diff options
Diffstat (limited to 'doc/rfc/rfc3658.txt')
-rw-r--r-- | doc/rfc/rfc3658.txt | 1067 |
1 files changed, 1067 insertions, 0 deletions
diff --git a/doc/rfc/rfc3658.txt b/doc/rfc/rfc3658.txt new file mode 100644 index 0000000..88cfb5a --- /dev/null +++ b/doc/rfc/rfc3658.txt @@ -0,0 +1,1067 @@ + + + + + + +Network Working Group O. Gudmundsson +Request for Comments: 3658 December 2003 +Updates: 3090, 3008, 2535, 1035 +Category: Standards Track + + + Delegation Signer (DS) Resource Record (RR) + +Status of this Memo + + This document specifies an Internet standards track protocol for the + Internet community, and requests discussion and suggestions for + improvements. Please refer to the current edition of the "Internet + Official Protocol Standards" (STD 1) for the standardization state + and status of this protocol. Distribution of this memo is unlimited. + +Copyright Notice + + Copyright (C) The Internet Society (2003). All Rights Reserved. + +Abstract + + The delegation signer (DS) resource record (RR) is inserted at a zone + cut (i.e., a delegation point) to indicate that the delegated zone is + digitally signed and that the delegated zone recognizes the indicated + key as a valid zone key for the delegated zone. The DS RR is a + modification to the DNS Security Extensions definition, motivated by + operational considerations. The intent is to use this resource + record as an explicit statement about the delegation, rather than + relying on inference. + + This document defines the DS RR, gives examples of how it is used and + describes the implications on resolvers. This change is not + backwards compatible with RFC 2535. This document updates RFC 1035, + RFC 2535, RFC 3008 and RFC 3090. + + + + + + + + + + + + + + + + +Gudmundsson Standards Track [Page 1] + +RFC 3658 Delegation Signer (DS) Resource Record (RR) December 2003 + + +Table of Contents + + 1. Introduction. . . . . . . . . . . . . . . . . . . . . . . . . 3 + 1.2. Reserved Words. . . . . . . . . . . . . . . . . . . . . 4 + 2. Specification of the Delegation key Signer. . . . . . . . . . 4 + 2.1. Delegation Signer Record Model. . . . . . . . . . . . . 4 + 2.2. Protocol Change . . . . . . . . . . . . . . . . . . . . 5 + 2.2.1. RFC 2535 2.3.4 and 3.4: Special Considerations + at Delegation Points . . . . . . . . . . . . . 6 + 2.2.1.1. Special processing for DS queries. . . 6 + 2.2.1.2. Special processing when child and an + ancestor share nameserver. . . . . . . 7 + 2.2.1.3. Modification on use of KEY RR in the + construction of Responses. . . . . . . 8 + 2.2.2. Signer's Name (replaces RFC3008 section 2.7). . 9 + 2.2.3. Changes to RFC 3090 . . . . . . . . . . . . . . 9 + 2.2.3.1. RFC 3090: Updates to section 1: + Introduction . . . . . . . . . . . . . 9 + 2.2.3.2. RFC 3090 section 2.1: Globally + Secured. . . . . . . . . . . . . . . . 10 + 2.2.3.3. RFC 3090 section 3: Experimental + Status . . . . . . . . . . . . . . . . 10 + 2.2.4. NULL KEY elimination. . . . . . . . . . . . . . 10 + 2.3. Comments on Protocol Changes. . . . . . . . . . . . . . 10 + 2.4. Wire Format of the DS record. . . . . . . . . . . . . . 11 + 2.4.1. Justifications for Fields . . . . . . . . . . . 12 + 2.5. Presentation Format of the DS Record. . . . . . . . . . 12 + 2.6. Transition Issues for Installed Base. . . . . . . . . . 12 + 2.6.1. Backwards compatibility with RFC 2535 and + RFC 1035. . . . . . . . . . . . . . . . . . . . 12 + 2.7. KEY and corresponding DS record example . . . . . . . . 13 + 3. Resolver. . . . . . . . . . . . . . . . . . . . . . . . . . . 14 + 3.1. DS Example" . . . . . . . . . . . . . . . . . . . . . . 14 + 3.2. Resolver Cost Estimates for DS Records" . . . . . . . . 15 + 4. Security Considerations . . . . . . . . . . . . . . . . . . . 15 + 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16 + 6. Intellectual Property Statement . . . . . . . . . . . . . . . 16 + 7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 17 + 8. References. . . . . . . . . . . . . . . . . . . . . . . . . . 17 + 8.1. Normative References. . . . . . . . . . . . . . . . . . 17 + 8.2. Informational References. . . . . . . . . . . . . . . . 17 + 9. Author's Address. . . . . . . . . . . . . . . . . . . . . . . 18 + 10. Full Copyright Statement. . . . . . . . . . . . . . . . . . . 19 + + + + + + + + +Gudmundsson Standards Track [Page 2] + +RFC 3658 Delegation Signer (DS) Resource Record (RR) December 2003 + + +1. Introduction + + Familiarity with the DNS system [RFC1035], DNS security extensions + [RFC2535], and DNSSEC terminology [RFC3090] is important. + + Experience shows that when the same data can reside in two + administratively different DNS zones, the data frequently gets out of + sync. The presence of an NS RRset in a zone anywhere other than at + the apex indicates a zone cut or delegation. The RDATA of the NS + RRset specifies the authoritative nameservers for the delegated or + "child" zone. Based on actual measurements, 10-30% of all + delegations on the Internet have differing NS RRsets at parent and + child. There are a number of reasons for this, including a lack of + communication between parent and child and bogus name servers being + listed to meet registry requirements. + + DNSSEC [RFC2535, RFC3008, RFC3090] specifies that a child zone needs + to have its KEY RRset signed by its parent to create a verifiable + chain of KEYs. There has been some debate on where the signed KEY + RRset should reside, whether at the child [RFC2535] or at the parent. + If the KEY RRset resides at the child, maintaining the signed KEY + RRset in the child requires frequent two-way communication between + the two parties. First, the child transmits the KEY RRset to the + parent and then the parent sends the signature(s) to the child. + Storing the KEY RRset at the parent was thought to simplify the + communication. + + DNSSEC [RFC2535] requires that the parent store a NULL KEY record for + an unsecure child zone to indicate that the child is unsecure. A + NULL KEY record is a waste: an entire signed RRset is used to + communicate effectively one bit of information - that the child is + unsecure. Chasing down NULL KEY RRsets complicates the resolution + process in many cases, because nameservers for both parent and child + need to be queried for the KEY RRset if the child nameserver does not + return it. Storing the KEY RRset only in the parent zone simplifies + this and would allow the elimination of the NULL KEY RRsets entirely. + For large delegation zones, the cost of NULL keys is a significant + barrier to deployment. + + Prior to the restrictions imposed by RFC 3445 [RFC3445], another + implication of the DNSSEC key model is that the KEY record could be + used to store public keys for other protocols in addition to DNSSEC + keys. There are a number of potential problems with this, including: + + 1. The KEY RRset can become quite large if many applications and + protocols store their keys at the zone apex. Possible protocols + are IPSEC, HTTP, SMTP, SSH and others that use public key + cryptography. + + + +Gudmundsson Standards Track [Page 3] + +RFC 3658 Delegation Signer (DS) Resource Record (RR) December 2003 + + + 2. The KEY RRset may require frequent updates. + + 3. The probability of compromised or lost keys, which trigger + emergency key roll-over procedures, increases. + + 4. The parent may refuse to sign KEY RRsets with non-DNSSEC zone + keys. + + 5. The parent may not meet the child's expectations of turnaround + time for resigning the KEY RRset. + + Given these reasons, SIG@parent isn't any better than SIG/KEY@Child. + +1.2. Reserved Words + + The key words "MAY", "MAY NOT", "MUST", "MUST NOT", "REQUIRED", + "RECOMMENDED", "SHOULD", and "SHOULD NOT" in this document are to be + interpreted as described in BCP 14, RFC 2119 [RFC2119]. + +2. Specification of the Delegation key Signer + + This section defines the Delegation Signer (DS) RR type (type code + 43) and the changes to DNS to accommodate it. + +2.1. Delegation Signer Record Model + + This document presents a replacement for the DNSSEC KEY record chain + of trust [RFC2535] that uses a new RR that resides only at the + parent. This record identifies the key(s) that the child uses to + self-sign its own KEY RRset. + + Even though DS identifies two roles for KEYs, Key Signing Key (KSK) + and Zone Signing Key (ZSK), there is no requirement that zone uses + two different keys for these roles. It is expected that many small + zones will only use one key, while larger zones will be more likely + to use multiple keys. + + The chain of trust is now established by verifying the parent KEY + RRset, the DS RRset from the parent and the KEY RRset at the child. + This is cryptographically equivalent to using just KEY records. + + Communication between the parent and child is greatly reduced, since + the child only needs to notify the parent about changes in keys that + sign its apex KEY RRset. The parent is ignorant of all other keys in + the child's apex KEY RRset. Furthermore, the child maintains full + control over the apex KEY RRset and its content. The child can + maintain any policies regarding its KEY usage for DNSSEC with minimal + impact on the parent. Thus, if the child wants to have frequent key + + + +Gudmundsson Standards Track [Page 4] + +RFC 3658 Delegation Signer (DS) Resource Record (RR) December 2003 + + + roll-over for its DNS zone keys, the parent does not need to be aware + of it. The child can use one key to sign only its apex KEY RRset and + a different key to sign the other RRsets in the zone. + + This model fits well with a slow roll out of DNSSEC and the islands + of security model. In this model, someone who trusts "good.example." + can preconfigure a key from "good.example." as a trusted key, and + from then on trusts any data signed by that key or that has a chain + of trust to that key. If "example." starts advertising DS records, + "good.example." does not have to change operations by suspending + self-signing. DS records can be used in configuration files to + identify trusted keys instead of KEY records. Another significant + advantage is that the amount of information stored in large + delegation zones is reduced: rather than the NULL KEY record at every + unsecure delegation demanded by RFC 2535, only secure delegations + require additional information in the form of a signed DS RRset. + + The main disadvantage of this approach is that verifying a zone's KEY + RRset requires two signature verification operations instead of the + one in RFC 2535 chain of trust. There is no impact on the number of + signatures verified for other types of RRsets. + +2.2. Protocol Change + + All DNS servers and resolvers that support DS MUST support the OK bit + [RFC3225] and a larger message size [RFC3226]. In order for a + delegation to be considered secure the delegation MUST contain a DS + RRset. If a query contains the OK bit, a nameserver returning a + referral for the delegation MUST include the following RRsets in the + authority section in this order: + + If DS RRset is present: + parent's copy of child's NS RRset + DS and SIG(DS) + + If no DS RRset is present: + parent's copy of child's NS RRset + parent's zone NXT and SIG(NXT) + + This increases the size of referral messages, possibly causing some + or all glue to be omitted. If the DS or NXT RRsets with signatures + do not fit in the DNS message, the TC bit MUST be set. Additional + section processing is not changed. + + A DS RRset accompanying a NS RRset indicates that the child zone is + secure. If a NS RRset exists without a DS RRset, the child zone is + unsecure (from the parents point of view). DS RRsets MUST NOT appear + at non-delegation points or at a zone's apex. + + + +Gudmundsson Standards Track [Page 5] + +RFC 3658 Delegation Signer (DS) Resource Record (RR) December 2003 + + + Section 2.2.1 defines special considerations related to authoritative + nameservers responding to DS queries and replaces RFC 2535 sections + 2.3.4 and 3.4. Section 2.2.2 replaces RFC 3008 section 2.7, and + section 2.2.3 updates RFC 3090. + +2.2.1. RFC 2535 2.3.4 and 3.4: Special Considerations at Delegation + Points + + DNS security views each zone as a unit of data completely under the + control of the zone owner with each entry (RRset) signed by a special + private key held by the zone manager. But the DNS protocol views the + leaf nodes in a zone that are also the apex nodes of a child zone + (i.e., delegation points) as "really" belonging to the child zone. + The corresponding domain names appear in two master files and might + have RRsets signed by both the parent and child zones' keys. A + retrieval could get a mixture of these RRsets and SIGs, especially + since one nameserver could be serving both the zone above and below a + delegation point [RFC2181]. + + Each DS RRset stored in the parent zone MUST be signed by at least + one of the parent zone's private keys. The parent zone MUST NOT + contain a KEY RRset at any delegation point. Delegations in the + parent MAY contain only the following RR types: NS, DS, NXT and SIG. + The NS RRset MUST NOT be signed. The NXT RRset is the exceptional + case: it will always appear differently and authoritatively in both + the parent and child zones, if both are secure. + + A secure zone MUST contain a self-signed KEY RRset at its apex. Upon + verifying the DS RRset from the parent, a resolver MAY trust any KEY + identified in the DS RRset as a valid signer of the child's apex KEY + RRset. Resolvers configured to trust one of the keys signing the KEY + RRset MAY now treat any data signed by the zone keys in the KEY RRset + as secure. In all other cases, resolvers MUST consider the zone + unsecure. + + An authoritative nameserver queried for type DS MUST return the DS + RRset in the answer section. + +2.2.1.1. Special processing for DS queries + + When a nameserver is authoritative for the parent zone at a + delegation point and receives a query for the DS record at that name, + it MUST answer based on data in the parent zone, return DS or + negative answer. This is true whether or not it is also + authoritative for the child zone. + + + + + + +Gudmundsson Standards Track [Page 6] + +RFC 3658 Delegation Signer (DS) Resource Record (RR) December 2003 + + + When the nameserver is authoritative for the child zone at a + delegation point but not the parent zone, there is no natural + response, since the child zone is not authoritative for the DS record + at the zone's apex. As these queries are only expected to originate + from recursive nameservers which are not DS-aware, the authoritative + nameserver MUST answer with: + + RCODE: NOERROR + AA bit: set + Answer Section: Empty + Authority Section: SOA [+ SIG(SOA) + NXT + SIG(NXT)] + + That is, it answers as if it is authoritative and the DS record does + not exist. DS-aware recursive nameservers will query the parent zone + at delegation points, so will not be affected by this. + + A nameserver authoritative for only the child zone, that is also a + caching server MAY (if the RD bit is set in the query) perform + recursion to find the DS record at the delegation point, or MAY + return the DS record from its cache. In this case, the AA bit MUST + NOT be set in the response. + +2.2.1.2. Special processing when child and an ancestor share + nameserver + + Special rules are needed to permit DS RR aware nameservers to + gracefully interact with older caches which otherwise might falsely + label a nameserver as lame because of the placement of the DS RR set. + + Such a situation might arise when a nameserver is authoritative for + both a zone and it's grandparent, but not the parent. This sounds + like an obscure example, but it is very real. The root zone is + currently served on 13 machines, and "root-servers.net." is served on + 4 of the 13, but "net." is severed on different nameservers. + + When a nameserver receives a query for (<QNAME>, DS, <QCLASS>), the + response MUST be determined from reading these rules in order: + + 1) If the nameserver is authoritative for the zone that holds the DS + RR set (i.e., the zone that delegates <QNAME>, a.k.a. the "parent" + zone), the response contains the DS RR set as an authoritative + answer. + + 2) If the nameserver is offering recursive service and the RD bit is + set in the query, the nameserver performs the query itself + (according to the rules for resolvers described below) and returns + its findings. + + + + +Gudmundsson Standards Track [Page 7] + +RFC 3658 Delegation Signer (DS) Resource Record (RR) December 2003 + + + 3) If the nameserver is authoritative for the zone that holds the + <QNAME>'s SOA RR set, the response is an authoritative negative + answer as described in 2.2.1.1. + + 4) If the nameserver is authoritative for a zone or zones above the + QNAME, a referral to the most enclosing (deepest match) zone's + servers is made. + + 5) If the nameserver is not authoritative for any part of the QNAME, + a response indicating a lame nameserver for QNAME is given. + + Using these rules will require some special processing on the part of + a DS RR aware resolver. To illustrate this, an example is used. + + Assuming a nameserver is authoritative for roots.example.net. and for + the root zone but not the intervening two zones (or the intervening + two label deep zone). Assume that QNAME=roots.example.net., + QTYPE=DS, and QCLASS=IN. + + The resolver will issue this request (assuming no cached data) + expecting a referral to a nameserver for .net. Instead, rule number + 3 above applies and a negative answer is returned by the nameserver. + The reaction by the resolver is not to accept this answer as final, + as it can determine from the SOA RR in the negative answer the + context within which the nameserver has answered. + + A solution would be to instruct the resolver to hunt for the + authoritative zone of the data in a brute force manner. + + This can be accomplished by taking the owner name of the returned SOA + RR and striping off enough left-hand labels until a successful NS + response is obtained. A successful response here means that the + answer has NS records in it. (Entertaining the possibility that a + cut point can be two labels down in a zone.) + + Returning to the example, the response will include a negative answer + with either the SOA RR for "roots.example.net." or "example.net." + depending on whether roots.example.net is a delegated domain. In + either case, removing the left most label of the SOA owner name will + lead to the location of the desired data. + +2.2.1.3. Modification on use of KEY RR in the construction of Responses + + This section updates RFC 2535 section 3.5 by replacing it with the + following: + + + + + + +Gudmundsson Standards Track [Page 8] + +RFC 3658 Delegation Signer (DS) Resource Record (RR) December 2003 + + + A query for KEY RR MUST NOT trigger any additional section + processing. Security aware resolvers will include corresponding SIG + records in the answer section. + + KEY records SHOULD NOT be added to the additional records section in + response to any query. + + RFC 2535 specified that KEY records be added to the additional + section when SOA or NS records were included in an answer. This was + done to reduce round trips (in the case of SOA) and to force out NULL + KEYs (in the NS case). As this document obsoletes NULL keys, there + is no need for the inclusion of KEYs with NSs. Furthermore, as SOAs + are included in the authority section of negative answers, including + the KEYs each time will cause redundant transfers of KEYs. + + RFC 2535 section 3.5 also included a rule for adding the KEY RRset to + the response for a query for A and AAAA types. As Restrict KEY + [RFC3445] eliminated use of KEY RR by all applications, this rule is + no longer needed. + +2.2.2. Signer's Name (replaces RFC 3008 section 2.7) + + The signer's name field of a SIG RR MUST contain the name of the zone + to which the data and signature belong. The combination of signer's + name, key tag, and algorithm MUST identify a zone key if the SIG is + to be considered material. This document defines a standard policy + for DNSSEC validation; local policy MAY override the standard policy. + + There are no restrictions on the signer field of a SIG(0) record. The + combination of signer's name, key tag, and algorithm MUST identify a + key if this SIG(0) is to be processed. + +2.2.3. Changes to RFC 3090 + + A number of sections in RFC 3090 need to be updated to reflect the DS + record. + +2.2.3.1. RFC 3090: Updates to section 1: Introduction + + Most of the text is still relevant but the words "NULL key" are to be + replaced with "missing DS RRset". In section 1.3, the last three + paragraphs discuss the confusion in sections of RFC 2535 that are + replaced in section 2.2.1 above. Therefore, these paragraphs are now + obsolete. + + + + + + + +Gudmundsson Standards Track [Page 9] + +RFC 3658 Delegation Signer (DS) Resource Record (RR) December 2003 + + +2.2.3.2. RFC 3090 section 2.1: Globally Secured + + Rule 2.1.b is replaced by the following rule: + + 2.1.b. The KEY RRset at a zone's apex MUST be self-signed by a + private key whose public counterpart MUST appear in a zone signing + KEY RR (2.a) owned by the zone's apex and specifying a mandatory-to- + implement algorithm. This KEY RR MUST be identified by a DS RR in a + signed DS RRset in the parent zone. + + If a zone cannot get its parent to advertise a DS record for it, the + child zone cannot be considered globally secured. The only exception + to this is the root zone, for which there is no parent zone. + +2.2.3.3. RFC 3090 section 3: Experimental Status. + + The only difference between experimental status and globally secured + is the missing DS RRset in the parent zone. All locally secured + zones are experimental. + +2.2.4. NULL KEY elimination + + RFC 3445 section 3 eliminates the top two bits in the flags field of + KEY RR. These two bits were used to indicate NULL KEY or NO KEY. RFC + 3090 defines that zone as either secure or not and these rules + eliminate the need to put NULL keys in the zone apex to indicate that + the zone is not secured for a algorithm. Along with this document, + these other two eliminate all uses for the NULL KEY. This document + obsoletes NULL KEY. + +2.3. Comments on Protocol Changes + + Over the years, there have been various discussions surrounding the + DNS delegation model, declaring it to be broken because there is no + good way to assert if a delegation exists. In the RFC 2535 version + of DNSSEC, the presence of the NS bit in the NXT bit map proves there + is a delegation at this name. Something more explicit is required + and the DS record addresses this need for secure delegations. + + The DS record is a major change to DNS: it is the first resource + record that can appear only on the upper side of a delegation. + Adding it will cause interoperability problems and requires a flag + day for DNSSEC. Many old nameservers and resolvers MUST be upgraded + to take advantage of DS. Some old nameservers will be able to be + authoritative for zones with DS records but will not add the NXT or + DS records to the authority section. The same is true for caching + nameservers; in fact, some might even refuse to pass on the DS or NXT + records. + + + +Gudmundsson Standards Track [Page 10] + +RFC 3658 Delegation Signer (DS) Resource Record (RR) December 2003 + + +2.4. Wire Format of the DS record + + The DS (type=43) record contains these fields: key tag, algorithm, + digest type, and the digest of a public key KEY record that is + allowed and/or used to sign the child's apex KEY RRset. Other keys + MAY sign the child's apex KEY RRset. + + 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | key tag | algorithm | Digest type | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | digest (length depends on type) | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | (SHA-1 digest is 20 bytes) | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-| + | | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-| + | | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + The key tag is calculated as specified in RFC 2535. Algorithm MUST + be allowed to sign DNS data. The digest type is an identifier for + the digest algorithm used. The digest is calculated over the + canonical name of the delegated domain name followed by the whole + RDATA of the KEY record (all four fields). + + digest = hash( canonical FQDN on KEY RR | KEY_RR_rdata) + + KEY_RR_rdata = Flags | Protocol | Algorithm | Public Key + + Digest type value 0 is reserved, value 1 is SHA-1, and reserving + other types requires IETF standards action. For interoperability + reasons, keeping number of digest algorithms low is strongly + RECOMMENDED. The only reason to reserve additional digest types is + to increase security. + + DS records MUST point to zone KEY records that are allowed to + authenticate DNS data. The indicated KEY records protocol field MUST + be set to 3; flag field bit 7 MUST be set to 1. The value of other + flag bits is not significant for the purposes of this document. + + The size of the DS RDATA for type 1 (SHA-1) is 24 bytes, regardless + of key size. New digest types probably will have larger digests. + + + + + +Gudmundsson Standards Track [Page 11] + +RFC 3658 Delegation Signer (DS) Resource Record (RR) December 2003 + + +2.4.1. Justifications for Fields + + The algorithm and key tag fields are present to allow resolvers to + quickly identify the candidate KEY records to examine. SHA-1 is a + strong cryptographic checksum: it is computationally infeasible for + an attacker to generate a KEY record that has the same SHA-1 digest. + Combining the name of the key and the key rdata as input to the + digest provides stronger assurance of the binding. Having the key + tag in the DS record adds greater assurance than the SHA-1 digest + alone, as there are now two different mapping functions. + + This format allows concise representation of the keys that the child + will use, thus keeping down the size of the answer for the + delegation, reducing the probability of DNS message overflow. The + SHA-1 hash is strong enough to uniquely identify the key and is + similar to the PGP key footprint. The digest type field is present + for possible future expansion. + + The DS record is well suited to listing trusted keys for islands of + security in configuration files. + +2.5. Presentation Format of the DS Record + + The presentation format of the DS record consists of three numbers + (key tag, algorithm, and digest type) followed by the digest itself + presented in hex: + + example. DS 12345 3 1 123456789abcdef67890123456789abcdef67890 + +2.6. Transition Issues for Installed Base + + No backwards compatibility with RFC 2535 is provided. + + RFC 2535-compliant resolvers will assume that all DS-secured + delegations are locally secure. This is bad, but the DNSEXT Working + Group has determined that rather than dealing with both RFC 2535- + secured zones and DS-secured zones, a rapid adoption of DS is + preferable. Thus, the only option for early adopters is to upgrade + to DS as soon as possible. + +2.6.1. Backwards compatibility with RFC 2535 and RFC 1035 + + This section documents how a resolver determines the type of + delegation. + + + + + + + +Gudmundsson Standards Track [Page 12] + +RFC 3658 Delegation Signer (DS) Resource Record (RR) December 2003 + + + RFC 1035 delegation (in parent) has: + + RFC 1035 NS + + RFC 2535 adds the following two cases: + + Secure RFC 2535: NS + NXT + SIG(NXT) + NXT bit map contains: NS SIG NXT + Unsecure RFC 2535: NS + KEY + SIG(KEY) + NXT + SIG(NXT) + NXT bit map contains: NS SIG KEY NXT + KEY must be a NULL key. + + DNSSEC with DS has the following two states: + + Secure DS: NS + DS + SIG(DS) + NXT bit map contains: NS SIG NXT DS + Unsecure DS: NS + NXT + SIG(NXT) + NXT bit map contains: NS SIG NXT + + It is difficult for a resolver to determine if a delegation is secure + RFC 2535 or unsecure DS. This could be overcome by adding a flag to + the NXT bit map, but only upgraded resolvers would understand this + flag, anyway. Having both parent and child signatures for a KEY + RRset might allow old resolvers to accept a zone as secure, but the + cost of doing this for a long time is much higher than just + prohibiting RFC 2535-style signatures at child zone apexes and + forcing rapid deployment of DS-enabled nameservers and resolvers. + + RFC 2535 and DS can, in theory, be deployed in parallel, but this + would require resolvers to deal with RFC 2535 configurations forever. + This document obsoletes the NULL KEY in parent zones, which is a + difficult enough change that to cause a flag day. + +2.7. KEY and corresponding DS record example + + This is an example of a KEY record and the corresponding DS record. + + dskey.example. KEY 256 3 1 ( + AQPwHb4UL1U9RHaU8qP+Ts5bVOU1s7fYbj2b3CCbzNdj + 4+/ECd18yKiyUQqKqQFWW5T3iVc8SJOKnueJHt/Jb/wt + ) ; key id = 28668 + DS 28668 1 1 49FD46E6C4B45C55D4AC69CBD3CD34AC1AFE51DE + + + + + + + + + +Gudmundsson Standards Track [Page 13] + +RFC 3658 Delegation Signer (DS) Resource Record (RR) December 2003 + + +3. Resolver + +3.1. DS Example + + To create a chain of trust, a resolver goes from trusted KEY to DS to + KEY. + + Assume the key for domain "example." is trusted. Zone "example." + contains at least the following records: + example. SOA <soa stuff> + example. NS ns.example. + example. KEY <stuff> + example. NXT secure.example. NS SOA KEY SIG NXT + example. SIG(SOA) + example. SIG(NS) + example. SIG(NXT) + example. SIG(KEY) + secure.example. NS ns1.secure.example. + secure.example. DS tag=12345 alg=3 digest_type=1 <foofoo> + secure.example. NXT unsecure.example. NS SIG NXT DS + secure.example. SIG(NXT) + secure.example. SIG(DS) + unsecure.example NS ns1.unsecure.example. + unsecure.example. NXT example. NS SIG NXT + unsecure.example. SIG(NXT) + + In zone "secure.example." following records exist: + secure.example. SOA <soa stuff> + secure.example. NS ns1.secure.example. + secure.example. KEY <tag=12345 alg=3> + secure.example. KEY <tag=54321 alg=5> + secure.example. NXT <nxt stuff> + secure.example. SIG(KEY) <key-tag=12345 alg=3> + secure.example. SIG(SOA) <key-tag=54321 alg=5> + secure.example. SIG(NS) <key-tag=54321 alg=5> + secure.example. SIG(NXT) <key-tag=54321 alg=5> + + In this example, the private key for "example." signs the DS record + for "secure.example.", making that a secure delegation. The DS + record states which key is expected to sign the KEY RRset at + "secure.example.". Here "secure.example." signs its KEY RRset with + the KEY identified in the DS RRset, thus the KEY RRset is validated + and trusted. + + This example has only one DS record for the child, but parents MUST + allow multiple DS records to facilitate key roll-over and multiple + KEY algorithms. + + + + +Gudmundsson Standards Track [Page 14] + +RFC 3658 Delegation Signer (DS) Resource Record (RR) December 2003 + + + The resolver determines the security status of "unsecure.example." by + examining the parent zone's NXT record for this name. The absence of + the DS bit indicates an unsecure delegation. Note the NXT record + SHOULD only be examined after verifying the corresponding signature. + +3.2. Resolver Cost Estimates for DS Records + + From a RFC 2535 recursive resolver point of view, for each delegation + followed to chase down an answer, one KEY RRset has to be verified. + Additional RRsets might also need to be verified based on local + policy (e.g., the contents of the NS RRset). Once the resolver gets + to the appropriate delegation, validating the answer might require + verifying one or more signatures. A simple A record lookup requires + at least N delegations to be verified and one RRset. For a DS- + enabled recursive resolver, the cost is 2N+1. For an MX record, + where the target of the MX record is in the same zone as the MX + record, the costs are N+2 and 2N+2, for RFC 2535 and DS, + respectively. In the case of a negative answer, the same ratios hold + true. + + The recursive resolver has to do an extra query to get the DS record, + which will increase the overall cost of resolving this question, but + it will never be worse than chasing down NULL KEY records from the + parent in RFC 2535 DNSSEC. + + DS adds processing overhead on resolvers and increases the size of + delegation answers, but much less than storing signatures in the + parent zone. + +4. Security Considerations + + This document proposes a change to the validation chain of KEY + records in DNSSEC. The change is not believed to reduce security in + the overall system. In RFC 2535 DNSSEC, the child zone has to + communicate keys to its parent and prudent parents will require some + authentication with that transaction. The modified protocol will + require the same authentication, but allows the child to exert more + local control over its own KEY RRset. + + There is a remote possibility that an attacker could generate a valid + KEY that matches all the DS fields, of a specific DS set, and thus + forge data from the child. This possibility is considered + impractical, as on average more than + + 2 ^ (160 - <Number of keys in DS set>) + + keys would have to be generated before a match would be found. + + + + +Gudmundsson Standards Track [Page 15] + +RFC 3658 Delegation Signer (DS) Resource Record (RR) December 2003 + + + An attacker that wants to match any DS record will have to generate + on average at least 2^80 keys. + + The DS record represents a change to the DNSSEC protocol and there is + an installed base of implementations, as well as textbooks on how to + set up secure delegations. Implementations that do not understand + the DS record will not be able to follow the KEY to DS to KEY chain + and will consider all zones secured that way as unsecure. + +5. IANA Considerations + + IANA has allocated an RR type code for DS from the standard RR type + space (type 43). + + IANA has established a new registry for the DS RR type for digest + algorithms. Defined types are: + + 0 is Reserved, + 1 is SHA-1. + + Adding new reservations requires IETF standards action. + +6. Intellectual Property Statement + + The IETF takes no position regarding the validity or scope of any + intellectual property or other rights that might be claimed to + pertain to the implementation or use of the technology described in + this document or the extent to which any license under such rights + might or might not be available; neither does it represent that it + has made any effort to identify any such rights. Information on the + IETF's procedures with respect to rights in standards-track and + standards-related documentation can be found in BCP-11. Copies of + claims of rights made available for publication and any assurances of + licenses to be made available, or the result of an attempt made to + obtain a general license or permission for the use of such + proprietary rights by implementors or users of this specification can + be obtained from the IETF Secretariat. + + The IETF invites any interested party to bring to its attention any + copyrights, patents or patent applications, or other proprietary + rights which may cover technology that may be required to practice + this standard. Please address the information to the IETF Executive + Director. + + + + + + + + +Gudmundsson Standards Track [Page 16] + +RFC 3658 Delegation Signer (DS) Resource Record (RR) December 2003 + + +7. Acknowledgments + + Over the last few years a number of people have contributed ideas + that are captured in this document. The core idea of using one key + to sign only the KEY RRset comes from discussions with Bill Manning + and Perry Metzger on how to put in a single root key in all + resolvers. Alexis Yushin, Brian Wellington, Sam Weiler, Paul Vixie, + Jakob Schlyter, Scott Rose, Edward Lewis, Lars-Johan Liman, Matt + Larson, Mark Kosters, Dan Massey, Olaf Kolman, Phillip Hallam-Baker, + Miek Gieben, Havard Eidnes, Donald Eastlake 3rd., Randy Bush, David + Blacka, Steve Bellovin, Rob Austein, Derek Atkins, Roy Arends, Mark + Andrews, Harald Alvestrand, and others have provided useful comments. + +8. References + +8.1. Normative References + + [RFC1035] Mockapetris, P., "Domain Names - Implementation and + Specification", STD 13, RFC 1035, November 1987. + + [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate + Requirement Levels", BCP 14, RFC 2119, March 1997. + + [RFC2535] Eastlake, D., "Domain Name System Security Extensions", + RFC 2535, March 1999. + + [RFC3008] Wellington, B., "Domain Name System Security (DNSSEC) + Signing Authority", RFC 3008, November 2000. + + [RFC3090] Lewis, E., "DNS Security Extension Clarification on Zone + Status", RFC 3090, March 2001. + + [RFC3225] Conrad, D., "Indicating Resolver Support of DNSSEC", RFC + 3225, December 2001. + + [RFC3445] Massey, D. and S. Rose, "Limiting the scope of the KEY + Resource Record (RR)", RFC 3445, December 2002. + +8.2. Informational References + + [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS + Specification", RFC 2181, July 1997. + + [RFC3226] Gudmundsson, O., "DNSSEC and IPv6 A6 aware server/resolver + message size requirements", RFC 3226, December 2001. + + + + + + +Gudmundsson Standards Track [Page 17] + +RFC 3658 Delegation Signer (DS) Resource Record (RR) December 2003 + + +9. Author's Address + + Olafur Gudmundsson + 3821 Village Park Drive + Chevy Chase, MD, 20815 + + EMail: ds-rfc@ogud.com + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Gudmundsson Standards Track [Page 18] + +RFC 3658 Delegation Signer (DS) Resource Record (RR) December 2003 + + +10. Full Copyright Statement + + Copyright (C) The Internet Society (2003). All Rights Reserved. + + This document and translations of it may be copied and furnished to + others, and derivative works that comment on or otherwise explain it + or assist in its implementation may be prepared, copied, published + and distributed, in whole or in part, without restriction of any + kind, provided that the above copyright notice and this paragraph are + included on all such copies and derivative works. However, this + document itself may not be modified in any way, such as by removing + the copyright notice or references to the Internet Society or other + Internet organizations, except as needed for the purpose of + developing Internet standards in which case the procedures for + copyrights defined in the Internet Standards process must be + followed, or as required to translate it into languages other than + English. + + The limited permissions granted above are perpetual and will not be + revoked by the Internet Society or its successors or assignees. + + This document and the information contained herein is provided on an + "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING + TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING + BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION + HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF + MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + +Acknowledgement + + Funding for the RFC Editor function is currently provided by the + Internet Society. + + + + + + + + + + + + + + + + + + + +Gudmundsson Standards Track [Page 19] + |