upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-06-11 05:39:59 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

new draft

Browse source
This commit is contained in:
Mark Andrews 2003-11-03 01:07:13 +00:00
parent 1edbf33625
commit 56484c0f85
9 changed files with 6925 additions and 6144 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

122
doc/draft/draft-ietf-dnsext-dhcid-rr-06.txt → doc/draft/draft-ietf-dnsext-dhcid-rr-07.txt
View file

@ -2,14 +2,14 @@
DNSEXT Working Group M. Stapp
Internet-Draft Cisco Systems, Inc.
Expires: May 2, 2003 T. Lemon
Expires: April 23, 2004 T. Lemon
A. Gustafsson
Nominum, Inc.
November 1, 2002
October 24, 2003
A DNS RR for Encoding DHCP Information (DHCID RR)
<draft-ietf-dnsext-dhcid-rr-06.txt>
<draft-ietf-dnsext-dhcid-rr-07.txt>
Status of this Memo
@ -32,11 +32,11 @@ Status of this Memo
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on May 2, 2003.
This Internet-Draft will expire on April 23, 2004.
Copyright Notice
Copyright (C) The Internet Society (2002). All Rights Reserved.
Copyright (C) The Internet Society (2003). All Rights Reserved.
Abstract
@ -52,9 +52,9 @@ Abstract
Stapp, et. al. Expires May 2, 2003 [Page 1]
Stapp, et. al. Expires April 23, 2004 [Page 1]
Internet-Draft The DHCID RR November 2002
Internet-Draft The DHCID RR October 2003
Table of Contents
@ -75,6 +75,7 @@ Table of Contents
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . 7
8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 7
References . . . . . . . . . . . . . . . . . . . . . . . . . 7
References . . . . . . . . . . . . . . . . . . . . . . . . . 8
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 8
Full Copyright Statement . . . . . . . . . . . . . . . . . . 10
@ -107,10 +108,9 @@ Table of Contents
Stapp, et. al. Expires May 2, 2003 [Page 2]
Stapp, et. al. Expires April 23, 2004 [Page 2]
Internet-Draft The DHCID RR November 2002
Internet-Draft The DHCID RR October 2003
1. Terminology
@ -121,9 +121,9 @@ Internet-Draft The DHCID RR November 2002
2. Introduction
A set of procedures to allow DHCP[3] clients and servers to
automatically update the DNS (RFC1034[4], RFC1035[5]) is proposed in
"Resolution of DNS Name Conflicts"[1].
A set of procedures to allow DHCP[7] clients and servers to
automatically update the DNS (RFC 1034[3], RFC 1035[4]) is proposed
in "Resolution of DNS Name Conflicts"[1].
Conflicts can arise if multiple DHCP clients wish to use the same
DNS name. To resolve such conflicts, "Resolution of DNS Name
@ -135,7 +135,7 @@ Internet-Draft The DHCID RR November 2002
RR.
In order to avoid exposing potentially sensitive identifying
information, the data stored is the result of a one-way MD5[6] hash
information, the data stored is the result of a one-way MD5[5] hash
computation. The hash includes information from the DHCP client's
REQUEST message as well as the domain name itself, so that the data
stored in the DHCID RR will be dependent on both the client
@ -164,9 +164,9 @@ Internet-Draft The DHCID RR November 2002
Stapp, et. al. Expires May 2, 2003 [Page 3]
Stapp, et. al. Expires April 23, 2004 [Page 3]
Internet-Draft The DHCID RR November 2002
Internet-Draft The DHCID RR October 2003
3.1 DHCID RDATA format
@ -190,7 +190,7 @@ Internet-Draft The DHCID RR November 2002
In DNS master files, the RDATA is represented as a single block in
base 64 encoding identical to that used for representing binary data
in RFC2535[7]. The data may be divided up into any number of white
in RFC 2535[8]. The data may be divided up into any number of white
space separated substrings, down to single base 64 digits, which are
concatenated to form the complete RDATA. These substrings can span
lines using the standard parentheses.
@ -220,9 +220,9 @@ Internet-Draft The DHCID RR November 2002
Stapp, et. al. Expires May 2, 2003 [Page 4]
Stapp, et. al. Expires April 23, 2004 [Page 4]
Internet-Draft The DHCID RR November 2002
Internet-Draft The DHCID RR October 2003
3.4 Computation of the RDATA
@ -240,7 +240,7 @@ Internet-Draft The DHCID RR November 2002
data = MD5(< identifier > < FQDN >)
The FQDN is represented in the buffer in unambiguous canonical form
as described in RFC2535[7], section 8.1. The type code and the
as described in RFC 2535[8], section 8.1. The type code and the
identifier are related as specified in Section 3.3: the type code
describes the source of the identifier.
@ -276,9 +276,9 @@ Internet-Draft The DHCID RR November 2002
Stapp, et. al. Expires May 2, 2003 [Page 5]
Stapp, et. al. Expires April 23, 2004 [Page 5]
Internet-Draft The DHCID RR November 2002
Internet-Draft The DHCID RR October 2003
3.5 Examples
@ -332,9 +332,9 @@ Internet-Draft The DHCID RR November 2002
that the client desires to use to compute a client identity hash,
Stapp, et. al. Expires May 2, 2003 [Page 6]
Stapp, et. al. Expires April 23, 2004 [Page 6]
Internet-Draft The DHCID RR November 2002
Internet-Draft The DHCID RR October 2003
and then compare that hash to the data in any DHCID RRs on the name
@ -360,7 +360,7 @@ Internet-Draft The DHCID RR November 2002
Administrators should be wary of permitting unsecured DNS updates to
zones which are exposed to the global Internet. Both DHCP clients
and servers SHOULD use some form of update authentication (e.g.,
TSIG[10]) when performing DNS updates.
TSIG[11]) when performing DNS updates.
7. IANA Considerations
@ -376,77 +376,77 @@ Internet-Draft The DHCID RR November 2002
tentatively assigned after the specification for the associated type
code, published as an Internet Draft, has received expert review by
a designated expert. The final assignment of DHCID RR type codes is
through Standards Action, as defined in RFC2434[11].
through Standards Action, as defined in RFC 2434[6].
8. Acknowledgements
Many thanks to Josh Littlefield, Olafur Gudmundsson, Bernie Volz,
and Ralph Droms for their review and suggestions.
References
Normative References
[1] Stapp, M., "Resolution of DNS Name Conflicts Among DHCP
[1] Stapp, M., "Resolution of DNS Name Conflicts Among DHCP Clients
Stapp, et. al. Expires May 2, 2003 [Page 7]
Stapp, et. al. Expires April 23, 2004 [Page 7]
Internet-Draft The DHCID RR November 2002
Internet-Draft The DHCID RR October 2003
Clients (draft-ietf-dhc-dns-resolution-*)", March 2001.
(draft-ietf-dhc-dns-resolution-*)", November 2002.
[2] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", RFC 2119, March 1997.
[2] Bradner, S., "Key words for use in RFCs to Indicate Requirement
Levels", RFC 2119, March 1997.
[3] Droms, R., "Dynamic Host Configuration Protocol", RFC 2131,
[3] Mockapetris, P., "Domain names - Concepts and Facilities", RFC
1034, Nov 1987.
[4] Mockapetris, P., "Domain names - Implementation and
Specification", RFC 1035, Nov 1987.
[5] Rivest, R., "The MD5 Message Digest Algorithm", RFC 1321, April
1992.
[6] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA
Considerations Section in RFCs", RFC 2434, October 1998.
Informative References
[7] Droms, R., "Dynamic Host Configuration Protocol", RFC 2131,
Mar 1997.
[4] Mockapetris, P., "Domain names - Concepts and Facilities", RFC
1034, Nov 1987.
[5] Mockapetris, P., "Domain names - Implementation and
Specification", RFC 1035, Nov 1987.
[6] Rivest, R., "The MD5 Message Digest Algorithm", RFC 1321,
April 1992.
[7] Eastlake, D., "Domain Name System Security Extensions", RFC
[8] Eastlake, D., "Domain Name System Security Extensions", RFC
2535, March 1999.
[8] Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor
[9] Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor
Extensions", RFC 2132, Mar 1997.
[9] Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C. and M.
[10] Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C. and M.
Carney, "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)
(draft-ietf-dhc-dhcpv6-*.txt)", November 2002.
[10] Vixie, P., Gudmundsson, O., Eastlake, D. and B. Wellington,
[11] Vixie, P., Gudmundsson, O., Eastlake, D. and B. Wellington,
"Secret Key Transaction Authentication for DNS (TSIG)", RFC
2845, May 2000.
[11] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA
Considerations Section in RFCs", RFC 2434, October 1998.
Authors' Addresses
Mark Stapp
Cisco Systems, Inc.
250 Apollo Dr.
Chelmsford, MA 01824
1414 Massachusetts Ave.
Boxborough, MA 01719
USA
Phone: 978.244.8498
Phone: 978.936.1535
EMail: mjs@cisco.com
Stapp, et. al. Expires May 2, 2003 [Page 8]
Stapp, et. al. Expires April 23, 2004 [Page 8]
Internet-Draft The DHCID RR November 2002
Internet-Draft The DHCID RR October 2003
Ted Lemon
@ -500,14 +500,14 @@ Internet-Draft The DHCID RR November 2002
Stapp, et. al. Expires May 2, 2003 [Page 9]
Stapp, et. al. Expires April 23, 2004 [Page 9]
Internet-Draft The DHCID RR November 2002
Internet-Draft The DHCID RR October 2003
Full Copyright Statement
Copyright (C) The Internet Society (2002). All Rights Reserved.
Copyright (C) The Internet Society (2003). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
@ -556,5 +556,5 @@ Acknowledgement
Stapp, et. al. Expires May 2, 2003 [Page 10]
Stapp, et. al. Expires April 23, 2004 [Page 10]

348
doc/draft/draft-ietf-dnsext-dns-threats-03.txt → doc/draft/draft-ietf-dnsext-dns-threats-04.txt
View file

@ -5,10 +5,10 @@
Network Working Group D. Atkins
draft-ietf-dnsext-dns-threats-03.txt IHTFP Consulting
draft-ietf-dnsext-dns-threats-04.txt IHTFP Consulting
R. Austein
Grunchweather Associates
June 2003
October 2003
Threat Analysis Of The Domain Name System
@ -55,9 +55,9 @@ Abstract
Atkins & Austein Expires 29 December 2003 [Page 1]
Atkins & Austein Expires 30 April 2004 [Page 1]
draft-ietf-dnsext-dns-threats-03.txt June 2003
draft-ietf-dnsext-dns-threats-04.txt October 2003
1. Introduction
@ -77,9 +77,6 @@ draft-ietf-dnsext-dns-threats-03.txt June 2003
- While some participants in the meeting were interested in
authentication of DNS clients and servers as a basis for access
control, this work was also ruled out of scope for DNSSEC per se.
DNS Transaction Signatures (TSIG) were eventually developed as a
separate mechanism to address threats of unauthorized access to
DNS's zone transfer and dynamic update mechanisms.
- Backwards compatibility and co-existence with "insecure DNS" was
listed as an explicit requirement.
@ -108,17 +105,17 @@ draft-ietf-dnsext-dns-threats-03.txt June 2003
it, that is nevertheless what this note attempts to do. Better late
than never.
Atkins & Austein Expires 29 December 2003 [Page 2]
draft-ietf-dnsext-dns-threats-03.txt June 2003
This note assumes that the reader is familiar with both the DNS and
with DNSSEC, and does not attempt to provide a tutorial on either.
Atkins & Austein Expires 30 April 2004 [Page 2]
draft-ietf-dnsext-dns-threats-04.txt October 2003
For purposes of discussion, this note uses the term "DNSSEC" to refer
to the core hierarchical public key and signature mechanism specified
in the DNSSEC documents, and refers to TKEY and TSIG as separate
@ -164,17 +161,17 @@ draft-ietf-dnsext-dns-threats-03.txt June 2003
relationships between all the parties that might be involved in
resolving any particular query. For heavily used name servers (such
as the servers for the root zone), this cost would almost certainly
Atkins & Austein Expires 29 December 2003 [Page 3]
draft-ietf-dnsext-dns-threats-03.txt June 2003
be prohibitively high. Even more important, however, is that the
underlying trust model in such a design would be wrong, since at best
it would only provide a hop-by-hop integrity check on DNS messages
Atkins & Austein Expires 30 April 2004 [Page 3]
draft-ietf-dnsext-dns-threats-04.txt October 2003
and would not provide any sort of end-to-end integrity check between
the producer of DNS data (the zone administrator) and the consumer of
DNS data (the application that triggered the query).
@ -203,16 +200,18 @@ draft-ietf-dnsext-dns-threats-03.txt June 2003
2.2. ID Guessing and Query Prediction
Since the ID field in the DNS header is only a 16-bit field and the
server UDP port associated with DNS is a well-known value, there are
only 2**32 possible combinations of ID and client UDP port for a
given client and server. This is not a particularly large range, and
is not proof against a brute force search; furthermore, in practice
both the client UDP port and the ID can often be predicted from
previous traffic, and it is not uncommon for the client port to be a
known fixed value as well (due to firewalls or other restrictions),
thus frequently reducing the search space to a range smaller than
2**16.
Since DNS is for the most part used over UDP/IP, it is relatively
easy for an attacker to generate packets which will match the
transport protocol parameters. The ID field in the DNS header is
only a 16-bit field and the server UDP port associated with DNS is a
well-known value, so there are only 2**32 possible combinations of ID
and client UDP port for a given client and server. This is not a
particularly large range, and is not proof against a brute force
search; furthermore, in practice both the client UDP port and the ID
can often be predicted from previous traffic, and it is not uncommon
for the client port to be a known fixed value as well (due to
firewalls or other restrictions), thus frequently reducing the search
space to a range smaller than 2**16.
By itself, ID guessing is not enough to allow an attacker to inject
bogus data, but combined with knowledge (or guesses) about QNAMEs and
@ -220,15 +219,15 @@ draft-ietf-dnsext-dns-threats-03.txt June 2003
resolver only weakly defended against injection of bogus responses.
Since this attack relies on predicting a resolver's behavior, it's
Atkins & Austein Expires 29 December 2003 [Page 4]
draft-ietf-dnsext-dns-threats-03.txt June 2003
most likely to be successful when the victim is in a known state,
Atkins & Austein Expires 30 April 2004 [Page 4]
draft-ietf-dnsext-dns-threats-04.txt October 2003
whether because the victim rebooted recently, or because the victim's
behavior has been influenced by some other action by the attacker, or
because the victim is responding (in a predictable way) to some third
@ -276,16 +275,15 @@ draft-ietf-dnsext-dns-threats-03.txt June 2003
- Attacker injects response, whether via packet interception, query
guessing, or by being a legitimate name server that's involved at
some point in the process of answering the query that the victim
Atkins & Austein Expires 29 December 2003 [Page 5]
draft-ietf-dnsext-dns-threats-03.txt June 2003
issued.
Atkins & Austein Expires 30 April 2004 [Page 5]
draft-ietf-dnsext-dns-threats-04.txt October 2003
- Attacker's response includes one or more RRs with DNS names in
their RDATA; depending on which particular form this attack takes,
the object may be to inject false data associated with those names
@ -307,8 +305,10 @@ draft-ietf-dnsext-dns-threats-03.txt June 2003
This class of attack is particularly insidious given that it's quite
easy for an attacker to provoke a victim into querying for a
particular name of the attacker's choosing, for example, by embedding
a link to a 1x1-pixel "web bug" in a piece of Text/HTML mail to the
victim.
a link to a 1x1-pixel "web bug" graphic in a piece of Text/HTML mail
to the victim. If the victim's mail reading program attempts to
follow such a link, the result will be a DNS query for a name chosen
by the attacker.
DNSSEC should provide a good defense against most (all?) variations
on this class of attack. By checking signatures, a resolver can
@ -335,9 +335,9 @@ draft-ietf-dnsext-dns-threats-03.txt June 2003
Atkins & Austein Expires 29 December 2003 [Page 6]
Atkins & Austein Expires 30 April 2004 [Page 6]
draft-ietf-dnsext-dns-threats-03.txt June 2003
draft-ietf-dnsext-dns-threats-04.txt October 2003
resolvers, and use trusted servers to perform all of their DNS
@ -356,17 +356,31 @@ draft-ietf-dnsext-dns-threats-03.txt June 2003
matter what brand of middle boxes a particular hotel chain might have
installed when adding network drops in every guest room...).
From the protocol standpoint, the only difference between this sort
of betrayal and a packet interception attack is that in this case the
client has voluntarily sent its request to the attacker. The defense
against this is the same as with a packet interception attack: the
resolver must either check DNSSEC signatures itself or use TSIG (or
equivalent) to authenticate the server that it has chosen to trust.
Note that use of TSIG does not by itself guarantee that a name server
is at all trustworthy: all TSIG can do is help a resolver protect its
communication with a name server that it has already decided to trust
for other reasons. Protecting a resolver's communication with a
server that's giving out bogus answers is not particularly useful.
While the obvious solution to this problem would be for the client to
chose a more trustworthy server, in practice this may not be an
option for the client. In many network environments a client machine
has only a limited set of recursive name server from which to chose,
and none of them may be particularly trustworthy. In extreme cases,
port filtering or other forms of packet interception may prevent the
client host from being able to run an iterative resolver even if the
owner of the client machine is willing and able to do so. Thus,
while the initial source of this problem is not a DNS protocol attack
per se, this sort of betrayal is a threat to DNS clients, and simply
switching to a different recursive name server is not an adequate
defense.
Viewed strictly from the DNS protocol standpoint, the only difference
between this sort of betrayal and a packet interception attack is
that in this case the client has voluntarily sent its request to the
attacker. The defense against this is the same as with a packet
interception attack: the resolver must either check DNSSEC signatures
itself or use TSIG (or equivalent) to authenticate the server that it
has chosen to trust. Note that use of TSIG does not by itself
guarantee that a name server is at all trustworthy: all TSIG can do
is help a resolver protect its communication with a name server that
it has already decided to trust for other reasons. Protecting a
resolver's communication with a server that's giving out bogus
answers is not particularly useful.
Also note that if the stub resolver does not trust the name server
that is doing work on its behalf and wants to check the DNSSEC
@ -375,6 +389,13 @@ draft-ietf-dnsext-dns-threats-03.txt June 2003
(usually the public key for the root zone, but in some cases
knowledge of additional keys may also be appropriate).
Atkins & Austein Expires 30 April 2004 [Page 7]
draft-ietf-dnsext-dns-threats-04.txt October 2003
It is difficult to escape the conclusion that a properly paranoid
resolver must always perform its own signature checking, and that
this rule even applies to stub resolvers.
@ -389,13 +410,6 @@ draft-ietf-dnsext-dns-threats-03.txt June 2003
some cases can also increase the number of messages needed to answer
a query. TSIG (and similar mechanisms) have equivalent problems.
Atkins & Austein Expires 29 December 2003 [Page 7]
draft-ietf-dnsext-dns-threats-03.txt June 2003
DNS servers are also at risk of being used as denial of service
amplifiers, since DNS response packets tend to be significantly
longer than DNS query packets. Unsurprisingly, DNSSEC doesn't help
@ -430,6 +444,14 @@ draft-ietf-dnsext-dns-threats-03.txt June 2003
Much discussion has taken place over whether and how to provide data
integrity and data origin authentication for "wildcard" DNS names.
Conceptually, RRs with wildcard names are patterns for synthesizing
Atkins & Austein Expires 30 April 2004 [Page 8]
draft-ietf-dnsext-dns-threats-04.txt October 2003
RRs on the fly according to the matching rules described in section
4.3.2 of RFC 1034. While the rules that control the behavior of
wildcard names have a few quirks that can make them a trap for the
@ -444,14 +466,6 @@ draft-ietf-dnsext-dns-threats-03.txt June 2003
- We need to prove the non-existance of any RRs which, if they
existed, would make the wildcard RR irrelevant according to the
Atkins & Austein Expires 29 December 2003 [Page 8]
draft-ietf-dnsext-dns-threats-03.txt June 2003
synthesis rules the way in which wildcards are used (that is, we
need to prove that the synthesis rule is applicable).
@ -486,6 +500,14 @@ draft-ietf-dnsext-dns-threats-03.txt June 2003
delays that DNSSEC will impose into account, but that's a separate
topic for another document....)
Atkins & Austein Expires 30 April 2004 [Page 9]
draft-ietf-dnsext-dns-threats-04.txt October 2003
- Like DNS itself, DNSSEC's trust model is almost totally
hierarchical. While DNSSEC does allow resolvers to have special
additional knowledge of public keys beyond those for the root, in
@ -500,14 +522,6 @@ draft-ietf-dnsext-dns-threats-03.txt June 2003
come close to adequately specifying how the root key rolls over, or
even how it's configured in the first place.
Atkins & Austein Expires 29 December 2003 [Page 9]
draft-ietf-dnsext-dns-threats-03.txt June 2003
- DNSSEC creates a requirement of loose time synchronization between
the resolver and the host creating the DNSSEC signatures. Prior to
DNSSEC, all time-related actions in DNS could be performed by a
@ -541,6 +555,15 @@ draft-ietf-dnsext-dns-threats-03.txt June 2003
This section lists a few subjects not covered above which probably
need additional study, additional mechanisms, or both.
Atkins & Austein Expires 30 April 2004 [Page 10]
draft-ietf-dnsext-dns-threats-04.txt October 2003
4.1. Interactions With Other Protocols
The above discussion has concentrated exclusively on attacks within
@ -556,14 +579,6 @@ draft-ietf-dnsext-dns-threats-03.txt June 2003
authenticate the updating client to the server. While TSIG does not
scale very well (it requires manual configuration of shared keys
between the DNS name server and each TSIG client), it works well in a
Atkins & Austein Expires 29 December 2003 [Page 10]
draft-ietf-dnsext-dns-threats-03.txt June 2003
limited or closed environment such as a DHCP server updating a local
DNS name server.
@ -597,6 +612,14 @@ draft-ietf-dnsext-dns-threats-03.txt June 2003
access. For example, Alice may need to be able to add new nodes to
the zone or change existing nodes, but not remove them; Bob may need
to be able to remove zones but not add them; Carol may need to be
Atkins & Austein Expires 30 April 2004 [Page 11]
draft-ietf-dnsext-dns-threats-04.txt October 2003
able to add, remove, or modify nodes, but only A records.
Scaling properties of the key management problem here are a
@ -612,14 +635,6 @@ draft-ietf-dnsext-dns-threats-03.txt June 2003
DNSSEC does not provide object security, because zones include
unsigned NS RRs and glue at delegation points. Use of TSIG to
protect zone transfer (AXFR or IXFR) operations provides "channel
Atkins & Austein Expires 29 December 2003 [Page 11]
draft-ietf-dnsext-dns-threats-03.txt June 2003
security", but still does not provide object security for complete
zones, so the trust relationships involved in zone transfer are still
very much a hop-by-hop matter of name server operators trusting other
@ -650,6 +665,17 @@ IANA Considerations
None.
Atkins & Austein Expires 30 April 2004 [Page 12]
draft-ietf-dnsext-dns-threats-04.txt October 2003
Acknowledgments
This note is based both previous published works by others and on a
@ -669,13 +695,6 @@ Normative References
[DNS-IMPLEMENTATION] Mockapetris, P., "Domain names - implementation
and specification", RFC 1035, November 1987.
Atkins & Austein Expires 29 December 2003 [Page 12]
draft-ietf-dnsext-dns-threats-03.txt June 2003
[HOST-REQUIREMENTS] Braden, R., Editor, "Requirements for Internet
Hosts - Application and Support", RFC 1123, October 1989.
@ -685,9 +704,6 @@ draft-ietf-dnsext-dns-threats-03.txt June 2003
[NCACHE] Andrews, M., "Negative Caching of DNS Queries (DNS NCACHE)"
RFC 2308, March 1998.
[DNSSEC] Eastlake, D., "Domain Name System Security Extensions", RFC
2535, March 1999.
[EDNS0] Vixie, P., "Extension Mechanisms for DNS (EDNS0)", RFC 2671,
August 1999.
@ -701,14 +717,23 @@ draft-ietf-dnsext-dns-threats-03.txt June 2003
[SECURE-UPDATE] Wellington, B., "Secure Domain Name System (DNS)
Dynamic Update" RFC 3007, November 2000.
[SIGNING-AUTHORITY] Wellington, B., "Domain Name System Security
(DNSSEC) Signing Authority" RFC 3008, November 2000.
[DNSSEC-ZONE-STATUS] Lewis, E., "DNS Security Extension Clarification
on Zone Status" RFC 3090, March 2001.
[DNSSEC] Eastlake, D., "Domain Name System Security Extensions", RFC
2535, March 1999.
Informative References
[SEC-CONS] Rescorla, E., Korver, B., and the Internet Architecture
Board, "Guidelines for Writing RFC Text on Security
Atkins & Austein Expires 30 April 2004 [Page 13]
draft-ietf-dnsext-dns-threats-04.txt October 2003
Considerations", RFC 3552, July 2003.
[Bellovin95] Bellovin, S., "Using the Domain Name System for System
Break-Ins", Proceedings of the Fifth Usenix Unix Security
Symposium, June 1995.
@ -723,20 +748,6 @@ Informative References
[Vixie95] Vixie, P, "DNS and BIND Security Issues", Proceedings of
the Fifth Usenix Unix Security Symposium, June 1995.
Atkins & Austein Expires 29 December 2003 [Page 13]
draft-ietf-dnsext-dns-threats-03.txt June 2003
[SEC-CONS] Rescorla, E., Korver, B., and the Internet Architecture
Board, "Guidelines for Writing RFC Text on Security
Considerations", work in progress (draft-iab-sec-cons-03.txt),
January 2003.
Author's addresses:
Derek Atkins
@ -752,6 +763,36 @@ Author's addresses:
Email: sra@hactrn.net
Intellectual Property Statement
The IETF takes no position regarding the validity or scope of any
intellectual property or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; neither does it represent that it
has made any effort to identify any such rights. Information on the
IETF's procedures with respect to rights in standards-track and
standards-related documentation can be found in BCP-11. Copies of
claims of rights made available for publication and any assurances of
licenses to be made available, or the result of an attempt made to
obtain a general license or permission for the use of such
proprietary rights by implementors or users of this specification can
be obtained from the IETF Secretariat.
The IETF invites any interested party to bring to its attention any
Atkins & Austein Expires 30 April 2004 [Page 14]
draft-ietf-dnsext-dns-threats-04.txt October 2003
copyrights, patents or patent applications, or other proprietary
rights which may cover technology that may be required to practice
this standard. Please address the information to the IETF Executive
Director.
Full Copyright Statement
Copyright (C) The Internet Society (2003). All Rights Reserved.
@ -780,14 +821,6 @@ Full Copyright Statement
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Atkins & Austein Expires 29 December 2003 [Page 14]
draft-ietf-dnsext-dns-threats-03.txt June 2003
Acknowledgement
Funding for the RFC Editor function is currently provided by the
@ -806,37 +839,4 @@ Acknowledgement
Atkins & Austein Expires 29 December 2003 [Page 15]
Atkins & Austein Expires 30 April 2004 [Page 15]

1288
doc/draft/draft-ietf-dnsext-dnssec-intro-05.txt
View file

File diff suppressed because it is too large Load diff

1400
doc/draft/draft-ietf-dnsext-dnssec-intro-07.txt Normal file
View file

File diff suppressed because it is too large Load diff

2632
doc/draft/draft-ietf-dnsext-dnssec-protocol-02.txt
View file

File diff suppressed because it is too large Load diff

3080
doc/draft/draft-ietf-dnsext-dnssec-protocol-03.txt Normal file
View file

File diff suppressed because it is too large Load diff

1848
doc/draft/draft-ietf-dnsext-dnssec-records-03.txt
View file

File diff suppressed because it is too large Load diff

2016
doc/draft/draft-ietf-dnsext-dnssec-records-05.txt Normal file
View file

File diff suppressed because it is too large Load diff

335
doc/draft/draft-ietf-dnsext-keyrr-key-signing-flag-10.txt → doc/draft/draft-ietf-dnsext-keyrr-key-signing-flag-11.txt
View file

@ -1,19 +1,16 @@
DNS Extensions O. Kolkman
Internet-Draft RIPE NCC
Expires: March 28, 2004 J. Schlyter
Expires: March 1, 2004 J. Schlyter
E. Lewis
ARIN
September 28, 2003
September 2003
KEY RR Secure Entry Point Flag
draft-ietf-dnsext-keyrr-key-signing-flag-10
DNSKEY RR Secure Entry Point Flag
draft-ietf-dnsext-keyrr-key-signing-flag-11
Status of this Memo
@ -35,7 +32,7 @@ Status of this Memo
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on March 28, 2004.
This Internet-Draft will expire on March 1, 2004.
Copyright Notice
@ -43,39 +40,40 @@ Copyright Notice
Abstract
With the Delegation Signer (DS) resource record the concept of a key
acting as a secure entry point has been introduced. During
key-exchanges with the parent there is a need to differentiate secure
entry point keys from other keys in the KEY resource record (RR) set.
A flag bit in the KEY RR is defined to indicate that KEY is to be
used as a secure entry point. The flag bit is intended to assist in
operational procedures to correctly generate DS resource records, or
to indicate what keys are intended for static configuration. The flag
bit is not to be used in the DNS verification protocol. This document
With the Delegation Signer (DS) resource record the concept of a
public key acting as a secure entry point has been introduced. During
exchanges of public keys with the parent there is a need to
differentiate secure entry point keys from other public keys in the
DNSKEY resource record (RR) set. A flag bit in the DNSKEY RR is
defined to indicate that DNSKEY is to be used as a secure entry
point. The flag bit is intended to assist in operational procedures
to correctly generate DS resource records, or to indicate what
DNSKEYs are intended for static configuration. The flag bit is not to
Kolkman, et al. Expires March 28, 2004 [Page 1]
Kolkman, et al. Expires March 1, 2004 [Page 1]
Internet-Draft KEY RR Secure Entry Point Flag September 2003
Internet-Draft DNSKEY RR Secure Entry Point Flag September 2003
updates RFC 2535 and RFC 3445.
be used in the DNS verification protocol. This document updates RFC
2535 and RFC 3445.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. The Secure Entry Point (SEP) Flag . . . . . . . . . . . . . . . 4
3. DNSSEC Protocol Changes . . . . . . . . . . . . . . . . . . . . 4
4. Operational Guidelines . . . . . . . . . . . . . . . . . . . . . 4
5. Security Considerations . . . . . . . . . . . . . . . . . . . . 5
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 5
3. DNSSEC Protocol Changes . . . . . . . . . . . . . . . . . . . . 5
4. Operational Guidelines . . . . . . . . . . . . . . . . . . . . . 5
5. Security Considerations . . . . . . . . . . . . . . . . . . . . 6
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 6
7. Internationalization Considerations . . . . . . . . . . . . . . 6
8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . 6
Normative References . . . . . . . . . . . . . . . . . . . . . . 6
Informative References . . . . . . . . . . . . . . . . . . . . . 6
Normative References . . . . . . . . . . . . . . . . . . . . . . 7
Informative References . . . . . . . . . . . . . . . . . . . . . 7
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 7
Intellectual Property and Copyright Statements . . . . . . . . . 8
Intellectual Property and Copyright Statements . . . . . . . . . 9
@ -110,10 +108,9 @@ Table of Contents
Kolkman, et al. Expires March 28, 2004 [Page 2]
Kolkman, et al. Expires March 1, 2004 [Page 2]
Internet-Draft KEY RR Secure Entry Point Flag September 2003
Internet-Draft DNSKEY RR Secure Entry Point Flag September 2003
1. Introduction
@ -121,57 +118,86 @@ Internet-Draft KEY RR Secure Entry Point Flag September 2003
"All keys are equal but some keys are more equal than others" [6]
With the definition of the Delegation Signer Resource Record (DS RR)
[5] it has become important to differentiate between the zone keys
that are (to be) pointed to by parental DS RRs and other keys in the
zone. We refer to these keys as Secure Entry Point (SEP) keys. A
SEP key is either used to generate a DS RR or is distributed to
resolvers that use the key as the root of a trusted subtree[3].
[5] it has become important to differentiate between the keys in the
DNSKEY RR set that are (to be) pointed to by parental DS RRs and the
other keys in the DNSKEY RR set. We refer to these public keys as
Secure Entry Point (SEP) keys. A SEP key either used to generate a
DS RR or is distributed to resolvers that use the key as the root of
a trusted subtree[3].
In early deployment tests, the use of two (kinds of) keys in each
zone has been prevalent. One key is used to sign just the zone's KEY
resource record (RR) set and is the key referenced by a DS RR at the
parent or configured statically in a resolver. Another key is used to
sign the rest of the zone's data sets. The former key is called a
key-signing key (KSK) and the latter is called a zone-signing key
(ZSK). In practice there have been usually one of each kind of key,
but there will be multiples of each at times.
In early deployment tests, the use of two (kinds of) key pairs for
each zone has been prevalent. For one kind of key pair the private
key is used to sign just the zone's DNSKEY resource record (RR) set.
Its public key is intended to be referenced by a DS RR at the parent
or configured statically in a resolver. The private key of the other
kind of key pair is used to sign the rest of the zone's data sets.
The former key pair is called a key-signing key (KSK) and the latter
is called a zone-signing key (ZSK). In practice there have been
usually one of each kind of key pair, but there will be multiples of
each at times.
It should be noted that division of zone keys into KSK's and ZSK's is
not mandatory in any definition of DNSSEC, not even with the
It should be noted that division of keys pairs into KSK's and ZSK's
is not mandatory in any definition of DNSSEC, not even with the
introduction of the DS RR. But, in testing, this distinction has
been helpful when designing key roll over (key super-cession)
schemes. Given that the distinction has proven helpful, the labels
KSK and ZSK have begun to stick.
There is a need to differentiate between a KSK and a ZSK by the zone
administrator. This need is driven by knowing which keys are to be
sent for DS RRs, which keys are to be distributed to resolvers, and
which keys are fed to the signer application at the appropriate time.
There is a need to differentiate the public keys for the key pairs
that are used for key signing from keys that are not used key signing
(KSKs vs ZSKs). This need is driven by knowing which DNSKEYs are to
be sent for generating DS RRs, which DNSKEYs are to be distributed to
resolvers, and which keys are fed to the signer application at the
appropriate time.
In the flow between signer and (parental) key-collector and in the
flow between the signer and the resolver configuration it is
important to be able to differentiate the SEP keys from the other
keys in a KEY RR set. The SEP flag is to be of no interest to the
flow between the verifier and the authoritative data store.
In other words, the SEP bit provides an in-band method to communicate
a DNSKEY RR's intended use to third parties. As an example we present
3 use cases in which the bit is useful:
The parent is a registry, the parent and the child use secured DNS
queries and responses, with a preexisting trust-relation, or plain
DNS over a secured channel to exchange the child's DNSKEY RR
sets. Since a DNSKEY RR set will contain a complete DNSKEY RRset
the SEP bit can be used to isolate the DNSKEYs for which a DS RR
needs to be created.
Kolkman, et al. Expires March 1, 2004 [Page 3]
Internet-Draft DNSKEY RR Secure Entry Point Flag September 2003
An administrator has configured a DNSKEY as root for a trusted
subtree into security aware resolver. Using a special purpose tool
that queries for the KEY RRs from that domain's apex, the
administrator will be able to notice the roll over of the trusted
anchor by a change of the subset of KEY RRs with the DS flag set.
A signer might use the SEP bit on the public key to determine
which private key to use to exclusively sign the DNSKEY RRset and
which private key to use to sign the other RRsets in the zone.
As demonstrated in the above examples it is important to be able to
differentiate the SEP keys from the other keys in a DNSKEY RR set in
the flow between signer and (parental) key-collector and in the flow
between the signer and the resolver configuration. The SEP flag is to
be of no interest to the flow between the verifier and the
authoritative data store.
The reason for the term "SEP" is a result of the observation that the
distinction between KSK and ZSK is made by the signer, a key could be
both a KSK and a ZSK. To be clear, the term SEP was coined to lessen
the confusion caused by the overlap. (Once this label was applied, it
had the side effect of removing the temptation to have a KSK flag bit
and a ZSK flag bit, setting on needing just one bit.)
distinction between KSK and ZSK key pairs is made by the signer, a
key pair could be used as both a KSK and a ZSK at the same time. To
be clear, the term SEP was coined to lessen the confusion caused by
the overlap. ( Once this label was applied, it had the side effect of
removing the temptation to have both a KSK flag bit and a ZSK flag
bit.)
The key words "MAY","MAY NOT", "MUST", "MUST NOT", "REQUIRED",
"RECOMMENDED", "SHOULD", and "SHOULD NOT" in this document are to be
interpreted as described in RFC2119 [1].
Kolkman, et al. Expires March 28, 2004 [Page 3]
Internet-Draft KEY RR Secure Entry Point Flag September 2003
2. The Secure Entry Point (SEP) Flag
@ -187,17 +213,24 @@ Internet-Draft KEY RR Secure Entry Point Flag September 2003
/ /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
KEY RR Format
DNSKEY RR Format
The SEP bit (TBD) in the flags field is assigned to be the secure
entry point flag. If the the bit is set to 1 the key is intended to
be used as secure entry point key. One SHOULD NOT assign special
meaning to the key if the bit is set to 0. This document assigns the
15'th bit [4] as the SEP bit. This way operators can recognize the
secure entry point key by the even or odd-ness of the decimal
representation of the flag field.
Kolkman, et al. Expires March 1, 2004 [Page 4]
Internet-Draft DNSKEY RR Secure Entry Point Flag September 2003
This document assigns the 15'th bit [4] in the flags field as the
secure entry point (SEP) bit. If the the bit is set to 1 the key is
intended to be used as secure entry point key. One SHOULD NOT assign
special meaning to the key if the bit is set to 0. Operators can
recognize the secure entry point key by the even or odd-ness of the
decimal representation of the flag field.
3. DNSSEC Protocol Changes
@ -209,25 +242,18 @@ Internet-Draft KEY RR Secure Entry Point Flag September 2003
4. Operational Guidelines
The SEP bit is set by the key-generator and MAY be used by the zone
signer to decide whether the key is to be prepared for input to a DS
RR generation function. The SEP bit is recommended to be set (to 1)
whenever the public key of the key pair will be distributed to the
parent zone to build the authentication chain or if the public key is
to be distributed for static configuration in verifiers.
The SEP bit is set by the key-pair-generator and MAY be used by the
zone signer to decide whether the public part of the key pair is to
be prepared for input to a DS RR generation function. The SEP bit is
recommended to be set (to 1) whenever the public key of the key pair
will be distributed to the parent zone to build the authentication
chain or if the public key is to be distributed for static
configuration in verifiers.
When a key pair is created, the operator needs to indicate whether
the SEP bit is to be set in the KEY RR. As the SEP bit is within the
data that is used to compute the 'key tag field' in the SIG RR,
the SEP bit is to be set in the DNSKEY RR. As the SEP bit is within
the data that is used to compute the 'key tag field' in the SIG RR,
changing the SEP bit will change the identity of the key within DNS.
Kolkman, et al. Expires March 28, 2004 [Page 4]
Internet-Draft KEY RR Secure Entry Point Flag September 2003
In other words, once a key is used to generate signatures, the
setting of the SEP bit is to remain constant. If not, a verifier will
not be able to find the relevant KEY RR.
@ -235,21 +261,29 @@ Internet-Draft KEY RR Secure Entry Point Flag September 2003
When signing a zone, it is intended that the key(s) with the SEP bit
set (if such keys exist) are used to sign the KEY RR set of the zone.
The same key can be used to sign the rest of the zone data too. It
is conceivable that not all keys with a SEP bit set will sign the KEY
RR set, such keys might be pending retirement or not yet in use.
is conceivable that not all keys with a SEP bit set will sign the
DNSKEY RR set, such keys might be pending retirement or not yet in
use.
When verifying a RR set, the SEP bit is not intended to play a role.
How the key is used by the verifier is not intended to be a
consideration at key creation time.
Although the SEP flag provides a hint on which key to be used as
trusted root, administrators can choose to ignore the fact that a KEY
has its SEP bit set or not when configuring a trusted root for their
resolvers.
Although the SEP flag provides a hint on which public key is to be
used as trusted root, administrators can choose to ignore the fact
that a DNSKEY has its SEP bit set or not when configuring a trusted
root for their resolvers.
Using the flag a key roll over can be automated. The parent can use
an existing trust relation to verify key sets in which a new key with
the SEP flag appears.
Kolkman, et al. Expires March 1, 2004 [Page 5]
Internet-Draft DNSKEY RR Secure Entry Point Flag September 2003
Using the SEP flag a key roll over can be automated. The parent can
use an existing trust relation to verify DNSKEY RR sets in which a
new DNSKEY RR with the SEP flag appears.
5. Security Considerations
@ -260,32 +294,27 @@ Internet-Draft KEY RR Secure Entry Point Flag September 2003
No trust in a key should be inferred from this flag - trust MUST be
inferred from an existing chain of trust or an out-of-band exchange.
Since this flag might be used for automating key exchanges, we think
the following consideration is in place.
Since this flag might be used for automating public key exchanges, we
think the following consideration is in place.
Automated mechanisms for roll over of the DS RR might be vulnerable
to a class of replay attacks. This might happen after a key exchange
where a key set, containing two keys with the SEP flag set, is sent
to the parent. The parent verifies the key set with the existing
trust relation and creates the new DS RR from the key that the
current DS is not pointing to. This key exchange might be replayed.
Parents are encouraged to implement a replay defense. A simple
defense can be based on a registry of keys that have been used to
generate DS RRs during the most recent roll over. These same
considerations apply to entities that configure keys in resolvers.
to a class of replay attacks. This might happen after a public key
exchange where a DNSKEY RR set, containing two DNSKEY RRs with the
SEP flag set, is sent to the parent. The parent verifies the DNSKEY
RR set with the existing trust relation and creates the new DS RR
from the DNSKEY RR that the current DS RR is not pointing to. This
key exchange might be replayed. Parents are encouraged to implement a
replay defense. A simple defense can be based on a registry of keys
that have been used to generate DS RRs during the most recent roll
over. These same considerations apply to entities that configure keys
in resolvers.
6. IANA Considerations
Kolkman, et al. Expires March 28, 2004 [Page 5]
Internet-Draft KEY RR Secure Entry Point Flag September 2003
IANA considerations: The flag bits in the KEY RR are assigned by
IETF consensus. There is no action on IANA.
IANA considerations: The flag bits in the DNSKEY RR are assigned by
IETF consensus. This document assigns the 15th bit in the DNSKEY RR
as the Secure Entry Point (SEP) bit. [Final text pending
clarification of the DNSKEY flag registry]
7. Internationalization Considerations
@ -296,9 +325,17 @@ Internet-Draft KEY RR Secure Entry Point Flag September 2003
The ideas documented in this document are inspired by communications
we had with numerous people and ideas published by other folk. Among
others Mark Andrews, Miek Gieben, Olafur Gudmundsson, Daniel
Karrenberg, Dan Massey, Scott Rose, Marcos Sanz and Sam Weiler have
contributed ideas and provided feedback.
others Mark Andrews, Rob Austein, Miek Gieben, Olafur Gudmundsson,
Daniel Karrenberg, Dan Massey, Scott Rose, Marcos Sanz and Sam Weiler
have contributed ideas and provided feedback.
Kolkman, et al. Expires March 1, 2004 [Page 6]
Internet-Draft DNSKEY RR Secure Entry Point Flag September 2003
This document saw the light during a workshop on DNSSEC operations
hosted by USC/ISI in August 2002.
@ -327,19 +364,6 @@ Informative References
Story", ISBN 0151002177 (50th anniversary edition), April 1996.
Kolkman, et al. Expires March 28, 2004 [Page 6]
Internet-Draft KEY RR Secure Entry Point Flag September 2003
Authors' Addresses
Olaf M. Kolkman
@ -361,6 +385,14 @@ Authors' Addresses
EMail: jakob@schlyter.se
Kolkman, et al. Expires March 1, 2004 [Page 7]
Internet-Draft DNSKEY RR Secure Entry Point Flag September 2003
Edward P. Lewis
ARIN
3635 Concorde Parkway Suite 200
@ -391,9 +423,30 @@ Authors' Addresses
Kolkman, et al. Expires March 28, 2004 [Page 7]
Kolkman, et al. Expires March 1, 2004 [Page 8]
Internet-Draft KEY RR Secure Entry Point Flag September 2003
Internet-Draft DNSKEY RR Secure Entry Point Flag September 2003
Intellectual Property Statement
@ -447,9 +500,9 @@ Full Copyright Statement
Kolkman, et al. Expires March 28, 2004 [Page 8]
Kolkman, et al. Expires March 1, 2004 [Page 9]
Internet-Draft KEY RR Secure Entry Point Flag September 2003
Internet-Draft DNSKEY RR Secure Entry Point Flag September 2003
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
@ -503,5 +556,5 @@ Acknowledgment
Kolkman, et al. Expires March 28, 2004 [Page 9]
Kolkman, et al. Expires March 1, 2004 [Page 10]