Network Working Group                                          S. Weiler
Internet-Draft                                               SPARTA, Inc
Updates: 4034, 4035 (if approved)                               J. Ihren
Expires: November 13, 2005                                 Autonomica AB
                                                            May 12, 2005

        Minimally Covering NSEC Records and DNSSEC On-line Signing
               draft-ietf-dnsext-dnssec-online-signing-00

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on November 13, 2005.

Copyright Notice

   Copyright (C) The Internet Society (2005).

Abstract

   This document describes how to construct DNSSEC NSEC resource records
   that cover a smaller range of names than called for by RFC4034.  By
   generating and signing these records on demand, authoritative name
   servers can effectively stop the disclosure of zone contents
   otherwise made possible by walking the chain of NSEC records in a
   signed zone.

Weiler & Ihren          Expires November 13, 2005               [Page 1]
Internet-Draft                 NSEC Epsilon                     May 2005

Changes from weiler-01 to ietf-00

   Inserted RFC numbers for 4033, 4034, and 4035.

   Specified contents of bitmap field in synthesized NSEC RRs, pointing
   out that this relaxes a constraint in 4035.

   Added 4035 to the Updates header.

Changes from weiler-00 to weiler-01

   Clarified that this updates RFC4034 by relaxing requirements on the
   next name field.

   Added examples covering wildcard names.

   In the 'better functions' section, reiterated that perfect functions
   aren't needed.

   Added a reference to RFC 2119.

Table of Contents

   1.  Introduction and Terminology
   2.  Minimally Covering NSEC Records
   3.  Better Increment & Decrement Functions
   4.  IANA Considerations
   5.  Security Considerations
   6.  Normative References
       Authors' Addresses
   A.  Acknowledgments
       Intellectual Property and Copyright Statements

1.  Introduction and Terminology

   With DNSSEC [1], an NSEC record lists the next instantiated name in
   its zone, proving that no names exist in the "span" between the
   NSEC's owner name and the name in the "next name" field.  In this
   document, an NSEC record is said to "cover" the names between its
   owner name and next name.

   Through repeated queries that return NSEC records, it is possible to
   retrieve all of the names in the zone, a process commonly called
   "walking" the zone.  Some zone owners have policies forbidding zone
   transfers by arbitrary clients; this side-effect of the NSEC
   architecture subverts those policies.

   This document presents a way to prevent zone walking by constructing
   NSEC records that cover fewer names.  These records can make zone
   walking take approximately as many queries as simply asking for all
   possible names in a zone, making zone walking impractical.  Some of
   these records must be created and signed on demand, which requires
   on-line private keys.  Anyone contemplating use of this technique is
   strongly encouraged to review the discussion of the risks of on-line
   signing in Section 5.

   The technique presented here may be useful to a zone owner that wants
   to use DNSSEC, is concerned about exposure of its zone contents via
   zone walking, and is willing to bear the costs of on-line signing.

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [4].

2.  Minimally Covering NSEC Records

   This mechanism involves changes to NSEC records for instantiated
   names, which can still be generated and signed in advance, as well as
   the on-demand generation and signing of new NSEC records whenever a
   name must be proven not to exist.

   In the 'next name' field of instantiated names' NSEC records, rather
   than list the next instantiated name in the zone, list any name that
   falls lexically after the NSEC's owner name and before the next
   instantiated name in the zone, according to the ordering function in
   RFC4034 [2] section 6.2.  This relaxes the requirement in section
   4.1.1 of RFC4034 that the 'next name' field contain the next owner
   name in the zone.  This change is expected to be fully compatible
   with all existing DNSSEC validators.  These NSEC records are returned
   whenever proving something specifically about the owner name (e.g.
   that no resource records of a given type appear at that name).

   Whenever an NSEC record is needed to prove the non-existence of a
   name, a new NSEC record is dynamically produced and signed.  The new
   NSEC record has an owner name lexically before the QNAME but
   lexically following any existing name and a 'next name' lexically
   following the QNAME but before any existing name.  The generated
   NSEC record's type bitmap SHOULD have the RRSIG and NSEC bits set and
   SHOULD NOT have any other bits set.  This relaxes the requirement in
   Section 2.3 of RFC4035 that NSEC RRs not appear at names that did not
   exist before the zone was signed.

   The functions to generate the lexically following and preceding
   names need not be perfect nor consistent, but the generated NSEC
   records must not cover any existing names.  Furthermore, this
   technique works best when the generated NSEC records cover as few
   names as possible.

   An NSEC record denying the existence of a wildcard may be generated
   in the same way.  Since the NSEC record covering a non-existent
   wildcard is likely to be used in response to many queries,
   authoritative name servers using the techniques described here may
   want to pregenerate or cache that record and its corresponding RRSIG.

   For example, a query for an A record at the non-instantiated name
   example.com might produce the following two NSEC records, the first
   denying the existence of the name example.com and the second denying
   the existence of a wildcard:

      exampld.com 3600 IN NSEC example-.com ( RRSIG NSEC )

      ).com 3600 IN NSEC +.com ( RRSIG NSEC )

   Before answering a query with these records, an authoritative server
   must test for the existence of names between these endpoints.  If
   the generated NSEC would cover existing names (e.g. exampldd.com or
   *bizarre.example.com), a better increment or decrement function may
   be used or the covered name closest to the QNAME could be used as the
   NSEC owner name or next name, as appropriate.  If an existing name is
   used as the NSEC owner name, that name's real NSEC record MUST be
   returned.  Using the same example, assuming an exampldd.com
   delegation exists, this record might be returned from the parent:

      exampldd.com 3600 IN NSEC example-.com ( NS DS RRSIG NSEC )

   Like every authoritative record in the zone, each generated NSEC
   record MUST have corresponding RRSIGs generated using each algorithm
   (but not necessarily each DNSKEY) in the zone's DNSKEY RRset, as
   described in RFC4035 [3] section 2.2.  To minimize the number of
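   As an added example, not part of the draft: the section 2 procedure in
   Python, with the RFC4034 section 6.2 canonical ordering, a simple
   decrement/increment pair, and the check that a generated record never
   covers an existing name.  The zone contents are constructed; the
   increment function appends '-' rather than producing the draft's '+',
   which is one of the alternatives section 2 allows.

```python
# Added example (not the draft's code): minimally covering NSEC synthesis.
def canon(name):
    """RFC 4034 s6.2 sort key: labels reversed (root first), case-folded,
    each compared as an unsigned octet string; a shorter prefix sorts first."""
    labels = [lbl.lower().encode() for lbl in name.rstrip(".").split(".") if lbl]
    return tuple(reversed(labels))

def _map_first_label(name, fn):
    first, dot, rest = name.partition(".")
    return fn(first) + dot + rest

def decrement(name):
    """A name just before `name`: lower the last octet of the leftmost label
    (the draft's 'example' -> 'exampld', '*' -> ')'). Assumes printable ASCII."""
    return _map_first_label(name, lambda lbl: lbl[:-1] + chr(ord(lbl[-1]) - 1))

def increment(name):
    """A name just after `name` and after all of its would-be children: append
    '-' (0x2D), the lowest octet allowed in a hostname label ('example-')."""
    return _map_first_label(name, lambda lbl: lbl + "-")

def synthesize_nsec(qname, existing):
    """Build the minimally covering NSEC that denies `qname` (section 2).
    Returns (owner, next_name, bitmap, real_nsec_required); `existing` is the
    zone's instantiated names (constructed input in the demo below)."""
    by_key = {canon(n): n for n in existing}
    q = canon(qname)
    if q in by_key:
        raise ValueError(f"{qname} exists; serve its real NSEC instead")
    owner, nxt = decrement(qname), increment(qname)
    real_nsec_required = False
    # The generated record must not cover an existing name.  If the owner side
    # does, shrink to the closest existing name; an existing name as owner
    # means the server MUST answer with that name's real NSEC (own bitmap).
    below = [k for k in by_key if canon(owner) <= k < q]
    if below:
        owner, real_nsec_required = by_key[max(below)], True
    # Same on the next-name side: shrink to the closest existing name above.
    above = [k for k in by_key if q < k <= canon(nxt)]
    if above:
        nxt = by_key[min(above)]
    return owner, nxt, ("RRSIG", "NSEC"), real_nsec_required

def present(owner, nxt, bitmap, ttl=3600):
    """Presentation-format NSEC, as in the draft's examples."""
    return f"{owner} {ttl} IN NSEC {nxt} ( {' '.join(bitmap)} )"

if __name__ == "__main__":
    zone = ["com", "exampla.com", "foo.com", "ns.foo.com"]   # constructed
    for q in ("example.com", "*.com"):
        print(present(*synthesize_nsec(q, zone)[:3]))
```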