| draft-ietf-dnsop-rfc2845bis-00.txt | draft-ietf-dnsop-rfc2845bis-01.txt | |||
|---|---|---|---|---|
| Internet Engineering Task Force F. Dupont, Ed. | Internet Engineering Task Force F. Dupont | |||
| Internet-Draft S. Morris | Internet-Draft S. Morris | |||
| Obsoletes: 2845, 4635 (if approved) ISC | Obsoletes: 2845, 4635 (if approved) ISC | |||
| Intended status: Standards Track July 17, 2018 | Intended status: Standards Track P. Vixie | |||
| Expires: January 18, 2019 | Expires: April 18, 2019 Farsight | |||
| D. Eastlake 3rd | ||||
| Huawei | ||||
| O. Gudmundsson | ||||
| CloudFlare | ||||
| B. Wellington | ||||
| Akamai | ||||
| October 15, 2018 | ||||
| Secret Key Transaction Authentication for DNS (TSIG) | Secret Key Transaction Authentication for DNS (TSIG) | |||
| draft-ietf-dnsop-rfc2845bis-00 | draft-ietf-dnsop-rfc2845bis-01 | |||
| Abstract | Abstract | |||
| This protocol allows for transaction level authentication using | This protocol allows for transaction level authentication using | |||
| shared secrets and one way hashing. It can be used to authenticate | shared secrets and one way hashing. It can be used to authenticate | |||
| dynamic updates as coming from an approved client, or to authenticate | dynamic updates as coming from an approved client, or to authenticate | |||
| responses as coming from an approved name server. | responses as coming from an approved name server. | |||
| No provision has been made here for distributing the shared secrets: | No provision has been made here for distributing the shared secrets. | |||
| it is expected that a network administrator will statically configure | ||||
| name servers and clients using some out of band mechanism. | ||||
| This document includes revised original TSIG specifications (RFC2845) | This document includes revised original TSIG specifications (RFC2845) | |||
| and its extension for HMAC-SHA (RFC4635). | and its extension for HMAC-SHA (RFC4635). | |||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on January 18, 2019. | This Internet-Draft will expire on April 18, 2019. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2018 IETF Trust and the persons identified as the | Copyright (c) 2018 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 28 ¶ | skipping to change at page 2, line 36 ¶ | |||
| the copyright in such materials, this document may not be modified | the copyright in such materials, this document may not be modified | |||
| outside the IETF Standards Process, and derivative works of it may | outside the IETF Standards Process, and derivative works of it may | |||
| not be created outside the IETF Standards Process, except to format | not be created outside the IETF Standards Process, except to format | |||
| it for publication as an RFC or to translate it into languages other | it for publication as an RFC or to translate it into languages other | |||
| than English. | than English. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 2. Key words . . . . . . . . . . . . . . . . . . . . . . . . . . 4 | 2. Key words . . . . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 3. New Assigned Numbers . . . . . . . . . . . . . . . . . . . . 4 | 3. New Assigned Numbers . . . . . . . . . . . . . . . . . . . . 5 | |||
| 4. TSIG RR Format . . . . . . . . . . . . . . . . . . . . . . . 5 | 4. TSIG RR Format . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 4.1. TSIG RR Type . . . . . . . . . . . . . . . . . . . . . . 5 | 4.1. TSIG RR Type . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 4.2. TSIG Calculation . . . . . . . . . . . . . . . . . . . . 5 | 4.2. TSIG Calculation . . . . . . . . . . . . . . . . . . . . 5 | |||
| 4.3. TSIG Record Format . . . . . . . . . . . . . . . . . . . 5 | 4.3. TSIG Record Format . . . . . . . . . . . . . . . . . . . 5 | |||
| 4.4. Example . . . . . . . . . . . . . . . . . . . . . . . . . 7 | 4.4. Example . . . . . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 5. Protocol Operation . . . . . . . . . . . . . . . . . . . . . 7 | 5. Protocol Operation . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 5.1. Effects of adding TSIG to outgoing message . . . . . . . 7 | 5.1. Effects of adding TSIG to outgoing message . . . . . . . 8 | |||
| 5.2. TSIG processing on incoming messages . . . . . . . . . . 8 | 5.2. TSIG processing on incoming messages . . . . . . . . . . 8 | |||
| 5.3. Time values used in TSIG calculations . . . . . . . . . . 8 | 5.3. Time values used in TSIG calculations . . . . . . . . . . 8 | |||
| 5.4. TSIG Variables and Coverage . . . . . . . . . . . . . . . 8 | 5.4. TSIG Variables and Coverage . . . . . . . . . . . . . . . 9 | |||
| 5.4.1. DNS Message . . . . . . . . . . . . . . . . . . . . . 9 | 5.4.1. DNS Message . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 5.4.2. TSIG Variables . . . . . . . . . . . . . . . . . . . 9 | 5.4.2. TSIG Variables . . . . . . . . . . . . . . . . . . . 9 | |||
| 5.4.3. Request MAC . . . . . . . . . . . . . . . . . . . . . 9 | 5.4.3. Request MAC . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 5.5. Padding . . . . . . . . . . . . . . . . . . . . . . . . . 10 | 5.5. Component Padding . . . . . . . . . . . . . . . . . . . . 10 | |||
| 6. Protocol Details . . . . . . . . . . . . . . . . . . . . . . 10 | 6. Protocol Details . . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 6.1. TSIG generation on requests . . . . . . . . . . . . . . . 10 | 6.1. TSIG generation on requests . . . . . . . . . . . . . . . 10 | |||
| 6.2. TSIG on Answers . . . . . . . . . . . . . . . . . . . . . 10 | 6.2. TSIG on Answers . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 6.3. TSIG on TSIG Error returns . . . . . . . . . . . . . . . 10 | 6.3. TSIG on TSIG Error returns . . . . . . . . . . . . . . . 11 | |||
| 6.4. TSIG on zone tranfer over a TCP connection . . . . . . . 11 | 6.4. TSIG on zone transfer over a TCP connection . . . . . . . 11 | |||
| 6.5. Server TSIG checks . . . . . . . . . . . . . . . . . . . 11 | 6.5. Server TSIG checks . . . . . . . . . . . . . . . . . . . 12 | |||
| 6.5.1. Key check and error handling . . . . . . . . . . . . 11 | 6.5.1. Key check and error handling . . . . . . . . . . . . 12 | |||
| 6.5.2. Specifying Truncation . . . . . . . . . . . . . . . . 12 | 6.5.2. MAC check and error handling . . . . . . . . . . . . 12 | |||
| 6.5.3. MAC check and error handling . . . . . . . . . . . . 12 | 6.5.3. Time check and error handling . . . . . . . . . . . . 13 | |||
| 6.5.4. Time check and error handling . . . . . . . . . . . . 13 | 6.5.4. Truncation check and error handling . . . . . . . . . 13 | |||
| 6.5.5. Truncation check and error handling . . . . . . . . . 13 | ||||
| 6.6. Client processing of answer . . . . . . . . . . . . . . . 13 | 6.6. Client processing of answer . . . . . . . . . . . . . . . 13 | |||
| 6.6.1. Key error handling . . . . . . . . . . . . . . . . . 13 | 6.6.1. Key error handling . . . . . . . . . . . . . . . . . 14 | |||
| 6.6.2. MAC error handling . . . . . . . . . . . . . . . . . 14 | 6.6.2. MAC error handling . . . . . . . . . . . . . . . . . 14 | |||
| 6.6.3. Time error handling . . . . . . . . . . . . . . . . . 14 | 6.6.3. Time error handling . . . . . . . . . . . . . . . . . 14 | |||
| 6.6.4. Truncation error handling . . . . . . . . . . . . . . 14 | 6.6.4. Truncation error handling . . . . . . . . . . . . . . 14 | |||
| 6.7. Special considerations for forwarding servers . . . . . . 14 | 6.7. Special considerations for forwarding servers . . . . . . 15 | |||
| 7. Algorithms and Identifiers . . . . . . . . . . . . . . . . . 14 | 7. Algorithms and Identifiers . . . . . . . . . . . . . . . . . 15 | |||
| 8. TSIG Truncation Policy . . . . . . . . . . . . . . . . . . . 15 | 8. TSIG Truncation Policy . . . . . . . . . . . . . . . . . . . 16 | |||
| 9. Shared Secrets . . . . . . . . . . . . . . . . . . . . . . . 16 | 9. Shared Secrets . . . . . . . . . . . . . . . . . . . . . . . 17 | |||
| 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16 | 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 17 | |||
| 11. Security Considerations . . . . . . . . . . . . . . . . . . . 17 | 11. Security Considerations . . . . . . . . . . . . . . . . . . . 18 | |||
| 11.1. Issue fixed in this document . . . . . . . . . . . . . . 18 | 11.1. Issue fixed in this document . . . . . . . . . . . . . . 19 | |||
| 11.2. Why not DNSSEC? . . . . . . . . . . . . . . . . . . . . 18 | 11.2. Why not DNSSEC? . . . . . . . . . . . . . . . . . . . . 19 | |||
| 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 19 | 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 20 | |||
| 12.1. Normative References . . . . . . . . . . . . . . . . . . 19 | 12.1. Normative References . . . . . . . . . . . . . . . . . . 20 | |||
| 12.2. Informative References . . . . . . . . . . . . . . . . . 20 | 12.2. Informative References . . . . . . . . . . . . . . . . . 20 | |||
| Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . 21 | Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . 22 | |||
| Appendix B. Change History . . . . . . . . . . . . . . . . . . . 22 | Appendix B. Change History (to be removed before publication) . 23 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 23 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 24 | |||
| 1. Introduction | 1. Introduction | |||
| In 2017, security problems in two nameservers strictly following | ||||
| [RFC2845] and [RFC4635] (i.e., TSIG and its HMAC-SHA extension) | ||||
| specifications were discovered. The implementations were fixed but, | ||||
| to avoid similar problems in the future, the two documents were | ||||
| updated and merged, producing these revised specifications for TSIG. | ||||
| The Domain Name System (DNS) [RFC1034], [RFC1035] is a replicated | The Domain Name System (DNS) [RFC1034], [RFC1035] is a replicated | |||
| hierarchical distributed database system that provides information | hierarchical distributed database system that provides information | |||
| fundamental to Internet operations, such as name <=> address | fundamental to Internet operations, such as name <=> address | |||
| translation and mail handling information. | translation and mail handling information. | |||
| In 2017, security problems in two nameservers strictly following | ||||
| [RFC2845] and [RFC4635] (i.e., TSIG and its HMAC-SHA extension) | ||||
| specifications were discovered. The implementations were fixed but, | ||||
| to avoid similar problems in the future, the two documents were | ||||
| updated and merged, producing this revised specification for TSIG. | ||||
| This document specifies use of a message authentication code (MAC), | This document specifies use of a message authentication code (MAC), | |||
| either HMAC-MD5 or HMAC-SHA (keyed hash functions), to provide an | either HMAC-MD5 or HMAC-SHA (keyed hash functions), to provide an | |||
| efficient means of point-to-point authentication and integrity | efficient means of point-to-point authentication and integrity | |||
| checking for transactions. | checking for DNS transactions. | |||
| The second area where the secret key based MACs specified in this | The second area where the secret key based MACs specified in this | |||
| document can be used is to authenticate DNS update requests as well | document can be used is to authenticate DNS update requests as well | |||
| as transaction responses, providing a lightweight alternative to the | as transaction responses, providing a lightweight alternative to the | |||
| protocol described by [RFC3007]. | protocol described by [RFC3007]. | |||
| A further use of this mechanism is to protect zone transfers. In | A further use of this mechanism is to protect zone transfers. In | |||
| this case the data covered would be the whole zone transfer including | this case the data covered would be the whole zone transfer including | |||
| any glue records sent. The protocol described by DNSSEC does not | any glue records sent. The protocol described by DNSSEC does not | |||
| protect glue records and unsigned records unless SIG(0) (transaction | protect glue records and unsigned records unless SIG(0) (transaction | |||
| skipping to change at page 4, line 27 ¶ | skipping to change at page 4, line 33 ¶ | |||
| many resolvers on hosts that only talk to a few recursive servers. | many resolvers on hosts that only talk to a few recursive servers. | |||
| A server acting as an indirect caching resolver -- a "forwarder" in | A server acting as an indirect caching resolver -- a "forwarder" in | |||
| common usage -- might use transaction-based authentication when | common usage -- might use transaction-based authentication when | |||
| communicating with its small number of preconfigured "upstream" | communicating with its small number of preconfigured "upstream" | |||
| servers. Other uses of DNS secret key authentication and possible | servers. Other uses of DNS secret key authentication and possible | |||
| systems for automatic secret key distribution may be proposed in | systems for automatic secret key distribution may be proposed in | |||
| separate future documents. | separate future documents. | |||
| Note that use of TSIG presumes prior agreement between the two | Note that use of TSIG presumes prior agreement between the two | |||
| parties involved (e.g., resolver and server) as to the algorithm and | parties involved (e.g., resolver and server) as to any algorithm and | |||
| key to be used. | key to be used. | |||
| Since the publication of first version of this document ([RFC2845]) a | Since the publication of first version of this document ([RFC2845]) a | |||
| mechanism based on asymmetric signatures using the SIG RR was | mechanism based on asymmetric signatures using the SIG RR was | |||
| specified (SIG(0) [RFC2931]) whereas this document uses symmetric | specified (SIG(0) [RFC2931]) whereas this document uses symmetric | |||
| authentication codes calculated by HMAC [RFC2104] using strong hash | authentication codes calculated by HMAC [RFC2104] using strong hash | |||
| functions. | functions. | |||
| 2. Key words | 2. Key words | |||
| skipping to change at page 5, line 5 ¶ | skipping to change at page 5, line 14 ¶ | |||
| 3. New Assigned Numbers | 3. New Assigned Numbers | |||
| RRTYPE = TSIG (250) | RRTYPE = TSIG (250) | |||
| ERROR = 0..15 (a DNS RCODE) | ERROR = 0..15 (a DNS RCODE) | |||
| ERROR = 16 (BADSIG) | ERROR = 16 (BADSIG) | |||
| ERROR = 17 (BADKEY) | ERROR = 17 (BADKEY) | |||
| ERROR = 18 (BADTIME) | ERROR = 18 (BADTIME) | |||
| ERROR = 22 (BADTRUNC) | ERROR = 22 (BADTRUNC) | |||
| (See [RFC6895] Section 2.3 concerning the assignment of the value 16 | ||||
| to BADSIG.) | ||||
| 4. TSIG RR Format | 4. TSIG RR Format | |||
| 4.1. TSIG RR Type | 4.1. TSIG RR Type | |||
| To provide secret key authentication, we use a new RR type whose | To provide secret key authentication, we use a new RR type whose | |||
| mnemonic is TSIG and whose type code is 250. TSIG is a meta-RR and | mnemonic is TSIG and whose type code is 250. TSIG is a meta-RR and | |||
| MUST NOT be cached. TSIG RRs are used for authentication between DNS | MUST NOT be cached. TSIG RRs are used for authentication between DNS | |||
| entities that have established a shared secret key. TSIG RRs are | entities that have established a shared secret key. TSIG RRs are | |||
| dynamically computed to cover a particular DNS transaction and are | dynamically computed to cover a particular DNS transaction and are | |||
| not DNS RRs in the usual sense. | not DNS RRs in the usual sense. | |||
| 4.2. TSIG Calculation | 4.2. TSIG Calculation | |||
| As the TSIG RRs are related to one DNS request/response, there is no | As the TSIG RRs are related to one DNS request/response, there is no | |||
| value in storing or retransmitting them, thus the TSIG RR is | value in storing or retransmitting them, thus the TSIG RR is | |||
| discarded once it has been used to authenticate a DNS message. | discarded once it has been used to authenticate a DNS message. | |||
| Recommendations concerning the message digest agorithm can be found | Recommendations concerning the message digest algorithm can be found | |||
| in Section 7. All multi-octet integers in the TSIG record are sent | in Section 7. All multi-octet integers in the TSIG record are sent | |||
| in network byte order (see [RFC1035] 2.3.2). | in network byte order (see [RFC1035] 2.3.2). | |||
| 4.3. TSIG Record Format | 4.3. TSIG Record Format | |||
| NAME The name of the key used in domain name syntax. The name | NAME The name of the key used in domain name syntax. The name | |||
| should reflect the names of the hosts and uniquely identify the | should reflect the names of the hosts and uniquely identify the | |||
| key among a set of keys these two hosts may share at any given | key among a set of keys these two hosts may share at any given | |||
| time. If hosts A.site.example and B.example.net share a key, | time. If hosts A.site.example and B.example.net share a key, | |||
| possibilities for the key name include <id>.A.site.example, | possibilities for the key name include <id>.A.site.example, | |||
| skipping to change at page 6, line 35 ¶ | skipping to change at page 6, line 47 ¶ | |||
| | Other Len | / | | Other Len | / | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Other Data / | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Other Data / | |||
| / / | / / | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| The contents of the RDATA fields are: | The contents of the RDATA fields are: | |||
| * Algorithm Name - identifies the TSIG algorithm name in the | * Algorithm Name - identifies the TSIG algorithm name in the | |||
| domain name syntax. | domain name syntax. | |||
| * Time Signed - the The Time Signed field specifies seconds | * Time Signed - time signed as seconds since 00:00 on | |||
| since 00:00 on 1970-01-01 UTC. | 1970-01-01 UTC ignoring leap seconds. | |||
| * Fudge - specifies allowed time difference in seconds | * Fudge - specifies the allowed time difference in seconds | |||
| permitted in the Time Signed field. | permitted in the Time Signed field. | |||
| * MAC Size - the MAC Size field specifies the length of MAC | * MAC Size - the length of MAC field in octets. Truncation is | |||
| field in octets. Truncation is indicated by a MAC size less | indicated by a MAC size less than the size of the keyed hash | |||
| than the HMAC size. | produced by the algorithm specified by the Algorithm Name. | |||
| * MAC - the contents of the MAC field are defined by the TSIG | * MAC - the contents of this field are defined by the TSIG | |||
| algorithm used. | algorithm used, possibly truncated as specified by MAC Size. | |||
| * Error - contains the expanded RCODE covering TSIG | * Error - contains the expanded RCODE covering TSIG | |||
| processing. | processing. | |||
| * Other Len - specifies the length of the "Other Data" field | * Other Len - specifies the length of the "Other Data" field | |||
| in octets. | in octets. | |||
| * Other Data - this field will be empty unless the content of | * Other Data - this field will be empty unless the content of | |||
| the Error field is BADTIME, in which case it will contain | the Error field is BADTIME, in which case it will contain | |||
| the server's current time (see Section 6.5.4). | the server's current time (see Section 6.5.3). | |||
| 4.4. Example | 4.4. Example | |||
| NAME HOST.EXAMPLE. | NAME HOST.EXAMPLE. | |||
| TYPE TSIG | TYPE TSIG | |||
| CLASS ANY | CLASS ANY | |||
| TTL 0 | TTL 0 | |||
| skipping to change at page 8, line 11 ¶ | skipping to change at page 8, line 22 ¶ | |||
| of only the question and a TSIG record, and has the TC bit set and | of only the question and a TSIG record, and has the TC bit set and | |||
| RCODE 0 (NOERROR). The client SHOULD at this point retry the request | RCODE 0 (NOERROR). The client SHOULD at this point retry the request | |||
| using TCP (per [RFC1035] 4.2.2). | using TCP (per [RFC1035] 4.2.2). | |||
| 5.2. TSIG processing on incoming messages | 5.2. TSIG processing on incoming messages | |||
| If an incoming message contains a TSIG record, it MUST be the last | If an incoming message contains a TSIG record, it MUST be the last | |||
| record in the additional section. Multiple TSIG records are not | record in the additional section. Multiple TSIG records are not | |||
| allowed. If a TSIG record is present in any other position, the DNS | allowed. If a TSIG record is present in any other position, the DNS | |||
| message is dropped and a response with RCODE 1 (FORMERR) MUST be | message is dropped and a response with RCODE 1 (FORMERR) MUST be | |||
| returned. Upon receipt of a message with a correctly placed TSIG RR, | returned. Upon receipt of a message with exactly one correctly | |||
| the TSIG RR is copied to a safe location, removed from the DNS | placed TSIG RR, the TSIG RR is copied to a safe location, removed | |||
| Message, and decremented out of the DNS message header's ARCOUNT. At | from the DNS Message, and decremented out of the DNS message header's | |||
| this point the HMAC computation is performed: until this operation | ARCOUNT. At this point the keyed hash (HMAC) computation is | |||
| concludes that the signature is valid, the signature MUST be | performed. | |||
| considered to be invalid. | ||||
| If the algorithm name or key name is unknown to the recipient, or if | If the algorithm name or key name is unknown to the recipient, or if | |||
| the MACs do not match, the whole DNS message MUST be discarded. If | the MACs do not match, the whole DNS message MUST be discarded. If | |||
| the message is a query, a response with RCODE 9 (NOTAUTH) MUST be | the message is a query, a response with RCODE 9 (NOTAUTH) MUST be | |||
| sent back to the originator with TSIG ERROR 17 (BADKEY) or TSIG ERROR | sent back to the originator with TSIG ERROR 17 (BADKEY) or TSIG ERROR | |||
| 16 (BADSIG). If no key is available to sign this message it MUST be | 16 (BADSIG). If no key is available to sign this message it MUST be | |||
| sent unsigned (MAC size == 0 and empty MAC). A message to the system | sent unsigned (MAC size == 0 and empty MAC). A message to the system | |||
| operations log SHOULD be generated, to warn the operations staff of a | operations log SHOULD be generated, to warn the operations staff of a | |||
| possible security incident in progress. Care should be taken to | possible security incident in progress. Care should be taken to | |||
| ensure that logging of this type of event does not open the system to | ensure that logging of this type of event does not open the system to | |||
| a denial of service attack. | a denial of service attack. | |||
| Until these error checks are successfully passed, concluding that the | ||||
| signature is valid, the signature MUST be considered to be invalid. | ||||
| 5.3. Time values used in TSIG calculations | 5.3. Time values used in TSIG calculations | |||
| The data digested includes the two timer values in the TSIG header in | The data digested includes the two timer values in the TSIG header in | |||
| order to defend against replay attacks. If this were not done, an | order to defend against replay attacks. If this were not done, an | |||
| attacker could replay old messages but update the "Time Signed" and | attacker could replay old messages but update the "Time Signed" and | |||
| "Fudge" fields to make the message look new. This data is named | "Fudge" fields to make the message look new. This data is named | |||
| "TSIG Timers", and for the purpose of MAC calculation they are | "TSIG Timers", and for the purpose of MAC calculation they are hashed | |||
| invoked in their "on the wire" format, in the following order: first | in their "on the wire" format, in the following order: first Time | |||
| Time Signed, then Fudge. For example: | Signed, then Fudge. For example: | |||
| Field Name Value Wire Format Meaning | Field Name Value Wire Format Meaning | |||
| ----------- --------- ----------------- ------------------------ | ----------- --------- ----------------- ------------------------ | |||
| Time Signed 853804800 00 00 32 e4 07 00 Tue Jan 21 00:00:00 1997 | Time Signed 853804800 00 00 32 e4 07 00 Tue Jan 21 00:00:00 1997 | |||
| Fudge 300 01 2C 5 minutes | Fudge 300 01 2C 5 minutes | |||
| 5.4. TSIG Variables and Coverage | 5.4. TSIG Variables and Coverage | |||
| When generating or verifying the contents of a TSIG record, the | When generating or verifying the contents of a TSIG record, the | |||
| following data are passed as input to MAC computation, in network | following data are passed as input to MAC computation, in network | |||
| skipping to change at page 10, line 10 ¶ | skipping to change at page 10, line 20 ¶ | |||
| instead. (Section 6.3). | instead. (Section 6.3). | |||
| The request's MAC is digested in wire format, including the following | The request's MAC is digested in wire format, including the following | |||
| fields: | fields: | |||
| Field Type Description | Field Type Description | |||
| ---------- ------------ ---------------------- | ---------- ------------ ---------------------- | |||
| MAC Length uint16_t in network byte order | MAC Length uint16_t in network byte order | |||
| MAC Data octet stream exactly as transmitted | MAC Data octet stream exactly as transmitted | |||
| 5.5. Padding | 5.5. Component Padding | |||
| Digested components (i.e., inputs to HMAC computation) are fed into | Digested components (i.e., inputs to keyed hash computation) are fed | |||
| the hashing function as a continuous octet stream with no interfield | into the hashing function as a continuous octet stream with no | |||
| padding. | interfield separator or padding. | |||
| 6. Protocol Details | 6. Protocol Details | |||
| 6.1. TSIG generation on requests | 6.1. TSIG generation on requests | |||
| Client performs the HMAC computation and appends a TSIG record to the | Client performs the keyed hash (HMAC) computation and appends a TSIG | |||
| additional data section and transmits the request to the server. The | record to the additional data section and transmits the request to | |||
| client MUST store the MAC from the request while awaiting an answer. | the server. The client MUST store the MAC from the request while | |||
| The digest components for a request are: | awaiting an answer. The digest components for a request are: | |||
| DNS Message (request) | DNS Message (request) | |||
| TSIG Variables (request) | TSIG Variables (request) | |||
| Note that some older name servers will not accept requests with a | Note that some older name servers will not accept requests with a | |||
| nonempty additional data section. Clients SHOULD only attempt signed | nonempty additional data section. Clients SHOULD only attempt signed | |||
| transactions with servers who are known to support TSIG and share | transactions with servers who are known to support TSIG and share | |||
| some secret key with the client -- so, this is not a problem in | some algorithm and secret key with the client -- so, this is not a | |||
| practice. | problem in practice. | |||
| 6.2. TSIG on Answers | 6.2. TSIG on Answers | |||
| When a server has generated a response to a signed request, it signs | When a server has generated a response to a signed request, it signs | |||
| the response using the same algorithm and key. The server MUST NOT | the response using the same algorithm and key. The server MUST NOT | |||
| generate a signed response to an unsigned request or a request that | generate a signed response to a request if either the KEY is invalid | |||
| fails validation. The digest components are: | or the MAC fails validation. It also MUST NOT not generate a signed | |||
| response to an unsigned request, except in the case of a response to | ||||
| a client's unsigned TKEY request if the secret key is established on | ||||
| the server side after the server processed the client's request. | ||||
| Signing responses to unsigned TKEY requests MUST be explicitly | ||||
| specified in the description of an individual secret key | ||||
| establishment algorithm [RFC3645]. | ||||
| The digest components are: | ||||
| Request MAC | Request MAC | |||
| DNS Message (response) | DNS Message (response) | |||
| TSIG Variables (response) | TSIG Variables (response) | |||
| 6.3. TSIG on TSIG Error returns | 6.3. TSIG on TSIG Error returns | |||
| When a server detects an error relating to the key or MAC, the server | When a server detects an error relating to the key or MAC, the server | |||
| SHOULD send back an unsigned error message (MAC size == 0 and empty | SHOULD send back an unsigned error message (MAC size == 0 and empty | |||
| MAC). If an error is detected relating to the TSIG validity period | MAC). It MUST NOT send back a signed error message. | |||
| or the MAC is too short for the local policy, the server SHOULD send | ||||
| back a signed error message. The digest components are: | If an error is detected relating to the TSIG validity period or the | |||
| MAC is too short for the local policy, the server SHOULD send back a | ||||
| signed error message. The digest components are: | ||||
| Request MAC (if the request MAC validated) | Request MAC (if the request MAC validated) | |||
| DNS Message (response) | DNS Message (response) | |||
| TSIG Variables (response) | TSIG Variables (response) | |||
| The reason that the request is not included in this MAC in some cases | The reason that the request is not included in this MAC in some cases | |||
| is to make it possible for the client to verify the error. If the | is to make it possible for the client to verify the error. If the | |||
| error is not a TSIG error the response MUST be generated as specified | error is not a TSIG error the response MUST be generated as specified | |||
| in Section 6.2. | in Section 6.2. | |||
| 6.4. TSIG on zone tranfer over a TCP connection | 6.4. TSIG on zone transfer over a TCP connection | |||
| A zone transfer over a DNS TCP session can include multiple DNS | A zone transfer over a DNS TCP session can include multiple DNS | |||
| messages. Using TSIG on such a connection can protect the connection | messages. Using TSIG on such a connection can protect the connection | |||
| from hijacking and provide data integrity. The TSIG MUST be included | from hijacking and provide data integrity. The TSIG MUST be included | |||
| on the first and last DNS messages, and for new implementations | on the first and last DNS messages, and SHOULD be placed on all | |||
| SHOULD be placed on all intermediary messages. For backward | intermediary messages. For backward compatibility, a client which | |||
| compatibility the client which receives DNS messages and verifies | receives DNS messages and verifies TSIG MUST accept up to 99 | |||
| TSIG MUST accept up to 99 intermediary messages without a TSIG. The | intermediary messages without a TSIG. The first envelope is | |||
| first envelope is processed as a standard answer, and subsequent | processed as a standard answer, and subsequent messages have the | |||
| messages have the following digest components: | following digest components: | |||
| Prior MAC (running) | Prior MAC (running) | |||
| DNS Messages (any unsigned messages since the last TSIG) | DNS Messages (any unsigned messages since the last TSIG) | |||
| TSIG Timers (current message) | TSIG Timers (current message) | |||
| This allows the client to rapidly detect when the session has been | This allows the client to rapidly detect when the session has been | |||
| altered; at which point it can close the connection and retry. If a | altered; at which point it can close the connection and retry. If a | |||
| client TSIG verification fails, the client MUST close the connection. | client TSIG verification fails, the client MUST close the connection. | |||
| If the client does not receive TSIG records frequently enough (as | If the client does not receive TSIG records frequently enough (as | |||
| specified above) it SHOULD assume the connection has been hijacked | specified above) it SHOULD assume the connection has been hijacked | |||
| and it SHOULD close the connection. The client SHOULD treat this the | and it SHOULD close the connection. The client SHOULD treat this the | |||
| same way as they would any other interrupted transfer (although the | same way as they would any other interrupted transfer (although the | |||
| exact behavior is not specified). | exact behavior is not specified). | |||
| 6.5. Server TSIG checks | 6.5. Server TSIG checks | |||
| Upon receipt of a message, server will check if there is a TSIG RR. | Upon receipt of a message, server will check if there is a TSIG RR. | |||
| If one exists, the server is REQUIRED to return a TSIG RR in the | If one exists, the server is REQUIRED to return a TSIG RR in the | |||
| skipping to change at page 11, line 44 ¶ | skipping to change at page 12, line 16 ¶ | |||
| specified above) it SHOULD assume the connection has been hijacked | specified above) it SHOULD assume the connection has been hijacked | |||
| and it SHOULD close the connection. The client SHOULD treat this the | and it SHOULD close the connection. The client SHOULD treat this the | |||
| same way as they would any other interrupted transfer (although the | same way as they would any other interrupted transfer (although the | |||
| exact behavior is not specified). | exact behavior is not specified). | |||
| 6.5. Server TSIG checks | 6.5. Server TSIG checks | |||
| Upon receipt of a message, server will check if there is a TSIG RR. | Upon receipt of a message, server will check if there is a TSIG RR. | |||
| If one exists, the server is REQUIRED to return a TSIG RR in the | If one exists, the server is REQUIRED to return a TSIG RR in the | |||
| response. The server MUST perform the following checks in the | response. The server MUST perform the following checks in the | |||
| following order, check Key, check MAC, check Time values, check | following order, check KEY, check MAC, check TIME values, check | |||
| Truncation policy. | Truncation policy. | |||
| 6.5.1. Key check and error handling | 6.5.1. Key check and error handling | |||
| If a non-forwarding server does not recognize the key used by the | If a non-forwarding server does not recognize the key used by the | |||
| client, the server MUST generate an error response with RCODE 9 | client, the server MUST generate an error response with RCODE 9 | |||
| (NOTAUTH) and TSIG ERROR 17 (BADKEY). This response MUST be unsigned | (NOTAUTH) and TSIG ERROR 17 (BADKEY). This response MUST be unsigned | |||
| as specified in Section 6.3. The server SHOULD log the error. | as specified in Section 6.3. The server SHOULD log the error. | |||
| (Special considerations apply to forwarding servers, see | ||||
| Section 6.7.) | ||||
| 6.5.2. Specifying Truncation | 6.5.2. MAC check and error handling | |||
| When space is at a premium and the strength of the full length of an | If a TSIG fails to verify, the server MUST generate an error response | |||
| HMAC is not needed, it is reasonable to truncate the HMAC and use the | as specified in Section 6.3 with RCODE 9 (NOTAUTH) and TSIG ERROR 16 | |||
| truncated value for authentication. HMAC SHA-1 truncated to 96 bits | (BADSIG). This response MUST be unsigned as specified in | |||
| is an option available in several IETF protocols, including IPsec and | Section 6.3. The server SHOULD log the error. | |||
| TLS. | ||||
| 6.5.2.1. Specifying Truncation | ||||
| When space is at a premium and the strength of the full length of a | ||||
| MAC is not needed, it is reasonable to truncate the keyed hash and | ||||
| use the truncated value for authentication. HMAC SHA-1 truncated to | ||||
| 96 bits is an option available in several IETF protocols, including | ||||
| IPsec and TLS. | ||||
| Processing of a truncated MAC follows these rules | Processing of a truncated MAC follows these rules | |||
| 1. If "MAC size" field is greater than HMAC output length: | 1. If "MAC size" field is greater than keyed hash output length: | |||
| This case MUST NOT be generated and, if received, MUST cause the | This case MUST NOT be generated and, if received, MUST cause the | |||
| DNS message to be dropped and RCODE 1 (FORMERR) to be returned. | DNS message to be dropped and RCODE 1 (FORMERR) to be returned. | |||
| 2. If "MAC size" field equals HMAC output length: | 2. If "MAC size" field equals keyed hash output length: | |||
| The entire output HMAC output is present and used. | The entire output keyed hash output is present and used. | |||
| 3. "MAC size" field is less than HMAC output length but greater than | 3. "MAC size" field is less than keyed hash output length but | |||
| that specified in case 4, below: | greater than that specified in case 4, below: | |||
| This is sent when the signer has truncated the HMAC output to an | This is sent when the signer has truncated the keyed hash output | |||
| allowable length, as described in [RFC2104], taking initial | to an allowable length, as described in [RFC2104], taking initial | |||
| octets and discarding trailing octets. TSIG truncation can only | octets and discarding trailing octets. TSIG truncation can only | |||
| be to an integral number of octets. On receipt of a DNS message | be to an integral number of octets. On receipt of a DNS message | |||
| with truncation thus indicated, the locally calculated MAC is | with truncation thus indicated, the locally calculated MAC is | |||
| similarly truncated and only the truncated values are compared | similarly truncated and only the truncated values are compared | |||
| for authentication. The request MAC used when calculating the | for authentication. The request MAC used when calculating the | |||
| TSIG MAC for a reply is the truncated request MAC. | TSIG MAC for a reply is the truncated request MAC. | |||
| 4. "MAC size" field is less than the larger of 10 (octets) and half | 4. "MAC size" field is less than the larger of 10 (octets) and half | |||
| the length of the hash function in use: | the length of the hash function in use: | |||
| With the exception of certain TSIG error messages described in | With the exception of certain TSIG error messages described in | |||
| Section 6.3, where it is permitted that the MAC size be zero, | Section 6.3, where it is permitted that the MAC size be zero, | |||
| this case MUST NOT be generated and, if received, MUST cause the | this case MUST NOT be generated and, if received, MUST cause the | |||
| DNS message to be dropped and RCODE 1 (FORMERR) to be returned. | DNS message to be dropped and RCODE 1 (FORMERR) to be returned. | |||
| 6.5.3. MAC check and error handling | 6.5.3. Time check and error handling | |||
| If a TSIG fails to verify, the server MUST generate an error response | ||||
| as specified in Section 6.3 with RCODE 9 (NOTAUTH) and TSIG ERROR 16 | ||||
| (BADSIG). This response MUST be unsigned as specified in | ||||
| Section 6.3. The server SHOULD log the error. | ||||
| 6.5.4. Time check and error handling | ||||
| If the server time is outside the time interval specified by the | If the server time is outside the time interval specified by the | |||
| request (which is: Time Signed, plus/minus Fudge), the server MUST | request (which is: Time Signed, plus/minus Fudge), the server MUST | |||
| generate an error response with RCODE 9 (NOTAUTH) and TSIG ERROR 18 | generate an error response with RCODE 9 (NOTAUTH) and TSIG ERROR 18 | |||
| (BADTIME). The server SHOULD also cache the most recent time signed | (BADTIME). The server SHOULD also cache the most recent time signed | |||
| value in a message generated by a key, and SHOULD return BADTIME if a | value in a message generated by a key, and SHOULD return BADTIME if a | |||
| message received later has an earlier time signed value. A response | message received later has an earlier time signed value. A response | |||
| indicating a BADTIME error MUST be signed by the same key as the | indicating a BADTIME error MUST be signed by the same key as the | |||
| request. It MUST include the client's current time in the time | request. It MUST include the client's current time in the time | |||
| signed field, the server's current time (a uint48_t) in the other | signed field, the server's current time (a uint48_t) in the other | |||
| data field, and 6 in the other data length field. This is done so | data field, and 6 in the other data length field. This is done so | |||
| that the client can verify a message with a BADTIME error without the | that the client can verify a message with a BADTIME error without the | |||
| verification failing due to another BADTIME error. The data signed | verification failing due to another BADTIME error. The data signed | |||
| is specified in Section 6.3. The server SHOULD log the error. | is specified in Section 6.3. The server SHOULD log the error. | |||
| 6.5.5. Truncation check and error handling | 6.5.4. Truncation check and error handling | |||
| If a TSIG is received with truncation that is permitted under | If a TSIG is received with truncation that is permitted under | |||
| Section 6.5.2 above but the MAC is too short for the local policy in | Section 6.5.2.1 above but the MAC is too short for the local policy | |||
| force, an RCODE 9 (NOTAUTH) and TSIG ERROR 22 (BADTRUNC) MUST be | in force, an RCODE 9 (NOTAUTH) and TSIG ERROR 22 (BADTRUNC) MUST be | |||
| returned. The server SHOULD log the error. | returned. The server SHOULD log the error. | |||
| 6.6. Client processing of answer | 6.6. Client processing of answer | |||
| When a client receives a response from a server and expects to see a | When a client receives a response from a server and expects to see a | |||
| TSIG, it first checks if the TSIG RR is present in the response. | TSIG, it first checks if the TSIG RR is present in the response. | |||
| Otherwise, the response is treated as having a format error and | Otherwise, the response is treated as having a format error and | |||
| discarded. The client then extracts the TSIG, adjusts the ARCOUNT, | discarded. The client then extracts the TSIG, adjusts the ARCOUNT, | |||
| and calculates the MAC in the same way as the server, applying the | and calculates the MAC in the same way as the server, applying the | |||
| same rules to decide if truncated MAC is valid. If the TSIG does not | same rules to decide if truncated MAC is valid. If the TSIG does not | |||
| skipping to change at page 14, line 26 ¶ | skipping to change at page 14, line 45 ¶ | |||
| (BADTIME), or the current time does not fall in the range specified | (BADTIME), or the current time does not fall in the range specified | |||
| in the TSIG record, then this is a Time error. This is an indication | in the TSIG record, then this is a Time error. This is an indication | |||
| that the client and server clocks are not synchronized. In this case | that the client and server clocks are not synchronized. In this case | |||
| the client SHOULD log the event. DNS resolvers MUST NOT adjust any | the client SHOULD log the event. DNS resolvers MUST NOT adjust any | |||
| clocks in the client based on BADTIME errors, but the server's time | clocks in the client based on BADTIME errors, but the server's time | |||
| in the other data field SHOULD be logged. | in the other data field SHOULD be logged. | |||
| 6.6.4. Truncation error handling | 6.6.4. Truncation error handling | |||
| If the response RCODE is 9 (NOTAUTH) and the TSIG ERROR is 22 | If the response RCODE is 9 (NOTAUTH) and the TSIG ERROR is 22 | |||
| (BADTRUNC) the this is a Truncation error. The client MAY retry with | (BADTRUNC) then this is a Truncation error. The client MAY retry | |||
| lesser truncation up to the full HMAC output (no truncation), using | with a lesser truncation up to the full HMAC output (no truncation), | |||
| the truncation used in the response as a hint for what the server | using the truncation used in the response as a hint for what the | |||
| policy allowed (Section 8). Clients SHOULD log this event. | server policy allowed (Section 8). Clients SHOULD log this event. | |||
| 6.7. Special considerations for forwarding servers | 6.7. Special considerations for forwarding servers | |||
| A server acting as a forwarding server of a DNS message SHOULD check | A server acting as a forwarding server of a DNS message SHOULD check | |||
| for the existence of a TSIG record. If the name on the TSIG is not | for the existence of a TSIG record. If the name on the TSIG is not | |||
| of a secret that the server shares with the originator the server | of a secret that the server shares with the originator the server | |||
| MUST forward the message unchanged including the TSIG. If the name | MUST forward the message unchanged including the TSIG. If the name | |||
| of the TSIG is of a key this server shares with the originator, it | of the TSIG is of a key this server shares with the originator, it | |||
| MUST process the TSIG. If the TSIG passes all checks, the forwarding | MUST process the TSIG. If the TSIG passes all checks, the forwarding | |||
| server MUST, if possible, include a TSIG of his own, to the | server MUST, if possible, include a TSIG of his own, to the | |||
| skipping to change at page 15, line 15 ¶ | skipping to change at page 15, line 36 ¶ | |||
| The use of SHA-1 [FIPS180-4], [RFC3174], (which is a 160-bit hash as | The use of SHA-1 [FIPS180-4], [RFC3174], (which is a 160-bit hash as | |||
| compared to the 128 bits for MD5), and additional hash algorithms in | compared to the 128 bits for MD5), and additional hash algorithms in | |||
| the SHA family [FIPS180-4], [RFC3874], [RFC6234] with 224, 256, 384, | the SHA family [FIPS180-4], [RFC3874], [RFC6234] with 224, 256, 384, | |||
| and 512 bits may be preferred in some cases. This is because | and 512 bits may be preferred in some cases. This is because | |||
| increasingly successful cryptanalytic attacks are being made on the | increasingly successful cryptanalytic attacks are being made on the | |||
| shorter hashes. | shorter hashes. | |||
| Use of TSIG between two DNS agents is by mutual agreement. That | Use of TSIG between two DNS agents is by mutual agreement. That | |||
| agreement can include the support of additional algorithms and | agreement can include the support of additional algorithms and | |||
| criteria as to which algorithms and truncations are acceptable, | criteria as to which algorithms and truncations are acceptable, | |||
| subject to the restriction and guidelines in Section 6.5.2 above. | subject to the restriction and guidelines in Section 6.5.2.1 above. | |||
| Key agreement can be by the TKEY mechanism [RFC2930] or some other | Key agreement can be by the TKEY mechanism [RFC2930] or some other | |||
| mutually agreeable method. | mutually agreeable method. | |||
| The current HMAC-MD5.SIG-ALG.REG.INT and gss-tsig identifiers are | The current HMAC-MD5.SIG-ALG.REG.INT and gss-tsig [RFC3645] | |||
| included in the table below for convenience. Implementations that | identifiers are included in the table below for convenience. | |||
| support TSIG MUST also implement HMAC SHA1 and HMAC SHA256 and MAY | Implementations that support TSIG MUST also implement HMAC SHA1 and | |||
| implement gss-tsig and the other algorithms listed below. | HMAC SHA256 and MAY implement gss-tsig and the other algorithms | |||
| listed below. | ||||
| Requirement Name | Requirement Name | |||
| ----------- ------------------------ | ----------- ------------------------ | |||
| Mandatory HMAC-MD5.SIG-ALG.REG.INT | Mandatory HMAC-MD5.SIG-ALG.REG.INT | |||
| Optional gss-tsig | Optional gss-tsig | |||
| Mandatory hmac-sha1 | Mandatory hmac-sha1 | |||
| Optional hmac-sha224 | Optional hmac-sha224 | |||
| Mandatory hmac-sha256 | Mandatory hmac-sha256 | |||
| Optional hmac-sha384 | Optional hmac-sha384 | |||
| Optional hmac-sha512 | Optional hmac-sha512 | |||
| SHA-1 truncated to 96 bits (12 octets) SHOULD be implemented. | SHA-1 truncated to 96 bits (12 octets) SHOULD be implemented. | |||
| 8. TSIG Truncation Policy | 8. TSIG Truncation Policy | |||
| Use of TSIG is by mutual agreement between two DNS agents, e.g., a | As noted above, two DNS agents (e.g., resolver and server) must | |||
| resolver and server. Implicit in such an "agreement" are criteria as | mutually agree to use TSIG. Implicit in such an "agreement" are | |||
| to acceptable keys and algorithms and, with the extensions in this | criteria as to acceptable keys and algorithms and, with the | |||
| document, truncations. Note that it is common for implementations to | extensions in this document, truncations. Note that it is common for | |||
| bind the TSIG secret key or keys that may be in place at two parties | implementations to bind the TSIG secret key or keys that may be in | |||
| to particular algorithms. Thus, such implementations only permit the | place at two parties to particular algorithms. Thus, such | |||
| use of an algorithm if there is an associated key in place. Receipt | implementations only permit the use of an algorithm if there is an | |||
| of an unknown, unimplemented, or disabled algorithm typically results | associated key in place. Receipt of an unknown, unimplemented, or | |||
| in a BADKEY error. | disabled algorithm typically results in a BADKEY error. | |||
| Local policies MAY require the rejection of TSIGs, even though they | Local policies MAY require the rejection of TSIGs, even though they | |||
| use an algorithm for which implementation is mandatory. | use an algorithm for which implementation is mandatory. | |||
| When a local policy permits acceptance of a TSIG with a particular | When a local policy permits acceptance of a TSIG with a particular | |||
| algorithm and a particular non-zero amount of truncation, it SHOULD | algorithm and a particular non-zero amount of truncation, it SHOULD | |||
| also permit the use of that algorithm with lesser truncation (a | also permit the use of that algorithm with lesser truncation (a | |||
| longer MAC) up to the full HMAC output. | longer MAC) up to the full keyed hash output. | |||
| Regardless of a lower acceptable truncated MAC length specified by | Regardless of a lower acceptable truncated MAC length specified by | |||
| local policy, a reply SHOULD be sent with a MAC at least as long as | local policy, a reply SHOULD be sent with a MAC at least as long as | |||
| that in the corresponding request. Note if the request specified a | that in the corresponding request. Note if the request specified a | |||
| MAC length longer than the HMAC output it will be rejected by | MAC length longer than the keyed hash output it will be rejected by | |||
| processing rules Section 6.5.2 case 1. | processing rules Section 6.5.2.1 case 1. | |||
| Implementations permitting multiple acceptable algorithms and/or | Implementations permitting multiple acceptable algorithms and/or | |||
| truncations SHOULD permit this list to be ordered by presumed | truncations SHOULD permit this list to be ordered by presumed | |||
| strength and SHOULD allow different truncations for the same | strength and SHOULD allow different truncations for the same | |||
| algorithm to be treated as separate entities in this list. When so | algorithm to be treated as separate entities in this list. When so | |||
| implemented, policies SHOULD accept a presumed stronger algorithm and | implemented, policies SHOULD accept a presumed stronger algorithm and | |||
| truncation than the minimum strength required by the policy. | truncation than the minimum strength required by the policy. | |||
| 9. Shared Secrets | 9. Shared Secrets | |||
| skipping to change at page 16, line 40 ¶ | skipping to change at page 17, line 25 ¶ | |||
| A name server usually runs privileged, which means its configuration | A name server usually runs privileged, which means its configuration | |||
| data need not be visible to all users of the host. For this reason, | data need not be visible to all users of the host. For this reason, | |||
| a host that implements transaction-based authentication should | a host that implements transaction-based authentication should | |||
| probably be configured with a "stub resolver" and a local caching and | probably be configured with a "stub resolver" and a local caching and | |||
| forwarding name server. This presents a special problem for | forwarding name server. This presents a special problem for | |||
| [RFC2136] which otherwise depends on clients to communicate only with | [RFC2136] which otherwise depends on clients to communicate only with | |||
| a zone's authoritative name servers. | a zone's authoritative name servers. | |||
| Use of strong random shared secrets is essential to the security of | Use of strong random shared secrets is essential to the security of | |||
| TSIG. See [RFC4086] for a discussion of this issue. The secret | TSIG. See [RFC4086] for a discussion of this issue. The secret | |||
| SHOULD be at least as long as the HMAC output, i.e., 16 bytes for | SHOULD be at least as long as the keyed hash output, i.e., 16 bytes | |||
| HMAC-MD5 or 20 bytes for HMAC-SHA1. | for HMAC-MD5 or 20 bytes for HMAC-SHA1. | |||
| 10. IANA Considerations | 10. IANA Considerations | |||
| IANA maintains a registry of algorithm names to be used as "Algorithm | IANA maintains a registry of algorithm names to be used as "Algorithm | |||
| Names" as defined in Section 4.3. Algorithm names are text strings | Names" as defined in Section 4.3. Algorithm names are text strings | |||
| encoded using the syntax of a domain name. There is no structure | encoded using the syntax of a domain name. There is no structure | |||
| required other than names for different algorithms must be unique | required other than names for different algorithms must be unique | |||
| when compared as DNS names, i.e., comparison is case insensitive. | when compared as DNS names, i.e., comparison is case insensitive. | |||
| Previous specifications [RFC2845] and [RFC4635] defined values for | Previous specifications [RFC2845] and [RFC4635] defined values for | |||
| HMAC MD5 and SHA. IANA has also registered "gss-tsig" as an | HMAC MD5 and SHA. IANA has also registered "gss-tsig" as an | |||
| identifier for TSIG authentication where the cryptographic operations | identifier for TSIG authentication where the cryptographic operations | |||
| are delegated to the Generic Security Service (GSS) [RFC3645]. | are delegated to the Generic Security Service (GSS) [RFC3645]. | |||
| New algorithms are assigned using the IETF Consensus policy defined | New algorithms are assigned using the IETF Consensus policy defined | |||
| in [RFC8126]. The algorithm name HMAC-MD5.SIG-ALG.REG.INT looks like | in [RFC8126]. The algorithm name HMAC-MD5.SIG-ALG.REG.INT looks like | |||
| a fully-qualified domain name for historical reasons; other algorithm | a fully-qualified domain name for historical reasons; other algorithm | |||
| names are simple (i.e., single-component) names. | names are simple (i.e., single-component) names. | |||
| IANA maintains a registry of "TSIG Error values" to be used for | IANA maintains a registry of RCODES (error codes), including "TSIG | |||
| "Error" values as defined in Section 4.3. Initial values should be | Error values" to be used for "Error" values as defined in | |||
| those defined in Section 3. New TSIG error codes for the TSIG error | Section 4.3. New error codes are assigned and specified as in | |||
| field are assigned using the IETF Consensus policy defined in | [RFC6895]. | |||
| [RFC8126]. | ||||
| 11. Security Considerations | 11. Security Considerations | |||
| The approach specified here is computationally much less expensive | The approach specified here is computationally much less expensive | |||
| than the signatures specified in DNSSEC. As long as the shared | than the signatures specified in DNSSEC. As long as the shared | |||
| secret key is not compromised, strong authentication is provided for | secret key is not compromised, strong authentication is provided | |||
| the last hop from a local name server to the user resolver. | between two DNS systems, e.g., for the last hop from a local name | |||
| server to the user resolver, or between primary and secondary | ||||
| nameservers.. | ||||
| Secret keys should be changed periodically. If the client host has | Secret keys should be changed periodically. If the client host has | |||
| been compromised, the server should suspend the use of all secrets | been compromised, the server should suspend the use of all secrets | |||
| known to that client. If possible, secrets should be stored in | known to that client. If possible, secrets should be stored in | |||
| encrypted form. Secrets should never be transmitted in the clear | encrypted form. Secrets should never be transmitted in the clear | |||
| over any network. This document does not address the issue on how to | over any network. This document does not address the issue on how to | |||
| distribute secrets. Secrets should never be shared by more than two | distribute secrets except that it mentions the possibilities of | |||
| entities. | manual configuration and the use of TKEY [RFC2930]. Secrets SHOULD | |||
| NOT be shared by more than two entities. | ||||
| This mechanism does not authenticate source data, only its | This mechanism does not authenticate source data, only its | |||
| transmission between two parties who share some secret. The original | transmission between two parties who share some secret. The original | |||
| source data can come from a compromised zone master or can be | source data can come from a compromised zone master or can be | |||
| corrupted during transit from an authentic zone master to some | corrupted during transit from an authentic zone master to some | |||
| "caching forwarder." However, if the server is faithfully performing | "caching forwarder." However, if the server is faithfully performing | |||
| the full DNSSEC security checks, then only security checked data will | the full DNSSEC security checks, then only security checked data will | |||
| be available to the client. | be available to the client. | |||
| A fudge value that is too large may leave the server open to replay | A fudge value that is too large may leave the server open to replay | |||
| attacks. A fudge value that is too small may cause failures if | attacks. A fudge value that is too small may cause failures if | |||
| machines are not time synchronized or there are unexpected network | machines are not time synchronized or there are unexpected network | |||
| delays. The recommended value in most situation is 300 seconds. | delays. The recommended value in most situations is 300 seconds. | |||
| For all of the message authentication code algorithms listed in this | For all of the message authentication code algorithms listed in this | |||
| document, those producing longer values are believed to be stronger; | document, those producing longer values are believed to be stronger; | |||
| however, while there have been some arguments that mild truncation | however, while there have been some arguments that mild truncation | |||
| can strengthen a MAC by reducing the information available to an | can strengthen a MAC by reducing the information available to an | |||
| attacker, excessive truncation clearly weakens authentication by | attacker, excessive truncation clearly weakens authentication by | |||
| reducing the number of bits an attacker has to try to break the | reducing the number of bits an attacker has to try to break the | |||
| authentication by brute force [RFC2104]. | authentication by brute force [RFC2104]. | |||
| Significant progress has been made recently in cryptanalysis of hash | Significant progress has been made recently in cryptanalysis of hash | |||
| skipping to change at page 18, line 19 ¶ | skipping to change at page 19, line 7 ¶ | |||
| the design of MD4. While the results so far should not effect HMAC, | the design of MD4. While the results so far should not effect HMAC, | |||
| the stronger SHA-1 and SHA-256 algorithms are being made mandatory | the stronger SHA-1 and SHA-256 algorithms are being made mandatory | |||
| due to caution. Note that today SHA-3 [FIPS202] is available as an | due to caution. Note that today SHA-3 [FIPS202] is available as an | |||
| alternative to SHA-2 using a very different design. | alternative to SHA-2 using a very different design. | |||
| See also the Security Considerations section of [RFC2104] from which | See also the Security Considerations section of [RFC2104] from which | |||
| the limits on truncation in this RFC were taken. | the limits on truncation in this RFC were taken. | |||
| 11.1. Issue fixed in this document | 11.1. Issue fixed in this document | |||
| When signing a DNS reply message using TSIG, its MAC computation uses | When signing a DNS reply message using TSIG, the MAC computation uses | |||
| the request message's MAC as an input to cryptographically relate the | the request message's MAC as an input to cryptographically relate the | |||
| reply to the request. Unfortunately, the original TSIG specification | reply to the request. The original TSIG specification [RFC2845] | |||
| [RFC2845] failed to clearly require the request MAC to be | required that the TIME values be checked before the request's MAC. | |||
| successfully validated before using it. | If the TIME was invalid, some implementations failed to carry out | |||
| further checks and could use an invalid request MAC in the signed | ||||
| reply. | ||||
| This document proposes the principle that the MAC must be considered | This document proposes the principle that the request MAC must be | |||
| to be invalid until it was validated. This leads to the requirement | considered to be invalid until it has been validated: until then, any | |||
| that only a validated request MAC is included in a signed answer. Or | answer must be unsigned. For this reason, the request MAC is now | |||
| with other words when the request MAC was not validated the answer | checked before the TIME value. | |||
| must be unsigned with a BADKEY or BADSIG TSIG error. | ||||
| 11.2. Why not DNSSEC? | 11.2. Why not DNSSEC? | |||
| This section from the original document [RFC2845] analyzes DNSSEC in | This section from the original document [RFC2845] analyzes DNSSEC in | |||
| order to justify the introduction of TSIG. | order to justify the introduction of TSIG. | |||
| DNS has recently been extended by DNSSEC ([RFC4033], [RFC4034] and | DNS has recently been extended by DNSSEC ([RFC4033], [RFC4034] and | |||
| [RFC4035]) to provide for data origin authentication, and public key | [RFC4035]) to provide for data origin authentication, and public key | |||
| distribution, all based on public key cryptography and public key | distribution, all based on public key cryptography and public key | |||
| based digital signatures. To be practical, this form of security | based digital signatures. To be practical, this form of security | |||
| skipping to change at page 21, line 35 ¶ | skipping to change at page 22, line 20 ¶ | |||
| [RFC6234] Eastlake 3rd, D. and T. Hansen, "US Secure Hash Algorithms | [RFC6234] Eastlake 3rd, D. and T. Hansen, "US Secure Hash Algorithms | |||
| (SHA and SHA-based HMAC and HKDF)", RFC 6234, | (SHA and SHA-based HMAC and HKDF)", RFC 6234, | |||
| DOI 10.17487/RFC6234, May 2011, | DOI 10.17487/RFC6234, May 2011, | |||
| <https://www.rfc-editor.org/info/rfc6234>. | <https://www.rfc-editor.org/info/rfc6234>. | |||
| [RFC6891] Damas, J., Graff, M., and P. Vixie, "Extension Mechanisms | [RFC6891] Damas, J., Graff, M., and P. Vixie, "Extension Mechanisms | |||
| for DNS (EDNS(0))", STD 75, RFC 6891, | for DNS (EDNS(0))", STD 75, RFC 6891, | |||
| DOI 10.17487/RFC6891, April 2013, | DOI 10.17487/RFC6891, April 2013, | |||
| <https://www.rfc-editor.org/info/rfc6891>. | <https://www.rfc-editor.org/info/rfc6891>. | |||
| [RFC6895] Eastlake 3rd, D., "Domain Name System (DNS) IANA | ||||
| Considerations", BCP 42, RFC 6895, DOI 10.17487/RFC6895, | ||||
| April 2013, <https://www.rfc-editor.org/info/rfc6895>. | ||||
| [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for | [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for | |||
| Writing an IANA Considerations Section in RFCs", BCP 26, | Writing an IANA Considerations Section in RFCs", BCP 26, | |||
| RFC 8126, DOI 10.17487/RFC8126, June 2017, | RFC 8126, DOI 10.17487/RFC8126, June 2017, | |||
| <https://www.rfc-editor.org/info/rfc8126>. | <https://www.rfc-editor.org/info/rfc8126>. | |||
| Appendix A. Acknowledgments | Appendix A. Acknowledgments | |||
| This document just consolidates and updates the earlier documents by | This document consolidates and updates the earlier documents by the | |||
| the authors of [RFC2845] (Paul Vixie, Olafur Gudmundsson, Donald E. | authors of [RFC2845] (Paul Vixie, Olafur Gudmundsson, Donald E. | |||
| Eastlake 3rd and Brian Wellington) and [RFC4635] (Donald E. Eastlake | Eastlake 3rd and Brian Wellington) and [RFC4635] (Donald E. Eastlake | |||
| 3rd). It would not be possible without their original work. | 3rd). It would not be possible without their original work. | |||
| The security problem addressed by this document was reported by | The security problem addressed by this document was reported by | |||
| Clement Berthaux from Synacktiv. | Clement Berthaux from Synacktiv. | |||
| Note for the RFC Editor (to be removed before publication): the first | Note for the RFC Editor (to be removed before publication): the first | |||
| 'e' in Clement is a fact a small 'e' with acute, unicode code U+00E9. | 'e' in Clement is a fact a small 'e' with acute, unicode code U+00E9. | |||
| I do not know if xml2rfc supports non ASCII characters so I prefer to | I do not know if xml2rfc supports non ASCII characters so I prefer to | |||
| not experiment with it. BTW I am French too too so I can help if you | not experiment with it. BTW I am French too so I can help if you | |||
| have questions like correct spelling... | have questions like correct spelling... | |||
| Peter van Dijk, Benno Overeinder, Willem Toroop, Ondrej Sury, Mukund | Peter van Dijk, Benno Overeinder, Willem Toroop, Ondrej Sury, Mukund | |||
| Sivaraman and Ralph Dolmans participated in the discussions that | Sivaraman and Ralph Dolmans participated in the discussions that | |||
| prompted this document. | prompted this document. | |||
| Appendix B. Change History | Appendix B. Change History (to be removed before publication) | |||
| draft-dupont-dnsop-rfc2845bis-00 | draft-dupont-dnsop-rfc2845bis-00 | |||
| [RFC4635] was merged. | [RFC4635] was merged. | |||
| Authors of original documents were moved to Acknowledgments | Authors of original documents were moved to Acknowledgments | |||
| (Appendix A). | (Appendix A). | |||
| Section 2 was updated to [RFC8174] style. | Section 2 was updated to [RFC8174] style. | |||
| skipping to change at page 22, line 42 ¶ | skipping to change at page 23, line 36 ¶ | |||
| Added the security clarifications: | Added the security clarifications: | |||
| 1. Emphasized that MAC is invalid until it is successfully | 1. Emphasized that MAC is invalid until it is successfully | |||
| validated. | validated. | |||
| 2. Added requirement that a request MAC that has not been | 2. Added requirement that a request MAC that has not been | |||
| successfully validated MUST NOT be included into a response. | successfully validated MUST NOT be included into a response. | |||
| 3. Added requirement that a request that has not been validated | 3. Added requirement that a request that has not been validated | |||
| to the MUST NOT generate a signed response. | MUST NOT generate a signed response. | |||
| 4. Added note about MAC too short for the local policy to the | 4. Added note about MAC too short for the local policy to | |||
| Section 6.3. | Section 6.3. | |||
| 5. Changed the order of server checks and swapped corresponding | 5. Changed the order of server checks and swapped corresponding | |||
| sections. | sections. | |||
| 6. Removed the truncation size limit "also case" as it does not | 6. Removed the truncation size limit "also case" as it does not | |||
| apply and added confusion. | apply and added confusion. | |||
| 7. Relocated the error provision for TSIG truncation to the new | 7. Relocated the error provision for TSIG truncation to the new | |||
| Section 6.5.5. Moved from RCODE 22 to RCODE 9 and TSIG ERROR | Section 6.5.4. Moved from RCODE 22 to RCODE 9 and TSIG ERROR | |||
| 22, i.e., aligned with other TSIG error cases. | 22, i.e., aligned with other TSIG error cases. | |||
| 8. Added Section 6.6.4 about truncation error handling by | 8. Added Section 6.6.4 about truncation error handling by | |||
| clients. | clients. | |||
| 9. Removed the limit to HMAC output in replies as a request | 9. Removed the limit to HMAC output in replies as a request | |||
| which specified a MAC length longer than the HMAC output is | which specified a MAC length longer than the HMAC output is | |||
| invalid according the the first processing rule in | invalid according to the first processing rule in | |||
| Section 6.5.2. | Section 6.5.2.1. | |||
| 10. Promoted the requirement that a secret length should be at | 10. Promoted the requirement that a secret length should be at | |||
| least as long as the HMAC output to a SHOULD [RFC2119] key | least as long as the HMAC output to a SHOULD [RFC2119] key | |||
| word. | word. | |||
| 11. Added a short text to explain the security issue. | 11. Added a short text to explain the security issue. | |||
| draft-dupont-dnsop-rfc2845bis-01 | draft-dupont-dnsop-rfc2845bis-01 | |||
| Improved wording (post-publication comments). | Improved wording (post-publication comments). | |||
| Specialized and renamed the "TSIG on TCP connection" (Section 6.4) | Specialized and renamed the "TSIG on TCP connection" (Section 6.4) | |||
| to "TSIG on zone tranfer over a TCP connection". Added a SHOULD | to "TSIG on zone transfer over a TCP connection". Added a SHOULD | |||
| for a TSIG in each message (was envelope) for new implementations. | for a TSIG in each message (was envelope) for new implementations. | |||
| draft-ietf-dnsop-rfc2845bis-00 | draft-ietf-dnsop-rfc2845bis-00 | |||
| Adopted by the IETF DNSOP working group: title updated and version | Adopted by the IETF DNSOP working group: title updated and version | |||
| counter reseted to 00. | counter reset to 00. | |||
| Authors' Addresses | draft-ietf-dnsop-rfc2845bis-01 | |||
| Francis Dupont (editor) | Relationship between protocol change and principle of assuming the | |||
| request MAC is invalid until validated clarified. (Jinmei Tatuya) | ||||
| Cross reference to considerations for forwarding servers added. | ||||
| (Bob Harold) | ||||
| Added text from [RFC3645] concerning the signing behavior if a | ||||
| secret key is added during a multi-message exchange. | ||||
| Added reference to [RFC6895]. | ||||
| Many improvements in the wording. | ||||
| Added RFC 2845 authors as co-authors of this document. | ||||
| Authors' Addresses | ||||
| Francis Dupont | ||||
| Internet Software Consortium | Internet Software Consortium | |||
| 950 Charter Street | 950 Charter Street | |||
| Redwood City, CA 94063 | Redwood City, CA 94063 | |||
| United States | United States of America | |||
| Email: Francis.Dupont@fdupont.fr | Email: Francis.Dupont@fdupont.fr | |||
| Stephen Morris | Stephen Morris | |||
| Internet Software Consortium | Internet Software Consortium | |||
| 950 Charter Street | 950 Charter Street | |||
| Redwood City, CA 94063 | Redwood City, CA 94063 | |||
| United States | United States of America | |||
| Email: stephen@isc.org | Email: stephen@isc.org | |||
| URI: http://www.isc.org | ||||
| Paul Vixie | ||||
| Farsight Security Inc | ||||
| 177 Bovet Road, Suite 180 | ||||
| San Mateo, CA 94402 | ||||
| United States of America | ||||
| Email: paul@redbarn.org | ||||
| Donald E. Eastlake 3rd | ||||
| Huawei Technologies | ||||
| 155 Beaver Street | ||||
| Milford, MA 01753 | ||||
| United States of America | ||||
| Email: d3e3e3@gmail.com | ||||
| Olafur Gudmundsson | ||||
| CloudFlare | ||||
| San Francisco, CA 94107 | ||||
| United States of America | ||||
| Email: olafur+ietf@cloudflare.com | ||||
| Brian Wellington | ||||
| Akamai | ||||
| United States of America | ||||
| Email: bwelling@akamai.com | ||||
| End of changes. 78 change blocks. | ||||
| 166 lines changed or deleted | 214 lines changed or added | |||
This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||