Internet DRAFT - draft-manderson-rdns-xml

draft-manderson-rdns-xml







Internet Engineering Task Force                             T. Manderson
Internet-Draft                                                     ICANN
Intended status: Informational                             June 22, 2015
Expires: December 24, 2015


                 XML Schemas for Reverse DNS Management
                      draft-manderson-rdns-xml-02

Abstract

   This document defines an Extensible Markup Language (XML) Schema for
   Reverse DNS Management in a tightly controlled Representational State
   Transfer (REST) environment.  This document describes a schema that
   has been developed and deployed by ICANN in a "RESTful" based system
   since 2011 and is being used by the registries responsible for
   reverse DNS (rDNS) delegations underneath IN-ADDR.ARPA and IP6.ARPA
   through an X.509 certificate mediated HTTPS transaction.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on December 24, 2015.

Copyright Notice

   Copyright (c) 2015 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of



Manderson               Expires December 24, 2015               [Page 1]

Internet-Draft              Abbreviated Title                  June 2015


   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Requirements Language . . . . . . . . . . . . . . . . . . . .   2
   2.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   3.  Implementation  . . . . . . . . . . . . . . . . . . . . . . .   3
   4.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   5
   5.  Security Considerations . . . . . . . . . . . . . . . . . . .   5
   6.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .   6
   7.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   6
     7.1.  Normative References  . . . . . . . . . . . . . . . . . .   6
     7.2.  Informative References  . . . . . . . . . . . . . . . . .   6
   Appendix A.  Schema Definition for rDNS updates . . . . . . . . .   7
   Appendix B.  Schema Definition for rDNS Queue Entries . . . . . .   8
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .  10

1.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

2.  Introduction

   This document defines an Extensible Markup Language (XML) Schema for
   Reverse DNS Management in a tightly controlled Representational State
   Transfer (REST) [REST] environment.  This document describes a schema
   that has been developed and deployed by ICANN in a "RESTful" based
   system since 2011 and is being used by the registries responsible for
   reverse DNS (rDNS) delegations underneath IN-ADDR.ARPA [RFC1034] and
   IP6.ARPA [RFC3152] through an X.509 [RFC5280] certificate mediated
   HTTPS [RFC2818] transaction.

   As DNSSEC [RFC4033]  adoption progresses the necessity to interact
   with a delegation in the IN-ADDR.ARPA and IP6.APRA zones becomes more
   frequent given that updates to DS records in the parent zone for
   child delegations follow the key rollover and expiry of the child
   zone.  The modification of such critical areas at a relative high
   frequency requires a system that allows the administrative holders of
   such delegations to make such changes in a secure and trustworthy
   manner where the chain of trust for submitting the necessary
   information remains unbroken between the IN-ADDR.ARPA and IP6.APRA
   zone maintainers and the zone customers.






Manderson               Expires December 24, 2015               [Page 2]

Internet-Draft              Abbreviated Title                  June 2015


   At the request of the Regional Internet Registries to automate
   reverse DNS updates with ICANN, a REST based HTTPS service was
   deployed that:

   o  Provides for a secure authenticated mechanism to update zone data
      (NS and DS records)

   o  Provides a well-formed data structure for both the IN-ADDR.ARPA
      and IP6.ARPA zones

   o  Allows for "out of band" acknowledgement and notification of
      updates

3.  Implementation

   The implemented system allows the entity responsible for its rDNS
   delegations to effect changes in the reverse DNS zones IN-ADDR.ARPA
   and IP6.ARPA by submitting an XML document to an atomic RESTful
   service via a HTTPS [RFC2818] connection.  In this service the HTTPS
   layer provides the end-to-end security of the transaction and it
   further provides authentication by use of mandatory X.509 [RFC5280]
   client certificates with a known server certificate issued by a
   Certificate Authority administered by the service operator.

   Certificates for use in this system, issued by the system operator,
   are specific to the entity responsible for the delegations in the
   zone.

   Updates are made to the system by using the HTTP [RFC2616] GET, PUT,
   and DELETE operations over HTTP 1.1 [RFC2616] via HTTPS [RFC2818]
   only.  These operations are sent to a resource Uniform Resource
   Identifier (URI) in the form of:

           https://host.example.org/<ipversion>/<zone>

   A synthetic example of an XML document submitted to the deployed
   system might take the following form (including all optional
   attributes) as per the schema in Appendix A.













Manderson               Expires December 24, 2015               [Page 3]

Internet-Draft              Abbreviated Title                  June 2015


   <zone xmlns="http://download.research.icann.org/rdns/1.1"
     name="10.in-addr.arpa" cust="IANA" ipversion="ipv4"
     version="1.1" modified="2012-01-18T01:00:06"
     state="active" href="https://host.example.org/ipv4/10">
     <nserver>
       <fqdn>BLACKHOLE-1.IANA.ORG.</fqdn>
     </nserver>
     <nserver>
       <fqdn>BLACKHOLE-2.IANA.ORG.</fqdn>
     </nserver>
     <ds>
       <rdata>33682 5 1 ea8afb5fce7caf381ab101039</rdata>
     </ds>
     <ds>
       <rdata>33682 5 2 7d44874f1d93aaceb793a88001739a</rdata>
     </ds>
   </zone>

   When PUT and DELETE operations are used, the well formed XML is
   required to be sent with the appropriate content-length headers.  The
   GET operation requires only the URI.

   One requirement of the system was to allow the separation of update
   and approval with an out of band notification mechanism.  When such
   options are configured for a customer of the service, submitted
   updates may be queued for later approval.  When a customer has queued
   updates pending approval, the customer may submit a GET request to
   retrieve either an individual entry, or a full listing of all queued
   entries.

   To fetch a listing of the customer's queue the customer would GET a
   URI in the form of:

           https://host.example.org/queuelist

   To fetch an individual queue entry the customer would GET the
   canonical URL (as per the schema) for this queue record:

           https://host.example.org/queue/<identifier>

   Were <identifier> is a system generated and system specific value
   that identifies this particular queue entry.  All XML returned from
   from queue based operations ('queue' and 'queuelist') would return an
   XML document following the specification in Appendix B.  A synthetic
   example from a GET of 'queuelist' would be:






Manderson               Expires December 24, 2015               [Page 4]

Internet-Draft              Abbreviated Title                  June 2015


   <queuelist xmlns="http://download.research.icann.org/rq/1.0"
    version="1.0">
    <queue xmlns="http://download.research.icann.org/rq/1.0"
     name="10.in-addr.arpa" cust="IANA" ipversion="ipv4"
     version="1.0" submitted="2013-01-11T05:22:15"
     state="pending" method="PUT"
     ack="https://host.example.org/ack/25a531f50e5ba45"
     href="https://host.example.org/queue/25a531f50e5ba45">
     <nserver>
       <fqdn>BLACKHOLE-1.IANA.ORG.</fqdn>
     </nserver>
     <nserver>
       <fqdn>BLACKHOLE-2.IANA.ORG.</fqdn>
     </nserver>
     <ds>
       <rdata>33682 5 1 ea8afb5fce7caf381ab101039</rdata>
     </ds>
     <ds>
       <rdata>33682 5 2 7d44874f1d93aaceb793a88001739a</rdata>
     </ds>
    </queue>
   </queuelist>

4.  IANA Considerations

   This memo includes no request to IANA.  This section may be removed
   by the RFC Editor prior to publication.

5.  Security Considerations

   This document provides an XML schema for facilitating the management
   of reverse DNS delegations in the IN-ADDR.ARPA and IP6.APRA zones.
   The schema itself contains no authentication data and all other
   information contained is considered public data as it is either
   published in DNS, or propagated to other public information sources
   like WHOIS.

   The system which implements this XML schema requires HTTPS to be used
   and also uses known server and client X.509 certificates for
   authentication to protect against message modification, message
   insertion/deletion, man-in-the-middle, and replay attacks.
   Authorisation for which delegations the X.509 certificate
   authentication sessions can affect are out of scope of this document,
   along with any denial of service type attack vectors.







Manderson               Expires December 24, 2015               [Page 5]

Internet-Draft              Abbreviated Title                  June 2015


6.  Acknowledgements

   An XML schema was initially provided by APNIC, however necessity
   required a branch and as such a new namespace and schema has been
   created.  Recognition goes to APNIC for prior efforts in this area.

   The author acknowledges feedback from a collective made up of various
   RIR technical folk, however heartfelt thanks goes to Anand Buddhdev
   of the RIPE-NCC and Robert Loomans of APNIC for being both alpha and
   beta testers and providing valuable feedback.

7.  References

7.1.  Normative References

   [RFC1034]  Mockapetris, P., "Domain names - concepts and facilities",
              STD 13, RFC 1034, November 1987.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2616]  Fielding, R., Gettys, J., Mogul, J., Frystyk, H.,
              Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext
              Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999.

   [RFC2818]  Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000.

   [RFC3152]  Bush, R., "Delegation of IP6.ARPA", BCP 49, RFC 3152,
              August 2001.

   [RFC4033]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
              Rose, "DNS Security Introduction and Requirements", RFC
              4033, March 2005.

   [RFC4034]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
              Rose, "Resource Records for the DNS Security Extensions",
              RFC 4034, March 2005.

   [RFC5280]  Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
              Housley, R., and W. Polk, "Internet X.509 Public Key
              Infrastructure Certificate and Certificate Revocation List
              (CRL) Profile", RFC 5280, May 2008.

7.2.  Informative References







Manderson               Expires December 24, 2015               [Page 6]

Internet-Draft              Abbreviated Title                  June 2015


   [RELAXNG]  The Organization for the Advancement of Structured
              Information Standards [OASIS], "RELAX NG Compact
              Specification", 2002, <https://www.oasis-
              open.org/committees/relax-ng/compact-20021121.html>.

   [REST]     Fielding, R., "Architectural Styles and the Design of
              Network-based Software Architectures", 2000,
              <http://www.ics.uci.edu/~fielding/pubs/dissertation/
              top.htm>.

Appendix A.  Schema Definition for rDNS updates

   The following Schema, used for PUT, GET, and DELETE operations, is an
   XML document using the RelaxNG Compact [RELAXNG] specification.

   default namespace = "http://download.research.icann.org/rdns/1.1"

   # A document may either be a single zone (update) or
   # a collection of zones (view)
   start = zone | zonelist | zonereflist

   # A list of zone names for view only.
   zonereflist = element zonereflist {
     attribute version {
       xsd:decimal { minInclusive="1.1" fractionDigits="1" }
     },
     zoneref*
   }

   # A bulk list of zones for view only.
   zonelist = element zonelist {
     attribute version {
       xsd:decimal { minInclusive="1.1" fractionDigits="1" }
     },
     zone*
   }

   # A zone reference (accepted by REST engine for query)
   zoneref = element zoneref {
     attribute name { text },
     attribute href { xsd:anyURI }
   }

   # A single zone record
   zone = element zone {
     # The zone record's name, eg 10.in-addr.arpa
     attribute name { text },
     # The customer, optional, it is derived from known state.



Manderson               Expires December 24, 2015               [Page 7]

Internet-Draft              Abbreviated Title                  June 2015


     attribute cust { text }?,
     # The canonical URL for this zone record (optional)
     attribute href { xsd:anyURI }?,
     # The address IP version for the zone record (optional)
     attribute ipversion { "ipv4" | "ipv6" }?,
     # The administrative state of the zone (optional)
     attribute state { "active" | "pending" | "error" }?,
     # The last modified timestamp in UTC (optional)
     attribute modified  { xsd:dateTime }?,
     # The schema version (optional)
     attribute version {
       xsd:decimal { minInclusive="1.1" fractionDigits="1" }
     }?,
     # A zone NS RRset MUST have at least two NS records
     nserver,
     nserver+,
     # It MAY contain some DS records
     ds*
   }

   # DNS-SEC records
   ds = element ds {
     # rdata MUST contain
     #  <Keytag> | <Algorithm> | <Digest type> | <Digest>
     # as per RFC4034
     #
     element rdata { text }
   }


   # A single name server
   nserver = element nserver {
     # An nserver entry MUST contain a DNS FQDN
     # for a NS RR (RFC 1035)
     element fqdn { text }
   }


Appendix B.  Schema Definition for rDNS Queue Entries

   The XML schema definition below, in RelaxNG Compact [RELAXNG] form is
   used for queue interaction operations.

   default namespace = "http://download.research.icann.org/rq/1.0"

   # A document MAY either be a single queue entry
   #  or a collection of queued entries
   start = queue | queuelist



Manderson               Expires December 24, 2015               [Page 8]

Internet-Draft              Abbreviated Title                  June 2015


   # A list of zone names for view only.
   queuelist = element queuelist {
     attribute version {
       xsd:decimal { minInclusive="1.0" fractionDigits="0" }
     },
     queue*
   }

   # A single queued zone record
   queue = element queue {
     # The zone record's name, eg 10.in-addr.arpa
     attribute name { text },
     # The customer, optional, derived from known state.
     attribute cust { text }?,
     # The canonical URL for this queue record (optional)
     attribute href { xsd:anyURI }?,
     # The acknowlgement URL for this queue record (optional)
     attribute ack { xsd:anyURI }?,
     # The address IP version for the zone record (optional)
     attribute ipversion { "ipv4" | "ipv6" }?,
     # The state of the zone (optional, and for a queue
     # SHOULD always be pending)
     attribute state { "pending" }?,
     # The submitted  timestamp (optional)
     attribute submitted  { xsd:dateTime }?,
     # The HTTP method used to update
     attribute method { "PUT" | "DELETE" },
     # The schema version (1.0) (optional)
     attribute version {
       xsd:decimal { minInclusive="1.0" fractionDigits="1" }
     }?,
     # A zone NS RRset must have at least two NS records
     nserver,
     nserver+,
     # It MAY contain some DS records
     ds*
   }

   # DNS-SEC records
   ds = element ds {
     # rdata MUST contain  Flags | Protocol | Algorithm | Public Key
     # as per RFC4034
     #
     element rdata { text }
   }

   # A single name server
   nserver = element nserver {



Manderson               Expires December 24, 2015               [Page 9]

Internet-Draft              Abbreviated Title                  June 2015


     # An nserver entry MUST contain a DNS FQDN
     # for a NS RR (RFC 1035)
     element fqdn { text }
   }



Author's Address

   Terry Manderson
   ICANN

   Email: terry.manderson@icann.org






































Manderson               Expires December 24, 2015              [Page 10]