draft-ietf-dnsop-dns-zone-digest-06.txt -> draft-ietf-dnsop-dns-zone-digest-07.txt

Internet Engineering Task Force                               D. Wessels
Internet-Draft                                                 P. Barber
Intended status: Standards Track                             M. Weinberg
Expires: October 30, 2020 (-06: October 10, 2020)               Verisign
                                                               W. Kumari
                                                                  Google
                                                             W. Hardaker
                                                                 USC/ISI
                                         April 28, 2020 (-06: April 8, 2020)

                      Message Digest for DNS Zones
            draft-ietf-dnsop-dns-zone-digest-07 (previously -06)

Abstract

   This document describes a protocol and new DNS Resource Record that
   can be used to provide a cryptographic message digest over DNS zone
   data.  The ZONEMD Resource Record conveys the digest data in the zone
   itself.  When a zone publisher includes a ZONEMD record, recipients
   can verify the zone contents for accuracy and completeness.  This
   provides assurance that received zone data matches published data,
   regardless of how the zone data has been transmitted and received.
[skipping to change at page 2, line 7]
   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on October 30, 2020 (-06: October 10, 2020).

Copyright Notice

   Copyright (c) 2020 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
[skipping to change at page 3, line 22]

     6.1.  Attacks Against the Zone Digest . . . . . . . . . . . . .  15
     6.2.  Attacks Utilizing ZONEMD Queries  . . . . . . . . . . . .  15
     6.3.  Resilience and Fragility  . . . . . . . . . . . . . . . .  15
   7.  Performance Considerations  . . . . . . . . . . . . . . . . .  16
     7.1.  SIMPLE SHA384 . . . . . . . . . . . . . . . . . . . . . .  16
   8.  Privacy Considerations  . . . . . . . . . . . . . . . . . . .  17
   9.  Acknowledgments . . . . . . . . . . . . . . . . . . . . . . .  17
   10. Implementation Status . . . . . . . . . . . . . . . . . . . .  17
     10.1.  Authors' Implementation  . . . . . . . . . . . . . . . .  17
     10.2.  Shane Kerr's Implementation  . . . . . . . . . . . . . .  18
     10.3.  NIC Chile Labs Implementation  . . . . . . . . . . . . .  18
   11. Change Log  . . . . . . . . . . . . . . . . . . . . . . . . .  18
   12. References  . . . . . . . . . . . . . . . . . . . . . . . . .  23
     12.1.  Normative References . . . . . . . . . . . . . . . . . .  23
     12.2.  Informative References . . . . . . . . . . . . . . . . .  24
   Appendix A.  Example Zones With Digests . . . . . . . . . . . . .  26
     A.1.  Simple EXAMPLE Zone . . . . . . . . . . . . . . . . . . .  26
     A.2.  Complex EXAMPLE Zone  . . . . . . . . . . . . . . . . . .  26
     A.3.  EXAMPLE Zone with multiple digests  . . . . . . . . . . .  27
     A.4.  The URI.ARPA Zone . . . . . . . . . . . . . . . . . . . .  28
     A.5.  The ROOT-SERVERS.NET Zone . . . . . . . . . . . . . . . .  31
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  33
1.  Introduction

   In the DNS, a zone is the collection of authoritative resource
   records (RRs) sharing a common origin ([RFC8499]).  Zones are often
   stored as files on disk in the so-called master file format
   [RFC1034].  Zones are generally distributed among name servers using
   the AXFR [RFC5936], and IXFR [RFC1995] protocols.  Zone files can
   also be distributed outside of the DNS, with such protocols as FTP,
   HTTP, rsync, and even via email.  Currently there is no standard way
[skipping to change at page 18, line 23]

   o  Verify the zone digest from an input zone.

   o  Output the ZONEMD record in its defined presentation format.

   This implementation does not:

   o  Re-compute DNSSEC signature over the ZONEMD record.

   o  Perform DNSSEC validation of the ZONEMD record.
10.3. NIC Chile Labs Implementation
NIC Chile Labs wrote an implementation of this specification as part
of "dns-tools" suite [DnsTools], which besides digesting, can also
sign and verify zones. This implementation is in Go and is able to
perform the following functions:
o Compute zone digest over signed zone and update the ZONEMD record.
o Verify the zone digest from an input zone.
o Perform DNSSEC validation of the ZONEMD record during
verification.
o Re-compute DNSSEC signature over the ZONEMD record.
11.  Change Log

   RFC Editor: Please remove this section.

   This section lists substantial changes to the document as it is being
   worked on.

   From -00 to -01:

   o  Removed requirement to sort by RR CLASS.

[skipping to change at page 23, line 21]

   From -05 to -06:

   o  Per WG suggestion, no longer include any apex ZONEMD record in
      digest calculation.

   o  Updated examples in the appendix.

   o  Clarified verification procedure by describing a loop over all
      ZONEMD RRs.
From -06 to -07:
o Added NIC Chile Labs implementation.
12.  References

12.1.  Normative References

   [RFC1034]  Mockapetris, P., "Domain names - concepts and facilities",
              STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987,
              <https://www.rfc-editor.org/info/rfc1034>.

   [RFC1035]  Mockapetris, P., "Domain names - implementation and
              specification", STD 13, RFC 1035, DOI 10.17487/RFC1035,
[skipping to change at page 24, line 15]
   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

12.2.  Informative References

   [CZDS]     Internet Corporation for Assigned Names and Numbers,
              "Centralized Zone Data Service", October 2018,
              <https://czds.icann.org/>.
[DnsTools]
NIC Chile Labs, "DNS tools for zone signature (file,
pkcs11-hsm) and validation, and zone digest (ZONEMD)",
April 2020, <https://github.com/niclabs/dns-tools>.
   [InterNIC]
              ICANN, "InterNIC FTP site", May 2018,
              <ftp://ftp.internic.net/domain/>.

   [ldns-zone-digest]
              Verisign, "Implementation of Message Digests for DNS Zones
              using the ldns library", July 2018,
              <https://github.com/verisign/ldns-zone-digest>.

   [RFC1995]  Ohta, M., "Incremental Zone Transfer in DNS", RFC 1995,