draft-ietf-dnsop-delegation-trust-maintainance-02.txt   draft-ietf-dnsop-delegation-trust-maintainance-03.txt 
dnsop W. Kumari dnsop W. Kumari
Internet-Draft Google Internet-Draft Google
Intended status: Informational O. Gudmundsson Intended status: Informational O. Gudmundsson
Expires: August 9, 2014 Shinkuro Inc. Expires: August 12, 2014 Shinkuro Inc.
G. Barwood G. Barwood
February 5, 2014 February 8, 2014
Automating DNSSEC delegation trust maintenance Automating DNSSEC delegation trust maintenance
draft-ietf-dnsop-delegation-trust-maintainance-02 draft-ietf-dnsop-delegation-trust-maintainance-03
Abstract Abstract
This document describes a method to allow DNS operators to more This document describes a method to allow DNS operators to more
easily update DNSSEC Key Signing Keys using DNS as communication easily update DNSSEC Key Signing Keys using DNS as communication
channel. This document does not address the initial configuration of channel. This document does not address the initial configuration of
trust anchors for a domain. The technique described is aimed at trust anchors for a domain. The technique described is aimed at
delegations in which it is currently hard to move information from delegations in which it is currently hard to move information from
the child to parent. the child to parent.
skipping to change at page 1, line 38 skipping to change at page 1, line 38
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on August 9, 2014. This Internet-Draft will expire on August 12, 2014.
Copyright Notice Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 3, line 29 skipping to change at page 3, line 29
[RFC4034], [RFC4035], [RFC5011] and [RFC6781]. [RFC4034], [RFC4035], [RFC5011] and [RFC6781].
This document is a compilation of two earlier drafts: draft-barwood- This document is a compilation of two earlier drafts: draft-barwood-
dnsop-ds-publish[I-D.ds-publish] and draft-wkumari-dnsop-ezkeyroll. dnsop-ds-publish[I-D.ds-publish] and draft-wkumari-dnsop-ezkeyroll.
This document outlines a technique in which the parent periodically This document outlines a technique in which the parent periodically
(or upon request) polls its signed children and automatically publish (or upon request) polls its signed children and automatically publish
new DS records. To a large extent, the procedures this document new DS records. To a large extent, the procedures this document
follows are as described in [RFC6781] section 4.1.2. follows are as described in [RFC6781] section 4.1.2.
This technique is in some ways similar to RFC 5011 style rollovers, This technique is in some ways similar to [RFC5011] style rollovers,
but for sub-domains DS records, instead of trust anchors. but for sub-domains DS records, instead of trust anchors.
This technique is designed to be friendly both to fully automated This technique is designed to be friendly both to fully automated
tools and humans. Fully automated tools can perform all the actions tools and humans. Fully automated tools can perform all the actions
needed without human intervention, and thus can monitor when it is needed without human intervention, and thus can monitor when it is
safe to move to the next step. safe to move to the next step.
The solution described in this document only allows transferring The solution described in this document only allows transferring
information about DNSSEC keys (DS and DNSKEY) from the child to the information about DNSSEC keys (DS and DNSKEY) from the child to the
parental agent. It lists exactly what the parent should publish, and parental agent. It lists exactly what the parent should publish, and
skipping to change at page 7, line 33 skipping to change at page 7, line 33
-- or worse, the update action is not performed at all. -- or worse, the update action is not performed at all.
3. CDS / CDNSKEY (Child DS/ Child DNSKEY) record definitions 3. CDS / CDNSKEY (Child DS/ Child DNSKEY) record definitions
This document specifies two new DNS RRtypes (CDS and CDNSKEY) that This document specifies two new DNS RRtypes (CDS and CDNSKEY) that
indicates what the Child wants the parent's DS RRset to contain. It indicates what the Child wants the parent's DS RRset to contain. It
allows the Child to present DS records and / or DNSKEY records (for allows the Child to present DS records and / or DNSKEY records (for
those parents who would rather generate the DS records for their those parents who would rather generate the DS records for their
children). children).
The CDS / CDNSKEY record is published in the child zone and gives the The CDS / CDNSKEY records are published in the child zone and gives
child control of what is published for it in the parental zone. The the child control of what is published for it in the parental zone.
CDS / CDNSKEY RRset expresses what the child would like the DS RRset The CDS / CDNSKEY RRset expresses what the child would like the DS
to look like after the change; it is a "replace" operation, and it is RRset to look like after the change; it is a "replace" operation, and
up to the consumer of the records to translate that into the it is up to the consumer of the records to translate that into the
appropriate add/delete operations in the registration systems (and in appropriate add/delete operations in the registration systems (and in
the case of CDNSKEY, to generate the DS from the DNSKEY). the case of CDNSKEY, to generate the DS from the DNSKEY). If no CDS
/ CDNSKEY RRset is present in child, this means that no change is
needed.
[[RFC Editor: Please remove this paragraph before publication] [[RFC Editor: Please remove this paragraph before publication]
Version -04 of the ID that became this document (http:// Version -04 of the ID that became this working group document (http:/
tools.ietf.org/id/draft-kumari-ogud-dnsop-cds-04.txt) defined a new /tools.ietf.org/id/draft-kumari-ogud-dnsop-cds-04.txt) defined a new
record (CTA) that could hold either a DS or a DNSKEY record (with a record (CTA) that could hold either a DS or a DNSKEY record (with a
selector to differentiate between them). In a shocking development, selector to differentiate between them). In a shocking development,
there was almost full consensus that this was horrid :-) ] there was almost full consensus that this was horrid :-) ]
3.1. CDS Resource Record Format 3.1. CDS Resource Record Format
The wire and presentation format of the CDS ("Child DS") record is The wire and presentation format of the CDS ("Child DS") record is
identical to the DS record [RFC4034]. IANA has allocated RR code 59 identical to the DS record [RFC4034]. IANA has allocated RR code 59
for the CDS record via expert review [I-D.ds-publish]. for the CDS record via expert review [I-D.ds-publish]. CDS uses the
same registries as DS for its fields
No special processing is performed by authoritative servers or by No special processing is performed by authoritative servers or by
revolvers, when serving or resolving. For all practical purposes CDS revolvers, when serving or resolving. For all practical purposes CDS
is a regular RR type. is a regular RR type.
3.2. CDNSKEY Resource Record Format 3.2. CDNSKEY Resource Record Format
The wire and presentation format of the CDNSKEY ("Child DNSKEY") The wire and presentation format of the CDNSKEY ("Child DNSKEY")
record is identical to the DNSKEY record. record is identical to the DNSKEY record. CDNSKEY uses the same
registries as DNSKEY for its fields.
No special processing is performed by authoritative servers or by No special processing is performed by authoritative servers or by
revolvers, when serving or resolving. For all practical purposes revolvers, when serving or resolving. For all practical purposes
CDNSKEY is a regular RR type. CDNSKEY is a regular RR type.
4. Automating DS maintainance with CDS/CDNSKEY records 4. Automating DS maintainance with CDS/CDNSKEY records
CDS/CDNSKEY records are intended to be "consumed" by delegation trust CDS/CDNSKEY records are intended to be "consumed" by delegation trust
maintainers. The use of CDS/CDNSKEY is optional. maintainers. The use of CDS/CDNSKEY is optional.
Some parents prefer to accept DNSSEC key information in DS format, Some parents prefer to accept DNSSEC key information in DS format,
some parents prefer to accept it in DNSKEY format, and calculate the some parents prefer to accept it in DNSKEY format, and calculate the
DS record on the child's behalf. Each method has pros and cons, both DS record on the child's behalf. Each method has pros and cons, both
technical and policy. This solution is DS vs DNSKEY agnostic, and technical and policy. This solution is DS vs DNSKEY agnostic, and
allows operation with either. allows operation with either.
If the child knows what the parent prefers, they can publish the If the child knows what the parent prefers, they can publish the
parent's preferred record type. If the child does not know (or parent's preferred record type. If the child does not know (or
simply chooses to), they can publish both CDS and CDNSKEY. If the simply chooses to), they can publish both CDS and CDNSKEY. If the
child publishes both, they SHOULD have matching CDS records for each child publishes both, the two RRsets they SHOULD match in content.
CDNSKEY record. The parent should use whichever one they choose, but The parent should use whichever one they choose, but SHOULD NOT query
SHOULD NOT query for both and perform consistency checks between the for both and perform consistency checks between the CDS and CDNSKEY
CDS and CDNSKEY records. records.
[Editor note: It is not an error for a child to have published CDS [Editor note: It is not an error for a child to have published CDS
records and not have CDNSKEYs that hash to those records, nor for records and not have CDNSKEYs that hash to those records, nor for
there to be CDNSKEY records without matching DS records. This is there to be CDNSKEY records without matching DS records. This is
because a child might have been publishing CDS records and then the because a child might have been publishing CDS records and then the
parent's policy changes to require CDNSKEY records. The child might parent's policy changes to require CDNSKEY records. The child might
forget to remove the CDS, etc. This avoids all sorts of error forget to remove the CDS, etc. This avoids all sorts of error
conditions / complexity, etc.] conditions / complexity, etc.]
4.1. CDS / CDNSKEY processing rules 4.1. CDS / CDNSKEY processing rules
Absence of CDS / CDNSKEY in child signals "No change" to the current If there are no CDS / CDNSKEY resource records in the child, this
DS set. Following acceptance rules are placed on the CDS / CDNSKEY signals that no change should be made to the current DS set. This
records as follows: means that, once the child and parent are in sync, the child DNS
operator MAY remove all CDS records from the zone.
Following acceptance rules are placed on the CDS / CDNSKEY records as
follows:
o Location: "the CDS / CDNSKEY record MUST be at the child zone o Location: "the CDS / CDNSKEY record MUST be at the child zone
apex". apex".
o Signer: "MUST be signed with a key that is represented in both the o Signer: "MUST be signed with a key that is represented in both the
current DNSKEY and DS RRset's." current DNSKEY and DS RRset's."
o Continuity: "SHOULD NOT break the current delegation if applied to o Continuity: "SHOULD NOT break the current delegation if applied to
DS RRset" DS RRset"
If any these conditions fail the CDS / CDNSKEY record MUST be If any these conditions fail the CDS / CDNSKEY record MUST be
ignored. ignored.
5. Child's CDS / CDNSKEY Publication 5. Child's CDS / CDNSKEY Publication
Child DNS Operator SHOULD only publish a CDS or CDNSKEY RRset when it Child DNS Operator SHOULD only publish a CDS or CDNSKEY RRset when it
wants to make a change to the DS RRset in the Parent. The CDS / wants to make a change to the DS RRset in the Parent. The CDS /
CDNSKEY RRset SHOULD be compliant with the rules in Section 4.1. CDNSKEY RRset SHOULD be compliant with the rules in Section 4.1.
When the Parent DS is "in-sync" with the CDS, the Child DNS Operator When the Parent DS is "in-sync" with the CDS / CDNSKEY, the Child DNS
MAY delete the CDS RRset. Note that if the child has published a Operator MAY delete the CDS / CDNSKEY RRset(s). Note that if the
DNSKEY RR in the CDS, it will have to calculate the DS (using the child has published a DNSKEY RR in the CDS, it will have to calculate
requested digest algorithm) to do the comparison. the DS (using the requested digest algorithm) to do the comparison.
A child MAY publish both CDS and CDNSKEY. If a child chooses to A child MAY publish both CDS and CDNSKEY. If a child chooses to
publish both, it SHOULD attempt to maintain consistency (a matching publish both, it SHOULD attempt to maintain consistency (a matching
CDS for each CDNSKEY) CDS for each CDNSKEY)
6. Parent side CDS / CDNSKEY Consumption 6. Parent side CDS / CDNSKEY Consumption
The CDS / CDNSKEY RRset MAY be used by the Parental Agent to update The CDS / CDNSKEY RRset MAY be used by the Parental Agent to update
the DS RRset in the parent zone. The Parental Agent for this uses a the DS RRset in the parent zone. The Parental Agent for this uses a
tool that understands the CDS / CDNSKEY signing rules from tool that understands the CDS / CDNSKEY signing rules from
skipping to change at page 11, line 12 skipping to change at page 11, line 12
unauthenticated POST could be made to a webserver (with rate- unauthenticated POST could be made to a webserver (with rate-
limiting), etc.) limiting), etc.)
Other documents can specify the trigger conditions. Other documents can specify the trigger conditions.
6.2. Using the new CDS / CDNSKEY records 6.2. Using the new CDS / CDNSKEY records
Regardless of how the Parental Agent detected changes to a CDS / Regardless of how the Parental Agent detected changes to a CDS /
CDNSKEY RR, the Parental Agent MUST use a DNSSEC validator to obtain CDNSKEY RR, the Parental Agent MUST use a DNSSEC validator to obtain
a validated CDS / CDNSKEY RRset from the Child zone. It would be a a validated CDS / CDNSKEY RRset from the Child zone. It would be a
good idea if the Parental Agent checked all NS RRs listed at the good idea if the Parental Agent checked all NS RRs listed at the
delegation. However, due to the use of technologies such as load delegation.
balancing and anycast, this should not be taken as proof that the new
CDS / CDNSKEY is present on all nodes serving the Child zone.
The Parental Agent MUST ensure that old versions of the CDS / CDNSKEY The Parental Agent MUST ensure that old versions of the CDS / CDNSKEY
RRset do not overwrite newer versions. This MAY be accomplished by RRset do not overwrite newer versions. This MAY be accomplished by
checking that the signature inception in the RRSIG for CDS / CDNSKEY checking that the signature inception in the RRSIG for CDS / CDNSKEY
is newer and/or the serial number on the child's SOA is greater. is newer and/or the serial number on the child's SOA is greater.
This may require the Parental Agent to maintain some state This may require the Parental Agent to maintain some state
information. information.
The Parental Agent MAY take extra security measures. For example, to The Parental Agent MAY take extra security measures. For example, to
mitigate the possibility that a Child's key signing key has been mitigate the possibility that a Child's key signing key has been
skipping to change at page 12, line 44 skipping to change at page 12, line 42
If child breaks DNSSEC validation by removing all the DNSKEYs that If child breaks DNSSEC validation by removing all the DNSKEYs that
are represented in the DS set its only repair actions are to contact are represented in the DS set its only repair actions are to contact
the parent or restore the DNSKEYs in the DS set. the parent or restore the DNSKEYs in the DS set.
In the event of a compromise of the server or system generating In the event of a compromise of the server or system generating
signatures for a zone, an attacker might be able to generate and signatures for a zone, an attacker might be able to generate and
publish new CDS records. The modified CDS records will be picked up publish new CDS records. The modified CDS records will be picked up
by this technique and so may allow the attacker to extend the by this technique and so may allow the attacker to extend the
effective time of his attack. If there a delay in accepting changes effective time of his attack. If there a delay in accepting changes
to DS, as in RFC5011, then the attacker needs to hope his activity is to DS, as in [RFC5011], then the attacker needs to hope his activity
not detected before the DS in parent is changed. If this type of is not detected before the DS in parent is changed. If this type of
change takes place, the child needs to contact the parent (possibly change takes place, the child needs to contact the parent (possibly
via a registrar web interface) and remove any compromised DS keys. via a registrar web interface) and remove any compromised DS keys.
A compromise of the account with the parent (e.g. registrar) will not A compromise of the account with the parent (e.g. registrar) will not
be mitigated by this technique, as the "new registrant" can delete/ be mitigated by this technique, as the "new registrant" can delete/
modify the DS records at will. modify the DS records at will.
While it may be tempting, this SHOULD NOT be used for initial While it may be tempting, this SHOULD NOT be used for initial
enrollment of keys since there is no way to ensure that the initial enrollment of keys since there is no way to ensure that the initial
key is the correct one. If is used, strict rules for inclusion of key is the correct one. If is used, strict rules for inclusion of
keys like hold down times, challenge data inclusion etc., ought to be keys like hold down times, challenge data inclusion etc., ought to be
used, along with some kind of challenge mechanism. used, along with some kind of challenge mechanism. A child cannot
use this mechanism to go from signed to unsigned (publishing an empty
CDS / CDNSKEY RRset means no-change should be made in the parent).
The CDS RR type should allow for enhanced security by simplifying The CDS RR type should allow for enhanced security by simplifying
process. Since rollover is automated, updating a DS RRset by other process. Since rollover is automated, updating a DS RRset by other
means may be regarded as unusual and subject to extra security means may be regarded as unusual and subject to extra security
checks. checks.
If there is a failure in applying changes in child zone to all DNS If there is a failure in applying changes in child zone to all DNS
servers listed in either parent or child NS set it is possible that servers listed in either parent or child NS set it is possible that
the Parental agent may get confused either not perform action because the Parental agent may get confused either not perform action because
it gets different answers on different checks or CDS validation it gets different answers on different checks or CDS validation
skipping to change at page 13, line 48 skipping to change at page 13, line 47
By automating the maintenance of the DNSSEC key information (and By automating the maintenance of the DNSSEC key information (and
removing humans from the process) we expect to decrease the number of removing humans from the process) we expect to decrease the number of
DNSSEC related outages, which should increase DNSSEC deployment. DNSSEC related outages, which should increase DNSSEC deployment.
10. Acknowledgements 10. Acknowledgements
We would like to thank a large number of folk, including: Mark We would like to thank a large number of folk, including: Mark
Andrews, Joe Abley, Jaap Akkerhuis, Roy Arends, Doug Barton, Brian Andrews, Joe Abley, Jaap Akkerhuis, Roy Arends, Doug Barton, Brian
Dickinson, Paul Ebersman, Tony Finch, Patrik Faltsrom, Jim Galvin, Dickinson, Paul Ebersman, Tony Finch, Patrik Faltsrom, Jim Galvin,
Paul Hoffman, Olaf Kolkman, Cricket Liu, Stephan Lagerholm, Matt Paul Hoffman, Samir Hussain, Tatuya Jinmei, Olaf Kolkman, Cricket
Larson, Marco Sanz, Antoin Verschuren, Suzanne Woolf, Paul Wouters, Liu, Stephan Lagerholm, Matt Larson, Marco Sanz, Antoin Verschuren,
Matthijs Meeking, John Dickinson, Timothe Litt and Edward Lewis. Suzanne Woolf, Paul Wouters, Matthijs Meeking, John Dickinson,
Timothe Litt and Edward Lewis.
Special thanks to Wes Hardaker for contributing significant text and Special thanks to Wes Hardaker for contributing significant text and
creating the complementary (CSYNC) solution, and to Paul Hoffman and creating the complementary (CSYNC) solution, and to Paul Hoffman and
Mukund Sivaraman for text and review. Mukund Sivaraman for text and review.
There were a number of other folk with whom we discussed this, There were a number of other folk with whom we discussed this,
apologies for not remembering everyone. apologies for not remembering everyone.
11. References 11. References
skipping to change at page 16, line 9 skipping to change at page 16, line 9
In many RRR cases the Registrar and Registry communicate via In many RRR cases the Registrar and Registry communicate via
EPP[RFC5730] and use the EPP DNSSEC extension [RFC5910]. In a number EPP[RFC5730] and use the EPP DNSSEC extension [RFC5910]. In a number
of ccTLDs there are other mechanisms in use as well as EPP, but in of ccTLDs there are other mechanisms in use as well as EPP, but in
general there seems to be a movement towards EPP usage when DNSSEC is general there seems to be a movement towards EPP usage when DNSSEC is
enabled in the TLD. enabled in the TLD.
Appendix B. Changes / Author Notes. Appendix B. Changes / Author Notes.
[RFC Editor: Please remove this section before publication ] [RFC Editor: Please remove this section before publication ]
WG-02 to WG-03
o Fixed some references to RFC 5011 - from Samir Hussain.
o Fixed some spelling / typos - from Samir Hussain.
o A number of clarifiations on the meaning on an empty / non-
existant CDS RRset - thanks to JINMEI, Tatuya
o Be consistent in mentioning both CDS and CDNSKEY throughout the
document.
WG-01 to WG-02 WG-01 to WG-02
o Many nits and suggestions from Mukund. o Many nits and suggestions from Mukund.
o Matthijs: " I still think that it is too strong that the Child DNS o Matthijs: " I still think that it is too strong that the Child DNS
Operator SHOULD/MUST delete the CDS RRset when the Parent DS is Operator SHOULD/MUST delete the CDS RRset when the Parent DS is
"in-sync". This should be a MAY" "in-sync". This should be a MAY"
WG-00 to WG-01 WG-00 to WG-01
skipping to change at page 16, line 31 skipping to change at page 16, line 43
strategies." Thanks to Paul for providing text. strategies." Thanks to Paul for providing text.
From -05 to WG-00: From -05 to WG-00:
o Nothing rchanged, resubmit under new name. o Nothing rchanged, resubmit under new name.
From 04 to 05 From 04 to 05
o Renamed the record back to CDS. o Renamed the record back to CDS.
o
From 03 to 04. From 03 to 04.
o Added text explaining that CDS and CSYNC complement each other, o Added text explaining that CDS and CSYNC complement each other,
not replace or compete. not replace or compete.
o Changed format of record to be <selector> <data> to allow the o Changed format of record to be <selector> <data> to allow the
publication of DS **or** DNSKEY. publication of DS **or** DNSKEY.
o Bunch of text changed to cover the above. o Bunch of text changed to cover the above.
o Added a bit more text on the polling scaling stuff, expecation o Added a bit more text on the polling scaling stuff, expectation
that other triggers will be documented, that other triggers will be documented.
From 02 to 03 From 02 to 03
o Applied comments by Matthijs Mekking o Applied comments by Matthijs Mekking
o Incorporated suggestions from Edward Lewis about structure o Incorporated suggestions from Edward Lewis about structure
o Reworked structure to be easier for implementors to follow o Reworked structure to be easier for implementors to follow
o Applied many suggestions from a wonderful thorough review by John o Applied many suggestions from a wonderful thorough review by John
Dickinson Dickinson
o Removed the going Unsigned option o Removed the going Unsigned option
From 01 to 02 From 01 to 02
o Major restructuring to facilitate easier discussion o Major restructuring to facilitate easier discussion
o Lots of comments from DNSOP mailing list incorporated, including o Lots of comments from DNSOP mailing list incorporated, including
 End of changes. 21 change blocks. 
39 lines changed or deleted 59 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/