From cf38d58b79761af2737911a19cb7790357754db4 Mon Sep 17 00:00:00 2001 From: Brian Wellington Date: Tue, 25 Sep 2001 21:29:47 +0000 Subject: [PATCH] update the opt-in draft --- ...=> draft-ietf-dnsext-dnssec-opt-in-00.txt} | 341 +++++++++--------- 1 file changed, 171 insertions(+), 170 deletions(-) rename doc/draft/{draft-kosters-dnsext-dnssec-opt-in-01.txt => draft-ietf-dnsext-dnssec-opt-in-00.txt} (50%) diff --git a/doc/draft/draft-kosters-dnsext-dnssec-opt-in-01.txt b/doc/draft/draft-ietf-dnsext-dnssec-opt-in-00.txt similarity index 50% rename from doc/draft/draft-kosters-dnsext-dnssec-opt-in-01.txt rename to doc/draft/draft-ietf-dnsext-dnssec-opt-in-00.txt index eb8152dda9..0727f74505 100644 --- a/doc/draft/draft-kosters-dnsext-dnssec-opt-in-01.txt +++ b/doc/draft/draft-ietf-dnsext-dnssec-opt-in-00.txt @@ -2,11 +2,11 @@ Network Working Group M. Kosters Internet-Draft Network Solutions, Inc. -Expires: August 31, 2001 March 2, 2001 +Expires: December 25, 2001 June 26, 2001 DNSSEC Opt-in for Large Zones - draft-kosters-dnsext-dnssec-opt-in-01.txt + draft-ietf-dnsext-dnssec-opt-in-00.txt Status of this Memo @@ -29,7 +29,7 @@ Status of this Memo The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. - This Internet-Draft will expire on August 31, 2001. + This Internet-Draft will expire on December 25, 2001. Copyright Notice @@ -42,19 +42,19 @@ Abstract mechanism that allows for the separation of secure versus unsecure views of zones. This needs to be done in a transparent fashion that allows DNSSEC to be deployed in an incremental manner. This - document proposes the use of an extended RCODE to signify that a - DNSSEC-aware requestor may have to re-query for the information, if - and only if, the delegation is not yet secure. Thus, one can - maintain two views of the zone and expand the DNSSEC zone as demand - warrants. + document proposes a method using views to allow for incremental + growth of delegations that are registered as secure. This is + accomplished by extending the use of the NXT record to deal with + non-secure delegations as well as for non-existence. -Kosters Expires August 31, 2001 [Page 1] + +Kosters Expires December 25, 2001 [Page 1] -Internet-Draft DNSSEC Opt In March 2001 +Internet-Draft DNSSEC Opt In June 2001 Table of Contents @@ -64,8 +64,8 @@ Table of Contents 3. Protocol Additions . . . . . . . . . . . . . . . . . . . . . . . 4 4. Security Considerations . . . . . . . . . . . . . . . . . . . . 7 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 7 - 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 8 - References . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 + 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 7 + References . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 8 Full Copyright Statement . . . . . . . . . . . . . . . . . . . . 9 @@ -108,39 +108,43 @@ Table of Contents -Kosters Expires August 31, 2001 [Page 2] +Kosters Expires December 25, 2001 [Page 2] -Internet-Draft DNSSEC Opt In March 2001 +Internet-Draft DNSSEC Opt In June 2001 1. Introduction - DNS is an unsecure system. The key features that gives DNS its power + DNS is an unsecure system. The key features that give DNS its power can also be its chief weaknesses. One feature is the facility to delegate branches of information from one set of servers to another. Currently, this is done in a non-cryptographically verified way that - allows spoofing attacks. For example, an alternative domain registry - called AlterNIC exploited this vulnerability to redirect - www.netsol.com and www.internic.net websites to their own website in - July 1997 that gained widespread exposure. If this delegated - information had been cryptographically verified, this attack would - not have been able to occur. + allows spoofing attacks. For example, in July 1997, an alternative + domain registry called AlterNIC exploited this vulnerability to + redirect the www.netsol.com and www.internic.net websites to the + AtlerNIC website. If this delegated information had been + cryptographically verified, this attack would not have been able to + occur. In recent years, there has been much work within the IETF regarding - DNS security. There are a number of RFCs that integrate public key + DNS security. There are a number of RFCs that integrate public key technology within DNS to enable cryptographically-verified answers. To this end, three new resource record types (RR's) have been defined: - o KEY -- a public key of the zone - o SIG - a signature of an accompanying RR - o NXT - a negative response record + o KEY - one of the public keys of the zone + o SIG - a signature of an accompanying RR set + o NXT - a record that indicates the range of labels to show + negative proof - Within the zone, each authoritative RR will have accompanying SIG - RR's that can be verified with the KEY RR of the zone. Each KEY RR - can be verified hierarchically with a SIG RR from the direct parent - zone. For unsecure delegations, a null-KEY RR is inserted in the - parent zone. Finally, NXT RR's and their accompanying SIG RR's are + A zone's authoritative RR's are combined into groups for signing. A + set of RR's will be in the same group if and only if they have the + same name and the same RR type. Each group is then signed with each + of the zone's keys, and each of these signings produces one SIG + record. Each zone KEY RR can be verified hierarchically with a SIG + RR from the direct parent zone. For unsecure delegations, a NULL KEY + RR is inserted in the parent zone to verifiably attest the subdomain + is insecure. Finally, NXT RR's and their accompanying SIG RR's are issued in the case of a negative reply. As a zone maintainer, transitioning to a secure zone has a high @@ -148,39 +152,39 @@ Internet-Draft DNSSEC Opt In March 2001 KEY RR At a delegation point, the zone maintainer needs to place a NULL - key and accompanying SIG RR's when the child zone is not known to + KEY and accompanying SIG RR's when the child zone is not known to be secure. NXT RR Each delegation needs to be lexigraphically ordered so that a NXT RR can be generated and signed with SIG RR's. For large zone - operators, generating the zone file is a very time consuming + operators, ordering the zone file is a very time-consuming process. In the resolution process, NXT lookups require that the server replace efficient hash structures with a lexigraphically ordered search structure that degrades lookup performance. This lookup performance is a critical element for a high-query rate + + +Kosters Expires December 25, 2001 [Page 3] + +Internet-Draft DNSSEC Opt In June 2001 + + DNS server. Thus, the net effect is when one initially secures a zone as defined - in RFC2535[4], the net overhead is massive because of the following - - -Kosters Expires August 31, 2001 [Page 3] - -Internet-Draft DNSSEC Opt In March 2001 - - - factors: + in RFC2535[4], the amount of processing is massive because of the + following factors: 1. Zone ordering and maintenance for large zones is difficult and expensive. - 2. Adding null-KEY RR's, NXT RR's and their accompanying SIG RR's + 2. Adding NULL KEY RR's, NXT RR's and their accompanying SIG RR's for unsecure delegations will consume large amounts of memory - (6x the current memory requirements). - 3. Having a less efficient look-up algorithm to provide answers to + (six times the current memory requirements). + 3. Having a less efficient lookup algorithm to provide answers to queries will degrade overall performance. - 4. Very little initial payoff (anticipate only a small fraction of - delegations to be signed. This equates to less than 1% over the - first six months). + 4. There is very little initial payoff (anticipate only a small + fraction of delegations to be signed. This equates to less than + 1% over the first six months). 5. Unsecured delegations are more expensive at the parent than secure delegations (NULL KEY). @@ -188,7 +192,7 @@ Internet-Draft DNSSEC Opt In March 2001 As DNSSEC is initially deployed, it is anticipated that DNSSEC adoption will be slow to materialize. It is also anticipated that - DNSSEC security resolution will be top down. Thus for DNSSEC to be + DNSSEC security resolution will be top-down. Thus for DNSSEC to be widely adopted, the root zone and GTLD zones will need to be signed. Based on the implications previously listed, a large zone maintainer such as the administrator of COM, needs to create an infrastructure @@ -196,93 +200,63 @@ Internet-Draft DNSSEC Opt In March 2001 very little initial benefit. This document proposes an alternative opt-in approach that minimizes - the expense and complexity to ease adoption of DNSSEC for large - zones by allowing for an alternate view of secured only delegations. + the expense and complexity of DNSSEC adoption by large zones. This + is done by allowing for an alternate view with only secured + delegations. 3. Protocol Additions The opt-in proposal allows for a zone operator to maintain two views - of its delegations - one being non-DNSSEC and the other being - DNSSSEC aware. The non-DNSSEC view will have all delegations - both - secured and non-secured. The DNSSEC aware view will only have - secured delegations. It is assumed that neither view will have any - innate knowledge of the other's delegations. Thus, the cost of - securing a zone is proportional to the demand of its delegations - with the added benefit of no longer having to maintain NULL KEY RRs - for unsecure delegations. + of its delegations - one being signed and the other not. The + non-DNSSEC view will have all delegations - both secured and + non-secured. The DNSSEC aware view will only have secured + delegations. It is assumed that neither view will have any innate + knowledge of the other's delegations. Thus, the cost of securing a + zone is proportional to the demand of its delegations with the added + benefit of no longer having to maintain NULL KEY RRs for unsecure + delegations. - On the server side, identification of the zone being opt-in will be - identified by using one of the reserved bits of the flags section - within the KEY RR for that particular zone [note - the actual bit - needs yet to be selected out of reserved bits 4-5 or 8-11]. - - On the client side, the client MUST be identified by sending a - option-code of RETRY-NO-SEC-AWARE within the OPT RR RDATA to ensure + Since the opt-in model changes the semantics of the NXT RR, the + resolver needs to know if the zone itself follows a RFC2535[4] style -Kosters Expires August 31, 2001 [Page 4] +Kosters Expires December 25, 2001 [Page 4] -Internet-Draft DNSSEC Opt In March 2001 +Internet-Draft DNSSEC Opt In June 2001 - that it can accept and understand the RETRY-NO-SEC RCODE. The - RETRY-NO-SEC-AWARE option-code MUST have an option-length value of - zero with no option-data. The RETRY-NO-SEC-AWARE option-code will be - determined by IANA. + model or the opt-in model. An opt-in zone is identified by setting + bit 4 of the flags section within the KEY RR for that particular + zone. To determine which view each DNS query packet is to be queried against, there is a simple algorithm to be followed: - 1. The DNSSEC view is to be queried when the DO bit is set within + 1. The DNSSEC view MUST be queried when the DO bit is set within the EDNS0 OPT meta RR as indicated in [6] Additionally, - 2. The DNSSEC view is to be queried when the query type is SIG, - KEY, or NXT and the RRs added match the query name and query - type. + 2. The DNSSEC view MUST be queried when the query type is SIG, KEY, + or NXT. If the query does not follow either case (1) or (2), the non-DNSSEC view MUST be consulted by default. Since the DNSSEC view will have a subset of the actual delegations of that zone, it will not be able to respond to an unsecured - delegation. To that end, one of two things will happen: + delegation query. To that end, one of the two following events will + occur: - 1) If the client has been identified as RETRY-NO-SEC-AWARE, a new - extended RCODE MUST be set within the EDNS OPT RR for the resolver - to retry again with the DO bit not set. This RCODE is referred to - as "RETRY-NO-SEC" (RS). In the context of the EDNS0 OPT meta-RR, - the RS value will be determined by IANA. + 1) If the RR set exists within the unsecure view, the answer will + show up normally with in the Answer and Additional sections. + Additionally, the NXT RR from the secure view is folded into the + Authority section along with the related KEY RR's and its SIG in the + Additional section. The NXT RR is added to prove the answer does not + exist in the secure view. - Setting the RS RCODE in a response indicates to the resolver that - the resolver is retrying the query again without the DO bit set. The - behavior of the authority and additional records section being - populated should be the same using the RS RCODE as the RCODE being - set to NXDOMAIN. Therefore, the resolver will be able to verify that - the answer does not exist within the secure zone since the NXT RR - will be sent in the Authority section. To avoid caching, the server - SHOULD set the TTL on the NXT RR to 0. - - 2) If the client has been identified as not being - RETRY-NO-SEC-AWARE, the server itself MUST consult the non-secure - view to compile the answer and respond back to the client. If the - RR exists, the answer will show up normally with in the Answer and - Additional sections and the NXT RR's within the Authority section - along with the KEY RR and its SIG in the Additional section. If the - RR does not exist, RCODE will be set to NXDOMAIN with the NXT RR - will be sent in the Authority section along with the KEY RR and its - SIG in the Additional section . Again, to avoid caching, the server - SHOULD set the TTL on the NXT RR to 0. - - Note that latter case should be used during the transition of moving - to clients that understand the RS RCODE only. It should not be - - -Kosters Expires August 31, 2001 [Page 5] - -Internet-Draft DNSSEC Opt In March 2001 - - - viewed as a permanent solution and may deprecated in a short period - of time. + 2) If the RR set does not exist within the unsecure view, the RCODE + will be set to NXDOMAIN. Additionally, the NXT RR from the secure + view is sent in the Authority section along with the related KEY + RR's and its SIG in the Additional section. Again, the NXT RR is + added to prove the answer does not exist in the secure view. Example: @@ -301,70 +275,66 @@ Internet-Draft DNSSEC Opt In March 2001 8 NS 9 NS + +Kosters Expires December 25, 2001 [Page 5] + +Internet-Draft DNSSEC Opt In June 2001 + + Secured zone Contents: @ SOA, SIG SOA, NXT(3), SIG NXT 3 NS, SIG NS, NXT(6), SIG NXT 6 NS, SIG NS, NXT(9), SIG NXT 9 NS, SIG NS, NXT(@), SIG NXT - 1. Query for 5 RR type A with EDNS0 DO bit set along with the - RETRY-NO-SEC-AWARE option code, the response would return with - the extended RCODE RS bit set: - - - RCODE=RS - Authority Section: - SOA, SIG SOA, 3 NXT(6), SIG NXT - Additional Section: - KEY, SIG KEY - - - The source would then retry without the EDNS0 DO bit set which - would return an answer as defined in RFC1035[2]. - - 2. Query for 5 RR type A with EDNS0 DO bit only, the response would - return with the following: + 1. A query for 5 RR type A with EDNS0 DO bit set would return with + the following response: RCODE=NOERROR - Answer Section: - 5 NS Authority Section: - - -Kosters Expires August 31, 2001 [Page 6] - -Internet-Draft DNSSEC Opt In March 2001 - - + 5 NS 3 NXT(6), SIG NXT Additional Section: KEY, SIG KEY + The secure server would see that 5 is lexographically between 3 + and 6 and therefore know that 5 is insecure. - 3. Query for 55 RR type A with EDNS0 DO bit set along with the - RETRY-NO-SEC-AWARE option code, the response would return with - the extended RCODE RS bit set: + 2. A query for 55 RR type A with EDNS0 DO bit set would return with + the following response: - RCODE=RS + RCODE=NXDOMAIN Authority Section: SOA, SIG SOA, 3 NXT(6), SIG NXT Additional Section: KEY, SIG KEY - The source would then retry without the EDNS0 DO bit set which - would return an answer as defined in RFC1035[2]. The subsequent - 1035 answer would contain a RCODE of NXDOMAIN since the domain - 55 does not exist. + The secure server would see that 55 is lexographically between + 3 and 6 and therefore know that 55 is definitely does not exist + in the secure realm. - 4. Query for 3 RR type KEY without EDNS DO bit set. The response - would return with an answer as defined in RFC2535[4]. + 3. A query for 3 RR type KEY without EDNS DO bit set would return + with an response as defined in RFC2535[4]. - 5. Query for 3 RR type A, with EDNS0 DO bit set, the response would - be the same as defined in RFC2535[4]. + 4. A Query for 3 RR type A, with EDNS0 DO bit set would return with + a response as defined in RFC2535[4]. + + 5. A Query for 6 RR type A, without EDNS0 DO bit set would return + with a response as defined in RFC1035[2]. + + + + + + + +Kosters Expires December 25, 2001 [Page 6] + +Internet-Draft DNSSEC Opt In June 2001 4. Security Considerations @@ -377,26 +347,14 @@ Internet-Draft DNSSEC Opt In March 2001 5. IANA Considerations - 1) Allocation of a bit within the reserved portion of the KEY RR to - indicate that the zone is an opt-in zone. - - 2) Allocation of the most significant bit of the RCODE field in the - EDNS0 OPT meta-RR is required. - - 3) Allocation of an option-code within the OPT RR to indicate that - the client can understand the new RCODE. - - - -Kosters Expires August 31, 2001 [Page 7] - -Internet-Draft DNSSEC Opt In March 2001 - + The IANA is requested to reserve the use of the fourth bit of the + KEY RR to indicate that the zone is an opt-in zone. 6. Acknowledgements - This document is based on a rough draft by Brian Wellington, and - input from Olafur Gudmundsson. + This document is based on a rough draft by Brian Wellington along + with input from Olafur Gudmundsson, David Blacka, and Mike + Schiraldi. References @@ -419,6 +377,22 @@ References progress)", August 2000. + + + + + + + + + + + +Kosters Expires December 25, 2001 [Page 7] + +Internet-Draft DNSSEC Opt In June 2001 + + Author's Address Mark Kosters @@ -444,9 +418,35 @@ Author's Address -Kosters Expires August 31, 2001 [Page 8] + + + + + + + + + + + + + + + + + + + + + + + + + + +Kosters Expires December 25, 2001 [Page 8] -Internet-Draft DNSSEC Opt In March 2001 +Internet-Draft DNSSEC Opt In June 2001 Full Copyright Statement @@ -500,5 +500,6 @@ Acknowledgement -Kosters Expires August 31, 2001 [Page 9] +Kosters Expires December 25, 2001 [Page 9] +