Network Working Group R. Arends Internet-Draft Expires: May 2, 2003 M. Kosters D. Blacka Verisign, Inc. November 1, 2002 DNSSEC Opt-In draft-ietf-dnsext-dnssec-opt-in-04 Status of this Memo This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on May 2, 2003. Copyright Notice Copyright (C) The Internet Society (2002). All Rights Reserved. Abstract In RFC 2535, delegations to unsigned subzones are cryptographically secured. Maintaining this cryptography is not practical or necessary. This document describes an "Opt-In" model that allows administrators to omit this cryptography and manage the cost of adopting DNSSEC with large zones. Arends, et al. Expires May 2, 2003 [Page 1] Internet-Draft DNSSEC Opt-In November 2002 Table of Contents 1. Definitions and Terminology . . . . . . . . . . . . . . . . 3 2. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 4 3. Protocol Additions . . . . . . . . . . . . . . . . . . . . . 5 3.1 Server Considerations . . . . . . . . . . . . . . . . . . . 6 3.1.1 Delegations Only . . . . . . . . . . . . . . . . . . . . . . 6 3.1.2 Insecure Delegation Responses . . . . . . . . . . . . . . . 6 3.1.3 Wildcards and Opt-In . . . . . . . . . . . . . . . . . . . . 6 3.2 Client Considerations . . . . . . . . . . . . . . . . . . . 7 3.2.1 Delegations Only . . . . . . . . . . . . . . . . . . . . . . 7 3.2.2 Validation Process Changes . . . . . . . . . . . . . . . . . 7 3.2.3 NXT Record Caching . . . . . . . . . . . . . . . . . . . . . 8 3.2.4 Use of the AD bit . . . . . . . . . . . . . . . . . . . . . 8 4. Benefits . . . . . . . . . . . . . . . . . . . . . . . . . . 9 5. Example . . . . . . . . . . . . . . . . . . . . . . . . . . 10 6. Transition Issues . . . . . . . . . . . . . . . . . . . . . 12 7. Security Considerations . . . . . . . . . . . . . . . . . . 13 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . 14 9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . 15 References . . . . . . . . . . . . . . . . . . . . . . . . . 16 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 16 A. Implementing Opt-In using "Views" . . . . . . . . . . . . . 18 B. Changes from Prior Versions . . . . . . . . . . . . . . . . 20 Full Copyright Statement . . . . . . . . . . . . . . . . . . 21 Arends, et al. Expires May 2, 2003 [Page 2] Internet-Draft DNSSEC Opt-In November 2002 1. Definitions and Terminology Throughout this document, familiarity with the DNS system, RFC 1035 [1], DNS security extensions, RFC 2535 [4], and DNSSEC terminology RFC 3090 [5] is assumed. The following abbreviations and terms are used in this document: RR: is used to refer to a DNS resource record. RRset: refers to a Resource Record Set, as defined by [3]. In this document, the RRset is also defined to include the covering SIG records, if any exist. covering NXT record/RRset: is the NXT record used to prove (non)existence of a particular name or RRset. This means that for a RRset or name 'N', the covering NXT record has the name 'N', or has an owner name less than 'N' and "next" name greater than 'N'. delegation: refers to a NS RRset with a name different from the current zone apex (non-zone-apex), signifying a delegation to a subzone. secure delegation: refers to the NS, DS, NXT and SIG RRsets for a non-zone-apex owner name, signifying a delegation to a DNSSEC signed subzone. 2535/DS insecure delegation: refers to the NS, NXT, and SIG RRsets for a non-zone-apex owner name, signifying a delegation to an unsigned subzone. This differs from the secured delegation by the absence of a DS RRset, marked by the zero value for the DS type code in the NXT type map. Opt-In insecure delegation: refers to the NS RRset for a non-zone- apex owner name where the covering NXT record uses the Opt-In methodology described in this document. The key words "MUST, "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY, and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [2]. Arends, et al. Expires May 2, 2003 [Page 3] Internet-Draft DNSSEC Opt-In November 2002 2. Overview The cost to cryptographically secure delegations to unsigned zones is high for large delegation-centric zones and zones where insecure delegations will be updated rapidly. For these zones, the costs of maintaining the NXT record chain may be extremely high relative to the gain of cryptographically authenticating existence of unsecured zones. This document describes a method of eliminating the superfluous cryptography present in secure delegations to insecure zones. Using "Opt-In", a zone administrator can choose to remove insecure delegations from the NXT chain. This is accomplished by extending the semantics of the NXT record by using a redundant bit in the type map. Arends, et al. Expires May 2, 2003 [Page 4] Internet-Draft DNSSEC Opt-In November 2002 3. Protocol Additions In RFC 2535, delegation NS RRsets are not signed, but instead are accompanied by a NXT RRset of the same name, and possibly a ("no- key") KEY RR [4] or DS record [7]. The security status of the subzone is determined by the presence of the KEY or DS records, cryptographically proven by the NXT record. Opt-In expands this definition by allowing insecure delegations to exist within an otherwise signed zone without the corresponding NXT record at the delegation's owner name. These insecure delegations are proven insecure by using a covering NXT record. Since this represents a change of the interpretation of NXT records, resolvers must be able to distinguish between RFC 2535 NXT records and Opt-In NXT records. This is accomplished by "tagging" the NXT records that cover (or potentially cover) insecure delegation nodes. This tag is indicated by the absence of the NXT bit in the type map. Since the NXT bit in the type map merely indicates the existence of the record itself, this bit is redundant and safe for use as a tag. An Opt-In tagged NXT record does not assert the (non)existence of the delegations that it covers. This allows for the addition or removal of these delegations without recalculating the resigning the NXT chain. However, Opt-In tagged NXT records do assert the (non)existence of other signed RRsets. Zones using Opt-In MAY contain a mixture of Opt-In tagged NXT records and RFC 2535 NXT records. If a NXT record is not Opt-In, there MUST NOT be any insecure delegations between it and the RRsets indicated by the 'next domain name' in the NXT RDATA. If it is Opt-In, there MUST only be insecure delegations between it and the next node indicated by the 'next domain name' in the NXT RDATA. In summary, o An Opt-In NXT type is identified by a zero-valued (or not- specified) NXT bit in the type bit map of the NXT record. o A RFC2535 NXT type is identified by a one-valued NXT bit in the type bit map of the NXT record. and, o An Opt-In NXT record does not assert the non-existence of a name between its owner name and "next" name, although it does assert that any name in this span MUST be an insecure delegation. o An Opt-In NXT record does assert the (non)existence of RRsets with Arends, et al. Expires May 2, 2003 [Page 5] Internet-Draft DNSSEC Opt-In November 2002 the same owner name. 3.1 Server Considerations Opt-In imposes some new requirements on authoritative DNS servers. 3.1.1 Delegations Only This specification dictates that only insecure delegations may exist between the owner and "next" names of an Opt-In tagged NXT record. Servers and signing tools MUST enforce this restriction. 3.1.2 Insecure Delegation Responses When returning an Opt-In insecure delegation, the server MUST return the covering NXT RRset in the Authority section. This presents a change from RFC 2535, where the "no-key" KEY RRset would be returned instead. However, in the delegation signer proposal, NXT records already must be returned along with the insecure delegation. The primary difference that this proposal introduces is that the Opt-In tagged NXT record will have a different owner name from the delegation RRset. This may require implementations to do a NXT search on cached responses. 3.1.3 Wildcards and Opt-In RFC 2535, in section 5.3, describes the practice of returning NXT records to prove the non-existence of an applicable wildcard in non- existent name responses. This NXT record can be described as a "negative wildcard proof". The use of Opt-In NXT records changes the necessity for this practice. For non-existent name (NXDOMAIN) responses when the query name (qname) is covered by an Opt-In tagged NXT record, servers MUST NOT return negative wildcard proof records. The intent of the RFC 2535 negative wildcard proof requirement is to prevent malicious users from undetectably removing valid wildcard responses. In order for this cryptographic proof to work, the resolver must be able to prove: 1. The exact qname does not exist. This is done by the "normal" NXT record. 2. No applicable wildcard exists. This is done by returning one or more NXT records proving that the wildcards do not exist (negative wildcard proofs). Arends, et al. Expires May 2, 2003 [Page 6] Internet-Draft DNSSEC Opt-In November 2002 However, if the NXT record covering the exact qname is an Opt-In NXT record, the resolver will not be able to prove the first part of this equation, as the qname might exist as an insecure delegation. Thus, since the total proof cannot be completed, the negative wildcard proof records are not useful. The negative wildcard proofs are also not useful when returned as part of an Opt-In insecure delegation response for a similar reason: the resolver cannot prove that the qname does or does not exist, and therefore cannot prove that a wildcard expansion is valid. The presence of an Opt-In tagged NXT record does not change the practice of returning a NXT along with a wildcard expansion. Even though the Opt-In NXT will not be able to prove that the wildcard expansion is valid, it will prove that the wildcard expansion is not masking any signed records. 3.2 Client Considerations Opt-In imposes some new requirements on DNS resolvers (caching or otherwise). 3.2.1 Delegations Only As stated in the "Server Considerations" section above, this specification restricts the namespace covered by Opt-In tagged NXT records to insecure delegations only. Thus, resolvers MUST reject as invalid any records that fall within an Opt-In NXT record's span that are not NS records or corresponding glue records. 3.2.2 Validation Process Changes This specification does not change the resolver's resolution algorithm. However, it does change the DNSSEC validation process. Resolvers MUST be able to use Opt-In tagged NXT records to cryptographically prove the validity and security status (as insecure) of a referral. Resolvers determine the security status of the referred-to zone as follows: o In RFC 2535, the security status is proven by existence of a verified "no-key" KEY RRset. The absence of the "no-key" KEY RRset indicates that the referred-to zone is secure. o Using Delegation Signer, the security status is proven by the existence or absence of a DS record at the same name as the delegation. The absence is proven using a verified NXT record of the same name that does not have the DS bit set in the type map. This NXT record MAY also be tagged as Opt-In. Arends, et al. Expires May 2, 2003 [Page 7] Internet-Draft DNSSEC Opt-In November 2002 o Using Opt-In, the security status is proven by the existence of a DS record (for secure) or the presence of a verified Opt-In tagged NXT record that covers the delegation name. That is, the NXT record does not have the NXT bit set in the type map, and the delegation name falls between the NXT's owner and "next" name. Using Opt-In does not substantially change the nature of following referrals within DNSSEC. At every delegation point, the resolver will have cryptographic proof that the subzone is secure or insecure. When receiving either an Opt-In insecure delegation response or a non-existent name response where that name is covered by an Opt-In tagged NXT record, the resolver MUST NOT require proof (in the form of a NXT record) that a wildcard did not exist. 3.2.3 NXT Record Caching Caching resolvers MUST be able to retrieve the appropriate covering Opt-In NXT record when returning referrals that need them. This requirement differs from Delegation Signer in that the covering NXT will not have the same owner name as the delegation. Some implementations may have to use new methods for finding these NXT records. 3.2.4 Use of the AD bit The AD bit, as defined by [8], MUST NOT be set when: o sending a non-existent name (NXDOMAIN) response where the covering NXT is tagged as Opt-In. o sending an Opt-In insecure delegation response, unless the covering (Opt-In) NXT record's owner name equals the delegation name. This rule is based on what the Opt-In NXT record actually proves. For names that exist between the Opt-In NXT record's owner and "next" names, the Opt-In NXT record cannot prove the non-existence or existence of the name. As such, not all data in the response has been cryptographically verified, so the AD bit cannot be set. Arends, et al. Expires May 2, 2003 [Page 8] Internet-Draft DNSSEC Opt-In November 2002 4. Benefits Using Opt-In allows administrators of large and/or changing delegation-centric zones to minimize the overhead involved in maintaining the security of the zone. Opt-In accomplishes this by eliminating the need for both "no-key" KEY (in [4]) and NXT records for insecure delegations. This, in a zone with a large number of delegations to unsigned subzones, can lead to substantial space savings (both in memory and on disk). Additionally, Opt-In allows for the addition or removal of insecure delegations without modifying the NXT record chain. Zones that are frequently updating insecure delegations (e.g., TLDs) can avoid the substantial overhead of modifying and resigning the affected NXT records. Arends, et al. Expires May 2, 2003 [Page 9] Internet-Draft DNSSEC Opt-In November 2002 5. Example Consider the zone EXAMPLE, shown below. This is a zone where all of the NXT records are tagged as Opt-In. Example A: Fully Opt-In Zone. EXAMPLE. SOA ... EXAMPLE. SIG SOA ... EXAMPLE. NS FIRST-SECURE.EXAMPLE. EXAMPLE. SIG NS ... EXAMPLE. KEY ... EXAMPLE. SIG KEY ... EXAMPLE. NXT FIRST-SECURE.EXAMPLE. SOA NS SIG KEY EXAMPLE. SIG NXT ... FIRST-SECURE.EXAMPLE. A ... FIRST-SECURE.EXAMPLE. SIG A ... FIRST-SECURE.EXAMPLE. NXT SECOND-SECURE.EXAMPLE. A SIG FIRST-SECURE.EXAMPLE. SIG NXT ... NOT-SECURE.EXAMPLE. NS NS.NOT-SECURE.EXAMPLE. NS.NOT-SECURE.EXAMPLE. A ... SECOND-SECURE.EXAMPLE. NS NS.ELSEWHERE. SECOND-SECURE.EXAMPLE. KEY ... SECOND-SECURE.EXAMPLE. SIG KEY ... SECOND-SECURE.EXAMPLE. NXT EXAMPLE. NS SIG KEY SECOND-SECURE.EXAMPLE. SIG NXT ... UNSIGNED.EXAMPLE. NS NS.UNSIGNED.EXAMPLE. NS.UNSIGNED.EXAMPLE. A ... In this example, a query for a signed RRset (e.g., "FIRST- SECURE.EXAMPLE A"), or a secure delegation ("WWW.SECOND- SECURE.EXAMPLE A") will result in a standard RFC 2535 response. A query for a nonexistent RRset will result in a response that differs from RFC 2535 by: the NXT record will be tagged as Opt-In, there will be no NXT record proving the non-existence of a matching wildcard record, and the AD bit will not be set. A query for an insecure delegation RRset (or a referral) will return both the answer (in the Authority section) and the corresponding Opt- In NXT record to prove that it is not secure. Arends, et al. Expires May 2, 2003 [Page 10] Internet-Draft DNSSEC Opt-In November 2002 Example A.1: Response to query for WWW.UNSIGNED.EXAMPLE. A RCODE=NOERROR, AD=0 Answer Section: Authority Section: UNSIGNED.EXAMPLE. NS NS.UNSIGNED.EXAMPLE SECOND-SECURE.EXAMPLE. NXT EXAMPLE. NS SIG KEY SECOND-SECURE.EXAMPLE. SIG NXT ... Additional Section: NS.UNSIGNED.EXAMPLE A ... EXAMPLE. KEY ... EXAMPLE. SIG KEY ... In the Example A zone, the EXAMPLE. node MAY use either style of NXT record, because there are no insecure delegations that occur between it and the next node, FIRST-SECURE.EXAMPLE. In other words, Example A would still be a valid zone if the NXT record for EXAMPLE. was changed to the following RR: EXAMPLE. NXT FIRST-SECURE.EXAMPLE. SOA NS SIG KEY NXT However, the other NXT records (FIRST-SECURE.EXAMPLE. and SECOND- SECURE.EXAMPLE.) MUST be tagged as Opt-In because there are insecure delegations in the range they define. (NOT-SECURE.EXAMPLE. and UNSIGNED.EXAMPLE., respectively). Arends, et al. Expires May 2, 2003 [Page 11] Internet-Draft DNSSEC Opt-In November 2002 6. Transition Issues Opt-In is not backwards compatible with RFC 2535. RFC 2535 compliant DNSSEC implementations will not recognize Opt-In tagged NXT records as different from RFC 2535 NXT records. Because of this, RFC 2535 implementations will reject all Opt-In insecure delegations within a zone as invalid. Arends, et al. Expires May 2, 2003 [Page 12] Internet-Draft DNSSEC Opt-In November 2002 7. Security Considerations Opt-In allows for unsigned names. All unsigned names are, by definition, insecure, and their validity (or existence) can not be cryptographically proven. With Opt-In, a malicious entity is able to: insert, modify, or delete insecure delegation RRsets within the Opt-In spans of a otherwise secured zone. In addition, a malicious entity is able to replay or delete wildcard expansions (if there is an existing applicable wildcard) in the Opt-In spans of the zone. For example, if a resolver received the following response from the example zone above: Example S.1: Response to query for WWW.DOES-NOT-EXIST.EXAMPLE. A RCODE=NOERROR Authority Section: DOES-NOT-EXIST.EXAMPLE. NS NS.FORGED. EXAMPLE. NXT FIRST-SECURE.EXAMPLE. SOA NS SIG KEY EXAMPLE. SIG NXT ... Additional Section: EXAMPLE. KEY ... EXAMPLE. SIG KEY ... The resolver would have no choice but to believe that the referral to NS.FORGED. is valid. While in particular cases, this issue may not present a significant security problem, in general it should not be lightly dismissed. It is strongly RECOMMENDED that Opt-In be used sparingly. In particular, zone signing tools SHOULD NOT default to Opt-In, and MAY choose to not support Opt-In at all. Arends, et al. Expires May 2, 2003 [Page 13] Internet-Draft DNSSEC Opt-In November 2002 8. IANA Considerations None. Arends, et al. Expires May 2, 2003 [Page 14] Internet-Draft DNSSEC Opt-In November 2002 9. Acknowledgments The contributions, suggestions and remarks of the following persons (in alphabetic order) to this draft are acknowledged: Mats Dufberg, Miek Gieben, Olafur Gudmundsson, Bob Halley, Olaf Kolkman, Edward Lewis, Ted Lindgreen, Rip Loomis, Bill Manning, Dan Massey, Scott Rose, Mike Schiraldi, Jakob Schlyter, Brian Wellington. Arends, et al. Expires May 2, 2003 [Page 15] Internet-Draft DNSSEC Opt-In November 2002 References [1] Mockapetris, P., "Domain names - implementation and specification", STD 13, RFC 1035, November 1987. [2] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [3] Elz, R. and R. Bush, "Clarifications to the DNS Specification", RFC 2181, July 1997. [4] Eastlake, D., "Domain Name System Security Extensions", RFC 2535, March 1999. [5] Lewis, E., "DNS Security Extension Clarification on Zone Status", RFC 3090, March 2001. [6] Conrad, D., "Indicating Resolver Support of DNSSEC", RFC 3225, December 2001. [7] Gudmundsson, O., "Delegation Signer Resource Record", draft- ietf-dnsext-delegation-signer-09 (work in progress), September 2002. [8] Gudmundsson, O. and B. Wellington, "Redefinition of DNS AD bit", draft-ietf-dnsext-ad-is-secure-06 (work in progress), June 2002. Authors' Addresses Roy Arends Bankastraat 41-E 1094 EB Amsterdam NL Phone: +31206931681 EMail: roy@logmess.com Mark Kosters Verisign, Inc. 21355 Ridgetop Circle Dulles, VA 20166 US Phone: +1 703 948 3200 EMail: markk@verisign.com URI: http://www.verisignlabs.com Arends, et al. Expires May 2, 2003 [Page 16] Internet-Draft DNSSEC Opt-In November 2002 David Blacka Verisign, Inc. 21355 Ridgetop Circle Dulles, VA 20166 US Phone: +1 703 948 3200 EMail: davidb@verisign.com URI: http://www.verisignlabs.com Arends, et al. Expires May 2, 2003 [Page 17] Internet-Draft DNSSEC Opt-In November 2002 Appendix A. Implementing Opt-In using "Views" In many cases, it may be convenient to implement an Opt-In zone by combining two separately maintained "views" of a zone at request time. In this context, "view" refers to a particular version of a zone, not to any specific DNS implementation feature. In this scenario, one view is the secure view, the other is the insecure (or legacy) view. The secure view consists of an entirely signed zone using Opt-In tagged NXT records. The insecure view contains no DNSSEC information. It is helpful, although not necessary, for the secure view to be a subset (minus DNSSEC records) of the insecure view. In addition, the only RRsets that may solely exist in the insecure view are non-zone-apex NS RRsets. That is, all non-NS RRsets (and the zone apex NS RRset) MUST be signed and in the secure view. These two views may be combined at request time to provide a virtual, single opt-in zone. The following algorithm is used when responding to each query: V_A is the secure view as described above. V_B is the insecure view as described above. R_A is a response generated from V_A, following RFC 2535 [4]. R_B is a response generated from V_B, following DNS resolution as per RFC 1035 [1]. R_C is the response generated by combining R_A with R_B, as described below. A query is DNSSEC-aware if it either has the DO bit [6] turned on, or is for a DNSSEC-specific record type. 1. If V_A is a subset of V_B and the query is not DNSSEC-aware, generate and return R_B, otherwise 2. Generate R_A. 3. If R_A's RCODE != NXDOMAIN, return R_A, otherwise 4. Generate R_B and combine it with R_A to form R_C: Arends, et al. Expires May 2, 2003 [Page 18] Internet-Draft DNSSEC Opt-In November 2002 For each section (ANSWER, AUTHORITY, ADDITIONAL), copy the records from R_A into R_B, EXCEPT the AUTHORITY section SOA record, if R_B's RCODE = NOERROR. 5. Return R_C. Arends, et al. Expires May 2, 2003 [Page 19] Internet-Draft DNSSEC Opt-In November 2002 Appendix B. Changes from Prior Versions Changes from version 03: Editorial changes for clarification only. Changes from version 02: Added text on changes to validation process, use of the AD bit, and interactions with wildcards. Added wildcard caveats to the "Security Considerations" section. Added "Transition Issues" section. Changes from version 01: Changed to "delegation only". Strengthened "Security Considerations" section. Added "Server Considerations" and "Client Considerations" sections. Added AD bit requirement. Changes from version 00: Complete rewrite, altering approach from "views" to tagged NXT records Arends, et al. Expires May 2, 2003 [Page 20] Internet-Draft DNSSEC Opt-In November 2002 Full Copyright Statement Copyright (C) The Internet Society (2002). All Rights Reserved. This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English. The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns. This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Acknowledgement Funding for the RFC Editor function is currently provided by the Internet Society. Arends, et al. Expires May 2, 2003 [Page 21]