diff --git a/doc/draft/draft-ietf-dnsext-dnssec-experiments-00.txt b/doc/draft/draft-ietf-dnsext-dnssec-experiments-01.txt similarity index 68% rename from doc/draft/draft-ietf-dnsext-dnssec-experiments-00.txt rename to doc/draft/draft-ietf-dnsext-dnssec-experiments-01.txt index 6c897b92b1..ee03583a13 100644 --- a/doc/draft/draft-ietf-dnsext-dnssec-experiments-00.txt +++ b/doc/draft/draft-ietf-dnsext-dnssec-experiments-01.txt @@ -1,26 +1,25 @@ -Network Working Group D. Blacka + +DNSEXT D. Blacka Internet-Draft Verisign, Inc. -Expires: August 3, 2005 February 2, 2005 +Expires: January 19, 2006 July 18, 2005 DNSSEC Experiments - draft-ietf-dnsext-dnssec-experiments-00 + draft-ietf-dnsext-dnssec-experiments-01 Status of this Memo - This document is an Internet-Draft and is subject to all provisions - of section 3 of RFC 3667. By submitting this Internet-Draft, each - author represents that any applicable patent or other IPR claims of - which he or she is aware have been or will be disclosed, and any of - which he or she become aware will be disclosed, in accordance with - RFC 3668. + By submitting this Internet-Draft, each author represents that any + applicable patent or other IPR claims of which he or she is aware + have been or will be disclosed, and any of which he or she becomes + aware will be disclosed, in accordance with Section 6 of BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that - other groups may also distribute working documents as - Internet-Drafts. + other groups may also distribute working documents as Internet- + Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any @@ -33,7 +32,7 @@ Status of this Memo The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. - This Internet-Draft will expire on August 3, 2005. + This Internet-Draft will expire on January 19, 2006. Copyright Notice @@ -41,20 +40,21 @@ Copyright Notice Abstract - In the long history of the development of the DNS security [1] - extensions (DNSSEC), a number of alternate methodologies and - modifications have been proposed and rejected for practical, rather - than strictly technical, reasons. There is a desire to be able to - experiment with these alternate methods in the public DNS. This - document describes a methodology for deploying alternate, - non-backwards-compatible, DNSSEC methodologies in an experimental - fashion without disrupting the deployment of standard DNSSEC. + In the long history of the development of the DNS security extensions + [1] (DNSSEC), a number of alternate methodologies and modifications + have been proposed and rejected for practical, rather than strictly + technical, reasons. There is a desire to be able to experiment with + these alternate methods in the public DNS. This document describes a + methodology for deploying alternate, non-backwards-compatible, DNSSEC + methodologies in an experimental fashion without disrupting the + deployment of standard DNSSEC. -Blacka Expires August 3, 2005 [Page 1] + +Blacka Expires January 19, 2006 [Page 1] -Internet-Draft DNSSEC Experiments February 2005 +Internet-Draft DNSSEC Experiments July 2005 Table of Contents @@ -69,11 +69,10 @@ Table of Contents 8. Security Considerations . . . . . . . . . . . . . . . . . . 11 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . 12 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 13 - 10.1 Normative References . . . . . . . . . . . . . . . . . . . 13 - 10.2 Informative References . . . . . . . . . . . . . . . . . . 13 - Editorial Comments . . . . . . . . . . . . . . . . . . . . . 14 - Author's Address . . . . . . . . . . . . . . . . . . . . . . 14 - Intellectual Property and Copyright Statements . . . . . . . 15 + 10.1 Normative References . . . . . . . . . . . . . . . . . . 13 + 10.2 Informative References . . . . . . . . . . . . . . . . . 13 + Author's Address . . . . . . . . . . . . . . . . . . . . . . 13 + Intellectual Property and Copyright Statements . . . . . . . 14 @@ -108,9 +107,10 @@ Table of Contents -Blacka Expires August 3, 2005 [Page 2] + +Blacka Expires January 19, 2006 [Page 2] -Internet-Draft DNSSEC Experiments February 2005 +Internet-Draft DNSSEC Experiments July 2005 1. Definitions and Terminology @@ -164,9 +164,9 @@ Internet-Draft DNSSEC Experiments February 2005 -Blacka Expires August 3, 2005 [Page 3] +Blacka Expires January 19, 2006 [Page 3] -Internet-Draft DNSSEC Experiments February 2005 +Internet-Draft DNSSEC Experiments July 2005 2. Overview @@ -176,12 +176,12 @@ Internet-Draft DNSSEC Experiments February 2005 introduce non-backwards-compatible changes to DNSSEC, and to try these changes on real zones in the public DNS. This creates a problem when the change to DNSSEC would make all or part of the zone - using those changes appear bogus or otherwise broken to existing - DNSSEC-aware resolvers. + using those changes appear bogus (bad) or otherwise broken to + existing DNSSEC-aware resolvers. This document describes a standard methodology for setting up public - DNSSEC experiments. This methodology addresses the issue of - co-existence with standard DNSSEC and DNS by using unknown algorithm + DNSSEC experiments. This methodology addresses the issue of co- + existence with standard DNSSEC and DNS by using unknown algorithm identifiers to hide the experimental DNSSEC protocol modifications from standard DNSSEC-aware resolvers. @@ -220,9 +220,9 @@ Internet-Draft DNSSEC Experiments February 2005 -Blacka Expires August 3, 2005 [Page 4] +Blacka Expires January 19, 2006 [Page 4] -Internet-Draft DNSSEC Experiments February 2005 +Internet-Draft DNSSEC Experiments July 2005 3. Experiments @@ -234,6 +234,7 @@ Internet-Draft DNSSEC Experiments February 2005 strictly adhering to the DNSSEC standard, are nonetheless interoperable with clients and server that do implement the DNSSEC standard. + Non-Backwards-Compatible: describes experiments that would cause a standard DNSSEC-aware resolver to (incorrectly) determine that all or part of a zone is bogus, or to otherwise not interoperable with @@ -275,18 +276,17 @@ Internet-Draft DNSSEC Experiments February 2005 - -Blacka Expires August 3, 2005 [Page 5] +Blacka Expires January 19, 2006 [Page 5] -Internet-Draft DNSSEC Experiments February 2005 +Internet-Draft DNSSEC Experiments July 2005 4. Method - The core of the methodology is the use of only "unknown" algorithms - to sign the experimental zone, and more importantly, having only - unknown algorithm DS records for the delegation to the zone at the - parent. + The core of the methodology is the use of strictly "unknown" + algorithms to sign the experimental zone, and more importantly, + having only unknown algorithm DS records for the delegation to the + zone at the parent. This technique works because of the way DNSSEC-compliant validators are expected to work in the presence of a DS set with only unknown @@ -311,32 +311,34 @@ Internet-Draft DNSSEC Experiments February 2005 more to the point, it will not violate this behavior in an unsafe way (see below (Section 6).) - Because we are talking about experiments, it is recommended that - private algorithm numbers be used (see [2], appendix A.1.1 - [Comment.1].) Normally, instead of actually inventing new signing - algorithms, the recommended path is to create alternate algorithm - identifiers that are aliases for the existing, known algorithms. - While, strictly speaking, it is only necessary to create an alternate - identifier for the mandatory algorithms (currently, this is only - algorithm 5, RSASHA1), it is RECOMMENDED that all OPTIONAL defined - algorithms be aliased as well. + Because we are talking about experiments, it is RECOMMENDED that + private algorithm numbers be used (see [2], appendix A.1.1. Note + that secure handling of private algorithms requires special handing + by the validator logic. See [6] for futher details.) Normally, + instead of actually inventing new signing algorithms, the recommended + path is to create alternate algorithm identifiers that are aliases + for the existing, known algorithms. While, strictly speaking, it is + only necessary to create an alternate identifier for the mandatory + algorithms, it is RECOMMENDED that all OPTIONAL defined algorithms be + aliased as well. It is RECOMMENDED that for a particular DNSSEC experiment, a particular domain name base is chosen for all new algorithms, then the algorithm number (or name) is prepended to it. For example, for experiment A, the base name of "dnssec-experiment-a.example.com" is chosen. Then, aliases for algorithms 3 (DSA) and 5 (RSASHA1) are - defined to be "3.dnssec-experiment-a.example.com" and - "5.dnssec-experiment-a.example.com". However, any unique identifier - will suffice. + defined to be "3.dnssec-experiment-a.example.com" and "5.dnssec- + experiment-a.example.com". However, any unique identifier will -Blacka Expires August 3, 2005 [Page 6] +Blacka Expires January 19, 2006 [Page 6] -Internet-Draft DNSSEC Experiments February 2005 +Internet-Draft DNSSEC Experiments July 2005 + suffice. + Using this method, resolvers (or, more specificially, DNSSEC validators) essentially indicate their ability to understand the DNSSEC experiment's semantics by understanding what the new algorithm @@ -348,6 +350,10 @@ Internet-Draft DNSSEC Experiments February 2005 experimental semantics), and servers and resolvers that are unware of the experiment. + This method also precludes any zone from being both in an experiment + and in a classic DNSSEC island of security. That is, a zone is + either in an experiment and only experimentally validatable, or it + isn't. @@ -382,15 +388,9 @@ Internet-Draft DNSSEC Experiments February 2005 - - - - - - -Blacka Expires August 3, 2005 [Page 7] +Blacka Expires January 19, 2006 [Page 7] -Internet-Draft DNSSEC Experiments February 2005 +Internet-Draft DNSSEC Experiments July 2005 5. Defining an Experiment @@ -402,7 +402,7 @@ Internet-Draft DNSSEC Experiments February 2005 this will be a mapping of private algorithm identifiers to existing, known algorithms. - Typically, the experiment will choose a DNS name as the algorithm + Normally the experiment will choose a DNS name as the algorithm identifier base. This DNS name SHOULD be under the control of the authors of the experiment. Then the experiment will define a mapping between known mandatory and optional algorithms into this private @@ -422,8 +422,7 @@ Internet-Draft DNSSEC Experiments February 2005 In general, however, resolvers involved in the experiment are expected to understand both standard DNSSEC and the defined - experimental DNSSEC protocol, although this isn't, strictly speaking, - required. + experimental DNSSEC protocol, although this isn't required. @@ -444,9 +443,10 @@ Internet-Draft DNSSEC Experiments February 2005 -Blacka Expires August 3, 2005 [Page 8] + +Blacka Expires January 19, 2006 [Page 8] -Internet-Draft DNSSEC Experiments February 2005 +Internet-Draft DNSSEC Experiments July 2005 6. Considerations @@ -460,7 +460,8 @@ Internet-Draft DNSSEC Experiments February 2005 conclude that the response is bogus, either due to local policy or implementation details. This is not expected to be the common case, however. - 2. It will, in general, not be possible for DNSSEC-aware resolvers + + 2. In general, it will not be possible for DNSSEC-aware resolvers not aware of the experiment to build a chain of trust through an experimental zone. @@ -499,10 +500,9 @@ Internet-Draft DNSSEC Experiments February 2005 - -Blacka Expires August 3, 2005 [Page 9] +Blacka Expires January 19, 2006 [Page 9] -Internet-Draft DNSSEC Experiments February 2005 +Internet-Draft DNSSEC Experiments July 2005 7. Transitions @@ -556,9 +556,9 @@ Internet-Draft DNSSEC Experiments February 2005 -Blacka Expires August 3, 2005 [Page 10] +Blacka Expires January 19, 2006 [Page 10] -Internet-Draft DNSSEC Experiments February 2005 +Internet-Draft DNSSEC Experiments July 2005 8. Security Considerations @@ -612,9 +612,9 @@ Internet-Draft DNSSEC Experiments February 2005 -Blacka Expires August 3, 2005 [Page 11] +Blacka Expires January 19, 2006 [Page 11] -Internet-Draft DNSSEC Experiments February 2005 +Internet-Draft DNSSEC Experiments July 2005 9. IANA Considerations @@ -668,27 +668,26 @@ Internet-Draft DNSSEC Experiments February 2005 -Blacka Expires August 3, 2005 [Page 12] +Blacka Expires January 19, 2006 [Page 12] -Internet-Draft DNSSEC Experiments February 2005 +Internet-Draft DNSSEC Experiments July 2005 10. References 10.1 Normative References - [1] Arends, R., Austein, R., Massey, D., Larson, M. and S. Rose, - "DNS Security Introduction and Requirements", - draft-ietf-dnsext-dnssec-intro-13 (work in progress), October - 2004. + [1] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, + "DNS Security Introduction and Requirements", RFC 4033, + March 2005. - [2] Arends, R., "Resource Records for the DNS Security Extensions", - draft-ietf-dnsext-dnssec-records-11 (work in progress), October - 2004. + [2] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, + "Resource Records for the DNS Security Extensions", RFC 4034, + March 2005. - [3] Arends, R., "Protocol Modifications for the DNS Security - Extensions", draft-ietf-dnsext-dnssec-protocol-09 (work in - progress), October 2004. + [3] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, + "Protocol Modifications for the DNS Security Extensions", + RFC 4035, March 2005. 10.2 Informative References @@ -698,43 +697,9 @@ Internet-Draft DNSSEC Experiments February 2005 [5] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. - - - - - - - - - - - - - - - - - - - - - - - - - - -Blacka Expires August 3, 2005 [Page 13] - -Internet-Draft DNSSEC Experiments February 2005 - - -Editorial Comments - - [Comment.1] Note: how private algorithms work in DNSSEC is not well - explained in the DNSSECbis RFCs. In particular, how to - validate that the DS records contain only unknown - algorithms is not explained at all. + [6] Weiler, S., "Clarifications and Implementation Notes for + DNSSECbis", draft-weiler-dnsext-dnssec-bis-updates-00 (work in + progress), March 2005. Author's Address @@ -746,7 +711,7 @@ Author's Address US Phone: +1 703 948 3200 - EMail: davidb@verisign.com + Email: davidb@verisign.com URI: http://www.verisignlabs.com @@ -759,30 +724,9 @@ Author's Address - - - - - - - - - - - - - - - - - - - - - -Blacka Expires August 3, 2005 [Page 14] +Blacka Expires January 19, 2006 [Page 13] -Internet-Draft DNSSEC Experiments February 2005 +Internet-Draft DNSSEC Experiments July 2005 Intellectual Property Statement @@ -836,6 +780,5 @@ Acknowledgment -Blacka Expires August 3, 2005 [Page 15] +Blacka Expires January 19, 2006 [Page 14] - diff --git a/doc/draft/draft-ietf-dnsext-dnssec-opt-in-06.txt b/doc/draft/draft-ietf-dnsext-dnssec-opt-in-07.txt similarity index 71% rename from doc/draft/draft-ietf-dnsext-dnssec-opt-in-06.txt rename to doc/draft/draft-ietf-dnsext-dnssec-opt-in-07.txt index c4103183d5..17e28e8286 100644 --- a/doc/draft/draft-ietf-dnsext-dnssec-opt-in-06.txt +++ b/doc/draft/draft-ietf-dnsext-dnssec-opt-in-07.txt @@ -1,29 +1,28 @@ + DNSEXT R. Arends Internet-Draft Telematica Instituut -Expires: August 4, 2005 M. Kosters +Expires: January 19, 2006 M. Kosters D. Blacka Verisign, Inc. - February 3, 2005 + July 18, 2005 DNSSEC Opt-In - draft-ietf-dnsext-dnssec-opt-in-06 + draft-ietf-dnsext-dnssec-opt-in-07 Status of this Memo - This document is an Internet-Draft and is subject to all provisions - of section 3 of RFC 3667. By submitting this Internet-Draft, each - author represents that any applicable patent or other IPR claims of - which he or she is aware have been or will be disclosed, and any of - which he or she become aware will be disclosed, in accordance with - RFC 3668. + By submitting this Internet-Draft, each author represents that any + applicable patent or other IPR claims of which he or she is aware + have been or will be disclosed, and any of which he or she becomes + aware will be disclosed, in accordance with Section 6 of BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that - other groups may also distribute working documents as - Internet-Drafts. + other groups may also distribute working documents as Internet- + Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any @@ -36,7 +35,7 @@ Status of this Memo The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. - This Internet-Draft will expire on August 4, 2005. + This Internet-Draft will expire on January 19, 2006. Copyright Notice @@ -44,49 +43,48 @@ Copyright Notice Abstract - In the DNS security extensions (DNSSEC, defined in RFC 2535bis, [3], - [4], and [5]), delegations to unsigned subzones are cryptographically - secured. Maintaining this cryptography is not practical or - necessary. This document describes an experimental "Opt-In" model - that allows administrators to omit this cryptography and manage the + In the DNS security extensions (DNSSEC, defined in RFC 4033 [3], RFC + 4034 [4], and RFC 4035 [5]), delegations to unsigned subzones are + cryptographically secured. Maintaining this cryptography is not + practical or necessary. This document describes an experimental + "Opt-In" model that allows administrators to omit this cryptography + and manage the cost of adopting DNSSEC with large zones. -Arends, et al. Expires August 4, 2005 [Page 1] +Arends, et al. Expires January 19, 2006 [Page 1] -Internet-Draft DNSSEC Opt-In February 2005 +Internet-Draft DNSSEC Opt-In July 2005 - cost of adopting DNSSEC with large zones. - Table of Contents 1. Definitions and Terminology . . . . . . . . . . . . . . . . . 3 - 2. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 - 3. Experimental Status . . . . . . . . . . . . . . . . . . . . . 5 - 4. Protocol Additions . . . . . . . . . . . . . . . . . . . . . . 6 - 4.1 Server Considerations . . . . . . . . . . . . . . . . . . 7 - 4.1.1 Delegations Only . . . . . . . . . . . . . . . . . . . 7 - 4.1.2 Insecure Delegation Responses . . . . . . . . . . . . 7 - 4.1.3 Wildcards and Opt-In . . . . . . . . . . . . . . . . . 7 - 4.1.4 Dynamic Update . . . . . . . . . . . . . . . . . . . . 8 - 4.2 Client Considerations . . . . . . . . . . . . . . . . . . 8 - 4.2.1 Delegations Only . . . . . . . . . . . . . . . . . . . 8 - 4.2.2 Validation Process Changes . . . . . . . . . . . . . . 8 - 4.2.3 NSEC Record Caching . . . . . . . . . . . . . . . . . 9 - 4.2.4 Use of the AD bit . . . . . . . . . . . . . . . . . . 9 - 5. Benefits . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 - 6. Example . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 - 7. Transition Issues . . . . . . . . . . . . . . . . . . . . . . 13 - 8. Security Considerations . . . . . . . . . . . . . . . . . . . 14 - 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16 - 10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . 17 - 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 18 - 11.1 Normative References . . . . . . . . . . . . . . . . . . . . 18 - 11.2 Informative References . . . . . . . . . . . . . . . . . . . 18 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 19 - A. Implementing Opt-In using "Views" . . . . . . . . . . . . . . 20 - Intellectual Property and Copyright Statements . . . . . . . . 21 + 2. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 + 3. Experimental Status . . . . . . . . . . . . . . . . . . . . . 4 + 4. Protocol Additions . . . . . . . . . . . . . . . . . . . . . . 4 + 4.1 Server Considerations . . . . . . . . . . . . . . . . . . 5 + 4.1.1 Delegations Only . . . . . . . . . . . . . . . . . . . 5 + 4.1.2 Insecure Delegation Responses . . . . . . . . . . . . 6 + 4.1.3 Wildcards and Opt-In . . . . . . . . . . . . . . . . . 6 + 4.1.4 Dynamic Update . . . . . . . . . . . . . . . . . . . . 7 + 4.2 Client Considerations . . . . . . . . . . . . . . . . . . 7 + 4.2.1 Delegations Only . . . . . . . . . . . . . . . . . . . 7 + 4.2.2 Validation Process Changes . . . . . . . . . . . . . . 7 + 4.2.3 NSEC Record Caching . . . . . . . . . . . . . . . . . 8 + 4.2.4 Use of the AD bit . . . . . . . . . . . . . . . . . . 8 + 5. Benefits . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 + 6. Example . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 + 7. Transition Issues . . . . . . . . . . . . . . . . . . . . . . 10 + 8. Security Considerations . . . . . . . . . . . . . . . . . . . 11 + 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12 + 10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . 12 + 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 13 + 11.1 Normative References . . . . . . . . . . . . . . . . . . . 13 + 11.2 Informative References . . . . . . . . . . . . . . . . . . 13 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 14 + A. Implementing Opt-In using "Views" . . . . . . . . . . . . . . 14 + Intellectual Property and Copyright Statements . . . . . . . . 16 @@ -108,17 +106,19 @@ Table of Contents -Arends, et al. Expires August 4, 2005 [Page 2] + + +Arends, et al. Expires January 19, 2006 [Page 2] -Internet-Draft DNSSEC Opt-In February 2005 +Internet-Draft DNSSEC Opt-In July 2005 1. Definitions and Terminology Throughout this document, familiarity with the DNS system (RFC 1035 [1]), DNS security extensions ([3], [4], and [5], referred to in this - document as "RFC 2535bis"), and DNSSEC terminology (RFC 3090 [10]) is - assumed. + document as "standard DNSSEC"), and DNSSEC terminology (RFC 3090 + [10]) is assumed. The following abbreviations and terms are used in this document: @@ -151,24 +151,6 @@ Internet-Draft DNSSEC Opt-In February 2005 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY, and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [7]. - - - - - - - - - - - - - -Arends, et al. Expires August 4, 2005 [Page 3] - -Internet-Draft DNSSEC Opt-In February 2005 - - 2. Overview The cost to cryptographically secure delegations to unsigned zones is @@ -179,52 +161,20 @@ Internet-Draft DNSSEC Opt-In February 2005 zones. This document describes an experimental method of eliminating the + + + +Arends, et al. Expires January 19, 2006 [Page 3] + +Internet-Draft DNSSEC Opt-In July 2005 + + superfluous cryptography present in secure delegations to unsigned zones. Using "Opt-In", a zone administrator can choose to remove insecure delegations from the NSEC chain. This is accomplished by extending the semantics of the NSEC record by using a redundant bit in the type map. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Arends, et al. Expires August 4, 2005 [Page 4] - -Internet-Draft DNSSEC Opt-In February 2005 - - 3. Experimental Status This document describes an EXPERIMENTAL extension to DNSSEC. It @@ -234,71 +184,47 @@ Internet-Draft DNSSEC Opt-In February 2005 "3.optin.verisignlabs.com": is an alias for DNSSEC algorithm 3, DSA, and - "4.optin.verisignlabs.com": is an alias for DNSSEC algorithm 5, + "5.optin.verisignlabs.com": is an alias for DNSSEC algorithm 5, RSASHA1. Servers wishing to sign and serve zones that utilize Opt-In MUST sign - the zone with one or more of these private algorithms. This requires - the signing tools and servers to support private algorithms, as well - as Opt-In. + the zone with only one or more of these private algorithms. This + requires the signing tools and servers to support private algorithms, + as well as Opt-In. Resolvers wishing to validate Opt-In zones MUST only do so when the - zone is signed using one or more of these private algorithms. + zone is only signed using one or more of these private algorithms. The remainder of this document assumes that the servers and resolvers involved are aware of and are involved in this experiment. - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Arends, et al. Expires August 4, 2005 [Page 5] - -Internet-Draft DNSSEC Opt-In February 2005 - - 4. Protocol Additions - In RFC 2535bis, delegation NS RRsets are not signed, but are instead - accompanied by a NSEC RRset of the same name and a DS record. The - security status of the subzone is determined by the presence or - absence of the DS RRset, cryptographically proven by the NSEC record. - Opt-In expands this definition by allowing insecure delegations to - exist within an otherwise signed zone without the corresponding NSEC - record at the delegation's owner name. These insecure delegations - are proven insecure by using a covering NSEC record. + In DNSSEC, delegation NS RRsets are not signed, but are instead + accompanied by a NSEC RRset of the same name and (possibly) a DS + record. The security status of the subzone is determined by the + presence or absence of the DS RRset, cryptographically proven by the + NSEC record. Opt-In expands this definition by allowing insecure + delegations to exist within an otherwise signed zone without the + corresponding NSEC record at the delegation's owner name. These + insecure delegations are proven insecure by using a covering NSEC + record. Since this represents a change of the interpretation of NSEC records, - resolvers must be able to distinguish between RFC 2535bis NSEC - records and Opt-In NSEC records. This is accomplished by "tagging" - the NSEC records that cover (or potentially cover) insecure + resolvers must be able to distinguish between RFC standard DNSSEC + NSEC records and Opt-In NSEC records. This is accomplished by + "tagging" the NSEC records that cover (or potentially cover) insecure delegation nodes. This tag is indicated by the absence of the NSEC bit in the type map. Since the NSEC bit in the type map merely indicates the existence of the record itself, this bit is redundant + + + +Arends, et al. Expires January 19, 2006 [Page 4] + +Internet-Draft DNSSEC Opt-In July 2005 + + and safe for use as a tag. An Opt-In tagged NSEC record does not assert the (non)existence of @@ -314,7 +240,7 @@ Internet-Draft DNSSEC Opt-In February 2005 the existence of the delegation. Zones using Opt-In MAY contain a mixture of Opt-In tagged NSEC - records and RFC 2535bis NSEC records. If a NSEC record is not + records and standard DNSSEC NSEC records. If a NSEC record is not Opt-In, there MUST NOT be any insecure delegations (or any other records) between it and the RRsets indicated by the 'next domain name' in the NSEC RDATA. If it is Opt-In, there MUST only be @@ -323,20 +249,13 @@ Internet-Draft DNSSEC Opt-In February 2005 In summary, - o An Opt-In NSEC type is identified by a zero-valued (or - not-specified) NSEC bit in the type bit map of the NSEC record. + o An Opt-In NSEC type is identified by a zero-valued (or not- + specified) NSEC bit in the type bit map of the NSEC record. o A RFC2535bis NSEC type is identified by a one-valued NSEC bit in the type bit map of the NSEC record. and, - - -Arends, et al. Expires August 4, 2005 [Page 6] - -Internet-Draft DNSSEC Opt-In February 2005 - - o An Opt-In NSEC record does not assert the non-existence of a name between its owner name and "next" name, although it does assert that any name in this span MUST be an insecure delegation. @@ -353,46 +272,46 @@ Internet-Draft DNSSEC Opt-In February 2005 between the owner and "next" names of an Opt-In tagged NSEC record. Signing tools SHOULD NOT generate signed zones that violate this restriction. Servers SHOULD refuse to load and/or serve zones that - violate this restriction. + violate this restriction. Servers also SHOULD reject AXFR or IXFR + + + +Arends, et al. Expires January 19, 2006 [Page 5] + +Internet-Draft DNSSEC Opt-In July 2005 + + + responses that violate this restriction. 4.1.2 Insecure Delegation Responses When returning an Opt-In insecure delegation, the server MUST return the covering NSEC RRset in the Authority section. - In RFC 2535bis, NSEC records already must be returned along with the - insecure delegation. The primary difference that this proposal + In standard DNSSEC, NSEC records already must be returned along with + the insecure delegation. The primary difference that this proposal introduces is that the Opt-In tagged NSEC record will have a different owner name from the delegation RRset. This may require - implementations to do a NSEC search on cached responses. + implementations to search for the covering NSEC RRset. 4.1.3 Wildcards and Opt-In - RFC 2535bis describes the practice of returning NSEC records to prove - the non-existence of an applicable wildcard in non-existent name - responses. This NSEC record can be described as a "negative wildcard - proof". The use of Opt-In NSEC records changes the necessity for - this practice. For non-existent name responses when the query name - (qname) is covered by an Opt-In tagged NSEC record, servers MAY - choose to omit the wildcard proof record, and clients MUST NOT treat - the absence of this NSEC record as a validation error. + Standard DNSSEC describes the practice of returning NSEC records to + prove the non-existence of an applicable wildcard in non-existent + name responses. This NSEC record can be described as a "negative + wildcard proof". The use of Opt-In NSEC records changes the + necessity for this practice. For non-existent name responses when + the query name (qname) is covered by an Opt-In tagged NSEC record, + servers MAY choose to omit the wildcard proof record, and clients + MUST NOT treat the absence of this NSEC record as a validation error. - The intent of the RFC 2535bis negative wildcard proof requirement is - to prevent malicious users from undetectably removing valid wildcard - responses. In order for this cryptographic proof to work, the - resolver must be able to prove: + The intent of the standard DNSSEC negative wildcard proof requirement + is to prevent malicious users from undetectably removing valid + wildcard responses. In order for this cryptographic proof to work, + the resolver must be able to prove: 1. The exact qname does not exist. This is done by the "normal" NSEC record. - - - - -Arends, et al. Expires August 4, 2005 [Page 7] - -Internet-Draft DNSSEC Opt-In February 2005 - - 2. No applicable wildcard exists. This is done by returning a NSEC record proving that the wildcard does not exist (this is the negative wildcard proof). @@ -410,6 +329,14 @@ Internet-Draft DNSSEC Opt-In February 2005 The presence of an Opt-In tagged NSEC record does not change the practice of returning a NSEC along with a wildcard expansion. Even + + + +Arends, et al. Expires January 19, 2006 [Page 6] + +Internet-Draft DNSSEC Opt-In July 2005 + + though the Opt-In NSEC will not be able to prove that the wildcard expansion is valid, it will prove that the wildcard expansion is not masking any signed records. @@ -421,7 +348,8 @@ Internet-Draft DNSSEC Opt-In February 2005 add or remove a delegation name from the NSEC chain. This document does not attempt to define these rules. Until these rules are defined, servers MUST NOT process DNS Dynamic Update requests against - zones that use Opt-In NSEC records. + zones that use Opt-In NSEC records. Servers SHOULD return responses + to update requests with RCODE=REFUSED. 4.2 Client Considerations @@ -441,20 +369,12 @@ Internet-Draft DNSSEC Opt-In February 2005 This specification does not change the resolver's resolution algorithm. However, it does change the DNSSEC validation process. Resolvers MUST be able to use Opt-In tagged NSEC records to - - - -Arends, et al. Expires August 4, 2005 [Page 8] - -Internet-Draft DNSSEC Opt-In February 2005 - - cryptographically prove the validity and security status (as insecure) of a referral. Resolvers determine the security status of the referred-to zone as follows: - o In RFC 2535bis, the security status is proven by the existence or - absence of a DS RRset at the same name as the delegation. The + o In standard DNSSEC, the security status is proven by the existence + or absence of a DS RRset at the same name as the delegation. The existence of the DS RRset indicates that the referred-to zone is signed. The absence of the DS RRset is proven using a verified NSEC record of the same name that does not have the DS bit set in @@ -465,9 +385,18 @@ Internet-Draft DNSSEC Opt-In February 2005 record does not have the NSEC bit set in the type map, and the delegation name falls between the NSEC's owner and "next" name. + + + +Arends, et al. Expires January 19, 2006 [Page 7] + +Internet-Draft DNSSEC Opt-In July 2005 + + Using Opt-In does not substantially change the nature of following referrals within DNSSEC. At every delegation point, the resolver - will have cryptographic proof that the subzone is signed or unsigned. + will have cryptographic proof that the referred-to subzone is signed + or unsigned. When receiving either an Opt-In insecure delegation response or a non-existent name response where that name is covered by an Opt-In @@ -478,16 +407,17 @@ Internet-Draft DNSSEC Opt-In February 2005 Caching resolvers MUST be able to retrieve the appropriate covering Opt-In NSEC record when returning referrals that need them. This - requirement differs from RFC 2535bis in that the covering NSEC will - not have the same owner name as the delegation. Some implementations - may have to use new methods for finding these NSEC records. + requirement differs from standard DNSSEC in that the covering NSEC + will not have the same owner name as the delegation. Some + implementations may have to use new methods for finding these NSEC + records. 4.2.4 Use of the AD bit The AD bit, as defined by [2] and [5], MUST NOT be set when: - o sending a non-existent name (NXDOMAIN) response where the covering - NSEC is tagged as Opt-In. + o sending a Name Error (RCODE=3) response where the covering NSEC is + tagged as Opt-In. o sending an Opt-In insecure delegation response, unless the covering (Opt-In) NSEC record's owner name equals the delegation name. @@ -498,13 +428,6 @@ Internet-Draft DNSSEC Opt-In February 2005 or existence of the name. As such, not all data in the response has been cryptographically verified, so the AD bit cannot be set. - - -Arends, et al. Expires August 4, 2005 [Page 9] - -Internet-Draft DNSSEC Opt-In February 2005 - - 5. Benefits Using Opt-In allows administrators of large and/or changing @@ -518,49 +441,16 @@ Internet-Draft DNSSEC Opt-In February 2005 for the addition or removal of insecure delegations without modifying the NSEC record chain. Zones that are frequently updating insecure delegations (e.g., TLDs) can avoid the substantial overhead of - modifying and resigning the affected NSEC records. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Arends, et al. Expires August 4, 2005 [Page 10] +Arends, et al. Expires January 19, 2006 [Page 8] -Internet-Draft DNSSEC Opt-In February 2005 +Internet-Draft DNSSEC Opt-In July 2005 + modifying and resigning the affected NSEC records. + 6. Example Consider the zone EXAMPLE, shown below. This is a zone where all of @@ -574,7 +464,8 @@ Internet-Draft DNSSEC Opt-In February 2005 EXAMPLE. RRSIG NS ... EXAMPLE. DNSKEY ... EXAMPLE. RRSIG DNSKEY ... - EXAMPLE. NSEC FIRST-SECURE.EXAMPLE. SOA NS RRSIG DNSKEY + EXAMPLE. NSEC FIRST-SECURE.EXAMPLE. ( + SOA NS RRSIG DNSKEY ) EXAMPLE. RRSIG NSEC ... FIRST-SECURE.EXAMPLE. A ... @@ -599,24 +490,23 @@ Internet-Draft DNSSEC Opt-In February 2005 NS.UNSIGNED.EXAMPLE. A ... - In this example, a query for a signed RRset (e.g., - "FIRST-SECURE.EXAMPLE A"), or a secure delegation - ("WWW.SECOND-SECURE.EXAMPLE A") will result in a normal RFC 2535bis - response. + In this example, a query for a signed RRset (e.g., "FIRST- + SECURE.EXAMPLE A"), or a secure delegation ("WWW.SECOND- + SECURE.EXAMPLE A") will result in a standard DNSSEC response. A query for a nonexistent RRset will result in a response that - differs from RFC 2535bis by: the NSEC record will be tagged as + differs from standard DNSSEC by: the NSEC record will be tagged as Opt-In, there may be no NSEC record proving the non-existence of a - matching wildcard record, and the AD bit will not be set. - -Arends, et al. Expires August 4, 2005 [Page 11] +Arends, et al. Expires January 19, 2006 [Page 9] -Internet-Draft DNSSEC Opt-In February 2005 +Internet-Draft DNSSEC Opt-In July 2005 + matching wildcard record, and the AD bit will not be set. + A query for an insecure delegation RRset (or a referral) will return both the answer (in the Authority section) and the corresponding Opt-In NSEC record to prove that it is not secure. @@ -636,7 +526,7 @@ Internet-Draft DNSSEC Opt-In February 2005 Additional Section: NS.UNSIGNED.EXAMPLE. A ... - In the Example A.1 zone, the EXAMPLE. node MAY use either style of + In the Example A.1 zone, the EXAMPLE. node MAY use either style of NSEC record, because there are no insecure delegations that occur between it and the next node, FIRST-SECURE.EXAMPLE. In other words, Example A would still be a valid zone if the NSEC record for EXAMPLE. @@ -645,90 +535,45 @@ Internet-Draft DNSSEC Opt-In February 2005 EXAMPLE. NSEC FIRST-SECURE.EXAMPLE. (SOA NS RRSIG DNSKEY NSEC ) - However, the other NSEC records (FIRST-SECURE.EXAMPLE. and - SECOND-SECURE.EXAMPLE.) MUST be tagged as Opt-In because there are - insecure delegations in the range they define. (NOT-SECURE.EXAMPLE. - and UNSIGNED.EXAMPLE., respectively). - - NOT-SECURE-2.EXAMPLE. is an example of an insecure delegation that - is part of the NSEC chain and also covered by an Opt-In tagged NSEC - record. Because NOT-SECURE-2.EXAMPLE. is a signed name, it cannot - be removed from the zone without modifying and resigning the prior - NSEC record. Delegations with names that fall between - NOT-SECURE-2.EXAMPLE. and SECOND-SECURE.EXAMPLE. may be added or - removed without resigning any NSEC records. - - - - - - - - - - - -Arends, et al. Expires August 4, 2005 [Page 12] - -Internet-Draft DNSSEC Opt-In February 2005 + However, the other NSEC records (FIRST-SECURE.EXAMPLE. and SECOND- + SECURE.EXAMPLE.) MUST be tagged as Opt-In because there are insecure + delegations in the range they define. (NOT-SECURE.EXAMPLE. and + UNSIGNED.EXAMPLE., respectively). + NOT-SECURE-2.EXAMPLE. is an example of an insecure delegation that is + part of the NSEC chain and also covered by an Opt-In tagged NSEC + record. Because NOT-SECURE-2.EXAMPLE. is a signed name, it cannot be + removed from the zone without modifying and resigning the prior NSEC + record. Delegations with names that fall between NOT-SECURE- + 2.EXAMPLE. and SECOND-SECURE.EXAMPLE. may be added or removed without + resigning any NSEC records. 7. Transition Issues - Opt-In is not backwards compatible with RFC 2535bis. RFC 2535bis - compliant DNSSEC implementations will not recognize Opt-In tagged - NSEC records as different from RFC 2535bis NSEC records. Because of - this, RFC 2535bis implementations will reject all Opt-In insecure - delegations within a zone as invalid. + Opt-In is not backwards compatible with standard DNSSEC and is + considered experimental. Standard DNSSEC compliant implementations + would not recognize Opt-In tagged NSEC records as different from - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Arends, et al. Expires August 4, 2005 [Page 13] +Arends, et al. Expires January 19, 2006 [Page 10] -Internet-Draft DNSSEC Opt-In February 2005 +Internet-Draft DNSSEC Opt-In July 2005 + standard NSEC records. Because of this, standard DNSSEC + implementations, if they were to validate Opt-In style responses, + would reject all Opt-In insecure delegations within a zone as + invalid. However, by only signing with private algorithms, standard + DNSSEC implementations will treat Opt-In responses as unsigned. + + It should be noted that all elements in the resolution path between + (and including) the validator and the authoritative name server must + be aware of the Opt-In experiment and implement the Opt-In semantics + for successful validation to be possible. In particular, this + includes any caching middleboxes between the validator and + authoritative name server. + 8. Security Considerations Opt-In allows for unsigned names, in the form of delegations to @@ -740,7 +585,7 @@ Internet-Draft DNSSEC Opt-In February 2005 o Records with unsigned names (whether existing or not) suffer from the same vulnerabilities as records in an unsigned zone. These - vulnerabilites are described in more detail in [12] (note in + vulnerabilities are described in more detail in [12] (note in particular sections 2.3, "Name Games" and 2.6, "Authenticated Denial"). o Records with signed names have the same security whether or not @@ -767,22 +612,9 @@ Internet-Draft DNSSEC Opt-In February 2005 - - - - - - - - - - - - - -Arends, et al. Expires August 4, 2005 [Page 14] +Arends, et al. Expires January 19, 2006 [Page 11] -Internet-Draft DNSSEC Opt-In February 2005 +Internet-Draft DNSSEC Opt-In July 2005 Example S.1: Response to query for WWW.DOES-NOT-EXIST.EXAMPLE. A @@ -801,7 +633,7 @@ Internet-Draft DNSSEC Opt-In February 2005 The resolver would have no choice but to believe that the referral to - NS.FORGED. is valid. If a wildcard existed that would have been + NS.FORGED. is valid. If a wildcard existed that would have been expanded to cover "WWW.DOES-NOT-EXIST.EXAMPLE.", an attacker could have undetectably removed it and replaced it with the forged delegation. @@ -817,86 +649,10 @@ Internet-Draft DNSSEC Opt-In February 2005 In particular, zone signing tools SHOULD NOT default to Opt-In, and MAY choose to not support Opt-In at all. - - - - - - - - - - - - - - - - - - - -Arends, et al. Expires August 4, 2005 [Page 15] - -Internet-Draft DNSSEC Opt-In February 2005 - - 9. IANA Considerations None. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Arends, et al. Expires August 4, 2005 [Page 16] - -Internet-Draft DNSSEC Opt-In February 2005 - - 10. Acknowledgments The contributions, suggestions and remarks of the following persons @@ -907,54 +663,16 @@ Internet-Draft DNSSEC Opt-In February 2005 Dan Massey, Scott Rose, Mike Schiraldi, Jakob Schlyter, Brian Wellington. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Arends, et al. Expires August 4, 2005 [Page 17] - -Internet-Draft DNSSEC Opt-In February 2005 - - 11. References + + + +Arends, et al. Expires January 19, 2006 [Page 12] + +Internet-Draft DNSSEC Opt-In July 2005 + + 11.1 Normative References [1] Mockapetris, P., "Domain names - implementation and @@ -963,22 +681,21 @@ Internet-Draft DNSSEC Opt-In February 2005 [2] Wellington, B. and O. Gudmundsson, "Redefinition of DNS Authenticated Data (AD) bit", RFC 3655, November 2003. - [3] Arends, R., Austein, R., Massey, D., Larson, M. and S. Rose, - "DNS Security Introduction and Requirements", - draft-ietf-dnsext-dnssec-intro-13 (work in progress), October - 2004. + [3] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, + "DNS Security Introduction and Requirements", RFC 4033, + March 2005. - [4] Arends, R., "Resource Records for the DNS Security Extensions", - draft-ietf-dnsext-dnssec-records-11 (work in progress), October - 2004. + [4] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, + "Resource Records for the DNS Security Extensions", RFC 4034, + March 2005. - [5] Arends, R., "Protocol Modifications for the DNS Security - Extensions", draft-ietf-dnsext-dnssec-protocol-09 (work in - progress), October 2004. + [5] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, + "Protocol Modifications for the DNS Security Extensions", + RFC 4035, March 2005. [6] Blacka, D., "DNSSEC Experiments", - draft-blacka-dnssec-experiments-00 (work in progress), December - 2004. + draft-ietf-dnsext-dnssec-experiments-01 (work in progress), + July 2005. 11.2 Informative References @@ -988,8 +705,8 @@ Internet-Draft DNSSEC Opt-In February 2005 [8] Elz, R. and R. Bush, "Clarifications to the DNS Specification", RFC 2181, July 1997. - [9] Eastlake, D., "Secure Domain Name System Dynamic Update", RFC - 2137, April 1997. + [9] Eastlake, D., "Secure Domain Name System Dynamic Update", + RFC 2137, April 1997. [10] Lewis, E., "DNS Security Extension Clarification on Zone Status", RFC 3090, March 2001. @@ -1004,9 +721,12 @@ Internet-Draft DNSSEC Opt-In February 2005 -Arends, et al. Expires August 4, 2005 [Page 18] + + + +Arends, et al. Expires January 19, 2006 [Page 13] -Internet-Draft DNSSEC Opt-In February 2005 +Internet-Draft DNSSEC Opt-In July 2005 Authors' Addresses @@ -1017,7 +737,7 @@ Authors' Addresses 7522 NB Enschede NL - EMail: roy.arends@telin.nl + Email: roy.arends@telin.nl Mark Kosters @@ -1027,7 +747,7 @@ Authors' Addresses US Phone: +1 703 948 3200 - EMail: markk@verisign.com + Email: markk@verisign.com URI: http://www.verisignlabs.com @@ -1038,33 +758,9 @@ Authors' Addresses US Phone: +1 703 948 3200 - EMail: davidb@verisign.com + Email: davidb@verisign.com URI: http://www.verisignlabs.com - - - - - - - - - - - - - - - - - - - -Arends, et al. Expires August 4, 2005 [Page 19] - -Internet-Draft DNSSEC Opt-In February 2005 - - Appendix A. Implementing Opt-In using "Views" In many cases, it may be convenient to implement an Opt-In zone by @@ -1081,6 +777,14 @@ Appendix A. Implementing Opt-In using "Views" In addition, the only RRsets that may solely exist in the insecure view are non-zone-apex NS RRsets. That is, all non-NS RRsets (and + + + +Arends, et al. Expires January 19, 2006 [Page 14] + +Internet-Draft DNSSEC Opt-In July 2005 + + the zone apex NS RRset) MUST be signed and in the secure view. These two views may be combined at request time to provide a virtual, @@ -1116,9 +820,25 @@ Appendix A. Implementing Opt-In using "Views" -Arends, et al. Expires August 4, 2005 [Page 20] + + + + + + + + + + + + + + + + +Arends, et al. Expires January 19, 2006 [Page 15] -Internet-Draft DNSSEC Opt-In February 2005 +Internet-Draft DNSSEC Opt-In July 2005 Intellectual Property Statement @@ -1172,6 +892,5 @@ Acknowledgment -Arends, et al. Expires August 4, 2005 [Page 21] +Arends, et al. Expires January 19, 2006 [Page 16] -