Clarifications and Implementation Notes for DNSSECbis
SPARTA, Inc.
7110 Samuel Morse Drive
Columbia, Maryland
21046
US
weiler@tislabs.com
VeriSign, Inc.
21345 Ridgetop Circle
Dulles
VA
20166
US
davidb@verisign.com
DNSSEC
This document is a collection of technical clarifications to
the DNSSECbis document set. It is meant to serve as a resource
to implementors as well as a repository of DNSSECbis errata.
This document lists some additions, clarifications and
corrections to the core DNSSECbis specification, as originally
described in , ,
and .
It is intended to serve as a resource for implementors and as
a repository of items that need to be addressed when advancing
the DNSSECbis documents from Proposed Standard to Draft
Standard.
The clarifications to DNSSECbis are sorted according to
their importance, starting with ones which could, if ignored,
lead to security problems and progressing down to
clarifications that are expected to have little operational
impact.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL",
"SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described
in .
This section updates the set of core DNSSEC protocol
documents originally specified in Section 10 of .
describes the use and behavior of
the NSEC3 and NSEC3PARAM records for hashed denial of
existence. Validator implementations are strongly encouraged
to include support for NSEC3 because a number of highly
visible zones are expected to use it. Validators that do not
support validation of responses using NSEC3 will likely be
hampered in validating large portions of the DNS space.
should be considered part of the
DNS Security Document Family as described by , Section 10.
describes the use of SHA-256 as a
digest algorithm for use with Delegation Signer (DS) RRs.
describes
the use of the RSASHA256 algorithm for use in DNSKEY and RRSIG
RRs. Validator implementations are strongly encouraged to
include support for this algorithm for DS, DNSKEY, and RRSIG
records.
Both and should also be
considered part of the DNS Security Document Family as
described by , Section 10.
This section provides clarifications that, if overlooked,
could lead to security issues.
Section 5.4 under-specifies the
algorithm for checking non-existence proofs. In particular,
the algorithm as presented would incorrectly allow an NSEC or
NSEC3 RR from an ancestor zone to prove the non-existence of
RRs in the child zone.
An "ancestor delegation" NSEC RR (or NSEC3 RR) is one
with:
the NS bit set,
the SOA bit clear, and
a signer field that is shorter than the owner name of
the NSEC RR, or the original owner name for the NSEC3
RR.
Ancestor delegation NSEC or NSEC3 RRs MUST NOT be used to
assume non-existence of any RRs below that zone cut, which
include all RRs at that (original) owner name other than DS
RRs, and all RRs below that owner name regardless of type.
Similarly, the algorithm would also allow an NSEC RR at the
same owner name as a DNAME RR, or an NSEC3 RR at the same
original owner name as a DNAME, to prove the non-existence of
names beneath that DNAME. An NSEC or NSEC3 RR with the DNAME
bit set MUST NOT be used to assume the non-existence of any
subdomain of that NSEC/NSEC3 RR's (original) owner name.
does not address how to validate
responses when QTYPE=*. As described in Section 6.2.2 of
, a proper response to QTYPE=* may
include a subset of the RRsets at a given name. That is, it is
not necessary to include all RRsets at the QNAME in the
response.
When validating a response to QTYPE=*, all received RRsets
that match QNAME and QCLASS MUST be validated. If any of
those RRsets fail validation, the answer is considered Bogus.
If there are no RRsets matching QNAME and QCLASS, that fact
MUST be validated according to the rules in Section 5.4 (as clarified in this
document). To be clear, a validator must not expect to
receive all records at the QNAME in response to QTYPE=*.
Section 5 of says little about
validating responses based on (or that should be based on)
CNAMEs. When validating a NOERROR/NODATA response, validators
MUST check the CNAME bit in the matching NSEC or NSEC3 RR's
type bitmap in addition to the bit for the query type.
Without this check, an attacker could successfully transform a
positive CNAME response into a NOERROR/NODATA response.
Section 5.2 specifies that a
validator, when proving a delegation is not secure, needs to
check for the absence of the DS and SOA bits in the NSEC (or
NSEC3) type bitmap. The validator also needs to check for the
presence of the NS bit in the matching NSEC (or NSEC3) RR
(proving that there is, indeed, a delegation), or alternately
make sure that the delegation is covered by an NSEC3 RR with
the Opt-Out flag set. If this is not checked, spoofed
unsigned delegations might be used to claim that an existing
signed record is not signed.
When canonicalizing DNS names, DNS names in the RDATA
section of NSEC and RRSIG resource records are not
downcased.
Section 6.2 item 3 has a list of
resource record types for which DNS names in the RDATA are
downcased for purposes of DNSSEC canonical form (for both
ordering and signing). That list erroneously contains NSEC
and RRSIG. According to , DNS names
in the RDATA of NSEC and RRSIG should not be downcased.
The same section also erroneously lists HINFO, and twice at
that. Since HINFO records contain no domain names, they are
not subject to downcasing.
Section 5.2 of includes rules for
how to handle delegations to zones that are signed with
entirely unsupported public key algorithms, as indicated by
the key algorithms shown in those zone's DS RRsets. It does
not explicitly address how to handle DS records that use
unsupported message digest algorithms. In brief, DS records
using unknown or unsupported message digest algorithms MUST be
treated the same way as DS records referring to DNSKEY RRs of
unknown or unsupported public key algorithms.
The existing text says:
If the validator does not support any of the algorithms
listed in an authenticated DS RRset, then the resolver has
no supported authentication path leading from the parent
to the child. The resolver should treat this case as it
would the case of an authenticated NSEC RRset proving that
no DS RRset exists, as described above.
To paraphrase the above, when determining the security
status of a zone, a validator disregards any DS records
listing unknown or unsupported algorithms. If none are left,
the zone is treated as if it were unsigned.
Modified to consider DS message digest algorithms, a
validator also disregards any DS records using unknown or
unsupported message digest algorithms.
As discussed above, section 5.2 of
requires that validators make decisions about the security
status of zones based on the public key algorithms shown in
the DS records for those zones. In the case of private
algorithms, as described in Appendix
A.1.1, the eight-bit algorithm field in the DS RR is not
conclusive about what algorithm(s) is actually in use.
If no private algorithms appear in the DS set or if any
supported algorithm appears in the DS set, no special
processing will be needed. In the remaining cases, the
security status of the zone depends on whether or not the
resolver supports any of the private algorithms in use
(provided that these DS records use supported hash functions,
as discussed in ). In these cases, the
resolver MUST retrieve the corresponding DNSKEY for each
private algorithm DS record and examine the public key field
to determine the algorithm in use. The security-aware
resolver MUST ensure that the hash of the DNSKEY RR's owner
name and RDATA matches the digest in the DS RR. If they do
not match, and no other DS establishes that the zone is
secure, the referral should be considered Bogus data, as
discussed in .
This clarification facilitates the broader use of private
algorithms, as suggested by .
When multiple RRSIGs cover a given RRset, Section 5.3.3 suggests that "the local
resolver security policy determines whether the resolver also
has to test these RRSIG RRs and how to resolve conflicts if
these RRSIG RRs lead to differing results." In most cases, a
resolver would be well advised to accept any valid RRSIG as
sufficient. If the first RRSIG tested fails validation, a
resolver would be well advised to try others, giving a
successful validation result if any can be validated and
giving a failure only if all RRSIGs fail validation.
If a resolver adopts a more restrictive policy, there's a
danger that properly-signed data might unnecessarily fail
validation, perhaps because of cache timing issues.
Furthermore, certain zone management techniques, like the
Double Signature Zone-signing Key Rollover method described in
section 4.2.1.2 of might not work
reliably.
Appendix B.1 incorrectly defines
the Key Tag field calculation for algorithm 1. It correctly
says that the Key Tag is the most significant 16 of the least
significant 24 bits of the public key modulus. However, then goes on to incorrectly say that this
is 4th to last and 3rd to last octets of the public key
modulus. It is, in fact, the 3rd to last and 2nd to last
octets.
does not provide any instructions
to servers as to how to set the DO bit. Some authoritative
server implementations have chosen to copy the DO bit settings
from the incoming query to the outgoing response. Others have
chosen to never set the DO bit in responses. Either behavior
is permitted. To be clear, in replies to queries with the
DO-bit set servers may or may not set the DO bit.
Section 3.2.3 of describes under
which conditions a validating resolver should set or clear the
AD bit in a response. In order to protect legacy stub
resolvers and middleboxes, validating resolvers SHOULD only
set the AD bit when a response both meets the conditions
listed in RFC 4035, section 3.2.3, and the request contained
either a set DO bit or a set AD bit.
Note that the use of the AD bit in the query was previously
undefined. This document defines it as a signal indicating
that the requester understands and is interested in the value
of the AD bit in the response. This allows a requestor to
indicate that it understands the AD bit without also
requesting DNSSEC data via the DO bit.
When processing a request with the CD bit set, the resolver
MUST set the CD bit on its upstream queries.
A DNSSEC validator may be configured such that, for a given
response, more than one trust anchor could be used to validate
the chain of trust to the response zone. For example, imagine
a validator configured with trust anchors for "example." and
"zone.example." When the validator is asked to validate a
response to "www.sub.zone.example.", either trust anchor could
apply.
When presented with this situation, DNSSEC validators
SHOULD try all applicable trust anchors until one
succeeds.
There are some scenarios where different behaviors, such as
choosing the trust anchor closest to the QNAME of the
response, may be desired. A DNSSEC validator MAY enable such
behaviors as configurable overrides.
Appendix C.8 of discusses sending
DS queries to the servers for a parent zone. To do that, a
resolver may first need to apply special rules to discover
what those servers are.
As explained in Section 3.1.4.1 of , security-aware name servers need to apply
special processing rules to handle the DS RR, and in some
situations the resolver may also need to apply special rules
to locate the name servers for the parent zone if the resolver
does not already have the parent's NS RRset. Section 4.2 of
specifies a mechanism for doing
that.
Questions of the form "can I use a different DNSKEY for
signing this RRset" have occasionally arisen.
The short answer is "yes, absolutely". You can even use a
different DNSKEY for each RRset in a zone, subject only to
practical limits on the size of the DNSKEY RRset. However, be
aware that there is no way to tell resolvers what a
particularly DNSKEY is supposed to be used for -- any DNSKEY
in the zone's signed DNSKEY RRset may be used to authenticate
any RRset in the zone. For example, if a weaker or less
trusted DNSKEY is being used to authenticate NSEC RRsets or
all dynamically updated records, that same DNSKEY can also be
used to sign any other RRsets from the zone.
Furthermore, note that the SEP bit setting has no effect on
how a DNSKEY may be used -- the validation process is
specifically prohibited from using that bit by section 2.1.2. It is possible to use a
DNSKEY without the SEP bit set as the sole secure entry point
to the zone, yet use a DNSKEY with the SEP bit set to sign all
RRsets in the zone (other than the DNSKEY RRset). It's also
possible to use a single DNSKEY, with or without the SEP bit
set, to sign the entire zone, including the DNSKEY RRset
itself.
The text in Section C.1 refers to
the examples in B.1 as "x.w.example.com" while B.1 uses
"x.w.example". This is painfully obvious in the second
paragraph where it states that the RRSIG labels field value of
3 indicates that the answer was not the result of wildcard
expansion. This is true for "x.w.example" but not for
"x.w.example.com", which of course has a label count of 4
(antithetically, a label count of 3 would imply the answer was
the result of a wildcard expansion).
The first paragraph of Section C.6
also has a minor error: the reference to "a.z.w.w.example"
should instead be "a.z.w.example", as in the previous
line.
A NSEC3 record that matches an Empty Non-Terminal
effectively has no type associated with it. This NSEC3 record
has an empty type bit map. Section 3.2.1 of contains the statement:
Blocks with no types present MUST NOT be included.
However, the same section contains a regular expression:
Type Bit Maps Field = ( Window Block # | Bitmap Length |
Bitmap )+
The plus sign in the regular expression indicates that
there is one or more of the preceding element. This means that
there must be at least one window block. If this window block
has no types, it contradicts with the first
statement. Therefore, the correct text in RFC 5155 3.2.1
should be:
Type Bit Maps Field = ( Window Block # | Bitmap Length |
Bitmap )*
This document specifies no IANA Actions.
This document adds two cryptographic features to the core
DNSSEC protocol. Additionally, it addresses some ambiguities
and omissions in the core DNSSEC documents that, if not
recognized and addressed in implementations, could lead to
security failures. In particular, the validation algorithm
clarifications in are critical for
preserving the security properties DNSSEC offers. Furthermore,
failure to address some of the interoperability concerns in
could limit the ability to later change
or expand DNSSEC, including adding new algorithms.
DNS Security Introduction and Requirements
domain name system
authentication
origin integrity
dnssec
domain name system security extensions
The Domain Name System Security Extensions (DNSSEC) add data origin authentication and data integrity to the Domain Name System. This document introduces these extensions and describes their capabilities and limitations. This document also discusses the services that the DNS security extensions do and do not provide. Last, this document describes the interrelationships between the documents that collectively describe DNSSEC. [STANDARDS TRACK]
Resource Records for the DNS Security Extensions
domain name system
authentication
origin integrity
dnssec
domain name system security extensions
This document is part of a family of documents that describe the DNS Security Extensions (DNSSEC). The DNS Security Extensions are a collection of resource records and protocol modifications that provide source authentication for the DNS. This document defines the public key (DNSKEY), delegation signer (DS), resource record digital signature (RRSIG), and authenticated denial of existence (NSEC) resource records. The purpose and format of each resource record is described in detail, and an example of each resource record is given. This document obsoletes RFC 2535 and incorporates changes from all updates to RFC 2535. [STANDARDS TRACK]
Protocol Modifications for the DNS Security Extensions
domain name system
authentication
origin integrity
dnssec
domain name system security extensions
This document is part of a family of documents that describe the DNS Security Extensions (DNSSEC). The DNS Security Extensions are a collection of new resource records and protocol modifications that add data origin authentication and data integrity to the DNS. This document describes the DNSSEC protocol modifications. This document defines the concept of a signed zone, along with the requirements for serving and resolving by using DNSSEC. These techniques allow a security-aware resolver to authenticate both DNS resource records and authoritative DNS error indications. This document obsoletes RFC 2535 and incorporates changes from all updates to RFC 2535. [STANDARDS TRACK]
Key words for use in RFCs to Indicate Requirement Levels
Standards
Track
Documents
In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.
Domain names - concepts and facilities
DOMAIN
This RFC is the revised basic definition of The Domain Name System. It obsoletes RFC-882. This memo describes the domain style names and their used for host address look up and electronic mail forwarding. It discusses the clients and servers in the domain name system and the protocol used between them.
DNS Security (DNSSEC) Hashed Authenticated Denial of Existence
domain name system
nsec
resource record
nsec3
The Domain Name System Security (DNSSEC) Extensions introduced the NSEC resource record (RR) for authenticated denial of existence. This document introduces an alternative resource record, NSEC3, which similarly provides authenticated denial of existence. However, it also provides measures against zone enumeration and permits gradual expansion of delegation-centric zones. [STANDARDS TRACK]
Use of SHA-256 in DNSSEC Delegation Signer (DS) Resource Records (RRs)
domain name system
dns
dnskey
This document specifies how to use the SHA-256 digest type in DNS Delegation Signer (DS) Resource Records (RRs). DS records, when stored in a parent zone, point to DNSKEYs in a child zone. [STANDARDS TRACK]
Use of SHA-2 algorithms with RSA in DNSKEY and RRSIG Resource Records for DNSSEC
DNS Security (DNSSEC) Experiments
domain namespace
This document describes a methodology for deploying alternate, non-backwards-compatible, DNS Security (DNSSEC) methodologies in an experimental fashion without disrupting the deployment of standard DNSSEC. [STANDARDS TRACK]
DNSSEC Operational Practices
dns
domain name space
security extensions
zone administrator
DNS-SOC
cryptology
resource records
rrs
This document describes a set of practices for operating the DNS with security extensions (DNSSEC). The target audience is zone administrators deploying DNSSEC. The document discusses operational aspects of using keys and signatures in the DNS. It discusses issues of key generation, key storage, signature generation, key rollover, and related policies. This document obsoletes RFC 2541, as it covers more operational ground and gives more up-to-date requirements with respect to key sizes and the new DNSSEC specification. This memo provides information for the Internet community.
Legacy Resolver Compatibility for Delegation Signer (DS)
dnssec
DNS Security
rr
resource record
DNS-SECEXT
dns
authentication
nsec
nextsecure
As the DNS Security (DNSSEC) specifications have evolved, the syntax and semantics of the DNSSEC resource records (RRs) have changed. Many deployed nameservers understand variants of these semantics. Dangerous interactions can occur when a resolver that understands an earlier version of these semantics queries an authoritative server that understands the new delegation signer semantics, including at least one failure scenario that will cause an unsecured zone to be unresolvable. This document changes the type codes and mnemonics of the DNSSEC RRs (SIG, KEY, and NXT) to avoid those interactions. [STANDARDS TRACK]
The editors would like the thank Rob Austein for his previous
work as an editor of this document.
The editors are extremely grateful to those who, in addition
to finding errors and omissions in the DNSSECbis document set,
have provided text suitable for inclusion in this document.
The lack of specificity about handling private algorithms, as
described in , and the lack of
specificity in handling ANY queries, as described in , were discovered by David Blacka.
The error in algorithm 1 key tag calculation, as described in
, was found by Abhijit Hayatnagarkar.
Donald Eastlake contributed text for .
The bug relating to delegation NSEC RR's in was found by Roy Badami. Roy Arends found
the related problem with DNAME.
The errors in the examples were
found by Roy Arends, who also contributed text for of this document.
The editors would like to thank Ed Lewis, Danny Mayer, Olafur
Gudmundsson, Suzanne Woolf, and Scott Rose for their substantive
comments on the text of this document.