mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-09-01 15:05:23 +00:00
Code Issues Releases Wiki Activity

update the opt-in draft

Browse Source
This commit is contained in:
Brian Wellington
2001-09-25 21:29:47 +00:00
parent 5044d03efa
commit cf38d58b79
1 changed files with 171 additions and 170 deletions
Download Patch File Download Diff File Expand all files Collapse all files

341
doc/draft/draft-kosters-dnsext-dnssec-opt-in-01.txt → doc/draft/draft-ietf-dnsext-dnssec-opt-in-00.txt
View File

@@ -2,11 +2,11 @@
Network Working Group M. Kosters Network Working Group M. Kosters
Internet-Draft Network Solutions, Inc. Internet-Draft Network Solutions, Inc.
Expires: August 31, 2001 March 2, 2001 Expires: December 25, 2001 June 26, 2001
DNSSEC Opt-in for Large Zones DNSSEC Opt-in for Large Zones
draft-kosters-dnsext-dnssec-opt-in-01.txt draft-ietf-dnsext-dnssec-opt-in-00.txt
Status of this Memo Status of this Memo
@@ -29,7 +29,7 @@ Status of this Memo
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on August 31, 2001. This Internet-Draft will expire on December 25, 2001.
Copyright Notice Copyright Notice
@@ -42,19 +42,19 @@ Abstract
mechanism that allows for the separation of secure versus unsecure mechanism that allows for the separation of secure versus unsecure
views of zones. This needs to be done in a transparent fashion that views of zones. This needs to be done in a transparent fashion that
allows DNSSEC to be deployed in an incremental manner. This allows DNSSEC to be deployed in an incremental manner. This
document proposes the use of an extended RCODE to signify that a document proposes a method using views to allow for incremental
DNSSEC-aware requestor may have to re-query for the information, if growth of delegations that are registered as secure. This is
and only if, the delegation is not yet secure. Thus, one can accomplished by extending the use of the NXT record to deal with
maintain two views of the zone and expand the DNSSEC zone as demand non-secure delegations as well as for non-existence.
warrants.
Kosters Expires August 31, 2001 [Page 1]
Kosters Expires December 25, 2001 [Page 1]
Internet-Draft DNSSEC Opt In March 2001 Internet-Draft DNSSEC Opt In June 2001
Table of Contents Table of Contents
@@ -64,8 +64,8 @@ Table of Contents
3. Protocol Additions . . . . . . . . . . . . . . . . . . . . . . . 4 3. Protocol Additions . . . . . . . . . . . . . . . . . . . . . . . 4
4. Security Considerations . . . . . . . . . . . . . . . . . . . . 7 4. Security Considerations . . . . . . . . . . . . . . . . . . . . 7
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 7 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 7
6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 8 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 7
References . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 References . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 8 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 8
Full Copyright Statement . . . . . . . . . . . . . . . . . . . . 9 Full Copyright Statement . . . . . . . . . . . . . . . . . . . . 9
@@ -108,39 +108,43 @@ Table of Contents
Kosters Expires August 31, 2001 [Page 2] Kosters Expires December 25, 2001 [Page 2]
Internet-Draft DNSSEC Opt In March 2001 Internet-Draft DNSSEC Opt In June 2001
1. Introduction 1. Introduction
DNS is an unsecure system. The key features that gives DNS its power DNS is an unsecure system. The key features that give DNS its power
can also be its chief weaknesses. One feature is the facility to can also be its chief weaknesses. One feature is the facility to
delegate branches of information from one set of servers to another. delegate branches of information from one set of servers to another.
Currently, this is done in a non-cryptographically verified way that Currently, this is done in a non-cryptographically verified way that
allows spoofing attacks. For example, an alternative domain registry allows spoofing attacks. For example, in July 1997, an alternative
called AlterNIC exploited this vulnerability to redirect domain registry called AlterNIC exploited this vulnerability to
www.netsol.com and www.internic.net websites to their own website in redirect the www.netsol.com and www.internic.net websites to the
July 1997 that gained widespread exposure. If this delegated AtlerNIC website. If this delegated information had been
information had been cryptographically verified, this attack would cryptographically verified, this attack would not have been able to
not have been able to occur. occur.
In recent years, there has been much work within the IETF regarding In recent years, there has been much work within the IETF regarding
DNS security. There are a number of RFCs that integrate public key DNS security. There are a number of RFCs that integrate public key
technology within DNS to enable cryptographically-verified answers. technology within DNS to enable cryptographically-verified answers.
To this end, three new resource record types (RR's) have been To this end, three new resource record types (RR's) have been
defined: defined:
o KEY -- a public key of the zone o KEY - one of the public keys of the zone
o SIG - a signature of an accompanying RR o SIG - a signature of an accompanying RR set
o NXT - a negative response record o NXT - a record that indicates the range of labels to show
negative proof
Within the zone, each authoritative RR will have accompanying SIG A zone's authoritative RR's are combined into groups for signing. A
RR's that can be verified with the KEY RR of the zone. Each KEY RR set of RR's will be in the same group if and only if they have the
can be verified hierarchically with a SIG RR from the direct parent same name and the same RR type. Each group is then signed with each
zone. For unsecure delegations, a null-KEY RR is inserted in the of the zone's keys, and each of these signings produces one SIG
parent zone. Finally, NXT RR's and their accompanying SIG RR's are record. Each zone KEY RR can be verified hierarchically with a SIG
RR from the direct parent zone. For unsecure delegations, a NULL KEY
RR is inserted in the parent zone to verifiably attest the subdomain
is insecure. Finally, NXT RR's and their accompanying SIG RR's are
issued in the case of a negative reply. issued in the case of a negative reply.
As a zone maintainer, transitioning to a secure zone has a high As a zone maintainer, transitioning to a secure zone has a high
@@ -148,39 +152,39 @@ Internet-Draft DNSSEC Opt In March 2001
KEY RR KEY RR
At a delegation point, the zone maintainer needs to place a NULL At a delegation point, the zone maintainer needs to place a NULL
key and accompanying SIG RR's when the child zone is not known to KEY and accompanying SIG RR's when the child zone is not known to
be secure. be secure.
NXT RR NXT RR
Each delegation needs to be lexigraphically ordered so that a NXT Each delegation needs to be lexigraphically ordered so that a NXT
RR can be generated and signed with SIG RR's. For large zone RR can be generated and signed with SIG RR's. For large zone
operators, generating the zone file is a very time consuming operators, ordering the zone file is a very time-consuming
process. In the resolution process, NXT lookups require that the process. In the resolution process, NXT lookups require that the
server replace efficient hash structures with a lexigraphically server replace efficient hash structures with a lexigraphically
ordered search structure that degrades lookup performance. This ordered search structure that degrades lookup performance. This
lookup performance is a critical element for a high-query rate lookup performance is a critical element for a high-query rate
Kosters Expires December 25, 2001 [Page 3]
Internet-Draft DNSSEC Opt In June 2001
DNS server. DNS server.
Thus, the net effect is when one initially secures a zone as defined Thus, the net effect is when one initially secures a zone as defined
in RFC2535[4], the net overhead is massive because of the following in RFC2535[4], the amount of processing is massive because of the
following factors:
Kosters Expires August 31, 2001 [Page 3]
Internet-Draft DNSSEC Opt In March 2001
factors:
1. Zone ordering and maintenance for large zones is difficult and 1. Zone ordering and maintenance for large zones is difficult and
expensive. expensive.
2. Adding null-KEY RR's, NXT RR's and their accompanying SIG RR's 2. Adding NULL KEY RR's, NXT RR's and their accompanying SIG RR's
for unsecure delegations will consume large amounts of memory for unsecure delegations will consume large amounts of memory
(6x the current memory requirements). (six times the current memory requirements).
3. Having a less efficient look-up algorithm to provide answers to 3. Having a less efficient lookup algorithm to provide answers to
queries will degrade overall performance. queries will degrade overall performance.
4. Very little initial payoff (anticipate only a small fraction of 4. There is very little initial payoff (anticipate only a small
delegations to be signed. This equates to less than 1% over the fraction of delegations to be signed. This equates to less than
first six months). 1% over the first six months).
5. Unsecured delegations are more expensive at the parent than 5. Unsecured delegations are more expensive at the parent than
secure delegations (NULL KEY). secure delegations (NULL KEY).
@@ -188,7 +192,7 @@ Internet-Draft DNSSEC Opt In March 2001
As DNSSEC is initially deployed, it is anticipated that DNSSEC As DNSSEC is initially deployed, it is anticipated that DNSSEC
adoption will be slow to materialize. It is also anticipated that adoption will be slow to materialize. It is also anticipated that
DNSSEC security resolution will be top down. Thus for DNSSEC to be DNSSEC security resolution will be top-down. Thus for DNSSEC to be
widely adopted, the root zone and GTLD zones will need to be signed. widely adopted, the root zone and GTLD zones will need to be signed.
Based on the implications previously listed, a large zone maintainer Based on the implications previously listed, a large zone maintainer
such as the administrator of COM, needs to create an infrastructure such as the administrator of COM, needs to create an infrastructure
@@ -196,93 +200,63 @@ Internet-Draft DNSSEC Opt In March 2001
very little initial benefit. very little initial benefit.
This document proposes an alternative opt-in approach that minimizes This document proposes an alternative opt-in approach that minimizes
the expense and complexity to ease adoption of DNSSEC for large the expense and complexity of DNSSEC adoption by large zones. This
zones by allowing for an alternate view of secured only delegations. is done by allowing for an alternate view with only secured
delegations.
3. Protocol Additions 3. Protocol Additions
The opt-in proposal allows for a zone operator to maintain two views The opt-in proposal allows for a zone operator to maintain two views
of its delegations - one being non-DNSSEC and the other being of its delegations - one being signed and the other not. The
DNSSSEC aware. The non-DNSSEC view will have all delegations - both non-DNSSEC view will have all delegations - both secured and
secured and non-secured. The DNSSEC aware view will only have non-secured. The DNSSEC aware view will only have secured
secured delegations. It is assumed that neither view will have any delegations. It is assumed that neither view will have any innate
innate knowledge of the other's delegations. Thus, the cost of knowledge of the other's delegations. Thus, the cost of securing a
securing a zone is proportional to the demand of its delegations zone is proportional to the demand of its delegations with the added
with the added benefit of no longer having to maintain NULL KEY RRs benefit of no longer having to maintain NULL KEY RRs for unsecure
for unsecure delegations. delegations.
On the server side, identification of the zone being opt-in will be Since the opt-in model changes the semantics of the NXT RR, the
identified by using one of the reserved bits of the flags section resolver needs to know if the zone itself follows a RFC2535[4] style
within the KEY RR for that particular zone [note - the actual bit
needs yet to be selected out of reserved bits 4-5 or 8-11].
On the client side, the client MUST be identified by sending a
option-code of RETRY-NO-SEC-AWARE within the OPT RR RDATA to ensure
Kosters Expires August 31, 2001 [Page 4] Kosters Expires December 25, 2001 [Page 4]
Internet-Draft DNSSEC Opt In March 2001 Internet-Draft DNSSEC Opt In June 2001
that it can accept and understand the RETRY-NO-SEC RCODE. The model or the opt-in model. An opt-in zone is identified by setting
RETRY-NO-SEC-AWARE option-code MUST have an option-length value of bit 4 of the flags section within the KEY RR for that particular
zero with no option-data. The RETRY-NO-SEC-AWARE option-code will be zone.
determined by IANA.
To determine which view each DNS query packet is to be queried To determine which view each DNS query packet is to be queried
against, there is a simple algorithm to be followed: against, there is a simple algorithm to be followed:
1. The DNSSEC view is to be queried when the DO bit is set within 1. The DNSSEC view MUST be queried when the DO bit is set within
the EDNS0 OPT meta RR as indicated in [6] Additionally, the EDNS0 OPT meta RR as indicated in [6] Additionally,
2. The DNSSEC view is to be queried when the query type is SIG, 2. The DNSSEC view MUST be queried when the query type is SIG, KEY,
KEY, or NXT and the RRs added match the query name and query or NXT.
type.
If the query does not follow either case (1) or (2), the non-DNSSEC If the query does not follow either case (1) or (2), the non-DNSSEC
view MUST be consulted by default. view MUST be consulted by default.
Since the DNSSEC view will have a subset of the actual delegations Since the DNSSEC view will have a subset of the actual delegations
of that zone, it will not be able to respond to an unsecured of that zone, it will not be able to respond to an unsecured
delegation. To that end, one of two things will happen: delegation query. To that end, one of the two following events will
occur:
1) If the client has been identified as RETRY-NO-SEC-AWARE, a new 1) If the RR set exists within the unsecure view, the answer will
extended RCODE MUST be set within the EDNS OPT RR for the resolver show up normally with in the Answer and Additional sections.
to retry again with the DO bit not set. This RCODE is referred to Additionally, the NXT RR from the secure view is folded into the
as "RETRY-NO-SEC" (RS). In the context of the EDNS0 OPT meta-RR, Authority section along with the related KEY RR's and its SIG in the
the RS value will be determined by IANA. Additional section. The NXT RR is added to prove the answer does not
exist in the secure view.
Setting the RS RCODE in a response indicates to the resolver that 2) If the RR set does not exist within the unsecure view, the RCODE
the resolver is retrying the query again without the DO bit set. The will be set to NXDOMAIN. Additionally, the NXT RR from the secure
behavior of the authority and additional records section being view is sent in the Authority section along with the related KEY
populated should be the same using the RS RCODE as the RCODE being RR's and its SIG in the Additional section. Again, the NXT RR is
set to NXDOMAIN. Therefore, the resolver will be able to verify that added to prove the answer does not exist in the secure view.
the answer does not exist within the secure zone since the NXT RR
will be sent in the Authority section. To avoid caching, the server
SHOULD set the TTL on the NXT RR to 0.
2) If the client has been identified as not being
RETRY-NO-SEC-AWARE, the server itself MUST consult the non-secure
view to compile the answer and respond back to the client. If the
RR exists, the answer will show up normally with in the Answer and
Additional sections and the NXT RR's within the Authority section
along with the KEY RR and its SIG in the Additional section. If the
RR does not exist, RCODE will be set to NXDOMAIN with the NXT RR
will be sent in the Authority section along with the KEY RR and its
SIG in the Additional section . Again, to avoid caching, the server
SHOULD set the TTL on the NXT RR to 0.
Note that latter case should be used during the transition of moving
to clients that understand the RS RCODE only. It should not be
Kosters Expires August 31, 2001 [Page 5]
Internet-Draft DNSSEC Opt In March 2001
viewed as a permanent solution and may deprecated in a short period
of time.
Example: Example:
@@ -301,70 +275,66 @@ Internet-Draft DNSSEC Opt In March 2001
8 NS 8 NS
9 NS 9 NS
Kosters Expires December 25, 2001 [Page 5]
Internet-Draft DNSSEC Opt In June 2001
Secured zone Contents: Secured zone Contents:
@ SOA, SIG SOA, NXT(3), SIG NXT @ SOA, SIG SOA, NXT(3), SIG NXT
3 NS, SIG NS, NXT(6), SIG NXT 3 NS, SIG NS, NXT(6), SIG NXT
6 NS, SIG NS, NXT(9), SIG NXT 6 NS, SIG NS, NXT(9), SIG NXT
9 NS, SIG NS, NXT(@), SIG NXT 9 NS, SIG NS, NXT(@), SIG NXT
1. Query for 5 RR type A with EDNS0 DO bit set along with the 1. A query for 5 RR type A with EDNS0 DO bit set would return with
RETRY-NO-SEC-AWARE option code, the response would return with the following response:
the extended RCODE RS bit set:
RCODE=RS
Authority Section:
SOA, SIG SOA, 3 NXT(6), SIG NXT
Additional Section:
KEY, SIG KEY
The source would then retry without the EDNS0 DO bit set which
would return an answer as defined in RFC1035[2].
2. Query for 5 RR type A with EDNS0 DO bit only, the response would
return with the following:
RCODE=NOERROR RCODE=NOERROR
Answer Section:
5 NS
Authority Section: Authority Section:
5 NS
Kosters Expires August 31, 2001 [Page 6]
Internet-Draft DNSSEC Opt In March 2001
3 NXT(6), SIG NXT 3 NXT(6), SIG NXT
Additional Section: Additional Section:
KEY, SIG KEY KEY, SIG KEY
The secure server would see that 5 is lexographically between 3
and 6 and therefore know that 5 is insecure.
3. Query for 55 RR type A with EDNS0 DO bit set along with the 2. A query for 55 RR type A with EDNS0 DO bit set would return with
RETRY-NO-SEC-AWARE option code, the response would return with the following response:
the extended RCODE RS bit set:
RCODE=RS RCODE=NXDOMAIN
Authority Section: Authority Section:
SOA, SIG SOA, 3 NXT(6), SIG NXT SOA, SIG SOA, 3 NXT(6), SIG NXT
Additional Section: Additional Section:
KEY, SIG KEY KEY, SIG KEY
The source would then retry without the EDNS0 DO bit set which The secure server would see that 55 is lexographically between
would return an answer as defined in RFC1035[2]. The subsequent 3 and 6 and therefore know that 55 is definitely does not exist
1035 answer would contain a RCODE of NXDOMAIN since the domain in the secure realm.
55 does not exist.
4. Query for 3 RR type KEY without EDNS DO bit set. The response 3. A query for 3 RR type KEY without EDNS DO bit set would return
would return with an answer as defined in RFC2535[4]. with an response as defined in RFC2535[4].
5. Query for 3 RR type A, with EDNS0 DO bit set, the response would 4. A Query for 3 RR type A, with EDNS0 DO bit set would return with
be the same as defined in RFC2535[4]. a response as defined in RFC2535[4].
5. A Query for 6 RR type A, without EDNS0 DO bit set would return
with a response as defined in RFC1035[2].
Kosters Expires December 25, 2001 [Page 6]
Internet-Draft DNSSEC Opt In June 2001
4. Security Considerations 4. Security Considerations
@@ -377,26 +347,14 @@ Internet-Draft DNSSEC Opt In March 2001
5. IANA Considerations 5. IANA Considerations
1) Allocation of a bit within the reserved portion of the KEY RR to The IANA is requested to reserve the use of the fourth bit of the
indicate that the zone is an opt-in zone. KEY RR to indicate that the zone is an opt-in zone.
2) Allocation of the most significant bit of the RCODE field in the
EDNS0 OPT meta-RR is required.
3) Allocation of an option-code within the OPT RR to indicate that
the client can understand the new RCODE.
Kosters Expires August 31, 2001 [Page 7]
Internet-Draft DNSSEC Opt In March 2001
6. Acknowledgements 6. Acknowledgements
This document is based on a rough draft by Brian Wellington, and This document is based on a rough draft by Brian Wellington along
input from Olafur Gudmundsson. with input from Olafur Gudmundsson, David Blacka, and Mike
Schiraldi.
References References
@@ -419,6 +377,22 @@ References
progress)", August 2000. progress)", August 2000.
Kosters Expires December 25, 2001 [Page 7]
Internet-Draft DNSSEC Opt In June 2001
Author's Address Author's Address
Mark Kosters Mark Kosters
@@ -444,9 +418,35 @@ Author's Address
Kosters Expires August 31, 2001 [Page 8]
Kosters Expires December 25, 2001 [Page 8]
Internet-Draft DNSSEC Opt In March 2001 Internet-Draft DNSSEC Opt In June 2001
Full Copyright Statement Full Copyright Statement
@@ -500,5 +500,6 @@ Acknowledgement
Kosters Expires August 31, 2001 [Page 9] Kosters Expires December 25, 2001 [Page 9]