draft-ietf-dnsop-rfc2845bis-07.txt   draft-ietf-dnsop-rfc2845bis-08.txt 
Internet Engineering Task Force F. Dupont Internet Engineering Task Force F. Dupont
Internet-Draft S. Morris Internet-Draft S. Morris
Obsoletes: 2845, 4635 (if approved) ISC Obsoletes: 2845, 4635 (if approved) ISC
Intended status: Standards Track P. Vixie Intended status: Standards Track P. Vixie
Expires: August 23, 2020 Farsight Expires: November 5, 2020 Farsight
D. Eastlake 3rd D. Eastlake 3rd
Futurewei Futurewei
O. Gudmundsson O. Gudmundsson
Cloudflare Cloudflare
B. Wellington B. Wellington
Akamai Akamai
February 20, 2020 May 4, 2020
Secret Key Transaction Authentication for DNS (TSIG) Secret Key Transaction Authentication for DNS (TSIG)
draft-ietf-dnsop-rfc2845bis-07 draft-ietf-dnsop-rfc2845bis-08
Abstract Abstract
This document describes a protocol for transaction level This document describes a protocol for transaction level
authentication using shared secrets and one way hashing. It can be authentication using shared secrets and one way hashing. It can be
used to authenticate dynamic updates as coming from an approved used to authenticate dynamic updates to a DNS zone as coming from an
client, or to authenticate responses as coming from an approved name approved client, or to authenticate responses as coming from an
server. approved name server.
No recommendation is made here for distributing the shared secrets: No recommendation is made here for distributing the shared secrets:
it is expected that a network administrator will statically configure it is expected that a network administrator will statically configure
name servers and clients using some out of band mechanism. name servers and clients using some out of band mechanism.
This document obsoletes RFC2845 and RFC4635. This document obsoletes RFC2845 and RFC4635.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
skipping to change at page 1, line 48 skipping to change at page 1, line 48
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on August 23, 2020. This Internet-Draft will expire on November 5, 2020.
Copyright Notice Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 3, line 4 skipping to change at page 3, line 4
4.3. MAC Computation . . . . . . . . . . . . . . . . . . . . . 8 4.3. MAC Computation . . . . . . . . . . . . . . . . . . . . . 8
4.3.1. Request MAC . . . . . . . . . . . . . . . . . . . . . 8 4.3.1. Request MAC . . . . . . . . . . . . . . . . . . . . . 8
4.3.2. DNS Message . . . . . . . . . . . . . . . . . . . . . 9 4.3.2. DNS Message . . . . . . . . . . . . . . . . . . . . . 9
4.3.3. TSIG Variables . . . . . . . . . . . . . . . . . . . 9 4.3.3. TSIG Variables . . . . . . . . . . . . . . . . . . . 9
5. Protocol Details . . . . . . . . . . . . . . . . . . . . . . 10 5. Protocol Details . . . . . . . . . . . . . . . . . . . . . . 10
5.1. Generation of TSIG on Requests . . . . . . . . . . . . . 10 5.1. Generation of TSIG on Requests . . . . . . . . . . . . . 10
5.2. Server Processing of Request . . . . . . . . . . . . . . 10 5.2. Server Processing of Request . . . . . . . . . . . . . . 10
5.2.1. Key Check and Error Handling . . . . . . . . . . . . 11 5.2.1. Key Check and Error Handling . . . . . . . . . . . . 11
5.2.2. MAC Check and Error Handling . . . . . . . . . . . . 11 5.2.2. MAC Check and Error Handling . . . . . . . . . . . . 11
5.2.3. Time Check and Error Handling . . . . . . . . . . . . 12 5.2.3. Time Check and Error Handling . . . . . . . . . . . . 12
5.2.4. Truncation Check and Error Handling . . . . . . . . . 12 5.2.4. Truncation Check and Error Handling . . . . . . . . . 13
5.3. Generation of TSIG on Answers . . . . . . . . . . . . . . 13 5.3. Generation of TSIG on Answers . . . . . . . . . . . . . . 13
5.3.1. TSIG on Zone Transfer Over a TCP Connection . . . . . 13 5.3.1. TSIG on TCP Connections . . . . . . . . . . . . . . . 13
5.3.2. Generation of TSIG on Error Returns . . . . . . . . . 14 5.3.2. Generation of TSIG on Error Returns . . . . . . . . . 14
5.4. Client Processing of Answer . . . . . . . . . . . . . . . 14 5.4. Client Processing of Answer . . . . . . . . . . . . . . . 15
5.4.1. Key Error Handling . . . . . . . . . . . . . . . . . 15 5.4.1. Key Error Handling . . . . . . . . . . . . . . . . . 15
5.4.2. MAC Error Handling . . . . . . . . . . . . . . . . . 15 5.4.2. MAC Error Handling . . . . . . . . . . . . . . . . . 15
5.4.3. Time Error Handling . . . . . . . . . . . . . . . . . 15 5.4.3. Time Error Handling . . . . . . . . . . . . . . . . . 15
5.4.4. Truncation Error Handling . . . . . . . . . . . . . . 15 5.4.4. Truncation Error Handling . . . . . . . . . . . . . . 16
5.5. Special Considerations for Forwarding Servers . . . . . . 16 5.5. Special Considerations for Forwarding Servers . . . . . . 16
6. Algorithms and Identifiers . . . . . . . . . . . . . . . . . 16 6. Algorithms and Identifiers . . . . . . . . . . . . . . . . . 16
7. TSIG Truncation Policy . . . . . . . . . . . . . . . . . . . 17 7. TSIG Truncation Policy . . . . . . . . . . . . . . . . . . . 17
8. Shared Secrets . . . . . . . . . . . . . . . . . . . . . . . 17 8. Shared Secrets . . . . . . . . . . . . . . . . . . . . . . . 18
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 18 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 18
10. Security Considerations . . . . . . . . . . . . . . . . . . . 18 10. Security Considerations . . . . . . . . . . . . . . . . . . . 19
10.1. Issue Fixed in this Document . . . . . . . . . . . . . . 19 10.1. Issue Fixed in this Document . . . . . . . . . . . . . . 20
10.2. Why not DNSSEC? . . . . . . . . . . . . . . . . . . . . 20 10.2. Why not DNSSEC? . . . . . . . . . . . . . . . . . . . . 20
11. References . . . . . . . . . . . . . . . . . . . . . . . . . 20 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 21
11.1. Normative References . . . . . . . . . . . . . . . . . . 20 11.1. Normative References . . . . . . . . . . . . . . . . . . 21
11.2. Informative References . . . . . . . . . . . . . . . . . 21 11.2. Informative References . . . . . . . . . . . . . . . . . 22
Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . 23 Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . 24
Appendix B. Change History (to be removed before publication) . 23 Appendix B. Change History (to be removed before publication) . 24
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 26 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 28
1. Introduction 1. Introduction
1.1. Background 1.1. Background
The Domain Name System (DNS, [RFC1034], [RFC1035]) is a replicated The Domain Name System (DNS, [RFC1034], [RFC1035]) is a replicated
hierarchical distributed database system that provides information hierarchical distributed database system that provides information
fundamental to Internet operations, such as name to address fundamental to Internet operations, such as name to address
translation and mail handling information. translation and mail handling information.
skipping to change at page 3, line 48 skipping to change at page 3, line 48
generated using certain keyed hash functions, to provide an efficient generated using certain keyed hash functions, to provide an efficient
means of point-to-point authentication and integrity checking for DNS means of point-to-point authentication and integrity checking for DNS
transactions. Such transactions include DNS update requests and transactions. Such transactions include DNS update requests and
responses for which this can provide a lightweight alternative to the responses for which this can provide a lightweight alternative to the
secure DNS dynamic update protocol described by [RFC3007]. secure DNS dynamic update protocol described by [RFC3007].
A further use of this mechanism is to protect zone transfers. In A further use of this mechanism is to protect zone transfers. In
this case the data covered would be the whole zone transfer including this case the data covered would be the whole zone transfer including
any glue records sent. The protocol described by DNSSEC ([RFC4033], any glue records sent. The protocol described by DNSSEC ([RFC4033],
[RFC4034], [RFC4035]) does not protect glue records and unsigned [RFC4034], [RFC4035]) does not protect glue records and unsigned
records unless SIG(0) (transaction signature) is used. records.
The authentication mechanism proposed in this document uses shared The authentication mechanism proposed here provides a simple and
efficient authentication between clients and servers, by using shared
secret keys to establish a trust relationship between two entities. secret keys to establish a trust relationship between two entities.
Such keys must be protected in a manner similar to private keys, lest Such keys must be protected in a manner similar to private keys, lest
a third party masquerade as one of the intended parties (by forging a third party masquerade as one of the intended parties (by forging
the MAC). There was a need to provide simple and efficient the MAC). The proposal is unsuitable for general server to server
authentication between clients and local servers and this proposal authentication and for servers which speak with many other servers,
addresses that need. The proposal is unsuitable for general server since key management would become unwieldy with the number of shared
to server authentication for servers which speak with many other keys going up quadratically. But it is suitable for many resolvers
servers, since key management would become unwieldy with the number on hosts that only talk to a few recursive servers.
of shared keys going up quadratically. But it is suitable for many
resolvers on hosts that only talk to a few recursive servers.
1.2. Protocol Overview 1.2. Protocol Overview
Secret Key Transaction Authentication makes use of signatures on Secret Key Transaction Authentication makes use of signatures on
messages sent between the parties involved (e.g. resolver and messages sent between the parties involved (e.g. resolver and
server). These are known as "transaction signatures", or TSIG. For server). These are known as "transaction signatures", or TSIG. For
historical reasons, in this document they are referred to as message historical reasons, in this document they are referred to as message
authentication codes (MAC). authentication codes (MAC).
Use of TSIG presumes prior agreement between the two parties involved Use of TSIG presumes prior agreement between the two parties involved
skipping to change at page 4, line 36 skipping to change at page 4, line 34
document. document.
A DNS message exchange involves the sending of a query and the A DNS message exchange involves the sending of a query and the
receipt of one of more DNS messages in response. For the query, the receipt of one of more DNS messages in response. For the query, the
MAC is calculated based on the hash of the contents and the agreed MAC is calculated based on the hash of the contents and the agreed
TSIG key. The MAC for the response is similar, but also includes the TSIG key. The MAC for the response is similar, but also includes the
MAC of the query as part of the calculation. Where a response MAC of the query as part of the calculation. Where a response
comprises multiple packets, the calculation of the MAC associated comprises multiple packets, the calculation of the MAC associated
with the second and subsequent packets includes in its inputs the MAC with the second and subsequent packets includes in its inputs the MAC
for the preceding packet. In this way it is possible to detect any for the preceding packet. In this way it is possible to detect any
interruption in the packet sequence. interruption in the packet sequence, although not its premature
termination.
The MAC is contained in a TSIG resource record included in the The MAC is contained in a TSIG resource record included in the
Additional Section of the DNS message. Additional Section of the DNS message.
1.3. Document History 1.3. Document History
TSIG was originally specified by [RFC2845]. In 2017, two nameservers TSIG was originally specified by [RFC2845]. In 2017, two nameserver
strictly following that document (and the related [RFC4635]) were implementations strictly following that document (and the related
discovered to have security problems related to this feature. The [RFC4635]) were discovered to have security problems related to this
feature ([CVE-2017-3142], [CVE-2017-3143], [CVE-2017-11104]). The
implementations were fixed but, to avoid similar problems in the implementations were fixed but, to avoid similar problems in the
future, the two documents were updated and merged, producing this future, the two documents were updated and merged, producing this
revised specification for TSIG. revised specification for TSIG.
While TSIG implemented according to this RFC provides for enhanced While TSIG implemented according to this RFC provides for enhanced
security, there are no changes in interoperability. TSIG is on the security, there are no changes in interoperability. TSIG is on the
wire still the same mechanism described in [RFC2845]; only the wire still the same mechanism described in [RFC2845]; only the
checking semantics have been changed. See Section 10.1 for further checking semantics have been changed. See Section 10.1 for further
details. details.
skipping to change at page 6, line 19 skipping to change at page 6, line 19
(see [RFC1035] 2.3.2). (see [RFC1035] 2.3.2).
NAME The name of the key used, in domain name syntax. The name NAME The name of the key used, in domain name syntax. The name
should reflect the names of the hosts and uniquely identify the should reflect the names of the hosts and uniquely identify the
key among a set of keys these two hosts may share at any given key among a set of keys these two hosts may share at any given
time. For example, if hosts A.site.example and B.example.net time. For example, if hosts A.site.example and B.example.net
share a key, possibilities for the key name include share a key, possibilities for the key name include
<id>.A.site.example, <id>.B.example.net, and <id>.A.site.example, <id>.B.example.net, and
<id>.A.site.example.B.example.net. It should be possible for <id>.A.site.example.B.example.net. It should be possible for
more than one key to be in simultaneous use among a set of more than one key to be in simultaneous use among a set of
interacting hosts. interacting hosts. This allows for periodic key rotation as
per best operational practices, as well as algorithm agility as
indicated by [BCP201].
The name may be used as a local index to the key involved and The name may be used as a local index to the key involved but
it is recommended that it be globally unique. Where a key is it is recommended that it be globally unique. Where a key is
just shared between two hosts, its name actually need only be just shared between two hosts, its name actually need only be
meaningful to them but it is recommended that the key name be meaningful to them but it is recommended that the key name be
mnemonic and incorporates the names of participating agents or mnemonic and incorporates the names of participating agents or
resources as suggested above. resources as suggested above.
TYPE This MUST be TSIG (250: Transaction SIGnature) TYPE This MUST be TSIG (250: Transaction SIGnature)
CLASS This MUST be ANY CLASS This MUST be ANY
skipping to change at page 7, line 29 skipping to change at page 7, line 29
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Other Len | / | Other Len | /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Other Data / +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Other Data /
/ / / /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The contents of the RDATA fields are: The contents of the RDATA fields are:
* Algorithm Name - a octet sequence identifying the TSIG * Algorithm Name - a octet sequence identifying the TSIG
algorithm name in the domain name syntax. (Allowed names algorithm name in the domain name syntax. (Allowed names
are listed in Table 1.) The name is stored in the DNS name are listed in Table 2.) The name is stored in the DNS name
wire format as described in [RFC1034]. As per [RFC3597], wire format as described in [RFC1034]. As per [RFC3597],
this name MUST NOT be compressed. this name MUST NOT be compressed.
* Time Signed - an unsigned 48-bit integer containing the time * Time Signed - an unsigned 48-bit integer containing the time
signed as seconds since 00:00 on 1970-01-01 UTC, ignoring the message was signed as seconds since 00:00 on 1970-01-01
leap seconds. UTC, ignoring leap seconds.
* Fudge - an unsigned 16-bit integer specifying the allowed * Fudge - an unsigned 16-bit integer specifying the allowed
time difference in seconds permitted in the Time Signed time difference in seconds permitted in the Time Signed
field. field.
* MAC Size - an unsigned 16-bit integer giving the length of * MAC Size - an unsigned 16-bit integer giving the length of
MAC field in octets. Truncation is indicated by a MAC size MAC field in octets. Truncation is indicated by a MAC size
less than the size of the keyed hash produced by the less than the size of the keyed hash produced by the
algorithm specified by the Algorithm Name. algorithm specified by the Algorithm Name.
skipping to change at page 8, line 9 skipping to change at page 8, line 9
Size. The length of this field is given by the Mac Size. Size. The length of this field is given by the Mac Size.
Calculation of the MAC is detailed in Section 4.3. Calculation of the MAC is detailed in Section 4.3.
* Original ID - An unsigned 16-bit integer holding the message * Original ID - An unsigned 16-bit integer holding the message
ID of the original request message. For a TSIG RR on a ID of the original request message. For a TSIG RR on a
request, it is set equal to the DNS message ID. In a TSIG request, it is set equal to the DNS message ID. In a TSIG
attached to a response - or in cases such as the forwarding attached to a response - or in cases such as the forwarding
of a dynamic update request - the field contains the ID of of a dynamic update request - the field contains the ID of
the original DNS request. the original DNS request.
* Error - an unsigned 16-bit integer containing the extended * Error - in responses, an unsigned 16-bit integer containing
RCODE covering TSIG processing. the extended RCODE covering TSIG processing. In requests,
this MUST be zero.
* Other Len - an unsigned 16-bit integer specifying the length * Other Len - an unsigned 16-bit integer specifying the length
of the "Other Data" field in octets. of the "Other Data" field in octets.
* Other Data - this unsigned 48-bit integer field will be * Other Data - additional data relevant to the TSIG record.
empty unless the content of the Error field is BADTIME, in In responses, this will be empty (i.e. "Other Len" will be
which case it will contain the server's current time as the zero) unless the content of the Error field is BADTIME, in
number of seconds since 00:00 on 1970-01-01 UTC, ignoring which case it will be a 48-bit unsigned integer containing
leap seconds (see Section 5.2.3). the server's current time as the number of seconds since
00:00 on 1970-01-01 UTC, ignoring leap seconds (see
Section 5.2.3). This document assigns no meaning to its
contents in requests.
4.3. MAC Computation 4.3. MAC Computation
When generating or verifying the contents of a TSIG record, the data When generating or verifying the contents of a TSIG record, the data
listed in the rest of this section are passed, in the order listed listed in the rest of this section are passed, in the order listed
below, as input to MAC computation. The data are passed in network below, as input to MAC computation. The data are passed in network
byte order or wire format, as appropriate, and are fed into the byte order or wire format, as appropriate, and are fed into the
hashing function as a continuous octet sequence with no interfield hashing function as a continuous octet sequence with no inter-field
separator or padding. separator or padding.
4.3.1. Request MAC 4.3.1. Request MAC
Only included in the computation of a MAC for a response message (or Only included in the computation of a MAC for a response message (or
the first message in a multi-message response), the validated request the first message in a multi-message response), the validated request
MAC MUST be included in the MAC computation. If the request MAC MAC MUST be included in the MAC computation. If the request MAC
failed to validate, an unsigned error message MUST be returned failed to validate, an unsigned error message MUST be returned
instead. (Section 5.3.2). instead. (Section 5.3.2).
skipping to change at page 9, line 7 skipping to change at page 9, line 9
MAC Length Unsigned 16-bit integer in network byte order MAC Length Unsigned 16-bit integer in network byte order
MAC Data octet sequence exactly as transmitted MAC Data octet sequence exactly as transmitted
Special considerations apply to the TSIG calculation for the second Special considerations apply to the TSIG calculation for the second
and subsequent messages a response that consists of multiple DNS and subsequent messages a response that consists of multiple DNS
messages (e.g. a zone transfer). These are described in messages (e.g. a zone transfer). These are described in
Section 5.3.1. Section 5.3.1.
4.3.2. DNS Message 4.3.2. DNS Message
A whole and complete DNS message in wire format. When creating a The DNS message used in the MAC computation is a whole and complete
TSIG, this is the message before the TSIG RR has been added to the DNS message in wire format.
additional data section and before the DNS Message Header's ARCOUNT
field has been incremented to contain the TSIG RR.
When verifying an incoming message, this is the message after the When creating a TSIG, it is the message before the TSIG RR has been
TSIG RR and been removed and the ARCOUNT field has been decremented. added to the additional data section and before the DNS Message
If the message ID differs from the original message ID, the original Header's ARCOUNT field has been incremented to contain the TSIG RR.
message ID is substituted for the message ID. (This could happen,
for example, when forwarding a dynamic update request.) When verifying an incoming message, it is the message after the TSIG
RR has been removed and the ARCOUNT field decremented. If the
message ID differs from the original message ID, the original message
ID is substituted for the message ID. (This could happen, for
example, when forwarding a dynamic update request.)
4.3.3. TSIG Variables 4.3.3. TSIG Variables
Also included in the digest is certain information present in the Also included in the digest is certain information present in the
TSIG RR. Adding this data provides further protection against an TSIG RR. Adding this data provides further protection against an
attempt to interfere with the message. attempt to interfere with the message.
Source Field Name Notes Source Field Name Notes
---------- -------------- ----------------------------------------- ---------- -------------- -----------------------------------------
TSIG RR NAME Key name, in canonical wire format TSIG RR NAME Key name, in canonical wire format
TSIG RR CLASS (Always ANY in the current specification) TSIG RR CLASS (Always ANY in the current specification)
TSIG RR TTL (Always 0 in the current specification) TSIG RR TTL (Always 0 in the current specification)
TSIG RDATA Algorithm Name in canonical wire format TSIG RDATA Algorithm Name in canonical wire format
TSIG RDATA Time Signed in network byte order TSIG RDATA Time Signed in network byte order
TSIG RDATA Fudge in network byte order TSIG RDATA Fudge in network byte order
TSIG RDATA Error in network byte order TSIG RDATA Error in network byte order
TSIG RDATA Other Len in network byte order TSIG RDATA Other Len in network byte order
TSIG RDATA Other Data exactly as transmitted TSIG RDATA Other Data exactly as transmitted
Table 1
The RR RDLEN and RDATA MAC Length are not included in the input to The RR RDLEN and RDATA MAC Length are not included in the input to
MAC computation since they are not guaranteed to be knowable before MAC computation since they are not guaranteed to be knowable before
the MAC is generated. the MAC is generated.
The Original ID field is not included in this section, as it has The Original ID field is not included in this section, as it has
already been substituted for the message ID in the DNS header and already been substituted for the message ID in the DNS header and
hashed. hashed.
For each label type, there must be a defined "Canonical wire format" For each label type, there must be a defined "Canonical wire format"
that specifies how to express a label in an unambiguous way. For that specifies how to express a label in an unambiguous way. For
label type 00, this is defined in [RFC4034] Section 6.1. The use of label type 00, this is defined in [RFC4034] Section 6.2. The use of
label types other than 00 is not defined for this specification. label types other than 00 is not defined for this specification.
4.3.3.1. Time Values Used in TSIG Calculations 4.3.3.1. Time Values Used in TSIG Calculations
The data digested includes the two timer values in the TSIG header in The data digested includes the two timer values in the TSIG header in
order to defend against replay attacks. If this were not done, an order to defend against replay attacks. If this were not done, an
attacker could replay old messages but update the "Time Signed" and attacker could replay old messages but update the "Time Signed" and
"Fudge" fields to make the message look new. This data is named "Fudge" fields to make the message look new. This data is named
"TSIG Timers", and for the purpose of MAC calculation, they are "TSIG Timers", and for the purpose of MAC calculation, they are
hashed in their "on the wire" format, in the following order: first hashed in their "on the wire" format, in the following order: first
skipping to change at page 10, line 33 skipping to change at page 10, line 35
the server. This TSIG record MUST be the only TSIG RR in the message the server. This TSIG record MUST be the only TSIG RR in the message
and MUST be last record in the Additional Data section. The client and MUST be last record in the Additional Data section. The client
MUST store the MAC and the key name from the request while awaiting MUST store the MAC and the key name from the request while awaiting
an answer. an answer.
The digest components for a request are: The digest components for a request are:
DNS Message (request) DNS Message (request)
TSIG Variables (request) TSIG Variables (request)
Note that some older name servers will not accept requests with a
nonempty additional data section. Clients SHOULD only attempt signed
transactions with servers who are known to support TSIG and share
some algorithm and secret key with the client -- so, this is not a
problem in practice.
5.2. Server Processing of Request 5.2. Server Processing of Request
If an incoming message contains a TSIG record, it MUST be the last If an incoming message contains a TSIG record, it MUST be the last
record in the additional section. Multiple TSIG records are not record in the additional section. Multiple TSIG records are not
allowed. If multiple TSIG records are detected or a TSIG record is allowed. If multiple TSIG records are detected or a TSIG record is
present in any other position, the DNS message is dropped and a present in any other position, the DNS message is dropped and a
response with RCODE 1 (FORMERR) MUST be returned. Upon receipt of a response with RCODE 1 (FORMERR) MUST be returned. Upon receipt of a
message with exactly one correctly placed TSIG RR, the TSIG RR is message with exactly one correctly placed TSIG RR, a copy of the TSIG
copied to a safe location, removed from the DNS Message, and RR is stored, and the TSIG RR is removed from the DNS Message, and
decremented out of the DNS message header's ARCOUNT. decremented out of the DNS message header's ARCOUNT.
If the TSIG RR cannot be understood, the server MUST regard the If the TSIG RR cannot be interpreted, the server MUST regard the
message as corrupt and return a FORMERR to the server. Otherwise the message as corrupt and return a FORMERR to the server. Otherwise the
server is REQUIRED to return a TSIG RR in the response. server is REQUIRED to return a TSIG RR in the response.
To validate the received TSIG RR, the server MUST perform the To validate the received TSIG RR, the server MUST perform the
following checks in the following order: following checks in the following order:
1. Check KEY 1. Check KEY
2. Check MAC 2. Check MAC
3. Check TIME values 3. Check TIME values
4. Check Truncation policy 4. Check Truncation policy
5.2.1. Key Check and Error Handling 5.2.1. Key Check and Error Handling
If a non-forwarding server does not recognize the key or algorithm If a non-forwarding server does not recognize the key or algorithm
used by the client (or recognises the algorithm but does not used by the client (or recognizes the algorithm but does not
implement it), the server MUST generate an error response with RCODE implement it), the server MUST generate an error response with RCODE
9 (NOTAUTH) and TSIG ERROR 17 (BADKEY). This response MUST be 9 (NOTAUTH) and TSIG ERROR 17 (BADKEY). This response MUST be
unsigned as specified in Section 5.3.2. The server SHOULD log the unsigned as specified in Section 5.3.2. The server SHOULD log the
error. (Special considerations apply to forwarding servers, see error. (Special considerations apply to forwarding servers, see
Section 5.5.) Section 5.5.)
5.2.2. MAC Check and Error Handling 5.2.2. MAC Check and Error Handling
Using the information in the TSIG, the server should verify the MAC Using the information in the TSIG, the server MUST verify the MAC by
by doing its own calculation and comparing the result with the MAC doing its own calculation and comparing the result with the MAC
received. If the MAC fails to verify, the server MUST generate an received. If the MAC fails to verify, the server MUST generate an
error response as specified in Section 5.3.2 with RCODE 9 (NOTAUTH) error response as specified in Section 5.3.2 with RCODE 9 (NOTAUTH)
and TSIG ERROR 16 (BADSIG). This response MUST be unsigned as and TSIG ERROR 16 (BADSIG). This response MUST be unsigned as
specified in Section 5.3.2. The server SHOULD log the error. specified in Section 5.3.2. The server SHOULD log the error.
5.2.2.1. MAC Truncation 5.2.2.1. MAC Truncation
When space is at a premium and the strength of the full length of a When space is at a premium and the strength of the full length of a
MAC is not needed, it is reasonable to truncate the keyed hash and MAC is not needed, it is reasonable to truncate the keyed hash and
use the truncated value for authentication. HMAC SHA-1 truncated to use the truncated value for authentication. HMAC SHA-1 truncated to
96 bits is an option available in several IETF protocols, including 96 bits is an option available in several IETF protocols, including
IPsec and TLS. IPsec and TLS. However, while this option is kept for backwards
compatibility, it may not provide a security level appropriate for
all cases in the modern environment. In these cases, it is
preferable to use a hashing algorithm such as SHA-256-128, SHA-
384-192 or SHA-512-256 [RFC4868].
Processing of a truncated MAC follows these rules: Processing of a truncated MAC follows these rules:
1. If "MAC size" field is greater than keyed hash output length: 1. If "MAC size" field is greater than keyed hash output length:
This case MUST NOT be generated and, if received, MUST cause the This case MUST NOT be generated and, if received, MUST cause the
DNS message to be dropped and RCODE 1 (FORMERR) to be returned. DNS message to be dropped and RCODE 1 (FORMERR) to be returned.
2. If "MAC size" field equals keyed hash output length: 2. If "MAC size" field equals keyed hash output length:
skipping to change at page 12, line 26 skipping to change at page 12, line 29
with truncation thus indicated, the locally calculated MAC is with truncation thus indicated, the locally calculated MAC is
similarly truncated and only the truncated values are compared similarly truncated and only the truncated values are compared
for authentication. The request MAC used when calculating the for authentication. The request MAC used when calculating the
TSIG MAC for a reply is the truncated request MAC. TSIG MAC for a reply is the truncated request MAC.
5.2.3. Time Check and Error Handling 5.2.3. Time Check and Error Handling
If the server time is outside the time interval specified by the If the server time is outside the time interval specified by the
request (which is: Time Signed, plus/minus Fudge), the server MUST request (which is: Time Signed, plus/minus Fudge), the server MUST
generate an error response with RCODE 9 (NOTAUTH) and TSIG ERROR 18 generate an error response with RCODE 9 (NOTAUTH) and TSIG ERROR 18
(BADTIME). The server SHOULD also cache the most recent time signed (BADTIME). The server SHOULD also cache the most recent Time Signed
value in a message generated by a key, and SHOULD return BADTIME if a value in a message generated by a key, and SHOULD return BADTIME if a
message received later has an earlier time signed value. A response message received later has an earlier Time Signed value. A response
indicating a BADTIME error MUST be signed by the same key as the indicating a BADTIME error MUST be signed by the same key as the
request. It MUST include the client's current time in the time request. It MUST include the client's current time in the Time
signed field, the server's current time (an unsigned 48-bit integer) Signed field, the server's current time (an unsigned 48-bit integer)
in the other data field, and 6 in the other data length field. This in the Other Data field, and 6 in the Other Len field. This is done
is done so that the client can verify a message with a BADTIME error so that the client can verify a message with a BADTIME error without
without the verification failing due to another BADTIME error. In the verification failing due to another BADTIME error. In addition,
addition, the fudge field MUST be set to the fudge value received the Fudge field MUST be set to the fudge value received from the
from the client. The data signed is specified in Section 5.3.2. The client. The data signed is specified in Section 5.3.2. The server
server SHOULD log the error. SHOULD log the error.
Caching the most recent time signed value and rejecting requests with Caching the most recent Time Signed value and rejecting requests with
an earlier one could lead to valid messages being rejected if transit an earlier one could lead to valid messages being rejected if transit
through the network led to UDP packets arriving in a different order through the network led to UDP packets arriving in a different order
to the one in which they were sent. Implementations should be aware to the one in which they were sent. Implementations should be aware
of this possibility and be prepared to deal with it, e.g. by of this possibility and be prepared to deal with it, e.g. by
retransmitting the rejected request with a new TSIG once outstanding retransmitting the rejected request with a new TSIG once outstanding
requests have completed or the time given by their time signed plus requests have completed or the time given by their Time Signed plus
fudge value has passed. fudge value has passed. If implementations do retry requests in
these cases, a limit SHOULD be placed on the maximum number of
retries.
5.2.4. Truncation Check and Error Handling 5.2.4. Truncation Check and Error Handling
If a TSIG is received with truncation that is permitted under If a TSIG is received with truncation that is permitted under
Section 5.2.2.1 above but the MAC is too short for the local policy Section 5.2.2.1 above but the MAC is too short for the local policy
in force, an RCODE 9 (NOTAUTH) and TSIG ERROR 22 (BADTRUNC) MUST be in force, an RCODE 9 (NOTAUTH) and TSIG ERROR 22 (BADTRUNC) MUST be
returned. The server SHOULD log the error. returned. The server SHOULD log the error.
5.3. Generation of TSIG on Answers 5.3. Generation of TSIG on Answers
skipping to change at page 13, line 39 skipping to change at page 13, line 44
(This calculation is different for the second and subsequent message (This calculation is different for the second and subsequent message
in a multi-message answer, see below.) in a multi-message answer, see below.)
If addition of the TSIG record will cause the message to be If addition of the TSIG record will cause the message to be
truncated, the server MUST alter the response so that a TSIG can be truncated, the server MUST alter the response so that a TSIG can be
included. This response consists of only the question and a TSIG included. This response consists of only the question and a TSIG
record, and has the TC bit set and an RCODE of 0 (NOERROR). The record, and has the TC bit set and an RCODE of 0 (NOERROR). The
client SHOULD at this point retry the request using TCP (as per client SHOULD at this point retry the request using TCP (as per
[RFC1035] 4.2.2). [RFC1035] 4.2.2).
5.3.1. TSIG on Zone Transfer Over a TCP Connection 5.3.1. TSIG on TCP Connections
A zone transfer over a DNS TCP session can include multiple DNS A DNS TCP session such as a zone transfer can include multiple DNS
messages. Using TSIG on such a connection can protect the connection messages. Using TSIG on such a connection can protect the connection
from hijacking and provide data integrity. The TSIG MUST be included from attack and provide data integrity. The TSIG MUST be included on
on all DNS messages in the response. For backward compatibility, a all DNS messages in the response. For backward compatibility, a
client which receives DNS messages and verifies TSIG MUST accept up client which receives DNS messages and verifies TSIG MUST accept up
to 99 intermediary messages without a TSIG. The first message is to 99 intermediary messages without a TSIG and MUST verify that both
processed as a standard answer (see Section 5.3) but subsequent the first and last message contain a TSIG.
messages have the following digest components:
The first message is processed as a standard answer (see Section 5.3)
but subsequent messages have the following digest components:
Prior MAC (running) Prior MAC (running)
DNS Messages (any unsigned messages since the last TSIG) DNS Messages (any unsigned messages since the last TSIG)
TSIG Timers (current message) TSIG Timers (current message)
The "Prior MAC" is the MAC from the TSIG attached to the last message The "Prior MAC" is the MAC from the TSIG attached to the last message
containing a TSIG. "DNS Messages" comprises the concatenation (in containing a TSIG. "DNS Messages" comprises the concatenation (in
message order) of all messages after the last message that included a message order) of all messages after the last message that included a
TSIG and includes the current message. "TSIG timers" comprises the TSIG and includes the current message. "TSIG timers" comprises the
"Time Signed" and "Fudge" fields (in that order) pertaining to the "Time Signed" and "Fudge" fields (in that order) pertaining to the
skipping to change at page 14, line 23 skipping to change at page 14, line 29
Signed" fields. Note that only the timers are included in the second Signed" fields. Note that only the timers are included in the second
and subsequent messages, not all the TSIG variables. and subsequent messages, not all the TSIG variables.
This allows the client to rapidly detect when the session has been This allows the client to rapidly detect when the session has been
altered; at which point it can close the connection and retry. If a altered; at which point it can close the connection and retry. If a
client TSIG verification fails, the client MUST close the connection. client TSIG verification fails, the client MUST close the connection.
If the client does not receive TSIG records frequently enough (as If the client does not receive TSIG records frequently enough (as
specified above) it SHOULD assume the connection has been hijacked specified above) it SHOULD assume the connection has been hijacked
and it SHOULD close the connection. The client SHOULD treat this the and it SHOULD close the connection. The client SHOULD treat this the
same way as they would any other interrupted transfer (although the same way as they would any other interrupted transfer (although the
exact behavior is not specified here). exact behavior is not specified).
5.3.2. Generation of TSIG on Error Returns 5.3.2. Generation of TSIG on Error Returns
When a server detects an error relating to the key or MAC in the When a server detects an error relating to the key or MAC in the
incoming request, the server SHOULD send back an unsigned error incoming request, the server SHOULD send back an unsigned error
message (MAC size == 0 and empty MAC). It MUST NOT send back a message (MAC size == 0 and empty MAC). It MUST NOT send back a
signed error message. signed error message.
If an error is detected relating to the TSIG validity period or the If an error is detected relating to the TSIG validity period or the
MAC is too short for the local policy, the server SHOULD send back a MAC is too short for the local policy, the server SHOULD send back a
signed error message. The digest components are: signed error message. The digest components are:
Request MAC (if the request MAC validated) Request MAC (if the request MAC validated)
DNS Message (response) DNS Message (response)
TSIG Variables (response) TSIG Variables (response)
The reason that the request is not included in this MAC in some cases The reason that the request MAC is not included in this MAC in some
is to make it possible for the client to verify the error. If the cases is to make it possible for the client to verify the error. If
error is not a TSIG error the response MUST be generated as specified the error is not a TSIG error the response MUST be generated as
in Section 5.3. specified in Section 5.3.
5.4. Client Processing of Answer 5.4. Client Processing of Answer
When a client receives a response from a server and expects to see a When a client receives a response from a server and expects to see a
TSIG, it performs the same checks as described in Section 5.2, with TSIG, it first checks if the TSIG RR is present in the response. If
the following modifications: not, the response is treated as having a format error and is
discarded.
o If the TSIG RR does not validate, that response MUST be discarded, If the TSIG RR is present, the client performs the same checks as
unless the RCODE is 9 (NOTAUTH), in which case the client SHOULD described in Section 5.2. If the TSIG RR is unsigned as specified in
proceed as described in the following subsections. Section 5.3.2 or does not validate, the message MUST be discarded
unless the RCODE is 9 (NOAUTH). In this case, the client SHOULD
attempt to verify the response as if it were a TSIG error, as
described in the following subsections.
A message containing an unsigned TSIG record or a TSIG record which Regardless of the RCODE, a message containing a TSIG RR that is
fails verification SHOULD NOT be considered an acceptable response; unsigned as specified in Section 5.3.2 or which fails verification
the client SHOULD log an error and continue to wait for a signed SHOULD NOT be considered an acceptable response as it may have been
response until the request times out. spoofed or manipulated. Instead, the client SHOULD log an error and
continue to wait for a signed response until the request times out.
5.4.1. Key Error Handling 5.4.1. Key Error Handling
If an RCODE on a response is 9 (NOTAUTH), but the response TSIG If an RCODE on a response is 9 (NOTAUTH), but the response TSIG
validates and the TSIG key recognised by the client but different validates and the TSIG key is recognized by the client but different
from that used on the request, then this is a Key Error. The client from that used on the request, then this is a Key Error. The client
MAY retry the request using the key specified by the server. MAY retry the request using the key specified by the server.
However, this should never occur, as a server MUST NOT sign a However, this should never occur, as a server MUST NOT sign a
response with a different key to that used to sign the request. response with a different key to that used to sign the request.
5.4.2. MAC Error Handling 5.4.2. MAC Error Handling
If the response RCODE is 9 (NOTAUTH) and TSIG ERROR is 16 (BADSIG), If the response RCODE is 9 (NOTAUTH) and TSIG ERROR is 16 (BADSIG),
this is a MAC error, and client MAY retry the request with a new this is a MAC error, and client MAY retry the request with a new
request ID but it would be better to try a different shared key if request ID but it would be better to try a different shared key if
skipping to change at page 15, line 39 skipping to change at page 15, line 50
are associated with each key. Clients SHOULD log this event. are associated with each key. Clients SHOULD log this event.
5.4.3. Time Error Handling 5.4.3. Time Error Handling
If the response RCODE is 9 (NOTAUTH) and the TSIG ERROR is 18 If the response RCODE is 9 (NOTAUTH) and the TSIG ERROR is 18
(BADTIME), or the current time does not fall in the range specified (BADTIME), or the current time does not fall in the range specified
in the TSIG record, then this is a Time error. This is an indication in the TSIG record, then this is a Time error. This is an indication
that the client and server clocks are not synchronized. In this case that the client and server clocks are not synchronized. In this case
the client SHOULD log the event. DNS resolvers MUST NOT adjust any the client SHOULD log the event. DNS resolvers MUST NOT adjust any
clocks in the client based on BADTIME errors, but the server's time clocks in the client based on BADTIME errors, but the server's time
in the other data field SHOULD be logged. in the Other Data field SHOULD be logged.
5.4.4. Truncation Error Handling 5.4.4. Truncation Error Handling
If the response RCODE is 9 (NOTAUTH) and the TSIG ERROR is 22 If the response RCODE is 9 (NOTAUTH) and the TSIG ERROR is 22
(BADTRUNC) then this is a Truncation error. The client MAY retry (BADTRUNC) then this is a Truncation error. The client MAY retry
with a lesser truncation up to the full HMAC output (no truncation), with a lesser truncation up to the full HMAC output (no truncation),
using the truncation used in the response as a hint for what the using the truncation used in the response as a hint for what the
server policy allowed (Section 7). Clients SHOULD log this event. server policy allowed (Section 7). Clients SHOULD log this event.
5.5. Special Considerations for Forwarding Servers 5.5. Special Considerations for Forwarding Servers
skipping to change at page 16, line 25 skipping to change at page 16, line 33
available to the destination and the message is a query then, if the available to the destination and the message is a query then, if the
corresponding response has the AD flag (see [RFC4035]) set, the corresponding response has the AD flag (see [RFC4035]) set, the
forwarder MUST clear the AD flag before adding the TSIG to the forwarder MUST clear the AD flag before adding the TSIG to the
response and returning the result to the system from which it response and returning the result to the system from which it
received the query. received the query.
6. Algorithms and Identifiers 6. Algorithms and Identifiers
The only message digest algorithm specified in the first version of The only message digest algorithm specified in the first version of
these specifications [RFC2845] was "HMAC-MD5" (see [RFC1321], these specifications [RFC2845] was "HMAC-MD5" (see [RFC1321],
[RFC2104]). Although a review of its security [RFC6151] concluded [RFC2104]). Although a review of its security some years ago
that "it may not be urgent to remove HMAC-MD5 from the existing [RFC6151] concluded that "it may not be urgent to remove HMAC-MD5
protocols", with the availability of more secure alternatives the from the existing protocols", with the availability of more secure
opportunity has been taken to make the implementation of this alternatives the opportunity has been taken to make the
algorithm optional. implementation of this algorithm optional.
[RFC4635] added mandatory support in TSIG for SHA-1 [FIPS180-4], [RFC4635] added mandatory support in TSIG for SHA-1 [FIPS180-4],
[RFC3174]. SHA-1 collisions have been demonstrated so the MD5 [RFC3174]. SHA-1 collisions have been demonstrated [SHA1SHAMBLES] so
security considerations apply to SHA-1 in a similar manner. Although the MD5 security considerations described in section 2 of [RFC6151]
support for hmac-sha1 in TSIG is still mandatory for compatibility apply to SHA-1 in a similar manner. Although support for hmac-sha1
reasons, existing uses should be replaced with hmac-sha256 or other in TSIG is still mandatory for compatibility reasons, existing uses
SHA-2 digest algorithms [FIPS180-4], [RFC3874], [RFC6234]. SHOULD be replaced with hmac-sha256 or other SHA-2 digest algorithms
[FIPS180-4], [RFC3874], [RFC6234].
Use of TSIG between two DNS agents is by mutual agreement. That Use of TSIG between two DNS agents is by mutual agreement. That
agreement can include the support of additional algorithms and agreement can include the support of additional algorithms and
criteria as to which algorithms and truncations are acceptable, criteria as to which algorithms and truncations are acceptable,
subject to the restriction and guidelines in Section 5.2.2.1 above. subject to the restriction and guidelines in Section 5.2.2.1 above.
Key agreement can be by the TKEY mechanism [RFC2930] or some other Key agreement can be by the TKEY mechanism [RFC2930] or some other
mutually agreeable method. mutually agreeable method.
Implementations that support TSIG MUST also implement HMAC SHA1 and Implementations that support TSIG MUST also implement HMAC SHA1 and
HMAC SHA256 and MAY implement gss-tsig and the other algorithms HMAC SHA256 and MAY implement gss-tsig and the other algorithms
listed below. SHA-1 truncated to 96 bits (12 octets) SHOULD be listed below. SHA-1 truncated to 96 bits (12 octets) SHOULD be
implemented. implemented.
Requirement Name Name Implementation Use
----------- ------------------------ ------------------------ -------------- ---------------
Optional HMAC-MD5.SIG-ALG.REG.INT HMAC-MD5.SIG-ALG.REG.INT MAY MUST NOT
Optional gss-tsig gss-tsig MAY MAY
Mandatory hmac-sha1 hmac-sha1 MUST NOT RECOMMENDED
Optional hmac-sha224 hmac-sha224 MAY NOT RECOMMENDED
Mandatory hmac-sha256 hmac-sha256 MUST RECOMMENDED
Optional hmac-sha384 hmac-sha256-128 MAY MAY
Optional hmac-sha512 hmac-sha384 MAY MAY
hmac-sha384-192 MAY MAY
hmac-sha512 MAY MAY
hmac-sha512-256 MAY MAY
Table 1 Table 2
7. TSIG Truncation Policy 7. TSIG Truncation Policy
As noted above, two DNS agents (e.g., resolver and server) must As noted above, two DNS agents (e.g., resolver and server) must
mutually agree to use TSIG. Implicit in such an "agreement" are mutually agree to use TSIG. Implicit in such an "agreement" are
criteria as to acceptable keys and algorithms and, with the criteria as to acceptable keys and algorithms and, with the
extensions in this document, truncations. Local policies MAY require extensions in this document, truncations. Local policies MAY require
the rejection of TSIGs, even though they use an algorithm for which the rejection of TSIGs, even though they use an algorithm for which
implementation is mandatory. implementation is mandatory.
skipping to change at page 18, line 21 skipping to change at page 18, line 31
a zone's authoritative name servers. a zone's authoritative name servers.
Use of strong random shared secrets is essential to the security of Use of strong random shared secrets is essential to the security of
TSIG. See [RFC4086] for a discussion of this issue. The secret TSIG. See [RFC4086] for a discussion of this issue. The secret
SHOULD be at least as long as the keyed hash output [RFC2104]. SHOULD be at least as long as the keyed hash output [RFC2104].
9. IANA Considerations 9. IANA Considerations
IANA maintains a registry of algorithm names to be used as "Algorithm IANA maintains a registry of algorithm names to be used as "Algorithm
Names" as defined in Section 4.2. Algorithm names are text strings Names" as defined in Section 4.2. Algorithm names are text strings
encoded using the syntax of a domain name. There is no structure encoded using the syntax of a domain name. There is no structure to
required other than names for different algorithms must be unique the names, and algorithm names are compared as if they were DNS
when compared as DNS names, i.e., comparison is case insensitive. names, i.e., comparison is case insensitive. Previous specifications
Previous specifications [RFC2845] and [RFC4635] defined values for [RFC2845] and [RFC4635] defined values for the HMAC-MD5 and some
HMAC MD5 and SHA. IANA has also registered "gss-tsig" as an HMAC-SHA algorithms. IANA has also registered "gss-tsig" as an
identifier for TSIG authentication where the cryptographic operations identifier for TSIG authentication where the cryptographic operations
are delegated to the Generic Security Service (GSS) [RFC3645]. are delegated to the Generic Security Service (GSS) [RFC3645]. This
document adds to allowed algorithms, and the registry should be
updated with the names listed in Table 2.
New algorithms are assigned using the IETF Review policy defined in New algorithms are assigned using the IETF Review policy defined in
[RFC8126]. The algorithm name HMAC-MD5.SIG-ALG.REG.INT looks like a [RFC8126]. The algorithm name HMAC-MD5.SIG-ALG.REG.INT looks like a
fully-qualified domain name for historical reasons; other algorithm fully-qualified domain name for historical reasons; other algorithm
names are simple (i.e., single-component) names. names are simple, single-component names.
IANA maintains a registry of RCODES (error codes), including "TSIG IANA maintains a registry of RCODES (error codes), including "TSIG
Error values" to be used for "Error" values as defined in Error values" to be used for "Error" values as defined in
Section 4.2. New error codes are assigned and specified as in Section 4.2. New error codes are assigned and specified as in
[RFC6895]. [RFC6895].
10. Security Considerations 10. Security Considerations
The approach specified here is computationally much less expensive The approach specified here is computationally much less expensive
than the signatures specified in DNSSEC. As long as the shared than the signatures specified in DNSSEC. As long as the shared
skipping to change at page 19, line 7 skipping to change at page 19, line 22
nameservers. nameservers.
Recommendations for choosing and maintaining secret keys can be found Recommendations for choosing and maintaining secret keys can be found
in [RFC2104]. If the client host has been compromised, the server in [RFC2104]. If the client host has been compromised, the server
should suspend the use of all secrets known to that client. If should suspend the use of all secrets known to that client. If
possible, secrets should be stored in encrypted form. Secrets should possible, secrets should be stored in encrypted form. Secrets should
never be transmitted in the clear over any network. This document never be transmitted in the clear over any network. This document
does not address the issue on how to distribute secrets except that does not address the issue on how to distribute secrets except that
it mentions the possibilities of manual configuration and the use of it mentions the possibilities of manual configuration and the use of
TKEY [RFC2930]. Secrets SHOULD NOT be shared by more than two TKEY [RFC2930]. Secrets SHOULD NOT be shared by more than two
entities. entities; any such additional sharing would allow any party knowing
the key to impersonate any other such party to members of the group.
This mechanism does not authenticate source data, only its This mechanism does not authenticate source data, only its
transmission between two parties who share some secret. The original transmission between two parties who share some secret. The original
source data can come from a compromised zone master or can be source data can come from a compromised zone master or can be
corrupted during transit from an authentic zone master to some corrupted during transit from an authentic zone master to some
"caching forwarder." However, if the server is faithfully performing "caching forwarder." However, if the server is faithfully performing
the full DNSSEC security checks, then only security checked data will the full DNSSEC security checks, then only security checked data will
be available to the client. be available to the client.
A fudge value that is too large may leave the server open to replay A fudge value that is too large may leave the server open to replay
attacks. A fudge value that is too small may cause failures if attacks. A fudge value that is too small may cause failures if
machines are not time synchronized or there are unexpected network machines are not time synchronized or there are unexpected network
delays. The RECOMMENDED value in most situations is 300 seconds. delays. The RECOMMENDED value in most situations is 300 seconds.
For all of the message authentication code algorithms listed in this To prevent cross-algorithm attacks, there SHOULD only be one
document, those producing longer values are believed to be stronger; algorithm associated with any given key name.
however, while there have been some arguments that mild truncation
can strengthen a MAC by reducing the information available to an In several cases where errors are detected, an unsigned error message
attacker, excessive truncation clearly weakens authentication by must be returned. This can allow for an attacker to spoof or
reducing the number of bits an attacker has to try to break the manipulate these responses. Section 5.4 recommends logging these as
authentication by brute force [RFC2104]. errors and continuing to wait for a signed response until the request
times out.
Although the strength of an algorithm determines its security, there
have been some arguments that mild truncation can strengthen a MAC by
reducing the information available to an attacker. However,
excessive truncation clearly weakens authentication by reducing the
number of bits an attacker has to try to break the authentication by
brute force [RFC2104].
Significant progress has been made recently in cryptanalysis of hash Significant progress has been made recently in cryptanalysis of hash
functions of the types used here. While the results so far should functions of the types used here. While the results so far should
not affect HMAC, the stronger SHA-1 and SHA-256 algorithms are being not affect HMAC, the stronger SHA-256 algorithm is being made
made mandatory as a precaution. mandatory as a precaution.
See also the Security Considerations section of [RFC2104] from which See also the Security Considerations section of [RFC2104] from which
the limits on truncation in this RFC were taken. the limits on truncation in this RFC were taken.
10.1. Issue Fixed in this Document 10.1. Issue Fixed in this Document
When signing a DNS reply message using TSIG, the MAC computation uses When signing a DNS reply message using TSIG, the MAC computation uses
the request message's MAC as an input to cryptographically relate the the request message's MAC as an input to cryptographically relate the
reply to the request. The original TSIG specification [RFC2845] reply to the request. The original TSIG specification [RFC2845]
required that the TIME values be checked before the request's MAC. required that the TIME values be checked before the request's MAC.
If the TIME was invalid, some implementations failed to carry out If the TIME was invalid, some implementations failed to carry out
further checks and could use an invalid request MAC in the signed further checks and could use an invalid request MAC in the signed
reply. reply.
This document makes it a madatory that the request MAC is considered This document makes it a mandatory that the request MAC is considered
to be invalid until it has been validated: until then, any answer to be invalid until it has been validated: until then, any answer
must be unsigned. For this reason, the request MAC is now checked must be unsigned. For this reason, the request MAC is now checked
before the TIME value. before the TIME value.
10.2. Why not DNSSEC? 10.2. Why not DNSSEC?
This section from the original document [RFC2845] analyzes DNSSEC in These extracts from the original document [RFC2845] (updated to
order to justify the introduction of TSIG. reference current standards) analyze DNSSEC in order to justify the
introduction of TSIG.
"DNS has recently been extended by DNSSEC ([RFC4033], [RFC4034] and DNS has recently been extended by DNSSEC ([RFC4033], [RFC4034] and
[RFC4035]) to provide for data origin authentication, and public key [RFC4035]) to provide for data origin authentication, and public
distribution, all based on public key cryptography and public key key distribution, all based on public key cryptography and public
based digital signatures. To be practical, this form of security key based digital signatures. To be practical, this form of
generally requires extensive local caching of keys and tracing of security generally requires extensive local caching of keys and
authentication through multiple keys and signatures to a pre-trusted tracing of authentication through multiple keys and signatures to
locally configured key. a pre-trusted locally configured key.
One difficulty with the DNSSEC scheme is that common DNS One difficulty with the DNSSEC scheme is that common DNS
implementations include simple "stub" resolvers which do not have implementations include simple "stub" resolvers which do not have
caches. Such resolvers typically rely on a caching DNS server on caches. Such resolvers typically rely on a caching DNS server on
another host. It is impractical for these stub resolvers to perform another host. It is impractical for these stub resolvers to
general DNSSEC authentication and they would naturally depend on perform general DNSSEC authentication and they would naturally
their caching DNS server to perform such services for them. To do so depend on their caching DNS server to perform such services for
securely requires secure communication of queries and responses. them. To do so securely requires secure communication of queries
DNSSEC provides public key transaction signatures to support this, and responses. DNSSEC provides public key transaction signatures
but such signatures are very expensive computationally to generate. to support this, but such signatures are very expensive
In general, these require the same complex public key logic that is computationally to generate. In general, these require the same
impractical for stubs. complex public key logic that is impractical for stubs.
A second area where use of straight DNSSEC public key based and
mechanisms may be impractical is authenticating dynamic update
[RFC2136] requests. DNSSEC provides for request signatures but with A second area where use of straight DNSSEC public key based
DNSSEC they, like transaction signatures, require computationally mechanisms may be impractical is authenticating dynamic update
expensive public key cryptography and complex authentication logic. [RFC2136] requests. DNSSEC provides for request signatures but
Secure Domain Name System Dynamic Update ([RFC3007]) describes how with DNSSEC they, like transaction signatures, require
different keys are used in dynamically updated zones." computationally expensive public key cryptography and complex
authentication logic. Secure Domain Name System Dynamic Update
([RFC3007]) describes how different keys are used in dynamically
updated zones.
11. References 11. References
11.1. Normative References 11.1. Normative References
[FIPS180-4] [FIPS180-4]
National Institute of Standards and Technology, "Secure National Institute of Standards and Technology, "Secure
Hash Standard (SHS)", FIPS PUB 180-4, August 2015. Hash Standard (SHS)", FIPS PUB 180-4, August 2015.
[RFC1034] Mockapetris, P., "Domain names - concepts and facilities", [RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
skipping to change at page 21, line 30 skipping to change at page 22, line 11
Code, Secure Hash Algorithm) TSIG Algorithm Identifiers", Code, Secure Hash Algorithm) TSIG Algorithm Identifiers",
RFC 4635, DOI 10.17487/RFC4635, August 2006, RFC 4635, DOI 10.17487/RFC4635, August 2006,
<https://www.rfc-editor.org/info/rfc4635>. <https://www.rfc-editor.org/info/rfc4635>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>. May 2017, <https://www.rfc-editor.org/info/rfc8174>.
11.2. Informative References 11.2. Informative References
[BCP201] Housley, R., "Guidelines for Cryptographic Algorithm
Agility and Selecting Mandatory-to-Implement Algorithms",
BCP 201, RFC 7696, DOI 10.17487/RFC7696, November 2015,
<https://www.rfc-editor.org/info/bcp201>.
[CVE-2017-11104]
Common Vulnerabilities and Exposures, "CVE-2017-11104:
Improper TSIG validity period check can allow TSIG
forgery", June 2017, <https://cve.mitre.org/cgi-bin/
cvename.cgi?name=CVE-2017-11104>.
[CVE-2017-3142]
Common Vulnerabilities and Exposures, "CVE-2017-3142: An
error in TSIG authentication can permit unauthorized zone
transfers", June 2017, <https://cve.mitre.org/cgi-bin/
cvename.cgi?name=CVE-2017-3142>.
[CVE-2017-3143]
Common Vulnerabilities and Exposures, "CVE-2017-3143: An
error in TSIG authentication can permit unauthorized
dynamic updates", June 2017, <https://cve.mitre.org/cgi-
bin/cvename.cgi?name=CVE-2017-3143>.
[RFC1321] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321, [RFC1321] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321,
DOI 10.17487/RFC1321, April 1992, DOI 10.17487/RFC1321, April 1992,
<https://www.rfc-editor.org/info/rfc1321>. <https://www.rfc-editor.org/info/rfc1321>.
[RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed- [RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-
Hashing for Message Authentication", RFC 2104, Hashing for Message Authentication", RFC 2104,
DOI 10.17487/RFC2104, February 1997, DOI 10.17487/RFC2104, February 1997,
<https://www.rfc-editor.org/info/rfc2104>. <https://www.rfc-editor.org/info/rfc2104>.
[RFC2136] Vixie, P., Ed., Thomson, S., Rekhter, Y., and J. Bound, [RFC2136] Vixie, P., Ed., Thomson, S., Rekhter, Y., and J. Bound,
skipping to change at page 22, line 39 skipping to change at page 23, line 43
[RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S. [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "Protocol Modifications for the DNS Security Rose, "Protocol Modifications for the DNS Security
Extensions", RFC 4035, DOI 10.17487/RFC4035, March 2005, Extensions", RFC 4035, DOI 10.17487/RFC4035, March 2005,
<https://www.rfc-editor.org/info/rfc4035>. <https://www.rfc-editor.org/info/rfc4035>.
[RFC4086] Eastlake 3rd, D., Schiller, J., and S. Crocker, [RFC4086] Eastlake 3rd, D., Schiller, J., and S. Crocker,
"Randomness Requirements for Security", BCP 106, RFC 4086, "Randomness Requirements for Security", BCP 106, RFC 4086,
DOI 10.17487/RFC4086, June 2005, DOI 10.17487/RFC4086, June 2005,
<https://www.rfc-editor.org/info/rfc4086>. <https://www.rfc-editor.org/info/rfc4086>.
[RFC4868] Kelly, S. and S. Frankel, "Using HMAC-SHA-256, HMAC-SHA-
384, and HMAC-SHA-512 with IPsec", RFC 4868,
DOI 10.17487/RFC4868, May 2007,
<https://www.rfc-editor.org/info/rfc4868>.
[RFC6151] Turner, S. and L. Chen, "Updated Security Considerations [RFC6151] Turner, S. and L. Chen, "Updated Security Considerations
for the MD5 Message-Digest and the HMAC-MD5 Algorithms", for the MD5 Message-Digest and the HMAC-MD5 Algorithms",
RFC 6151, DOI 10.17487/RFC6151, March 2011, RFC 6151, DOI 10.17487/RFC6151, March 2011,
<https://www.rfc-editor.org/info/rfc6151>. <https://www.rfc-editor.org/info/rfc6151>.
[RFC6234] Eastlake 3rd, D. and T. Hansen, "US Secure Hash Algorithms [RFC6234] Eastlake 3rd, D. and T. Hansen, "US Secure Hash Algorithms
(SHA and SHA-based HMAC and HKDF)", RFC 6234, (SHA and SHA-based HMAC and HKDF)", RFC 6234,
DOI 10.17487/RFC6234, May 2011, DOI 10.17487/RFC6234, May 2011,
<https://www.rfc-editor.org/info/rfc6234>. <https://www.rfc-editor.org/info/rfc6234>.
[RFC6895] Eastlake 3rd, D., "Domain Name System (DNS) IANA [RFC6895] Eastlake 3rd, D., "Domain Name System (DNS) IANA
Considerations", BCP 42, RFC 6895, DOI 10.17487/RFC6895, Considerations", BCP 42, RFC 6895, DOI 10.17487/RFC6895,
April 2013, <https://www.rfc-editor.org/info/rfc6895>. April 2013, <https://www.rfc-editor.org/info/rfc6895>.
[RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for
Writing an IANA Considerations Section in RFCs", BCP 26, Writing an IANA Considerations Section in RFCs", BCP 26,
RFC 8126, DOI 10.17487/RFC8126, June 2017, RFC 8126, DOI 10.17487/RFC8126, June 2017,
<https://www.rfc-editor.org/info/rfc8126>. <https://www.rfc-editor.org/info/rfc8126>.
[SHA1SHAMBLES]
Leurent, G. and T. Peyrin, "SHA-1 is a Shambles", January
2020, <https://eprint.iacr.org/2020/014.pdf>.
Appendix A. Acknowledgments Appendix A. Acknowledgments
This document consolidates and updates the earlier documents by the This document consolidates and updates the earlier documents by the
authors of [RFC2845] (Paul Vixie, Olafur Gudmundsson, Donald E. authors of [RFC2845] (Paul Vixie, Olafur Gudmundsson, Donald E.
Eastlake 3rd and Brian Wellington) and [RFC4635] (Donald E. Eastlake Eastlake 3rd and Brian Wellington) and [RFC4635] (Donald E. Eastlake
3rd). 3rd).
The security problem addressed by this document was reported by The security problem addressed by this document was reported by
Clement Berthaux from Synacktiv. Clement Berthaux from Synacktiv.
skipping to change at page 25, line 41 skipping to change at page 27, line 5
Added a recommendation to copy time fields in BADKEY errors. Added a recommendation to copy time fields in BADKEY errors.
(Mark Andrews) (Mark Andrews)
draft-ietf-dnsop-rfc2845bis-03 draft-ietf-dnsop-rfc2845bis-03
Further changes as a result of comments by Mukund Sivaraman. Further changes as a result of comments by Mukund Sivaraman.
Miscellaneous changes to wording. Miscellaneous changes to wording.
draft-ietf-dnsop-rfc2845bis-04 Major restructuring as a result of comprehensive review by Martin
Major restructing as a result of comprehensive review by Martin
Hoffman. Amongst the more significant changes: Hoffman. Amongst the more significant changes:
* More comprehensive introduction. * More comprehensive introduction.
* Merged "Protocol Description" and "Protocol Details" sections. * Merged "Protocol Description" and "Protocol Details" sections.
* Reordered sections so as to follow message exchange through * Reordered sections so as to follow message exchange through
"client "sending", "server receipt", "server sending", "client "client "sending", "server receipt", "server sending", "client
receipt". receipt".
skipping to change at page 26, line 28 skipping to change at page 27, line 39
Wording changes and minor corrections after feedback. Wording changes and minor corrections after feedback.
draft-ietf-dnsop-rfc2845bis-07 draft-ietf-dnsop-rfc2845bis-07
Updated text about use of hmac-sha1 using suggestion from Tony Updated text about use of hmac-sha1 using suggestion from Tony
Finch. Finch.
Corrected name of review policy used for new algorithms. Corrected name of review policy used for new algorithms.
draft-ietf-dnsop-rfc2845bis-08
Addressed comments from IESG review. These can be found at
https://datatracker.ietf.org/doc/draft-ietf-dnsop-rfc2845bis/
ballot. Significant changes are:
* Added references to CVEs that initiated this draft.
* Added reference to paper describing SHA1 collisions.
* Modified some paragraphs to remove language that has not "aged
well".
* Mentioned that multiple keys allows for periodic key rotation.
* Noted that TSIG detects interruption of packet sequence but not
premature termination.
* Added new algorithms to the algorithm list.
* Marked hmac-sha224 as NOT RECOMMENDED.
* Added recommendation that there should only be one algorithm
for each key.
* Added some paragraphs to the security recommendations section.
Other changes:
* Explicitly define contents Error field in requests. State that
"Other Data" currently has no meaning in requests.
* Reworked the section on client processing of response to remove
ambiguity.
* Section on TSIG over TCP now mentions zone transfer as an
example, rather than the entire section being about zone
transfers.
* Note that quote from RFC2845 in "What is DNSSEC?" section has
been edited to refer to the latest standards.
Authors' Addresses Authors' Addresses
Francis Dupont Francis Dupont
Internet Software Consortium Internet Systems Consortium, Inc.
950 Charter Street PO Box 360
Redwood City, CA 94063 Newmarket, NH 03857
United States of America United States of America
Email: Francis.Dupont@fdupont.fr Email: Francis.Dupont@fdupont.fr
Stephen Morris Stephen Morris
Internet Software Consortium Internet Systems Consortium, Inc.
950 Charter Street PO Box 360
Redwood City, CA 94063 Newmarket, NH 03857
United States of America United States of America
Email: sa.morris8@gmail.com Email: sa.morris8@gmail.com
Paul Vixie Paul Vixie
Farsight Security Inc Farsight Security Inc
177 Bovet Road, Suite 180 177 Bovet Road, Suite 180
San Mateo, CA 94402 San Mateo, CA 94402
United States of America United States of America
Email: paul@redbarn.org Email: paul@redbarn.org
 End of changes. 73 change blocks. 
180 lines changed or deleted 288 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/