draft-ietf-dnsop-rfc2845bis-00.txt   draft-ietf-dnsop-rfc2845bis-01.txt 
Internet Engineering Task Force F. Dupont, Ed. Internet Engineering Task Force F. Dupont
Internet-Draft S. Morris Internet-Draft S. Morris
Obsoletes: 2845, 4635 (if approved) ISC Obsoletes: 2845, 4635 (if approved) ISC
Intended status: Standards Track July 17, 2018 Intended status: Standards Track P. Vixie
Expires: January 18, 2019 Expires: April 18, 2019 Farsight
D. Eastlake 3rd
Huawei
O. Gudmundsson
CloudFlare
B. Wellington
Akamai
October 15, 2018
Secret Key Transaction Authentication for DNS (TSIG) Secret Key Transaction Authentication for DNS (TSIG)
draft-ietf-dnsop-rfc2845bis-00 draft-ietf-dnsop-rfc2845bis-01
Abstract Abstract
This protocol allows for transaction level authentication using This protocol allows for transaction level authentication using
shared secrets and one way hashing. It can be used to authenticate shared secrets and one way hashing. It can be used to authenticate
dynamic updates as coming from an approved client, or to authenticate dynamic updates as coming from an approved client, or to authenticate
responses as coming from an approved name server. responses as coming from an approved name server.
No provision has been made here for distributing the shared secrets: No provision has been made here for distributing the shared secrets.
it is expected that a network administrator will statically configure
name servers and clients using some out of band mechanism.
This document includes revised original TSIG specifications (RFC2845) This document includes revised original TSIG specifications (RFC2845)
and its extension for HMAC-SHA (RFC4635). and its extension for HMAC-SHA (RFC4635).
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 18, 2019. This Internet-Draft will expire on April 18, 2019.
Copyright Notice Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 28 skipping to change at page 2, line 36
the copyright in such materials, this document may not be modified the copyright in such materials, this document may not be modified
outside the IETF Standards Process, and derivative works of it may outside the IETF Standards Process, and derivative works of it may
not be created outside the IETF Standards Process, except to format not be created outside the IETF Standards Process, except to format
it for publication as an RFC or to translate it into languages other it for publication as an RFC or to translate it into languages other
than English. than English.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Key words . . . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Key words . . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. New Assigned Numbers . . . . . . . . . . . . . . . . . . . . 4 3. New Assigned Numbers . . . . . . . . . . . . . . . . . . . . 5
4. TSIG RR Format . . . . . . . . . . . . . . . . . . . . . . . 5 4. TSIG RR Format . . . . . . . . . . . . . . . . . . . . . . . 5
4.1. TSIG RR Type . . . . . . . . . . . . . . . . . . . . . . 5 4.1. TSIG RR Type . . . . . . . . . . . . . . . . . . . . . . 5
4.2. TSIG Calculation . . . . . . . . . . . . . . . . . . . . 5 4.2. TSIG Calculation . . . . . . . . . . . . . . . . . . . . 5
4.3. TSIG Record Format . . . . . . . . . . . . . . . . . . . 5 4.3. TSIG Record Format . . . . . . . . . . . . . . . . . . . 5
4.4. Example . . . . . . . . . . . . . . . . . . . . . . . . . 7 4.4. Example . . . . . . . . . . . . . . . . . . . . . . . . . 7
5. Protocol Operation . . . . . . . . . . . . . . . . . . . . . 7 5. Protocol Operation . . . . . . . . . . . . . . . . . . . . . 7
5.1. Effects of adding TSIG to outgoing message . . . . . . . 7 5.1. Effects of adding TSIG to outgoing message . . . . . . . 8
5.2. TSIG processing on incoming messages . . . . . . . . . . 8 5.2. TSIG processing on incoming messages . . . . . . . . . . 8
5.3. Time values used in TSIG calculations . . . . . . . . . . 8 5.3. Time values used in TSIG calculations . . . . . . . . . . 8
5.4. TSIG Variables and Coverage . . . . . . . . . . . . . . . 8 5.4. TSIG Variables and Coverage . . . . . . . . . . . . . . . 9
5.4.1. DNS Message . . . . . . . . . . . . . . . . . . . . . 9 5.4.1. DNS Message . . . . . . . . . . . . . . . . . . . . . 9
5.4.2. TSIG Variables . . . . . . . . . . . . . . . . . . . 9 5.4.2. TSIG Variables . . . . . . . . . . . . . . . . . . . 9
5.4.3. Request MAC . . . . . . . . . . . . . . . . . . . . . 9 5.4.3. Request MAC . . . . . . . . . . . . . . . . . . . . . 10
5.5. Padding . . . . . . . . . . . . . . . . . . . . . . . . . 10 5.5. Component Padding . . . . . . . . . . . . . . . . . . . . 10
6. Protocol Details . . . . . . . . . . . . . . . . . . . . . . 10 6. Protocol Details . . . . . . . . . . . . . . . . . . . . . . 10
6.1. TSIG generation on requests . . . . . . . . . . . . . . . 10 6.1. TSIG generation on requests . . . . . . . . . . . . . . . 10
6.2. TSIG on Answers . . . . . . . . . . . . . . . . . . . . . 10 6.2. TSIG on Answers . . . . . . . . . . . . . . . . . . . . . 10
6.3. TSIG on TSIG Error returns . . . . . . . . . . . . . . . 10 6.3. TSIG on TSIG Error returns . . . . . . . . . . . . . . . 11
6.4. TSIG on zone tranfer over a TCP connection . . . . . . . 11 6.4. TSIG on zone transfer over a TCP connection . . . . . . . 11
6.5. Server TSIG checks . . . . . . . . . . . . . . . . . . . 11 6.5. Server TSIG checks . . . . . . . . . . . . . . . . . . . 12
6.5.1. Key check and error handling . . . . . . . . . . . . 11 6.5.1. Key check and error handling . . . . . . . . . . . . 12
6.5.2. Specifying Truncation . . . . . . . . . . . . . . . . 12 6.5.2. MAC check and error handling . . . . . . . . . . . . 12
6.5.3. MAC check and error handling . . . . . . . . . . . . 12 6.5.3. Time check and error handling . . . . . . . . . . . . 13
6.5.4. Time check and error handling . . . . . . . . . . . . 13 6.5.4. Truncation check and error handling . . . . . . . . . 13
6.5.5. Truncation check and error handling . . . . . . . . . 13
6.6. Client processing of answer . . . . . . . . . . . . . . . 13 6.6. Client processing of answer . . . . . . . . . . . . . . . 13
6.6.1. Key error handling . . . . . . . . . . . . . . . . . 13 6.6.1. Key error handling . . . . . . . . . . . . . . . . . 14
6.6.2. MAC error handling . . . . . . . . . . . . . . . . . 14 6.6.2. MAC error handling . . . . . . . . . . . . . . . . . 14
6.6.3. Time error handling . . . . . . . . . . . . . . . . . 14 6.6.3. Time error handling . . . . . . . . . . . . . . . . . 14
6.6.4. Truncation error handling . . . . . . . . . . . . . . 14 6.6.4. Truncation error handling . . . . . . . . . . . . . . 14
6.7. Special considerations for forwarding servers . . . . . . 14 6.7. Special considerations for forwarding servers . . . . . . 15
7. Algorithms and Identifiers . . . . . . . . . . . . . . . . . 14 7. Algorithms and Identifiers . . . . . . . . . . . . . . . . . 15
8. TSIG Truncation Policy . . . . . . . . . . . . . . . . . . . 15 8. TSIG Truncation Policy . . . . . . . . . . . . . . . . . . . 16
9. Shared Secrets . . . . . . . . . . . . . . . . . . . . . . . 16 9. Shared Secrets . . . . . . . . . . . . . . . . . . . . . . . 17
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 17
11. Security Considerations . . . . . . . . . . . . . . . . . . . 17 11. Security Considerations . . . . . . . . . . . . . . . . . . . 18
11.1. Issue fixed in this document . . . . . . . . . . . . . . 18 11.1. Issue fixed in this document . . . . . . . . . . . . . . 19
11.2. Why not DNSSEC? . . . . . . . . . . . . . . . . . . . . 18 11.2. Why not DNSSEC? . . . . . . . . . . . . . . . . . . . . 19
12. References . . . . . . . . . . . . . . . . . . . . . . . . . 19 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 20
12.1. Normative References . . . . . . . . . . . . . . . . . . 19 12.1. Normative References . . . . . . . . . . . . . . . . . . 20
12.2. Informative References . . . . . . . . . . . . . . . . . 20 12.2. Informative References . . . . . . . . . . . . . . . . . 20
Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . 21 Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . 22
Appendix B. Change History . . . . . . . . . . . . . . . . . . . 22 Appendix B. Change History (to be removed before publication) . 23
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 23 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 24
1. Introduction 1. Introduction
In 2017, security problems in two nameservers strictly following
[RFC2845] and [RFC4635] (i.e., TSIG and its HMAC-SHA extension)
specifications were discovered. The implementations were fixed but,
to avoid similar problems in the future, the two documents were
updated and merged, producing these revised specifications for TSIG.
The Domain Name System (DNS) [RFC1034], [RFC1035] is a replicated The Domain Name System (DNS) [RFC1034], [RFC1035] is a replicated
hierarchical distributed database system that provides information hierarchical distributed database system that provides information
fundamental to Internet operations, such as name <=> address fundamental to Internet operations, such as name <=> address
translation and mail handling information. translation and mail handling information.
In 2017, security problems in two nameservers strictly following
[RFC2845] and [RFC4635] (i.e., TSIG and its HMAC-SHA extension)
specifications were discovered. The implementations were fixed but,
to avoid similar problems in the future, the two documents were
updated and merged, producing this revised specification for TSIG.
This document specifies use of a message authentication code (MAC), This document specifies use of a message authentication code (MAC),
either HMAC-MD5 or HMAC-SHA (keyed hash functions), to provide an either HMAC-MD5 or HMAC-SHA (keyed hash functions), to provide an
efficient means of point-to-point authentication and integrity efficient means of point-to-point authentication and integrity
checking for transactions. checking for DNS transactions.
The second area where the secret key based MACs specified in this The second area where the secret key based MACs specified in this
document can be used is to authenticate DNS update requests as well document can be used is to authenticate DNS update requests as well
as transaction responses, providing a lightweight alternative to the as transaction responses, providing a lightweight alternative to the
protocol described by [RFC3007]. protocol described by [RFC3007].
A further use of this mechanism is to protect zone transfers. In A further use of this mechanism is to protect zone transfers. In
this case the data covered would be the whole zone transfer including this case the data covered would be the whole zone transfer including
any glue records sent. The protocol described by DNSSEC does not any glue records sent. The protocol described by DNSSEC does not
protect glue records and unsigned records unless SIG(0) (transaction protect glue records and unsigned records unless SIG(0) (transaction
skipping to change at page 4, line 27 skipping to change at page 4, line 33
many resolvers on hosts that only talk to a few recursive servers. many resolvers on hosts that only talk to a few recursive servers.
A server acting as an indirect caching resolver -- a "forwarder" in A server acting as an indirect caching resolver -- a "forwarder" in
common usage -- might use transaction-based authentication when common usage -- might use transaction-based authentication when
communicating with its small number of preconfigured "upstream" communicating with its small number of preconfigured "upstream"
servers. Other uses of DNS secret key authentication and possible servers. Other uses of DNS secret key authentication and possible
systems for automatic secret key distribution may be proposed in systems for automatic secret key distribution may be proposed in
separate future documents. separate future documents.
Note that use of TSIG presumes prior agreement between the two Note that use of TSIG presumes prior agreement between the two
parties involved (e.g., resolver and server) as to the algorithm and parties involved (e.g., resolver and server) as to any algorithm and
key to be used. key to be used.
Since the publication of first version of this document ([RFC2845]) a Since the publication of first version of this document ([RFC2845]) a
mechanism based on asymmetric signatures using the SIG RR was mechanism based on asymmetric signatures using the SIG RR was
specified (SIG(0) [RFC2931]) whereas this document uses symmetric specified (SIG(0) [RFC2931]) whereas this document uses symmetric
authentication codes calculated by HMAC [RFC2104] using strong hash authentication codes calculated by HMAC [RFC2104] using strong hash
functions. functions.
2. Key words 2. Key words
skipping to change at page 5, line 5 skipping to change at page 5, line 14
3. New Assigned Numbers 3. New Assigned Numbers
RRTYPE = TSIG (250) RRTYPE = TSIG (250)
ERROR = 0..15 (a DNS RCODE) ERROR = 0..15 (a DNS RCODE)
ERROR = 16 (BADSIG) ERROR = 16 (BADSIG)
ERROR = 17 (BADKEY) ERROR = 17 (BADKEY)
ERROR = 18 (BADTIME) ERROR = 18 (BADTIME)
ERROR = 22 (BADTRUNC) ERROR = 22 (BADTRUNC)
(See [RFC6895] Section 2.3 concerning the assignment of the value 16
to BADSIG.)
4. TSIG RR Format 4. TSIG RR Format
4.1. TSIG RR Type 4.1. TSIG RR Type
To provide secret key authentication, we use a new RR type whose To provide secret key authentication, we use a new RR type whose
mnemonic is TSIG and whose type code is 250. TSIG is a meta-RR and mnemonic is TSIG and whose type code is 250. TSIG is a meta-RR and
MUST NOT be cached. TSIG RRs are used for authentication between DNS MUST NOT be cached. TSIG RRs are used for authentication between DNS
entities that have established a shared secret key. TSIG RRs are entities that have established a shared secret key. TSIG RRs are
dynamically computed to cover a particular DNS transaction and are dynamically computed to cover a particular DNS transaction and are
not DNS RRs in the usual sense. not DNS RRs in the usual sense.
4.2. TSIG Calculation 4.2. TSIG Calculation
As the TSIG RRs are related to one DNS request/response, there is no As the TSIG RRs are related to one DNS request/response, there is no
value in storing or retransmitting them, thus the TSIG RR is value in storing or retransmitting them, thus the TSIG RR is
discarded once it has been used to authenticate a DNS message. discarded once it has been used to authenticate a DNS message.
Recommendations concerning the message digest agorithm can be found Recommendations concerning the message digest algorithm can be found
in Section 7. All multi-octet integers in the TSIG record are sent in Section 7. All multi-octet integers in the TSIG record are sent
in network byte order (see [RFC1035] 2.3.2). in network byte order (see [RFC1035] 2.3.2).
4.3. TSIG Record Format 4.3. TSIG Record Format
NAME The name of the key used in domain name syntax. The name NAME The name of the key used in domain name syntax. The name
should reflect the names of the hosts and uniquely identify the should reflect the names of the hosts and uniquely identify the
key among a set of keys these two hosts may share at any given key among a set of keys these two hosts may share at any given
time. If hosts A.site.example and B.example.net share a key, time. If hosts A.site.example and B.example.net share a key,
possibilities for the key name include <id>.A.site.example, possibilities for the key name include <id>.A.site.example,
skipping to change at page 6, line 35 skipping to change at page 6, line 47
| Other Len | / | Other Len | /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Other Data / +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Other Data /
/ / / /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The contents of the RDATA fields are: The contents of the RDATA fields are:
* Algorithm Name - identifies the TSIG algorithm name in the * Algorithm Name - identifies the TSIG algorithm name in the
domain name syntax. domain name syntax.
* Time Signed - the The Time Signed field specifies seconds * Time Signed - time signed as seconds since 00:00 on
since 00:00 on 1970-01-01 UTC. 1970-01-01 UTC ignoring leap seconds.
* Fudge - specifies allowed time difference in seconds * Fudge - specifies the allowed time difference in seconds
permitted in the Time Signed field. permitted in the Time Signed field.
* MAC Size - the MAC Size field specifies the length of MAC * MAC Size - the length of MAC field in octets. Truncation is
field in octets. Truncation is indicated by a MAC size less indicated by a MAC size less than the size of the keyed hash
than the HMAC size. produced by the algorithm specified by the Algorithm Name.
* MAC - the contents of the MAC field are defined by the TSIG * MAC - the contents of this field are defined by the TSIG
algorithm used. algorithm used, possibly truncated as specified by MAC Size.
* Error - contains the expanded RCODE covering TSIG * Error - contains the expanded RCODE covering TSIG
processing. processing.
* Other Len - specifies the length of the "Other Data" field * Other Len - specifies the length of the "Other Data" field
in octets. in octets.
* Other Data - this field will be empty unless the content of * Other Data - this field will be empty unless the content of
the Error field is BADTIME, in which case it will contain the Error field is BADTIME, in which case it will contain
the server's current time (see Section 6.5.4). the server's current time (see Section 6.5.3).
4.4. Example 4.4. Example
NAME HOST.EXAMPLE. NAME HOST.EXAMPLE.
TYPE TSIG TYPE TSIG
CLASS ANY CLASS ANY
TTL 0 TTL 0
skipping to change at page 8, line 11 skipping to change at page 8, line 22
of only the question and a TSIG record, and has the TC bit set and of only the question and a TSIG record, and has the TC bit set and
RCODE 0 (NOERROR). The client SHOULD at this point retry the request RCODE 0 (NOERROR). The client SHOULD at this point retry the request
using TCP (per [RFC1035] 4.2.2). using TCP (per [RFC1035] 4.2.2).
5.2. TSIG processing on incoming messages 5.2. TSIG processing on incoming messages
If an incoming message contains a TSIG record, it MUST be the last If an incoming message contains a TSIG record, it MUST be the last
record in the additional section. Multiple TSIG records are not record in the additional section. Multiple TSIG records are not
allowed. If a TSIG record is present in any other position, the DNS allowed. If a TSIG record is present in any other position, the DNS
message is dropped and a response with RCODE 1 (FORMERR) MUST be message is dropped and a response with RCODE 1 (FORMERR) MUST be
returned. Upon receipt of a message with a correctly placed TSIG RR, returned. Upon receipt of a message with exactly one correctly
the TSIG RR is copied to a safe location, removed from the DNS placed TSIG RR, the TSIG RR is copied to a safe location, removed
Message, and decremented out of the DNS message header's ARCOUNT. At from the DNS Message, and decremented out of the DNS message header's
this point the HMAC computation is performed: until this operation ARCOUNT. At this point the keyed hash (HMAC) computation is
concludes that the signature is valid, the signature MUST be performed.
considered to be invalid.
If the algorithm name or key name is unknown to the recipient, or if If the algorithm name or key name is unknown to the recipient, or if
the MACs do not match, the whole DNS message MUST be discarded. If the MACs do not match, the whole DNS message MUST be discarded. If
the message is a query, a response with RCODE 9 (NOTAUTH) MUST be the message is a query, a response with RCODE 9 (NOTAUTH) MUST be
sent back to the originator with TSIG ERROR 17 (BADKEY) or TSIG ERROR sent back to the originator with TSIG ERROR 17 (BADKEY) or TSIG ERROR
16 (BADSIG). If no key is available to sign this message it MUST be 16 (BADSIG). If no key is available to sign this message it MUST be
sent unsigned (MAC size == 0 and empty MAC). A message to the system sent unsigned (MAC size == 0 and empty MAC). A message to the system
operations log SHOULD be generated, to warn the operations staff of a operations log SHOULD be generated, to warn the operations staff of a
possible security incident in progress. Care should be taken to possible security incident in progress. Care should be taken to
ensure that logging of this type of event does not open the system to ensure that logging of this type of event does not open the system to
a denial of service attack. a denial of service attack.
Until these error checks are successfully passed, concluding that the
signature is valid, the signature MUST be considered to be invalid.
5.3. Time values used in TSIG calculations 5.3. Time values used in TSIG calculations
The data digested includes the two timer values in the TSIG header in The data digested includes the two timer values in the TSIG header in
order to defend against replay attacks. If this were not done, an order to defend against replay attacks. If this were not done, an
attacker could replay old messages but update the "Time Signed" and attacker could replay old messages but update the "Time Signed" and
"Fudge" fields to make the message look new. This data is named "Fudge" fields to make the message look new. This data is named
"TSIG Timers", and for the purpose of MAC calculation they are "TSIG Timers", and for the purpose of MAC calculation they are hashed
invoked in their "on the wire" format, in the following order: first in their "on the wire" format, in the following order: first Time
Time Signed, then Fudge. For example: Signed, then Fudge. For example:
Field Name Value Wire Format Meaning Field Name Value Wire Format Meaning
----------- --------- ----------------- ------------------------ ----------- --------- ----------------- ------------------------
Time Signed 853804800 00 00 32 e4 07 00 Tue Jan 21 00:00:00 1997 Time Signed 853804800 00 00 32 e4 07 00 Tue Jan 21 00:00:00 1997
Fudge 300 01 2C 5 minutes Fudge 300 01 2C 5 minutes
5.4. TSIG Variables and Coverage 5.4. TSIG Variables and Coverage
When generating or verifying the contents of a TSIG record, the When generating or verifying the contents of a TSIG record, the
following data are passed as input to MAC computation, in network following data are passed as input to MAC computation, in network
skipping to change at page 10, line 10 skipping to change at page 10, line 20
instead. (Section 6.3). instead. (Section 6.3).
The request's MAC is digested in wire format, including the following The request's MAC is digested in wire format, including the following
fields: fields:
Field Type Description Field Type Description
---------- ------------ ---------------------- ---------- ------------ ----------------------
MAC Length uint16_t in network byte order MAC Length uint16_t in network byte order
MAC Data octet stream exactly as transmitted MAC Data octet stream exactly as transmitted
5.5. Padding 5.5. Component Padding
Digested components (i.e., inputs to HMAC computation) are fed into Digested components (i.e., inputs to keyed hash computation) are fed
the hashing function as a continuous octet stream with no interfield into the hashing function as a continuous octet stream with no
padding. interfield separator or padding.
6. Protocol Details 6. Protocol Details
6.1. TSIG generation on requests 6.1. TSIG generation on requests
Client performs the HMAC computation and appends a TSIG record to the Client performs the keyed hash (HMAC) computation and appends a TSIG
additional data section and transmits the request to the server. The record to the additional data section and transmits the request to
client MUST store the MAC from the request while awaiting an answer. the server. The client MUST store the MAC from the request while
The digest components for a request are: awaiting an answer. The digest components for a request are:
DNS Message (request) DNS Message (request)
TSIG Variables (request) TSIG Variables (request)
Note that some older name servers will not accept requests with a Note that some older name servers will not accept requests with a
nonempty additional data section. Clients SHOULD only attempt signed nonempty additional data section. Clients SHOULD only attempt signed
transactions with servers who are known to support TSIG and share transactions with servers who are known to support TSIG and share
some secret key with the client -- so, this is not a problem in some algorithm and secret key with the client -- so, this is not a
practice. problem in practice.
6.2. TSIG on Answers 6.2. TSIG on Answers
When a server has generated a response to a signed request, it signs When a server has generated a response to a signed request, it signs
the response using the same algorithm and key. The server MUST NOT the response using the same algorithm and key. The server MUST NOT
generate a signed response to an unsigned request or a request that generate a signed response to a request if either the KEY is invalid
fails validation. The digest components are: or the MAC fails validation. It also MUST NOT not generate a signed
response to an unsigned request, except in the case of a response to
a client's unsigned TKEY request if the secret key is established on
the server side after the server processed the client's request.
Signing responses to unsigned TKEY requests MUST be explicitly
specified in the description of an individual secret key
establishment algorithm [RFC3645].
The digest components are:
Request MAC Request MAC
DNS Message (response) DNS Message (response)
TSIG Variables (response) TSIG Variables (response)
6.3. TSIG on TSIG Error returns 6.3. TSIG on TSIG Error returns
When a server detects an error relating to the key or MAC, the server When a server detects an error relating to the key or MAC, the server
SHOULD send back an unsigned error message (MAC size == 0 and empty SHOULD send back an unsigned error message (MAC size == 0 and empty
MAC). If an error is detected relating to the TSIG validity period MAC). It MUST NOT send back a signed error message.
or the MAC is too short for the local policy, the server SHOULD send
back a signed error message. The digest components are: If an error is detected relating to the TSIG validity period or the
MAC is too short for the local policy, the server SHOULD send back a
signed error message. The digest components are:
Request MAC (if the request MAC validated) Request MAC (if the request MAC validated)
DNS Message (response) DNS Message (response)
TSIG Variables (response) TSIG Variables (response)
The reason that the request is not included in this MAC in some cases The reason that the request is not included in this MAC in some cases
is to make it possible for the client to verify the error. If the is to make it possible for the client to verify the error. If the
error is not a TSIG error the response MUST be generated as specified error is not a TSIG error the response MUST be generated as specified
in Section 6.2. in Section 6.2.
6.4. TSIG on zone tranfer over a TCP connection 6.4. TSIG on zone transfer over a TCP connection
A zone transfer over a DNS TCP session can include multiple DNS A zone transfer over a DNS TCP session can include multiple DNS
messages. Using TSIG on such a connection can protect the connection messages. Using TSIG on such a connection can protect the connection
from hijacking and provide data integrity. The TSIG MUST be included from hijacking and provide data integrity. The TSIG MUST be included
on the first and last DNS messages, and for new implementations on the first and last DNS messages, and SHOULD be placed on all
SHOULD be placed on all intermediary messages. For backward intermediary messages. For backward compatibility, a client which
compatibility the client which receives DNS messages and verifies receives DNS messages and verifies TSIG MUST accept up to 99
TSIG MUST accept up to 99 intermediary messages without a TSIG. The intermediary messages without a TSIG. The first envelope is
first envelope is processed as a standard answer, and subsequent processed as a standard answer, and subsequent messages have the
messages have the following digest components: following digest components:
Prior MAC (running) Prior MAC (running)
DNS Messages (any unsigned messages since the last TSIG) DNS Messages (any unsigned messages since the last TSIG)
TSIG Timers (current message) TSIG Timers (current message)
This allows the client to rapidly detect when the session has been This allows the client to rapidly detect when the session has been
altered; at which point it can close the connection and retry. If a altered; at which point it can close the connection and retry. If a
client TSIG verification fails, the client MUST close the connection. client TSIG verification fails, the client MUST close the connection.
If the client does not receive TSIG records frequently enough (as If the client does not receive TSIG records frequently enough (as
specified above) it SHOULD assume the connection has been hijacked specified above) it SHOULD assume the connection has been hijacked
and it SHOULD close the connection. The client SHOULD treat this the and it SHOULD close the connection. The client SHOULD treat this the
same way as they would any other interrupted transfer (although the same way as they would any other interrupted transfer (although the
exact behavior is not specified). exact behavior is not specified).
6.5. Server TSIG checks 6.5. Server TSIG checks
Upon receipt of a message, server will check if there is a TSIG RR. Upon receipt of a message, server will check if there is a TSIG RR.
If one exists, the server is REQUIRED to return a TSIG RR in the If one exists, the server is REQUIRED to return a TSIG RR in the
skipping to change at page 11, line 44 skipping to change at page 12, line 16
specified above) it SHOULD assume the connection has been hijacked specified above) it SHOULD assume the connection has been hijacked
and it SHOULD close the connection. The client SHOULD treat this the and it SHOULD close the connection. The client SHOULD treat this the
same way as they would any other interrupted transfer (although the same way as they would any other interrupted transfer (although the
exact behavior is not specified). exact behavior is not specified).
6.5. Server TSIG checks 6.5. Server TSIG checks
Upon receipt of a message, server will check if there is a TSIG RR. Upon receipt of a message, server will check if there is a TSIG RR.
If one exists, the server is REQUIRED to return a TSIG RR in the If one exists, the server is REQUIRED to return a TSIG RR in the
response. The server MUST perform the following checks in the response. The server MUST perform the following checks in the
following order, check Key, check MAC, check Time values, check following order, check KEY, check MAC, check TIME values, check
Truncation policy. Truncation policy.
6.5.1. Key check and error handling 6.5.1. Key check and error handling
If a non-forwarding server does not recognize the key used by the If a non-forwarding server does not recognize the key used by the
client, the server MUST generate an error response with RCODE 9 client, the server MUST generate an error response with RCODE 9
(NOTAUTH) and TSIG ERROR 17 (BADKEY). This response MUST be unsigned (NOTAUTH) and TSIG ERROR 17 (BADKEY). This response MUST be unsigned
as specified in Section 6.3. The server SHOULD log the error. as specified in Section 6.3. The server SHOULD log the error.
(Special considerations apply to forwarding servers, see
Section 6.7.)
6.5.2. Specifying Truncation 6.5.2. MAC check and error handling
When space is at a premium and the strength of the full length of an If a TSIG fails to verify, the server MUST generate an error response
HMAC is not needed, it is reasonable to truncate the HMAC and use the as specified in Section 6.3 with RCODE 9 (NOTAUTH) and TSIG ERROR 16
truncated value for authentication. HMAC SHA-1 truncated to 96 bits (BADSIG). This response MUST be unsigned as specified in
is an option available in several IETF protocols, including IPsec and Section 6.3. The server SHOULD log the error.
TLS.
6.5.2.1. Specifying Truncation
When space is at a premium and the strength of the full length of a
MAC is not needed, it is reasonable to truncate the keyed hash and
use the truncated value for authentication. HMAC SHA-1 truncated to
96 bits is an option available in several IETF protocols, including
IPsec and TLS.
Processing of a truncated MAC follows these rules Processing of a truncated MAC follows these rules
1. If "MAC size" field is greater than HMAC output length: 1. If "MAC size" field is greater than keyed hash output length:
This case MUST NOT be generated and, if received, MUST cause the This case MUST NOT be generated and, if received, MUST cause the
DNS message to be dropped and RCODE 1 (FORMERR) to be returned. DNS message to be dropped and RCODE 1 (FORMERR) to be returned.
2. If "MAC size" field equals HMAC output length: 2. If "MAC size" field equals keyed hash output length:
The entire output HMAC output is present and used. The entire output keyed hash output is present and used.
3. "MAC size" field is less than HMAC output length but greater than 3. "MAC size" field is less than keyed hash output length but
that specified in case 4, below: greater than that specified in case 4, below:
This is sent when the signer has truncated the HMAC output to an This is sent when the signer has truncated the keyed hash output
allowable length, as described in [RFC2104], taking initial to an allowable length, as described in [RFC2104], taking initial
octets and discarding trailing octets. TSIG truncation can only octets and discarding trailing octets. TSIG truncation can only
be to an integral number of octets. On receipt of a DNS message be to an integral number of octets. On receipt of a DNS message
with truncation thus indicated, the locally calculated MAC is with truncation thus indicated, the locally calculated MAC is
similarly truncated and only the truncated values are compared similarly truncated and only the truncated values are compared
for authentication. The request MAC used when calculating the for authentication. The request MAC used when calculating the
TSIG MAC for a reply is the truncated request MAC. TSIG MAC for a reply is the truncated request MAC.
4. "MAC size" field is less than the larger of 10 (octets) and half 4. "MAC size" field is less than the larger of 10 (octets) and half
the length of the hash function in use: the length of the hash function in use:
With the exception of certain TSIG error messages described in With the exception of certain TSIG error messages described in
Section 6.3, where it is permitted that the MAC size be zero, Section 6.3, where it is permitted that the MAC size be zero,
this case MUST NOT be generated and, if received, MUST cause the this case MUST NOT be generated and, if received, MUST cause the
DNS message to be dropped and RCODE 1 (FORMERR) to be returned. DNS message to be dropped and RCODE 1 (FORMERR) to be returned.
6.5.3. MAC check and error handling 6.5.3. Time check and error handling
If a TSIG fails to verify, the server MUST generate an error response
as specified in Section 6.3 with RCODE 9 (NOTAUTH) and TSIG ERROR 16
(BADSIG). This response MUST be unsigned as specified in
Section 6.3. The server SHOULD log the error.
6.5.4. Time check and error handling
If the server time is outside the time interval specified by the If the server time is outside the time interval specified by the
request (which is: Time Signed, plus/minus Fudge), the server MUST request (which is: Time Signed, plus/minus Fudge), the server MUST
generate an error response with RCODE 9 (NOTAUTH) and TSIG ERROR 18 generate an error response with RCODE 9 (NOTAUTH) and TSIG ERROR 18
(BADTIME). The server SHOULD also cache the most recent time signed (BADTIME). The server SHOULD also cache the most recent time signed
value in a message generated by a key, and SHOULD return BADTIME if a value in a message generated by a key, and SHOULD return BADTIME if a
message received later has an earlier time signed value. A response message received later has an earlier time signed value. A response
indicating a BADTIME error MUST be signed by the same key as the indicating a BADTIME error MUST be signed by the same key as the
request. It MUST include the client's current time in the time request. It MUST include the client's current time in the time
signed field, the server's current time (a uint48_t) in the other signed field, the server's current time (a uint48_t) in the other
data field, and 6 in the other data length field. This is done so data field, and 6 in the other data length field. This is done so
that the client can verify a message with a BADTIME error without the that the client can verify a message with a BADTIME error without the
verification failing due to another BADTIME error. The data signed verification failing due to another BADTIME error. The data signed
is specified in Section 6.3. The server SHOULD log the error. is specified in Section 6.3. The server SHOULD log the error.
6.5.5. Truncation check and error handling 6.5.4. Truncation check and error handling
If a TSIG is received with truncation that is permitted under If a TSIG is received with truncation that is permitted under
Section 6.5.2 above but the MAC is too short for the local policy in Section 6.5.2.1 above but the MAC is too short for the local policy
force, an RCODE 9 (NOTAUTH) and TSIG ERROR 22 (BADTRUNC) MUST be in force, an RCODE 9 (NOTAUTH) and TSIG ERROR 22 (BADTRUNC) MUST be
returned. The server SHOULD log the error. returned. The server SHOULD log the error.
6.6. Client processing of answer 6.6. Client processing of answer
When a client receives a response from a server and expects to see a When a client receives a response from a server and expects to see a
TSIG, it first checks if the TSIG RR is present in the response. TSIG, it first checks if the TSIG RR is present in the response.
Otherwise, the response is treated as having a format error and Otherwise, the response is treated as having a format error and
discarded. The client then extracts the TSIG, adjusts the ARCOUNT, discarded. The client then extracts the TSIG, adjusts the ARCOUNT,
and calculates the MAC in the same way as the server, applying the and calculates the MAC in the same way as the server, applying the
same rules to decide if truncated MAC is valid. If the TSIG does not same rules to decide if truncated MAC is valid. If the TSIG does not
skipping to change at page 14, line 26 skipping to change at page 14, line 45
(BADTIME), or the current time does not fall in the range specified (BADTIME), or the current time does not fall in the range specified
in the TSIG record, then this is a Time error. This is an indication in the TSIG record, then this is a Time error. This is an indication
that the client and server clocks are not synchronized. In this case that the client and server clocks are not synchronized. In this case
the client SHOULD log the event. DNS resolvers MUST NOT adjust any the client SHOULD log the event. DNS resolvers MUST NOT adjust any
clocks in the client based on BADTIME errors, but the server's time clocks in the client based on BADTIME errors, but the server's time
in the other data field SHOULD be logged. in the other data field SHOULD be logged.
6.6.4. Truncation error handling 6.6.4. Truncation error handling
If the response RCODE is 9 (NOTAUTH) and the TSIG ERROR is 22 If the response RCODE is 9 (NOTAUTH) and the TSIG ERROR is 22
(BADTRUNC) the this is a Truncation error. The client MAY retry with (BADTRUNC) then this is a Truncation error. The client MAY retry
lesser truncation up to the full HMAC output (no truncation), using with a lesser truncation up to the full HMAC output (no truncation),
the truncation used in the response as a hint for what the server using the truncation used in the response as a hint for what the
policy allowed (Section 8). Clients SHOULD log this event. server policy allowed (Section 8). Clients SHOULD log this event.
6.7. Special considerations for forwarding servers 6.7. Special considerations for forwarding servers
A server acting as a forwarding server of a DNS message SHOULD check A server acting as a forwarding server of a DNS message SHOULD check
for the existence of a TSIG record. If the name on the TSIG is not for the existence of a TSIG record. If the name on the TSIG is not
of a secret that the server shares with the originator the server of a secret that the server shares with the originator the server
MUST forward the message unchanged including the TSIG. If the name MUST forward the message unchanged including the TSIG. If the name
of the TSIG is of a key this server shares with the originator, it of the TSIG is of a key this server shares with the originator, it
MUST process the TSIG. If the TSIG passes all checks, the forwarding MUST process the TSIG. If the TSIG passes all checks, the forwarding
server MUST, if possible, include a TSIG of his own, to the server MUST, if possible, include a TSIG of his own, to the
skipping to change at page 15, line 15 skipping to change at page 15, line 36
The use of SHA-1 [FIPS180-4], [RFC3174], (which is a 160-bit hash as The use of SHA-1 [FIPS180-4], [RFC3174], (which is a 160-bit hash as
compared to the 128 bits for MD5), and additional hash algorithms in compared to the 128 bits for MD5), and additional hash algorithms in
the SHA family [FIPS180-4], [RFC3874], [RFC6234] with 224, 256, 384, the SHA family [FIPS180-4], [RFC3874], [RFC6234] with 224, 256, 384,
and 512 bits may be preferred in some cases. This is because and 512 bits may be preferred in some cases. This is because
increasingly successful cryptanalytic attacks are being made on the increasingly successful cryptanalytic attacks are being made on the
shorter hashes. shorter hashes.
Use of TSIG between two DNS agents is by mutual agreement. That Use of TSIG between two DNS agents is by mutual agreement. That
agreement can include the support of additional algorithms and agreement can include the support of additional algorithms and
criteria as to which algorithms and truncations are acceptable, criteria as to which algorithms and truncations are acceptable,
subject to the restriction and guidelines in Section 6.5.2 above. subject to the restriction and guidelines in Section 6.5.2.1 above.
Key agreement can be by the TKEY mechanism [RFC2930] or some other Key agreement can be by the TKEY mechanism [RFC2930] or some other
mutually agreeable method. mutually agreeable method.
The current HMAC-MD5.SIG-ALG.REG.INT and gss-tsig identifiers are The current HMAC-MD5.SIG-ALG.REG.INT and gss-tsig [RFC3645]
included in the table below for convenience. Implementations that identifiers are included in the table below for convenience.
support TSIG MUST also implement HMAC SHA1 and HMAC SHA256 and MAY Implementations that support TSIG MUST also implement HMAC SHA1 and
implement gss-tsig and the other algorithms listed below. HMAC SHA256 and MAY implement gss-tsig and the other algorithms
listed below.
Requirement Name Requirement Name
----------- ------------------------ ----------- ------------------------
Mandatory HMAC-MD5.SIG-ALG.REG.INT Mandatory HMAC-MD5.SIG-ALG.REG.INT
Optional gss-tsig Optional gss-tsig
Mandatory hmac-sha1 Mandatory hmac-sha1
Optional hmac-sha224 Optional hmac-sha224
Mandatory hmac-sha256 Mandatory hmac-sha256
Optional hmac-sha384 Optional hmac-sha384
Optional hmac-sha512 Optional hmac-sha512
SHA-1 truncated to 96 bits (12 octets) SHOULD be implemented. SHA-1 truncated to 96 bits (12 octets) SHOULD be implemented.
8. TSIG Truncation Policy 8. TSIG Truncation Policy
Use of TSIG is by mutual agreement between two DNS agents, e.g., a As noted above, two DNS agents (e.g., resolver and server) must
resolver and server. Implicit in such an "agreement" are criteria as mutually agree to use TSIG. Implicit in such an "agreement" are
to acceptable keys and algorithms and, with the extensions in this criteria as to acceptable keys and algorithms and, with the
document, truncations. Note that it is common for implementations to extensions in this document, truncations. Note that it is common for
bind the TSIG secret key or keys that may be in place at two parties implementations to bind the TSIG secret key or keys that may be in
to particular algorithms. Thus, such implementations only permit the place at two parties to particular algorithms. Thus, such
use of an algorithm if there is an associated key in place. Receipt implementations only permit the use of an algorithm if there is an
of an unknown, unimplemented, or disabled algorithm typically results associated key in place. Receipt of an unknown, unimplemented, or
in a BADKEY error. disabled algorithm typically results in a BADKEY error.
Local policies MAY require the rejection of TSIGs, even though they Local policies MAY require the rejection of TSIGs, even though they
use an algorithm for which implementation is mandatory. use an algorithm for which implementation is mandatory.
When a local policy permits acceptance of a TSIG with a particular When a local policy permits acceptance of a TSIG with a particular
algorithm and a particular non-zero amount of truncation, it SHOULD algorithm and a particular non-zero amount of truncation, it SHOULD
also permit the use of that algorithm with lesser truncation (a also permit the use of that algorithm with lesser truncation (a
longer MAC) up to the full HMAC output. longer MAC) up to the full keyed hash output.
Regardless of a lower acceptable truncated MAC length specified by Regardless of a lower acceptable truncated MAC length specified by
local policy, a reply SHOULD be sent with a MAC at least as long as local policy, a reply SHOULD be sent with a MAC at least as long as
that in the corresponding request. Note if the request specified a that in the corresponding request. Note if the request specified a
MAC length longer than the HMAC output it will be rejected by MAC length longer than the keyed hash output it will be rejected by
processing rules Section 6.5.2 case 1. processing rules Section 6.5.2.1 case 1.
Implementations permitting multiple acceptable algorithms and/or Implementations permitting multiple acceptable algorithms and/or
truncations SHOULD permit this list to be ordered by presumed truncations SHOULD permit this list to be ordered by presumed
strength and SHOULD allow different truncations for the same strength and SHOULD allow different truncations for the same
algorithm to be treated as separate entities in this list. When so algorithm to be treated as separate entities in this list. When so
implemented, policies SHOULD accept a presumed stronger algorithm and implemented, policies SHOULD accept a presumed stronger algorithm and
truncation than the minimum strength required by the policy. truncation than the minimum strength required by the policy.
9. Shared Secrets 9. Shared Secrets
skipping to change at page 16, line 40 skipping to change at page 17, line 25
A name server usually runs privileged, which means its configuration A name server usually runs privileged, which means its configuration
data need not be visible to all users of the host. For this reason, data need not be visible to all users of the host. For this reason,
a host that implements transaction-based authentication should a host that implements transaction-based authentication should
probably be configured with a "stub resolver" and a local caching and probably be configured with a "stub resolver" and a local caching and
forwarding name server. This presents a special problem for forwarding name server. This presents a special problem for
[RFC2136] which otherwise depends on clients to communicate only with [RFC2136] which otherwise depends on clients to communicate only with
a zone's authoritative name servers. a zone's authoritative name servers.
Use of strong random shared secrets is essential to the security of Use of strong random shared secrets is essential to the security of
TSIG. See [RFC4086] for a discussion of this issue. The secret TSIG. See [RFC4086] for a discussion of this issue. The secret
SHOULD be at least as long as the HMAC output, i.e., 16 bytes for SHOULD be at least as long as the keyed hash output, i.e., 16 bytes
HMAC-MD5 or 20 bytes for HMAC-SHA1. for HMAC-MD5 or 20 bytes for HMAC-SHA1.
10. IANA Considerations 10. IANA Considerations
IANA maintains a registry of algorithm names to be used as "Algorithm IANA maintains a registry of algorithm names to be used as "Algorithm
Names" as defined in Section 4.3. Algorithm names are text strings Names" as defined in Section 4.3. Algorithm names are text strings
encoded using the syntax of a domain name. There is no structure encoded using the syntax of a domain name. There is no structure
required other than names for different algorithms must be unique required other than names for different algorithms must be unique
when compared as DNS names, i.e., comparison is case insensitive. when compared as DNS names, i.e., comparison is case insensitive.
Previous specifications [RFC2845] and [RFC4635] defined values for Previous specifications [RFC2845] and [RFC4635] defined values for
HMAC MD5 and SHA. IANA has also registered "gss-tsig" as an HMAC MD5 and SHA. IANA has also registered "gss-tsig" as an
identifier for TSIG authentication where the cryptographic operations identifier for TSIG authentication where the cryptographic operations
are delegated to the Generic Security Service (GSS) [RFC3645]. are delegated to the Generic Security Service (GSS) [RFC3645].
New algorithms are assigned using the IETF Consensus policy defined New algorithms are assigned using the IETF Consensus policy defined
in [RFC8126]. The algorithm name HMAC-MD5.SIG-ALG.REG.INT looks like in [RFC8126]. The algorithm name HMAC-MD5.SIG-ALG.REG.INT looks like
a fully-qualified domain name for historical reasons; other algorithm a fully-qualified domain name for historical reasons; other algorithm
names are simple (i.e., single-component) names. names are simple (i.e., single-component) names.
IANA maintains a registry of "TSIG Error values" to be used for IANA maintains a registry of RCODES (error codes), including "TSIG
"Error" values as defined in Section 4.3. Initial values should be Error values" to be used for "Error" values as defined in
those defined in Section 3. New TSIG error codes for the TSIG error Section 4.3. New error codes are assigned and specified as in
field are assigned using the IETF Consensus policy defined in [RFC6895].
[RFC8126].
11. Security Considerations 11. Security Considerations
The approach specified here is computationally much less expensive The approach specified here is computationally much less expensive
than the signatures specified in DNSSEC. As long as the shared than the signatures specified in DNSSEC. As long as the shared
secret key is not compromised, strong authentication is provided for secret key is not compromised, strong authentication is provided
the last hop from a local name server to the user resolver. between two DNS systems, e.g., for the last hop from a local name
server to the user resolver, or between primary and secondary
nameservers..
Secret keys should be changed periodically. If the client host has Secret keys should be changed periodically. If the client host has
been compromised, the server should suspend the use of all secrets been compromised, the server should suspend the use of all secrets
known to that client. If possible, secrets should be stored in known to that client. If possible, secrets should be stored in
encrypted form. Secrets should never be transmitted in the clear encrypted form. Secrets should never be transmitted in the clear
over any network. This document does not address the issue on how to over any network. This document does not address the issue on how to
distribute secrets. Secrets should never be shared by more than two distribute secrets except that it mentions the possibilities of
entities. manual configuration and the use of TKEY [RFC2930]. Secrets SHOULD
NOT be shared by more than two entities.
This mechanism does not authenticate source data, only its This mechanism does not authenticate source data, only its
transmission between two parties who share some secret. The original transmission between two parties who share some secret. The original
source data can come from a compromised zone master or can be source data can come from a compromised zone master or can be
corrupted during transit from an authentic zone master to some corrupted during transit from an authentic zone master to some
"caching forwarder." However, if the server is faithfully performing "caching forwarder." However, if the server is faithfully performing
the full DNSSEC security checks, then only security checked data will the full DNSSEC security checks, then only security checked data will
be available to the client. be available to the client.
A fudge value that is too large may leave the server open to replay A fudge value that is too large may leave the server open to replay
attacks. A fudge value that is too small may cause failures if attacks. A fudge value that is too small may cause failures if
machines are not time synchronized or there are unexpected network machines are not time synchronized or there are unexpected network
delays. The recommended value in most situation is 300 seconds. delays. The recommended value in most situations is 300 seconds.
For all of the message authentication code algorithms listed in this For all of the message authentication code algorithms listed in this
document, those producing longer values are believed to be stronger; document, those producing longer values are believed to be stronger;
however, while there have been some arguments that mild truncation however, while there have been some arguments that mild truncation
can strengthen a MAC by reducing the information available to an can strengthen a MAC by reducing the information available to an
attacker, excessive truncation clearly weakens authentication by attacker, excessive truncation clearly weakens authentication by
reducing the number of bits an attacker has to try to break the reducing the number of bits an attacker has to try to break the
authentication by brute force [RFC2104]. authentication by brute force [RFC2104].
Significant progress has been made recently in cryptanalysis of hash Significant progress has been made recently in cryptanalysis of hash
skipping to change at page 18, line 19 skipping to change at page 19, line 7
the design of MD4. While the results so far should not effect HMAC, the design of MD4. While the results so far should not effect HMAC,
the stronger SHA-1 and SHA-256 algorithms are being made mandatory the stronger SHA-1 and SHA-256 algorithms are being made mandatory
due to caution. Note that today SHA-3 [FIPS202] is available as an due to caution. Note that today SHA-3 [FIPS202] is available as an
alternative to SHA-2 using a very different design. alternative to SHA-2 using a very different design.
See also the Security Considerations section of [RFC2104] from which See also the Security Considerations section of [RFC2104] from which
the limits on truncation in this RFC were taken. the limits on truncation in this RFC were taken.
11.1. Issue fixed in this document 11.1. Issue fixed in this document
When signing a DNS reply message using TSIG, its MAC computation uses When signing a DNS reply message using TSIG, the MAC computation uses
the request message's MAC as an input to cryptographically relate the the request message's MAC as an input to cryptographically relate the
reply to the request. Unfortunately, the original TSIG specification reply to the request. The original TSIG specification [RFC2845]
[RFC2845] failed to clearly require the request MAC to be required that the TIME values be checked before the request's MAC.
successfully validated before using it. If the TIME was invalid, some implementations failed to carry out
further checks and could use an invalid request MAC in the signed
reply.
This document proposes the principle that the MAC must be considered This document proposes the principle that the request MAC must be
to be invalid until it was validated. This leads to the requirement considered to be invalid until it has been validated: until then, any
that only a validated request MAC is included in a signed answer. Or answer must be unsigned. For this reason, the request MAC is now
with other words when the request MAC was not validated the answer checked before the TIME value.
must be unsigned with a BADKEY or BADSIG TSIG error.
11.2. Why not DNSSEC? 11.2. Why not DNSSEC?
This section from the original document [RFC2845] analyzes DNSSEC in This section from the original document [RFC2845] analyzes DNSSEC in
order to justify the introduction of TSIG. order to justify the introduction of TSIG.
DNS has recently been extended by DNSSEC ([RFC4033], [RFC4034] and DNS has recently been extended by DNSSEC ([RFC4033], [RFC4034] and
[RFC4035]) to provide for data origin authentication, and public key [RFC4035]) to provide for data origin authentication, and public key
distribution, all based on public key cryptography and public key distribution, all based on public key cryptography and public key
based digital signatures. To be practical, this form of security based digital signatures. To be practical, this form of security
skipping to change at page 21, line 35 skipping to change at page 22, line 20
[RFC6234] Eastlake 3rd, D. and T. Hansen, "US Secure Hash Algorithms [RFC6234] Eastlake 3rd, D. and T. Hansen, "US Secure Hash Algorithms
(SHA and SHA-based HMAC and HKDF)", RFC 6234, (SHA and SHA-based HMAC and HKDF)", RFC 6234,
DOI 10.17487/RFC6234, May 2011, DOI 10.17487/RFC6234, May 2011,
<https://www.rfc-editor.org/info/rfc6234>. <https://www.rfc-editor.org/info/rfc6234>.
[RFC6891] Damas, J., Graff, M., and P. Vixie, "Extension Mechanisms [RFC6891] Damas, J., Graff, M., and P. Vixie, "Extension Mechanisms
for DNS (EDNS(0))", STD 75, RFC 6891, for DNS (EDNS(0))", STD 75, RFC 6891,
DOI 10.17487/RFC6891, April 2013, DOI 10.17487/RFC6891, April 2013,
<https://www.rfc-editor.org/info/rfc6891>. <https://www.rfc-editor.org/info/rfc6891>.
[RFC6895] Eastlake 3rd, D., "Domain Name System (DNS) IANA
Considerations", BCP 42, RFC 6895, DOI 10.17487/RFC6895,
April 2013, <https://www.rfc-editor.org/info/rfc6895>.
[RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for
Writing an IANA Considerations Section in RFCs", BCP 26, Writing an IANA Considerations Section in RFCs", BCP 26,
RFC 8126, DOI 10.17487/RFC8126, June 2017, RFC 8126, DOI 10.17487/RFC8126, June 2017,
<https://www.rfc-editor.org/info/rfc8126>. <https://www.rfc-editor.org/info/rfc8126>.
Appendix A. Acknowledgments Appendix A. Acknowledgments
This document just consolidates and updates the earlier documents by This document consolidates and updates the earlier documents by the
the authors of [RFC2845] (Paul Vixie, Olafur Gudmundsson, Donald E. authors of [RFC2845] (Paul Vixie, Olafur Gudmundsson, Donald E.
Eastlake 3rd and Brian Wellington) and [RFC4635] (Donald E. Eastlake Eastlake 3rd and Brian Wellington) and [RFC4635] (Donald E. Eastlake
3rd). It would not be possible without their original work. 3rd). It would not be possible without their original work.
The security problem addressed by this document was reported by The security problem addressed by this document was reported by
Clement Berthaux from Synacktiv. Clement Berthaux from Synacktiv.
Note for the RFC Editor (to be removed before publication): the first Note for the RFC Editor (to be removed before publication): the first
'e' in Clement is a fact a small 'e' with acute, unicode code U+00E9. 'e' in Clement is a fact a small 'e' with acute, unicode code U+00E9.
I do not know if xml2rfc supports non ASCII characters so I prefer to I do not know if xml2rfc supports non ASCII characters so I prefer to
not experiment with it. BTW I am French too too so I can help if you not experiment with it. BTW I am French too so I can help if you
have questions like correct spelling... have questions like correct spelling...
Peter van Dijk, Benno Overeinder, Willem Toroop, Ondrej Sury, Mukund Peter van Dijk, Benno Overeinder, Willem Toroop, Ondrej Sury, Mukund
Sivaraman and Ralph Dolmans participated in the discussions that Sivaraman and Ralph Dolmans participated in the discussions that
prompted this document. prompted this document.
Appendix B. Change History Appendix B. Change History (to be removed before publication)
draft-dupont-dnsop-rfc2845bis-00 draft-dupont-dnsop-rfc2845bis-00
[RFC4635] was merged. [RFC4635] was merged.
Authors of original documents were moved to Acknowledgments Authors of original documents were moved to Acknowledgments
(Appendix A). (Appendix A).
Section 2 was updated to [RFC8174] style. Section 2 was updated to [RFC8174] style.
skipping to change at page 22, line 42 skipping to change at page 23, line 36
Added the security clarifications: Added the security clarifications:
1. Emphasized that MAC is invalid until it is successfully 1. Emphasized that MAC is invalid until it is successfully
validated. validated.
2. Added requirement that a request MAC that has not been 2. Added requirement that a request MAC that has not been
successfully validated MUST NOT be included into a response. successfully validated MUST NOT be included into a response.
3. Added requirement that a request that has not been validated 3. Added requirement that a request that has not been validated
to the MUST NOT generate a signed response. MUST NOT generate a signed response.
4. Added note about MAC too short for the local policy to the 4. Added note about MAC too short for the local policy to
Section 6.3. Section 6.3.
5. Changed the order of server checks and swapped corresponding 5. Changed the order of server checks and swapped corresponding
sections. sections.
6. Removed the truncation size limit "also case" as it does not 6. Removed the truncation size limit "also case" as it does not
apply and added confusion. apply and added confusion.
7. Relocated the error provision for TSIG truncation to the new 7. Relocated the error provision for TSIG truncation to the new
Section 6.5.5. Moved from RCODE 22 to RCODE 9 and TSIG ERROR Section 6.5.4. Moved from RCODE 22 to RCODE 9 and TSIG ERROR
22, i.e., aligned with other TSIG error cases. 22, i.e., aligned with other TSIG error cases.
8. Added Section 6.6.4 about truncation error handling by 8. Added Section 6.6.4 about truncation error handling by
clients. clients.
9. Removed the limit to HMAC output in replies as a request 9. Removed the limit to HMAC output in replies as a request
which specified a MAC length longer than the HMAC output is which specified a MAC length longer than the HMAC output is
invalid according the the first processing rule in invalid according to the first processing rule in
Section 6.5.2. Section 6.5.2.1.
10. Promoted the requirement that a secret length should be at 10. Promoted the requirement that a secret length should be at
least as long as the HMAC output to a SHOULD [RFC2119] key least as long as the HMAC output to a SHOULD [RFC2119] key
word. word.
11. Added a short text to explain the security issue. 11. Added a short text to explain the security issue.
draft-dupont-dnsop-rfc2845bis-01 draft-dupont-dnsop-rfc2845bis-01
Improved wording (post-publication comments). Improved wording (post-publication comments).
Specialized and renamed the "TSIG on TCP connection" (Section 6.4) Specialized and renamed the "TSIG on TCP connection" (Section 6.4)
to "TSIG on zone tranfer over a TCP connection". Added a SHOULD to "TSIG on zone transfer over a TCP connection". Added a SHOULD
for a TSIG in each message (was envelope) for new implementations. for a TSIG in each message (was envelope) for new implementations.
draft-ietf-dnsop-rfc2845bis-00 draft-ietf-dnsop-rfc2845bis-00
Adopted by the IETF DNSOP working group: title updated and version Adopted by the IETF DNSOP working group: title updated and version
counter reseted to 00. counter reset to 00.
Authors' Addresses draft-ietf-dnsop-rfc2845bis-01
Francis Dupont (editor) Relationship between protocol change and principle of assuming the
request MAC is invalid until validated clarified. (Jinmei Tatuya)
Cross reference to considerations for forwarding servers added.
(Bob Harold)
Added text from [RFC3645] concerning the signing behavior if a
secret key is added during a multi-message exchange.
Added reference to [RFC6895].
Many improvements in the wording.
Added RFC 2845 authors as co-authors of this document.
Authors' Addresses
Francis Dupont
Internet Software Consortium Internet Software Consortium
950 Charter Street 950 Charter Street
Redwood City, CA 94063 Redwood City, CA 94063
United States United States of America
Email: Francis.Dupont@fdupont.fr Email: Francis.Dupont@fdupont.fr
Stephen Morris Stephen Morris
Internet Software Consortium Internet Software Consortium
950 Charter Street 950 Charter Street
Redwood City, CA 94063 Redwood City, CA 94063
United States United States of America
Email: stephen@isc.org Email: stephen@isc.org
URI: http://www.isc.org
Paul Vixie
Farsight Security Inc
177 Bovet Road, Suite 180
San Mateo, CA 94402
United States of America
Email: paul@redbarn.org
Donald E. Eastlake 3rd
Huawei Technologies
155 Beaver Street
Milford, MA 01753
United States of America
Email: d3e3e3@gmail.com
Olafur Gudmundsson
CloudFlare
San Francisco, CA 94107
United States of America
Email: olafur+ietf@cloudflare.com
Brian Wellington
Akamai
United States of America
Email: bwelling@akamai.com
 End of changes. 78 change blocks. 
166 lines changed or deleted 214 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/