Internet DRAFT - draft-dsawp-notify

draft-dsawp-notify







Network Working Group                                          J. Levine
Internet-Draft                                             Standcore LLC
Updates: 1996 (if approved)                                  29 May 2023
Intended status: Standards Track                                        
Expires: 30 November 2023


                       NOTIFY for DNSSEC updates
                         draft-dsawp-notify-00

Abstract

   This document specifes a new usage of DNS NOTIFY to install and
   update DNSSEC key information.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 30 November 2023.

Copyright Notice

   Copyright (c) 2023 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Revised BSD License text as
   described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Revised BSD License.






Levine                  Expires 30 November 2023                [Page 1]

Internet-Draft                DNSSEC NOTIFY                     May 2023


Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  NOTIFY usage for key updates  . . . . . . . . . . . . . . . .   2
   3.  Identifying the parent to notify  . . . . . . . . . . . . . .   3
   4.  Security considerations . . . . . . . . . . . . . . . . . . .   3
   5.  Normative References  . . . . . . . . . . . . . . . . . . . .   3
   6.  Informative References  . . . . . . . . . . . . . . . . . . .   4
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .   4

1.  Introduction

   [RFC1996] defines the NOTIFY opcode for DNS and its use to alert
   secondary name servers that the contents of a zone has changed.

   [RFC7344] specifies the method to pass DNSSEC key changes from child
   to parent zones using CDS and CDNSKEY records.  [RFC8078] describes a
   method to pass initial DNSSEC key records from child to parent using
   CDS and CDNSKEY records, while [I-D.ietf-dnsop-dnssec-bootstrapping]
   describes a more secure alternative.

   All three of these methods currently depend on a parent zone
   periodically scanning child zones to check for updates, which limits
   the speed of DNSSEC updates and potentially puts a large load on
   parent zones with many child zones.  A new usage of DNS NOTIFY allows
   a child zone to tell the parent zone that DNSSEC key information has
   changed, so the parent can promptly scan the child zone and perform
   updates.

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

2.  NOTIFY usage for key updates

   In Section 2 of [RFC1996], the server sending the NOTIFY queries is
   called the Master and the one receiving and answering them is called
   the Slave.  In this application, a server for a child zone sends the
   queries, and a server for the parent zone receives and answers them.

   The format of a NOTIFY query and answer is unchanged from that in
   Section 3 of [RFC1996].  The QTYPE of the request MUST be CDS or
   CDNSKEY, to indicate that CDS or CDNSKEY records in the child zone
   have been added or updated.  The answer section SHOULD contain copies
   of the new CDS or CDNSKEY records, which the parent can use to
   disregard duplicate requests, as in Section 3.7 of [RFC1996].



Levine                  Expires 30 November 2023                [Page 2]

Internet-Draft                DNSSEC NOTIFY                     May 2023


   When the parent receives a non-duplicate request, if it already has
   DNSSEC key records for the child zone, it scans for updates as in
   [RFC7344].  If it does not, it uses the process from [RFC8078] or
   [I-D.ietf-dnsop-dnssec-bootstrapping] to possibly install new key
   records.

   A parent MUST ignore DNSSEC NOTIFY messages that are not for zones
   that are immediate children of the parent, other than optionally
   logging an error message.

   In some cases a zone may have multiple signers.  The multiple signers
   have to coordinate CDS and CDNSKEY updates as described in Section 8
   of [RFC8901] and it is up to them to coordinate which of them sends
   NOTIFY queries, or whether they both can do so.

3.  Identifying the parent to notify

   In some cases, NOTIFY messages are sent to one of the DNS servers for
   the parent zone, but in other cases they may be sent to a different
   host that manages the parent zone, analogous to Stealth servers in
   Section 2.1 of [RFC1996].

   This specification does not describe how to select or find the
   correct target of the NOTIFY.

4.  Security considerations

   The NOTIFY messages are only a hint to do a scan that the parent
   would eventually have done anyway, so they introduce no new DNSSEC
   security issues.

   Large numbers of NOTIFY messages could cause a denial of service
   attack, just like any other unwanted traffic.  Child servers MUST
   limit the number of NOTIFY queries they send and parents MUST limit
   the number of answers they send to avoid direct or reflection DoS
   attacks.

5.  Normative References

   [RFC1996]  Vixie, P., "A Mechanism for Prompt Notification of Zone
              Changes (DNS NOTIFY)", RFC 1996, DOI 10.17487/RFC1996,
              August 1996, <https://www.rfc-editor.org/info/rfc1996>.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.




Levine                  Expires 30 November 2023                [Page 3]

Internet-Draft                DNSSEC NOTIFY                     May 2023


   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

6.  Informative References

   [I-D.ietf-dnsop-dnssec-bootstrapping]
              Thomassen, P. and N. Wisiol, "Automatic DNSSEC
              Bootstrapping using Authenticated Signals from the Zone's
              Operator", Work in Progress, Internet-Draft, draft-ietf-
              dnsop-dnssec-bootstrapping-04, 1 May 2023,
              <https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-
              dnssec-bootstrapping-04>.

   [RFC7344]  Kumari, W., Gudmundsson, O., and G. Barwood, "Automating
              DNSSEC Delegation Trust Maintenance", RFC 7344,
              DOI 10.17487/RFC7344, September 2014,
              <https://www.rfc-editor.org/info/rfc7344>.

   [RFC8078]  Gudmundsson, O. and P. Wouters, "Managing DS Records from
              the Parent via CDS/CDNSKEY", RFC 8078,
              DOI 10.17487/RFC8078, March 2017,
              <https://www.rfc-editor.org/info/rfc8078>.

   [RFC8901]  Huque, S., Aras, P., Dickinson, J., Vcelak, J., and D.
              Blacka, "Multi-Signer DNSSEC Models", RFC 8901,
              DOI 10.17487/RFC8901, September 2020,
              <https://www.rfc-editor.org/info/rfc8901>.

Author's Address

   John Levine
   Standcore LLC
   Email: standards@standcore.com

















Levine                  Expires 30 November 2023                [Page 4]