| draft-ietf-dnsext-ds-sha256-02.txt | draft-ietf-dnsext-ds-sha256-03.txt | |||
|---|---|---|---|---|
| Network Working Group W. Hardaker | Network Working Group W. Hardaker | |||
| Internet-Draft Sparta | Internet-Draft Sparta | |||
| Expires: June 12, 2006 December 9, 2005 | Expires: July 10, 2006 January 6, 2006 | |||
| Use of SHA-256 in DNSSEC Delegation Signer (DS) Resource Records (RRs) | Use of SHA-256 in DNSSEC Delegation Signer (DS) Resource Records (RRs) | |||
| draft-ietf-dnsext-ds-sha256-02.txt | draft-ietf-dnsext-ds-sha256-03.txt | |||
| Status of this Memo | Status of this Memo | |||
| By submitting this Internet-Draft, each author represents that any | By submitting this Internet-Draft, each author represents that any | |||
| applicable patent or other IPR claims of which he or she is aware | applicable patent or other IPR claims of which he or she is aware | |||
| have been or will be disclosed, and any of which he or she becomes | have been or will be disclosed, and any of which he or she becomes | |||
| aware will be disclosed, in accordance with Section 6 of BCP 79. | aware will be disclosed, in accordance with Section 6 of BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF), its areas, and its working groups. Note that | Task Force (IETF), its areas, and its working groups. Note that | |||
| skipping to change at page 1, line 33 | skipping to change at page 1, line 33 | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| The list of current Internet-Drafts can be accessed at | The list of current Internet-Drafts can be accessed at | |||
| http://www.ietf.org/ietf/1id-abstracts.txt. | http://www.ietf.org/ietf/1id-abstracts.txt. | |||
| The list of Internet-Draft Shadow Directories can be accessed at | The list of Internet-Draft Shadow Directories can be accessed at | |||
| http://www.ietf.org/shadow.html. | http://www.ietf.org/shadow.html. | |||
| This Internet-Draft will expire on June 12, 2006. | This Internet-Draft will expire on July 10, 2006. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (C) The Internet Society (2005). | Copyright (C) The Internet Society (2006). | |||
| Abstract | Abstract | |||
| This document specifies how to use the SHA-256 digest type in DNS | This document specifies how to use the SHA-256 digest type in DNS | |||
| Delegation Signer (DS) Resource Records (RRs). DS records, when | Delegation Signer (DS) Resource Records (RRs). DS records, when | |||
| stored in a parent zone, point to key signing DNSKEY key(s) in a | stored in a parent zone, point to key signing DNSKEY key(s) in a | |||
| child zone. | child zone. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 2. Implementing the SHA-256 algorithm for DS record support . . . 3 | 2. Implementing the SHA-256 algorithm for DS record support . . . 3 | |||
| 2.1. DS record field values . . . . . . . . . . . . . . . . . . 3 | 2.1. DS record field values . . . . . . . . . . . . . . . . . . 3 | |||
| 2.2. DS Record with SHA-256 Wire Format . . . . . . . . . . . . 3 | 2.2. DS Record with SHA-256 Wire Format . . . . . . . . . . . . 3 | |||
| 2.3. Example DS Record Using SHA-256 . . . . . . . . . . . . . . 4 | 2.3. Example DS Record Using SHA-256 . . . . . . . . . . . . . . 4 | |||
| 3. Implementation Requirements . . . . . . . . . . . . . . . . . . 4 | 3. Implementation Requirements . . . . . . . . . . . . . . . . . . 4 | |||
| 4. Deployment Considerations . . . . . . . . . . . . . . . . . . . 5 | 4. Deployment Considerations . . . . . . . . . . . . . . . . . . . 4 | |||
| 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 5 | 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 6. Security Considerations . . . . . . . . . . . . . . . . . . . . 5 | 6. Security Considerations . . . . . . . . . . . . . . . . . . . . 5 | |||
| 6.1. Potential Digest Type Downgrade Attacks . . . . . . . . . . 5 | ||||
| 6.2. SHA-1 vs SHA-256 Considerations for DS Records . . . . . . 6 | ||||
| 7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . 6 | 7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 6 | 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 8.1. Normative References . . . . . . . . . . . . . . . . . . . 6 | 8.1. Normative References . . . . . . . . . . . . . . . . . . . 6 | |||
| 8.2. Informative References . . . . . . . . . . . . . . . . . . 6 | 8.2. Informative References . . . . . . . . . . . . . . . . . . 7 | |||
| Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 7 | Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 8 | |||
| Intellectual Property and Copyright Statements . . . . . . . . . . 8 | Intellectual Property and Copyright Statements . . . . . . . . . . 9 | |||
| 1. Introduction | 1. Introduction | |||
| The DNSSEC [RFC4033] [RFC4034] [RFC4035] DS RR is published in parent | The DNSSEC [RFC4033] [RFC4034] [RFC4035] DS RR is published in parent | |||
| zones to distribute a cryptographic digest of a child's Key Signing | zones to distribute a cryptographic digest of a child's Key Signing | |||
| Key (KSK) DNSKEY RR. The DS RRset is signed by at least one of the | Key (KSK) DNSKEY RR. The DS RRset is signed by at least one of the | |||
| parent zone's private zone data signing keys for each algorithm in | parent zone's private zone data signing keys for each algorithm in | |||
| use by the parent. Each signature is published in an RRSIG resource | use by the parent. Each signature is published in an RRSIG resource | |||
| record, owned by the same domain as the DS RRset and with a type | record, owned by the same domain as the DS RRset and with a type | |||
| covered of DS. | covered of DS. | |||
| skipping to change at page 4, line 21 | skipping to change at page 4, line 21 | |||
| / Digest (length for SHA-256 is 32 bytes) / | / Digest (length for SHA-256 is 32 bytes) / | |||
| / / | / / | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-| | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-| | |||
| 2.3. Example DS Record Using SHA-256 | 2.3. Example DS Record Using SHA-256 | |||
| The following is an example DNSKEY and matching DS record. This | The following is an example DNSKEY and matching DS record. This | |||
| DNSKEY record comes from the example DNSKEY/DS records found in | DNSKEY record comes from the example DNSKEY/DS records found in | |||
| section 5.4 of [RFC4034]. | section 5.4 of [RFC4034]. | |||
| The DNSKEY record:: | The DNSKEY record: | |||
| dskey.example.com. 86400 IN DNSKEY 256 3 5 ( AQOeiiR0GOMYkDshWoSKz9Xz | dskey.example.com. 86400 IN DNSKEY 256 3 5 ( AQOeiiR0GOMYkDshWoSKz9Xz | |||
| fwJr1AYtsmx3TGkJaNXVbfi/ | fwJr1AYtsmx3TGkJaNXVbfi/ | |||
| 2pHm822aJ5iI9BMzNXxeYCmZ | 2pHm822aJ5iI9BMzNXxeYCmZ | |||
| DRD99WYwYqUSdjMmmAphXdvx | DRD99WYwYqUSdjMmmAphXdvx | |||
| egXd/M5+X7OrzKBaMbCVdFLU | egXd/M5+X7OrzKBaMbCVdFLU | |||
| Uh6DhweJBjEVv5f2wwjM9Xzc | Uh6DhweJBjEVv5f2wwjM9Xzc | |||
| nOf+EPbtG9DMBmADjFDc2w/r | nOf+EPbtG9DMBmADjFDc2w/r | |||
| ljwvFw== | ljwvFw== | |||
| ) ; key id = 60485 | ) ; key id = 60485 | |||
| skipping to change at page 4, line 44 | skipping to change at page 4, line 44 | |||
| 256 digest: [RFC Editor: please replace XXX with the assigned digest | 256 digest: [RFC Editor: please replace XXX with the assigned digest | |||
| type (likely 2):] | type (likely 2):] | |||
| dskey.example.com. 86400 IN DS 60485 5 XXX ( D4B7D520E7BB5F0F67674A0C | dskey.example.com. 86400 IN DS 60485 5 XXX ( D4B7D520E7BB5F0F67674A0C | |||
| CEB1E3E0614B93C4F9E99B83 | CEB1E3E0614B93C4F9E99B83 | |||
| 83F6A1E4469DA50A ) | 83F6A1E4469DA50A ) | |||
| 3. Implementation Requirements | 3. Implementation Requirements | |||
| Implementations MUST support the use of the SHA-256 algorithm in DS | Implementations MUST support the use of the SHA-256 algorithm in DS | |||
| RRs. | RRs. Validator implementations SHOULD ignore DS RRs containing SHA-1 | |||
| digests if DS RRs with SHA-256 digests are present in the DS RRset. | ||||
| Validator implementations MUST, by default, ignore DS RRs containing | ||||
| SHA-1 digests if DS RRs with SHA-256 digests are present in the DS | ||||
| RRset. This behavior SHOULD be the default. Validator | ||||
| implementations MAY provide configuration settings that allow network | ||||
| operators to specify preference policy when validating multiple DS | ||||
| records containing different digest types. | ||||
| 4. Deployment Considerations | 4. Deployment Considerations | |||
| If a validator does not support the SHA-256 digest type and no other | If a validator does not support the SHA-256 digest type and no other | |||
| DS RR exists in a zone's DS RRset with a supported digest type, then | DS RR exists in a zone's DS RRset with a supported digest type, then | |||
| the validator has no supported authentication path leading from the | the validator has no supported authentication path leading from the | |||
| parent to the child. The resolver should treat this case as it would | parent to the child. The resolver should treat this case as it would | |||
| the case of an authenticated NSEC RRset proving that no DS RRset | the case of an authenticated NSEC RRset proving that no DS RRset | |||
| exists, as described in [RFC4035], section 5.2. | exists, as described in [RFC4035], section 5.2. | |||
| skipping to change at page 5, line 39 | skipping to change at page 5, line 34 | |||
| use in DS records are as follows: | use in DS records are as follows: | |||
| VALUE Digest Type Status | VALUE Digest Type Status | |||
| 0 Reserved - | 0 Reserved - | |||
| 1 SHA-1 MANDATORY | 1 SHA-1 MANDATORY | |||
| 2 SHA-256 MANDATORY | 2 SHA-256 MANDATORY | |||
| 3-255 Unassigned - | 3-255 Unassigned - | |||
| 6. Security Considerations | 6. Security Considerations | |||
| 6.1. Potential Digest Type Downgrade Attacks | ||||
| A downgrade attack from a stronger digest type to a weaker one is | ||||
| possible if all of the following are true: | ||||
| o A zone includes multiple DS records for a given child's DNSKEY, | ||||
| each of which use a different digest type. | ||||
| o A validator accepts a weaker digest even if a stronger one is | ||||
| present but invalid. | ||||
| For example, if the following conditions are all true: | ||||
| o Both SHA-1 and SHA-256 based digests are published in DS records | ||||
| within a parent zone for a given child zone's DNSKEY. | ||||
| o The DS record with the SHA-1 digest matches the digest computed | ||||
| using the child zone's DNSKEY. | ||||
| o The DS record with the SHA-256 digest fails to match the signature | ||||
| computed using the child zone's DNSKEY | ||||
| Then if the validator accepts the above situation as secure then this | ||||
| can be used as a downgrade attack since the stronger SHA-256 digest | ||||
| is ignored. | ||||
| 6.2. SHA-1 vs SHA-256 Considerations for DS Records | ||||
| Because of the weaknesses recently discovered within the SHA-1 | Because of the weaknesses recently discovered within the SHA-1 | |||
| algorithm, users of DNSSEC are encouraged to deploy the use of SHA- | algorithm, users of DNSSEC are encouraged to deploy the use of SHA- | |||
| 256 as soon as the software implementations in use allow for it. | 256 as soon as the software implementations in use allow for it. | |||
| At the time of this publication, the SHA-256 digest algorithm is | At the time of this publication, the SHA-256 digest algorithm is | |||
| considered sufficiently strong for the immediate future. It is also | considered sufficiently strong for the immediate future. It is also | |||
| considered sufficient for use in DNSSEC DS RRs for the immediate | considered sufficient for use in DNSSEC DS RRs for the immediate | |||
| future. However, future published attacks may, of course, weaken the | future. However, future published attacks may weaken the usability | |||
| usability of this algorithm within the DS RRs. It is beyond the | of this algorithm within the DS RRs. It is beyond the scope of this | |||
| scope of this document to speculate extensively on the cryptographic | document to speculate extensively on the cryptographic strength of | |||
| strength of the SHA-256 digest algorithm. | the SHA-256 digest algorithm. | |||
| Likewise, it is also beyond the scope of this document to specify | Likewise, it is also beyond the scope of this document to specify | |||
| whether or for how long SHA-1 based DS records should be | whether or for how long SHA-1 based DS records should be | |||
| simultaneously published alongside SHA-256 based DS records. | simultaneously published alongside SHA-256 based DS records. | |||
| 7. Acknowledgments | 7. Acknowledgments | |||
| This document is a minor extension to the existing DNSSEC documents | This document is a minor extension to the existing DNSSEC documents | |||
| and those authors are gratefully appreciated for the hard work that | and those authors are gratefully appreciated for the hard work that | |||
| went into the base documents. | went into the base documents. | |||
| The following people contributed to portions of this document in some | The following people contributed to portions of this document in some | |||
| fashion: Mark Andrews, Roy Arends, Olafur Gudmundsson, Olaf M. | fashion: Mark Andrews, Roy Arends, Olafur Gudmundsson, Olaf M. | |||
| Kolkman, Edward Lewis, Scott Rose, Sam Weiler. | Kolkman, Edward Lewis, Scott Rose, Stuart E. Schechter, Sam Weiler. | |||
| 8. References | 8. References | |||
| 8.1. Normative References | 8.1. Normative References | |||
| [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. | [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. | |||
| Rose, "DNS Security Introduction and Requirements", | Rose, "DNS Security Introduction and Requirements", | |||
| RFC 4033, March 2005. | RFC 4033, March 2005. | |||
| [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. | [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. | |||
| skipping to change at page 7, line 5 | skipping to change at page 7, line 18 | |||
| [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S. | [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S. | |||
| Rose, "Protocol Modifications for the DNS Security | Rose, "Protocol Modifications for the DNS Security | |||
| Extensions", RFC 4035, March 2005. | Extensions", RFC 4035, March 2005. | |||
| [SHA256] National Institute of Standards and Technology, "Secure | [SHA256] National Institute of Standards and Technology, "Secure | |||
| Hash Algorithm. NIST FIPS 180-2", August 2002. | Hash Algorithm. NIST FIPS 180-2", August 2002. | |||
| 8.2. Informative References | 8.2. Informative References | |||
| [SHA256CODE] | ||||
| Motorola Labs, "US Secure Hash Algorithms (SHA)", | ||||
| June 2005. | ||||
| Author's Address | Author's Address | |||
| Wes Hardaker | Wes Hardaker | |||
| Sparta | Sparta | |||
| P.O. Box 382 | P.O. Box 382 | |||
| Davis 95617 | Davis 95617 | |||
| US | US | |||
| Email: hardaker@tislabs.com | Email: hardaker@tislabs.com | |||
| skipping to change at page 8, line 41 | skipping to change at page 9, line 41 | |||
| This document and the information contained herein are provided on an | This document and the information contained herein are provided on an | |||
| "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS | "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS | |||
| OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET | OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET | |||
| ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, | ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, | |||
| INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE | INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE | |||
| INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED | INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED | |||
| WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. | WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. | |||
| Copyright Statement | Copyright Statement | |||
| Copyright (C) The Internet Society (2005). This document is subject | Copyright (C) The Internet Society (2006). This document is subject | |||
| to the rights, licenses and restrictions contained in BCP 78, and | to the rights, licenses and restrictions contained in BCP 78, and | |||
| except as set forth therein, the authors retain all their rights. | except as set forth therein, the authors retain all their rights. | |||
| Acknowledgment | Acknowledgment | |||
| Funding for the RFC Editor function is currently provided by the | Funding for the RFC Editor function is currently provided by the | |||
| Internet Society. | Internet Society. | |||
| End of changes. 14 change blocks. | ||||
| 23 lines changed or deleted | 51 lines changed or added | |||
This html diff was produced by rfcdiff 1.28, available from http://www.levkowetz.com/ietf/tools/rfcdiff/ | ||||