From a45f11c75d305930721d1b3d0972b76cb2a894f0 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Fri, 28 Jan 2005 00:41:31 +0000 Subject: [PATCH] new draft --- doc/draft/draft-ietf-dnsext-nsec3-00.txt | 840 ++++++++++++++++++ doc/draft/draft-ietf-dnsext-rfc2538bis-00.txt | 728 +++++++++++++++ 2 files changed, 1568 insertions(+) create mode 100644 doc/draft/draft-ietf-dnsext-nsec3-00.txt create mode 100644 doc/draft/draft-ietf-dnsext-rfc2538bis-00.txt diff --git a/doc/draft/draft-ietf-dnsext-nsec3-00.txt b/doc/draft/draft-ietf-dnsext-nsec3-00.txt new file mode 100644 index 0000000000..2b4ac79ec2 --- /dev/null +++ b/doc/draft/draft-ietf-dnsext-nsec3-00.txt @@ -0,0 +1,840 @@ + +Network Working Group B. Laurie +Internet-Draft G. Sisson +Expires: July 2, 2005 Nominet + R. Arends + Telematica Instituut + january 2005 + + DNSSEC Hash Authenticated Denial of Existence + draft-ietf-dnsext-nsec3-00 + +Status of this Memo + + This document is an Internet-Draft and is subject to all provisions + of section 3 of RFC 3667. By submitting this Internet-Draft, each + author represents that any applicable patent or other IPR claims of + which he or she is aware have been or will be disclosed, and any of + which he or she become aware will be disclosed, in accordance with + RFC 3668. + + Internet-Drafts are working documents of the Internet Engineering + Task Force (IETF), its areas, and its working groups. Note that + other groups may also distribute working documents as + Internet-Drafts. + + Internet-Drafts are draft documents valid for a maximum of six months + and may be updated, replaced, or obsoleted by other documents at any + time. It is inappropriate to use Internet-Drafts as reference + material or to cite them other than as "work in progress." + + The list of current Internet-Drafts can be accessed at + http://www.ietf.org/ietf/1id-abstracts.txt. + + The list of Internet-Draft Shadow Directories can be accessed at + http://www.ietf.org/shadow.html. + + This Internet-Draft will expire on July 2, 2005. + +Copyright Notice + + Copyright (C) The Internet Society (2005). + +Abstract + + The DNS Security (DNSSEC) NSEC resource record (RR) is intended to be + used to provide authenticated denial of existence of DNS ownernames + and types; however, it permits any user to traverse a zone and obtain + a listing of all ownernames. + + +Laurie, et al. Expires July 2, 2005 [Page 1] +Internet-Draft nsec3 january 2005 + + A complete zone file can be used either directly as a source of + probable e-mail addresses for spam, or indirectly as a key for + multiple WHOIS queries to reveal registrant data which many + registries (particularly in Europe) may be under strict legal + obligations to protect. Many registries therefore prohibit copying + of their zone file; however the use of NSEC RRs makes renders + policies unenforceable. + + This document proposes a scheme which obscures original ownernames + while permitting authenticated denial of existence of non-existent + names. Non-authoritative delegation point NS RR types may be + excluded. + + + + + + + + + + + + + + + + + + + + +Laurie, et al. Expires July 2, 2005 [Page 2] +Internet-Draft nsec3 january 2005 + +Table of Contents + + 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 + 1.1 Rationale . . . . . . . . . . . . . . . . . . . . . . . . 4 + 1.2 Reserved Words . . . . . . . . . . . . . . . . . . . . . . 4 + 1.3 Terminology . . . . . . . . . . . . . . . . . . . . . . . 4 + 2. The NSEC3 Resource Record . . . . . . . . . . . . . . . . . . 5 + 2.1 NSEC3 RDATA Wire Format . . . . . . . . . . . . . . . . . 5 + 2.1.1 The Authoritative Only Flag Field . . . . . . . . . . 6 + 2.1.2 The Hash Function Field . . . . . . . . . . . . . . . 6 + 2.1.3 The Iterations Field . . . . . . . . . . . . . . . . . 6 + 2.1.4 The Salt Length Field . . . . . . . . . . . . . . . . 6 + 2.1.5 The Salt Field . . . . . . . . . . . . . . . . . . . . 6 + 2.1.6 The Next Hashed Ownername Field . . . . . . . . . . . 7 + 2.1.7 The list of Type Bit Map(s) Field . . . . . . . . . . 7 + 2.2 The NSEC3 RR Presentation Format . . . . . . . . . . . . . 8 + 3. Creating Additional NSEC3 RR for Empty Non Terminals . . . . . 9 + 4. Calculation of the Hash . . . . . . . . . . . . . . . . . . . 9 + 5. Special Considerations . . . . . . . . . . . . . . . . . . . . 9 + 5.1 delegation points . . . . . . . . . . . . . . . . . . . . 10 + 5.1.1 Unsigned Delegations . . . . . . . . . . . . . . . . . 10 + 5.2 Additional Complexity Caused by Wildcards . . . . . . . . 11 + 5.3 Salting . . . . . . . . . . . . . . . . . . . . . . . . . 11 + 5.4 Hash Collision . . . . . . . . . . . . . . . . . . . . . . 11 + 5.4.1 Avoiding Hash Collisions during generation . . . . . . 11 + 5.4.2 Second Preimage Requirement Analysis . . . . . . . . . 11 + 5.4.3 Possible Hash Value Truncation Method . . . . . . . . 12 + 6. Performance Considerations . . . . . . . . . . . . . . . . . . 12 + 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12 + 8. Security Considerations . . . . . . . . . . . . . . . . . . . 13 + 9. Requirements notation . . . . . . . . . . . . . . . . . . . . 13 + 10. Security Considerations . . . . . . . . . . . . . . . . . . 13 + A. Example Zone . . . . . . . . . . . . . . . . . . . . . . . . . 13 + 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 14 + 11.1 Normative References . . . . . . . . . . . . . . . . . . . . 14 + 11.2 Informative References . . . . . . . . . . . . . . . . . . . 15 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 15 + Intellectual Property and Copyright Statements . . . . . . . . 17 + + + + + + + +Laurie, et al. Expires July 2, 2005 [Page 3] +Internet-Draft nsec3 january 2005 + +1. Introduction + + The DNS Security Extensions (DNSSEC) introduced the NSEC Resource + Record (RR) for Authenticated Denial of Existence. This document + introduces a new RR as an alternative to NSEC that provides measures + against zone traversal and allows for gradual expansion of + delegation-centric zones. + +1.1 Rationale + + The DNS Security Extensions included the NSEC RR to provide + authenticated denial of existence. Though the NSEC RR meets the + requirements for authenticated denial of Existence, it introduced a + side-effect in that the contents of a zone can be enumerated. This + property introduces undesired policy issues. + + A second requirement was that the existence of all record types in a + zone -including delegation point NS record types- can be accounted + for, despite the fact that delegation point NS RRsets are not + authoritative and not signed. This requirement has a side-effect + that the overhead of delegation centric signed zones is not related + to the increase in security of subzones. This requirement does not + allow delegation centric zones size to grow in relation to the growth + of signed subzones. + + In the past, solutions have been proposed as a measure against these + side effects but at the time were regarded as secondary over the need + to have a stable DNSSEC specification. With (draft-vixie-dnssec-ter) + a graceful transition path to future enhancements is introduced, + while current DNSSEC deployment can continue. This document + accumulates measures against the side effects introduced by NSEC, and + presents the NSEC3 Resource Record. + + The reader is assumed to be familiar with the basic DNS concepts + described in RFC1034 [RFC1034], RFC1035 [RFC1035] and subsequent RFCs + that update them: RFC2136 [RFC2136], RFC2181 [RFC2181] and RFC2308 + [RFC2308]. + +1.2 Reserved Words + + The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", + "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this + document are to be interpreted as described in RFC 2119 [RFC2119]. + +1.3 Terminology + + In this document the term "original ownername" refers to a standard + ownername. Because this proposal uses the result of a hash function + + +Laurie, et al. Expires July 2, 2005 [Page 4] +Internet-Draft nsec3 january 2005 + + over the original (unmodified) ownername, this result is refered to + as "hashed ownername". + +2. The NSEC3 Resource Record + + The NSEC3 RR provides Authenticated Denial of Existence for DNS + Resource Record Sets. + + The NSEC3 Resource Record lists RR types present at the NSEC3 RR's + original ownername. It includes the next hashed ownername in the + canonical ordering of the zone. The complete set of NSEC3 RRs in a + zone indicates which RRsets exist for the original ownername of the + RRset and form a chain of hashed ownernames in the zone. This + information is used to provide authenticated denial of existence for + DNS data, as described in RFC 2535 [RFC2535]. Unsigned delegation + point NS RR sets can optionally be excluded. To provide protection + against zone traversal, the ownernames used in the NSEC3 RR are + cryptographic hash-value prepended to the name of the zone. The + NSEC3 RR record indicates which Hash Function is used to construct to + hash, which Salt is used, and how many iterations of the Hash + Function are performed over the original ownername. + + The type value for the NSEC3 RR is XX. + + The NSEC3 RR RDATA format is class independent. + + The NSEC3 RR SHOULD have the same TTL value as the SOA minimum TTL + field. This is in the spirit of negative caching [RFC2308]. + +2.1 NSEC3 RDATA Wire Format + + The RDATA of the NSEC3 RR is as shown below: + + 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + |A|Hash Function| Iterations | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Salt Length | Salt / + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + / Next Hashed Ownername / + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + / Type Bit Maps / + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + + + +Laurie, et al. Expires July 2, 2005 [Page 5] +Internet-Draft nsec3 january 2005 + +2.1.1 The Authoritative Only Flag Field + + The Authoritative Only Flag field indicates whether the Type Bit Maps + include delegation point NS record types. + + If the flag is set to 1, the NS RR type bit for a delegation point + ownername SHOULD be clear when the NSEC3 RR is generated. The NS RR + type bit MUST be ignored during processing of the NSEC3 RR. The NS + RR type bit has no meaning in this context (it is not authoritative), + hence the NSEC3 does not contest the existence of a NS RR type record + for this ownername. When a delegation is not secured, there exist no + DS RR type nor any other authoritative types for this delegation, + hence the unsecured delegation has no NSEC3 record associated. + Please see the Special Consideration section for implications for + unsigned delegations. + + If the flag is set to 0, the NS RR type bit for a delegation point + ownername MUST be set if the NSEC3 covers a delegation, even though + the NS RR itself is not authoritative. This implies that all + delegations, signed or unsigned, have an NSEC3 record associated. + This behavior is identical to NSEC behavior. + +2.1.2 The Hash Function Field + + The Hash Function field identifies the cryptographic hash function + used to construct the hash-value. + + This document defines Value 1 for SHA-1 and Value 127 for + Experimental. All other values are reserved. + + On reception, a resolver MUST discard an NSEC3 RR with an unknown + Hash Function value. + +2.1.3 The Iterations Field + + The Iterations field defines the number of times the hash has been + iterated. More iterations results in greater resiliency of the hash + value against dictionary attacks, but at a higher cost for both the + server and resolver. + +2.1.4 The Salt Length Field + + The Salt Length Field defines the length of the salt in octets. + +2.1.5 The Salt Field + + The salt field is not present when the Salt Length Field has a value + of 0. + + +Laurie, et al. Expires July 2, 2005 [Page 6] +Internet-Draft nsec3 january 2005 + + The salt field is prepended to the original ownername before hashing + in order to defend against precalculated dictionary attacks. + + The salt is not prepended during iterations of the hash function. + + The Salt field value MUST be identical for all NSEC3 RRs generated + for the zone. If the salt were different for each NSEC3 RR, + collisions could occur where an NSEC3 denies the existence of + existing RRs due to the application of different salt values. + +2.1.6 The Next Hashed Ownername Field + + The Next Hashed Ownername Field contains the hash of the ownername of + the next RR in the canonical ordering of the hashed ownernames of the + zone. The value of the Next Hashed Ownername Field in the last NSEC3 + record in the zone is the same as the ownername of the first NSEC3 RR + in the zone in canonical order. + + A sender MUST NOT use DNS name compression on the Next Hashed + Ownername field when transmitting an NSEC3 RR. + + Hashed ownernames of RRsets not authoritative for the given zone + (such as glue records) MUST NOT be listed in the Hash of Next Domain + Name unless at least one authoritative RRset exists at the same owner + name. + +2.1.7 The list of Type Bit Map(s) Field + + The Type Bit Maps field identifies the RRset types which exist at the + NSEC3 RR's ownername. + + The Type bit for the NSEC3 and RRSIG MUST be set during generation, + and MUST be ignored during processing. + + The RR type space is split into 256 window blocks, each representing + the low-order 8 bits of the 16-bit RR type space. Each block that + has at least one active RR type is encoded using a single octet + window number (from 0 to 255), a single octet bitmap length (from 1 + to 32) indicating the number of octets used for the window block's + bitmap, and up to 32 octets (256 bits) of bitmap. + + Blocks are present in the NSEC3 RR RDATA in increasing numerical + order. + + "|" denotes concatenation + + Type Bit Map(s) Field = ( Window Block # | Bitmap Length | Bitmap ) + + + +Laurie, et al. Expires July 2, 2005 [Page 7] +Internet-Draft nsec3 january 2005 + + Each bitmap encodes the low-order 8 bits of RR types within the + window block, in network bit order. The first bit is bit 0. For + window block 0, bit 1 corresponds to RR type 1 (A), bit 2 corresponds + to RR type 2 (NS), and so forth. For window block 1, bit 1 + corresponds to RR type 257, bit 2 to RR type 258. If a bit is set to + 1, it indicates that an RRset of that type is present for the NSEC3 + RR's ownername. If a bit is set to 0, it indicates that no RRset of + that type is present for the NSEC3 RR's ownername. + + The RR type 2 (NS) is authoritative at the apex of a zone and is not + authoritative at delegation points. If the Authoritative Only Flag + is set to 1, the delegation point NS RR type MUST NOT be included in + the type bit maps. If the Authoritative Only Flag is set to 0, the + NS RR type at a delegation point MUST be included in the type bit + maps. + + Since bit 0 in window block 0 refers to the non-existing RR type 0, + it MUST be set to 0. After verification, the validator MUST ignore + the value of bit 0 in window block 0. + + Bits representing Meta-TYPEs or QTYPEs as specified in RFC 2929 [4] + (section 3.1) or within the range reserved for assignment only to + QTYPEs and Meta-TYPEs MUST be set to 0, since they do not appear in + zone data. If encountered, they must be ignored upon reading. + + Blocks with no types present MUST NOT be included. Trailing zero + octets in the bitmap MUST be omitted. The length of each block's + bitmap is determined by the type code with the largest numerical + value, within that block, among the set of RR types present at the + NSEC3 RR's actual ownername. Trailing zero octets not specified MUST + be interpretted as zero octets. + +2.2 The NSEC3 RR Presentation Format + + The presentation format of the RDATA portion is as follows: + + The Authoritative Only Field is represented as an unsigned decimal + integer. The value are either 0 or 1. + + The Hash field is presented as the name of the hash or as an unsigned + decimal integer. The value has a maximum of 127. + + The Iterations field is presented as an unsigned decimal integer. + + The Salt Length field is not presented. + + The Salt field is represented as a sequence of case-insensitive + hexadecimal digits. Whitespace is not allowed within the sequence. + + +Laurie, et al. Expires July 2, 2005 [Page 8] +Internet-Draft nsec3 january 2005 + + The Salt Field is represented as 00 when the Salt Length field has + value 0. + + The Hash of Next Domain Name field is represented as a sequence of + case-insensitive base32 digits. Whitespace is allowed within the + sequence. + + The List of Type Bit Map(s) Field is represented as a sequence of RR + type mnemonics. When the mnemonic is not known, the TYPE + representation as described in RFC 3597 [5] (section 5) MUST be used. + +3. Creating Additional NSEC3 RR for Empty Non Terminals + + In order to prove the nonexistence of a record that might be covered + by a wildcard, it is necessary to prove the existence of its closest + encloser. A closest encloser might be an Empty Non Terminal. + + Additional NSEC3 RRs cover every existing intermediate label level. + Additional NSEC3 RRs are identical in format to NSEC3 RRs that cover + existing RRs in the zone. The difference is that the type-bit-maps + only indicate the existence of an NSEC3 RR and a RRSIG type. + +4. Calculation of the Hash + + Define H(x) to be the hash of x using the hash function selected by + the NSEC3 record and || to indicate concatenation. Then define: + + IH(salt,x,0)=H(x || salt) + + IH(salt,x,k)=H(IH(salt,x,k-1) || salt) if k > 0 + + Then the calculated hash of an ownername is + IH(salt,ownername,iterations-1), where the ownername is the canonical + form. + + The canonical form of the ownername is the wire format of the + ownername where: + 1. The ownername is fully expanded (no DNS name compression) and + fully qualified; + 2. All uppercase US-ASCII letters are replaced by the corresponding + lowercase US-ASCII letters; + 3. If the ownername is a wildcard name, the ownername is in its + original unexpanded form, including the "*" label (no wildcard + substitution); + +5. Special Considerations + + The following paragraphs clarify specific behavior explain special + + +Laurie, et al. Expires July 2, 2005 [Page 9] +Internet-Draft nsec3 january 2005 + + considerations for implementations. + +5.1 delegation points + + This proposal introduces the Authoritative Only Flag which indicates + whether non authoritative delegation point NS records are included in + the type bit Maps. As discussed in paragraph 2.1.1, a flag value of + 0 indicates that the interpretation of the type bit maps is identical + to NSEC records. + + The following subsections describe behavior when the flag value is 1. + +5.1.1 Unsigned Delegations + + Delegation point NS records are not authoritative. They are + authoritative in the delegated zone. No other data exists at the + ownername of an unsigned delegation point. + + Since no authoritative data exist at this ownername, it is excluded + from the NSEC3 chain. This is an optimization since it relieves the + zone of including an NSEC3 record and its associated signature for + this name. + + An NSEC3 that denies existence of ownernames between X and X' with + the Authoritative Only Flag set to 1 can not be used to proof + presence nor absence of the delegation point NS records for unsigned + delegations in the interval X, X'. The Authoritative Only Flag + effectively states No Contest on the presence of delegation point NS + resource records. + + Since proof is absent, there exists a new attack vector. Unsigned + delegation point NS records can be deleted during a man in the middle + attack, effectively denying existence of the delegation. This is a + form of Denial of Service, where the victim has no information it is + under attack, since all signatures are valid and the fabricated + response form is a known type of response. + + The only possible mitigation is to either not use this method, hence + proving existence or absence of unsigned delegations, or signing the + delegated zone, changing the unsigned delegation into a signed + delegation. + + A second attack vector exists in that an adversary is able to + successfully fabricate a response claiming a not existent delegation + to exist, though unsigned. + + The only possible mitigation is to either not use this method, hence + proving absence of unsigned delegations. + + +Laurie, et al. Expires July 2, 2005 [Page 10] +Internet-Draft nsec3 january 2005 + +5.2 Additional Complexity Caused by Wildcards + + If a wildcard ownername appears in a zone, the wildcard label ("*") + is treated as a literal symbol and is treated in the same way as any + other ownername for purposes of generating NSEC3 RRs. RFC 2535 + [RFC2525] describes the impact of wildcards on authenticated denial + of existence. + + In order to prove there are no wildcards for a domain, as well as no + RRs that match directly, an RR must be shown for the closest + encloser, and nonexistence must be shown for all enclosers that could + be closer. + +5.3 Salting + + Augmenting original ownernames with salt before hashing increases the + cost of a dictionary of pre-generated hash-values. For every bit of + salt, the cost of the dictionary doubles. The NSEC3 RR can use + maximum 2040 bits of salt, multiplying the cost by 2^2040. + + The salt value for each NSEC3 RR MUST be equal for a single version + of the zone. + +5.4 Hash Collision + + Hash collisions occur when different messages have the same hash + value. The expected number of domain names needed to give a 1 in 2 + chance of a single collision is about 2^80. Though this probability + is extremely low, the following paragraphs deal with avoiding + collisions and assessing possible damage in the event of an attack + using Hash collisions. + +5.4.1 Avoiding Hash Collisions during generation + + During generation of NSEC3 RRs, hash values are supposedly unique. + In the (academic) case of a collision occuring, an alternative salt + SHOULD be chosen and all hash values SHOULD be regenerated. + + If hash values are not regenerated on collision, the NSEC3 RR MUST + list all authoritative RR types that exist for both owners, to avoid + a replay attack, spoofing an existing type as non-existent. + +5.4.2 Second Preimage Requirement Analysis + + A collision resistant hash function has a second-preimage resistance + property. The second-preimage resistance property means that it is + computationally infeasible to find another message with the same hash + value as a given message, i.e. given preimage X, to find a second + + +Laurie, et al. Expires July 2, 2005 [Page 11] +Internet-Draft nsec3 january 2005 + + preimage X' <> X such that hash(X) = hash(X'). The probability of + finding a second preimage is 1 in 2^160 for SHA-1 on average. To + mount an attack using an existing NSEC3 RR, an adversary needs to + find a second preimage. + + Assuming an adversary is capable of mounting such an extreme attack, + the actual damage is that a response message can be generated which + claims that a certain QNAME (i.e. the second pre-image) does exist, + while in reality QNAME does not exist (a false positive), which will + either cause a security aware resolver to re-query for the + non-existent name, or to fail the initial query. Note that the + adversary can't mount this attack on an existing name but only on a + name that the adversary can't choose and does not yet exist. + +5.4.3 Possible Hash Value Truncation Method + + The previous sections outlined the low probability and low impact of + a second-preimage attack. When impact and probability are low, while + space in a DNS message is costly, truncation is tempting. Truncation + might be considered to allow for shorter ownernames and rdata for + hashed labels. In general, if a cryptographic hash is truncated to n + bits, then the expected number of domains required to give a 1 in 2 + probability of a single collision is approximately 2^(n/2) and the + work factor to produce a second preimage resistance is 2^n. + + An extreme hash value truncation would be truncating to the shortest + possible unique label value. Considering that hash values are + presented in base32, which represents 5 bits per label character, + truncation must be done on a 5 bit boundary. This would be unwise, + since the work factor to produce collisions would then approximate + the size of the zone. + + Though the mentioned truncation can be maximized to a certain + extreme, the probability of collision increases exponentially for + every truncated bit. Given the low impact of hash value collisions + and limited space in DNS messages, the balance between truncation + profit and collision damage may be determined by local policy. + +6. Performance Considerations + + Iterated hashes will obviously impose a performance penalty on both + authoritative servers and resolvers. Therefore, the number of + iterations should be carefully chosen. + +7. IANA Considerations + + IANA has to create a new registry for NSEC3 Hash Functions. The + range for this registry is 0-127. Value 1 is marked as SHA-1. + + +Laurie, et al. Expires July 2, 2005 [Page 12] +Internet-Draft nsec3 january 2005 + + Values 0, 2-126 are marked as Reserved For Future Use. Value 127 is + marked as Experimental. + +8. Security Considerations + + The NSEC3 records are still susceptible to dictionary attacks (i.e. + the attacker retrieves all the NSEC3 records, then calculates the + hashes of all likely domain names, comparing against the hashes found + in the NSEC3 records, and thus enumerating the zone). These are + substantially more expensive than traversing the original NSEC + records would have been, and in any case, such an attack could also + be used directly against the name server itself by performing queries + for all likely names. The expense of this attack can be chosen by + setting the iterations in the NSEC3 RR. + + High-value domains are also susceptible to a precalculated dictionary + attack - that is, a list of hashes for all likely names is computed + once, then NSEC3 is scanned periodically and compared against the + precomputed hashes. This attack is prevented by changing the salt on + a regular basis. + + Walking the NSEC3 RRs will reveal the total number of records in the + zone, and also what types they are. This could be mitigated by + adding dummy entries, but certainly an upper limit can always be + found. + + Hash collisions may occur. If they do, it will be impossible to + prove the nonexistence of the colliding domain - however, this is + fantastically unlikely, and, in any case, DNSSEC already relies on + SHA-1 to not collide. + +9. Requirements notation + + The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", + "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this + document are to be interpreted as described in [RFC2119]. + +10. Security Considerations + +Appendix A. Example Zone + + This is a zone showing its NSEC3 records. They can also be used as + test vectors for the hash algorithm. RRSIG records have been elided. + + + + +Laurie, et al. Expires July 2, 2005 [Page 13] +Internet-Draft nsec3 january 2005 + + example.com. 1000 IN SOA localhost. + postmaster.localhost.example.com. ( + 1 ; serial + 3600 ; refresh (1 hour) + 1800 ; retry (30 minutes) + 604800 ; expire (1 week) + 3600 ; minimum (1 hour) + ) + 1000 NS ns1.example.com. + 1000 NS ns2.example.com. + f519593e82969842a136e0f47814c881fa163833.example.com. 3600 IN NSEC3 \ + SHA-1 200 31323334 4EF8239D95C18403A509D7C336A5D0FA48FD1107 \ + NS SOA RRSIG DNSKEY NSEC3 + a.example.com. 1000 IN A 1.2.3.4 + 1000 IN A 1.2.3.5 + 1000 TXT "An example" + bfe6ea21dee9d228889ae11fa58c4bd551d15801.example.com. 3600 IN NSEC3 \ + SHA-1 200 31323334 F519593E82969842A136E0F47814C881FA163833 \ + A TXT RRSIG NSEC3 + b.example.com. 1000 IN A 1.2.3.7 + 83c06d3b7d01fbc9576c71af2bec1a1163435153.example.com. 3600 IN NSEC3 \ + SHA-1 200 31323334 A33559360EECB02F36B5C1B72C109126CA4F5A0D \ + A RRSIG NSEC3 + a.b.c.example.com. 1000 IN A 1.2.3.6 + a33559360eecb02f36b5c1b72c109126ca4f5a0d.example.com. 3600 IN NSEC3 \ + SHA-1 200 31323334 BFE6EA21DEE9D228889AE11FA58C4BD551D15801 \ + A RRSIG NSEC3 + ns1.example.com. 1000 IN A 1.2.3.8 + 4ef8239d95c18403a509d7c336a5d0fa48fd1107.example.com. 3600 IN NSEC3 \ + SHA-1 200 31323334 50016B56FD2F0FFC7B563C50FAF0E34259763BBB \ + A RRSIG NSEC3 + ns2.example.com. 1000 IN A 1.2.3.9 + 50016b56fd2f0ffc7b563c50faf0e34259763bbb.example.com. 3600 IN NSEC3 \ + SHA-1 200 31323334 83C06D3B7D01FBC9576C71AF2BEC1A1163435153 \ + A RRSIG NSEC3 + +11. References + +11.1 Normative References + + [RFC1034] Mockapetris, P., "Domain names - concepts and facilities", + STD 13, RFC 1034, November 1987. + + [RFC1035] Mockapetris, P., "Domain names - implementation and + specification", STD 13, RFC 1035, November 1987. + + [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate + + +Laurie, et al. Expires July 2, 2005 [Page 14] +Internet-Draft nsec3 january 2005 + + Requirement Levels", BCP 14, RFC 2119, March 1997. + + [RFC2136] Vixie, P., Thomson, S., Rekhter, Y. and J. Bound, "Dynamic + Updates in the Domain Name System (DNS UPDATE)", RFC 2136, + April 1997. + + [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS + Specification", RFC 2181, July 1997. + + [RFC2308] Andrews, M., "Negative Caching of DNS Queries (DNS + NCACHE)", RFC 2308, March 1998. + + [RFC2535] Eastlake, D., "Domain Name System Security Extensions", + RFC 2535, March 1999. + +11.2 Informative References + + [RFC2026] Bradner, S., "The Internet Standards Process -- Revision + 3", BCP 9, RFC 2026, October 1996. + + [RFC2418] Bradner, S., "IETF Working Group Guidelines and + Procedures", BCP 25, RFC 2418, September 1998. + + [rollover] + Ihren, J., Kolkman, O. and B. Manning, "An In-Band + Rollover Algorithm and a Out-Of-Band Priming Method for + DNS Trust Anchors.", July 2004. + +Authors' Addresses + + Ben Laurie + Nominet + 17 Perryn Road + London W3 7LR + England + + Phone: +44 (20) 8735 0686 + EMail: ben@algroup.co.uk + + Geoffrey Sisson + Nominet + + + + +Laurie, et al. Expires July 2, 2005 [Page 15] +Internet-Draft nsec3 january 2005 + + Roy Arends + Telematica Instituut + Brouwerijstraat 1 + 7523 XC Enschede + The Netherlands + + Phone: +31 (53) 485 0485 + EMail: roy.arends@telin.nl + + + + + + + + + + + + + + + + + + + + + + +Laurie, et al. Expires July 2, 2005 [Page 16] +Internet-Draft nsec3 january 2005 + +Intellectual Property Statement + + The IETF takes no position regarding the validity or scope of any + Intellectual Property Rights or other rights that might be claimed to + pertain to the implementation or use of the technology described in + this document or the extent to which any license under such rights + might or might not be available; nor does it represent that it has + made any independent effort to identify any such rights. Information + on the procedures with respect to rights in RFC documents can be + found in BCP 78 and BCP 79. + + Copies of IPR disclosures made to the IETF Secretariat and any + assurances of licenses to be made available, or the result of an + attempt made to obtain a general license or permission for the use of + such proprietary rights by implementers or users of this + specification can be obtained from the IETF on-line IPR repository at + http://www.ietf.org/ipr. + + The IETF invites any interested party to bring to its attention any + copyrights, patents or patent applications, or other proprietary + rights that may cover technology that may be required to implement + this standard. Please address the information to the IETF at + ietf-ipr@ietf.org. + +Disclaimer of Validity + + This document and the information contained herein are provided on an + "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS + OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET + ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, + INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE + INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED + WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + +Copyright Statement + + Copyright (C) The Internet Society (2005). This document is subject + to the rights, licenses and restrictions contained in BCP 78, and + except as set forth therein, the authors retain all their rights. + +Acknowledgment + + Funding for the RFC Editor function is currently provided by the + Internet Society. + + +Laurie, et al. Expires July 2, 2005 [Page 17] diff --git a/doc/draft/draft-ietf-dnsext-rfc2538bis-00.txt b/doc/draft/draft-ietf-dnsext-rfc2538bis-00.txt new file mode 100644 index 0000000000..8cd32e316b --- /dev/null +++ b/doc/draft/draft-ietf-dnsext-rfc2538bis-00.txt @@ -0,0 +1,728 @@ + +Network Working Group S. Josefsson +Internet-Draft January 24, 2005 +Expires: July 25, 2005 + + + Storing Certificates in the Domain Name System (DNS) + draft-ietf-dnsext-rfc2538bis-00 + +Status of this Memo + + This document is an Internet-Draft and is subject to all provisions + of section 3 of RFC 3667. By submitting this Internet-Draft, each + author represents that any applicable patent or other IPR claims of + which he or she is aware have been or will be disclosed, and any of + which he or she become aware will be disclosed, in accordance with + RFC 3668. + + Internet-Drafts are working documents of the Internet Engineering + Task Force (IETF), its areas, and its working groups. Note that + other groups may also distribute working documents as + Internet-Drafts. + + Internet-Drafts are draft documents valid for a maximum of six months + and may be updated, replaced, or obsoleted by other documents at any + time. It is inappropriate to use Internet-Drafts as reference + material or to cite them other than as "work in progress." + + The list of current Internet-Drafts can be accessed at + http://www.ietf.org/ietf/1id-abstracts.txt. + + The list of Internet-Draft Shadow Directories can be accessed at + http://www.ietf.org/shadow.html. + + This Internet-Draft will expire on July 25, 2005. + +Copyright Notice + + Copyright (C) The Internet Society (2005). + +Abstract + + Cryptographic public key are frequently published and their + authenticity demonstrated by certificates. A CERT resource record + (RR) is defined so that such certificates and related certificate + revocation lists can be stored in the Domain Name System (DNS). + + + + + + + +Josefsson Expires July 25, 2005 [Page 1] + +Internet-Draft Storing Certificates in the DNS January 2005 + + +Table of Contents + + 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 + 2. The CERT Resource Record . . . . . . . . . . . . . . . . . . . 3 + 2.1 Certificate Type Values . . . . . . . . . . . . . . . . . 4 + 2.2 Text Representation of CERT RRs . . . . . . . . . . . . . 5 + 2.3 X.509 OIDs . . . . . . . . . . . . . . . . . . . . . . . . 5 + 3. Appropriate Owner Names for CERT RRs . . . . . . . . . . . . . 6 + 3.1 Content-based X.509 CERT RR Names . . . . . . . . . . . . 7 + 3.2 Purpose-based X.509 CERT RR Names . . . . . . . . . . . . 8 + 3.3 Content-based OpenPGP CERT RR Names . . . . . . . . . . . 8 + 3.4 Purpose-based OpenPGP CERT RR Names . . . . . . . . . . . 9 + 4. Performance Considerations . . . . . . . . . . . . . . . . . . 9 + 5. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 10 + 6. Security Considerations . . . . . . . . . . . . . . . . . . . 10 + 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 + 8. Changes since RFC 2538 . . . . . . . . . . . . . . . . . . . . 11 + Author's Address . . . . . . . . . . . . . . . . . . . . . . . 12 + 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 11 + 9.1 Normative References . . . . . . . . . . . . . . . . . . . . 11 + 9.2 Informative References . . . . . . . . . . . . . . . . . . . 12 + A. Copying conditions . . . . . . . . . . . . . . . . . . . . . . 12 + Intellectual Property and Copyright Statements . . . . . . . . 13 + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Josefsson Expires July 25, 2005 [Page 2] + +Internet-Draft Storing Certificates in the DNS January 2005 + + +1. Introduction + + Public keys are frequently published in the form of a certificate and + their authenticity is commonly demonstrated by certificates and + related certificate revocation lists (CRLs). A certificate is a + binding, through a cryptographic digital signature, of a public key, + a validity interval and/or conditions, and identity, authorization, + or other information. A certificate revocation list is a list of + certificates that are revoked, and incidental information, all signed + by the signer (issuer) of the revoked certificates. Examples are + X.509 certificates/CRLs in the X.500 directory system or OpenPGP + certificates/revocations used by OpenPGP software. + + Section 2 below specifies a CERT resource record (RR) for the storage + of certificates in the Domain Name System. + + Section 3 discusses appropriate owner names for CERT RRs. + + Sections 4, 5, and 6 below cover performance, IANA, and security + considerations, respectively. + + The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", + "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this + document are to be interpreted as described in [10]. + +2. The CERT Resource Record + + The CERT resource record (RR) has the structure given below. Its RR + type code is 37. + + 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | type | key tag | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | algorithm | / + +---------------+ certificate or CRL / + / / + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-| + + The type field is the certificate type as define in section 2.1 + below. + + The algorithm field has the same meaning as the algorithm field in + DNSKEY and RRSIG RRs [9] except that a zero algorithm field indicates + the algorithm is unknown to a secure DNS, which may simply be the + result of the algorithm not having been standardized for DNSSEC. + + + + +Josefsson Expires July 25, 2005 [Page 3] + +Internet-Draft Storing Certificates in the DNS January 2005 + + + The key tag field is the 16 bit value computed for the key embedded + in the certificate, using the RRSIG Key Tag Algorithm described in + Appendix B of [9]. This field is used as an efficiency measure to + pick which CERT RRs may be applicable to a particular key. The key + tag can be calculated for the key in question and then only CERT RRs + with the same key tag need be examined. However, the key must always + be transformed to the format it would have as the public key portion + of a DNSKEY RR before the key tag is computed. This is only possible + if the key is applicable to an algorithm (and limits such as key size + limits) defined for DNS security. If it is not, the algorithm field + MUST BE zero and the tag field is meaningless and SHOULD BE zero. + +2.1 Certificate Type Values + + The following values are defined or reserved: + + Value Mnemonic Certificate Type + ----- -------- ----------- ---- + 0 reserved + 1 PKIX X.509 as per PKIX + 2 SPKI SPKI certificate + 3 PGP OpenPGP packet + 4-252 available for IANA assignment + 253 URI URI private + 254 OID OID private + 255-65534 available for IANA assignment + 65535 reserved + + The PKIX type is reserved to indicate an X.509 certificate conforming + to the profile being defined by the IETF PKIX working group. The + certificate section will start with a one byte unsigned OID length + and then an X.500 OID indicating the nature of the remainder of the + certificate section (see 2.3 below). (NOTE: X.509 certificates do + not include their X.500 directory type designating OID as a prefix.) + + The SPKI type is reserved to indicate a certificate formated as to be + specified by the IETF SPKI working group. + + The PGP type indicates an OpenPGP packet as described in [5] and its + extensions and successors. Two uses are to transfer public key + material and revocation signatures. The data is binary, and MUST NOT + be encoded into an ASCII armor. An implementation SHOULD process + transferable public keys as described in section 10.1 of [5], but it + MAY handle additional OpenPGP packets. + + The URI private type indicates a certificate format defined by an + absolute URI. The certificate portion of the CERT RR MUST begin with + a null terminated URI [4] and the data after the null is the private + + + +Josefsson Expires July 25, 2005 [Page 4] + +Internet-Draft Storing Certificates in the DNS January 2005 + + + format certificate itself. The URI SHOULD be such that a retrieval + from it will lead to documentation on the format of the certificate. + Recognition of private certificate types need not be based on URI + equality but can use various forms of pattern matching so that, for + example, subtype or version information can also be encoded into the + URI. + + The OID private type indicates a private format certificate specified + by a an ISO OID prefix. The certificate section will start with a + one byte unsigned OID length and then a BER encoded OID indicating + the nature of the remainder of the certificate section. This can be + an X.509 certificate format or some other format. X.509 certificates + that conform to the IETF PKIX profile SHOULD be indicated by the PKIX + type, not the OID private type. Recognition of private certificate + types need not be based on OID equality but can use various forms of + pattern matching such as OID prefix. + +2.2 Text Representation of CERT RRs + + The RDATA portion of a CERT RR has the type field as an unsigned + decimal integer or as a mnemonic symbol as listed in section 2.1 + above. + + The key tag field is represented as an unsigned decimal integer. + + The algorithm field is represented as an unsigned decimal integer or + a mnemonic symbol as listed in [9]. + + The certificate / CRL portion is represented in base 64 [11] and may + be divided up into any number of white space separated substrings, + down to single base 64 digits, which are concatenated to obtain the + full signature. These substrings can span lines using the standard + parenthesis. + + Note that the certificate / CRL portion may have internal sub-fields + but these do not appear in the master file representation. For + example, with type 254, there will be an OID size, an OID, and then + the certificate / CRL proper. But only a single logical base 64 + string will appear in the text representation. + +2.3 X.509 OIDs + + OIDs have been defined in connection with the X.500 directory for + user certificates, certification authority certificates, revocations + of certification authority, and revocations of user certificates. + The following table lists the OIDs, their BER encoding, and their + length prefixed hex format for use in CERT RRs: + + + + +Josefsson Expires July 25, 2005 [Page 5] + +Internet-Draft Storing Certificates in the DNS January 2005 + + + id-at-userCertificate + = { joint-iso-ccitt(2) ds(5) at(4) 36 } + == 0x 03 55 04 24 + id-at-cACertificate + = { joint-iso-ccitt(2) ds(5) at(4) 37 } + == 0x 03 55 04 25 + id-at-authorityRevocationList + = { joint-iso-ccitt(2) ds(5) at(4) 38 } + == 0x 03 55 04 26 + id-at-certificateRevocationList + = { joint-iso-ccitt(2) ds(5) at(4) 39 } + == 0x 03 55 04 27 + + +3. Appropriate Owner Names for CERT RRs + + It is recommended that certificate CERT RRs be stored under a domain + name related to their subject, i.e., the name of the entity intended + to control the private key corresponding to the public key being + certified. It is recommended that certificate revocation list CERT + RRs be stored under a domain name related to their issuer. + + Following some of the guidelines below may result in the use in DNS + names of characters that require DNS quoting which is to use a + backslash followed by the octal representation of the ASCII code for + the character such as \000 for NULL. + + The choice of name under which CERT RRs are stored is important to + clients that perform CERT queries. In some situations, the client + may not know all information about the CERT RR object it wishes to + retrieve. For example, a client may not know the subject name of an + X.509 certificate, or the e-mail address of the owner of an OpenPGP + key. Further, the client might only know the hostname of a service + that uses X.509 certificates or the Key ID of an OpenPGP key. + + This motivate describing two different owner name guidelines. We + call the two rules content-based owner names and purpose-based owner + names. A content-based owner name is derived from the content of the + CERT RR data; for example the Subject field in an X.509 certificate + or the User ID field in OpenPGP keys. A purpose-based owner name is + selected to be a name that clients that wishes to retrieve CERT RRs + are expected to know; for example the host name of a X.509 protected + service or a Key ID of an OpenPGP key. Note that in some situations, + the content-based and purpose-based owner name can be the same; for + example when a client look up keys based on e-mail addresses for + incoming e-mail. + + Implementations SHOULD use the purpose-based owner name guidelines + + + +Josefsson Expires July 25, 2005 [Page 6] + +Internet-Draft Storing Certificates in the DNS January 2005 + + + described in this document, and MAY use CNAMEs at content-based owner + names (or other names), pointing to the purpose-based owner name. + +3.1 Content-based X.509 CERT RR Names + + Some X.509 versions permit multiple names to be associated with + subjects and issuers under "Subject Alternate Name" and "Issuer + Alternate Name". For example, x.509v3 has such Alternate Names with + an ASN.1 specification as follows: + + GeneralName ::= CHOICE { + otherName [0] INSTANCE OF OTHER-NAME, + rfc822Name [1] IA5String, + dNSName [2] IA5String, + x400Address [3] EXPLICIT OR-ADDRESS.&Type, + directoryName [4] EXPLICIT Name, + ediPartyName [5] EDIPartyName, + uniformResourceIdentifier [6] IA5String, + iPAddress [7] OCTET STRING, + registeredID [8] OBJECT IDENTIFIER + } + + The recommended locations of CERT storage are as follows, in priority + order: + 1. If a domain name is included in the identification in the + certificate or CRL, that should be used. + 2. If a domain name is not included but an IP address is included, + then the translation of that IP address into the appropriate + inverse domain name should be used. + 3. If neither of the above it used but a URI containing a domain + name is present, that domain name should be used. + 4. If none of the above is included but a character string name is + included, then it should be treated as described for PGP names + below. + 5. If none of the above apply, then the distinguished name (DN) + should be mapped into a domain name as specified in [3]. + + Example 1: Assume that an X.509v3 certificate is issued to /CN=John + Doe/DC=Doe/DC=com/DC=xy/O=Doe Inc/C=XY/ with Subject Alternative + names of (a) string "John (the Man) Doe", (b) domain name john- + doe.com, and (c) uri . Then + the storage locations recommended, in priority order, would be + 1. john-doe.com, + 2. www.secure.john-doe.com, and + 3. Doe.com.xy. + + Example 2: Assume that an X.509v3 certificate is issued to /CN=James + Hacker/L=Basingstoke/O=Widget Inc/C=GB/ with Subject Alternate names + + + +Josefsson Expires July 25, 2005 [Page 7] + +Internet-Draft Storing Certificates in the DNS January 2005 + + + of (a) domain name widget.foo.example, (b) IPv4 address + 10.251.13.201, and (c) string "James Hacker + ". Then the storage locations + recommended, in priority order, would be + 1. widget.foo.example, + 2. 201.13.251.10.in-addr.arpa, and + 3. hacker.mail.widget.foo.example. + +3.2 Purpose-based X.509 CERT RR Names + + It is difficult for clients that do not already posses a certificate + to reconstruct the content-based owner name that should be used to + retrieve the certificate. For this reason, purpose-based owner names + are recommended in this section. Because purpose-based owner names + by nature depend on the specific scenario, or purpose, for which the + certificate will be used, there are more than one recommendation. + The following table summarize the purpose-based X.509 CERT RR owner + name guidelines. + + Scenario Owner name + ------------------------------------------------------------------- + S/MIME Certificate Standard translation of RFC 822 email address. + Example: A S/MIME certificate for + "postmaster@example.org" will use a standard + hostname translation of the owner name, + i.e. "postmaster.example.org". + + SSL Certificate Hostname of the SSL server. + + IPSEC Certificate Hostname of the IPSEC machine, and/or + for the in-addr.arpa reverse lookup IP address. + + CRLs Hostname of the issuing CA. + + +3.3 Content-based OpenPGP CERT RR Names + + OpenPGP signed keys (certificates) use a general character string + User ID [5]. However, it is recommended by OpenPGP that such names + include the RFC 2822 [7] email address of the party, as in "Leslie + Example ". If such a format is used, the CERT + should be under the standard translation of the email address into a + domain name, which would be leslie.host.example in this case. If no + RFC 2822 name can be extracted from the string name no specific + domain name is recommended. + + If a user has more than one email address, the CNAME type can be used + to reduce the amount of data stored in the DNS. For example: + + + +Josefsson Expires July 25, 2005 [Page 8] + +Internet-Draft Storing Certificates in the DNS January 2005 + + + $ORIGIN example.org. + smith IN CERT PGP 0 0 + john.smith IN CNAME smith + js IN CNAME smith + + +3.4 Purpose-based OpenPGP CERT RR Names + + Applications that receive an OpenPGP packet but do not know the email + address of the sender will have difficulties constructing the correct + owner name, and cannot use the content-based owner name guidelines. + However, these clients commonly know the key fingerprint or the Key + ID. The key ID is found in OpenPGP packets, and the key fingerprint + is commonly found in auxilliary data that may be available. For + these situations, it is recommended to use an owner name identical to + the key fingerprint and key ID expressed in hexadecimal [11]. For + example: + + $ORIGIN example.org. + 0424D4EE81A0E3D119C6F835EDA21E94B565716F IN CERT PGP ... + F835EDA21E94B565716F IN CERT PGP ... + B565716F IN CERT PGP ... + + If the same key material is stored at several owner names, the use of + CNAME may be used to avoid data duplication. Note that CNAME is not + always applicable, because it map an owner names to the other for all + purposes, and this may be sub-optimal when two keys with the same Key + ID are stored. + +4. Performance Considerations + + Current Domain Name System (DNS) implementations are optimized for + small transfers, typically not more than 512 bytes including + overhead. While larger transfers will perform correctly and work is + underway to make larger transfers more efficient, it is still + advisable at this time to make every reasonable effort to minimize + the size of certificates stored within the DNS. Steps that can be + taken may include using the fewest possible optional or extensions + fields and using short field values for variable length fields that + must be included. + + The RDATA field in the DNS protocol may only hold data of size 65535 + octets (64kb) or less. This means that each CERT RR cannot contain + more than 64kb worth of payload, even if the corresponding + certificate or certificate revocation list is larger. This document + do not address this limitation. + + + + + +Josefsson Expires July 25, 2005 [Page 9] + +Internet-Draft Storing Certificates in the DNS January 2005 + + +5. Acknowledgements + + The majority of this document is copied verbatim from RFC 2538, by + Donald Eastlake 3rd and Olafur Gudmundsson. + + The author wishes to thank David Shaw and Michael Graff for their + contributions to the earlier work that motivated this revised + document. + + Florian Weimer suggested to clarify wording regarding what data can + be stored in RRDATA portion of OpenPGP CERT RRs, and that the URI + type may include hashes to secure the indirection. Olivier Dubuisson + confirmed that the X.509 OID were indeed correct. + +6. Security Considerations + + By definition, certificates contain their own authenticating + signature. Thus it is reasonable to store certificates in non-secure + DNS zones or to retrieve certificates from DNS with DNS security + checking not implemented or deferred for efficiency. The results MAY + be trusted if the certificate chain is verified back to a known + trusted key and this conforms with the user's security policy. + + Alternatively, if certificates are retrieved from a secure DNS zone + with DNS security checking enabled and are verified by DNS security, + the key within the retrieved certificate MAY be trusted without + verifying the certificate chain if this conforms with the user's + security policy. + + When the URI type is used, it should be understood that is introduce + an additional indirection that may allow for a new attack vector. + One method to secure that indirection is to include a hash of the + certificate in the URI itself. + + CERT RRs are not used in connection with securing the DNS security + additions so there are no security considerations related to CERT RRs + and securing the DNS itself. + +7. IANA Considerations + + Certificate types 0x0000 through 0x00FF and 0xFF00 through 0xFFFF can + only be assigned by an IETF standards action [6]. This document + assigns 0x0001 through 0x0003 and 0x00FD and 0x00FE. Certificate + types 0x0100 through 0xFEFF are assigned through IETF Consensus [6] + based on RFC documentation of the certificate type. The availability + of private types under 0x00FD and 0x00FE should satisfy most + requirements for proprietary or private types. + + + + +Josefsson Expires July 25, 2005 [Page 10] + +Internet-Draft Storing Certificates in the DNS January 2005 + + +8. Changes since RFC 2538 + + 1. Editorial changes to conform with new document requirements, + including splitting reference section into two parts and updating + the references to point at latest versions, and to add some + additional references. + 2. Improve terminology. For example replace "PGP" with "OpenPGP", + to align with RFC 2440. + 3. In section 2.1, clarify that OpenPGP public key data are binary, + not the ASCII armored format, and reference 10.1 in RFC 2440 on + how to deal with OpenPGP keys, and acknowledge that + implementations may handle additional packet types. + 4. Clarify that integers in the representation format are decimal. + 5. Replace KEY/SIG with DNSKEY/RRSIG etc, to align with DNSSECbis + terminology. Improve reference for Key Tag Algorithm + calculations. + 6. Add examples that suggest use of CNAME to reduce bandwidth. + 7. In section 3, appended the last paragraphs that discuss + "content-based" vs "purpose-based" owner names. Add section 3.2 + for purpose-based X.509 CERT owner names, and section 3.4 for + purpose-based OpenPGP CERT owner names. + 8. Added size considerations. + +9. References + +9.1 Normative References + + [1] Mockapetris, P., "Domain names - concepts and facilities", STD + 13, RFC 1034, November 1987. + + [2] Mockapetris, P., "Domain names - implementation and + specification", STD 13, RFC 1035, November 1987. + + [3] Kille, S., Wahl, M., Grimstad, A., Huber, R. and S. Sataluri, + "Using Domains in LDAP/X.500 Distinguished Names", RFC 2247, + January 1998. + + [4] Berners-Lee, T., Fielding, R. and L. Masinter, "Uniform Resource + Identifiers (URI): Generic Syntax", RFC 2396, August 1998. + + [5] Callas, J., Donnerhacke, L., Finney, H. and R. Thayer, "OpenPGP + Message Format", RFC 2440, November 1998. + + [6] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA + Considerations Section in RFCs", BCP 26, RFC 2434, October 1998. + + [7] Resnick, P., "Internet Message Format", RFC 2822, April 2001. + + + + +Josefsson Expires July 25, 2005 [Page 11] + +Internet-Draft Storing Certificates in the DNS January 2005 + + + [8] Arends, R., Austein, R., Massey, D., Larson, M. and S. Rose, + "DNS Security Introduction and Requirements", + draft-ietf-dnsext-dnssec-intro-13 (work in progress), October + 2004. + + [9] Arends, R., "Resource Records for the DNS Security Extensions", + draft-ietf-dnsext-dnssec-records-11 (work in progress), October + 2004. + +9.2 Informative References + + [10] Bradner, S., "Key words for use in RFCs to Indicate Requirement + Levels", BCP 14, RFC 2119, March 1997. + + [11] Josefsson, S., "The Base16, Base32, and Base64 Data Encodings", + RFC 3548, July 2003. + + +Author's Address + + Simon Josefsson + + EMail: simon@josefsson.org + +Appendix A. Copying conditions + + Regarding the portion of this document that was written by Simon + Josefsson ("the author", for the remainder of this section), the + author makes no guarantees and is not responsible for any damage + resulting from its use. The author grants irrevocable permission to + anyone to use, modify, and distribute it in any way that does not + diminish the rights of anyone else to use, modify, and distribute it, + provided that redistributed derivative works do not contain + misleading author or version information. Derivative works need not + be licensed under similar terms. + + + + + + + + + + + + + + + + +Josefsson Expires July 25, 2005 [Page 12] + +Internet-Draft Storing Certificates in the DNS January 2005 + + +Intellectual Property Statement + + The IETF takes no position regarding the validity or scope of any + Intellectual Property Rights or other rights that might be claimed to + pertain to the implementation or use of the technology described in + this document or the extent to which any license under such rights + might or might not be available; nor does it represent that it has + made any independent effort to identify any such rights. Information + on the procedures with respect to rights in RFC documents can be + found in BCP 78 and BCP 79. + + Copies of IPR disclosures made to the IETF Secretariat and any + assurances of licenses to be made available, or the result of an + attempt made to obtain a general license or permission for the use of + such proprietary rights by implementers or users of this + specification can be obtained from the IETF on-line IPR repository at + http://www.ietf.org/ipr. + + The IETF invites any interested party to bring to its attention any + copyrights, patents or patent applications, or other proprietary + rights that may cover technology that may be required to implement + this standard. Please address the information to the IETF at + ietf-ipr@ietf.org. + + +Disclaimer of Validity + + This document and the information contained herein are provided on an + "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS + OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET + ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, + INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE + INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED + WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + + +Copyright Statement + + Copyright (C) The Internet Society (2005). This document is subject + to the rights, licenses and restrictions contained in BCP 78, and + except as set forth therein, the authors retain all their rights. + + +Acknowledgment + + Funding for the RFC Editor function is currently provided by the + Internet Society. + + + + +Josefsson Expires July 25, 2005 [Page 13] + +