Network Working Group O. Gudmundsson Request for Comments: 3658 December 2003 Updates: 3090, 3008, 2535, 1035 Category: Standards Track Delegation Signer (DS) Resource Record (RR) Status of this Memo This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited. Copyright Notice Copyright (C) The Internet Society (2003). All Rights Reserved.
AbstractThe delegation signer (DS) resource record (RR) is inserted at a zone cut (i.e., a delegation point) to indicate that the delegated zone is digitally signed and that the delegated zone recognizes the indicated key as a valid zone key for the delegated zone. The DS RR is a modification to the DNS Security Extensions definition, motivated by operational considerations. The intent is to use this resource record as an explicit statement about the delegation, rather than relying on inference. This document defines the DS RR, gives examples of how it is used and describes the implications on resolvers. This change is not backwards compatible with RFC 2535. This document updates RFC 1035, RFC 2535, RFC 3008 and RFC 3090.
1. Introduction. . . . . . . . . . . . . . . . . . . . . . . . . 3 1.2. Reserved Words. . . . . . . . . . . . . . . . . . . . . 4 2. Specification of the Delegation key Signer. . . . . . . . . . 4 2.1. Delegation Signer Record Model. . . . . . . . . . . . . 4 2.2. Protocol Change . . . . . . . . . . . . . . . . . . . . 5 2.2.1. RFC 2535 2.3.4 and 3.4: Special Considerations at Delegation Points . . . . . . . . . . . . . 6 22.214.171.124. Special processing for DS queries. . . 6 126.96.36.199. Special processing when child and an ancestor share nameserver. . . . . . . 7 188.8.131.52. Modification on use of KEY RR in the construction of Responses. . . . . . . 8 2.2.2. Signer's Name (replaces RFC3008 section 2.7). . 9 2.2.3. Changes to RFC 3090 . . . . . . . . . . . . . . 9 184.108.40.206. RFC 3090: Updates to section 1: Introduction . . . . . . . . . . . . . 9 220.127.116.11. RFC 3090 section 2.1: Globally Secured. . . . . . . . . . . . . . . . 10 18.104.22.168. RFC 3090 section 3: Experimental Status . . . . . . . . . . . . . . . . 10 2.2.4. NULL KEY elimination. . . . . . . . . . . . . . 10 2.3. Comments on Protocol Changes. . . . . . . . . . . . . . 10 2.4. Wire Format of the DS record. . . . . . . . . . . . . . 11 2.4.1. Justifications for Fields . . . . . . . . . . . 12 2.5. Presentation Format of the DS Record. . . . . . . . . . 12 2.6. Transition Issues for Installed Base. . . . . . . . . . 12 2.6.1. Backwards compatibility with RFC 2535 and RFC 1035. . . . . . . . . . . . . . . . . . . . 12 2.7. KEY and corresponding DS record example . . . . . . . . 13 3. Resolver. . . . . . . . . . . . . . . . . . . . . . . . . . . 14 3.1. DS Example" . . . . . . . . . . . . . . . . . . . . . . 14 3.2. Resolver Cost Estimates for DS Records" . . . . . . . . 15 4. Security Considerations . . . . . . . . . . . . . . . . . . . 15 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16 6. Intellectual Property Statement . . . . . . . . . . . . . . . 16 7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 17 8. References. . . . . . . . . . . . . . . . . . . . . . . . . . 17 8.1. Normative References. . . . . . . . . . . . . . . . . . 17 8.2. Informational References. . . . . . . . . . . . . . . . 17 9. Author's Address. . . . . . . . . . . . . . . . . . . . . . . 18 10. Full Copyright Statement. . . . . . . . . . . . . . . . . . . 19
RFC1035], DNS security extensions [RFC2535], and DNSSEC terminology [RFC3090] is important. Experience shows that when the same data can reside in two administratively different DNS zones, the data frequently gets out of sync. The presence of an NS RRset in a zone anywhere other than at the apex indicates a zone cut or delegation. The RDATA of the NS RRset specifies the authoritative nameservers for the delegated or "child" zone. Based on actual measurements, 10-30% of all delegations on the Internet have differing NS RRsets at parent and child. There are a number of reasons for this, including a lack of communication between parent and child and bogus name servers being listed to meet registry requirements. DNSSEC [RFC2535, RFC3008, RFC3090] specifies that a child zone needs to have its KEY RRset signed by its parent to create a verifiable chain of KEYs. There has been some debate on where the signed KEY RRset should reside, whether at the child [RFC2535] or at the parent. If the KEY RRset resides at the child, maintaining the signed KEY RRset in the child requires frequent two-way communication between the two parties. First, the child transmits the KEY RRset to the parent and then the parent sends the signature(s) to the child. Storing the KEY RRset at the parent was thought to simplify the communication. DNSSEC [RFC2535] requires that the parent store a NULL KEY record for an unsecure child zone to indicate that the child is unsecure. A NULL KEY record is a waste: an entire signed RRset is used to communicate effectively one bit of information - that the child is unsecure. Chasing down NULL KEY RRsets complicates the resolution process in many cases, because nameservers for both parent and child need to be queried for the KEY RRset if the child nameserver does not return it. Storing the KEY RRset only in the parent zone simplifies this and would allow the elimination of the NULL KEY RRsets entirely. For large delegation zones, the cost of NULL keys is a significant barrier to deployment. Prior to the restrictions imposed by RFC 3445 [RFC3445], another implication of the DNSSEC key model is that the KEY record could be used to store public keys for other protocols in addition to DNSSEC keys. There are a number of potential problems with this, including: 1. The KEY RRset can become quite large if many applications and protocols store their keys at the zone apex. Possible protocols are IPSEC, HTTP, SMTP, SSH and others that use public key cryptography.
2. The KEY RRset may require frequent updates. 3. The probability of compromised or lost keys, which trigger emergency key roll-over procedures, increases. 4. The parent may refuse to sign KEY RRsets with non-DNSSEC zone keys. 5. The parent may not meet the child's expectations of turnaround time for resigning the KEY RRset. Given these reasons, SIG@parent isn't any better than SIG/KEY@Child. BCP 14, RFC 2119 [RFC2119]. RFC2535] that uses a new RR that resides only at the parent. This record identifies the key(s) that the child uses to self-sign its own KEY RRset. Even though DS identifies two roles for KEYs, Key Signing Key (KSK) and Zone Signing Key (ZSK), there is no requirement that zone uses two different keys for these roles. It is expected that many small zones will only use one key, while larger zones will be more likely to use multiple keys. The chain of trust is now established by verifying the parent KEY RRset, the DS RRset from the parent and the KEY RRset at the child. This is cryptographically equivalent to using just KEY records. Communication between the parent and child is greatly reduced, since the child only needs to notify the parent about changes in keys that sign its apex KEY RRset. The parent is ignorant of all other keys in the child's apex KEY RRset. Furthermore, the child maintains full control over the apex KEY RRset and its content. The child can maintain any policies regarding its KEY usage for DNSSEC with minimal impact on the parent. Thus, if the child wants to have frequent key
roll-over for its DNS zone keys, the parent does not need to be aware of it. The child can use one key to sign only its apex KEY RRset and a different key to sign the other RRsets in the zone. This model fits well with a slow roll out of DNSSEC and the islands of security model. In this model, someone who trusts "good.example." can preconfigure a key from "good.example." as a trusted key, and from then on trusts any data signed by that key or that has a chain of trust to that key. If "example." starts advertising DS records, "good.example." does not have to change operations by suspending self-signing. DS records can be used in configuration files to identify trusted keys instead of KEY records. Another significant advantage is that the amount of information stored in large delegation zones is reduced: rather than the NULL KEY record at every unsecure delegation demanded by RFC 2535, only secure delegations require additional information in the form of a signed DS RRset. The main disadvantage of this approach is that verifying a zone's KEY RRset requires two signature verification operations instead of the one in RFC 2535 chain of trust. There is no impact on the number of signatures verified for other types of RRsets. RFC3225] and a larger message size [RFC3226]. In order for a delegation to be considered secure the delegation MUST contain a DS RRset. If a query contains the OK bit, a nameserver returning a referral for the delegation MUST include the following RRsets in the authority section in this order: If DS RRset is present: parent's copy of child's NS RRset DS and SIG(DS) If no DS RRset is present: parent's copy of child's NS RRset parent's zone NXT and SIG(NXT) This increases the size of referral messages, possibly causing some or all glue to be omitted. If the DS or NXT RRsets with signatures do not fit in the DNS message, the TC bit MUST be set. Additional section processing is not changed. A DS RRset accompanying a NS RRset indicates that the child zone is secure. If a NS RRset exists without a DS RRset, the child zone is unsecure (from the parents point of view). DS RRsets MUST NOT appear at non-delegation points or at a zone's apex.
Section 2.2.1 defines special considerations related to authoritative nameservers responding to DS queries and replaces RFC 2535 sections 2.3.4 and 3.4. Section 2.2.2 replaces RFC 3008 section 2.7, and section 2.2.3 updates RFC 3090. RFC2181]. Each DS RRset stored in the parent zone MUST be signed by at least one of the parent zone's private keys. The parent zone MUST NOT contain a KEY RRset at any delegation point. Delegations in the parent MAY contain only the following RR types: NS, DS, NXT and SIG. The NS RRset MUST NOT be signed. The NXT RRset is the exceptional case: it will always appear differently and authoritatively in both the parent and child zones, if both are secure. A secure zone MUST contain a self-signed KEY RRset at its apex. Upon verifying the DS RRset from the parent, a resolver MAY trust any KEY identified in the DS RRset as a valid signer of the child's apex KEY RRset. Resolvers configured to trust one of the keys signing the KEY RRset MAY now treat any data signed by the zone keys in the KEY RRset as secure. In all other cases, resolvers MUST consider the zone unsecure. An authoritative nameserver queried for type DS MUST return the DS RRset in the answer section.
When the nameserver is authoritative for the child zone at a delegation point but not the parent zone, there is no natural response, since the child zone is not authoritative for the DS record at the zone's apex. As these queries are only expected to originate from recursive nameservers which are not DS-aware, the authoritative nameserver MUST answer with: RCODE: NOERROR AA bit: set Answer Section: Empty Authority Section: SOA [+ SIG(SOA) + NXT + SIG(NXT)] That is, it answers as if it is authoritative and the DS record does not exist. DS-aware recursive nameservers will query the parent zone at delegation points, so will not be affected by this. A nameserver authoritative for only the child zone, that is also a caching server MAY (if the RD bit is set in the query) perform recursion to find the DS record at the delegation point, or MAY return the DS record from its cache. In this case, the AA bit MUST NOT be set in the response.
3) If the nameserver is authoritative for the zone that holds the <QNAME>'s SOA RR set, the response is an authoritative negative answer as described in 22.214.171.124. 4) If the nameserver is authoritative for a zone or zones above the QNAME, a referral to the most enclosing (deepest match) zone's servers is made. 5) If the nameserver is not authoritative for any part of the QNAME, a response indicating a lame nameserver for QNAME is given. Using these rules will require some special processing on the part of a DS RR aware resolver. To illustrate this, an example is used. Assuming a nameserver is authoritative for roots.example.net. and for the root zone but not the intervening two zones (or the intervening two label deep zone). Assume that QNAME=roots.example.net., QTYPE=DS, and QCLASS=IN. The resolver will issue this request (assuming no cached data) expecting a referral to a nameserver for .net. Instead, rule number 3 above applies and a negative answer is returned by the nameserver. The reaction by the resolver is not to accept this answer as final, as it can determine from the SOA RR in the negative answer the context within which the nameserver has answered. A solution would be to instruct the resolver to hunt for the authoritative zone of the data in a brute force manner. This can be accomplished by taking the owner name of the returned SOA RR and striping off enough left-hand labels until a successful NS response is obtained. A successful response here means that the answer has NS records in it. (Entertaining the possibility that a cut point can be two labels down in a zone.) Returning to the example, the response will include a negative answer with either the SOA RR for "roots.example.net." or "example.net." depending on whether roots.example.net is a delegated domain. In either case, removing the left most label of the SOA owner name will lead to the location of the desired data. RFC 2535 section 3.5 by replacing it with the following:
A query for KEY RR MUST NOT trigger any additional section processing. Security aware resolvers will include corresponding SIG records in the answer section. KEY records SHOULD NOT be added to the additional records section in response to any query. RFC 2535 specified that KEY records be added to the additional section when SOA or NS records were included in an answer. This was done to reduce round trips (in the case of SOA) and to force out NULL KEYs (in the NS case). As this document obsoletes NULL keys, there is no need for the inclusion of KEYs with NSs. Furthermore, as SOAs are included in the authority section of negative answers, including the KEYs each time will cause redundant transfers of KEYs. RFC 2535 section 3.5 also included a rule for adding the KEY RRset to the response for a query for A and AAAA types. As Restrict KEY [RFC3445] eliminated use of KEY RR by all applications, this rule is no longer needed. RFC 3090 need to be updated to reflect the DS record. RFC 2535 that are replaced in section 2.2.1 above. Therefore, these paragraphs are now obsolete.
RFC 3445 section 3 eliminates the top two bits in the flags field of KEY RR. These two bits were used to indicate NULL KEY or NO KEY. RFC 3090 defines that zone as either secure or not and these rules eliminate the need to put NULL keys in the zone apex to indicate that the zone is not secured for a algorithm. Along with this document, these other two eliminate all uses for the NULL KEY. This document obsoletes NULL KEY. RFC 2535 version of DNSSEC, the presence of the NS bit in the NXT bit map proves there is a delegation at this name. Something more explicit is required and the DS record addresses this need for secure delegations. The DS record is a major change to DNS: it is the first resource record that can appear only on the upper side of a delegation. Adding it will cause interoperability problems and requires a flag day for DNSSEC. Many old nameservers and resolvers MUST be upgraded to take advantage of DS. Some old nameservers will be able to be authoritative for zones with DS records but will not add the NXT or DS records to the authority section. The same is true for caching nameservers; in fact, some might even refuse to pass on the DS or NXT records.
RFC 2535. Algorithm MUST be allowed to sign DNS data. The digest type is an identifier for the digest algorithm used. The digest is calculated over the canonical name of the delegated domain name followed by the whole RDATA of the KEY record (all four fields). digest = hash( canonical FQDN on KEY RR | KEY_RR_rdata) KEY_RR_rdata = Flags | Protocol | Algorithm | Public Key Digest type value 0 is reserved, value 1 is SHA-1, and reserving other types requires IETF standards action. For interoperability reasons, keeping number of digest algorithms low is strongly RECOMMENDED. The only reason to reserve additional digest types is to increase security. DS records MUST point to zone KEY records that are allowed to authenticate DNS data. The indicated KEY records protocol field MUST be set to 3; flag field bit 7 MUST be set to 1. The value of other flag bits is not significant for the purposes of this document. The size of the DS RDATA for type 1 (SHA-1) is 24 bytes, regardless of key size. New digest types probably will have larger digests.
RFC 2535 is provided. RFC 2535-compliant resolvers will assume that all DS-secured delegations are locally secure. This is bad, but the DNSEXT Working Group has determined that rather than dealing with both RFC 2535- secured zones and DS-secured zones, a rapid adoption of DS is preferable. Thus, the only option for early adopters is to upgrade to DS as soon as possible.
RFC 1035 delegation (in parent) has: RFC 1035 NS RFC 2535 adds the following two cases: Secure RFC 2535: NS + NXT + SIG(NXT) NXT bit map contains: NS SIG NXT Unsecure RFC 2535: NS + KEY + SIG(KEY) + NXT + SIG(NXT) NXT bit map contains: NS SIG KEY NXT KEY must be a NULL key. DNSSEC with DS has the following two states: Secure DS: NS + DS + SIG(DS) NXT bit map contains: NS SIG NXT DS Unsecure DS: NS + NXT + SIG(NXT) NXT bit map contains: NS SIG NXT It is difficult for a resolver to determine if a delegation is secure RFC 2535 or unsecure DS. This could be overcome by adding a flag to the NXT bit map, but only upgraded resolvers would understand this flag, anyway. Having both parent and child signatures for a KEY RRset might allow old resolvers to accept a zone as secure, but the cost of doing this for a long time is much higher than just prohibiting RFC 2535-style signatures at child zone apexes and forcing rapid deployment of DS-enabled nameservers and resolvers. RFC 2535 and DS can, in theory, be deployed in parallel, but this would require resolvers to deal with RFC 2535 configurations forever. This document obsoletes the NULL KEY in parent zones, which is a difficult enough change that to cause a flag day.
The resolver determines the security status of "unsecure.example." by examining the parent zone's NXT record for this name. The absence of the DS bit indicates an unsecure delegation. Note the NXT record SHOULD only be examined after verifying the corresponding signature. RFC 2535 recursive resolver point of view, for each delegation followed to chase down an answer, one KEY RRset has to be verified. Additional RRsets might also need to be verified based on local policy (e.g., the contents of the NS RRset). Once the resolver gets to the appropriate delegation, validating the answer might require verifying one or more signatures. A simple A record lookup requires at least N delegations to be verified and one RRset. For a DS- enabled recursive resolver, the cost is 2N+1. For an MX record, where the target of the MX record is in the same zone as the MX record, the costs are N+2 and 2N+2, for RFC 2535 and DS, respectively. In the case of a negative answer, the same ratios hold true. The recursive resolver has to do an extra query to get the DS record, which will increase the overall cost of resolving this question, but it will never be worse than chasing down NULL KEY records from the parent in RFC 2535 DNSSEC. DS adds processing overhead on resolvers and increases the size of delegation answers, but much less than storing signatures in the parent zone. RFC 2535 DNSSEC, the child zone has to communicate keys to its parent and prudent parents will require some authentication with that transaction. The modified protocol will require the same authentication, but allows the child to exert more local control over its own KEY RRset. There is a remote possibility that an attacker could generate a valid KEY that matches all the DS fields, of a specific DS set, and thus forge data from the child. This possibility is considered impractical, as on average more than 2 ^ (160 - <Number of keys in DS set>) keys would have to be generated before a match would be found.
An attacker that wants to match any DS record will have to generate on average at least 2^80 keys. The DS record represents a change to the DNSSEC protocol and there is an installed base of implementations, as well as textbooks on how to set up secure delegations. Implementations that do not understand the DS record will not be able to follow the KEY to DS to KEY chain and will consider all zones secured that way as unsecure.
[RFC1035] Mockapetris, P., "Domain Names - Implementation and Specification", STD 13, RFC 1035, November 1987. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC2535] Eastlake, D., "Domain Name System Security Extensions", RFC 2535, March 1999. [RFC3008] Wellington, B., "Domain Name System Security (DNSSEC) Signing Authority", RFC 3008, November 2000. [RFC3090] Lewis, E., "DNS Security Extension Clarification on Zone Status", RFC 3090, March 2001. [RFC3225] Conrad, D., "Indicating Resolver Support of DNSSEC", RFC 3225, December 2001. [RFC3445] Massey, D. and S. Rose, "Limiting the scope of the KEY Resource Record (RR)", RFC 3445, December 2002. [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS Specification", RFC 2181, July 1997. [RFC3226] Gudmundsson, O., "DNSSEC and IPv6 A6 aware server/resolver message size requirements", RFC 3226, December 2001.
Acknowledgement Funding for the RFC Editor function is currently provided by the Internet Society.