2 DNS Extensions Working Group R. Arends
3 Internet-Draft Telematica Instituut
4 Expires: August 25, 2005 P. Koch
11 Evaluating DNSSEC Transition Mechanisms
12 draft-ietf-dnsext-dnssec-trans-02.txt
16 This document is an Internet-Draft and is subject to all provisions
17 of Section 3 of RFC 3667. By submitting this Internet-Draft, each
18 author represents that any applicable patent or other IPR claims of
19 which he or she is aware have been or will be disclosed, and any of
20 which he or she become aware will be disclosed, in accordance with
23 Internet-Drafts are working documents of the Internet Engineering
24 Task Force (IETF), its areas, and its working groups. Note that
25 other groups may also distribute working documents as
28 Internet-Drafts are draft documents valid for a maximum of six months
29 and may be updated, replaced, or obsoleted by other documents at any
30 time. It is inappropriate to use Internet-Drafts as reference
31 material or to cite them other than as "work in progress."
33 The list of current Internet-Drafts can be accessed at
34 http://www.ietf.org/ietf/1id-abstracts.txt.
36 The list of Internet-Draft Shadow Directories can be accessed at
37 http://www.ietf.org/shadow.html.
39 This Internet-Draft will expire on August 25, 2005.
43 Copyright (C) The Internet Society (2005).
47 This document collects and summarizes different proposals for
48 alternative and additional strategies for authenticated denial in DNS
49 responses, evaluates these proposals and gives a recommendation for a
53 Arends, et al. Expires August 25, 2005 [Page 1]
55 Internet-Draft Evaluating DNSSEC Transition Mechanisms February 2005
62 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
63 2. Transition Mechanisms . . . . . . . . . . . . . . . . . . . . 3
64 2.1 Mechanisms With Need of Updating DNSSEC-bis . . . . . . . 4
65 2.1.1 Dynamic NSEC Synthesis . . . . . . . . . . . . . . . . 4
66 2.1.2 Add Versioning/Subtyping to Current NSEC . . . . . . . 5
67 2.1.3 Type Bit Map NSEC Indicator . . . . . . . . . . . . . 6
68 2.1.4 New Apex Type . . . . . . . . . . . . . . . . . . . . 6
69 2.1.5 NSEC White Lies . . . . . . . . . . . . . . . . . . . 7
70 2.1.6 NSEC Optional via DNSSKEY Flag . . . . . . . . . . . . 8
71 2.1.7 New Answer Pseudo RR Type . . . . . . . . . . . . . . 9
72 2.1.8 SIG(0) Based Authenticated Denial . . . . . . . . . . 9
73 2.2 Mechanisms Without Need of Updating DNSSEC-bis . . . . . . 10
74 2.2.1 Partial Type-code and Signal Rollover . . . . . . . . 10
75 2.2.2 A Complete Type-code and Signal Rollover . . . . . . . 11
76 2.2.3 Unknown Algorithm in RRSIG . . . . . . . . . . . . . . 11
77 3. Recommendation . . . . . . . . . . . . . . . . . . . . . . . . 12
78 4. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 13
79 5. References . . . . . . . . . . . . . . . . . . . . . . . . . . 13
80 5.1 Normative References . . . . . . . . . . . . . . . . . . . 13
81 5.2 Informative References . . . . . . . . . . . . . . . . . . 13
82 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 14
83 Intellectual Property and Copyright Statements . . . . . . . . 15
109 Arends, et al. Expires August 25, 2005 [Page 2]
111 Internet-Draft Evaluating DNSSEC Transition Mechanisms February 2005
116 This report shall document the process of dealing with the NSEC
117 walking problem late in the Last Call for
118 [I-D.ietf-dnsext-dnssec-intro, I-D.ietf-dnsext-dnssec-protocol,
119 I-D.ietf-dnsext-dnssec-records]. It preserves some of the discussion
120 that took place in the DNSEXT WG during the first half of June 2004
121 as well as some additional ideas that came up subsequently.
123 This is an edited excerpt of the chairs' mail to the WG:
124 The working group consents on not including NSEC-alt in the
125 DNSSEC-bis documents. The working group considers to take up
126 "prevention of zone enumeration" as a work item.
127 There may be multiple mechanisms to allow for co-existence with
128 DNSSEC-bis. The chairs allow the working group a little over a
129 week (up to June 12, 2004) to come to consensus on a possible
130 modification to the document to enable gentle rollover. If that
131 consensus cannot be reached the DNSSEC-bis documents will go out
134 To ease the process of getting consensus, a summary of the proposed
135 solutions and analysis of the pros and cons were written during the
138 This summary includes:
140 An inventory of the proposed mechanisms to make a transition to
141 future work on authenticated denial of existence.
142 List the known Pros and Cons, possibly provide new arguments, and
143 possible security considerations of these mechanisms.
144 Provide a recommendation on a way forward that is least disruptive
145 to the DNSSEC-bis specifications as they stand and keep an open
146 path to other methods for authenticated denial of existence.
148 The descriptions of the proposals in this document are coarse and do
149 not cover every detail necessary for implementation. In any case,
150 documentation and further study is needed before implementaion and/or
151 deployment, including those which seem to be solely operational in
154 2. Transition Mechanisms
156 In the light of recent discussions and past proposals, we have found
157 several ways to allow for transition to future expansion of
158 authenticated denial. We tried to illuminate the paths and pitfalls
159 in these ways forward. Some proposals lead to a versioning of
160 DNSSEC, where DNSSEC-bis may co-exist with DNSSEC-ter, other
161 proposals are 'clean' but may cause delay, while again others may be
165 Arends, et al. Expires August 25, 2005 [Page 3]
167 Internet-Draft Evaluating DNSSEC Transition Mechanisms February 2005
172 Some paths do not introduce versioning, and might require the current
173 DNSSEC-bis documents to be fully updated to allow for extensions to
174 authenticated denial mechanisms. Other paths introduce versioning
175 and do not (or minimally) require DNSSEC-bis documents to be updated,
176 allowing DNSSEC-bis to be deployed, while future versions can be
177 drafted independent from or partially depending on DNSSEC-bis.
179 2.1 Mechanisms With Need of Updating DNSSEC-bis
181 Mechanisms in this category demand updates to the DNSSEC-bis document
184 2.1.1 Dynamic NSEC Synthesis
186 This proposal assumes that NSEC RRs and the authenticating RRSIG will
187 be generated dynamically to just cover the (non existent) query name.
188 The owner name is (the) one preceding the name queried for, the Next
189 Owner Name Field has the value of the Query Name Field + 1 (first
190 successor in canonical ordering). A separate key (the normal ZSK or
191 a separate ZSK per authoritative server) would be used for RRSIGs on
192 NSEC RRs. This is a defense against enumeration, though it has the
193 presumption of online signing.
195 2.1.1.1 Coexistence and Migration
197 There is no change in interpretation other then that the next owner
198 name might or might not exist.
202 This introduces an unbalanced cost between query and response
203 generation due to dynamic generation of signatures.
205 2.1.1.3 Amendments to DNSSEC-bis
207 The current DNSSEC-bis documents might need to be updated to indicate
208 that the next owner name might not be an existing name in the zone.
209 This is not a real change to the spec since implementers have been
210 warned not to synthesize with previously cached NSEC records. A
211 specific bit to identify the dynamic signature generating key might
212 be useful as well, to prevent it from being used to fake positive
217 Unbalanced cost is a ground for DDoS. Though this protects against
221 Arends, et al. Expires August 25, 2005 [Page 4]
223 Internet-Draft Evaluating DNSSEC Transition Mechanisms February 2005
226 enumeration, it is not really a path for versioning.
230 Hardly any amendments to DNSSEC-bis.
232 2.1.2 Add Versioning/Subtyping to Current NSEC
234 This proposal introduces versioning for the NSEC RR type (a.k.a.
235 subtyping) by adding a (one octet) version field to the NSEC RDATA.
236 Version number 0 is assigned to the current (DNSSEC-bis) meaning,
237 making this an 'Must Be Zero' (MBZ) for the to be published docset.
239 2.1.2.1 Coexistence and Migration
241 Since the versioning is done inside the NSEC RR, different versions
242 may coexist. However, depending on future methods, that may or may
243 not be useful inside a single zone. Resolvers cannot ask for
244 specific NSEC versions but may be able to indicate version support by
245 means of a to be defined EDNS option bit.
249 There are no technical limitations, though it will cause delay to
250 allow testing of the (currently unknown) new NSEC interpretation.
252 Since the versioning and signaling is done inside the NSEC RR, future
253 methods will likely be restricted to a single RR type authenticated
254 denial (as opposed to e.g. NSEC-alt, which currently proposes three
257 2.1.2.3 Amendments to DNSSEC-bis
259 Full Update of the current DNSSEC-bis documents to provide for new
260 fields in NSEC, while specifying behavior in case of unknown field
265 Though this is a clean and clear path without versioning DNSSEC, it
266 takes some time to design, gain consensus, update the current
267 dnssec-bis document, test and implement a new authenticated denial
272 Does not introduce an iteration to DNSSEC while providing a clear and
273 clean migration strategy.
277 Arends, et al. Expires August 25, 2005 [Page 5]
279 Internet-Draft Evaluating DNSSEC Transition Mechanisms February 2005
282 2.1.3 Type Bit Map NSEC Indicator
284 Bits in the type-bit-map are reused or allocated to signify the
285 interpretation of NSEC.
287 This proposal assumes that future extensions make use of the existing
288 NSEC RDATA syntax, while it may need to change the interpretation of
289 the RDATA or introduce an alternative denial mechanism, invoked by
290 the specific type-bit-map-bits.
292 2.1.3.1 Coexistence and migration
294 Old and new NSEC meaning could coexist, depending how the signaling
295 would be defined. The bits for NXT, NSEC, RRSIG or other outdated RR
296 types are available as well as those covering meta/query types or
297 types to be specifically allocated.
301 This mechanism uses an NSEC field that was not designed for that
302 purpose. Similar methods were discussed during the Opt-In discussion
303 and the Silly-State discussion.
305 2.1.3.3 Amendments to DNSSEC-bis
307 The specific type-bit-map-bits must be allocated and they need to be
308 specified as 'Must Be Zero' (MBZ) when used for standard (dnssec-bis)
309 interpretation. Also, behaviour of the resolver and validator must
310 be documented in case unknown values are encountered for the MBZ
311 field. Currently the protocol document specifies that the validator
312 MUST ignore the setting of the NSEC and the RRSIG bits, while other
313 bits are only used for the specific purpose of the type-bit-map field
317 The type-bit-map was not designed for this purpose. It is a
318 straightforward hack. Text in protocol section 5.4 was put in
319 specially to defend against this usage.
323 No change needed to the on-the-wire protocol as specified in the
328 This introduces a new Apex type (parallel to the zone's SOA)
329 indicating the DNSSEC version (or authenticated denial) used in or
333 Arends, et al. Expires August 25, 2005 [Page 6]
335 Internet-Draft Evaluating DNSSEC Transition Mechanisms February 2005
340 2.1.4.1 Coexistence and Migration
342 Depending on the design of this new RR type multiple denial
343 mechanisms may coexist in a zone. Old validators will not understand
344 and thus ignore the new type, so interpretation of the new NSEC
345 scheme may fail, negative responses may appear 'bogus'.
349 A record of this kind is likely to carry additional
350 feature/versioning indications unrelated to the current question of
351 authenticated denial.
353 2.1.4.3 Amendments to DNSSEC-bis
355 The current DNSSEC-bis documents need to be updated to indicate that
356 the absence of this type indicates dnssec-bis, and that the (mere)
357 presence of this type indicated unknown versions.
361 The only other 'zone' or 'apex' record is the SOA record. Though
362 this proposal is not new, it is yet unknown how it might fulfill
363 authenticated denial extensions. This new RR type would only provide
364 for a generalized signaling mechanism, not the new authenticated
365 denial scheme. Since it is likely to be general in nature, due to
366 this generality consensus is not to be reached soon.
370 This approach would allow for a lot of other per zone information to
371 be transported or signaled to both (slave) servers and resolvers.
373 2.1.5 NSEC White Lies
375 This proposal disables one part of NSEC (the pointer part) by means
376 of a special target (root, apex, owner, ...), leaving intact only the
377 ability to authenticate denial of existence of RR sets, not denial of
378 existence of domain names (NXDOMAIN). It may be necessary to have
379 one working NSEC to prove the absence of a wildcard.
381 2.1.5.1 Coexistence and Migration
383 The NSEC target can be specified per RR, so standard NSEC and 'white
384 lie' NSEC can coexist in a zone. There is no need for migration
385 because no versioning is introduced or intended.
389 Arends, et al. Expires August 25, 2005 [Page 7]
391 Internet-Draft Evaluating DNSSEC Transition Mechanisms February 2005
396 This proposal breaks the protocol and is applicable to certain types
397 of zones only (no wildcard, no deep names, delegation only). Most of
398 the burden is put on the resolver side and operational consequences
399 are yet to be studied.
401 2.1.5.3 Amendments to DNSSEC-bis
403 The current DNSSEC-bis documents need to be updated to indicate that
404 the NXDOMAIN responses may be insecure.
408 Strictly speaking this breaks the protocol and doesn't fully fulfill
409 the requirements for authenticated denial of existence. Security
410 implications need to be carefully documented: search path problems
411 (forged denial of existence may lead to wrong expansion of non-FQDNs
412 [RFC1535]) and replay attacks to deny existence of records.
416 Hardly any amendments to DNSSEC-bis. Operational "trick" that is
419 2.1.6 NSEC Optional via DNSSKEY Flag
421 A new DNSKEY may be defined to declare NSEC optional per zone.
423 2.1.6.1 Coexistence and Migration
425 Current resolvers/validators will not understand the Flag bit and
426 will have to treat negative responses as bogus. Otherwise, no
427 migration path is needed since NSEC is simply turned off.
431 NSEC can only be made completely optional at the cost of being unable
432 to prove unsecure delegations (absence of a DS RR [RFC3658]). A next
433 to this approach would just disable authenticated denial for
434 non-existence of nodes.
436 2.1.6.3 Amendments to DNSSEC-bis
438 New DNSKEY Flag to be defined. Resolver/Validator behaviour needs to
439 be specified in the light of absence of authenticated denial.
445 Arends, et al. Expires August 25, 2005 [Page 8]
447 Internet-Draft Evaluating DNSSEC Transition Mechanisms February 2005
452 Doesn't fully meet requirements. Operational consequences to be
457 Official version of the "trick" presented in (8). Operational
458 problems can be addressed during future work on validators.
460 2.1.7 New Answer Pseudo RR Type
462 A new pseudo RR type may be defined that will be dynamically created
463 (and signed) by the responding authoritative server. The RR in the
464 response will cover the QNAME, QCLASS and QTYPE and will authenticate
465 both denial of existence of name (NXDOMAIN) or RRset.
467 2.1.7.1 Coexistence and Migration
469 Current resolvers/validators will not understand the pseudo RR and
470 will thus not be able to process negative responses so testified. A
471 signaling or solicitation method would have to be specified.
475 This method can only be used with online keys and online signing
478 2.1.7.3 Amendments to DNSSEC-bis
480 Signaling method needs to be defined.
484 Keys have to be held and processed online with all security
485 implications. An additional flag for those keys identifying them as
486 online or negative answer only keys should be considered.
490 Expands DNSSEC authentication to the RCODE.
492 2.1.8 SIG(0) Based Authenticated Denial
495 2.1.8.1 Coexistence and Migration
501 Arends, et al. Expires August 25, 2005 [Page 9]
503 Internet-Draft Evaluating DNSSEC Transition Mechanisms February 2005
509 2.1.8.3 Amendments to DNSSEC-bis
518 2.2 Mechanisms Without Need of Updating DNSSEC-bis
520 2.2.1 Partial Type-code and Signal Rollover
522 Carefully crafted type code/signal rollover to define a new
523 authenticated denial space that extends/replaces DNSSEC-bis
524 authenticated denial space. This particular path is illuminated by
525 Paul Vixie in a Message-Id <20040602070859.0F50913951@sa.vix.com>
526 posted to <namedroppers@ops.ietf.org> 2004-06-02.
528 2.2.1.1 Coexistence and Migration
530 To protect the current resolver for future versions, a new DNSSEC-OK
531 bit must be allocated to make clear it does or does not understand
532 the future version. Also, a new DS type needs to be allocated to
533 allow differentiation between a current signed delegation and a
534 'future' signed delegation. Also, current NSEC needs to be rolled
535 into a new authenticated denial type.
541 2.2.1.3 Amendments to DNSSEC-bis
547 It is cumbersome to carefully craft an TCR that 'just fits'. The
548 DNSSEC-bis protocol has many 'borderline' cases that needs special
549 consideration. It might be easier to do a full TCR, since a few of
550 the types and signals need upgrading anyway.
557 Arends, et al. Expires August 25, 2005 [Page 10]
559 Internet-Draft Evaluating DNSSEC Transition Mechanisms February 2005
564 Graceful adoption of future versions of NSEC, while there are no
565 amendments to DNSSEC-bis.
567 2.2.2 A Complete Type-code and Signal Rollover
569 A new DNSSEC space is defined which can exist independent of current
572 This proposal assumes that all current DNSSEC type-codes
573 (RRSIG/DNSKEY/NSEC/DS) and signals (DNSSEC-OK) are not used in any
574 future versions of DNSSEC. Any future version of DNSSEC has its own
575 types to allow for keys, signatures, authenticated denial, etcetera.
577 2.2.2.1 Coexistence and Migration
579 Both spaces can co-exist. They can be made completely orthogonal.
585 2.2.2.3 Amendments to DNSSEC-bis
591 With this path we abandon the current DNSSEC-bis. Though it is easy
592 to role specific well-known and well-tested parts into the re-write,
593 once deployment has started this path is very expensive for
594 implementers, registries, registrars and registrants as well as
595 resolvers/users. A TCR is not to be expected to occur frequently, so
596 while a next generation authenticated denial may be enabled by a TCR,
597 it is likely that that TCR will only be agreed upon if it serves a
598 whole basket of changes or additions. A quick introduction of
599 NSEC-ng should not be expected from this path.
603 No amendments/changes to current DNSSEC-bis docset needed. It is
604 always there as last resort.
606 2.2.3 Unknown Algorithm in RRSIG
608 This proposal assumes that future extensions make use of the existing
609 NSEC RDATA syntax, while it may need to change the interpretation of
613 Arends, et al. Expires August 25, 2005 [Page 11]
615 Internet-Draft Evaluating DNSSEC Transition Mechanisms February 2005
618 the RDATA or introduce an alternative denial mechanism, invoked by
619 the specific unknown signing algorithm. The different interpretation
620 would be signaled by use of different signature algorithms in the
621 RRSIG records covering the NSEC RRs.
623 When an entire zone is signed with a single unknown algorithm, it
624 will cause implementations that follow current dnssec-bis documents
625 to treat individual RRsets as unsigned.
627 2.2.3.1 Coexistence and migration
629 Old and new NSEC RDATA interpretation or known and unknown Signatures
630 can NOT coexist in a zone since signatures cover complete (NSEC)
635 Validating resolvers agnostic of new interpretation will treat the
636 NSEC RRset as "not signed". This affects wildcard and non-existence
637 proof, as well as proof for (un)secured delegations. Also, all
638 positive signatures (RRSIGs on RRSets other than DS, NSEC) appear
639 insecure/bogus to an old validator.
641 The algorithm version space is split for each future version of
642 DNSSEC. Violation of the 'modular components' concept. We use the
643 'validator' to protect the 'resolver' from unknown interpretations.
645 2.2.3.3 Amendments to DNSSEC-bis
651 The algorithm field was not designed for this purpose. This is a
652 straightforward hack.
656 No amendments/changes to current DNSSEC-bis docset needed.
660 The authors recommend that the working group commits to and starts
661 work on a partial TCR, allowing graceful transition towards a future
662 version of NSEC. Meanwhile, to accomodate the need for an
663 immediately, temporary, solution against zone-traversal, we recommend
664 On-Demand NSEC synthesis.
669 Arends, et al. Expires August 25, 2005 [Page 12]
671 Internet-Draft Evaluating DNSSEC Transition Mechanisms February 2005
674 This approach does not require any mandatory changes to DNSSEC-bis,
675 does not violate the protocol and fulfills the requirements. As a
676 side effect, it moves the cost of implementation and deployment to
677 the users (zone owners) of this mechanism.
681 The authors would like to thank Sam Weiler and Mark Andrews for their
682 input and constructive comments.
686 5.1 Normative References
688 [I-D.ietf-dnsext-dnssec-intro]
689 Arends, R., Austein, R., Massey, D., Larson, M. and S.
690 Rose, "DNS Security Introduction and Requirements",
691 Internet-Draft draft-ietf-dnsext-dnssec-intro-13, October
694 [I-D.ietf-dnsext-dnssec-protocol]
695 Arends, R., "Protocol Modifications for the DNS Security
697 Internet-Draft draft-ietf-dnsext-dnssec-protocol-09,
700 [I-D.ietf-dnsext-dnssec-records]
701 Arends, R., "Resource Records for the DNS Security
703 Internet-Draft draft-ietf-dnsext-dnssec-records-11,
706 [RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
707 STD 13, RFC 1034, November 1987.
709 [RFC1035] Mockapetris, P., "Domain names - implementation and
710 specification", STD 13, RFC 1035, November 1987.
712 [RFC2931] Eastlake, D., "DNS Request and Transaction Signatures (
713 SIG(0)s)", RFC 2931, September 2000.
715 5.2 Informative References
717 [RFC1535] Gavron, E., "A Security Problem and Proposed Correction
718 With Widely Deployed DNS Software", RFC 1535, October
721 [RFC2535] Eastlake, D., "Domain Name System Security Extensions",
725 Arends, et al. Expires August 25, 2005 [Page 13]
727 Internet-Draft Evaluating DNSSEC Transition Mechanisms February 2005
730 RFC 2535, March 1999.
732 [RFC2629] Rose, M., "Writing I-Ds and RFCs using XML", RFC 2629,
735 [RFC3658] Gudmundsson, O., "Delegation Signer (DS) Resource Record
736 (RR)", RFC 3658, December 2003.
747 Phone: +31 53 4850485
748 Email: roy.arends@telin.nl
753 Wiesenh"uttenplatz 26
757 Phone: +49 69 27235 0
768 URI: http://www.nic.se/
781 Arends, et al. Expires August 25, 2005 [Page 14]
783 Internet-Draft Evaluating DNSSEC Transition Mechanisms February 2005
786 Intellectual Property Statement
788 The IETF takes no position regarding the validity or scope of any
789 Intellectual Property Rights or other rights that might be claimed to
790 pertain to the implementation or use of the technology described in
791 this document or the extent to which any license under such rights
792 might or might not be available; nor does it represent that it has
793 made any independent effort to identify any such rights. Information
794 on the procedures with respect to rights in RFC documents can be
795 found in BCP 78 and BCP 79.
797 Copies of IPR disclosures made to the IETF Secretariat and any
798 assurances of licenses to be made available, or the result of an
799 attempt made to obtain a general license or permission for the use of
800 such proprietary rights by implementers or users of this
801 specification can be obtained from the IETF on-line IPR repository at
802 http://www.ietf.org/ipr.
804 The IETF invites any interested party to bring to its attention any
805 copyrights, patents or patent applications, or other proprietary
806 rights that may cover technology that may be required to implement
807 this standard. Please address the information to the IETF at
811 Disclaimer of Validity
813 This document and the information contained herein are provided on an
814 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
815 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
816 ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
817 INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
818 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
819 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
824 Copyright (C) The Internet Society (2005). This document is subject
825 to the rights, licenses and restrictions contained in BCP 78, and
826 except as set forth therein, the authors retain all their rights.
831 Funding for the RFC Editor function is currently provided by the
837 Arends, et al. Expires August 25, 2005 [Page 15]
projects / FreeBSD / releng / 7.2.git / blob