset flag, anyway. Having both parent and child signatures for a KEY RRset
might allow old resolvers to accept a zone as secure, but the cost of might allow old resolvers to accept a zone as secure, but the cost of
doing this for a long time is much higher than just prohibiting RFC doing this for a long time is much higher than just prohibiting RFC
2535-style signatures at child zone apexes and forcing rapid 2535-style signatures at child zone apexes and forcing rapid
deployment of DS-enabled servers and resolvers. deployment of DS-enabled servers and resolvers.
RFC 2535 and DS can in theory be deployed in parallel, but this would RFC 2535 and DS can in theory be deployed in parallel, but this would
require resolvers to deal with RFC 2535 configurations forever. This require resolvers to deal with RFC 2535 configurations forever. This
document obsoletes the NULL KEY in parent zones, which is a difficult document obsoletes the NULL KEY in parent zones, which is a difficult
enough change that a flag day is required. enough change that to cause a flag day.
2.7 KEY and corresponding DS record example 2.7 KEY and corresponding DS record example
This is an example of a KEY record and the corresponding DS record. This is an example of a KEY record and the corresponding DS record.
dskey.example. KEY 256 3 1 ( dskey.example. KEY 256 3 1 (
AQPwHb4UL1U9RHaU8qP+Ts5bVOU1s7fYbj2b3CCbzNdj AQPwHb4UL1U9RHaU8qP+Ts5bVOU1s7fYbj2b3CCbzNdj
4+/ECd18yKiyUQqKqQFWW5T3iVc8SJOKnueJHt/Jb/wt 4+/ECd18yKiyUQqKqQFWW5T3iVc8SJOKnueJHt/Jb/wt
) ; key id = 28668 ) ; key id = 28668
DS 28668 1 1 49FD46E6C4B45C55D4AC69CBD3CD34AC1AFE51DE DS 28668 1 1 49FD46E6C4B45C55D4AC69CBD3CD34AC1AFE51DE
skipping to change at page 14, line 10 skipping to change at page 1, line 645
This example has only one DS record for the child, but parents MUST This example has only one DS record for the child, but parents MUST
allow multiple DS records to facilitate key rollover and multiple KEY allow multiple DS records to facilitate key rollover and multiple KEY
algorithms. algorithms.
The resolver determines the security status of "unsecure.example." by The resolver determines the security status of "unsecure.example." by
examining the parent zone's NXT record for this name. The absence of examining the parent zone's NXT record for this name. The absence of
the DS bit indicates an unsecure delegation. Note the NXT record the DS bit indicates an unsecure delegation. Note the NXT record
SHOULD only be examined after verifying the corresponding signature. SHOULD only be examined after verifying the corresponding signature.
3.1 Resolver Cost Estimates for DS Records 3.2 Resolver Cost Estimates for DS Records
From a RFC2535 resolver point of view, for each delegation followed From a RFC2535 resolver point of view, for each delegation followed
to chase down an answer, one KEY RRset has to be verified. to chase down an answer, one KEY RRset has to be verified.
Additional RRsets might also need to be verified based on local Additional RRsets might also need to be verified based on local
policy (e.g., the contents of the NS RRset). Once the resolver gets policy (e.g., the contents of the NS RRset). Once the resolver gets
to the appropriate delegation, validating the answer might require to the appropriate delegation, validating the answer might require
verifying one or more signatures. A simple A record lookup requires verifying one or more signatures. A simple A record lookup requires
at least N delegations to be verified and one RRset. For a DS-enabled at least N delegations to be verified and one RRset. For a DS-enabled
resolver, the cost is 2N+1. For an MX record, where the target of resolver, the cost is 2N+1. For an MX record, where the target of
the MX record is in the same zone as the MX record, the costs are N+2 the MX record is in the same zone as the MX record, the costs are N+2
and 2N+2, for RFC 2535 and DS, respectively. In the case of negatives and 2N+2, for RFC 2535 and DS, respectively. In the case of negatives
answer the same ratios hold true. answer the same ratios hold true.
The resolver may require an extra query to get the DS record and this The resolver have to do an extra query to get the DS record and this
may add to the overall cost of the query, but this is never worse increases the overall cost of resolving this question, but this is
than chasing down NULL KEY records from the parent in RFC2535 DNSSEC. never worse than chasing down NULL KEY records from the parent in
RFC2535 DNSSEC.
DS adds processing overhead on resolvers and increases the size of DS adds processing overhead on resolvers and increases the size of
delegation answers, but much less than storing signatures in the delegation answers, but much less than storing signatures in the
parent zone. parent zone.
4 Security Considerations: 4 Security Considerations:
This document proposes a change to the validation chain of KEY This document proposes a change to the validation chain of KEY
records in DNSSEC. The change is not believed to reduce security in records in DNSSEC. The change is not believed to reduce security in
the overall system. In RFC2535 DNSSEC, the child zone has to the overall system. In RFC2535 DNSSEC, the child zone has to
 End of changes. 

This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/