--- doc/misc/rfc-compliance | 1 + doc/rfc/rfc7344.txt | 1011 +++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 1012 insertions(+) create mode 100644 doc/rfc/rfc7344.txt diff --git a/doc/misc/rfc-compliance b/doc/misc/rfc-compliance index 9d991c0..c265f9a 100644 --- a/doc/misc/rfc-compliance +++ b/doc/misc/rfc-compliance @@ -85,6 +85,7 @@ or Best Current Practice (BCP) documents. The list is non exhaustive. RFC6891 RFC7043 RFC7314 + RFC7344 RFC7477 RFC7793 RFC7830 [16] diff --git a/doc/rfc/rfc7344.txt b/doc/rfc/rfc7344.txt new file mode 100644 index 0000000..e8db19d --- /dev/null +++ b/doc/rfc/rfc7344.txt @@ -0,0 +1,1011 @@ + + + + + + +Internet Engineering Task Force (IETF) W. Kumari +Request for Comments: 7344 Google +Category: Informational O. Gudmundsson +ISSN: 2070-1721 OGUD Consulting + G. Barwood + September 2014 + + + Automating DNSSEC Delegation Trust Maintenance + +Abstract + + This document describes a method to allow DNS Operators to more + easily update DNSSEC Key Signing Keys using the DNS as a + communication channel. The technique described is aimed at + delegations in which it is currently hard to move information from + the Child to Parent. + +Status of This Memo + + This document is not an Internet Standards Track specification; it is + published for informational purposes. + + This document is a product of the Internet Engineering Task Force + (IETF). It represents the consensus of the IETF community. It has + received public review and has been approved for publication by the + Internet Engineering Steering Group (IESG). Not all documents + approved by the IESG are a candidate for any level of Internet + Standard; see Section 2 of RFC 5741. + + Information about the current status of this document, any errata, + and how to provide feedback on it may be obtained at + http://www.rfc-editor.org/info/rfc7344. + +Copyright Notice + + Copyright (c) 2014 IETF Trust and the persons identified as the + document authors. All rights reserved. + + This document is subject to BCP 78 and the IETF Trust's Legal + Provisions Relating to IETF Documents + (http://trustee.ietf.org/license-info) in effect on the date of + publication of this document. Please review these documents + carefully, as they describe your rights and restrictions with respect + to this document. Code Components extracted from this document must + include Simplified BSD License text as described in Section 4.e of + the Trust Legal Provisions and are provided without warranty as + described in the Simplified BSD License. + + + +Kumari, et al. Informational [Page 1] + +RFC 7344 Delegation Trust Maintenance September 2014 + + +Table of Contents + + 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 + 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4 + 1.2. Requirements Notation . . . . . . . . . . . . . . . . . . 4 + 2. Background . . . . . . . . . . . . . . . . . . . . . . . . . 5 + 2.1. DNS Delegations . . . . . . . . . . . . . . . . . . . . . 5 + 2.2. Relationship between Parent and Child DNS Operators . . . 5 + 2.2.1. Solution Space . . . . . . . . . . . . . . . . . . . 6 + 2.2.2. DNSSEC Key Change Process . . . . . . . . . . . . . . 7 + 3. CDS (Child DS) and CDNSKEY (Child DNSKEY) Record Definitions 7 + 3.1. CDS Resource Record Format . . . . . . . . . . . . . . . 8 + 3.2. CDNSKEY Resource Record Format . . . . . . . . . . . . . 8 + 4. Automating DS Maintenance with CDS/CDNSKEY Records . . . . . 8 + 4.1. CDS and CDNSKEY Processing Rules . . . . . . . . . . . . 9 + 5. CDS/CDNSKEY Publication . . . . . . . . . . . . . . . . . . . 9 + 6. Parent-Side CDS/CDNSKEY Consumption . . . . . . . . . . . . . 9 + 6.1. Detecting a Changed CDS/CDNSKEY . . . . . . . . . . . . . 10 + 6.1.1. CDS/CDNSKEY Polling . . . . . . . . . . . . . . . . . 10 + 6.1.2. Polling Triggers . . . . . . . . . . . . . . . . . . 11 + 6.2. Using the New CDS/CDNSKEY Records . . . . . . . . . . . . 11 + 6.2.1. Parent Calculates DS . . . . . . . . . . . . . . . . 12 + 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12 + 8. Privacy Considerations . . . . . . . . . . . . . . . . . . . 12 + 9. Security Considerations . . . . . . . . . . . . . . . . . . . 13 + 10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 14 + 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 15 + 11.1. Normative References . . . . . . . . . . . . . . . . . . 15 + 11.2. Informative References . . . . . . . . . . . . . . . . . 15 + Appendix A. RRR Background . . . . . . . . . . . . . . . . . . . 17 + Appendix B. CDS Key Rollover Example . . . . . . . . . . . . . . 17 + + + + + + + + + + + + + + + + + + + + +Kumari, et al. Informational [Page 2] + +RFC 7344 Delegation Trust Maintenance September 2014 + + +1. Introduction + + The first time a DNS Operator signs a zone, they need to communicate + the keying material to their Parent through some out-of-band method + to complete the chain of trust. Depending on the desires of the + Parent, the Child might send their DNSKEY record, a DS record, or + both. + + Each time the Child changes the key that is represented in the + Parent, the updated and/or deleted key information has to be + communicated to the Parent and published in the Parent's zone. How + this information is sent to the Parent depends on the relationship + the Child has with the Parent. In many cases this is a manual + process -- and not an easy one. For each key change, there may be up + to two interactions with the Parent. Any manual process is + susceptible to mistakes and/or errors. In addition, due to the + annoyance factor of the process, Operators may avoid changing keys or + skip needed steps to publish the new DS at the Parent. + + DNSSEC provides data integrity to information published in DNS; thus, + DNS publication can be used to automate maintenance of delegation + information. This document describes a method to automate + publication of subsequent DS records after the initial one has been + published. + + Readers are expected to be familiar with DNSSEC, including [RFC4033], + [RFC4034], [RFC4035], [RFC5011], and [RFC6781]. + + This document outlines a technique in which the Parent periodically + (or upon request) polls its signed Children and automatically + publishes new DS records. To a large extent, the procedures this + document follows are as described in [RFC6781], Section 4.1.2. + + This technique is designed to be friendly both to fully automated + tools and humans. Fully automated tools can perform all the actions + needed without human intervention and thus can monitor when it is + safe to move to the next step. + + The solution described in this document only allows transferring + information about DNSSEC keys (DS and DNSKEY) from the Child to the + Parental Agent. It lists exactly what the Parent should publish and + allows for publication of standby keys. A different protocol, + [CPSYNC-DNS], can be used to maintain other important delegation + information, such as NS and glue records. These two protocols have + been kept as separate solutions because the problems are + fundamentally different and a combined solution is overly complex. + + + + + +Kumari, et al. Informational [Page 3] + +RFC 7344 Delegation Trust Maintenance September 2014 + + + This document describes a method for automating maintenance of the + delegation trust information and proposes a polled/periodic trigger + for simplicity. Some users may prefer a different trigger, for + example, a button on a web page, a REST interface, or a DNS NOTIFY. + These alternate additional triggers are not discussed in this + document. + + This proposal does not include all operations needed for the + maintenance of DNSSEC key material, specifically the initial + introduction or complete removal of all keys. Because of this, + alternate communications mechanisms must always exist, potentially + introducing more complexity. + +1.1. Terminology + + The terminology we use is defined in this section. The highlighted + roles are as follows: + + o Child: The entity on record that has the delegation of the domain + from the Parent. + + o Parent: The domain in which the Child is registered. + + o Child DNS Operator: The entity that maintains and publishes the + zone information for the Child DNS. + + o Parental Agent: The entity that the Child has a relationship with + to change its delegation information. + + o Provisioning System: A system that the Operator of the master DNS + server operates to maintain the information published in the DNS. + This includes the systems that sign the DNS data. + + o CDS/CDNSKEY: This notation refers to CDS and/or CDNSKEY, i.e., one + or both. + +1.2. Requirements Notation + + The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", + "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and + "OPTIONAL" in this document are to be interpreted as described in + [RFC2119]. + + + + + + + + + +Kumari, et al. Informational [Page 4] + +RFC 7344 Delegation Trust Maintenance September 2014 + + +2. Background + +2.1. DNS Delegations + + DNS operation consists of delegations of authority. For each + delegation, there are (most of the time) two parties: the Parent and + the Child. + + The Parent publishes information about the delegations to the Child; + for the name servers, it publishes an NS [RFC1035] Resource Record + Set (RRset) that lists a hint for name servers that are authoritative + for the Child. The Child also publishes an NS RRset, and this set is + the authoritative list of name servers to the Child zone. + + The second RRset the Parent sometimes publishes is the DS [RFC4034] + set. The DS RRset provides information about the DNSKEY(s) that the + Child has told the Parent it will use to sign its DNSKEY RRset. In + DNSSEC, a trust relationship between zones is provided by the + following chain: + + Parent DNSKEY --> DS --> Child DNSKEY. + + A prior proposal [AUTO-CPSYNC] suggested that the Child send an + "update" to the Parent via a mechanism similar to DNS UPDATE. The + main issue became: how does the Child find the actual Parental Agent/ + server to send the update to? While that could have been solved via + technical means, it failed to reach consensus. There is also a + similar proposal in [PARENT-ZONES]. + + As the DS record can only be present at the Parent [RFC4034], some + other method is needed to automate which DNSKEYs are picked to be + represented in the Parent zone's DS records. One possibility is to + use flags in the DNSKEY record. If the Secure Entry Point (SEP) bit + is set, this indicates that the DNSKEY is intended for use as a + secure entry point. This DNSKEY signs the DNSKEY RRset, and the + Parental Agent can calculate DS records based on that. But this + fails to meet some operating needs, including the Child having no + influence on what DS digest algorithms are used and DS records that + can only be published for keys that are in the DNSKEY RRset; thus, + this technique would not be compatible with Double-DS rollover + [RFC6781]. + +2.2. Relationship between Parent and Child DNS Operators + + In practical application, there are many different relationships + between the Parent and Child DNS Operators. The type of relationship + affects how the Child DNS Operator communicates with the Parent. + + + + +Kumari, et al. Informational [Page 5] + +RFC 7344 Delegation Trust Maintenance September 2014 + + + This section will highlight some of the different situations but is + by no means a complete list. + + Different communication paths: + + o Direct/API: The Child can change the delegation information via + automated/scripted means. The Extensible Provisioning Protocol + (EPP) [RFC5730], used by many Top-Level Domains (TLDs), is an + example of this. Other examples are web-based programmatic + interfaces that Registrars make available to their Resellers. + + o User Interface: The Child uses a web site set up by the Parental + Agent for updating delegation information. + + o Indirect: The communication has to be transmitted via an out-of- + band mechanism between two parties, such as by email or telephone. + This is common when the Child DNS Operator is neither the Child + itself nor the Registrar for the domain, but a third party. + + o Multi-step Combinations: The information flows through an + intermediary. It is possible, but unlikely, that all the steps + are automated via APIs and there are no humans involved. + + A domain name holder (Child) may operate its own DNS servers or + outsource the operation. While we use the word "Parent" as singular, + a Parent can consist of a single entity or a composite of many + discrete parts that have rules and roles. We refer to the entity + that the Child corresponds with as the Parent. + + An organization (such as an enterprise) may delegate parts of its + name-space to be operated by a group that is not the same as that + which operates the organization's DNS servers. In some of these + cases, the flow of information is handled either in an ad hoc manner + or via some corporate mechanism; this can range from email to a fully + automated operation. + +2.2.1. Solution Space + + This document is aimed at the cases in which there is a separation + between the Child and Parent. + + A further complication is when the Child DNS Operator is not the + Child. There are two common cases of this: + + a) The Parental Agent (e.g., Registrar) handles the DNS operation. + + b) A third party takes care of the DNS operation. + + + + +Kumari, et al. Informational [Page 6] + +RFC 7344 Delegation Trust Maintenance September 2014 + + + If the Parental Agent is the DNS Operator, life is much easier; the + Parental Agent can inject any delegation changes directly into the + Parent's provisioning system. The techniques described below are not + needed in the case when the Parental Agent is the DNS Operator. + + In the case of a third-party DNS Operator, the Child either needs to + relay changes in DNS delegation or give the Child DNS Operator access + to its delegation/registration account. + + Some Parents want the Child to express their DNSKEYs in the form of + DS records, while others want to receive the DNSKEY records and + calculate the DS records themselves. There is no consensus on which + method is better; both have good reasons to exist. This solution is + DS vs. DNSKEY agnostic and allows operation with either. + +2.2.2. DNSSEC Key Change Process + + After a Child DNS Operator first signs the zone, there is a need to + interact with the Parent, for example, via a delegation account + interface to upload or paste in the zone's DS information. This + action of logging in through the delegation account user interface + authenticates that the user is authorized to change delegation + information for the Child published in the Parent zone. In the case + where the Child DNS Operator does not have access to the registration + account, the Child needs to perform the action. + + At a later date, the Child DNS Operator may want to publish a new DS + record in the Parent, either because they are changing keys or + because they want to publish a standby key. This involves performing + the same process as before. Furthermore, when this is a manual + process with cut and paste, operational mistakes will happen -- or + worse, the update action will not be performed at all. + + The Child DNS Operator may also introduce new keys and can do so when + old keys exist and can be used. The Child may also remove old keys, + but this document does not support removing all keys. This is to + avoid making signed zones unsigned. The Child may not enroll the + initial key or introduce a new key when there are no old keys that + can be used (without some additional out-of-band validation of the + keys) because there is no way to validate the information. + +3. CDS (Child DS) and CDNSKEY (Child DNSKEY) Record Definitions + + This document specifies two new DNS resource records, CDS and + CDNSKEY. These records are used to convey, from one zone to its + Parent, the desired contents of the zone's DS resource record set + residing in the Parent zone. + + + + +Kumari, et al. Informational [Page 7] + +RFC 7344 Delegation Trust Maintenance September 2014 + + + The CDS and CDNSKEY resource records are published in the Child zone + and give the Child control of what is published for it in the + parental zone. The Child can publish these manually, or they can be + automatically maintained by DNS provisioning tools. The CDS/CDNSKEY + RRset expresses what the Child would like the DS RRset to look like + after the change; it is a "replace" operation, and it is up to the + software that consumes the records to translate that into the + appropriate add/delete operations in the provisioning systems (and in + the case of CDNSKEY, to generate the DS from the DNSKEY). If neither + CDS nor CDNSKEY RRset is present in the Child, this means that no + change is needed. + +3.1. CDS Resource Record Format + + The wire and presentation format of the Child DS (CDS) resource + record is identical to the DS record [RFC4034]. IANA has allocated + RR code 59 for the CDS resource record via Expert Review + [DNS-TRANSPORT]. The CDS RR uses the same registries as DS for its + fields. + + No special processing is performed by authoritative servers or by + resolvers, when serving or resolving. For all practical purposes, + CDS is a regular RR type. + +3.2. CDNSKEY Resource Record Format + + The wire and presentation format of the CDNSKEY ("Child DNSKEY") + resource record is identical to the DNSKEY record. IANA has + allocated RR code 60 for the CDNSKEY resource record via Expert + Review. The CDNSKEY RR uses the same registries as DNSKEY for its + fields. + + No special processing is performed by authoritative servers or by + resolvers, when serving or resolving. For all practical purposes, + CDNSKEY is a regular RR type. + +4. Automating DS Maintenance with CDS/CDNSKEY Records + + CDS/CDNSKEY resource records are intended to be "consumed" by + delegation trust maintainers. The use of CDS/CDNSKEY is OPTIONAL. + + If the Child publishes either the CDS or the CDNSKEY resource record, + it SHOULD publish both. If the Child knows which the Parent + consumes, it MAY choose to only publish that record type (for + example, some Children wish the Parent to publish a DS, but they wish + to keep the DNSKEY "hidden" until needed). If the Child publishes + both, the two RRsets MUST match in content. + + + + +Kumari, et al. Informational [Page 8] + +RFC 7344 Delegation Trust Maintenance September 2014 + + +4.1. CDS and CDNSKEY Processing Rules + + If there is neither CDS nor CDNSKEY RRset in the Child, this signals + that no change should be made to the current DS set. This means + that, once the Child and Parent are in sync, the Child DNS Operator + MAY remove all CDS and CDNSKEY resource records from the zone. The + Child DNS Operator may choose to do this to decrease the size of the + zone or to decrease the workload for the Parent (if the Parent + receives no CDS/CDNSKEY records, it can go back to sleep). If it + does receive a CDS or CDNSKEY RRset, it needs to check them against + what is currently published (see Section 5). + + The following acceptance rules are placed on the CDS and CDNSKEY + resource records as follows: + + o Location: MUST be at the Child zone apex. + + o Signer: MUST be signed with a key that is represented in both the + current DNSKEY and DS RRsets, unless the Parent uses the CDS or + CDNSKEY RRset for initial enrollment; in that case, the Parent + validates the CDS/CDNSKEY through some other means (see + Section 6.1 and the Security Considerations). + + o Continuity: MUST NOT break the current delegation if applied to DS + RRset. + + If any these conditions fail, the CDS or CDNSKEY resource record MUST + be ignored, and this error SHOULD be logged. + +5. CDS/CDNSKEY Publication + + The Child DNS Operator publishes CDS/CDNSKEY RRset(s). In order to + be valid, the CDS/CDNSKEY RRset(s) MUST be compliant with the rules + in Section 4.1. When the Parent DS is in sync with the CDS/CDNSKEY + RRset(s), the Child DNS Operator MAY delete the CDS/CDNSKEY RRset(s); + the Child can determine if this is the case by querying for DS + records in the Parent. + +6. Parent-Side CDS/CDNSKEY Consumption + + The CDS/CDNSKEY RRset(s) SHOULD be used by the Parental Agent to + update the DS RRset in the Parent zone. The Parental Agent for this + uses a tool that understands the CDS/CDNSKEY signing rules in + Section 4.1, so it might not be able to use a standard validator. + + + + + + + +Kumari, et al. Informational [Page 9] + +RFC 7344 Delegation Trust Maintenance September 2014 + + + The Parent MUST choose to use either CDNSKEY or CDS resource records + as its default updating mechanism. The Parent MAY only accept either + CDNSKEY or CDS, but it MAY also accept both so it can use the other + in the absence of the default updating mechanism; it MUST NOT expect + there to be both. + +6.1. Detecting a Changed CDS/CDNSKEY + + How the Parental Agent gets the CDS/CDNSKEY RRset may differ. Below + are two examples of how this can take place. + + Polling: The Parental Agent operates a tool that periodically checks + each of the Children that has a DS record to see if there is a + CDS or CDNSKEY RRset. + + Pushing: The delegation user interface has a button {Fetch DS} that, + when pushed, performs the CDS/CDNSKEY processing. If the + Parent zone does not contain DS for this delegation, then the + "push" SHOULD be ignored. If the Parental Agent displays the + contents of the CDS/CDNSKEY to the user and gets confirmation + that this represents their key, the Parental Agent MAY use this + for initial enrollment (when the Parent zone does not contain + the DS for this delegation). + + In either case, the Parental Agent MAY apply additional rules that + defer the acceptance of a CDS/CDNSKEY change. These rules may + include a condition that the CDS/CDNSKEY remains in place and valid + for some time period before it is accepted. It may be appropriate in + the "Pushing" case to assume that the Child is ready and thus accept + changes without delay. + +6.1.1. CDS/CDNSKEY Polling + + This is the only defined use of CDS/CDNSKEY resource records in this + document. There are limits to the scalability of polling techniques; + thus, some other mechanism is likely to be specified later that + addresses CDS/CDNSKEY resource record usage in the situation where + polling runs into scaling issues. Having said that, polling will + work in many important cases such as enterprises, universities, and + smaller TLDs. In many regulatory environments, the Registry is + prohibited from talking to the Registrant. In most of these cases, + the Registrant has a business relationship with the Registrar, so the + Registrar can offer this as a service. + + If the CDS/CDNSKEY RRset(s) do not exist, the Parental Agent MUST + take no action. Specifically, it MUST NOT delete or alter the + existing DS RRset. + + + + +Kumari, et al. Informational [Page 10] + +RFC 7344 Delegation Trust Maintenance September 2014 + + +6.1.2. Polling Triggers + + It is assumed that other mechanisms will be implemented to trigger + the Parent to look for an updated CDS/CDNSKEY RRset. As the CDS/ + CDNSKEY resource records are validated with DNSSEC, these mechanisms + can be unauthenticated. As an example, a Child could telephone its + Parent and request that it process the new CDS or CDNSKEY resource + records, or an unauthenticated POST could be made to a web server + (with rate-limiting). + + Other documents can specify the trigger conditions. + +6.2. Using the New CDS/CDNSKEY Records + + Regardless of how the Parental Agent detected changes to a CDS/ + CDNSKEY RRset, the Parental Agent SHOULD use a DNSSEC validator to + obtain a validated CDS/CDNSKEY RRset from the Child zone. A NOT + RECOMMENDED exception to this is if the Parent performs some + additional validation on the data to confirm that it is the "correct" + key. + + The Parental Agent MUST ensure that previous versions of the CDS/ + CDNSKEY RRset do not overwrite more recent versions. This MAY be + accomplished by checking that the signature inception in the Resource + Record Signature (RRSIG) for CDS/CDNSKEY RRset is later and/or that + the serial number on the Child's Start of Authority (SOA) is greater. + This may require the Parental Agent to maintain some state + information. + + The Parental Agent MAY take extra security measures. For example, to + mitigate the possibility that a Child's Key Signing Key (KSK) has + been compromised, the Parental Agent may inform (by email or other + methods) the Child DNS Operator of the change. However, the precise + out-of-band measures that a Parent zone takes are outside the scope + of this document. + + Once the Parental Agent has obtained a valid CDS/CDNSKEY RRset it + MUST check the publication rules from Section 4.1. In particular, + the Parental Agent MUST check the Continuity rule and do its best not + to invalidate the Child zone. Once checked, if the information in + the CDS/CDNSKEY and DS differ, it may apply the changes to the Parent + zone. If the Parent consumes CDNSKEY, the Parent should calculate + the DS before doing this comparison. + + + + + + + + +Kumari, et al. Informational [Page 11] + +RFC 7344 Delegation Trust Maintenance September 2014 + + +6.2.1. Parent Calculates DS + + There are cases where the Parent wants to calculate the DS record due + to policy reasons. In this case, the Child publishes CDNSKEY + records, and the Parent calculates the DS records on behalf of the + Children. + + When a Parent operates in "calculate DS" mode, it can operate in one + of two sub-modes: + + full: The Parent only publishes DS records it calculates from DNSKEY + records. + + augment: The Parent will make sure there are DS records for the + digest algorithm(s) it requires(s). + + In the case where the Parent fetches the CDNSKEY RRset and calculates + the DS, the resulting DS can differ from the CDS published by the + Child. It is expected that the differences are only due to the + different set of digest algorithms used. + +7. IANA Considerations + + IANA has assigned RR Type code 59 for the CDS resource record. This + was done for a draft version whose content was later incorporated + into this document [DNS-TRANSPORT]. This document is the reference + for CDS RRtype. + + IANA has assigned an RR Type for the CDNSKEY as described below: + + Type: CDNSKEY + + Value: 60 + + Meaning: DNSKEY(s) the Child wants reflected in DS + + Reference: This document + +8. Privacy Considerations + + All of the information handled or transmitted by this protocol is + public information published in the DNS. + + + + + + + + + +Kumari, et al. Informational [Page 12] + +RFC 7344 Delegation Trust Maintenance September 2014 + + +9. Security Considerations + + This work is for the normal case; when things go wrong there is only + so much that automation can fix. + + If the Child breaks DNSSEC validation by removing all the DNSKEYs + that are represented in the DS set, its only repair actions are to + contact the Parent or restore the DNSKEYs in the DS set. + + In the event of a compromise of the server or system generating + signatures for a zone, an attacker might be able to generate and + publish new CDS/CDNSKEY resource records. The modified CDS/CDNSKEY + records will be picked up by this technique and may allow the + attacker to extend the effective time of his attack. If there is a + delay in accepting changes to DS, as in [RFC5011], then the attacker + needs to hope his activity is not detected before the DS in the + Parent is changed. If this type of change takes place, the Child + needs to contact the Parent (possibly via a Registrar web interface) + and remove any compromised DS keys. + + A compromise of the account with the Parent (e.g., Registrar) will + not be mitigated by this technique, as the "new Registrant" can + delete or modify the DS records at will. + + While it may be tempting, the techniques specified in this document + SHOULD NOT be used for initial enrollment of keys since there is no + way to ensure that the initial key is the correct one. If it is + used, strict rules for inclusion of keys -- such as hold-down times, + challenge data inclusion, or similar -- MUST be used along with some + kind of challenge mechanism. A Child cannot use this mechanism to go + from signed to unsigned (publishing an empty CDS/CDNSKEY RRset means + no change should be made in the Parent). + + The CDS RR type should allow for enhanced security by simplifying the + process. Since key change is automated, updating a DS RRset by other + means may be regarded as unusual and subject to extra security + checks. + + As this introduces a new mechanism to update information in the + Parent, it MUST be clear who is fetching the records and creating the + appropriate records in the Parent zone. Specifically, some + operations may use mechanisms other than what is described here. For + example, a Registrar may assume that it is maintaining the DNSSEC key + information in the Registry and may have this cached. If the + Registry is fetching the CDS/CDNSKEY RRset, then the Registry and + Registrar may have different views of the DNSSEC key material; the + + + + + +Kumari, et al. Informational [Page 13] + +RFC 7344 Delegation Trust Maintenance September 2014 + + + result of such a situation is unclear. Therefore, this mechanism + SHOULD NOT be used to bypass intermediaries that might cache + information and, because of that, get the wrong state. + + If there is a failure in applying changes in the Child zone to all + DNS servers listed in either Parent or Child NS set, it is possible + that the Parental Agent may get confused either because it gets + different answers on different checks or CDS RR validation fails. In + the worst case, the Parental Agent performs an action reversing a + prior action after the Child signing system decides to take the next + step in the key change process, resulting in a broken delegation. + + DNS is a loosely coherent distributed database with local caching; + therefore, it is important to allow old information to expire from + caches before deleting DS or DNSKEY records. Similarly, it is + important to allow new records to propagate through the DNS before + use (see [RFC6781]). + + It is common practice for users to outsource their DNS hosting to a + third-party DNS provider. In order for that provider to be able to + maintain the DNSSEC information, some users give the provider their + Registrar login credentials (which obviously has negative security + implications). Deploying the solution described in this document + allows third-party DNS providers to maintain the DNSSEC information + without Registrants giving their Registrar credentials, thereby + improving security. + + By automating the maintenance of the DNSSEC key information (and + removing humans from the process), we expect to decrease the number + of DNSSEC related outages, which should increase DNSSEC deployment. + +10. Acknowledgements + + We would like to thank a large number of folk, including Mark + Andrews, Joe Abley, Jaap Akkerhuis, Roy Arends, Doug Barton, Brian + Dickson, Paul Ebersman, Tony Finch, Jim Galvin, Paul Hoffman, Samir + Hussain, Tatuya Jinmei, Olaf Kolkman, Stephan Lagerholm, Cricket Liu, + Matt Larson, Marco Sanz, Antoin Verschuren, Suzanne Woolf, Paul + Wouters, John Dickinson, Timothe Litt, and Edward Lewis. + + Special thanks to Wes Hardaker for contributing significant text and + creating the complementary (CSYNC) solution, and to Patrik Faltstrom, + Paul Hoffman, Matthijs Mekking, Mukund Sivaraman, and Jeremy C. Reed + for text and in-depth review. Brian Carpenter provided a good + Gen-ART review. + + There were a number of other folk with whom we discussed this + document; apologies for not remembering everyone. + + + +Kumari, et al. Informational [Page 14] + +RFC 7344 Delegation Trust Maintenance September 2014 + + +11. References + +11.1. Normative References + + [RFC1035] Mockapetris, P., "Domain names - implementation and + specification", STD 13, RFC 1035, November 1987. + + [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate + Requirement Levels", BCP 14, RFC 2119, March 1997. + + [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. + Rose, "DNS Security Introduction and Requirements", RFC + 4033, March 2005. + + [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. + Rose, "Resource Records for the DNS Security Extensions", + RFC 4034, March 2005. + + [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S. + Rose, "Protocol Modifications for the DNS Security + Extensions", RFC 4035, March 2005. + + [RFC5011] StJohns, M., "Automated Updates of DNS Security (DNSSEC) + Trust Anchors", STD 74, RFC 5011, September 2007. + + [RFC6781] Kolkman, O., Mekking, W., and R. Gieben, "DNSSEC + Operational Practices, Version 2", RFC 6781, December + 2012. + +11.2. Informative References + + [AUTO-CPSYNC] + Mekking, W., "Automated (DNSSEC) Child Parent + Synchronization using DNS UPDATE", Work in Progress, + December 2010. + + [CPSYNC-DNS] + Hardaker, W., "Child To Parent Synchronization in DNS", + Work in Progress, July 2014. + + [DNS-TRANSPORT] + Barwood, G., "DNS Transport", Work in Progress, June 2011. + + [PARENT-ZONES] + Andrews, M., "Updating Parent Zones", Work in Progress, + November 2013. + + + + + +Kumari, et al. Informational [Page 15] + +RFC 7344 Delegation Trust Maintenance September 2014 + + + [RFC5730] Hollenbeck, S., "Extensible Provisioning Protocol (EPP)", + STD 69, RFC 5730, August 2009. + + [RFC5910] Gould, J. and S. Hollenbeck, "Domain Name System (DNS) + Security Extensions Mapping for the Extensible + Provisioning Protocol (EPP)", RFC 5910, May 2010. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Kumari, et al. Informational [Page 16] + +RFC 7344 Delegation Trust Maintenance September 2014 + + +Appendix A. RRR Background + + RRR is our shorthand for the Registry/Registrar/Registrant model of + Parent-Child relationships. + + In the RRR world, the different parties are frequently from different + organizations. In the single enterprise world, there are also + organizational, geographical, and cultural separations that affect + how information flows from a Child to the Parent. + + Due to the complexity of the different roles and interconnections, + automation of delegation information has not yet occurred. There + have been proposals to automate this, in order to improve the + reliability of the DNS. These proposals have not gained enough + traction to become standards. + + For example, in many of the TLD cases, there is the RRR model + (Registry/Registrar/Registrant). The Registry operates DNS for the + TLD, and the Registrars accept registrations and place information + into the Registry's database. The Registrant only communicates with + the Registrar; frequently, the Registry is not allowed to communicate + with the Registrant. In that case, as far as the Registrant is + concerned, the Registrar is the same entity as the Parent. + + In many RRR cases, the Registrar and Registry communicate via EPP + [RFC5730] and use the EPP DNSSEC extension [RFC5910]. In a number of + Country Code TLDs (ccTLDs), there are other mechanisms in use as well + as EPP, but in general, there seems to be a movement towards EPP + usage when DNSSEC is enabled in the TLD. + +Appendix B. CDS Key Rollover Example + + This section shows an example on how CDS is used when performing a + KSK rollover. This example will demonstrate the Double-DS rollover + method from Section 4.1.2 of [RFC6781]. Other rollovers using + CDNSKEY and double KSK are left as an exercise to the reader. The + table below does not reflect the Zone Signing Keys (ZSKs) as they do + not matter during KSK rollovers. The wait steps highlight what RRset + needs to expire from caches before progressing to the next step. + + + + + + + + + + + + +Kumari, et al. Informational [Page 17] + +RFC 7344 Delegation Trust Maintenance September 2014 + + + +------+---------------+---------+---------+--------------+---------+ + | Step | State | Parent | Child | DNSKEY and | Child | + | | | DS | KSK | CDS signer | CDS | + +------+---------------+---------+---------+--------------+---------+ + | | Beginning | A | A | A | | + | 1 | Add CDS | A | A | A | AB | + | Wait | for DS change | A | A | A | AB | + | 2 | Updated DS | AB | A | A | AB | + | Wait | > DS TTL | AB | A | A | AB | + | 3 | Actual | AB | B | B | AB | + | | Rollover | | | | | + | Wait | > DNSKEY TTL | AB | B | B | AB | + | 4 | Child Cleanup | AB | B | B | B | + | 5 | Parent cleans | B | B | B | B | + | 6 | Optional CDS | B | B | B | | + | | delete | | | | | + +------+---------------+---------+---------+--------------+---------+ + + Table 1: States + +Authors' Addresses + + Warren Kumari + Google + 1600 Amphitheatre Parkway + Mountain View, CA 94043 + US + + EMail: warren@kumari.net + + + Olafur Gudmundsson + OGUD Consulting + 3821 Village Park Dr. + Chevy Chase, MD 20815 + US + + EMail: ogud@ogud.com + + + George Barwood + 33 Sandpiper Close + Gloucester GL2 4LZ + United Kingdom + + EMail: george.barwood@blueyonder.co.uk + + + + + +Kumari, et al. Informational [Page 18] + -- 2.10.1.445.g3cdd5d1