📄 draft-ietf-dnsext-dnssec-opt-in-07.txt
字号:
prove the non-existence of an applicable wildcard in non-existent name responses. This NSEC record can be described as a "negative wildcard proof". The use of Opt-In NSEC records changes the necessity for this practice. For non-existent name responses when the query name (qname) is covered by an Opt-In tagged NSEC record, servers MAY choose to omit the wildcard proof record, and clients MUST NOT treat the absence of this NSEC record as a validation error. The intent of the standard DNSSEC negative wildcard proof requirement is to prevent malicious users from undetectably removing valid wildcard responses. In order for this cryptographic proof to work, the resolver must be able to prove: 1. The exact qname does not exist. This is done by the "normal" NSEC record. 2. No applicable wildcard exists. This is done by returning a NSEC record proving that the wildcard does not exist (this is the negative wildcard proof). However, if the NSEC record covering the exact qname is an Opt-In NSEC record, the resolver will not be able to prove the first part of this equation, as the qname might exist as an insecure delegation. Thus, since the total proof cannot be completed, the negative wildcard proof NSEC record is not useful. The negative wildcard proof is also not useful when returned as part of an Opt-In insecure delegation response for a similar reason: the resolver cannot prove that the qname does or does not exist, and therefore cannot prove that a wildcard expansion is valid. The presence of an Opt-In tagged NSEC record does not change the practice of returning a NSEC along with a wildcard expansion. EvenArends, et al. Expires January 19, 2006 [Page 6]
Internet-Draft DNSSEC Opt-In July 2005 though the Opt-In NSEC will not be able to prove that the wildcard expansion is valid, it will prove that the wildcard expansion is not masking any signed records.4.1.4 Dynamic Update Opt-In changes the semantics of Secure DNS Dynamic Update [9]. In particular, it introduces the need for rules that describe when to add or remove a delegation name from the NSEC chain. This document does not attempt to define these rules. Until these rules are defined, servers MUST NOT process DNS Dynamic Update requests against zones that use Opt-In NSEC records. Servers SHOULD return responses to update requests with RCODE=REFUSED.4.2 Client Considerations Opt-In imposes some new requirements on security-aware resolvers (caching or otherwise).4.2.1 Delegations Only As stated in the "Server Considerations" section above, this specification restricts the namespace covered by Opt-In tagged NSEC records to insecure delegations only. Thus, resolvers MUST reject as invalid any records that fall within an Opt-In NSEC record's span that are not NS records or corresponding glue records.4.2.2 Validation Process Changes This specification does not change the resolver's resolution algorithm. However, it does change the DNSSEC validation process. Resolvers MUST be able to use Opt-In tagged NSEC records to cryptographically prove the validity and security status (as insecure) of a referral. Resolvers determine the security status of the referred-to zone as follows: o In standard DNSSEC, the security status is proven by the existence or absence of a DS RRset at the same name as the delegation. The existence of the DS RRset indicates that the referred-to zone is signed. The absence of the DS RRset is proven using a verified NSEC record of the same name that does not have the DS bit set in the type map. This NSEC record MAY also be tagged as Opt-In. o Using Opt-In, the security status is proven by the existence of a DS record (for signed) or the presence of a verified Opt-In tagged NSEC record that covers the delegation name. That is, the NSEC record does not have the NSEC bit set in the type map, and the delegation name falls between the NSEC's owner and "next" name.Arends, et al. Expires January 19, 2006 [Page 7]
Internet-Draft DNSSEC Opt-In July 2005 Using Opt-In does not substantially change the nature of following referrals within DNSSEC. At every delegation point, the resolver will have cryptographic proof that the referred-to subzone is signed or unsigned. When receiving either an Opt-In insecure delegation response or a non-existent name response where that name is covered by an Opt-In tagged NSEC record, the resolver MUST NOT require proof (in the form of a NSEC record) that a wildcard did not exist.4.2.3 NSEC Record Caching Caching resolvers MUST be able to retrieve the appropriate covering Opt-In NSEC record when returning referrals that need them. This requirement differs from standard DNSSEC in that the covering NSEC will not have the same owner name as the delegation. Some implementations may have to use new methods for finding these NSEC records.4.2.4 Use of the AD bit The AD bit, as defined by [2] and [5], MUST NOT be set when: o sending a Name Error (RCODE=3) response where the covering NSEC is tagged as Opt-In. o sending an Opt-In insecure delegation response, unless the covering (Opt-In) NSEC record's owner name equals the delegation name. This rule is based on what the Opt-In NSEC record actually proves: for names that exist between the Opt-In NSEC record's owner and "next" names, the Opt-In NSEC record cannot prove the non-existence or existence of the name. As such, not all data in the response has been cryptographically verified, so the AD bit cannot be set.5. Benefits Using Opt-In allows administrators of large and/or changing delegation-centric zones to minimize the overhead involved in maintaining the security of the zone. Opt-In accomplishes this by eliminating the need for NSEC records for insecure delegations. This, in a zone with a large number of delegations to unsigned subzones, can lead to substantial space savings (both in memory and on disk). Additionally, Opt-In allows for the addition or removal of insecure delegations without modifying the NSEC record chain. Zones that are frequently updating insecure delegations (e.g., TLDs) can avoid the substantial overhead ofArends, et al. Expires January 19, 2006 [Page 8]
Internet-Draft DNSSEC Opt-In July 2005 modifying and resigning the affected NSEC records.6. Example Consider the zone EXAMPLE, shown below. This is a zone where all of the NSEC records are tagged as Opt-In. Example A: Fully Opt-In Zone. EXAMPLE. SOA ... EXAMPLE. RRSIG SOA ... EXAMPLE. NS FIRST-SECURE.EXAMPLE. EXAMPLE. RRSIG NS ... EXAMPLE. DNSKEY ... EXAMPLE. RRSIG DNSKEY ... EXAMPLE. NSEC FIRST-SECURE.EXAMPLE. ( SOA NS RRSIG DNSKEY ) EXAMPLE. RRSIG NSEC ... FIRST-SECURE.EXAMPLE. A ... FIRST-SECURE.EXAMPLE. RRSIG A ... FIRST-SECURE.EXAMPLE. NSEC NOT-SECURE-2.EXAMPLE. A RRSIG FIRST-SECURE.EXAMPLE. RRSIG NSEC ... NOT-SECURE.EXAMPLE. NS NS.NOT-SECURE.EXAMPLE. NS.NOT-SECURE.EXAMPLE. A ... NOT-SECURE-2.EXAMPLE. NS NS.NOT-SECURE.EXAMPLE. NOT-SECURE-2.EXAMPLE NSEC SECOND-SECURE.EXAMPLE NS RRSIG NOT-SECURE-2.EXAMPLE RRSIG NSEC ... SECOND-SECURE.EXAMPLE. NS NS.ELSEWHERE. SECOND-SECURE.EXAMPLE. DS ... SECOND-SECURE.EXAMPLE. RRSIG DS ... SECOND-SECURE.EXAMPLE. NSEC EXAMPLE. NS RRSIG DNSKEY SECOND-SECURE.EXAMPLE. RRSIG NSEC ... UNSIGNED.EXAMPLE. NS NS.UNSIGNED.EXAMPLE. NS.UNSIGNED.EXAMPLE. A ... In this example, a query for a signed RRset (e.g., "FIRST- SECURE.EXAMPLE A"), or a secure delegation ("WWW.SECOND- SECURE.EXAMPLE A") will result in a standard DNSSEC response. A query for a nonexistent RRset will result in a response that differs from standard DNSSEC by: the NSEC record will be tagged as Opt-In, there may be no NSEC record proving the non-existence of aArends, et al. Expires January 19, 2006 [Page 9]
Internet-Draft DNSSEC Opt-In July 2005 matching wildcard record, and the AD bit will not be set. A query for an insecure delegation RRset (or a referral) will return both the answer (in the Authority section) and the corresponding Opt-In NSEC record to prove that it is not secure. Example A.1: Response to query for WWW.UNSIGNED.EXAMPLE. A RCODE=NOERROR, AD=0 Answer Section: Authority Section: UNSIGNED.EXAMPLE. NS NS.UNSIGNED.EXAMPLE SECOND-SECURE.EXAMPLE. NSEC EXAMPLE. NS RRSIG DS SECOND-SECURE.EXAMPLE. RRSIG NSEC ... Additional Section: NS.UNSIGNED.EXAMPLE. A ... In the Example A.1 zone, the EXAMPLE. node MAY use either style of NSEC record, because there are no insecure delegations that occur between it and the next node, FIRST-SECURE.EXAMPLE. In other words, Example A would still be a valid zone if the NSEC record for EXAMPLE. was changed to the following RR: EXAMPLE. NSEC FIRST-SECURE.EXAMPLE. (SOA NS RRSIG DNSKEY NSEC ) However, the other NSEC records (FIRST-SECURE.EXAMPLE. and SECOND- SECURE.EXAMPLE.) MUST be tagged as Opt-In because there are insecure delegations in the range they define. (NOT-SECURE.EXAMPLE. and UNSIGNED.EXAMPLE., respectively). NOT-SECURE-2.EXAMPLE. is an example of an insecure delegation that is part of the NSEC chain and also covered by an Opt-In tagged NSEC record. Because NOT-SECURE-2.EXAMPLE. is a signed name, it cannot be removed from the zone without modifying and resigning the prior NSEC record. Delegations with names that fall between NOT-SECURE- 2.EXAMPLE. and SECOND-SECURE.EXAMPLE. may be added or removed without resigning any NSEC records.7. Transition Issues Opt-In is not backwards compatible with standard DNSSEC and is considered experimental. Standard DNSSEC compliant implementations would not recognize Opt-In tagged NSEC records as different fromArends, et al. Expires January 19, 2006 [Page 10]
Internet-Draft DNSSEC Opt-In July 2005 standard NSEC records. Because of this, standard DNSSEC implementations, if they were to validate Opt-In style responses, would reject all Opt-In insecure delegations within a zone as invalid. However, by only signing with private algorithms, standard DNSSEC implementations will treat Opt-In responses as unsigned. It should be noted that all elements in the resolution path between (and including) the validator and the authoritative name server must be aware of the Opt-In experiment and implement the Opt-In semantics for successful validation to be possible. In particular, this includes any caching middleboxes between the validator and authoritative name server.8. Security Considerations Opt-In allows for unsigned names, in the form of delegations to unsigned subzones, to exist within an otherwise signed zone. All unsigned names are, by definition, insecure, and their validity or existence cannot by cryptographically proven. In general: o Records with unsigned names (whether existing or not) suffer from the same vulnerabilities as records in an unsigned zone. These vulnerabilities are described in more detail in [12] (note in particular sections 2.3, "Name Games" and 2.6, "Authenticated Denial"). o Records with signed names have the same security whether or not Opt-In is used. Note that with or without Opt-In, an insecure delegation may have its contents undetectably altered by an attacker. Because of this, the primary difference in security that Opt-In introduces is the loss of the ability to prove the existence or nonexistence of an insecure delegation within the span of an Opt-In NSEC record.⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -