mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-31 06:25:31 +00:00

new draft

This commit is contained in:
Mark Andrews
2006-01-24 23:28:20 +00:00
parent 4afceb476f
commit 7f9da0f91c


@@ -4,12 +4,12 @@
Network Working Group S. Weiler Network Working Group S. Weiler
Internet-Draft SPARTA, Inc Internet-Draft SPARTA, Inc
Updates: 4034, 4035 (if approved) J. Ihren Updates: 4034, 4035 (if approved) J. Ihren
Expires: November 13, 2005 Autonomica AB Expires: July 24, 2006 Autonomica AB
May 12, 2005 January 20, 2006
Minimally Covering NSEC Records and DNSSEC On-line Signing Minimally Covering NSEC Records and DNSSEC On-line Signing
draft-ietf-dnsext-dnssec-online-signing-00 draft-ietf-dnsext-dnssec-online-signing-02
Status of this Memo Status of this Memo
@@ -34,11 +34,11 @@ Status of this Memo
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on November 13, 2005. This Internet-Draft will expire on July 24, 2006.
Copyright Notice Copyright Notice
Copyright (C) The Internet Society (2005). Copyright (C) The Internet Society (2006).
Abstract Abstract
@@ -52,11 +52,39 @@ Abstract
Weiler & Ihren Expires November 13, 2005 [Page 1] Weiler & Ihren Expires July 24, 2006 [Page 1]
Internet-Draft NSEC Epsilon May 2005 Internet-Draft NSEC Epsilon January 2006
Changes from ietf-01 to ietf-02
Clarified that a generated NSEC RR's type bitmap MUST have the RRSIG
and NSEC bits set, to be consistent with DNSSECbis -- previous text
said SHOULD.
Made the applicability statement a little less oppressive.
Changes from ietf-00 to ietf-01
Added an applicability statement, making reference to ongoing work on
NSEC3.
Added the phrase "epsilon functions", which has been commonly used to
describe the technique and already appeared in the header of each
page, in place of "increment and decrement functions". Also added an
explanatory sentence.
Corrected references from 4034 section 6.2 to section 6.1.
Fixed an out-of-date reference to [-bis] and other typos.
Replaced IANA Considerations text.
Escaped close parentheses in examples.
Added some more acknowledgements.
Changes from weiler-01 to ietf-00 Changes from weiler-01 to ietf-00
Inserted RFC numbers for 4033, 4034, and 4035. Inserted RFC numbers for 4033, 4034, and 4035.
@@ -80,50 +108,23 @@ Changes from weiler-00 to weiler-01
Weiler & Ihren Expires July 24, 2006 [Page 2]
Weiler & Ihren Expires November 13, 2005 [Page 2]
Internet-Draft NSEC Epsilon May 2005 Internet-Draft NSEC Epsilon January 2006
Table of Contents Table of Contents
1. Introduction and Terminology . . . . . . . . . . . . . . . . 4 1. Introduction and Terminology . . . . . . . . . . . . . . . . . 4
2. Minimally Covering NSEC Records . . . . . . . . . . . . . . 4 2. Applicability of This Technique . . . . . . . . . . . . . . . 4
3. Better Increment & Decrement Functions . . . . . . . . . . . 6 3. Minimally Covering NSEC Records . . . . . . . . . . . . . . . 5
4. IANA Considerations . . . . . . . . . . . . . . . . . . . . 7 4. Better Epsilon Functions . . . . . . . . . . . . . . . . . . . 6
5. Security Considerations . . . . . . . . . . . . . . . . . . 7 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7
6. Normative References . . . . . . . . . . . . . . . . . . . . 8 6. Security Considerations . . . . . . . . . . . . . . . . . . . 7
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 8 7. Normative References . . . . . . . . . . . . . . . . . . . . . 8
A. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . 8 Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . . 8
Intellectual Property and Copyright Statements . . . . . . . 10 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 10
Intellectual Property and Copyright Statements . . . . . . . . . . 11
@@ -163,10 +164,9 @@ Table of Contents
Weiler & Ihren Expires July 24, 2006 [Page 3]
Weiler & Ihren Expires November 13, 2005 [Page 3]
Internet-Draft NSEC Epsilon May 2005 Internet-Draft NSEC Epsilon January 2006
1. Introduction and Terminology 1. Introduction and Terminology
@@ -190,17 +190,42 @@ Internet-Draft NSEC Epsilon May 2005
these records must be created and signed on demand, which requires these records must be created and signed on demand, which requires
on-line private keys. Anyone contemplating use of this technique is on-line private keys. Anyone contemplating use of this technique is
strongly encouraged to review the discussion of the risks of on-line strongly encouraged to review the discussion of the risks of on-line
signing in Section 5. signing in Section 6.
The technique presented here may be useful to a zone owner that wants
to use DNSSEC, is concerned about exposure of its zone contents via
zone walking, and is willing to bear the costs of on-line signing.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [4]. document are to be interpreted as described in RFC 2119 [4].
2. Minimally Covering NSEC Records
2. Applicability of This Technique
The technique presented here may be useful to a zone owner that wants
to use DNSSEC, is concerned about exposure of its zone contents via
zone walking, and is willing to bear the costs of on-line signing.
As discussed in Section 6, on-line signing has several security
risks, including an increased likelihood of private keys being
disclosed and an increased risk of denial of service attack. Anyone
contemplating use of this technique is strongly encouraged to review
the discussion of the risks of on-line signing in Section 6.
Furthermore, at the time this document was published, the DNSEXT
working group was actively working on a mechanism to prevent zone
walking that does not require on-line signing (tentatively called
NSEC3). The new mechanism is likely to expose slightly more
information about the zone than this technique (e.g. the number of
instantiated names), but it may be preferable to this technique.
Weiler & Ihren Expires July 24, 2006 [Page 4]
Internet-Draft NSEC Epsilon January 2006
3. Minimally Covering NSEC Records
This mechanism involves changes to NSEC records for instantiated This mechanism involves changes to NSEC records for instantiated
names, which can still be generated and signed in advance, as well as names, which can still be generated and signed in advance, as well as
@@ -211,36 +236,32 @@ Internet-Draft NSEC Epsilon May 2005
than list the next instantiated name in the zone, list any name that than list the next instantiated name in the zone, list any name that
falls lexically after the NSEC's owner name and before the next falls lexically after the NSEC's owner name and before the next
instantiated name in the zone, according to the ordering function in instantiated name in the zone, according to the ordering function in
RFC4034 [2] section 6.2. This relaxes the requirement in section RFC4034 [2] section 6.1. This relaxes the requirement in section
4.1.1 of RFC4034 that the 'next name' field contains the next owner 4.1.1 of RFC4034 that the 'next name' field contains the next owner
name in the zone. This change is expected to be fully compatible name in the zone. This change is expected to be fully compatible
with all existing DNSSEC validators. These NSEC records are returned with all existing DNSSEC validators. These NSEC records are returned
whenever proving something specifically about the owner name (e.g. whenever proving something specifically about the owner name (e.g.
that no resource records of a given type appear at that name). that no resource records of a given type appear at that name).
Weiler & Ihren Expires November 13, 2005 [Page 4]
Internet-Draft NSEC Epsilon May 2005
Whenever an NSEC record is needed to prove the non-existence of a Whenever an NSEC record is needed to prove the non-existence of a
name, a new NSEC record is dynamically produced and signed. The new name, a new NSEC record is dynamically produced and signed. The new
NSEC record has an owner name lexically before the QNAME but NSEC record has an owner name lexically before the QNAME but
lexically following any existing name and a 'next name' lexically lexically following any existing name and a 'next name' lexically
following the QNAME but before any existing name. following the QNAME but before any existing name.
The generated NSEC record's type bitmap SHOULD have the RRSIG and The generated NSEC record's type bitmap MUST have the RRSIG and NSEC
NSEC bits set and SHOULD NOT have any other bits set. This relaxes bits set and SHOULD NOT have any other bits set. This relaxes the
the requirement in Section 2.3 of RFC4035 that NSEC RRs not appear at requirement in Section 2.3 of RFC4035 that NSEC RRs not appear at
names that did not exist before the zone wsa signed. names that did not exist before the zone was signed.
The functions to generate the lexically following and proceeding The functions to generate the lexically following and proceeding
names need not be perfect nor consistent, but the generated NSEC names need not be perfect nor consistent, but the generated NSEC
records must not cover any existing names. Furthermore, this records must not cover any existing names. Furthermore, this
technique works best when the generated NSEC records cover as few technique works best when the generated NSEC records cover as few
names as possible. names as possible. In this document, the functions that generate the
nearby names are called 'epsilon' functions, a reference to the
mathematical convention of using the greek letter epsilon to
represent small deviations.
An NSEC record denying the existence of a wildcard may be generated An NSEC record denying the existence of a wildcard may be generated
in the same way. Since the NSEC record covering a non-existent in the same way. Since the NSEC record covering a non-existent
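Review bot: "the lexically following and proceeding names" should read "preceding names" in the new column; this hunk fixes "wsa" a few lines up but leaves this typo in place. Suggested: "The functions to generate the lexically following and preceding names need not be perfect nor consistent".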
@@ -253,19 +274,26 @@ Internet-Draft NSEC Epsilon May 2005
denying the existence of the name example.com and the second denying denying the existence of the name example.com and the second denying
the existence of a wildcard: the existence of a wildcard:
Weiler & Ihren Expires July 24, 2006 [Page 5]
Internet-Draft NSEC Epsilon January 2006
exampld.com 3600 IN NSEC example-.com ( RRSIG NSEC ) exampld.com 3600 IN NSEC example-.com ( RRSIG NSEC )
).com 3600 IN NSEC +.com ( RRSIG NSEC ) \).com 3600 IN NSEC +.com ( RRSIG NSEC )
Before answering a query with these records, an authoritative server Before answering a query with these records, an authoritative server
must test for the existence of names between these endpoints. If the must test for the existence of names between these endpoints. If the
generated NSEC would cover existing names (e.g. exampldd.com or generated NSEC would cover existing names (e.g. exampldd.com or
*bizarre.example.com), a better increment or decrement function may *bizarre.example.com), a better epsilon function may be used or the
be used or the covered name closest to the QNAME could be used as the covered name closest to the QNAME could be used as the NSEC owner
NSEC owner name or next name, as appropriate. If an existing name is name or next name, as appropriate. If an existing name is used as
used as the NSEC owner name, that name's real NSEC record MUST be the NSEC owner name, that name's real NSEC record MUST be returned.
returned. Using the same example, assuming an exampldd.com Using the same example, assuming an exampldd.com delegation exists,
delegation exists, this record might be returned from the parent: this record might be returned from the parent:
exampldd.com 3600 IN NSEC example-.com ( NS DS RRSIG NSEC ) exampldd.com 3600 IN NSEC example-.com ( NS DS RRSIG NSEC )
@@ -273,27 +301,20 @@ Internet-Draft NSEC Epsilon May 2005
record MUST have corresponding RRSIGs generated using each algorithm record MUST have corresponding RRSIGs generated using each algorithm
(but not necessarily each DNSKEY) in the zone's DNSKEY RRset, as (but not necessarily each DNSKEY) in the zone's DNSKEY RRset, as
described in RFC4035 [3] section 2.2. To minimize the number of described in RFC4035 [3] section 2.2. To minimize the number of
Weiler & Ihren Expires November 13, 2005 [Page 5]
Internet-Draft NSEC Epsilon May 2005
signatures that must be generated, a zone may wish to limit the signatures that must be generated, a zone may wish to limit the
number of algorithms in its DNSKEY RRset. number of algorithms in its DNSKEY RRset.
3. Better Increment & Decrement Functions
Section 6.2 of RFC4034 defines a strict ordering of DNS names. 4. Better Epsilon Functions
Section 6.1 of RFC4034 defines a strict ordering of DNS names.
Working backwards from that definition, it should be possible to Working backwards from that definition, it should be possible to
define increment and decrement functions that generate the define epsilon functions that generate the immediately following and
immediately following and preceding names, respectively. This preceding names, respectively. This document does not define such
document does not define such functions. Instead, this section functions. Instead, this section presents functions that come
presents functions that come reasonably close to the perfect ones. reasonably close to the perfect ones. As described above, an
As described above, an authoritative server should still ensure than authoritative server should still ensure than no generated NSEC
no generated NSEC covers any existing name. covers any existing name.
To increment a name, add a leading label with a single null (zero- To increment a name, add a leading label with a single null (zero-
value) octet. value) octet.
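Review bot: "an authoritative server should still ensure than no generated NSEC covers any existing name" carries "than" for "that" through the reflow in the new column; while the paragraph is being rewrapped it is the place to fix it: "should still ensure that no generated NSEC covers any existing name".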
@@ -308,13 +329,21 @@ Internet-Draft NSEC Epsilon May 2005
In response to a query for the non-existent name foo.example.com, In response to a query for the non-existent name foo.example.com,
these functions produce NSEC records of: these functions produce NSEC records of:
Weiler & Ihren Expires July 24, 2006 [Page 6]
Internet-Draft NSEC Epsilon January 2006
fon\255\255\255\255\255\255\255\255\255\255\255\255\255\255 fon\255\255\255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255\255\255\255
\255.example.com 3600 IN NSEC \000.foo.example.com ( NSEC RRSIG ) \255.example.com 3600 IN NSEC \000.foo.example.com ( NSEC RRSIG )
)\255\255\255\255\255\255\255\255\255\255\255\255\255\255\255 \)\255\255\255\255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255\255\255\255
@@ -327,26 +356,18 @@ Internet-Draft NSEC Epsilon May 2005
Both of these functions are imperfect: they don't take into account Both of these functions are imperfect: they don't take into account
constraints on number of labels in a name nor total length of a name. constraints on number of labels in a name nor total length of a name.
As noted in the previous section, though, this technique does not As noted in the previous section, though, this technique does not
depend on the use of perfect increment or decrement functions: it is depend on the use of perfect epsilon functions: it is sufficient to
sufficient to test whether any instantiated names fall into the span test whether any instantiated names fall into the span covered by the
generated NSEC and, if so, substitute those instantiated owner names
for the NSEC owner name or next name, as appropriate.
5. IANA Considerations
Weiler & Ihren Expires November 13, 2005 [Page 6] This document specifies no IANA Actions.
Internet-Draft NSEC Epsilon May 2005
covered by the generated NSEC and, if so, substitute those 6. Security Considerations
instantiated owner names for the NSEC owner name or next name, as
appropriate.
4. IANA Considerations
Per RFC4041, IANA should think carefully about the protection of
their immortal souls.
5. Security Considerations
This approach requires on-demand generation of RRSIG records. This This approach requires on-demand generation of RRSIG records. This
creates several new vulnerabilities. creates several new vulnerabilities.
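Review bot: the replacement IANA text "This document specifies no IANA Actions." capitalises "Actions" mid-sentence; the customary wording is "This document has no IANA actions." (lowercase). Minor, but it is the only line in this hunk that is new prose rather than a move, so it is worth getting right before the draft is submitted.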
@@ -356,51 +377,49 @@ Internet-Draft NSEC Epsilon May 2005
internet-accessible servers may make them more vulnerable to internet-accessible servers may make them more vulnerable to
unintended disclosure. unintended disclosure.
Second, since generation of public key signatures tends to be Second, since generation of digital signatures tends to be
computationally demanding, the requirement for on-demand signing computationally demanding, the requirement for on-demand signing
makes authoritative servers vulnerable to a denial of service attack. makes authoritative servers vulnerable to a denial of service attack.
Lastly, if the increment and decrement functions are predictable, on- Lastly, if the epsilon functions are predictable, on-demand signing
demand signing may enable a chosen-plaintext attack on a zone's may enable a chosen-plaintext attack on a zone's private keys. Zones
private keys. Zones using this approach should attempt to use using this approach should attempt to use cryptographic algorithms
cryptographic algorithms that are resistant to chosen-plaintext that are resistant to chosen-plaintext attacks. It's worth noting
attacks. It's worth noting that while DNSSEC has a "mandatory to
implement" algorithm, that is a requirement on resolvers and
validators -- there is no requirement that a zone be signed with any
given algorithm. Weiler & Ihren Expires July 24, 2006 [Page 7]
Internet-Draft NSEC Epsilon January 2006
that while DNSSEC has a "mandatory to implement" algorithm, that is a
requirement on resolvers and validators -- there is no requirement
that a zone be signed with any given algorithm.
The success of using minimally covering NSEC record to prevent zone The success of using minimally covering NSEC record to prevent zone
walking depends greatly on the quality of the increment and decrement walking depends greatly on the quality of the epsilon functions
functions chosen. An increment function that chooses a name chosen. An increment function that chooses a name obviously derived
obviously derived from the next instantiated name may be easily from the next instantiated name may be easily reverse engineered,
reverse engineered, destroying the value of this technique. An destroying the value of this technique. An increment function that
increment function that always returns a name close to the next always returns a name close to the next instantiated name is likewise
instantiated name is likewise a poor choice. Good choices of a poor choice. Good choices of epsilon functions are the ones that
increment and decrement functions are the ones that produce the produce the immediately following and preceding names, respectively,
immediately following and preceding names, respectively, though zone though zone administrators may wish to use less perfect functions
administrators may wish to use less perfect functions that return that return more human-friendly names than the functions described in
more human-friendly names than the functions described in Section 3 Section 4 above.
above.
Another obvious but misguided concern is the danger from synthesized Another obvious but misguided concern is the danger from synthesized
NSEC records being replayed. It's possible for an attacker to replay NSEC records being replayed. It's possible for an attacker to replay
an old but still validly signed NSEC record after a new name has been an old but still validly signed NSEC record after a new name has been
Weiler & Ihren Expires November 13, 2005 [Page 7]
Internet-Draft NSEC Epsilon May 2005
added in the span covered by that NSEC, incorrectly proving that added in the span covered by that NSEC, incorrectly proving that
there is no record at that name. This danger exists with DNSSEC as there is no record at that name. This danger exists with DNSSEC as
defined in [-bis]. The techniques described here actually decrease defined in [3]. The techniques described here actually decrease the
the danger, since the span covered by any NSEC record is smaller than danger, since the span covered by any NSEC record is smaller than
before. Choosing better increment and decrement functions will before. Choosing better epsilon functions will further reduce this
further reduce this danger. danger.
6. Normative References 7. Normative References
[1] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, [1] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
"DNS Security Introduction and Requirements", RFC 4033, "DNS Security Introduction and Requirements", RFC 4033,
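Review bot: "The success of using minimally covering NSEC record to prevent zone walking" should be plural, "minimally covering NSEC records"; the sentence is rewrapped for the "epsilon functions" wording in this hunk but the number agreement is left as it was.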
@@ -418,6 +437,74 @@ Internet-Draft NSEC Epsilon May 2005
Levels", BCP 14, RFC 2119, March 1997. Levels", BCP 14, RFC 2119, March 1997.
Appendix A. Acknowledgments
Many individuals contributed to this design. They include, in
addition to the authors of this document, Olaf Kolkman, Ed Lewis,
Weiler & Ihren Expires July 24, 2006 [Page 8]
Internet-Draft NSEC Epsilon January 2006
Peter Koch, Matt Larson, David Blacka, Suzanne Woolf, Jaap Akkerhuis,
Jakob Schlyter, Bill Manning, and Joao Damas.
In addition, the editors would like to thank Ed Lewis, Scott Rose,
and David Blacka for their careful review of the document.
Weiler & Ihren Expires July 24, 2006 [Page 9]
Internet-Draft NSEC Epsilon January 2006
Authors' Addresses Authors' Addresses
Samuel Weiler Samuel Weiler
@@ -437,72 +524,41 @@ Authors' Addresses
Email: johani@autonomica.se Email: johani@autonomica.se
Appendix A. Acknowledgments
Many individuals contributed to this design. They include, in
addition to the authors of this document, Olaf Kolkman, Ed Lewis,
Weiler & Ihren Expires November 13, 2005 [Page 8]
Weiler & Ihren Expires July 24, 2006 [Page 10]
Internet-Draft NSEC Epsilon May 2005 Internet-Draft NSEC Epsilon January 2006
Peter Koch, Matt Larson, David Blacka, Suzanne Woolf, Jaap Akkerhuis,
Jakob Schlyter, Bill Manning, and Joao Damas.
The key innovation of this document, namely that perfect increment
and decrement functions are not necessary, arose during a discussion
among the above-listed people at the RIPE49 meeting in September
2004.
Weiler & Ihren Expires November 13, 2005 [Page 9]
Internet-Draft NSEC Epsilon May 2005
Intellectual Property Statement Intellectual Property Statement
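Review bot: this hunk removes the old Appendix A wholesale, including the paragraph "The key innovation of this document, namely that perfect increment and decrement functions are not necessary, arose during a discussion among the above-listed people at the RIPE49 meeting in September 2004." The visible lines of the relocated Appendix A earlier in the diff show the contributor list and the new reviewer thanks but not this paragraph; confirm it was carried over (with "increment and decrement" updated to "epsilon" to match the rest of the draft) rather than dropped by the move.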
@@ -543,7 +599,7 @@ Disclaimer of Validity
Copyright Statement Copyright Statement
Copyright (C) The Internet Society (2005). This document is subject Copyright (C) The Internet Society (2006). This document is subject
to the rights, licenses and restrictions contained in BCP 78, and to the rights, licenses and restrictions contained in BCP 78, and
except as set forth therein, the authors retain all their rights. except as set forth therein, the authors retain all their rights.
@@ -556,5 +612,5 @@ Acknowledgment
Weiler & Ihren Expires November 13, 2005 [Page 10] Weiler & Ihren Expires July 24, 2006 [Page 11]