draft-ietf-dnsext-signed-nonexistence-requirements-01.txt

bind 源码 最新实现 linux/unix/windows平台

Network Working Group                                          B. Laurie
Internet-Draft                                                   Nominet
Expires: March 2, 2005                                         R. Loomis
                                                                    SAIC
                                                          September 2004



      Requirements related to DNSSEC Signed Proof of Non-Existence
         draft-ietf-dnsext-signed-nonexistence-requirements-01


Status of this Memo


   This document is an Internet-Draft and is subject to all provisions
   of section 3 of RFC 3667.  By submitting this Internet-Draft, each
   author represents that any applicable patent or other IPR claims of
   which he or she is aware have been or will be disclosed, and any of
   which he or she become aware will be disclosed, in accordance with
   RFC 3668.


   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.


   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."


   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.


   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.


   This Internet-Draft will expire on March 2, 2005.


Copyright Notice


   Copyright (C) The Internet Society (2004).


Abstract


   DNSSEC-bis uses the NSEC record to provide authenticated denial of
   existence of RRsets.  NSEC also has the side-effect of permitting
   zone enumeration, even if zone transfers have been forbidden.
   Because some see this as a problem, this document has been assembled
   to detail the possible requirements for denial of existence A/K/A
   signed proof of non-existence.




Laurie & Loomis          Expires March 2, 2005                  [Page 1]
Internet-Draft      signed-nonexistence-requirements      September 2004



Table of Contents


   1.   Introduction . . . . . . . . . . . . . . . . . . . . . . . .   3
   2.   Non-purposes . . . . . . . . . . . . . . . . . . . . . . . .   3
   3.   Zone Enumeration . . . . . . . . . . . . . . . . . . . . . .   3
   4.   Zone Enumeration II  . . . . . . . . . . . . . . . . . . . .   4
   5.   Zone Enumeration III . . . . . . . . . . . . . . . . . . . .   4
   6.   Exposure of Contents . . . . . . . . . . . . . . . . . . . .   4
   7.   Zone Size  . . . . . . . . . . . . . . . . . . . . . . . . .   4
   8.   Single Method  . . . . . . . . . . . . . . . . . . . . . . .   5
   9.   Empty Non-terminals  . . . . . . . . . . . . . . . . . . . .   5
   10.  Prevention of Precomputed Dictionary Attacks . . . . . . . .   6
   11.  DNSSEC-Adoption and Zone-Growth Relationship . . . . . . . .   6
   12.  Non-overlap of denial records with possible zone records . .   7
   13.  Exposure of Private Keys . . . . . . . . . . . . . . . . . .   7
   14.  Minimisation of Zone Signing Cost  . . . . . . . . . . . . .   8
   15.  Minimisation of Asymmetry  . . . . . . . . . . . . . . . . .   8
   16.  Minimisation of Client Complexity  . . . . . . . . . . . . .   8
   17.  Completeness . . . . . . . . . . . . . . . . . . . . . . . .   8
   18.  Purity of Namespace  . . . . . . . . . . . . . . . . . . . .   8
   19.  Replay Attacks . . . . . . . . . . . . . . . . . . . . . . .   8
   20.  Compatibility with NSEC  . . . . . . . . . . . . . . . . . .   8
   21.  Compatibility with NSEC II . . . . . . . . . . . . . . . . .   9
   22.  Compatibility with NSEC III  . . . . . . . . . . . . . . . .   9
   23.  Coexistence with NSEC  . . . . . . . . . . . . . . . . . . .   9
   24.  Coexistence with NSEC II . . . . . . . . . . . . . . . . . .   9
   25.  Protocol Design  . . . . . . . . . . . . . . . . . . . . . .   9
   26.  Process  . . . . . . . . . . . . . . . . . . . . . . . . . .   9
   27.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . .   9
   28.  Requirements notation  . . . . . . . . . . . . . . . . . . .   9
   29.  Security Considerations  . . . . . . . . . . . . . . . . . .  10
   30.  References . . . . . . . . . . . . . . . . . . . . . . . . .  10
   30.1   Normative References . . . . . . . . . . . . . . . . . . .  10
   30.2   Informative References . . . . . . . . . . . . . . . . . .  10
        Authors' Addresses . . . . . . . . . . . . . . . . . . . . .  10
        Intellectual Property and Copyright Statements . . . . . . .  11
















Laurie & Loomis          Expires March 2, 2005                  [Page 2]
Internet-Draft      signed-nonexistence-requirements      September 2004



1.  Introduction


   NSEC records allow trivial enumeration of zones - a situation that
   has existed for several years but which has recently been raised as a
   significant concern for DNSSECbis deployment in several zones.
   Alternate proposals have been made that make zone enumeration more
   difficult, and some previous proposals to modify DNSSEC had related
   requirements/desirements that are relevant to the discussion.  In
   addition the original designs for NSEC/NXT records were based on
   working group discussions and the choices made were not always
   documented with context and requirements-- so some of those choices
   may need to be restated as requirements.  Overall, the working group
   needs to better understand the requirements for denial of existence
   (and certain other requirements related to DNSSECbis deployment) in
   order to evaluate the proposals that may replace NSEC.


   In the remainder of this document, "NSEC++" is used as shorthand for
   "a denial of existence proof that will replace NSEC".  "NSECbis" has
   also been used as shorthand for this, but we avoid that usage since
   NSECbis will not be part of DNSSECbis and therefore there might be
   some confusion.


2.  Non-purposes


   This document does not currently document the reasons why zone
   enumeration might be "bad" from a privacy, security, business, or
   other perspective--except insofar as those reasons result in
   requirements.  Once the list of requirements is complete and vaguely
   coherent, the trade-offs (reducing zone enumeration will have X cost,
   while providing Y benefit) may be revisited.  The editors of this
   compendium received inputs on the potential reasons why zone
   enumeration is bad (and there was significant discussion on the
   DNSEXT WG mailing list) but that information fell outside the scope
   of this document.


   Note also that this document does not assume that NSEC *must* be
   replaced with NSEC++, if the requirements can be met through other
   methods (e.g., "white lies" with the current NSEC).  As is stated
   above, this document is focused on requirements collection and
   (ideally) prioritization rather than on the actual implementation.


3.  Zone Enumeration


   Authenticated denial should not permit trivial zone enumeration.


   Additional discussion:  NSEC (and NXT before it) provide a linked
   list that could be "walked" to trivially enumerate all the signed
   records in a zone.  This requirement is primarily (though not




Laurie & Loomis          Expires March 2, 2005                  [Page 3]
Internet-Draft      signed-nonexistence-requirements      September 2004



   exclusively) important for zones that either are delegation-only/
   -mostly or do not have reverse lookup (PTR) records configured, since
   enterprises that have PTR records for all A records have already
   provided a similar capability to enumerate the contents of DNS zones.


   Contributor: various


4.  Zone Enumeration II


   Zone enumeration should be at least as difficult as it would be to
   effect a dictionary attack using simple DNS queries to do the same in
   an unsecured zone.


   (Editor comment: it is not clear how to measure difficulty in this
   case.  Some examples could be monetary cost, bandwidth, processing
   power or some combination of these.  It has also been suggested that
   the requirement is that the graph of difficulty of enumeration vs.
   the fraction of the zone enumerated should be approximately the same
   shape in the two cases)


   Contributor: Nominet


5.  Zone Enumeration III


   Enumeration of a zone with random contents should computationally
   infeasible.


   Editor comment: this is proposed as a way of evaluating the
   effectiveness of a proposal rather than as a requirement anyone would
   actually have in practice.


   Contributor: Alex Bligh


6.  Exposure of Contents


   NSEC++ should not expose any of the contents of the zone (apart from
   the NSEC++ records themselves, of course).


   Editor comment: this is a weaker requirement than prevention of
   enumeration, but certainly any zone that satisfied this requirement
   would also satisfy the trivial prevention of enumeration requirement.


   Contributor: Ed Lewis


7.  Zone Size


   Requirement:  NSEC++ should make it possible to take precautions
   against trivial zone size estimates.  Since not all zone owners care




Laurie & Loomis          Expires March 2, 2005                  [Page 4]
Internet-Draft      signed-nonexistence-requirements      September 2004



   about others estimation of the size of a zone, it is not always
   necessary to prohibit trivial estimation of the size of the zone but
   NSEC++ should allow such measures.


   Additional Discussion: Even with proposals based on obfuscating names
   with hashes it is trivial to give very good estimates of the number
   of domains in a certain zone.  Just send 10 random queries and look
   at the range between the two hash values returned in each NSEC++.  As
   hash output can be assumed to follow a rectangular random
   distribution, using the mean difference between the two values, you
   can estimate the total number of records.  It is probably sufficient
   to look at even one NSEC++, since the two hash values should follow a
   (I believe) Poisson distribution.


   The concern is motivated by some wording remembered from NSEC, which
   stated that NSEC MUST only be present for existing owner names in the
   zone, and MUST NOT be present for non-existing owner names.  If
   similar wording were carried over to NSEC++, introducing bogus owner
   names in the hash chain (an otherwise simple solution to guard
   against trivial estimates of zone size) wouldn't be allowed.


   One simple attempt at solving this is to describe in the
   specifications how zone signer tools can add a number of random
   "junk" records.


   Editor's comment: it is interesting that obfuscating names might
   actually make it easier to estimate zone size.


   Contributor: Simon Josefsson.


8.  Single Method


   Requirement:  A single NSEC++ method must be able to carry both
   old-style denial (i.e.  plain labels) and whatever the new style
   looks like.  Having two separate denial methods could result in
   cornercases where one method can deny the other and vice versa.


   Additional discussion:  This requirement can help -bis folks to a
   smooth upgrade to -ter.  First they'd change the method while the
   content is the same, then they can change content of the method.


   Contributor: Roy Arends.


9.  Empty Non-terminals


   Requirement:  Empty-non-terminals (ENT) should remain empty.  In
   other words, adding NSEC++ records to an existing DNS structure
   should not cause the creation of NSEC++ records (or related records)




Laurie & Loomis          Expires March 2, 2005                  [Page 5]
Internet-Draft      signed-nonexistence-requirements      September 2004



   at points that are otherwise ENT.


   Additional discussion:  Currently NSEC complies with ENT requirement:
   b.example.com NSEC a.c.example.com implies the existence of an ENT
   with ownername c.example.com.  NSEC2 breaks that requirement, since
   the ownername is entirely hashed causing the structure to disappear.
   This is why EXIST was introduced.  But EXIST causes ENT to be
   non-empty-terminals.  Next to the dissappearance of ENT, it causes
   (some) overhead since an EXIST record needs a SIG, NSEC2 and
   SIG(NSEC2).  DNSNR honours this requirement by hashing individual
   labels instead of ownernames.  However this causes very long labels.
   Truncation is a measure against very long ownernames, but that is
   controversial.  There is a fair discussion of the validity of
   truncation in the DNSNR draft, but that hasn't got proper review yet.


   Contributor: Roy Arends.


   (Editor comment: it is not clear to us that an EXIST record needs an
   NSEC2 record, since it is a special purpose record only used for
   denial of existence)


10.  Prevention of Precomputed Dictionary Attacks


   Requirement:  NSEC++ needs to provide a method to reduce the
   effectiveness of precomputed dictionary attacks.


   Additional Discussion:  Salt is a measure against dictionary attacks.
   There are other possible measures (such as iterating hashes in
   NSEC2).  The salt needs to be communicated in every response, since
   it is needed in every verification.  Some have suggested to move the
   salt to a special record instead of the denial record.  I think this
   is not wise.  Response size has more priority over zone size.  An
   extra record causes a larger response than a larger existing record.


   Contributor: Roy Arends.