draft-ietf-dnsext-delegation-signer-15.txt   rfc3658.txt 
DNSEXT Working Group Olafur Gudmundsson Network Working Group O. Gudmundsson
INTERNET-DRAFT June 2003 Request for Comments: 3658 December 2003
<draft-ietf-dnsext-delegation-signer-15.txt> Updates: 3090, 3008, 2535, 1035
Category: Standards Track
Updates: RFC 1035, RFC 2535, RFC 3008, RFC 3090.
Delegation Signer Resource Record Delegation Signer (DS) Resource Record (RR)
Status of this Memo Status of this Memo
This document is an Internet-Draft and is in full conformance with This document specifies an Internet standards track protocol for the
all provisions of Section 10 of RFC2026. Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Internet-Drafts are working documents of the Internet Engineering Official Protocol Standards" (STD 1) for the standardization state
Task Force (IETF), its areas, and its working groups. Note that and status of this protocol. Distribution of this memo is unlimited.
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months Copyright Notice
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as ``work in progress.''
The list of current Internet-Drafts can be accessed at Copyright (C) The Internet Society (2003). All Rights Reserved.
http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at Abstract
http://www.ietf.org/shadow.html
This draft expires on January 19, 2004. The delegation signer (DS) resource record (RR) is inserted at a zone
cut (i.e., a delegation point) to indicate that the delegated zone is
digitally signed and that the delegated zone recognizes the indicated
key as a valid zone key for the delegated zone. The DS RR is a
modification to the DNS Security Extensions definition, motivated by
operational considerations. The intent is to use this resource
record as an explicit statement about the delegation, rather than
relying on inference.
Copyright Notice This document defines the DS RR, gives examples of how it is used and
describes the implications on resolvers. This change is not
backwards compatible with RFC 2535. This document updates RFC 1035,
RFC 2535, RFC 3008 and RFC 3090.
Copyright (C) The Internet Society (2003). All rights reserved. Table of Contents
Abstract 1. Introduction. . . . . . . . . . . . . . . . . . . . . . . . . 3
1.2. Reserved Words. . . . . . . . . . . . . . . . . . . . . 4
2. Specification of the Delegation key Signer. . . . . . . . . . 4
2.1. Delegation Signer Record Model. . . . . . . . . . . . . 4
2.2. Protocol Change . . . . . . . . . . . . . . . . . . . . 5
2.2.1. RFC 2535 2.3.4 and 3.4: Special Considerations
at Delegation Points . . . . . . . . . . . . . 6
2.2.1.1. Special processing for DS queries. . . 6
2.2.1.2. Special processing when child and an
ancestor share nameserver. . . . . . . 7
2.2.1.3. Modification on use of KEY RR in the
construction of Responses. . . . . . . 8
2.2.2. Signer's Name (replaces RFC3008 section 2.7). . 9
2.2.3. Changes to RFC 3090 . . . . . . . . . . . . . . 9
2.2.3.1. RFC 3090: Updates to section 1:
Introduction . . . . . . . . . . . . . 9
2.2.3.2. RFC 3090 section 2.1: Globally
Secured. . . . . . . . . . . . . . . . 10
2.2.3.3. RFC 3090 section 3: Experimental
Status . . . . . . . . . . . . . . . . 10
2.2.4. NULL KEY elimination. . . . . . . . . . . . . . 10
2.3. Comments on Protocol Changes. . . . . . . . . . . . . . 10
2.4. Wire Format of the DS record. . . . . . . . . . . . . . 11
2.4.1. Justifications for Fields . . . . . . . . . . . 12
2.5. Presentation Format of the DS Record. . . . . . . . . . 12
2.6. Transition Issues for Installed Base. . . . . . . . . . 12
2.6.1. Backwards compatibility with RFC 2535 and
RFC 1035. . . . . . . . . . . . . . . . . . . . 12
2.7. KEY and corresponding DS record example . . . . . . . . 13
3. Resolver. . . . . . . . . . . . . . . . . . . . . . . . . . . 14
3.1. DS Example" . . . . . . . . . . . . . . . . . . . . . . 14
3.2. Resolver Cost Estimates for DS Records" . . . . . . . . 15
4. Security Considerations . . . . . . . . . . . . . . . . . . . 15
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16
6. Intellectual Property Statement . . . . . . . . . . . . . . . 16
7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 17
8. References. . . . . . . . . . . . . . . . . . . . . . . . . . 17
8.1. Normative References. . . . . . . . . . . . . . . . . . 17
8.2. Informational References. . . . . . . . . . . . . . . . 17
9. Author's Address. . . . . . . . . . . . . . . . . . . . . . . 18
10. Full Copyright Statement. . . . . . . . . . . . . . . . . . . 19
The delegation signer (DS) resource record is inserted at a zone cut 1. Introduction
(i.e., a delegation point) to indicate that the delegated zone is
digitally signed and that the delegated zone recognizes the indicated
key as a valid zone key for the delegated zone. The DS RR is a
modification to the DNS Security Extensions definition, motivated by
operational considerations. The intent is to use this resource record
as an explicit statement about the delegation, rather than relying on
inference.
This document defines the DS RR, gives examples of how it is used and Familiarity with the DNS system [RFC1035], DNS security extensions
describes the implications on resolvers. This change is not backwards [RFC2535], and DNSSEC terminology [RFC3090] is important.
compatible with RFC 2535.
This document updates RFC1035, RFC2535, RFC3008 and RFC3090.
Table of contents Experience shows that when the same data can reside in two
administratively different DNS zones, the data frequently gets out of
sync. The presence of an NS RRset in a zone anywhere other than at
the apex indicates a zone cut or delegation. The RDATA of the NS
RRset specifies the authoritative nameservers for the delegated or
"child" zone. Based on actual measurements, 10-30% of all
delegations on the Internet have differing NS RRsets at parent and
child. There are a number of reasons for this, including a lack of
communication between parent and child and bogus name servers being
listed to meet registry requirements.
Status of this Memo . . . . . . . . . . . . . . . . . . . . . . . . 1 DNSSEC [RFC2535, RFC3008, RFC3090] specifies that a child zone needs
Abstract . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 to have its KEY RRset signed by its parent to create a verifiable
Table of contents . . . . . . . . . . . . . . . . . . . . . . . . . 2 chain of KEYs. There has been some debate on where the signed KEY
1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 RRset should reside, whether at the child [RFC2535] or at the parent.
1.2 Reserved Words" . . . . . . . . . . . . . . . . . . . . . . . . 4 If the KEY RRset resides at the child, maintaining the signed KEY
2 Specification of the Delegation key Signer" . . . . . . . . . . . 4 RRset in the child requires frequent two-way communication between
2.1 Delegation Signer Record Model" . . . . . . . . . . . . . . . . 4 the two parties. First, the child transmits the KEY RRset to the
2.2 Protocol Change" . . . . . . . . . . . . . . . . . . . . . . . . 5 parent and then the parent sends the signature(s) to the child.
2.2.1 RFC2535 2.3.4 and 3.4: Special Considerations at Storing the KEY RRset at the parent was thought to simplify the
Delegation Points" . . . . . . . . . . . . . . . . . . . . . . . . . 6 communication.
2.2.1.1 Special processing for DS queries" . . . . . . . . . . . . 6
2.2.1.2 Special processing when child and an ancestor share
server" . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
2.2.1.3 Modification on use of KEY RR in the construction of
Responses" . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
2.2.2 Signer's Name (replaces RFC3008 section 2.7)" . . . . . . . . 9
2.2.3 Changes to RFC3090" . . . . . . . . . . . . . . . . . . . . . 9
2.2.3.1 RFC3090: Updates to section 1: Introduction" . . . . . . . . 9
2.2.3.2 RFC3090 section 2.1: Globally Secured" . . . . . . . . . . . 9
2.2.3.3 RFC3090 section 3: Experimental Status." . . . . . . . . . 10
2.2.4 NULL KEY elimination" . . . . . . . . . . . . . . . . . . . . 10
2.3 Comments on Protocol Changes" . . . . . . . . . . . . . . . . . 10
2.4 Wire Format of the DS record" . . . . . . . . . . . . . . . . . 11
2.4.1 Justifications for Fields" . . . . . . . . . . . . . . . . . . 12
2.5 Presentation Format of the DS Record" . . . . . . . . . . . . . 12
2.6 Transition Issues for Installed Base" . . . . . . . . . . . . . 12
2.6.1 Backwards compatibility with RFC2535 and RFC1035" . . . . . . 12
2.7 KEY and corresponding DS record example" . . . . . . . . . . . . 13
3 Resolver" . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
3.1 DS Example" . . . . . . . . . . . . . . . . . . . . . . . . . . 14
3.2 Resolver Cost Estimates for DS Records" . . . . . . . . . . . . 15
4 Security Considerations: " . . . . . . . . . . . . . . . . . . . . 15
5 IANA Considerations: " . . . . . . . . . . . . . . . . . . . . . . 16
6 Acknowledgments" . . . . . . . . . . . . . . . . . . . . . . . . . 16
Normative References: " . . . . . . . . . . . . . . . . . . . . . . 16
Informational References" " . . . . . . . . . . . . . . . . . . . . 17
Author Address" . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Full Copyright Statement" . . . . . . . . . . . . . . . . . . . . . 17
1 Introduction
Familiarity with the DNS system [RFC1035], DNS security extensions DNSSEC [RFC2535] requires that the parent store a NULL KEY record for
[RFC2535] and DNSSEC terminology [RFC3090] is important. an unsecure child zone to indicate that the child is unsecure. A
NULL KEY record is a waste: an entire signed RRset is used to
communicate effectively one bit of information - that the child is
unsecure. Chasing down NULL KEY RRsets complicates the resolution
process in many cases, because nameservers for both parent and child
need to be queried for the KEY RRset if the child nameserver does not
return it. Storing the KEY RRset only in the parent zone simplifies
this and would allow the elimination of the NULL KEY RRsets entirely.
For large delegation zones, the cost of NULL keys is a significant
barrier to deployment.
Experience shows that when the same data can reside in two Prior to the restrictions imposed by RFC 3445 [RFC3445], another
administratively different DNS zones, the data frequently gets out of implication of the DNSSEC key model is that the KEY record could be
sync. The presence of an NS RRset in a zone anywhere other than at used to store public keys for other protocols in addition to DNSSEC
the apex indicates a zone cut or delegation. The RDATA of the NS keys. There are a number of potential problems with this, including:
RRset specifies the authoritative servers for the delegated or
"child" zone. Based on actual measurements, 10-30% of all delegations
on the Internet have differing NS RRsets at parent and child. There
are a number of reasons for this, including a lack of communication
between parent and child and bogus name servers being listed to meet
registry requirements.
DNSSEC [RFC2535,RFC3008,RFC3090] specifies that a child zone needs to 1. The KEY RRset can become quite large if many applications and
have its KEY RRset signed by its parent to create a verifiable chain protocols store their keys at the zone apex. Possible protocols
of KEYs. There has been some debate on where the signed KEY RRset are IPSEC, HTTP, SMTP, SSH and others that use public key
should reside, whether at the child [RFC2535] or at the parent. If cryptography.
the KEY RRset resides at the child, maintaining the signed KEY RRset
in the child requires frequent two-way communication between the two
parties. First the child transmits the KEY RRset to the parent and
then the parent sends the signature(s) to the child. Storing the KEY
RRset at the parent was thought to simplify the communication.
DNSSEC [RFC2535] requires that the parent store a NULL KEY record for 2. The KEY RRset may require frequent updates.
an unsecure child zone to indicate that the child is unsecure. A NULL
KEY record is a waste: an entire signed RRset is used to communicate
effectively one bit of information--that the child is unsecure.
Chasing down NULL KEY RRsets complicates the resolution process in
many cases, because servers for both parent and child need to be
queried for the KEY RRset if the child server does not return it.
Storing the KEY RRset only in the parent zone simplifies this and
would allow the elimination of the NULL KEY RRsets entirely. For
large delegation zones the cost of NULL keys is a significant barrier
to deployment.
Prior to the restrictions imposed by RFC3445[RFC3445], another 3. The probability of compromised or lost keys, which trigger
implication of the DNSSEC key model is that the KEY record could be emergency key roll-over procedures, increases.
used to store public keys for other protocols in addition to DNSSEC
keys. There are number of potential problems with this, including:
1. The KEY RRset can become quite large if many applications and
protocols store their keys at the zone apex. Possible protocols
are IPSEC, HTTP, SMTP, SSH and others that use public key
cryptography.
2. The KEY RRset may require frequent updates.
3. The probability of compromised or lost keys, which trigger
emergency key rollover procedures, increases.
4. The parent may refuse to sign KEY RRsets with non-DNSSEC zone 4. The parent may refuse to sign KEY RRsets with non-DNSSEC zone
keys. keys.
5. The parent may not meet the child's expectations of turnaround
time for resigning the KEY RRset.
Given these reasons, SIG@parent isn't any better than SIG/KEY@Child. 5. The parent may not meet the child's expectations of turnaround
time for resigning the KEY RRset.
1.2 Reserved Words Given these reasons, SIG@parent isn't any better than SIG/KEY@Child.
The key words "MAY","MAY NOT", "MUST", "MUST NOT", "REQUIRED", 1.2. Reserved Words
"RECOMMENDED", "SHOULD", and "SHOULD NOT" in this document are to be
interpreted as described in RFC2119.
2 Specification of the Delegation key Signer The key words "MAY", "MAY NOT", "MUST", "MUST NOT", "REQUIRED",
"RECOMMENDED", "SHOULD", and "SHOULD NOT" in this document are to be
interpreted as described in BCP 14, RFC 2119 [RFC2119].
This section defines the Delegation Signer (DS) RR type (type code 2. Specification of the Delegation key Signer
TBD) and the changes to DNS to accommodate it.
2.1 Delegation Signer Record Model This section defines the Delegation Signer (DS) RR type (type code
43) and the changes to DNS to accommodate it.
This document presents a replacement for the DNSSEC KEY record chain 2.1. Delegation Signer Record Model
of trust [RFC2535] that uses a new RR that resides only at the
parent. This record identifies the key(s) that the child uses to
self-sign its own KEY RRset.
Even though DS identifies two roles for KEYs, Key Signing Key (KSK) This document presents a replacement for the DNSSEC KEY record chain
and Zone Signing Key (ZSK), there is no requirement that zone use two of trust [RFC2535] that uses a new RR that resides only at the
different keys for these roles. It is expected that many small zones parent. This record identifies the key(s) that the child uses to
will only use one key, while larger zones will be more likely to use self-sign its own KEY RRset.
multiple keys.
The chain of trust is now established by verifying the parent KEY Even though DS identifies two roles for KEYs, Key Signing Key (KSK)
RRset, the DS RRset from the parent and the KEY RRset at the child. and Zone Signing Key (ZSK), there is no requirement that zone uses
This is cryptographically equivalent to using just KEY records. two different keys for these roles. It is expected that many small
zones will only use one key, while larger zones will be more likely
to use multiple keys.
Communication between the parent and child is greatly reduced, since The chain of trust is now established by verifying the parent KEY
the child only needs to notify the parent about changes in keys that RRset, the DS RRset from the parent and the KEY RRset at the child.
sign its apex KEY RRset. The parent is ignorant of all other keys in This is cryptographically equivalent to using just KEY records.
the child's apex KEY RRset. Furthermore, the child maintains full
control over the apex KEY RRset and its content. The child can
maintain any policies regarding its KEY usage for DNSSEC with minimal
impact on the parent. Thus if the child wants to have frequent key
rollover for its DNS zone keys, the parent does not need to be aware
of it. The child can use one key to sign only its apex KEY RRset and
a different key to sign the other RRsets in the zone.
This model fits well with a slow roll out of DNSSEC and the islands Communication between the parent and child is greatly reduced, since
of security model. In this model, someone who trusts "good.example." the child only needs to notify the parent about changes in keys that
can preconfigure a key from "good.example." as a trusted key, and sign its apex KEY RRset. The parent is ignorant of all other keys in
from then on trusts any data signed by that key or that has a chain the child's apex KEY RRset. Furthermore, the child maintains full
of trust to that key. If "example." starts advertising DS records, control over the apex KEY RRset and its content. The child can
"good.example." does not have to change operations by suspending maintain any policies regarding its KEY usage for DNSSEC with minimal
self-signing. DS records can be used in configuration files to impact on the parent. Thus, if the child wants to have frequent key
identify trusted keys instead of KEY records. Another significant roll-over for its DNS zone keys, the parent does not need to be aware
advantage is that the amount of information stored in large of it. The child can use one key to sign only its apex KEY RRset and
delegation zones is reduced: rather than the NULL KEY record at every a different key to sign the other RRsets in the zone.
unsecure delegation demanded by RFC 2535, only secure delegations
require additional information in the form of a signed DS RRset.
The main disadvantage of this approach is that verifying a zone's KEY This model fits well with a slow roll out of DNSSEC and the islands
RRset requires two signature verification operations instead of the of security model. In this model, someone who trusts "good.example."
one in RFC 2535 chain of trust. There is no impact on the number of can preconfigure a key from "good.example." as a trusted key, and
signatures verified for other types of RRsets. from then on trusts any data signed by that key or that has a chain
of trust to that key. If "example." starts advertising DS records,
"good.example." does not have to change operations by suspending
self-signing. DS records can be used in configuration files to
identify trusted keys instead of KEY records. Another significant
advantage is that the amount of information stored in large
delegation zones is reduced: rather than the NULL KEY record at every
unsecure delegation demanded by RFC 2535, only secure delegations
require additional information in the form of a signed DS RRset.
2.2 Protocol Change The main disadvantage of this approach is that verifying a zone's KEY
RRset requires two signature verification operations instead of the
one in RFC 2535 chain of trust. There is no impact on the number of
signatures verified for other types of RRsets.
All DNS servers and resolvers that support DS MUST support the OK bit 2.2. Protocol Change
[RFC3225] and a larger message size [RFC3226]. In order for a
delegation to be considered secure the delegation MUST contain a DS
RRset. If a query contains the OK bit, a server returning a referral
for the delegation MUST include the following RRsets in the authority
section in this order:
If DS RRset is present:
parent's copy of child's NS RRset
DS and SIG(DS)
If no DS RRset is present:
parent's copy of child's NS RRset
parent's zone NXT and SIG(NXT)
This increases the size of referral messages, possibly causing some All DNS servers and resolvers that support DS MUST support the OK bit
or all glue to be omitted. If the DS or NXT RRsets with signatures do [RFC3225] and a larger message size [RFC3226]. In order for a
not fit in the DNS message, the TC bit MUST be set. Additional delegation to be considered secure the delegation MUST contain a DS
section processing is not changed. RRset. If a query contains the OK bit, a nameserver returning a
referral for the delegation MUST include the following RRsets in the
authority section in this order:
A DS RRset accompanying a NS RRset indicates that the child zone is If DS RRset is present:
secure. If a NS RRset exists without a DS RRset, the child zone is parent's copy of child's NS RRset
unsecure (from the parents point of view). DS RRsets MUST NOT appear DS and SIG(DS)
at non-delegation points or at a zone's apex.
Section 2.2.1 defines special considerations related to authoritative If no DS RRset is present:
servers responding to DS queries and replaces RFC2535 sections 2.3.4 parent's copy of child's NS RRset
and 3.4. Section 2.2.2 replaces RFC3008 section 2.7, and section parent's zone NXT and SIG(NXT)
2.2.3 updates RFC3090.
2.2.1 RFC2535 2.3.4 and 3.4: Special Considerations at Delegation Points This increases the size of referral messages, possibly causing some
or all glue to be omitted. If the DS or NXT RRsets with signatures
do not fit in the DNS message, the TC bit MUST be set. Additional
section processing is not changed.
DNS security views each zone as a unit of data completely under the A DS RRset accompanying a NS RRset indicates that the child zone is
control of the zone owner with each entry (RRset) signed by a special secure. If a NS RRset exists without a DS RRset, the child zone is
private key held by the zone manager. But the DNS protocol views the unsecure (from the parents point of view). DS RRsets MUST NOT appear
leaf nodes in a zone that are also the apex nodes of a child zone at non-delegation points or at a zone's apex.
(i.e., delegation points) as "really" belonging to the child zone.
The corresponding domain names appear in two master files and might
have RRsets signed by both the parent and child zones' keys. A
retrieval could get a mixture of these RRsets and SIGs, especially
since one server could be serving both the zone above and below a
delegation point [RFC 2181].
Each DS RRset stored in the parent zone MUST be signed by at least Section 2.2.1 defines special considerations related to authoritative
one of the parent zone's private keys. The parent zone MUST NOT nameservers responding to DS queries and replaces RFC 2535 sections
contain a KEY RRset at any delegation point. Delegations in the 2.3.4 and 3.4. Section 2.2.2 replaces RFC 3008 section 2.7, and
parent MAY contain only the following RR types: NS, DS, NXT and SIG. section 2.2.3 updates RFC 3090.
The NS RRset MUST NOT be signed. The NXT RRset is the exceptional
case: it will always appear differently and authoritatively in both
the parent and child zones if both are secure.
A secure zone MUST contain a self-signed KEY RRset at its apex. Upon 2.2.1. RFC 2535 2.3.4 and 3.4: Special Considerations at Delegation
verifying the DS RRset from the parent, a resolver MAY trust any KEY Points
identified in the DS RRset as a valid signer of the child's apex KEY
RRset. Resolvers configured to trust one of the keys signing the KEY
RRset MAY now treat any data signed by the zone keys in the KEY RRset
as secure. In all other cases resolvers MUST consider the zone
unsecure. A DS RRset MUST NOT appear at a zone's apex.
An authoritative server queried for type DS MUST return the DS RRset DNS security views each zone as a unit of data completely under the
in the answer section. control of the zone owner with each entry (RRset) signed by a special
private key held by the zone manager. But the DNS protocol views the
leaf nodes in a zone that are also the apex nodes of a child zone
(i.e., delegation points) as "really" belonging to the child zone.
The corresponding domain names appear in two master files and might
have RRsets signed by both the parent and child zones' keys. A
retrieval could get a mixture of these RRsets and SIGs, especially
since one nameserver could be serving both the zone above and below a
delegation point [RFC2181].
2.2.1.1 Special processing for DS queries Each DS RRset stored in the parent zone MUST be signed by at least
one of the parent zone's private keys. The parent zone MUST NOT
contain a KEY RRset at any delegation point. Delegations in the
parent MAY contain only the following RR types: NS, DS, NXT and SIG.
The NS RRset MUST NOT be signed. The NXT RRset is the exceptional
case: it will always appear differently and authoritatively in both
the parent and child zones, if both are secure.
When a server is authoritative for the parent zone at a delegation A secure zone MUST contain a self-signed KEY RRset at its apex. Upon
point and receives a query for the DS record at that name, it MUST verifying the DS RRset from the parent, a resolver MAY trust any KEY
answer based on data in the parent zone, return DS or negative identified in the DS RRset as a valid signer of the child's apex KEY
answer. This is true whether or not it is also authoritative for the RRset. Resolvers configured to trust one of the keys signing the KEY
child zone. RRset MAY now treat any data signed by the zone keys in the KEY RRset
as secure. In all other cases, resolvers MUST consider the zone
unsecure.
When the server is authoritative for the child zone at a delegation An authoritative nameserver queried for type DS MUST return the DS
point but not the parent zone, there is no natural response, since RRset in the answer section.
the child zone is not authoritative for the DS record at the zone's
apex. As these queries are only expected to originate from recursive
servers which are not DS-aware, the authoritative server MUST answer
with:
RCODE: NOERROR
AA bit: set
Answer Section: Empty
Authority Section: SOA [+ SIG(SOA) + NXT + SIG(NXT)]
That is, it answers as if it is authoritative and the DS record does 2.2.1.1. Special processing for DS queries
not exist. DS-aware recursive servers will query the parent zone at
delegation points, so will not be affected by this.
A server authoritative for only the child zone, that is also a When a nameserver is authoritative for the parent zone at a
caching server MAY (if the RD bit is set in the query) perform delegation point and receives a query for the DS record at that name,
recursion to find the DS record at the delegation point, or MAY it MUST answer based on data in the parent zone, return DS or
return the DS record from its cache. In this case, the AA bit MUST negative answer. This is true whether or not it is also
not be set in the response. authoritative for the child zone.
2.2.1.2 Special processing when child and an ancestor share server When the nameserver is authoritative for the child zone at a
delegation point but not the parent zone, there is no natural
response, since the child zone is not authoritative for the DS record
at the zone's apex. As these queries are only expected to originate
from recursive nameservers which are not DS-aware, the authoritative
nameserver MUST answer with:
Special rules are needed to permit DS RR aware servers to gracefully RCODE: NOERROR
interact with older caches which otherwise might falsely label a AA bit: set
server as lame because of the placement of the DS RR set. Answer Section: Empty
Authority Section: SOA [+ SIG(SOA) + NXT + SIG(NXT)]
Such a situation might arise when a server is authoritative for both That is, it answers as if it is authoritative and the DS record does
a zone and it's grandparent, but not the parent. This sounds like an not exist. DS-aware recursive nameservers will query the parent zone
obscure example, but it is very real. The root zone is currently at delegation points, so will not be affected by this.
served on 13 machines, and "root-servers.net." is served on 4 of the
same 13, but "net." is served elsewhere.
When a server receives a query for (<QNAME>, DS, <QCLASS>), the A nameserver authoritative for only the child zone, that is also a
response MUST be determined from reading these rules in order: caching server MAY (if the RD bit is set in the query) perform
recursion to find the DS record at the delegation point, or MAY
return the DS record from its cache. In this case, the AA bit MUST
NOT be set in the response.
1) If the server is authoritative for the zone that holds the DS RR 2.2.1.2. Special processing when child and an ancestor share
set (i.e., the zone that delegates <QNAME>, aka the "parent" zone), nameserver
the response contains the DS RR set as an authoritative answer.
2) If the server is offering recursive service and the RD bit is set Special rules are needed to permit DS RR aware nameservers to
in the query, the server performs the query itself (according to the gracefully interact with older caches which otherwise might falsely
rules for resolvers described below) and returns its findings. label a nameserver as lame because of the placement of the DS RR set.
3) If the server is authoritative for the zone that holds the Such a situation might arise when a nameserver is authoritative for
both a zone and it's grandparent, but not the parent. This sounds
like an obscure example, but it is very real. The root zone is
currently served on 13 machines, and "root-servers.net." is served on
4 of the 13, but "net." is severed on different nameservers.
When a nameserver receives a query for (<QNAME>, DS, <QCLASS>), the
response MUST be determined from reading these rules in order:
1) If the nameserver is authoritative for the zone that holds the DS
RR set (i.e., the zone that delegates <QNAME>, a.k.a. the "parent"
zone), the response contains the DS RR set as an authoritative
answer.
2) If the nameserver is offering recursive service and the RD bit is
set in the query, the nameserver performs the query itself
(according to the rules for resolvers described below) and returns
its findings.
3) If the nameserver is authoritative for the zone that holds the
<QNAME>'s SOA RR set, the response is an authoritative negative <QNAME>'s SOA RR set, the response is an authoritative negative
answer as described in 2.2.1.1. answer as described in 2.2.1.1.
4) If the server is authoritative for a zone or zones above the 4) If the nameserver is authoritative for a zone or zones above the
QNAME, a referral to the most enclosing zone's servers is made. QNAME, a referral to the most enclosing (deepest match) zone's
servers is made.
5) If the server is not authoritative for any part of the QNAME, a 5) If the nameserver is not authoritative for any part of the QNAME,
response indicating a lame server for QNAME is given. a response indicating a lame nameserver for QNAME is given.
Using these rules will require some special processing on the part of Using these rules will require some special processing on the part of
a DS RR aware resolver. To illustrate this, an example is used. a DS RR aware resolver. To illustrate this, an example is used.
Assuming a server is authoritative for roots.example.net. and for the Assuming a nameserver is authoritative for roots.example.net. and for
root zone but not the intervening two zones (or the intervening two the root zone but not the intervening two zones (or the intervening
label deep zone). Assume that QNAME=roots.example.net., QTYPE=DS, two label deep zone). Assume that QNAME=roots.example.net.,
and QCLASS=IN. QTYPE=DS, and QCLASS=IN.
The resolver will issue this request (assuming no cached data) The resolver will issue this request (assuming no cached data)
expecting a referral to a net. server. Instead, rule number 3 above expecting a referral to a nameserver for .net. Instead, rule number
applies and a negative answer is returned by the server. The 3 above applies and a negative answer is returned by the nameserver.
reaction by the resolver is not to accept this answer as final as it The reaction by the resolver is not to accept this answer as final,
can determine from the SOA RR in the negative answer the context as it can determine from the SOA RR in the negative answer the
within which the server has answered. context within which the nameserver has answered.
A solution to this is to instruct the resolver to hunt for the A solution would be to instruct the resolver to hunt for the
authoritative zone of the data in a brute force manner. authoritative zone of the data in a brute force manner.
This can be accomplished by taking the owner name of the returned SOA This can be accomplished by taking the owner name of the returned SOA
RR and striping off enough left-hand labels until a successful NS RR and striping off enough left-hand labels until a successful NS
response is obtained. A successful response here means that the response is obtained. A successful response here means that the
answer has NS records in it. (Entertaining the possibility that a answer has NS records in it. (Entertaining the possibility that a
cut point can be two labels down in a zone.) cut point can be two labels down in a zone.)
Returning to the example, the response will include a negative answer Returning to the example, the response will include a negative answer
with either the SOA RR for "roots.example.net." or "example.net." with either the SOA RR for "roots.example.net." or "example.net."
depending on whether roots.example.net is a delegated domain. In depending on whether roots.example.net is a delegated domain. In
either case, removing the left most label of the SOA owner name will either case, removing the left most label of the SOA owner name will
lead to the location of the desired data. lead to the location of the desired data.
2.2.1.3 Modification on use of KEY RR in the construction of Responses 2.2.1.3. Modification on use of KEY RR in the construction of Responses
This section updates RFC2535 section 3.5 by replacing it with the This section updates RFC 2535 section 3.5 by replacing it with the
following: following:
A query for KEY RR MUST NOT trigger any additional section A query for KEY RR MUST NOT trigger any additional section
processing. Security aware resolvers will include corresponding SIG processing. Security aware resolvers will include corresponding SIG
records in the answer section. records in the answer section.
KEY records SHOULD NOT be added to the additional records section in KEY records SHOULD NOT be added to the additional records section in
response to any query. response to any query.
RFC2535 specified that KEY records be added to the additional section RFC 2535 specified that KEY records be added to the additional
when SOA or NS records where included in an answer. This was done to section when SOA or NS records were included in an answer. This was
reduce round trips (in the case of SOA) and to force out NULL KEYs done to reduce round trips (in the case of SOA) and to force out NULL
(in the NS case). As this document obsoletes NULL keys there is no KEYs (in the NS case). As this document obsoletes NULL keys, there
need for the inclusion of KEYs with NSs. Furthermore as SOAs are is no need for the inclusion of KEYs with NSs. Furthermore, as SOAs
included in the authority section of negative answers, including the are included in the authority section of negative answers, including
KEYs each time will cause redundant transfers of KEYs. the KEYs each time will cause redundant transfers of KEYs.
RFC2535 section 3.5 also included rule for adding the KEY RRset to RFC 2535 section 3.5 also included a rule for adding the KEY RRset to
the response for a query for A and AAAA types. As Restrict the response for a query for A and AAAA types. As Restrict KEY
KEY[RFC3445] eliminated use of KEY RR by all applications this rule [RFC3445] eliminated use of KEY RR by all applications, this rule is
is no longer needed. no longer needed.
2.2.2 Signer's Name (replaces RFC3008 section 2.7) 2.2.2. Signer's Name (replaces RFC 3008 section 2.7)
The signer's name field of a SIG RR MUST contain the name of the zone The signer's name field of a SIG RR MUST contain the name of the zone
to which the data and signature belong. The combination of signer's to which the data and signature belong. The combination of signer's
name, key tag, and algorithm MUST identify a zone key if the SIG is name, key tag, and algorithm MUST identify a zone key if the SIG is
to be considered material. This document defines a standard policy to be considered material. This document defines a standard policy
for DNSSEC validation; local policy MAY override the standard policy. for DNSSEC validation; local policy MAY override the standard policy.
There are no restrictions on the signer field of a SIG(0) record. There are no restrictions on the signer field of a SIG(0) record. The
The combination of signer's name, key tag, and algorithm MUST combination of signer's name, key tag, and algorithm MUST identify a
identify a key if this SIG(0) is to be processed. key if this SIG(0) is to be processed.
2.2.3 Changes to RFC3090 2.2.3. Changes to RFC 3090
A number of sections of RFC3090 need to be updated to reflect the DS A number of sections in RFC 3090 need to be updated to reflect the DS
record. record.
2.2.3.1 RFC3090: Updates to section 1: Introduction 2.2.3.1. RFC 3090: Updates to section 1: Introduction
Most of the text is still relevant but the words ``NULL key'' are to Most of the text is still relevant but the words "NULL key" are to be
be replaced with ``missing DS RRset''. In section 1.3 the last three replaced with "missing DS RRset". In section 1.3, the last three
paragraphs discuss the confusion in sections of RFC 2535 that are paragraphs discuss the confusion in sections of RFC 2535 that are
replaced in section 2.2.1 above. Therefore, these paragraphs are now replaced in section 2.2.1 above. Therefore, these paragraphs are now
obsolete. obsolete.
2.2.3.2 RFC3090 section 2.1: Globally Secured 2.2.3.2. RFC 3090 section 2.1: Globally Secured
Rule 2.1.b is replaced by the following rule: Rule 2.1.b is replaced by the following rule:
2.1.b. The KEY RRset at a zone's apex MUST be self-signed by a 2.1.b. The KEY RRset at a zone's apex MUST be self-signed by a
private key whose public counterpart MUST appear in a zone signing private key whose public counterpart MUST appear in a zone signing
KEY RR (2.a) owned by the zone's apex and specifying a mandatory-to- KEY RR (2.a) owned by the zone's apex and specifying a mandatory-to-
implement algorithm. This KEY RR MUST be identified by a DS RR in a implement algorithm. This KEY RR MUST be identified by a DS RR in a
signed DS RRset in the parent zone. signed DS RRset in the parent zone.
If a zone cannot get its parent to advertise a DS record for it, the If a zone cannot get its parent to advertise a DS record for it, the
child zone cannot be considered globally secured. The only exception child zone cannot be considered globally secured. The only exception
to this is the root zone, for which there is no parent zone. to this is the root zone, for which there is no parent zone.
2.2.3.3 RFC3090 section 3: Experimental Status. 2.2.3.3. RFC 3090 section 3: Experimental Status.
The only difference between experimental status and globally secured The only difference between experimental status and globally secured
is the missing DS RRset in the parent zone. All locally secured zones is the missing DS RRset in the parent zone. All locally secured
are experimental. zones are experimental.
2.2.4 NULL KEY elimination 2.2.4. NULL KEY elimination
RFC3445 section 3 eliminates the top two bits in the flags field of RFC 3445 section 3 eliminates the top two bits in the flags field of
KEY RR. These two bits were used to indicate NULL KEY or NO KEY. KEY RR. These two bits were used to indicate NULL KEY or NO KEY. RFC
RFC3090 defines that zone is either secure or not, these rules 3090 defines that zone as either secure or not and these rules
eliminates the possible need to put NULL keys in the zone apex to eliminate the need to put NULL keys in the zone apex to indicate that
indicate that the zone is not secured for a algorithm. Along with the zone is not secured for a algorithm. Along with this document,
this document these other two eliminate all uses for the NULL KEY, these other two eliminate all uses for the NULL KEY. This document
This document obsoletes NULL KEY. obsoletes NULL KEY.
2.3 Comments on Protocol Changes 2.3. Comments on Protocol Changes
Over the years there have been various discussions surrounding the Over the years, there have been various discussions surrounding the
DNS delegation model, declaring it to be broken because there is no DNS delegation model, declaring it to be broken because there is no
good way to assert if a delegation exists. In the RFC2535 version of good way to assert if a delegation exists. In the RFC 2535 version
DNSSEC, the presence of the NS bit in the NXT bit map proves there is of DNSSEC, the presence of the NS bit in the NXT bit map proves there
a delegation at this name. Something more explicit is needed and the is a delegation at this name. Something more explicit is required
DS record addresses this need for secure delegations. and the DS record addresses this need for secure delegations.
The DS record is a major change to DNS: it is the first resource The DS record is a major change to DNS: it is the first resource
record that can appear only on the upper side of a delegation. Adding record that can appear only on the upper side of a delegation.
it will cause interoperabilty problems and requires a flag day for Adding it will cause interoperability problems and requires a flag
DNSSEC. Many old servers and resolvers MUST be upgraded to take day for DNSSEC. Many old nameservers and resolvers MUST be upgraded
advantage of DS. Some old servers will be able to be authoritative to take advantage of DS. Some old nameservers will be able to be
for zones with DS records but will not add the NXT or DS records to authoritative for zones with DS records but will not add the NXT or
the authority section. The same is true for caching servers; in DS records to the authority section. The same is true for caching
fact, some might even refuse to pass on the DS or NXT records. nameservers; in fact, some might even refuse to pass on the DS or NXT
records.
2.4 Wire Format of the DS record 2.4. Wire Format of the DS record
The DS (type=TDB) record contains these fields: key tag, algorithm, The DS (type=43) record contains these fields: key tag, algorithm,
digest type, and the digest of a public key KEY record that is digest type, and the digest of a public key KEY record that is
allowed and/or used to sign the child's apex KEY RRset. Other keys allowed and/or used to sign the child's apex KEY RRset. Other keys
MAY sign the child's apex KEY RRset. MAY sign the child's apex KEY RRset.
1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| key tag | algorithm | Digest type | | key tag | algorithm | Digest type |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| digest (length depends on type) | | digest (length depends on type) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| (SHA-1 digest is 20 bytes) | | (SHA-1 digest is 20 bytes) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-|
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-|
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The key tag is calculated as specified in RFC2535. Algorithm MUST be The key tag is calculated as specified in RFC 2535. Algorithm MUST
an algorithm number assigned in the range 1..251 and the algorithm be allowed to sign DNS data. The digest type is an identifier for
MUST be allowed to sign DNS data. The digest type is an identifier the digest algorithm used. The digest is calculated over the
for the digest algorithm used. The digest is calculated over the canonical name of the delegated domain name followed by the whole
canonical name of the delegated domain name followed by the whole RDATA of the KEY record (all four fields).
RDATA of the KEY record (all four fields).
digest = hash( canonical FQDN on KEY RR | KEY_RR_rdata) digest = hash( canonical FQDN on KEY RR | KEY_RR_rdata)
KEY_RR_rdata = Flags | Protocol | Algorithm | Public Key KEY_RR_rdata = Flags | Protocol | Algorithm | Public Key
Digest type value 0 is reserved, value 1 is SHA-1, and reserving Digest type value 0 is reserved, value 1 is SHA-1, and reserving
other types requires IETF standards action. For interoperabilty other types requires IETF standards action. For interoperability
reasons, keeping number of digest algorithms low is strongly reasons, keeping number of digest algorithms low is strongly
RECOMMENDED. The only reason to reserve additional digest types is RECOMMENDED. The only reason to reserve additional digest types is
to increase security. to increase security.
DS records MUST point to zone KEY records that are allowed to DS records MUST point to zone KEY records that are allowed to
authenticate DNS data. The indicated KEY records protocol field MUST authenticate DNS data. The indicated KEY records protocol field MUST
be set to 3; flag field bit 7 MUST be set to 1. The value of other be set to 3; flag field bit 7 MUST be set to 1. The value of other
flag bits is not significant for the purposes of this document. flag bits is not significant for the purposes of this document.
The size of the DS RDATA for type 1 (SHA-1) is 24 bytes, regardless The size of the DS RDATA for type 1 (SHA-1) is 24 bytes, regardless
of key size. New digest types probably will have larger digests. of key size. New digest types probably will have larger digests.
2.4.1 Justifications for Fields 2.4.1. Justifications for Fields
The algorithm and key tag fields are present to allow resolvers to The algorithm and key tag fields are present to allow resolvers to
quickly identify the candidate KEY records to examine. SHA-1 is a quickly identify the candidate KEY records to examine. SHA-1 is a
strong cryptographic checksum: it is computationally infeasible for strong cryptographic checksum: it is computationally infeasible for
an attacker to generate a KEY record that has the same SHA-1 digest. an attacker to generate a KEY record that has the same SHA-1 digest.
Combining the name of the key and the key rdata as input to the Combining the name of the key and the key rdata as input to the
digest provides stronger assurance of the binding. Having the key digest provides stronger assurance of the binding. Having the key
tag in the DS record adds greater assurance than the SHA-1 digest tag in the DS record adds greater assurance than the SHA-1 digest
alone, as there are now two different mapping functions. alone, as there are now two different mapping functions.
This format allows concise representation of the keys that the child This format allows concise representation of the keys that the child
will use, thus keeping down the size of the answer for the will use, thus keeping down the size of the answer for the
delegation, reducing the probability of DNS message overflow. The delegation, reducing the probability of DNS message overflow. The
SHA-1 hash is strong enough to uniquely identify the key and is SHA-1 hash is strong enough to uniquely identify the key and is
similar to the PGP key footprint. The digest type field is present similar to the PGP key footprint. The digest type field is present
for possible future expansion. for possible future expansion.
The DS record is well suited to listing trusted keys for islands of The DS record is well suited to listing trusted keys for islands of
security in configuration files. security in configuration files.
2.5 Presentation Format of the DS Record 2.5. Presentation Format of the DS Record
The presentation format of the DS record consists of three numbers The presentation format of the DS record consists of three numbers
(key tag, algorithm and digest type) followed by the digest itself (key tag, algorithm, and digest type) followed by the digest itself
presented in hex: presented in hex:
example. DS 12345 3 1 123456789abcdef67890123456789abcdef67890
2.6 Transition Issues for Installed Base example. DS 12345 3 1 123456789abcdef67890123456789abcdef67890
No backwards compatibility with RFC2535 is provided. 2.6. Transition Issues for Installed Base
RFC2535-compliant resolvers will assume that all DS-secured No backwards compatibility with RFC 2535 is provided.
delegations are locally secure. This is bad, but the DNSEXT Working
Group has determined that rather than dealing with both
RFC2535-secured zones and DS-secured zones, a rapid adoption of DS is
preferable. Thus the only option for early adopters is to upgrade to
DS as soon as possible.
2.6.1 Backwards compatibility with RFC2535 and RFC1035 RFC 2535-compliant resolvers will assume that all DS-secured
delegations are locally secure. This is bad, but the DNSEXT Working
Group has determined that rather than dealing with both RFC 2535-
secured zones and DS-secured zones, a rapid adoption of DS is
preferable. Thus, the only option for early adopters is to upgrade
to DS as soon as possible.
This section documents how a resolver determines the type of 2.6.1. Backwards compatibility with RFC 2535 and RFC 1035
delegation.
RFC1035 delegation (in parent) has:
RFC1035 NS This section documents how a resolver determines the type of
delegation.
RFC2535 adds the following two cases: RFC 1035 delegation (in parent) has:
Secure RFC2535: NS + NXT + SIG(NXT) RFC 1035 NS
NXT bit map contains: NS SIG NXT
Unsecure RFC2535: NS + KEY + SIG(KEY) + NXT + SIG(NXT)
NXT bit map contains: NS SIG KEY NXT
KEY must be a NULL key.
DNSSEC with DS has the following two states: RFC 2535 adds the following two cases:
Secure DS: NS + DS + SIG(DS) Secure RFC 2535: NS + NXT + SIG(NXT)
NXT bit map contains: NS SIG NXT DS NXT bit map contains: NS SIG NXT
Unsecure DS: NS + NXT + SIG(NXT) Unsecure RFC 2535: NS + KEY + SIG(KEY) + NXT + SIG(NXT)
NXT bit map contains: NS SIG NXT NXT bit map contains: NS SIG KEY NXT
KEY must be a NULL key.
It is difficult for a resolver to determine if a delegation is secure DNSSEC with DS has the following two states:
RFC 2535 or unsecure DS. This could be overcome by adding a flag to
the NXT bit map, but only upgraded resolvers would understand this
flag, anyway. Having both parent and child signatures for a KEY RRset
might allow old resolvers to accept a zone as secure, but the cost of
doing this for a long time is much higher than just prohibiting RFC
2535-style signatures at child zone apexes and forcing rapid
deployment of DS-enabled servers and resolvers.
RFC 2535 and DS can in theory be deployed in parallel, but this would Secure DS: NS + DS + SIG(DS)
require resolvers to deal with RFC 2535 configurations forever. This NXT bit map contains: NS SIG NXT DS
document obsoletes the NULL KEY in parent zones, which is a difficult Unsecure DS: NS + NXT + SIG(NXT)
enough change that to cause a flag day. NXT bit map contains: NS SIG NXT
2.7 KEY and corresponding DS record example It is difficult for a resolver to determine if a delegation is secure
RFC 2535 or unsecure DS. This could be overcome by adding a flag to
the NXT bit map, but only upgraded resolvers would understand this
flag, anyway. Having both parent and child signatures for a KEY
RRset might allow old resolvers to accept a zone as secure, but the
cost of doing this for a long time is much higher than just
prohibiting RFC 2535-style signatures at child zone apexes and
forcing rapid deployment of DS-enabled nameservers and resolvers.
This is an example of a KEY record and the corresponding DS record. RFC 2535 and DS can, in theory, be deployed in parallel, but this
would require resolvers to deal with RFC 2535 configurations forever.
This document obsoletes the NULL KEY in parent zones, which is a
difficult enough change that to cause a flag day.
dskey.example. KEY 256 3 1 ( 2.7. KEY and corresponding DS record example
AQPwHb4UL1U9RHaU8qP+Ts5bVOU1s7fYbj2b3CCbzNdj
4+/ECd18yKiyUQqKqQFWW5T3iVc8SJOKnueJHt/Jb/wt
) ; key id = 28668
DS 28668 1 1 49FD46E6C4B45C55D4AC69CBD3CD34AC1AFE51DE
3 Resolver This is an example of a KEY record and the corresponding DS record.
3.1 DS Example dskey.example. KEY 256 3 1 (
AQPwHb4UL1U9RHaU8qP+Ts5bVOU1s7fYbj2b3CCbzNdj
4+/ECd18yKiyUQqKqQFWW5T3iVc8SJOKnueJHt/Jb/wt
) ; key id = 28668
DS 28668 1 1 49FD46E6C4B45C55D4AC69CBD3CD34AC1AFE51DE
To create a chain of trust, a resolver goes from trusted KEY to DS to 3. Resolver
KEY.
3.1. DS Example
To create a chain of trust, a resolver goes from trusted KEY to DS to
KEY.
Assume the key for domain "example." is trusted. Zone "example." Assume the key for domain "example." is trusted. Zone "example."
contains at least the following records: contains at least the following records:
example. SOA <soa stuff> example. SOA <soa stuff>
example. NS ns.example. example. NS ns.example.
example. KEY <stuff> example. KEY <stuff>
example. NXT NS SOA KEY SIG NXT secure.example. example. NXT secure.example. NS SOA KEY SIG NXT
example. SIG(SOA) example. SIG(SOA)
example. SIG(NS) example. SIG(NS)
example. SIG(NXT) example. SIG(NXT)
example. SIG(KEY) example. SIG(KEY)
secure.example. NS ns1.secure.example. secure.example. NS ns1.secure.example.
secure.example. DS tag=12345 alg=3 digest_type=1 <foofoo> secure.example. DS tag=12345 alg=3 digest_type=1 <foofoo>
secure.example. NXT NS SIG NXT DS unsecure.example. secure.example. NXT unsecure.example. NS SIG NXT DS
secure.example. SIG(NXT) secure.example. SIG(NXT)
secure.example. SIG(DS) secure.example. SIG(DS)
unsecure.example NS ns1.unsecure.example. unsecure.example NS ns1.unsecure.example.
unsecure.example. NXT NS SIG NXT example. unsecure.example. NXT example. NS SIG NXT
unsecure.example. SIG(NXT) unsecure.example. SIG(NXT)
In zone "secure.example." following records exist: In zone "secure.example." following records exist:
secure.example. SOA <soa stuff> secure.example. SOA <soa stuff>
secure.example. NS ns1.secure.example. secure.example. NS ns1.secure.example.
secure.example. KEY <tag=12345 alg=3> secure.example. KEY <tag=12345 alg=3>
secure.example. KEY <tag=54321 alg=5> secure.example. KEY <tag=54321 alg=5>
secure.example. NXT <nxt stuff> secure.example. NXT <nxt stuff>
secure.example. SIG(KEY) <key-tag=12345 alg=3> secure.example. SIG(KEY) <key-tag=12345 alg=3>
secure.example. SIG(SOA) <key-tag=54321 alg=5> secure.example. SIG(SOA) <key-tag=54321 alg=5>
secure.example. SIG(NS) <key-tag=54321 alg=5> secure.example. SIG(NS) <key-tag=54321 alg=5>
secure.example. SIG(NXT) <key-tag=54321 alg=5> secure.example. SIG(NXT) <key-tag=54321 alg=5>
In this example the private key for "example." signs the DS record In this example, the private key for "example." signs the DS record
for "secure.example.", making that a secure delegation. The DS record for "secure.example.", making that a secure delegation. The DS
states which key is expected to sign the KEY RRset at record states which key is expected to sign the KEY RRset at
"secure.example.". Here "secure.example." signs its KEY RRset with "secure.example.". Here "secure.example." signs its KEY RRset with
the KEY identified in the DS RRset, thus the KEY RRset is validated the KEY identified in the DS RRset, thus the KEY RRset is validated
and trusted. and trusted.
This example has only one DS record for the child, but parents MUST This example has only one DS record for the child, but parents MUST
allow multiple DS records to facilitate key rollover and multiple KEY allow multiple DS records to facilitate key roll-over and multiple
algorithms. KEY algorithms.
The resolver determines the security status of "unsecure.example." by The resolver determines the security status of "unsecure.example." by
examining the parent zone's NXT record for this name. The absence of examining the parent zone's NXT record for this name. The absence of
the DS bit indicates an unsecure delegation. Note the NXT record the DS bit indicates an unsecure delegation. Note the NXT record
SHOULD only be examined after verifying the corresponding signature. SHOULD only be examined after verifying the corresponding signature.
3.2 Resolver Cost Estimates for DS Records 3.2. Resolver Cost Estimates for DS Records
From a RFC2535 resolver point of view, for each delegation followed From a RFC 2535 recursive resolver point of view, for each delegation
to chase down an answer, one KEY RRset has to be verified. followed to chase down an answer, one KEY RRset has to be verified.
Additional RRsets might also need to be verified based on local Additional RRsets might also need to be verified based on local
policy (e.g., the contents of the NS RRset). Once the resolver gets policy (e.g., the contents of the NS RRset). Once the resolver gets
to the appropriate delegation, validating the answer might require to the appropriate delegation, validating the answer might require
verifying one or more signatures. A simple A record lookup requires verifying one or more signatures. A simple A record lookup requires
at least N delegations to be verified and one RRset. For a DS-enabled at least N delegations to be verified and one RRset. For a DS-
resolver, the cost is 2N+1. For an MX record, where the target of enabled recursive resolver, the cost is 2N+1. For an MX record,
the MX record is in the same zone as the MX record, the costs are N+2 where the target of the MX record is in the same zone as the MX
and 2N+2, for RFC 2535 and DS, respectively. In the case of negatives record, the costs are N+2 and 2N+2, for RFC 2535 and DS,
answer the same ratios hold true. respectively. In the case of a negative answer, the same ratios hold
true.
The resolver have to do an extra query to get the DS record and this The recursive resolver has to do an extra query to get the DS record,
increases the overall cost of resolving this question, but this is which will increase the overall cost of resolving this question, but
never worse than chasing down NULL KEY records from the parent in it will never be worse than chasing down NULL KEY records from the
RFC2535 DNSSEC. parent in RFC 2535 DNSSEC.
DS adds processing overhead on resolvers and increases the size of DS adds processing overhead on resolvers and increases the size of
delegation answers, but much less than storing signatures in the delegation answers, but much less than storing signatures in the
parent zone. parent zone.
4 Security Considerations: 4. Security Considerations
This document proposes a change to the validation chain of KEY This document proposes a change to the validation chain of KEY
records in DNSSEC. The change is not believed to reduce security in records in DNSSEC. The change is not believed to reduce security in
the overall system. In RFC2535 DNSSEC, the child zone has to the overall system. In RFC 2535 DNSSEC, the child zone has to
communicate keys to its parent and prudent parents will require some communicate keys to its parent and prudent parents will require some
authentication with that transaction. The modified protocol will authentication with that transaction. The modified protocol will
require the same authentication, but allows the child to exert more require the same authentication, but allows the child to exert more
local control over its own KEY RRset. local control over its own KEY RRset.
There is a remote possibility that an attacker could generate a valid There is a remote possibility that an attacker could generate a valid
KEY that matches all the DS fields, of a specific DS set, and thus KEY that matches all the DS fields, of a specific DS set, and thus
forge data from the child. This possibility is considered forge data from the child. This possibility is considered
impractical, as on average more than impractical, as on average more than
2 ^ (160 - <Number of keys in DS set>)
keys would have to be generated before a match would be found.
An attacker that wants to match any DS record will have to generate 2 ^ (160 - <Number of keys in DS set>)
on average at least 2^80 keys.
The DS record represents a change to the DNSSEC protocol and there is keys would have to be generated before a match would be found.
an installed base of implementations, as well as textbooks on how to
set up secure delegations. Implementations that do not understand the
DS record will not be able to follow the KEY to DS to KEY chain and
will consider all zones secured that way as unsecure.
5 IANA Considerations: An attacker that wants to match any DS record will have to generate
on average at least 2^80 keys.
IANA needs to allocate an RR type code for DS from the standard RR The DS record represents a change to the DNSSEC protocol and there is
type space (type 43 requested). an installed base of implementations, as well as textbooks on how to
set up secure delegations. Implementations that do not understand
the DS record will not be able to follow the KEY to DS to KEY chain
and will consider all zones secured that way as unsecure.
IANA needs to open a new registry for the DS RR type for digest 5. IANA Considerations
algorithms. Defined types are:
0 is Reserved,
1 is SHA-1.
Adding new reservations requires IETF standards action.
6 Acknowledgments IANA has allocated an RR type code for DS from the standard RR type
space (type 43).
Over the last few years a number of people have contributed ideas IANA has established a new registry for the DS RR type for digest
that are captured in this document. The core idea of using one key to algorithms. Defined types are:
sign only the KEY RRset comes from discussions with Bill Manning and
Perry Metzger on how to put in a single root key in all resolvers.
Alexis Yushin, Brian Wellington, Sam Weiler, Paul Vixie, Jakob
Schlyter, Scott Rose, Edward Lewis, Lars-Johan Liman, Matt Larson,
Mark Kosters, Dan Massey, Olaf Kolman, Phillip Hallam-Baker, Miek
Gieben, Havard Eidnes, Donald Eastlake 3rd., Randy Bush, David
Blacka, Steve Bellovin, Rob Austein, Derek Atkins, Roy Arends, Mark
Andrews, Harald Alvestrand, and others have provided useful comments.
Normative References: 0 is Reserved,
1 is SHA-1.
[RFC1035] P. Mockapetris, ``Domain Names - Implementation and Adding new reservations requires IETF standards action.
Specification'', STD 13, RFC 1035, November 1987.
[RFC2535] D. Eastlake, ``Domain Name System Security Extensions'', RFC 6. Intellectual Property Statement
2535, March 1999.
[RFC3008] B. Wellington, ``Domain Name System Security (DNSSEC) Signing The IETF takes no position regarding the validity or scope of any
Authority'', RFC 3008, November 2000. intellectual property or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; neither does it represent that it
has made any effort to identify any such rights. Information on the
IETF's procedures with respect to rights in standards-track and
standards-related documentation can be found in BCP-11. Copies of
claims of rights made available for publication and any assurances of
licenses to be made available, or the result of an attempt made to
obtain a general license or permission for the use of such
proprietary rights by implementors or users of this specification can
be obtained from the IETF Secretariat.
[RFC3090] E. Lewis `` DNS Security Extension Clarification on Zone The IETF invites any interested party to bring to its attention any
Status'', RFC 3090, March 2001. copyrights, patents or patent applications, or other proprietary
rights which may cover technology that may be required to practice
this standard. Please address the information to the IETF Executive
Director.
[RFC3225] D. Conrad, ``Indicating Resolver Support of DNSSEC'', RFC 7. Acknowledgments
Over the last few years a number of people have contributed ideas
that are captured in this document. The core idea of using one key
to sign only the KEY RRset comes from discussions with Bill Manning
and Perry Metzger on how to put in a single root key in all
resolvers. Alexis Yushin, Brian Wellington, Sam Weiler, Paul Vixie,
Jakob Schlyter, Scott Rose, Edward Lewis, Lars-Johan Liman, Matt
Larson, Mark Kosters, Dan Massey, Olaf Kolman, Phillip Hallam-Baker,
Miek Gieben, Havard Eidnes, Donald Eastlake 3rd., Randy Bush, David
Blacka, Steve Bellovin, Rob Austein, Derek Atkins, Roy Arends, Mark
Andrews, Harald Alvestrand, and others have provided useful comments.
8. References
8.1. Normative References
[RFC1035] Mockapetris, P., "Domain Names - Implementation and
Specification", STD 13, RFC 1035, November 1987.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2535] Eastlake, D., "Domain Name System Security Extensions",
RFC 2535, March 1999.
[RFC3008] Wellington, B., "Domain Name System Security (DNSSEC)
Signing Authority", RFC 3008, November 2000.
[RFC3090] Lewis, E., "DNS Security Extension Clarification on Zone
Status", RFC 3090, March 2001.
[RFC3225] Conrad, D., "Indicating Resolver Support of DNSSEC", RFC
3225, December 2001. 3225, December 2001.
[RFC3445] D. Massey, S. Rose ``Limiting the scope of the KEY Resource [RFC3445] Massey, D. and S. Rose, "Limiting the scope of the KEY
Record (RR)``, RFC 3445, December 2002. Resource Record (RR)", RFC 3445, December 2002.
Informational References 8.2. Informational References
[RFC2181] R. Elz, R. Bush, ``Clarifications to the DNS Specification'', [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS
RFC 2181, July 1997. Specification", RFC 2181, July 1997.
[RFC3226] O. Gudmundsson, ``DNSSEC and IPv6 A6 aware server/resolver [RFC3226] Gudmundsson, O., "DNSSEC and IPv6 A6 aware server/resolver
message size requirements'', RFC 3226, December 2001. message size requirements", RFC 3226, December 2001.
Author Address 9. Author's Address
Olafur Gudmundsson Olafur Gudmundsson
3821 Village Park Drive 3821 Village Park Drive
Chevy Chase, MD, 20815 Chevy Chase, MD, 20815
USA
<ogud@ogud.com>
Full Copyright Statement EMail: ds-rfc@ogud.com
Copyright (C) The Internet Society (2003). All Rights Reserved. 10. Full Copyright Statement
This document and translations of it may be copied and furnished to Copyright (C) The Internet Society (2003). All Rights Reserved.
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be This document and translations of it may be copied and furnished to
revoked by the Internet Society or its successors or assigns. others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
This document and the information contained herein is provided on an The limited permissions granted above are perpetual and will not be
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING revoked by the Internet Society or its successors or assignees.
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION This document and the information contained herein is provided on an
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE." TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Acknowledgement
Funding for the RFC Editor function is currently provided by the
Internet Society.
 End of changes. 157 change blocks. 
589 lines changed or deleted 621 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/