draft-ietf-dnsext-dnssec-opt-in-07.txt

bind 源码 最新实现 linux/unix/windows平台

DNSEXT                                                         R. Arends
Internet-Draft                                      Telematica Instituut
Expires: January 19, 2006                                     M. Kosters
                                                               D. Blacka
                                                          Verisign, Inc.
                                                           July 18, 2005


                             DNSSEC Opt-In
                   draft-ietf-dnsext-dnssec-opt-in-07

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on January 19, 2006.

Copyright Notice

   Copyright (C) The Internet Society (2005).

Abstract

   In the DNS security extensions (DNSSEC, defined in RFC 4033 [3], RFC
   4034 [4], and RFC 4035 [5]), delegations to unsigned subzones are
   cryptographically secured.  Maintaining this cryptography is not
   practical or necessary.  This document describes an experimental
   "Opt-In" model that allows administrators to omit this cryptography
   and manage the cost of adopting DNSSEC with large zones.



Arends, et al.          Expires January 19, 2006                [Page 1]

Internet-Draft                DNSSEC Opt-In                    July 2005


Table of Contents

   1.  Definitions and Terminology  . . . . . . . . . . . . . . . . .  3
   2.  Overview . . . . . . . . . . . . . . . . . . . . . . . . . . .  3
   3.  Experimental Status  . . . . . . . . . . . . . . . . . . . . .  4
   4.  Protocol Additions . . . . . . . . . . . . . . . . . . . . . .  4
     4.1   Server Considerations  . . . . . . . . . . . . . . . . . .  5
       4.1.1   Delegations Only . . . . . . . . . . . . . . . . . . .  5
       4.1.2   Insecure Delegation Responses  . . . . . . . . . . . .  6
       4.1.3   Wildcards and Opt-In . . . . . . . . . . . . . . . . .  6
       4.1.4   Dynamic Update . . . . . . . . . . . . . . . . . . . .  7
     4.2   Client Considerations  . . . . . . . . . . . . . . . . . .  7
       4.2.1   Delegations Only . . . . . . . . . . . . . . . . . . .  7
       4.2.2   Validation Process Changes . . . . . . . . . . . . . .  7
       4.2.3   NSEC Record Caching  . . . . . . . . . . . . . . . . .  8
       4.2.4   Use of the AD bit  . . . . . . . . . . . . . . . . . .  8
   5.  Benefits . . . . . . . . . . . . . . . . . . . . . . . . . . .  8
   6.  Example  . . . . . . . . . . . . . . . . . . . . . . . . . . .  9
   7.  Transition Issues  . . . . . . . . . . . . . . . . . . . . . . 10
   8.  Security Considerations  . . . . . . . . . . . . . . . . . . . 11
   9.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 12
   10.   Acknowledgments  . . . . . . . . . . . . . . . . . . . . . . 12
   11.   References . . . . . . . . . . . . . . . . . . . . . . . . . 13
     11.1  Normative References . . . . . . . . . . . . . . . . . . . 13
     11.2  Informative References . . . . . . . . . . . . . . . . . . 13
       Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 14
   A.  Implementing Opt-In using "Views"  . . . . . . . . . . . . . . 14
       Intellectual Property and Copyright Statements . . . . . . . . 16























Arends, et al.          Expires January 19, 2006                [Page 2]

Internet-Draft                DNSSEC Opt-In                    July 2005


1.  Definitions and Terminology

   Throughout this document, familiarity with the DNS system (RFC 1035
   [1]), DNS security extensions ([3], [4], and [5], referred to in this
   document as "standard DNSSEC"), and DNSSEC terminology (RFC 3090
   [10]) is assumed.

   The following abbreviations and terms are used in this document:

   RR: is used to refer to a DNS resource record.
   RRset: refers to a Resource Record Set, as defined by [8].  In this
      document, the RRset is also defined to include the covering RRSIG
      records, if any exist.
   signed name: refers to a DNS name that has, at minimum, a (signed)
      NSEC record.
   unsigned name: refers to a DNS name that does not (at least) have a
      NSEC record.
   covering NSEC record/RRset: is the NSEC record used to prove
      (non)existence of a particular name or RRset.  This means that for
      a RRset or name 'N', the covering NSEC record has the name 'N', or
      has an owner name less than 'N' and "next" name greater than 'N'.
   delegation: refers to a NS RRset with a name different from the
      current zone apex (non-zone-apex), signifying a delegation to a
      subzone.
   secure delegation: refers to a signed name containing a delegation
      (NS RRset), and a signed DS RRset, signifying a delegation to a
      signed subzone.
   insecure delegation: refers to a signed name containing a delegation
      (NS RRset), but lacking a DS RRset, signifying a delegation to an
      unsigned subzone.
   Opt-In insecure delegation: refers to an unsigned name containing
      only a delegation NS RRset.  The covering NSEC record uses the
      Opt-In methodology described in this document.

   The key words "MUST, "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY, and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [7].

2.  Overview

   The cost to cryptographically secure delegations to unsigned zones is
   high for large delegation-centric zones and zones where insecure
   delegations will be updated rapidly.  For these zones, the costs of
   maintaining the NSEC record chain may be extremely high relative to
   the gain of cryptographically authenticating existence of unsecured
   zones.

   This document describes an experimental method of eliminating the



Arends, et al.          Expires January 19, 2006                [Page 3]

Internet-Draft                DNSSEC Opt-In                    July 2005


   superfluous cryptography present in secure delegations to unsigned
   zones.  Using "Opt-In", a zone administrator can choose to remove
   insecure delegations from the NSEC chain.  This is accomplished by
   extending the semantics of the NSEC record by using a redundant bit
   in the type map.

3.  Experimental Status

   This document describes an EXPERIMENTAL extension to DNSSEC.  It
   interoperates with non-experimental DNSSEC using the technique
   described in [6].  This experiment is identified with the following
   private algorithms (using algorithm 253):

   "3.optin.verisignlabs.com": is an alias for DNSSEC algorithm 3, DSA,
      and
   "5.optin.verisignlabs.com": is an alias for DNSSEC algorithm 5,
      RSASHA1.

   Servers wishing to sign and serve zones that utilize Opt-In MUST sign
   the zone with only one or more of these private algorithms.  This
   requires the signing tools and servers to support private algorithms,
   as well as Opt-In.

   Resolvers wishing to validate Opt-In zones MUST only do so when the
   zone is only signed using one or more of these private algorithms.

   The remainder of this document assumes that the servers and resolvers
   involved are aware of and are involved in this experiment.

4.  Protocol Additions

   In DNSSEC, delegation NS RRsets are not signed, but are instead
   accompanied by a NSEC RRset of the same name and (possibly) a DS
   record.  The security status of the subzone is determined by the
   presence or absence of the DS RRset, cryptographically proven by the
   NSEC record.  Opt-In expands this definition by allowing insecure
   delegations to exist within an otherwise signed zone without the
   corresponding NSEC record at the delegation's owner name.  These
   insecure delegations are proven insecure by using a covering NSEC
   record.

   Since this represents a change of the interpretation of NSEC records,
   resolvers must be able to distinguish between RFC standard DNSSEC
   NSEC records and Opt-In NSEC records.  This is accomplished by
   "tagging" the NSEC records that cover (or potentially cover) insecure
   delegation nodes.  This tag is indicated by the absence of the NSEC
   bit in the type map.  Since the NSEC bit in the type map merely
   indicates the existence of the record itself, this bit is redundant



Arends, et al.          Expires January 19, 2006                [Page 4]

Internet-Draft                DNSSEC Opt-In                    July 2005


   and safe for use as a tag.

   An Opt-In tagged NSEC record does not assert the (non)existence of
   the delegations that it covers (except for a delegation with the same
   name).  This allows for the addition or removal of these delegations
   without recalculating or resigning records in the NSEC chain.
   However, Opt-In tagged NSEC records do assert the (non)existence of
   other RRsets.

   An Opt-In NSEC record MAY have the same name as an insecure
   delegation.  In this case, the delegation is proven insecure by the
   lack of a DS bit in type map and the signed NSEC record does assert
   the existence of the delegation.

   Zones using Opt-In MAY contain a mixture of Opt-In tagged NSEC
   records and standard DNSSEC NSEC records.  If a NSEC record is not
   Opt-In, there MUST NOT be any insecure delegations (or any other
   records) between it and the RRsets indicated by the 'next domain
   name' in the NSEC RDATA.  If it is Opt-In, there MUST only be
   insecure delegations between it and the next node indicated by the
   'next domain name' in the NSEC RDATA.

   In summary,

   o  An Opt-In NSEC type is identified by a zero-valued (or not-
      specified) NSEC bit in the type bit map of the NSEC record.
   o  A RFC2535bis NSEC type is identified by a one-valued NSEC bit in
      the type bit map of the NSEC record.

   and,

   o  An Opt-In NSEC record does not assert the non-existence of a name
      between its owner name and "next" name, although it does assert
      that any name in this span MUST be an insecure delegation.
   o  An Opt-In NSEC record does assert the (non)existence of RRsets
      with the same owner name.

4.1  Server Considerations

   Opt-In imposes some new requirements on authoritative DNS servers.

4.1.1  Delegations Only

   This specification dictates that only insecure delegations may exist
   between the owner and "next" names of an Opt-In tagged NSEC record.
   Signing tools SHOULD NOT generate signed zones that violate this
   restriction.  Servers SHOULD refuse to load and/or serve zones that
   violate this restriction.  Servers also SHOULD reject AXFR or IXFR



Arends, et al.          Expires January 19, 2006                [Page 5]

Internet-Draft                DNSSEC Opt-In                    July 2005


   responses that violate this restriction.

4.1.2  Insecure Delegation Responses

   When returning an Opt-In insecure delegation, the server MUST return
   the covering NSEC RRset in the Authority section.

   In standard DNSSEC, NSEC records already must be returned along with
   the insecure delegation.  The primary difference that this proposal
   introduces is that the Opt-In tagged NSEC record will have a
   different owner name from the delegation RRset.  This may require
   implementations to search for the covering NSEC RRset.

4.1.3  Wildcards and Opt-In

   Standard DNSSEC describes the practice of returning NSEC records to