draft-ietf-dnsop-kskroll-sentinel-07.txt   draft-ietf-dnsop-kskroll-sentinel-08.txt 
DNSOP G. Huston DNSOP G. Huston
Internet-Draft J. Damas Internet-Draft J. Damas
Intended status: Standards Track APNIC Intended status: Standards Track APNIC
Expires: September 21, 2018 W. Kumari Expires: September 25, 2018 W. Kumari
Google Google
March 20, 2018 March 24, 2018
A Sentinel for Detecting Trusted Keys in DNSSEC A Root Key Trust Anchor Sentinel for DNSSEC
draft-ietf-dnsop-kskroll-sentinel-07 draft-ietf-dnsop-kskroll-sentinel-08
Abstract Abstract
The DNS Security Extensions (DNSSEC) were developed to provide origin The DNS Security Extensions (DNSSEC) were developed to provide origin
authentication and integrity protection for DNS data by using digital authentication and integrity protection for DNS data by using digital
signatures. These digital signatures can be verified by building a signatures. These digital signatures can be verified by building a
chain of trust starting from a trust anchor and proceeding down to a chain of trust starting from a trust anchor and proceeding down to a
particular node in the DNS. This document specifies a mechanism that particular node in the DNS. This document specifies a mechanism that
will allow an end user and third parties to determine the trusted key will allow an end user and third parties to determine the trusted key
state for the root key of the resolvers that handle that user's DNS state for the root key of the resolvers that handle that user's DNS
skipping to change at page 2, line 10 skipping to change at page 2, line 10
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 21, 2018. This Internet-Draft will expire on September 25, 2018.
Copyright Notice Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 4, line 45 skipping to change at page 4, line 45
Bob, Charlie, Dave and Ed to be able to perform tests, and also would Bob, Charlie, Dave and Ed to be able to perform tests, and also would
like to be able to perform Internet-wide measurements of what the like to be able to perform Internet-wide measurements of what the
impact will be (and report this back to Alice). impact will be (and report this back to Alice).
Geoff sets an authoritative DNS server for example.com, and also a Geoff sets an authoritative DNS server for example.com, and also a
webserver (www.example.com). He adds three address records to webserver (www.example.com). He adds three address records to
example.com: example.com:
invalid.example.com. IN AAAA 2001:db8::1 invalid.example.com. IN AAAA 2001:db8::1
kskroll-sentinel-is-ta-02323.example.com. IN AAAA 2001:db8::1 root-key-sentinel-is-ta-02323.example.com. IN AAAA 2001:db8::1
kskroll-sentinel-not-ta-02323.example.com. IN AAAA 2001:db8::1 root-key-sentinel-not-ta-02323.example.com. IN AAAA 2001:db8::1
Note that the use of "example.com" names and the addresses here are Note that the use of "example.com" names and the addresses here are
examples. In a real deployment, the domain names need to be under examples. In a real deployment, the domain names need to be under
control of the researcher, and the addresses must be real, reachable control of the researcher, and the addresses must be real, reachable
addresses. addresses.
Geoff then DNSSEC signs the example.com zone, and intentionally makes Geoff then DNSSEC signs the example.com zone, and intentionally makes
the invalid.example.com record invalid/bogus (for example, by editing the invalid.example.com record invalid/bogus (for example, by editing
the signed zone and entering garbage for the signature). Geoff also the signed zone and entering garbage for the signature). Geoff also
configures his webserver to listen on 2001:db8::1 and serve a configures his webserver to listen on 2001:db8::1 and serve a
resource (for example, a 1x1 GIF, 1x1.gif) for all of these names. resource (for example, a 1x1 GIF, 1x1.gif) for all of these names.
The webserver also serves a webpage (www.example.com) which contains The webserver also serves a webpage (www.example.com) which contains
links to these 3 resources (http://invalid.example.com/1x1.gif, links to these 3 resources (http://invalid.example.com/1x1.gif,
http://kskroll-sentinel-is-ta-02323.example.com/1x1.gif, http://root-key-sentinel-is-ta-02323.example.com/1x1.gif,
http://kskroll-sentinel-not-ta-02323.example.com/1x1.gif). http://root-key-sentinel-not-ta-02323.example.com/1x1.gif).
Geoff then asks Bob, Charlie, Dave and Ed to browse to Geoff then asks Bob, Charlie, Dave and Ed to browse to
www.example.com. Using the methods described in this document, the www.example.com. Using the methods described in this document, the
users can figure out what their fate will be when the 11112 KSK is users can figure out what their fate will be when the 11112 KSK is
removed. removed.
Bob is not using a validating resolver. This means that he will be Bob is not using a validating resolver. This means that he will be
able to resolve invalid.example.com (and fetch the 1x1 GIF) - this able to resolve invalid.example.com (and fetch the 1x1 GIF) - this
tells him that the KSK roll does not affect him, and so he will be tells him that the KSK roll does not affect him, and so he will be
OK. OK.
skipping to change at page 5, line 37 skipping to change at page 5, line 37
fetch the http://invalid.example.com/1x1.gif resource (the fetch the http://invalid.example.com/1x1.gif resource (the
invalid.example.com record is bogus, and none of his resolvers will invalid.example.com record is bogus, and none of his resolvers will
resolve it). He is able to fetch both of the other resources - from resolve it). He is able to fetch both of the other resources - from
this he knows (see the logic below) that he is using legacy, this he knows (see the logic below) that he is using legacy,
validating resolvers. The KSK sentinel method cannot provided him validating resolvers. The KSK sentinel method cannot provided him
with a definitive answer to the question of what root trust anchors with a definitive answer to the question of what root trust anchors
this resolver is using. this resolver is using.
Dave's resolvers implement the sentinel method, and have picked up Dave's resolvers implement the sentinel method, and have picked up
the new KSK. For the same reason as Charlie, he cannot fetch the the new KSK. For the same reason as Charlie, he cannot fetch the
"invalid" resource. His resolver resolves the kskroll-sentinel-is- "invalid" resource. His resolver resolves the root-key-sentinel-is-
ta-02323.example.com name normally (it contacts the example.com ta-02323.example.com name normally (it contacts the example.com
authoritative servers, etc); as it supports the sentinel mechanism, authoritative servers, etc); as it supports the sentinel mechanism,
just before Dave's recursive server send the reply to Dave's stub, it just before Dave's recursive server send the reply to Dave's stub, it
performs the KSK Sentinel check (see below). The QNAME starts with performs the KSK Sentinel check (see below). The QNAME starts with
"kskroll-sentinel-is-ta-", and the recursive resolver does indeed "root-key-sentinel-is-ta-", and the recursive resolver does indeed
have a key with the Key Tag of 02323 in its root trust store. This have a key with the Key Tag of 02323 in its root trust store. This
means that that this part of the KSK Sentinel check passes (it is means that that this part of the KSK Sentinel check passes (it is
true that Key Tag 02323 is in the trust anchor store), and the true that Key Tag 02323 is in the trust anchor store), and the
recursive resolver replies normally (with the answer provided by the recursive resolver replies normally (with the answer provided by the
authoritative server). Dave's recursive resolver then resolves the authoritative server). Dave's recursive resolver then resolves the
kskroll-sentinel-not-ta-02323.example.com name. Once again, it root-key-sentinel-not-ta-02323.example.com name. Once again, it
performs the normal resolution process, but because it implements KSK performs the normal resolution process, but because it implements KSK
Sentinel (and the QNAME starts with "kskroll-sentinel-not-ta-"), just Sentinel (and the QNAME starts with "root-key-sentinel-not-ta-"),
before sending the reply, it performs the KSK Sentinel check. As it just before sending the reply, it performs the KSK Sentinel check.
has 02323 in it's trust anchor store, the answer to "is this *not* a As it has 02323 in it's trust anchor store, the answer to "is this
trust anchor" is false, and so the recursive resolver does not reply *not* a trust anchor" is false, and so the recursive resolver does
with the answer from the authoritative server - instead, it replies not reply with the answer from the authoritative server - instead, it
with a SERVFAIL (note that replying with SERVFAIL instead of the replies with a SERVFAIL (note that replying with SERVFAIL instead of
original answer is the only mechanism that KSK Sentinel uses). This the original answer is the only mechanism that KSK Sentinel uses).
means that Dave cannot fetch "invalid", he can fetch "kskroll- This means that Dave cannot fetch "invalid", he can fetch "root-key-
sentinel-is-ta-02323", but he cannot fetch "kskroll-sentinel-not-ta- sentinel-is-ta-02323", but he cannot fetch "root-key-sentinel-not-ta-
02323". From this, Dave knows that he is behind an upgraded, 02323". From this, Dave knows that he is behind an upgraded,
validating resolver, which has successfully installed the new, 02323 validating resolver, which has successfully installed the new, 02323
KSK. KSK.
Just like Charlie and Dave, Ed cannot fetch the "invalid" record. Just like Charlie and Dave, Ed cannot fetch the "invalid" record.
This tells him that his resolvers are validating. When his This tells him that his resolvers are validating. When his
(upgraded) resolver performs the KSK Sentinel check for "kskroll- (upgraded) resolver performs the KSK Sentinel check for "root-key-
sentinel-is-ta-02323", it does *not* have the (new, 02323) KSK in sentinel-is-ta-02323", it does *not* have the (new, 02323) KSK in
it's trust anchor store. This means check fails, and Ed's recursive it's trust anchor store. This means check fails, and Ed's recursive
resolver converts the (valid) answer into a SERVFAIL error response. resolver converts the (valid) answer into a SERVFAIL error response.
It performs the same check for kskroll-sentinel-not-ta- It performs the same check for root-key-sentinel-not-ta-
02323.example.com; as it does not have the 02323 KSK, it is true that 02323.example.com; as it does not have the 02323 KSK, it is true that
this is not a trust anchor for it, and so it replies normally. This this is not a trust anchor for it, and so it replies normally. This
means that Ed cannot fetch the "invalid" resource, he also cannot means that Ed cannot fetch the "invalid" resource, he also cannot
fetch the "kskroll-sentinel-is-ta-02323" resource, but he can fetch fetch the "root-key-sentinel-is-ta-02323" resource, but he can fetch
the "kskroll-sentinel-not-ta-02323" resource. This tells Ed that his the "root-key-sentinel-not-ta-02323" resource. This tells Ed that
resolvers have not installed the new KSK. his resolvers have not installed the new KSK.
Geoff would like to do a large scale test and provide the information Geoff would like to do a large scale test and provide the information
back to Alice. He uses some mechanism such as causing users to go to back to Alice. He uses some mechanism such as causing users to go to
a web page to cause a large number of users to attempt to resolve the a web page to cause a large number of users to attempt to resolve the
three resources, and then analyzes the results of the tests to three resources, and then analyzes the results of the tests to
determine what percentage of users will be affected by the KSK determine what percentage of users will be affected by the KSK
rollover event. rollover event.
The above description is a simplified example - it is not anticipated The above description is a simplified example - it is not anticipated
that Bob, Charlie, Dave and Ed will actually look for the absence or that Bob, Charlie, Dave and Ed will actually look for the absence or
skipping to change at page 7, line 13 skipping to change at page 7, line 13
KSK roll, but not what the user impact of the KSK roll will be. KSK roll, but not what the user impact of the KSK roll will be.
3. Sentinel Mechanism in Resolvers 3. Sentinel Mechanism in Resolvers
DNSSEC-Validating resolvers that implement this mechanism MUST DNSSEC-Validating resolvers that implement this mechanism MUST
perform validation of responses in accordance with the DNSSEC perform validation of responses in accordance with the DNSSEC
response validation specification [RFC4035]. response validation specification [RFC4035].
This sentinel mechanism makes use of two special labels: This sentinel mechanism makes use of two special labels:
o kskroll-sentinel-is-ta-<key-tag> o root-key-sentinel-is-ta-<key-tag>
o kskroll-sentinel-not-ta-<key-tag> o root-key-sentinel-not-ta-<key-tag>
Note that the <key-tag> is specified in the DNS label as unsigned Note that the <key-tag> is specified in the DNS label as unsigned
decimal integer (as described in [RFC4034], section 5.3), but zero- decimal integer (as described in [RFC4034], section 5.3), but zero-
padded to five digits (for example, a Key Tag 42 would be represented padded to five digits (for example, a Key Tag 42 would be represented
in the label as 00042). in the label as 00042).
These labels trigger special processing in the resolver when These labels trigger special processing in the resolver when
responses from authoritative servers are received. Labels containing responses from authoritative servers are received. Labels containing
"kskroll-sentinel-is-ta-<key-tag>" is used to answer the question "Is "root-key-sentinel-is-ta-<key-tag>" is used to answer the question
this the Key Tag a trust anchor which the validating DNS resolver is "Is this the Key Tag a trust anchor which the validating DNS resolver
currently trusting?" Labels containing "kskroll-sentinel-not-ta- is currently trusting?" Labels containing "root-key-sentinel-not-ta-
<key-tag>" is used to answer the question "Is this the Key Tag *not* <key-tag>" is used to answer the question "Is this the Key Tag *not*
a trust anchor which the validating DNS resolver is currently a trust anchor which the validating DNS resolver is currently
trusting?" trusting?"
3.1. Preconditions 3.1. Preconditions
All of the following conditions must be met to trigger special All of the following conditions must be met to trigger special
processing inside resolver code: processing inside resolver code:
o The DNS response is DNSSEC validated and result of validation is o The DNS response is DNSSEC validated and result of validation is
"Secure" "Secure"
o The QTYPE is either A or AAAA (Query Type value 1 or 28) o The QTYPE is either A or AAAA (Query Type value 1 or 28)
o The OPCODE is QUERY o The OPCODE is QUERY
o The leftmost label of the QNAME is either "kskroll-sentinel-is-ta- o The leftmost label of the QNAME is either "root-key-sentinel-is-
<key-tag>" or "kskroll-sentinel-not-ta-<key-tag>" ta-<key-tag>" or "root-key-sentinel-not-ta-<key-tag>"
If any one of the preconditions is not met, the resolver MUST NOT If any one of the preconditions is not met, the resolver MUST NOT
alter the DNS response based on the mechanism in this document. alter the DNS response based on the mechanism in this document.
3.2. Special processing 3.2. Special processing
Responses which fullfill all of the preconditions in Section 3.1 Responses which fullfill all of the preconditions in Section 3.1
require special processing, depending on leftmost label in the QNAME. require special processing, depending on leftmost label in the QNAME.
First, the resolver determines if the numerical value of <key-tag> is First, the resolver determines if the numerical value of <key-tag> is
skipping to change at page 8, line 49 skipping to change at page 8, line 49
their DNS resolution system, and, in particular, whether or not they their DNS resolution system, and, in particular, whether or not they
are using one or more validating DNS resolvers that use a particular are using one or more validating DNS resolvers that use a particular
trust anchor for the root zone. trust anchor for the root zone.
The critical aspect of the DNS names used in this mechanism is that The critical aspect of the DNS names used in this mechanism is that
they contain the specified label for either the positive and negative they contain the specified label for either the positive and negative
test as the left-most label in the query name. test as the left-most label in the query name.
The sentinel detection process uses a test with three query names: The sentinel detection process uses a test with three query names:
o A query name containing the left-most label "kskroll-sentinel-is- o A query name containing the left-most label "root-key-sentinel-is-
ta-<key-tag>". This corresponds to a a validly-signed RRset in ta-<key-tag>". This corresponds to a a validly-signed RRset in
the zone, so that responses associated with queried names in this the zone, so that responses associated with queried names in this
zone can be authenticated by a DNSSEC-validating resolver. Any zone can be authenticated by a DNSSEC-validating resolver. Any
validly-signed DNS zone can be used for this test. validly-signed DNS zone can be used for this test.
o A query name containing the left-most label "kskroll-sentinel-not- o A query name containing the left-most label "root-key-sentinel-
ta-<key-tag>". This is also a validly-signed name. Any validly- not-ta-<key-tag>". This is also a validly-signed name. Any
signed DNS zone can be used for this test. validly-signed DNS zone can be used for this test.
o A query name that is signed with a DNSSEC signature that cannot be o A query name that is signed with a DNSSEC signature that cannot be
validated (such as if the corresponding RRset is not signed with a validated (such as if the corresponding RRset is not signed with a
valid RRSIG record). valid RRSIG record).
The responses received from queries to resolve each of these names The responses received from queries to resolve each of these names
would allow us to infer a trust key state of the resolution would allow us to infer a trust key state of the resolution
environment. The techniques describes in this document rely on environment. The techniques describes in this document rely on
(DNSSEC validating) resolvers responding with SERVFAIL to valid (DNSSEC validating) resolvers responding with SERVFAIL to valid
answers. Note that a slew of other issues can also cause SERVFAIL answers. Note that a slew of other issues can also cause SERVFAIL
responses, and so the sentinel processing may sometimes result in responses, and so the sentinel processing may sometimes result in
incorrect conclusions. incorrect conclusions.
To describe this process of classification, we can classify resolvers To describe this process of classification, we can classify resolvers
into four distinct behavior types, for which we will use the labels: into four distinct behavior types, for which we will use the labels:
"Vnew", "Vold", "Vleg", and "nonV". These labels correspond to "Vnew", "Vold", "Vleg", and "nonV". These labels correspond to
resolver behaviour types as follows: resolver behaviour types as follows:
Vnew: A DNSSEC-Validating resolver that is configured to implement Vnew: A DNSSEC-Validating resolver that is configured to implement
this mechanism has loaded the nominated key into its local trusted this mechanism has loaded the nominated key into its local trusted
key store will respond with an A or AAAA RRset response for key store will respond with an A or AAAA RRset response for "root-
"kskroll-sentinel-is-ta" queries, SERVFAIL for "kskroll-sentinel- key-sentinel-is-ta" queries, SERVFAIL for "root-key-sentinel-not-
not-ta" queries and SERVFAIL for the invalidly signed name ta" queries and SERVFAIL for the invalidly signed name queries.
queries.
Vold: A DNSSEC-Validating resolver that is configured to implement Vold: A DNSSEC-Validating resolver that is configured to implement
this mechanism that has not loaded the nominated key into its this mechanism that has not loaded the nominated key into its
local trusted key store will respond with an SERVFAIL for local trusted key store will respond with an SERVFAIL for "root-
"kskroll-sentinel-is-ta" queries, an A or AAAA RRset response for key-sentinel-is-ta" queries, an A or AAAA RRset response for
"kskroll-sentinel-not-ta" queries and SERVFAIL for the invalidly "root-key-sentinel-not-ta" queries and SERVFAIL for the invalidly
signed name queries. signed name queries.
Vleg: A DNSSEC-Validating resolver that does not implement this Vleg: A DNSSEC-Validating resolver that does not implement this
mechanism will respond with an A or AAAA RRset response for mechanism will respond with an A or AAAA RRset response for "root-
"kskroll-sentinel-is-ta", an A or AAAA RRset response for key-sentinel-is-ta", an A or AAAA RRset response for "root-key-
"kskroll-sentinel-not-ta" and SERVFAIL for the invalid name. sentinel-not-ta" and SERVFAIL for the invalid name.
nonV: A non-DNSSEC-Validating resolver will respond with an A or nonV: A non-DNSSEC-Validating resolver will respond with an A or
AAAA record response for "kskroll-sentinel-is-ta", an A record AAAA record response for "root-key-sentinel-is-ta", an A record
response for "kskroll-sentinel-not-ta" and an A or AAAA RRset response for "root-key-sentinel-not-ta" and an A or AAAA RRset
response for the invalid name. response for the invalid name.
Given the clear delineation amongst these three cases, if a client Given the clear delineation amongst these three cases, if a client
directs these three queries to a simple resolver, the variation in directs these three queries to a simple resolver, the variation in
response to the three queries should allow the client to determine response to the three queries should allow the client to determine
the category of the resolver, and if it supports this mechanism, the category of the resolver, and if it supports this mechanism,
whether or not it has a particular key in its trust anchor store. whether or not it has a particular key in its trust anchor store.
Query Query
+----------+-----------+------------+ +----------+-----------+------------+
skipping to change at page 12, line 50 skipping to change at page 12, line 50
resolver, identified a number of places where it wasn't clear, and resolver, identified a number of places where it wasn't clear, and
provided very helpful text to address this. provided very helpful text to address this.
10. Change Log 10. Change Log
RFC Editor: Please remove this section! RFC Editor: Please remove this section!
Note that this document is being worked on in GitHub - see Abstract. Note that this document is being worked on in GitHub - see Abstract.
The below is mainly large changes, and is not authoritative. The below is mainly large changes, and is not authoritative.
From -07 to -06 From -08 to -07:
o Changed title from "A Sentinel for Detecting Trusted Keys in
DNSSEC" to "A Root Key Trust Anchor Sentinel for DNSSEC".
o Changed magic string from "kskroll-sentinel-" to "root-key-
sentinel-" -- this time for sure, Rocky!
From -07 to -06:
o Addressed GitHub PR #14: Clarifications regarding caching and o Addressed GitHub PR #14: Clarifications regarding caching and
SERVFAIL responses SERVFAIL responses
o Addressed GitHub PR #12, #13: Clarify situation with multiple o Addressed GitHub PR #12, #13: Clarify situation with multiple
resolvers, Fix editorial nits. resolvers, Fix editorial nits.
From -05 to -06: From -05 to -06:
o Paul improved my merging of Petr's text to make it more readable. o Paul improved my merging of Petr's text to make it more readable.
Minor change, but this is just before the cut-off, so I wanted it Minor change, but this is just before the cut-off, so I wanted it
 End of changes. 25 change blocks. 
50 lines changed or deleted 58 lines changed or added

This html diff was produced by rfcdiff 1.46. The latest version is available from http://tools.ietf.org/tools/rfcdiff/