mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-30 14:07:59 +00:00
Code Issues Releases Wiki Activity

new draft

Browse Source
This commit is contained in:
Mark Andrews
2006-01-24 23:28:20 +00:00
parent 4afceb476f
commit 7f9da0f91c
1 changed files with 260 additions and 204 deletions
Download Patch File Download Diff File Expand all files Collapse all files

464
doc/draft/draft-ietf-dnsext-dnssec-online-signing-00.txt → doc/draft/draft-ietf-dnsext-dnssec-online-signing-02.txt
View File

@@ -4,12 +4,12 @@
Network Working Group S. Weiler
Internet-Draft SPARTA, Inc
Updates: 4034, 4035 (if approved) J. Ihren
Expires: November 13, 2005 Autonomica AB
May 12, 2005
Expires: July 24, 2006 Autonomica AB
January 20, 2006
Minimally Covering NSEC Records and DNSSEC On-line Signing
draft-ietf-dnsext-dnssec-online-signing-00
draft-ietf-dnsext-dnssec-online-signing-02
Status of this Memo
@@ -34,11 +34,11 @@ Status of this Memo
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on November 13, 2005.
This Internet-Draft will expire on July 24, 2006.
Copyright Notice
Copyright (C) The Internet Society (2005).
Copyright (C) The Internet Society (2006).
Abstract
@@ -52,11 +52,39 @@ Abstract
Weiler & Ihren Expires November 13, 2005 [Page 1]
Weiler & Ihren Expires July 24, 2006 [Page 1]
Internet-Draft NSEC Epsilon May 2005
Internet-Draft NSEC Epsilon January 2006
Changes from ietf-01 to ietf-02
Clarified that a generated NSEC RR's type bitmap MUST have the RRSIG
and NSEC bits set, to be consistent with DNSSECbis -- previous text
said SHOULD.
Made the applicability statement a little less oppressive.
Changes from ietf-00 to ietf-01
Added an applicability statement, making reference to ongoing work on
NSEC3.
Added the phrase "epsilon functions", which has been commonly used to
describe the technique and already appeared in the header of each
page, in place of "increment and decrement functions". Also added an
explanatory sentence.
Corrected references from 4034 section 6.2 to section 6.1.
Fixed an out-of-date reference to [-bis] and other typos.
Replaced IANA Considerations text.
Escaped close parentheses in examples.
Added some more acknowledgements.
Changes from weiler-01 to ietf-00
Inserted RFC numbers for 4033, 4034, and 4035.
@@ -80,50 +108,23 @@ Changes from weiler-00 to weiler-01
Weiler & Ihren Expires November 13, 2005 [Page 2]
Weiler & Ihren Expires July 24, 2006 [Page 2]
Internet-Draft NSEC Epsilon May 2005
Internet-Draft NSEC Epsilon January 2006
Table of Contents
1. Introduction and Terminology . . . . . . . . . . . . . . . . 4
2. Minimally Covering NSEC Records . . . . . . . . . . . . . . 4
3. Better Increment & Decrement Functions . . . . . . . . . . . 6
4. IANA Considerations . . . . . . . . . . . . . . . . . . . . 7
5. Security Considerations . . . . . . . . . . . . . . . . . . 7
6. Normative References . . . . . . . . . . . . . . . . . . . . 8
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 8
A. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . 8
Intellectual Property and Copyright Statements . . . . . . . 10
1. Introduction and Terminology . . . . . . . . . . . . . . . . . 4
2. Applicability of This Technique . . . . . . . . . . . . . . . 4
3. Minimally Covering NSEC Records . . . . . . . . . . . . . . . 5
4. Better Epsilon Functions . . . . . . . . . . . . . . . . . . . 6
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7
6. Security Considerations . . . . . . . . . . . . . . . . . . . 7
7. Normative References . . . . . . . . . . . . . . . . . . . . . 8
Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . . 8
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 10
Intellectual Property and Copyright Statements . . . . . . . . . . 11
@@ -163,10 +164,9 @@ Table of Contents
Weiler & Ihren Expires November 13, 2005 [Page 3]
Weiler & Ihren Expires July 24, 2006 [Page 3]
Internet-Draft NSEC Epsilon May 2005
Internet-Draft NSEC Epsilon January 2006
1. Introduction and Terminology
@@ -190,17 +190,42 @@ Internet-Draft NSEC Epsilon May 2005
these records must be created and signed on demand, which requires
on-line private keys. Anyone contemplating use of this technique is
strongly encouraged to review the discussion of the risks of on-line
signing in Section 5.
The technique presented here may be useful to a zone owner that wants
to use DNSSEC, is concerned about exposure of its zone contents via
zone walking, and is willing to bear the costs of on-line signing.
signing in Section 6.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [4].
2. Minimally Covering NSEC Records
2. Applicability of This Technique
The technique presented here may be useful to a zone owner that wants
to use DNSSEC, is concerned about exposure of its zone contents via
zone walking, and is willing to bear the costs of on-line signing.
As discussed in Section 6, on-line signing has several security
risks, including an increased likelihood of private keys being
disclosed and an increased risk of denial of service attack. Anyone
contemplating use of this technique is strongly encouraged to review
the discussion of the risks of on-line signing in Section 6.
Furthermore, at the time this document was published, the DNSEXT
working group was actively working on a mechanism to prevent zone
walking that does not require on-line signing (tentatively called
NSEC3). The new mechanism is likely to expose slightly more
information about the zone than this technique (e.g. the number of
instantiated names), but it may be preferable to this technique.
Weiler & Ihren Expires July 24, 2006 [Page 4]
Internet-Draft NSEC Epsilon January 2006
3. Minimally Covering NSEC Records
This mechanism involves changes to NSEC records for instantiated
names, which can still be generated and signed in advance, as well as
@@ -211,36 +236,32 @@ Internet-Draft NSEC Epsilon May 2005
than list the next instantiated name in the zone, list any name that
falls lexically after the NSEC's owner name and before the next
instantiated name in the zone, according to the ordering function in
RFC4034 [2] section 6.2. This relaxes the requirement in section
RFC4034 [2] section 6.1. This relaxes the requirement in section
4.1.1 of RFC4034 that the 'next name' field contains the next owner
name in the zone. This change is expected to be fully compatible
with all existing DNSSEC validators. These NSEC records are returned
whenever proving something specifically about the owner name (e.g.
that no resource records of a given type appear at that name).
Weiler & Ihren Expires November 13, 2005 [Page 4]
Internet-Draft NSEC Epsilon May 2005
Whenever an NSEC record is needed to prove the non-existence of a
name, a new NSEC record is dynamically produced and signed. The new
NSEC record has an owner name lexically before the QNAME but
lexically following any existing name and a 'next name' lexically
following the QNAME but before any existing name.
The generated NSEC record's type bitmap SHOULD have the RRSIG and
NSEC bits set and SHOULD NOT have any other bits set. This relaxes
the requirement in Section 2.3 of RFC4035 that NSEC RRs not appear at
names that did not exist before the zone wsa signed.
The generated NSEC record's type bitmap MUST have the RRSIG and NSEC
bits set and SHOULD NOT have any other bits set. This relaxes the
requirement in Section 2.3 of RFC4035 that NSEC RRs not appear at
names that did not exist before the zone was signed.
The functions to generate the lexically following and proceeding
names need not be perfect nor consistent, but the generated NSEC
records must not cover any existing names. Furthermore, this
technique works best when the generated NSEC records cover as few
names as possible.
names as possible. In this document, the functions that generate the
nearby names are called 'epsilon' functions, a reference to the
mathematical convention of using the greek letter epsilon to
represent small deviations.
An NSEC record denying the existence of a wildcard may be generated
in the same way. Since the NSEC record covering a non-existent
@@ -253,19 +274,26 @@ Internet-Draft NSEC Epsilon May 2005
denying the existence of the name example.com and the second denying
the existence of a wildcard:
Weiler & Ihren Expires July 24, 2006 [Page 5]
Internet-Draft NSEC Epsilon January 2006
exampld.com 3600 IN NSEC example-.com ( RRSIG NSEC )
).com 3600 IN NSEC +.com ( RRSIG NSEC )
\).com 3600 IN NSEC +.com ( RRSIG NSEC )
Before answering a query with these records, an authoritative server
must test for the existence of names between these endpoints. If the
generated NSEC would cover existing names (e.g. exampldd.com or
*bizarre.example.com), a better increment or decrement function may
be used or the covered name closest to the QNAME could be used as the
NSEC owner name or next name, as appropriate. If an existing name is
used as the NSEC owner name, that name's real NSEC record MUST be
returned. Using the same example, assuming an exampldd.com
delegation exists, this record might be returned from the parent:
*bizarre.example.com), a better epsilon function may be used or the
covered name closest to the QNAME could be used as the NSEC owner
name or next name, as appropriate. If an existing name is used as
the NSEC owner name, that name's real NSEC record MUST be returned.
Using the same example, assuming an exampldd.com delegation exists,
this record might be returned from the parent:
exampldd.com 3600 IN NSEC example-.com ( NS DS RRSIG NSEC )
@@ -273,27 +301,20 @@ Internet-Draft NSEC Epsilon May 2005
record MUST have corresponding RRSIGs generated using each algorithm
(but not necessarily each DNSKEY) in the zone's DNSKEY RRset, as
described in RFC4035 [3] section 2.2. To minimize the number of
Weiler & Ihren Expires November 13, 2005 [Page 5]
Internet-Draft NSEC Epsilon May 2005
signatures that must be generated, a zone may wish to limit the
number of algorithms in its DNSKEY RRset.
3. Better Increment & Decrement Functions
Section 6.2 of RFC4034 defines a strict ordering of DNS names.
4. Better Epsilon Functions
Section 6.1 of RFC4034 defines a strict ordering of DNS names.
Working backwards from that definition, it should be possible to
define increment and decrement functions that generate the
immediately following and preceding names, respectively. This
document does not define such functions. Instead, this section
presents functions that come reasonably close to the perfect ones.
As described above, an authoritative server should still ensure than
no generated NSEC covers any existing name.
define epsilon functions that generate the immediately following and
preceding names, respectively. This document does not define such
functions. Instead, this section presents functions that come
reasonably close to the perfect ones. As described above, an
authoritative server should still ensure than no generated NSEC
covers any existing name.
To increment a name, add a leading label with a single null (zero-
value) octet.
@@ -308,13 +329,21 @@ Internet-Draft NSEC Epsilon May 2005
In response to a query for the non-existent name foo.example.com,
these functions produce NSEC records of:
Weiler & Ihren Expires July 24, 2006 [Page 6]
Internet-Draft NSEC Epsilon January 2006
fon\255\255\255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255\255\255\255
\255.example.com 3600 IN NSEC \000.foo.example.com ( NSEC RRSIG )
)\255\255\255\255\255\255\255\255\255\255\255\255\255\255\255
\)\255\255\255\255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255\255\255\255
\255\255\255\255\255\255\255\255\255\255\255\255\255\255\255
@@ -327,26 +356,18 @@ Internet-Draft NSEC Epsilon May 2005
Both of these functions are imperfect: they don't take into account
constraints on number of labels in a name nor total length of a name.
As noted in the previous section, though, this technique does not
depend on the use of perfect increment or decrement functions: it is
sufficient to test whether any instantiated names fall into the span
depend on the use of perfect epsilon functions: it is sufficient to
test whether any instantiated names fall into the span covered by the
generated NSEC and, if so, substitute those instantiated owner names
for the NSEC owner name or next name, as appropriate.
5. IANA Considerations
Weiler & Ihren Expires November 13, 2005 [Page 6]
Internet-Draft NSEC Epsilon May 2005
This document specifies no IANA Actions.
covered by the generated NSEC and, if so, substitute those
instantiated owner names for the NSEC owner name or next name, as
appropriate.
4. IANA Considerations
Per RFC4041, IANA should think carefully about the protection of
their immortal souls.
5. Security Considerations
6. Security Considerations
This approach requires on-demand generation of RRSIG records. This
creates several new vulnerabilities.
@@ -356,51 +377,49 @@ Internet-Draft NSEC Epsilon May 2005
internet-accessible servers may make them more vulnerable to
unintended disclosure.
Second, since generation of public key signatures tends to be
Second, since generation of digital signatures tends to be
computationally demanding, the requirement for on-demand signing
makes authoritative servers vulnerable to a denial of service attack.
Lastly, if the increment and decrement functions are predictable, on-
demand signing may enable a chosen-plaintext attack on a zone's
private keys. Zones using this approach should attempt to use
cryptographic algorithms that are resistant to chosen-plaintext
attacks. It's worth noting that while DNSSEC has a "mandatory to
implement" algorithm, that is a requirement on resolvers and
validators -- there is no requirement that a zone be signed with any
given algorithm.
Lastly, if the epsilon functions are predictable, on-demand signing
may enable a chosen-plaintext attack on a zone's private keys. Zones
using this approach should attempt to use cryptographic algorithms
that are resistant to chosen-plaintext attacks. It's worth noting
Weiler & Ihren Expires July 24, 2006 [Page 7]
Internet-Draft NSEC Epsilon January 2006
that while DNSSEC has a "mandatory to implement" algorithm, that is a
requirement on resolvers and validators -- there is no requirement
that a zone be signed with any given algorithm.
The success of using minimally covering NSEC record to prevent zone
walking depends greatly on the quality of the increment and decrement
functions chosen. An increment function that chooses a name
obviously derived from the next instantiated name may be easily
reverse engineered, destroying the value of this technique. An
increment function that always returns a name close to the next
instantiated name is likewise a poor choice. Good choices of
increment and decrement functions are the ones that produce the
immediately following and preceding names, respectively, though zone
administrators may wish to use less perfect functions that return
more human-friendly names than the functions described in Section 3
above.
walking depends greatly on the quality of the epsilon functions
chosen. An increment function that chooses a name obviously derived
from the next instantiated name may be easily reverse engineered,
destroying the value of this technique. An increment function that
always returns a name close to the next instantiated name is likewise
a poor choice. Good choices of epsilon functions are the ones that
produce the immediately following and preceding names, respectively,
though zone administrators may wish to use less perfect functions
that return more human-friendly names than the functions described in
Section 4 above.
Another obvious but misguided concern is the danger from synthesized
NSEC records being replayed. It's possible for an attacker to replay
an old but still validly signed NSEC record after a new name has been
Weiler & Ihren Expires November 13, 2005 [Page 7]
Internet-Draft NSEC Epsilon May 2005
added in the span covered by that NSEC, incorrectly proving that
there is no record at that name. This danger exists with DNSSEC as
defined in [-bis]. The techniques described here actually decrease
the danger, since the span covered by any NSEC record is smaller than
before. Choosing better increment and decrement functions will
further reduce this danger.
defined in [3]. The techniques described here actually decrease the
danger, since the span covered by any NSEC record is smaller than
before. Choosing better epsilon functions will further reduce this
danger.
6. Normative References
7. Normative References
[1] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
"DNS Security Introduction and Requirements", RFC 4033,
@@ -418,6 +437,74 @@ Internet-Draft NSEC Epsilon May 2005
Levels", BCP 14, RFC 2119, March 1997.
Appendix A. Acknowledgments
Many individuals contributed to this design. They include, in
addition to the authors of this document, Olaf Kolkman, Ed Lewis,
Weiler & Ihren Expires July 24, 2006 [Page 8]
Internet-Draft NSEC Epsilon January 2006
Peter Koch, Matt Larson, David Blacka, Suzanne Woolf, Jaap Akkerhuis,
Jakob Schlyter, Bill Manning, and Joao Damas.
In addition, the editors would like to thank Ed Lewis, Scott Rose,
and David Blacka for their careful review of the document.
Weiler & Ihren Expires July 24, 2006 [Page 9]
Internet-Draft NSEC Epsilon January 2006
Authors' Addresses
Samuel Weiler
@@ -437,72 +524,41 @@ Authors' Addresses
Email: johani@autonomica.se
Appendix A. Acknowledgments
Many individuals contributed to this design. They include, in
addition to the authors of this document, Olaf Kolkman, Ed Lewis,
Weiler & Ihren Expires November 13, 2005 [Page 8]
Weiler & Ihren Expires July 24, 2006 [Page 10]
Internet-Draft NSEC Epsilon May 2005
Peter Koch, Matt Larson, David Blacka, Suzanne Woolf, Jaap Akkerhuis,
Jakob Schlyter, Bill Manning, and Joao Damas.
The key innovation of this document, namely that perfect increment
and decrement functions are not necessary, arose during a discussion
among the above-listed people at the RIPE49 meeting in September
2004.
Weiler & Ihren Expires November 13, 2005 [Page 9]
Internet-Draft NSEC Epsilon May 2005
Internet-Draft NSEC Epsilon January 2006
Intellectual Property Statement
@@ -543,7 +599,7 @@ Disclaimer of Validity
Copyright Statement
Copyright (C) The Internet Society (2005). This document is subject
Copyright (C) The Internet Society (2006). This document is subject
to the rights, licenses and restrictions contained in BCP 78, and
except as set forth therein, the authors retain all their rights.
@@ -556,5 +612,5 @@ Acknowledgment
Weiler & Ihren Expires November 13, 2005 [Page 10]
Weiler & Ihren Expires July 24, 2006 [Page 11]