1 Network Working Group J. Ihren
2 Internet-Draft Autonomica AB
3 Expires: April 18, 2005 O. Kolkman
11 An In-Band Rollover Mechanism and an Out-Of-Band Priming Method for
13 draft-ietf-dnsext-trustupdate-threshold-00
19 By submitting this Internet-Draft, I certify that any applicable
20 patent or other IPR claims of which I am aware have been disclosed,
21 and any of which I become aware will be disclosed, in accordance with
25 Internet-Drafts are working documents of the Internet Engineering
26 Task Force (IETF), its areas, and its working groups. Note that
27 other groups may also distribute working documents as
31 Internet-Drafts are draft documents valid for a maximum of six months
32 and may be updated, replaced, or obsoleted by other documents at any
33 time. It is inappropriate to use Internet-Drafts as reference
34 material or to cite them other than as "work in progress."
37 The list of current Internet-Drafts can be accessed at
38 http://www.ietf.org/ietf/1id-abstracts.txt.
41 The list of Internet-Draft Shadow Directories can be accessed at
42 http://www.ietf.org/shadow.html.
45 This Internet-Draft will expire on April 18, 2005.
51 Copyright (C) The Internet Society (2004). All Rights Reserved.
57 The DNS Security Extensions (DNSSEC) works by validating so called
58 chains of authority. The start of these chains of authority are
59 usually public keys that are anchored in the DNS clients. These keys
60 are known as the so called trust anchors.
66 Ihren, et al. Expires April 18, 2005 [Page 1]
67 Internet-Draft DNSSEC Threshold-based Trust Update October 2004
71 This memo describes a method how these client trust anchors can be
72 replaced using the DNS validation and querying mechanisms (in-band)
73 when the key pairs used for signing by zone owner are rolled.
76 This memo also describes a method to establish the validity of trust
77 anchors for initial configuration, or priming, using out of band
84 1. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
85 1.1 Key Signing Keys, Zone Signing Keys and Secure Entry
86 Points . . . . . . . . . . . . . . . . . . . . . . . . . . 3
87 2. Introduction and Background . . . . . . . . . . . . . . . . . 5
88 2.1 Dangers of Stale Trust Anchors . . . . . . . . . . . . . . 5
89 3. Threshold-based Trust Anchor Rollover . . . . . . . . . . . . 7
90 3.1 The Rollover . . . . . . . . . . . . . . . . . . . . . . . 7
91 3.2 Threshold-based Trust Update . . . . . . . . . . . . . . . 8
92 3.3 Possible Trust Update States . . . . . . . . . . . . . . . 9
93 3.4 Implementation notes . . . . . . . . . . . . . . . . . . . 10
94 3.5 Possible transactions . . . . . . . . . . . . . . . . . . 11
95 3.5.1 Single DNSKEY replaced . . . . . . . . . . . . . . . . 12
96 3.5.2 Addition of a new DNSKEY (no removal) . . . . . . . . 12
97 3.5.3 Removal of old DNSKEY (no addition) . . . . . . . . . 12
98 3.5.4 Multiple DNSKEYs replaced . . . . . . . . . . . . . . 12
99 3.6 Removal of trust anchors for a trust point . . . . . . . . 12
100 3.7 No need for resolver-side overlap of old and new keys . . 13
101 4. Bootstrapping automatic rollovers . . . . . . . . . . . . . . 14
102 4.1 Priming Keys . . . . . . . . . . . . . . . . . . . . . . . 14
103 4.1.1 Bootstrapping trust anchors using a priming key . . . 14
104 4.1.2 Distribution of priming keys . . . . . . . . . . . . . 15
105 5. The Threshold Rollover Mechanism vs Priming . . . . . . . . . 16
106 6. Security Considerations . . . . . . . . . . . . . . . . . . . 17
107 6.1 Threshold-based Trust Update Security Considerations . . . 17
108 6.2 Priming Key Security Considerations . . . . . . . . . . . 17
109 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 19
110 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 20
111 8.1 Normative References . . . . . . . . . . . . . . . . . . . . 20
112 8.2 Informative References . . . . . . . . . . . . . . . . . . . 20
113 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 20
114 A. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 22
115 B. Document History . . . . . . . . . . . . . . . . . . . . . . . 23
116 B.1 prior to version 00 . . . . . . . . . . . . . . . . . . . 23
117 B.2 version 00 . . . . . . . . . . . . . . . . . . . . . . . . 23
118 Intellectual Property and Copyright Statements . . . . . . . . 24
126 Ihren, et al. Expires April 18, 2005 [Page 2]
127 Internet-Draft DNSSEC Threshold-based Trust Update October 2004
134 The key words "MUST", "SHALL", "REQUIRED", "SHOULD", "RECOMMENDED",
135 and "MAY" in this document are to be interpreted as described in
139 The term "zone" refers to the unit of administrative control in the
140 Domain Name System. In this document "name server" denotes a DNS
141 name server that is authoritative (i.e. knows all there is to know)
142 for a DNS zone. A "zone owner" is the entity responsible for signing
143 and publishing a zone on a name server. The terms "authentication
144 chain", "bogus", "trust anchors" and "Island of Security" are defined
145 in [4]. Throughout this document we use the term "resolver" to mean
146 "Validating Stub Resolvers" as defined in [4].
149 We use the term "security apex" as the zone for which a trust anchor
150 has been configured (by validating clients) and which is therefore,
151 by definition, at the root of an island of security. The
152 configuration of trust anchors is a client side issue. Therefore a
153 zone owner may not always know if their zone has become a security
157 A "stale anchor" is a trust anchor (a public key) that relates to a
158 key that is not used for signing. Since trust anchors indicate that
159 a zone is supposed to be secure a validator will mark the all data in
160 an island of security as bogus when all trust anchors become stale.
163 It is assumed that the reader is familiar with public key
164 cryptography concepts [REF: Schneier Applied Cryptography] and is
165 able to distinguish between the private and public parts of a key
166 based on the context in which we use the term "key". If there is a
167 possible ambiguity we will explicitly mention if a private or a
168 public part of a key is used.
171 The term "administrator" is used loosely throughout the text. In
172 some cases an administrator is meant to be a person, in other cases
173 the administrator may be a process that has been delegated certain
177 1.1 Key Signing Keys, Zone Signing Keys and Secure Entry Points
180 Although the DNSSEC protocol does not make a distinction between
181 different keys the operational practice is that a distinction is made
182 between zone signing keys and key signing keys. A key signing key is
183 used to exclusively sign the DNSKEY Resource Record (RR) set at the
184 apex of a zone and the zone signing keys sign all the data in the
185 zone (including the DNSKEY RRset at the apex).
191 Ihren, et al. Expires April 18, 2005 [Page 3]
192 Internet-Draft DNSSEC Threshold-based Trust Update October 2004
196 Keys that are intended to be used as the start of the authentication
197 chain for a particular zone, either because they are pointed to by a
198 parental DS RR or because they are configured as a trust anchor, are
199 called Secure Entry Point (SEP) keys. In practice these SEP keys
200 will be key signing keys.
203 In order for the mechanism described herein to work the keys that are
204 intended to be used as secure entry points MUST have the SEP [2] flag
205 set. In the examples it is assumed that keys with the SEP flag set
206 are used as key signing keys and thus exclusively sign the DNSKEY
207 RRset published at the apex of the zone.
249 Ihren, et al. Expires April 18, 2005 [Page 4]
250 Internet-Draft DNSSEC Threshold-based Trust Update October 2004
254 2. Introduction and Background
257 When DNSSEC signatures are validated the resolver constructs a chain
258 of authority from a pre-configured trust anchor to the DNSKEY
259 Resource Record (RR), which contains the public key that validates
260 the signature stored in an RRSIG RR. DNSSEC is designed so that the
261 administrator of a resolver can validate data in multiple islands of
262 security by configuring multiple trust anchors.
265 It is expected that resolvers will have more than one trust anchor
266 configured. Although there is no deployment experience it is not
267 unreasonable to expect resolvers to be configured with a number of
268 trust anchors that varies between order 1 and order 1000. Because
269 zone owners are expected to roll their keys, trust anchors will have
270 to be maintained (in the resolver end) in order not to become stale.
273 Since there is no global key maintenance policy for zone owners and
274 there are no mechanisms in the DNS to signal the key maintenance
275 policy it may be very hard for resolvers administrators to keep their
276 set of trust anchors up to date. For instance, if there is only one
277 trust anchor configured and the key maintenance policy is clearly
278 published, through some out of band trusted channel, then a resolver
279 administrator can probably keep track of key rollovers and update the
280 trust anchor manually. However, with an increasing number of trust
281 anchors all rolled according to individual policies that are all
282 published through different channels this soon becomes an
283 unmanageable problem.
286 2.1 Dangers of Stale Trust Anchors
289 Whenever a SEP key at a security apex is rolled there exists a danger
290 that "stale anchors" are created. A stale anchor is a trust anchor
291 (i.e. a public key configured in a validating resolver) that relates
292 to a private key that is no longer used for signing.
295 The problem with a stale anchors is that they will (from the
296 validating resolvers point of view) prove data to be false even
297 though it is actually correct. This is because the data is either
298 signed by a new key or is no longer signed and the resolver expects
299 data to be signed by the old (now stale) key.
302 This situation is arguably worse than not having a trusted key
303 configured for the secure entry point, since with a stale key no
304 lookup is typically possible (presuming that the default
305 configuration of a validating recursive nameserver is to not give out
306 data that is signed but failed to verify.
309 The danger of making configured trust anchors become stale anchors
314 Ihren, et al. Expires April 18, 2005 [Page 5]
315 Internet-Draft DNSSEC Threshold-based Trust Update October 2004
319 may be a reason for zone owners not to roll their keys. If a
320 resolver is configured with many trust anchors that need manual
321 maintenance it may be easy to not notice a key rollover at a security
322 apex, resulting in a stale anchor.
325 In Section 3 this memo sets out a lightweight, in-DNS, mechanism to
326 track key rollovers and modify the configured trust anchors
327 accordingly. The mechanism is stateless and does not need protocol
328 extensions. The proposed design is that this mechanism is
329 implemented as a "trust updating machine" that is run entirely
330 separate from the validating resolver except that the trust updater
331 will have influence over the trust anchors used by the latter.
334 In Section 4 we describe a method [Editors note: for now only the
335 frame work and a set of requirements] to install trust anchors. This
336 method can be used at first configuration or when the trust anchors
337 became stale (typically due to a failure to track several rollover
341 The choice for which domains trust anchors are to be configured is a
342 local policy issue. So is the choice which trust anchors has
343 prevalence if there are multiple chains of trust to a given piece of
344 DNS data (e.g. when a parent zone and its child both have trust
345 anchors configured). Both issues are out of the scope of this
374 Ihren, et al. Expires April 18, 2005 [Page 6]
375 Internet-Draft DNSSEC Threshold-based Trust Update October 2004
379 3. Threshold-based Trust Anchor Rollover
385 When a key pair is replaced all signatures (in DNSSEC these are the
386 RRSIG records) created with the old key will be replaced by new
387 signatures created by the new key. Access to the new public key is
388 needed to verify these signatures.
391 Since zone signing keys are in "the middle" of a chain of authority
392 they can be verified using the signature made by a key signing key.
393 Rollover of zone signing keys is therefore transparent to validators
394 and requires no action in the validator end.
397 But if a key signing key is rolled a resolver can determine its
398 authenticity by either following the authorization chain from the
399 parents DS record, an out-of-DNS authentication mechanism or by
400 relying on other trust anchors known for the zone in which the key is
404 The threshold trust anchor rollover mechanism (or trust update),
405 described below, is based on using existing trust anchors to verify a
406 subset of the available signatures. This is then used as the basis
407 for a decision to accept the new keys as valid trust anchors.
410 Our example pseudo zone below contains a number of key signing keys
411 numbered 1 through Y and two zone signing keys A and B. During a key
412 rollover key 2 is replaced by key Y+1. The zone content changes
416 example.com. DNSKEY key1
417 example.com. DNSKEY key2
418 example.com. DNSKEY key3
420 example.com. DNSKEY keyY
423 example.com. DNSKEY keyA
424 example.com. DNSKEY keyB
427 example.com. RRSIG DNSKEY ... (key1)
428 example.com. RRSIG DNSKEY ... (key2)
429 example.com. RRSIG DNSKEY ... (key3)
431 example.com. RRSIG DNSKEY ... (keyY)
432 example.com. RRSIG DNSKEY ... (keyA)
433 example.com. RRSIG DNSKEY ... (keyB)
441 Ihren, et al. Expires April 18, 2005 [Page 7]
442 Internet-Draft DNSSEC Threshold-based Trust Update October 2004
446 example.com. DNSKEY key1
447 example.com. DNSKEY key3
449 example.com. DNSKEY keyY
450 example.com. DNSKEY keyY+1
453 example.com. RRSIG DNSKEY ... (key1)
454 example.com. RRSIG DNSKEY ... (key3)
456 example.com. RRSIG DNSKEY ... (keyY)
457 example.com. RRSIG DNSKEY ... (keyY+1)
458 example.com. RRSIG DNSKEY ... (keyA)
459 example.com. RRSIG DNSKEY ... (keyB)
462 When the rollover becomes visible to the verifying stub resolver it
463 will be able to verify the RRSIGs associated with key1, key3 ...
464 keyY. There will be no RRSIG by key2 and the RRSIG by keyY+1 will
465 not be used for validation, since that key is previously unknown and
466 therefore not trusted.
469 Note that this example is simplified. Because of operational
470 considerations described in [5] having a period during which the two
471 key signing keys are both available is necessary.
474 3.2 Threshold-based Trust Update
477 The threshold-based trust update algorithm applies as follows. If
478 for a particular secure entry point
479 o if the DNSKEY RRset in the zone has been replaced by a more recent
480 one (as determined by comparing the RRSIG inception dates)
482 o if at least M configured trust anchors directly verify the related
483 RRSIGs over the new DNSKEY RRset
485 o the number of configured trust anchors that verify the related
486 RRSIGs over the new DNSKEY RRset exceed a locally defined minimum
487 number that should be greater than one
488 then all the trust anchors for the particular secure entry point are
489 replaced by the set of keys from the zones DNSKEY RRset that have the
493 The choices for the rollover acceptance policy parameter M is left to
494 the administrator of the resolver. To be certain that a rollover is
495 accepted up by resolvers using this mechanism zone owners should roll
496 as few SEP keys at a time as possible (preferably just one). That
497 way they comply to the most strict rollover acceptance policy of
504 Ihren, et al. Expires April 18, 2005 [Page 8]
505 Internet-Draft DNSSEC Threshold-based Trust Update October 2004
509 The value of M has an upper bound, limited by the number of of SEP
510 keys a zone owner publishes (i.e. N). But there is also a lower
511 bound, since it will not be safe to base the trust in too few
512 signatures. The corner case is M=1 when any validating RRSIG will be
513 sufficient for a complete replacement of the trust anchors for that
514 secure entry point. This is not a recommended configuration, since
515 that will allow an attacker to initiate rollover of the trust anchors
516 himself given access to just one compromised key. Hence M should in
517 be strictly larger than 1 as shown by the third requirement above.
520 If the rollover acceptance policy is M=1 then the result for the
521 rollover in our example above should be that the local database of
522 trust anchors is updated by removing key "key2" from and adding key
523 "keyY+1" to the key store.
526 3.3 Possible Trust Update States
529 We define five states for trust anchor configuration at the client
531 PRIMING: There are no trust anchors configured. There may be priming
532 keys available for initial priming of trust anchors.
533 IN-SYNC: The set of trust anchors configured exactly matches the set
534 of SEP keys used by the zone owner to sign the zone.
535 OUT-OF-SYNC: The set of trust anchors is not exactly the same as the
536 set of SEP keys used by the zone owner to sign the zone but there
537 are enough SEP key in use by the zone owner that is also in the
538 trust anchor configuration.
539 UNSYNCABLE: There is not enough overlap between the configured trust
540 anchors and the set of SEP keys used to sign the zone for the new
541 set to be accepted by the validator (i.e. the number of
542 signatures that verify is not sufficient).
543 STALE: There is no overlap between the configured trust anchors and
544 the set of SEP keys used to sign the zone. Here validation of
545 data is no longer possible and hence we are in a situation where
546 the trust anchors are stale.
549 Of these five states only two (IN-SYNC and OUT-OF-SYNC) are part of
550 the automatic trust update mechanism. The PRIMING state is where a
551 validator is located before acquiring an up-to-date set of trust
552 anchors. The transition from PRIMING to IN-SYNC is manual (see
556 Example: assume a secure entry point with four SEP keys and a
557 validator with the policy that it will accept any update to the set
558 of trust anchors as long as no more than two signatures fail to
559 validate (i.e. M >= N-2) and at least two signature does validate
560 (i.e. M >= 2). In this case the rollover of a single key will move
561 the validator from IN-SYNC to OUT-OF-SYNC. When the trust update
566 Ihren, et al. Expires April 18, 2005 [Page 9]
567 Internet-Draft DNSSEC Threshold-based Trust Update October 2004
571 state machine updates the trust anchors it returns to state IN-SYNC.
574 If if for some reason it fails to update the trust anchors then the
575 next rollover (of a different key) will move the validator from
576 OUT-OF-SYNC to OUT-OF-SYNC (again), since there are still two keys
577 that are configured as trust anchors and that is sufficient to accpt
578 an automatic update of the trust anchors.
581 The UNSYNCABLE state is where a validator is located if it for some
582 reason fails to incorporate enough updates to the trust anchors to be
583 able to accept new updates according to its local policy. In this
584 example (i.e. with the policy specified above) this will either be
585 because M < N-2 or M < 2, which does not suffice to authenticate a
586 successful update of trust anchors.
589 Continuing with the previous example where two of the four SEP keys
590 have already rolled, but the validator has failed to update the set
591 of trust anchors. When the third key rolls over there will only be
592 one trust anchor left that can do successful validation. This is not
593 sufficient to enable automatic update of the trust anchors, hence the
594 new state is UNSYNCABLE. Note, however, that the remaining
595 up-to-date trust anchor is still enough to do successful validation
596 so the validator is still "working" from a DNSSEC point of view.
599 The STALE state, finally, is where a validator ends up when it has
600 zero remaining current trust anchors. This is a dangerous state,
601 since the stale trust anchors will cause all validation to fail. The
602 escape is to remove the stale trust anchors and thereby revert to the
606 3.4 Implementation notes
609 The DNSSEC protocol specification ordains that a DNSKEY to which a DS
610 record points should be self-signed. Since the keys that serve as
611 trust anchors and the keys that are pointed to by DS records serve
612 the same purpose, they are both secure entry points, we RECOMMEND
613 that zone owners who want to facilitate the automated rollover scheme
614 documented herein self-sign DNSKEYs with the SEP bit set and that
615 implementation check that DNSKEYs with the SEP bit set are
619 In order to maintain a uniform way of determining that a keyset in
620 the zone has been replaced by a more recent set the automatic trust
621 update machine SHOULD only accept new DNSKEY RRsets if the
622 accompanying RRSIGs show a more recent inception date than the
623 present set of trust anchors. This is also needed as a safe guard
624 against possible replay attacks where old updates are replayed
625 "backwards" (i.e. one change at a time, but going in the wrong
630 Ihren, et al. Expires April 18, 2005 [Page 10]
631 Internet-Draft DNSSEC Threshold-based Trust Update October 2004
635 direction, thereby luring the validator into the UNSYNCABLE and
636 finally STALE states).
639 In order to be resilient against failures the implementation should
640 collect the DNSKEY RRsets from (other) authoritative servers if
641 verification of the self signatures fails.
644 The threshold-based trust update mechanism SHOULD only be applied to
645 algorithms, as represented in the algorithm field in the DNSKEY/RRSIG
646 [3], that the resolver is aware of. In other words the SEP keys of
647 unknown algorithms should not be used when counting the number of
648 available signatures (the N constant) and the SEP keys of unknown
649 algorithm should not be entered as trust anchors.
652 When in state UNSYNCABLE or STALE manual intervention will be needed
653 to return to the IN-SYNC state. These states should be flagged. The
654 most appropriate action is human audit possibly followed by
655 re-priming (Section 4) the keyset (i.e. manual transfer to the
656 PRIMING state through removal of the configured trust anchors).
659 An implementation should regularly probe the the authoritative
660 nameservers for new keys. Since there is no mechanism to publish
661 rollover frequencies this document RECOMMENDS zone owners not to roll
662 their key signing keys more often than once per month and resolver
663 administrators to probe for key rollsovers (and apply the threshold
664 criterion for acceptance of trust update) not less often than once
665 per month. If the rollover frequency is higher than the probing
666 frequency then trust anchors may become stale. The exact relation
667 between the frequencies depends on the number of SEP keys rolled by
668 the zone owner and the value M configured by the resolver
672 In all the cases below a transaction where the threshold criterion is
673 not satisfied should be considered bad (i.e. possibly spoofed or
674 otherwise corrupted data). The most appropriate action is human
678 There is one case where a "bad" state may be escaped from in an
679 automated fashion. This is when entering the STALE state where all
680 DNSSEC validation starts to fail. If this happens it is concievable
681 that it is better to completely discard the stale trust anchors
682 (thereby reverting to the PRIMING state where validation is not
683 possible). A local policy that automates removal of stale trust
684 anchors is therefore suggested.
687 3.5 Possible transactions
694 Ihren, et al. Expires April 18, 2005 [Page 11]
695 Internet-Draft DNSSEC Threshold-based Trust Update October 2004
699 3.5.1 Single DNSKEY replaced
702 This is probably the most typical transaction on the zone owners
703 part. The result should be that if the threshold criterion is
704 satisfied then the key store is updated by removal of the old trust
705 anchor and addition of the new key as a new trust anchor. Note that
706 if the DNSKEY RRset contains exactly M keys replacement of keys is
707 not possible, i.e. for automatic rollover to work M must be stricly
711 3.5.2 Addition of a new DNSKEY (no removal)
714 If the threshold criterion is satisfied then the new key is added as
715 a configured trust anchor. Not more than N-M keys can be added at
716 once, since otherwise the algorithm will fail.
719 3.5.3 Removal of old DNSKEY (no addition)
722 If the threshold criterion is satisfied then the old key is removed
723 from being a configured trust anchor. Note that it is not possible
724 to reduce the size of the DNSKEY RRset to a size smaller than the
725 minimum required value for M.
728 3.5.4 Multiple DNSKEYs replaced
731 Arguably it is not a good idea for the zone administrator to replace
732 several keys at the same time, but from the resolver point of view
733 this is exactly what will happen if the validating resolver for some
734 reason failed to notice a previous rollover event.
737 Not more than N-M keys can be replaced at one time or the threshold
738 criterion will not be satisfied. Or, expressed another way: as long
739 as the number of changed keys is less than or equal to N-M the
740 validator is in state OUT-OF-SYNC. When the number of changed keys
741 becomes greater than N-M the state changes to UNSYNCABLE and manual
745 3.6 Removal of trust anchors for a trust point
748 If the parent of a secure entry point gets signed and it's trusted
749 keys get configured in the key store of the validating resolver then
750 the configured trust anchors for the child should be removed entirely
751 unless explicitly configured (in the utility configuration) to be an
755 The reason for such a configuration would be that the resolver has a
756 local policy that requires maintenance of trusted keys further down
757 the tree hierarchy than strictly needed from the point of view.
762 Ihren, et al. Expires April 18, 2005 [Page 12]
763 Internet-Draft DNSSEC Threshold-based Trust Update October 2004
767 The default action when the parent zone changes from unsigned to
768 signed should be to remove the configured trust anchors for the
769 child. This form of "garbage collect" will ensure that the automatic
770 rollover machinery scales as DNSSEC deployment progresses.
773 3.7 No need for resolver-side overlap of old and new keys
776 It is worth pointing out that there is no need for the resolver to
777 keep state about old keys versus new keys, beyond the requirement of
778 tracking signature inception time for the covering RRSIGs as
779 described in Section 3.4.
782 From the resolver point of view there are only trusted and not
783 trusted keys. The reason is that the zone owner needs to do proper
784 maintenance of RRSIGs regardless of the resolver rollover mechanism
785 and hence must ensure that no key rolled out out the DNSKEY set until
786 there cannot be any RRSIGs created by this key still legally cached.
789 Hence the rollover mechanism is entirely stateless with regard to the
790 keys involved: as soon as the resolver (or in this case the rollover
791 tracking utility) detects a change in the DNSKEY RRset (i.e. it is
792 now in the state OUT-OF-SYNC) with a sufficient number of matching
793 RRSIGs the configured trust anchors are immediately updated (and
794 thereby the machine return to state IN-SYNC). I.e. the rollover
795 machine changes states (mostly oscillating between IN-SYNC and
796 OUT-OF-SYNC), but the status of the DNSSEC keys is stateless.
823 Ihren, et al. Expires April 18, 2005 [Page 13]
824 Internet-Draft DNSSEC Threshold-based Trust Update October 2004
828 4. Bootstrapping automatic rollovers
831 It is expected that with the ability to automatically roll trust
832 anchors at trust points will follow a diminished unwillingness to
833 roll these keys, since the risks associated with stale keys are
837 The problem of "priming" the trust anchors, or bringing them into
838 sync (which could happen if a resolver is off line for a long period
839 in which a set of SEP keys in a zone 'evolve' away from its trust
840 anchor configuration) remains.
843 For (re)priming we can rely on out of band technology and we propose
844 the following framework.
850 If all the trust anchors roll somewhat frequently (on the order of
851 months or at most about a year) then it will not be possible to
852 design a device, or a software distribution that includes trust
853 anchors, that after being manufactured is put on a shelf for several
854 key rollover periods before being brought into use (since no trust
855 anchors that were known at the time of manufacture remain active).
858 To alleviate this we propose the concept of "priming keys". Priming
859 keys are ordinary DNSSEC Key Signing Keys with the characteristic
861 o The private part of a priming key signs the DNSKEY RRset at the
862 security apex, i.e. at least one RRSIG DNSKEY is created by a
863 priming key rather than by an "ordinary" trust anchor
864 o the public parts of priming keys are not included in the DNSKEY
865 RRset. Instead the public parts of priming keys are only
866 available out-of-band.
867 o The public parts of the priming keys have a validity period.
868 Within this period they can be used to obtain trust anchors.
869 o The priming key pairs are long lived (relative to the key rollover
873 4.1.1 Bootstrapping trust anchors using a priming key
876 To install the trust anchors for a particular security apex an
877 administrator of a validating resolver will need to:
878 o query for the DNSKEY RRset of the zone at the security apex;
879 o verify the self signatures of all DNSKEYs in the RRset;
880 o verify the signature of the RRSIG made with a priming key --
881 verification using one of the public priming keys that is valid at
882 that moment is sufficient;
888 Ihren, et al. Expires April 18, 2005 [Page 14]
889 Internet-Draft DNSSEC Threshold-based Trust Update October 2004
893 o create the trust anchors by extracting the DNSKEY RRs with the SEP
895 The SEP keys with algorithms unknown to the validating resolver
896 SHOULD be ignored during the creation of the trust anchors.
899 4.1.2 Distribution of priming keys
902 The public parts of the priming keys SHOULD be distributed
903 exclusively through out-of-DNS mechanisms. The requirements for a
904 distribution mechanism are:
905 o it can carry the "validity" period for the priming keys;
906 o it can carry the self-signature of the priming keys;
907 o and it allows for verification using trust relations outside the
909 A distribution mechanism would benefit from:
910 o the availability of revocation lists;
911 o the ability of carrying zone owners policy information such as
912 recommended values for "M" and "N" and a rollover frequency;
913 o and the technology on which is based is readily available.
947 Ihren, et al. Expires April 18, 2005 [Page 15]
948 Internet-Draft DNSSEC Threshold-based Trust Update October 2004
952 5. The Threshold Rollover Mechanism vs Priming
955 There is overlap between the threshold-based trust updater and the
956 Priming method. One could exclusively use the Priming method for
957 maintaining the trust anchors. However the priming method probably
958 relies on "non-DNS' technology and may therefore not be available for
959 all devices that have a resolver.
1005 Ihren, et al. Expires April 18, 2005 [Page 16]
1006 Internet-Draft DNSSEC Threshold-based Trust Update October 2004
1010 6. Security Considerations
1013 6.1 Threshold-based Trust Update Security Considerations
1016 A clear issue for resolvers will be how to ensure that they track all
1017 rollover events for the zones they have configure trust anchors for.
1018 Because of temporary outages validating resolvers may have missed a
1019 rollover of a KSK. The parameters that determine the robustness
1020 against failures are: the length of the period between rollovers
1021 during which the KSK set is stable and validating resolvers can
1022 actually notice the change; the number of available KSKs (i.e. N)
1023 and the number of signatures that may fail to validate (i.e. N-M).
1026 With a large N (i.e. many KSKs) and a small value of M this
1027 operation becomes more robust since losing one key, for whatever
1028 reason, will not be crucial. Unfortunately the choice for the number
1029 of KSKs is a local policy issue for the zone owner while the choice
1030 for the parameter M is a local policy issue for the resolver
1034 Higher values of M increase the resilience against attacks somewhat;
1035 more signatures need to verify for a rollover to be approved. On the
1036 other hand the number of rollover events that may pass unnoticed
1037 before the resolver reaches the UNSYNCABLE state goes down.
1040 The threshold-based trust update intentionally does not provide a
1041 revocation mechanism. In the case that a sufficient number of
1042 private keys of a zone owner are simultaneously compromised the the
1043 attacker may use these private keys to roll the trust anchors of (a
1044 subset of) the resolvers. This is obviously a bad situation but it
1045 is not different from most other public keys systems.
1048 However, it is important to point out that since any reasonable trust
1049 anchor rollover policy (in validating resolvers) will require more
1050 than one RRSIG to validate this proposal does provide security
1051 concious zone administrators with the option of not storing the
1052 individual private keys in the same location and thereby decreasing
1053 the likelihood of simultaneous compromise.
1056 6.2 Priming Key Security Considerations
1059 Since priming keys are not included in the DNSKEY RR set they are
1060 less sensitive to packet size constraints and can be chosen
1061 relatively large. The private parts are only needed to sign the
1062 DNSKEY RR set during the validity period of the particular priming
1063 key pair. Note that the private part of the priming key is used each
1064 time when a DNSKEY RRset has to be resigned. In practice there is
1065 therefore little difference between the usage pattern of the private
1070 Ihren, et al. Expires April 18, 2005 [Page 17]
1071 Internet-Draft DNSSEC Threshold-based Trust Update October 2004
1075 part of key signing keys and priming keys.
1127 Ihren, et al. Expires April 18, 2005 [Page 18]
1128 Internet-Draft DNSSEC Threshold-based Trust Update October 2004
1132 7. IANA Considerations
1185 Ihren, et al. Expires April 18, 2005 [Page 19]
1186 Internet-Draft DNSSEC Threshold-based Trust Update October 2004
1193 8.1 Normative References
1196 [1] Bradner, S., "Key words for use in RFCs to Indicate Requirement
1197 Levels", BCP 14, RFC 2119, March 1997.
1200 [2] Kolkman, O., Schlyter, J. and E. Lewis, "Domain Name System KEY
1201 (DNSKEY) Resource Record (RR) Secure Entry Point (SEP) Flag",
1205 [3] Arends, R., "Resource Records for the DNS Security Extensions",
1206 draft-ietf-dnsext-dnssec-records-10 (work in progress),
1210 8.2 Informative References
1213 [4] Arends, R., Austein, R., Massey, D., Larson, M. and S. Rose,
1214 "DNS Security Introduction and Requirements",
1215 draft-ietf-dnsext-dnssec-intro-12 (work in progress), September
1219 [5] Kolkman, O., "DNSSEC Operational Practices",
1220 draft-ietf-dnsop-dnssec-operational-practices-01 (work in
1221 progress), May 2004.
1224 [6] Housley, R., Ford, W., Polk, T. and D. Solo, "Internet X.509
1225 Public Key Infrastructure Certificate and CRL Profile", RFC
1240 EMail: johani@autonomica.se
1253 Ihren, et al. Expires April 18, 2005 [Page 20]
1254 Internet-Draft DNSSEC Threshold-based Trust Update October 2004
1265 Phone: +31 20 535 4444
1266 EMail: olaf@ripe.net
1267 URI: http://www.ripe.net/
1273 Marina del Rey, CA 90295
1312 Ihren, et al. Expires April 18, 2005 [Page 21]
1313 Internet-Draft DNSSEC Threshold-based Trust Update October 2004
1317 Appendix A. Acknowledgments
1320 The present design for in-band automatic rollovers of DNSSEC trust
1321 anchors is the result of many conversations and it is no longer
1322 possible to remember exactly who contributed what.
1325 In addition we've also had appreciated help from (in no particular
1326 order) Paul Vixie, Sam Weiler, Suzanne Woolf, Steve Crocker, Matt
1327 Larson and Mark Kosters.
1371 Ihren, et al. Expires April 18, 2005 [Page 22]
1372 Internet-Draft DNSSEC Threshold-based Trust Update October 2004
1376 Appendix B. Document History
1379 This appendix will be removed if and when the document is submitted
1383 The version you are reading is tagged as $Revision: 1.1.230.1 $.
1386 Text between square brackets, other than references, are editorial
1387 comments and will be removed.
1390 B.1 prior to version 00
1393 This draft was initially published as a personal submission under the
1394 name draft-kolkman-dnsext-dnssec-in-band-rollover-00.txt.
1397 Kolkman documented the ideas provided by Ihren and Manning. In the
1398 process of documenting (and prototyping) Kolkman changed some of the
1399 details of the M-N algorithms working. Ihren did not have a chance
1400 to review the draft before Kolkman posted;
1403 Kolkman takes responsibilities for omissions, fuzzy definitions and
1408 o The name of the draft was changed as a result of the draft being
1409 adopted as a working group document.
1410 o A small section on the concept of stale trust anchors was added.
1411 o The different possible states are more clearly defined, including
1412 examples of transitions between states.
1413 o The terminology is changed throughout the document. The old term
1414 "M-N" is replaced by "threshold" (more or less). Also the
1415 interpretation of the constants M and N is significantly
1416 simplified to bring the usage more in line with "standard"
1417 threshold terminlogy.
1436 Ihren, et al. Expires April 18, 2005 [Page 23]
1437 Internet-Draft DNSSEC Threshold-based Trust Update October 2004
1441 Intellectual Property Statement
1444 The IETF takes no position regarding the validity or scope of any
1445 Intellectual Property Rights or other rights that might be claimed to
1446 pertain to the implementation or use of the technology described in
1447 this document or the extent to which any license under such rights
1448 might or might not be available; nor does it represent that it has
1449 made any independent effort to identify any such rights. Information
1450 on the procedures with respect to rights in RFC documents can be
1451 found in BCP 78 and BCP 79.
1454 Copies of IPR disclosures made to the IETF Secretariat and any
1455 assurances of licenses to be made available, or the result of an
1456 attempt made to obtain a general license or permission for the use of
1457 such proprietary rights by implementers or users of this
1458 specification can be obtained from the IETF on-line IPR repository at
1459 http://www.ietf.org/ipr.
1462 The IETF invites any interested party to bring to its attention any
1463 copyrights, patents or patent applications, or other proprietary
1464 rights that may cover technology that may be required to implement
1465 this standard. Please address the information to the IETF at
1470 Disclaimer of Validity
1473 This document and the information contained herein are provided on an
1474 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
1475 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
1476 ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
1477 INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
1478 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
1479 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
1486 Copyright (C) The Internet Society (2004). This document is subject
1487 to the rights, licenses and restrictions contained in BCP 78, and
1488 except as set forth therein, the authors retain all their rights.
1495 Funding for the RFC Editor function is currently provided by the
1501 Ihren, et al. Expires April 18, 2005 [Page 24]
projects / FreeBSD / releng / 7.2.git / blob