draft-kosters-dnsext-dnssec-opt-in-01.txt

bind-3.2.

Network Working Group                                         M. Kosters
Internet-Draft                                   Network Solutions, Inc.
Expires: August 31, 2001                                   March 2, 2001


                     DNSSEC Opt-in for Large Zones
               draft-kosters-dnsext-dnssec-opt-in-01.txt

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on August 31, 2001.

Copyright Notice

   Copyright (C) The Internet Society (2001). All Rights Reserved.

Abstract

   In order for DNSSEC to be deployed operationally with large zones
   and little operational impact, there needs to be included a
   mechanism that allows for the separation of secure versus unsecure
   views of zones. This needs to be done in a transparent fashion that
   allows DNSSEC to be deployed in an incremental manner.  This
   document proposes the use of an extended RCODE to signify that a
   DNSSEC-aware requestor may have to re-query for the information, if
   and only if, the delegation is not yet secure. Thus, one can
   maintain two views of the zone and expand the DNSSEC zone as demand
   warrants.





Kosters                 Expires August 31, 2001                 [Page 1]

Internet-Draft               DNSSEC Opt In                    March 2001


Table of Contents

   1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . 3
   2. Rationale  . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
   3. Protocol Additions . . . . . . . . . . . . . . . . . . . . . . . 4
   4. Security Considerations  . . . . . . . . . . . . . . . . . . . . 7
   5. IANA Considerations  . . . . . . . . . . . . . . . . . . . . . . 7
   6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 8
      References . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
      Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 8
      Full Copyright Statement . . . . . . . . . . . . . . . . . . . . 9








































Kosters                 Expires August 31, 2001                 [Page 2]

Internet-Draft               DNSSEC Opt In                    March 2001


1. Introduction

   DNS is an unsecure system. The key features that gives DNS its power
   can also be its chief weaknesses. One feature is the facility to
   delegate branches of information from one set of servers to another.
   Currently, this is done in a non-cryptographically verified way that
   allows spoofing attacks. For example, an alternative domain registry
   called AlterNIC exploited this vulnerability to redirect
   www.netsol.com and www.internic.net websites to their own website in
   July 1997 that gained widespread exposure. If this delegated
   information had been cryptographically verified, this attack would
   not have been able to occur. 

   In recent years, there has been much work within the IETF regarding
   DNS security. There are  a number of RFCs that integrate public key
   technology within DNS to enable cryptographically-verified answers.
   To this end, three new resource record types (RR's) have been
   defined: 

   o  KEY -- a public key of the zone
   o  SIG - a signature of an accompanying RR
   o  NXT - a negative response record

   Within the zone, each authoritative RR will have accompanying SIG
   RR's that can be verified with the KEY RR of the zone. Each KEY RR
   can be verified hierarchically with a SIG RR from the direct parent
   zone. For unsecure delegations, a null-KEY RR is inserted in the
   parent zone. Finally, NXT RR's and their accompanying SIG RR's are
   issued in the case of a negative reply. 

   As a zone maintainer, transitioning to a secure zone has a high
   overhead in the following areas: 

   KEY RR 
      At a delegation point, the zone maintainer needs to place a NULL
      key and accompanying SIG RR's when the child zone is not known to
      be secure. 
   NXT RR 
      Each delegation needs to be lexigraphically ordered so that a NXT
      RR can be generated and signed with SIG RR's. For large zone
      operators, generating the zone file is a very time consuming
      process. In the resolution process, NXT lookups require that the
      server replace efficient hash structures with a lexigraphically
      ordered search structure that degrades lookup performance. This
      lookup performance is a critical element for a high-query rate
      DNS server. 

   Thus, the net effect is when one initially secures a zone as defined
   in RFC2535[4], the net overhead is massive because of the following


Kosters                 Expires August 31, 2001                 [Page 3]

Internet-Draft               DNSSEC Opt In                    March 2001


   factors: 

   1.  Zone ordering and maintenance for large zones is difficult and
       expensive.
   2.  Adding null-KEY RR's, NXT RR's and their accompanying SIG RR's
       for unsecure delegations will consume large amounts of memory
       (6x the current memory requirements).
   3.  Having a less efficient look-up algorithm to provide answers to
       queries will degrade overall performance.
   4.  Very little initial payoff (anticipate only a small fraction of
       delegations to be signed. This equates to less than 1% over the
       first six months).
   5.  Unsecured delegations are more expensive at the parent than
       secure delegations (NULL KEY).

2. Rationale

   As DNSSEC is initially deployed, it is anticipated that DNSSEC
   adoption will be slow to materialize. It is also anticipated that
   DNSSEC security resolution will be top down. Thus for DNSSEC to be
   widely adopted, the root zone and GTLD zones will need to be signed.
   Based on the implications previously listed, a large zone maintainer
   such as the administrator of COM, needs to create an infrastructure
   that is an order of magnitude larger than its current state with
   very little initial benefit. 

   This document proposes an alternative opt-in approach that minimizes
   the expense and complexity to ease adoption of DNSSEC for large
   zones by allowing for an alternate view of secured only delegations. 

3. Protocol Additions

   The opt-in proposal allows for a zone operator to maintain two views
   of its delegations - one being non-DNSSEC and the other being
   DNSSSEC aware. The non-DNSSEC view will have all delegations - both
   secured and non-secured. The DNSSEC aware view will only have
   secured delegations. It is assumed that neither view will have any
   innate knowledge of the other's delegations. Thus, the cost of
   securing a zone is proportional to the demand of its delegations
   with the added benefit of no longer having to maintain NULL KEY RRs
   for unsecure delegations. 

   On the server side, identification of the zone being opt-in will be
   identified by using one of the reserved bits of the flags section
   within the KEY RR for that particular zone [note - the actual bit
   needs yet to be selected out of reserved bits 4-5 or 8-11]. 

   On the client side, the client MUST be identified by sending a
   option-code of RETRY-NO-SEC-AWARE within the OPT RR RDATA to ensure


Kosters                 Expires August 31, 2001                 [Page 4]

Internet-Draft               DNSSEC Opt In                    March 2001


   that it can accept and understand the RETRY-NO-SEC RCODE. The
   RETRY-NO-SEC-AWARE option-code MUST have an option-length value of
   zero with no option-data. The RETRY-NO-SEC-AWARE option-code will be
   determined by IANA. 

   To determine which view each DNS query packet is to be queried
   against, there is a simple algorithm to be followed: 

   1.  The DNSSEC view is to be queried when the DO bit is set within
       the EDNS0 OPT meta RR as indicated in [6] Additionally, 
   2.  The DNSSEC view is to be queried when the query type is SIG,
       KEY, or NXT and the RRs added match the query name and query
       type.

   If the query does not follow either case (1) or (2), the non-DNSSEC
   view MUST be consulted by default. 

   Since the DNSSEC view will have a subset of the actual delegations
   of that zone, it will not be able to respond to an unsecured
   delegation. To that end, one of two things will happen: 

   1) If the client has been identified as RETRY-NO-SEC-AWARE, a new
   extended RCODE MUST be set within the EDNS OPT RR for the resolver
   to retry again with the DO bit not set.  This RCODE is referred to
   as "RETRY-NO-SEC" (RS).  In the context of the EDNS0 OPT meta-RR,
   the RS value will be determined by IANA.