📄 draft-ietf-dnsext-dnssec-opt-in-05.txt
字号:
DNSEXT R. ArendsInternet-Draft Telematica InstituutExpires: August 28, 2003 M. Kosters D. Blacka Verisign, Inc. February 27, 2003 DNSSEC Opt-In draft-ietf-dnsext-dnssec-opt-in-05Status of this Memo This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http:// www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on August 28, 2003.Copyright Notice Copyright (C) The Internet Society (2003). All Rights Reserved.Abstract In RFC 2535, delegations to unsigned subzones are cryptographically secured. Maintaining this cryptography is not practical or necessary. This document describes an "Opt-In" model that allows administrators to omit this cryptography and manage the cost of adopting DNSSEC with large zones.Arends, et al. Expires August 28, 2003 [Page 1]
Internet-Draft DNSSEC Opt-In February 2003Table of Contents 1. Definitions and Terminology . . . . . . . . . . . . . . . . 3 2. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 4 3. Protocol Additions . . . . . . . . . . . . . . . . . . . . . 5 3.1 Server Considerations . . . . . . . . . . . . . . . . . . . 6 3.1.1 Delegations Only . . . . . . . . . . . . . . . . . . . . . . 6 3.1.2 Insecure Delegation Responses . . . . . . . . . . . . . . . 6 3.1.3 Wildcards and Opt-In . . . . . . . . . . . . . . . . . . . . 6 3.1.4 Dynamic Update . . . . . . . . . . . . . . . . . . . . . . . 7 3.2 Client Considerations . . . . . . . . . . . . . . . . . . . 7 3.2.1 Delegations Only . . . . . . . . . . . . . . . . . . . . . . 7 3.2.2 Validation Process Changes . . . . . . . . . . . . . . . . . 7 3.2.3 NXT Record Caching . . . . . . . . . . . . . . . . . . . . . 8 3.2.4 Use of the AD bit . . . . . . . . . . . . . . . . . . . . . 8 4. Benefits . . . . . . . . . . . . . . . . . . . . . . . . . . 10 5. Example . . . . . . . . . . . . . . . . . . . . . . . . . . 11 6. Transition Issues . . . . . . . . . . . . . . . . . . . . . 13 7. Security Considerations . . . . . . . . . . . . . . . . . . 14 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . 16 9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . 17 Normative References . . . . . . . . . . . . . . . . . . . . 18 Informative References . . . . . . . . . . . . . . . . . . . 19 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 19 A. Implementing Opt-In using "Views" . . . . . . . . . . . . . 21 B. Changes from Prior Versions . . . . . . . . . . . . . . . . 23 Intellectual Property and Copyright Statements . . . . . . . 25Arends, et al. Expires August 28, 2003 [Page 2]
Internet-Draft DNSSEC Opt-In February 20031. Definitions and Terminology Throughout this document, familiarity with the DNS system, RFC 1035 [1], DNS security extensions, RFC 2535 [2], and DNSSEC terminology RFC 3090 [8] is assumed. The following abbreviations and terms are used in this document: RR: is used to refer to a DNS resource record. RRset: refers to a Resource Record Set, as defined by [6]. In this document, the RRset is also defined to include the covering SIG records, if any exist. signed name: refers to a DNS name that has, at minimum, a (signed) NXT record. unsigned name: refers to a DNS name that does not (at least) have a NXT record. covering NXT record/RRset: is the NXT record used to prove (non)existence of a particular name or RRset. This means that for a RRset or name 'N', the covering NXT record has the name 'N', or has an owner name less than 'N' and "next" name greater than 'N'. delegation: refers to a NS RRset with a name different from the current zone apex (non-zone-apex), signifying a delegation to a subzone. secure delegation: refers to a signed name containing a delegation (NS RRset), and a signed DS RRset, signifying a delegation to a signed subzone. 2535/DS insecure delegation: refers to a signed name containing a delegation (NS RRset), but lacking a DS RRset, signifying a delegation to an unsigned subzone. Opt-In insecure delegation: refers to an unsigned name containing only a delegation NS RRset. The covering NXT record uses the Opt-In methodology described in this document. The key words "MUST, "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY, and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [5].Arends, et al. Expires August 28, 2003 [Page 3]
Internet-Draft DNSSEC Opt-In February 20032. Overview The cost to cryptographically secure delegations to unsigned zones is high for large delegation-centric zones and zones where insecure delegations will be updated rapidly. For these zones, the costs of maintaining the NXT record chain may be extremely high relative to the gain of cryptographically authenticating existence of unsecured zones. This document describes a method of eliminating the superfluous cryptography present in secure delegations to insecure zones. Using "Opt-In", a zone administrator can choose to remove insecure delegations from the NXT chain. This is accomplished by extending the semantics of the NXT record by using a redundant bit in the type map.Arends, et al. Expires August 28, 2003 [Page 4]
Internet-Draft DNSSEC Opt-In February 20033. Protocol Additions In RFC 2535, delegation NS RRsets are not signed, but are instead accompanied by a NXT RRset of the same name, and possibly a ("no-key") KEY RR [2] or DS record [3]. The security status of the subzone is determined by the presence of the KEY or DS records, cryptographically proven by the NXT record. Opt-In expands this definition by allowing insecure delegations to exist within an otherwise signed zone without the corresponding NXT record at the delegation's owner name. These insecure delegations are proven insecure by using a covering NXT record. Since this represents a change of the interpretation of NXT records, resolvers must be able to distinguish between RFC 2535 NXT records and Opt-In NXT records. This is accomplished by "tagging" the NXT records that cover (or potentially cover) insecure delegation nodes. This tag is indicated by the absence of the NXT bit in the type map. Since the NXT bit in the type map merely indicates the existence of the record itself, this bit is redundant and safe for use as a tag. An Opt-In tagged NXT record does not assert the (non)existence of the delegations that it covers (except for a delegation with the same name). This allows for the addition or removal of these delegations without recalculating or resigning the NXT chain. However, Opt-In tagged NXT records do assert the (non)existence of other RRsets. An Opt-In NXT record MAY have the same name as an insecure delegation. In this case, the delegation is proven insecure by the lack of a DS bit in type map, or the presence of a "no-key" KEY RRset, and the NXT record does assert the existence of the delegation. Zones using Opt-In MAY contain a mixture of Opt-In tagged NXT records and RFC 2535 NXT records. If a NXT record is not Opt-In, there MUST NOT be any insecure delegations (or any other records) between it and the RRsets indicated by the 'next domain name' in the NXT RDATA. If it is Opt-In, there MUST only be insecure delegations between it and the next node indicated by the 'next domain name' in the NXT RDATA. In summary, o An Opt-In NXT type is identified by a zero-valued (or not-specified) NXT bit in the type bit map of the NXT record. o A RFC2535 NXT type is identified by a one-valued NXT bit in the type bit map of the NXT record. and,Arends, et al. Expires August 28, 2003 [Page 5]
Internet-Draft DNSSEC Opt-In February 2003 o An Opt-In NXT record does not assert the non-existence of a name between its owner name and "next" name, although it does assert that any name in this span MUST be an insecure delegation. o An Opt-In NXT record does assert the (non)existence of RRsets with the same owner name.3.1 Server Considerations Opt-In imposes some new requirements on authoritative DNS servers.3.1.1 Delegations Only This specification dictates that only insecure delegations may exist between the owner and "next" names of an Opt-In tagged NXT record. Signing tools SHOULD NOT generate signed zones that violate this restriction. Servers SHOULD refuse to load and/or serve zones that violate this restriction.3.1.2 Insecure Delegation Responses When returning an Opt-In insecure delegation, the server MUST return the covering NXT RRset in the Authority section. This presents a change from RFC 2535, where the "no-key" KEY RRset would be returned instead. However, in the delegation signer proposal, NXT records already must be returned along with the insecure delegation. The primary difference that this proposal introduces is that the Opt-In tagged NXT record will have a different owner name from the delegation RRset. This may require implementations to do a NXT search on cached responses.3.1.3 Wildcards and Opt-In RFC 2535, in section 5.3, describes the practice of returning NXT records to prove the non-existence of an applicable wildcard in non-existent name responses. This NXT record can be described as a "negative wildcard proof". The use of Opt-In NXT records changes the necessity for this practice. For non-existent name responses when the query name (qname) is covered by an Opt-In tagged NXT record, servers MAY choose to omit the wildcard proof record, and clients MUST NOT treat the absence of this NXT record as a validation error. The intent of the RFC 2535 negative wildcard proof requirement is to prevent malicious users from undetectably removing valid wildcard responses. In order for this cryptographic proof to work, the resolver must be able to prove:Arends, et al. Expires August 28, 2003 [Page 6]
Internet-Draft DNSSEC Opt-In February 2003 1. The exact qname does not exist. This is done by the "normal" NXT record. 2. No applicable wildcard exists. This is done by returning a NXT record proving that the wildcard does not exist (negative wildcard proof). However, if the NXT record covering the exact qname is an Opt-In NXT record, the resolver will not be able to prove the first part of this equation, as the qname might exist as an insecure delegation. Thus, since the total proof cannot be completed, the negative wildcard proof record is not useful. The negative wildcard proof is also not useful when returned as part of an Opt-In insecure delegation response for a similar reason: the resolver cannot prove that the qname does or does not exist, and therefore cannot prove that a wildcard expansion is valid. The presence of an Opt-In tagged NXT record does not change the practice of returning a NXT along with a wildcard expansion. Even though the Opt-In NXT will not be able to prove that the wildcard expansion is valid, it will prove that the wildcard expansion is not masking any signed records.3.1.4 Dynamic Update Opt-In changes the semantics of Secure DNS Dynamic Update [7]. In particular, it introduces the need for rules that describe when to add or remove a delegation name from the NXT chain. This document does not attempt to define these rules. Until these rules are defined, servers MUST NOT process DNS Dynamic Update requests against zones that use Opt-In NXT records.3.2 Client Considerations Opt-In imposes some new requirements on DNS resolvers (caching or otherwise).3.2.1 Delegations Only As stated in the "Server Considerations" section above, this specification restricts the namespace covered by Opt-In tagged NXT records to insecure delegations only. Thus, resolvers MUST reject as invalid any records that fall within an Opt-In NXT record's span that are not NS records or corresponding glue records.3.2.2 Validation Process ChangesArends, et al. Expires August 28, 2003 [Page 7]
Internet-Draft DNSSEC Opt-In February 2003 This specification does not change the resolver's resolution algorithm. However, it does change the DNSSEC validation process. Resolvers MUST be able to use Opt-In tagged NXT records to cryptographically prove the validity and security status (as insecure) of a referral. Resolvers determine the security status of the referred-to zone as follows: o In RFC 2535, the security status is proven by existence of a verified "no-key" KEY RRset. The absence of the "no-key" KEY RRset indicates that the referred-to zone is secure. o Using Delegation Signer, the security status is proven by the existence or absence of a DS RRset at the same name as the delegation. The existence of the DS RRset indicates that the referred-to zone is secure. The absence of the DS RRset is proven using a verified NXT record of the same name that does not have the DS bit set in the type map. This NXT record MAY also be tagged as Opt-In. o Using Opt-In, the security status is proven by the existence of a DS record (for secure) or the presence of a verified Opt-In tagged NXT record that covers the delegation name. That is, the NXT record does not have the NXT bit set in the type map, and the delegation name falls between the NXT's owner and "next" name. Using Opt-In does not substantially change the nature of following referrals within DNSSEC. At every delegation point, the resolver will have cryptographic proof that the subzone is secure or insecure. When receiving either an Opt-In insecure delegation response or a non-existent name response where that name is covered by an Opt-In tagged NXT record, the resolver MUST NOT require proof (in the form of a NXT record) that a wildcard did not exist.3.2.3 NXT Record Caching Caching resolvers MUST be able to retrieve the appropriate covering Opt-In NXT record when returning referrals that need them. This requirement differs from Delegation Signer in that the covering NXT will not have the same owner name as the delegation. Some implementations may have to use new methods for finding these NXT records.3.2.4 Use of the AD bit The AD bit, as defined by [4], MUST NOT be set when: o sending a non-existent name (NXDOMAIN) response where the coveringArends, et al. Expires August 28, 2003 [Page 8]
Internet-Draft DNSSEC Opt-In February 2003 NXT is tagged as Opt-In. o sending an Opt-In insecure delegation response, unless the covering (Opt-In) NXT record's owner name equals the delegation name. This rule is based on what the Opt-In NXT record actually proves. For names that exist between the Opt-In NXT record's owner and "next" names, the Opt-In NXT record cannot prove the non-existence or existence of the name. As such, not all data in the response has been cryptographically verified, so the AD bit cannot be set.⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -