5 Internet-Draft R. Gieben
6 Obsoletes: 2541 (if approved) NLnet Labs
7 Expires: September 7, 2006 March 6, 2006
10 DNSSEC Operational Practices
11 draft-ietf-dnsop-dnssec-operational-practices-08.txt
15 By submitting this Internet-Draft, each author represents that any
16 applicable patent or other IPR claims of which he or she is aware
17 have been or will be disclosed, and any of which he or she becomes
18 aware will be disclosed, in accordance with Section 6 of BCP 79.
20 Internet-Drafts are working documents of the Internet Engineering
21 Task Force (IETF), its areas, and its working groups. Note that
22 other groups may also distribute working documents as Internet-
25 Internet-Drafts are draft documents valid for a maximum of six months
26 and may be updated, replaced, or obsoleted by other documents at any
27 time. It is inappropriate to use Internet-Drafts as reference
28 material or to cite them other than as "work in progress."
30 The list of current Internet-Drafts can be accessed at
31 http://www.ietf.org/ietf/1id-abstracts.txt.
33 The list of Internet-Draft Shadow Directories can be accessed at
34 http://www.ietf.org/shadow.html.
36 This Internet-Draft will expire on September 7, 2006.
40 Copyright (C) The Internet Society (2006).
44 This document describes a set of practices for operating the DNS with
45 security extensions (DNSSEC). The target audience is zone
46 administrators deploying DNSSEC.
48 The document discusses operational aspects of using keys and
49 signatures in the DNS. It discusses issues as key generation, key
50 storage, signature generation, key rollover and related policies.
55 Kolkman & Gieben Expires September 7, 2006 [Page 1]
57 Internet-Draft DNSSEC Operational Practices March 2006
60 This document obsoletes RFC 2541, as it covers more operational
61 ground and gives more up to date requirements with respect to key
62 sizes and the new DNSSEC specification.
67 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
68 1.1. The Use of the Term 'key' . . . . . . . . . . . . . . . . 4
69 1.2. Time Definitions . . . . . . . . . . . . . . . . . . . . . 5
70 2. Keeping the Chain of Trust Intact . . . . . . . . . . . . . . 5
71 3. Keys Generation and Storage . . . . . . . . . . . . . . . . . 6
72 3.1. Zone and Key Signing Keys . . . . . . . . . . . . . . . . 6
73 3.1.1. Motivations for the KSK and ZSK Separation . . . . . . 7
74 3.1.2. KSKs for High Level Zones . . . . . . . . . . . . . . 8
75 3.2. Key Generation . . . . . . . . . . . . . . . . . . . . . . 8
76 3.3. Key Effectivity Period . . . . . . . . . . . . . . . . . . 9
77 3.4. Key Algorithm . . . . . . . . . . . . . . . . . . . . . . 9
78 3.5. Key Sizes . . . . . . . . . . . . . . . . . . . . . . . . 10
79 3.6. Private Key Storage . . . . . . . . . . . . . . . . . . . 12
80 4. Signature generation, Key Rollover and Related Policies . . . 12
81 4.1. Time in DNSSEC . . . . . . . . . . . . . . . . . . . . . . 12
82 4.1.1. Time Considerations . . . . . . . . . . . . . . . . . 13
83 4.2. Key Rollovers . . . . . . . . . . . . . . . . . . . . . . 14
84 4.2.1. Zone Signing Key Rollovers . . . . . . . . . . . . . . 15
85 4.2.2. Key Signing Key Rollovers . . . . . . . . . . . . . . 19
86 4.2.3. Difference Between ZSK and KSK Rollovers . . . . . . . 20
87 4.2.4. Automated Key Rollovers . . . . . . . . . . . . . . . 21
88 4.3. Planning for Emergency Key Rollover . . . . . . . . . . . 22
89 4.3.1. KSK Compromise . . . . . . . . . . . . . . . . . . . . 22
90 4.3.2. ZSK Compromise . . . . . . . . . . . . . . . . . . . . 24
91 4.3.3. Compromises of Keys Anchored in Resolvers . . . . . . 24
92 4.4. Parental Policies . . . . . . . . . . . . . . . . . . . . 24
93 4.4.1. Initial Key Exchanges and Parental Policies
94 Considerations . . . . . . . . . . . . . . . . . . . . 24
95 4.4.2. Storing Keys or Hashes? . . . . . . . . . . . . . . . 25
96 4.4.3. Security Lameness . . . . . . . . . . . . . . . . . . 25
97 4.4.4. DS Signature Validity Period . . . . . . . . . . . . . 26
98 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 26
99 6. Security Considerations . . . . . . . . . . . . . . . . . . . 27
100 7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 27
101 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 27
102 8.1. Normative References . . . . . . . . . . . . . . . . . . . 27
103 8.2. Informative References . . . . . . . . . . . . . . . . . . 28
104 Appendix A. Terminology . . . . . . . . . . . . . . . . . . . . . 29
105 Appendix B. Zone Signing Key Rollover Howto . . . . . . . . . . . 30
106 Appendix C. Typographic Conventions . . . . . . . . . . . . . . . 31
107 Appendix D. Document Details and Changes . . . . . . . . . . . . 33
111 Kolkman & Gieben Expires September 7, 2006 [Page 2]
113 Internet-Draft DNSSEC Operational Practices March 2006
116 D.1. draft-ietf-dnsop-dnssec-operational-practices-00 . . . . . 33
117 D.2. draft-ietf-dnsop-dnssec-operational-practices-01 . . . . . 33
118 D.3. draft-ietf-dnsop-dnssec-operational-practices-02 . . . . . 33
119 D.4. draft-ietf-dnsop-dnssec-operational-practices-03 . . . . . 33
120 D.5. draft-ietf-dnsop-dnssec-operational-practices-04 . . . . . 34
121 D.6. draft-ietf-dnsop-dnssec-operational-practices-05 . . . . . 34
122 D.7. draft-ietf-dnsop-dnssec-operational-practices-06 . . . . . 34
123 D.8. draft-ietf-dnsop-dnssec-operational-practices-07 . . . . . 34
124 D.9. draft-ietf-dnsop-dnssec-operational-practices-08 . . . . . 34
125 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 35
126 Intellectual Property and Copyright Statements . . . . . . . . . . 36
167 Kolkman & Gieben Expires September 7, 2006 [Page 3]
169 Internet-Draft DNSSEC Operational Practices March 2006
174 This document describes how to run a DNSSEC (DNS SECure) enabled
175 environment. It is intended for operators who have knowledge of the
176 DNS (see RFC 1034 [1] and RFC 1035 [2]) and want deploy DNSSEC. See
177 RFC 4033 [4] for an introduction into DNSSEC and RFC 4034 [5] for the
178 newly introduced Resource Records and finally RFC 4035 [6] for the
181 During workshops and early operational deployment tests, operators
182 and system administrators have gained experience about operating the
183 DNS with security extensions (DNSSEC). This document translates
184 these experiences into a set of practices for zone administrators.
185 At the time of writing, there exists very little experience with
186 DNSSEC in production environments; this document should therefore
187 explicitly not be seen as representing 'Best Current Practices'.
189 The procedures herein are focused on the maintenance of signed zones
190 (i.e. signing and publishing zones on authoritative servers). It is
191 intended that maintenance of zones such as re-signing or key
192 rollovers be transparent to any verifying clients on the Internet.
194 The structure of this document is as follows. In Section 2 we
195 discuss the importance of keeping the "chain of trust" intact.
196 Aspects of key generation and storage of private keys are discussed
197 in Section 3; the focus in this section is mainly on the private part
198 of the key(s). Section 4 describes considerations concerning the
199 public part of the keys. Since these public keys appear in the DNS
200 one has to take into account all kinds of timing issues, which are
201 discussed in Section 4.1. Section 4.2 and Section 4.3 deal with the
202 rollover, or supercession, of keys. Finally Section 4.4 discusses
203 considerations on how parents deal with their children's public keys
204 in order to maintain chains of trust.
206 The typographic conventions used in this document are explained in
209 Since this is a document with operational suggestions and there are
210 no protocol specifications, the RFC 2119 [9] language does not apply.
212 This document obsoletes RFC 2541 [12].
214 1.1. The Use of the Term 'key'
216 It is assumed that the reader is familiar with the concept of
217 asymmetric keys on which DNSSEC is based (Public Key Cryptography
218 [18]). Therefore, this document will use the term 'key' rather
219 loosely. Where it is written that 'a key is used to sign data' it is
223 Kolkman & Gieben Expires September 7, 2006 [Page 4]
225 Internet-Draft DNSSEC Operational Practices March 2006
228 assumed that the reader understands that it is the private part of
229 the key pair that is used for signing. It is also assumed that the
230 reader understands that the public part of the key pair is published
231 in the DNSKEY resource record and that it is the public part that is
232 used in key exchanges.
234 1.2. Time Definitions
236 In this document we will be using a number of time related terms.
237 The following definitions apply:
238 o "Signature validity period"
239 The period that a signature is valid. It starts at the time
240 specified in the signature inception field of the RRSIG RR and
241 ends at the time specified in the expiration field of the RRSIG
243 o "Signature publication period"
244 Time after which a signature (made with a specific key) is
245 replaced with a new signature (made with the same key). This
246 replacement takes place by publishing the relevant RRSIG in the
248 After one stops publishing an RRSIG in a zone it may take a
249 while before the RRSIG has expired from caches and has actually
250 been removed from the DNS.
251 o "Key effectivity period"
252 The period during which a key pair is expected to be effective.
253 This period is defined as the time between the first inception
254 time stamp and the last expiration date of any signature made
255 with this key, regardless of any discontinuity in the use of
257 The key effectivity period can span multiple signature validity
259 o "Maximum/Minimum Zone Time to Live (TTL)"
260 The maximum or minimum value of the TTLs from the complete set
261 of RRs in a zone. Note that the minimum TTL is not the same as
262 the MINIMUM field in the SOA RR. See [11] for more
266 2. Keeping the Chain of Trust Intact
268 Maintaining a valid chain of trust is important because broken chains
269 of trust will result in data being marked as Bogus (as defined in [4]
270 section 5), which may cause entire (sub)domains to become invisible
271 to verifying clients. The administrators of secured zones have to
272 realize that their zone is, to verifying clients, part of a chain of
275 As mentioned in the introduction, the procedures herein are intended
279 Kolkman & Gieben Expires September 7, 2006 [Page 5]
281 Internet-Draft DNSSEC Operational Practices March 2006
284 to ensure that maintenance of zones, such as re-signing or key
285 rollovers, will be transparent to the verifying clients on the
288 Administrators of secured zones will have to keep in mind that data
289 published on an authoritative primary server will not be immediately
290 seen by verifying clients; it may take some time for the data to be
291 transferred to other secondary authoritative nameservers and clients
292 may be fetching data from caching non-authoritative servers. In this
293 light it is good to note that the time for a zone transfer from
294 master to slave is negligible when using NOTIFY [8] and IXFR [7],
295 increasing by reliance on AXFR, and more if you rely on the SOA
296 timing parameters for zone refresh.
298 For the verifying clients it is important that data from secured
299 zones can be used to build chains of trust regardless of whether the
300 data came directly from an authoritative server, a caching nameserver
301 or some middle box. Only by carefully using the available timing
302 parameters can a zone administrator assure that the data necessary
303 for verification can be obtained.
305 The responsibility for maintaining the chain of trust is shared by
306 administrators of secured zones in the chain of trust. This is most
307 obvious in the case of a 'key compromise' when a trade off between
308 maintaining a valid chain of trust and replacing the compromised keys
309 as soon as possible must be made. Then zone administrators will have
310 to make a trade off, between keeping the chain of trust intact -
311 thereby allowing for attacks with the compromised key - or to
312 deliberately break the chain of trust and making secured sub domains
313 invisible to security aware resolvers. Also see Section 4.3.
316 3. Keys Generation and Storage
318 This section describes a number of considerations with respect to the
319 security of keys. It deals with the generation, effectivity period,
320 size and storage of private keys.
322 3.1. Zone and Key Signing Keys
324 The DNSSEC validation protocol does not distinguish between different
325 types of DNSKEYs. All DNSKEYs can be used during the validation. In
326 practice operators use Key Signing and Zone Signing Keys and use the
327 so-called (Secure Entry Point) SEP [3] flag to distinguish between
328 them during operations. The dynamics and considerations are
331 To make zone re-signing and key rollover procedures easier to
335 Kolkman & Gieben Expires September 7, 2006 [Page 6]
337 Internet-Draft DNSSEC Operational Practices March 2006
340 implement, it is possible to use one or more keys as Key Signing Keys
341 (KSK). These keys will only sign the apex DNSKEY RRSet in a zone.
342 Other keys can be used to sign all the RRSets in a zone and are
343 referred to as Zone Signing Keys (ZSK). In this document we assume
344 that KSKs are the subset of keys that are used for key exchanges with
345 the parent and potentially for configuration as trusted anchors - the
346 SEP keys. In this document we assume a one-to-one mapping between
347 KSK and SEP keys and we assume the SEP flag to be set on all KSKs.
349 3.1.1. Motivations for the KSK and ZSK Separation
351 Differentiating between the KSK and ZSK functions has several
354 o No parent/child interaction is required when ZSKs are updated.
355 o The KSK can be made stronger (i.e. using more bits in the key
356 material). This has little operational impact since it is only
357 used to sign a small fraction of the zone data. Also the KSK is
358 only used to verify the zone's key set, not for other RRSets in
360 o As the KSK is only used to sign a key set, which is most probably
361 updated less frequently than other data in the zone, it can be
362 stored separately from and in a safer location than the ZSK.
363 o A KSK can have a longer key effectivity period.
365 For almost any method of key management and zone signing the KSK is
366 used less frequently than the ZSK. Once a key set is signed with the
367 KSK all the keys in the key set can be used as ZSK. If a ZSK is
368 compromised, it can be simply dropped from the key set. The new key
369 set is then re-signed with the KSK.
371 Given the assumption that for KSKs the SEP flag is set, the KSK can
372 be distinguished from a ZSK by examining the flag field in the DNSKEY
373 RR. If the flag field is an odd number it is a KSK. If it is an
374 even number it is a ZSK.
376 The zone signing key can be used to sign all the data in a zone on a
377 regular basis. When a zone signing key is to be rolled, no
378 interaction with the parent is needed. This allows for "Signature
379 Validity Periods" on the order of days.
381 The key signing key is only to be used to sign the DNSKEY RRs in a
382 zone. If a key signing key is to be rolled over, there will be
383 interactions with parties other than the zone administrator. These
384 can include the registry of the parent zone or administrators of
385 verifying resolvers that have the particular key configured as secure
386 entry points. Hence, the key effectivity period of these keys can
387 and should be made much longer. Although, given a long enough key,
391 Kolkman & Gieben Expires September 7, 2006 [Page 7]
393 Internet-Draft DNSSEC Operational Practices March 2006
396 the Key Effectivity Period can be on the order of years we suggest
397 planning for a key effectivity of the order of a few months so that a
398 key rollover remains an operational routine.
400 3.1.2. KSKs for High Level Zones
402 Higher level zones are generally more sensitive than lower level
403 zones. Anyone controlling or breaking the security of a zone thereby
404 obtains authority over all of its sub domains (except in the case of
405 resolvers that have locally configured the public key of a sub
406 domain, in which case this, and only this, sub domain wouldn't be
407 affected by the compromise of the parent zone). Therefore, extra
408 care should be taken with high level zones and strong keys should
411 The root zone is the most critical of all zones. Someone controlling
412 or compromising the security of the root zone would control the
413 entire DNS name space of all resolvers using that root zone (except
414 in the case of resolvers that have locally configured the public key
415 of a sub domain). Therefore, the utmost care must be taken in the
416 securing of the root zone. The strongest and most carefully handled
417 keys should be used. The root zone private key should always be kept
420 Many resolvers will start at a root server for their access to and
421 authentication of DNS data. Securely updating the trust anchors in
422 an enormous population of resolvers around the world will be
427 Careful generation of all keys is a sometimes overlooked but
428 absolutely essential element in any cryptographically secure system.
429 The strongest algorithms used with the longest keys are still of no
430 use if an adversary can guess enough to lower the size of the likely
431 key space so that it can be exhaustively searched. Technical
432 suggestions for the generation of random keys will be found in RFC
433 4086 [15]. One should carefully assess if the random number
434 generator used during key generation adheres to these suggestions.
436 Keys with a long effectivity period are particularly sensitive as
437 they will represent a more valuable target and be subject to attack
438 for a longer time than short period keys. It is strongly recommended
439 that long term key generation occur off-line in a manner isolated
440 from the network via an air gap or, at a minimum, high level secure
447 Kolkman & Gieben Expires September 7, 2006 [Page 8]
449 Internet-Draft DNSSEC Operational Practices March 2006
452 3.3. Key Effectivity Period
454 For various reasons keys in DNSSEC need to be changed once in a
455 while. The longer a key is in use, the greater the probability that
456 it will have been compromised through carelessness, accident,
457 espionage, or cryptanalysis. Furthermore when key rollovers are too
458 rare an event, they will not become part of the operational habit and
459 there is risk that nobody on-site will remember the procedure for
460 rollover when the need is there.
462 From a purely operational perspective a reasonable key effectivity
463 period for Key Signing Keys is 13 months, with the intent to replace
464 them after 12 months. An intended key effectivity period of a month
465 is reasonable for Zone Signing Keys.
467 For key sizes that matches these effectivity periods see Section 3.5.
469 As argued in Section 3.1.2 securely updating trust anchors will be
470 extremely difficult. On the other hand the "operational habit"
471 argument does also apply to trust anchor reconfiguration. If a short
472 key-effectivity period is used and the trust anchor configuration has
473 to be revisited on a regular basis the odds that the configuration
474 tends to be forgotten is smaller. The trade-off is against a system
475 that is so dynamic that administrators of the validating clients will
476 not be able to follow the modifications.
478 Key effectivity periods can be made very short, as in the order of a
479 few minutes. But when replacing keys one has to take the
480 considerations from Section 4.1 and Section 4.2 into account.
484 There are currently three different types of algorithms that can be
485 used in DNSSEC: RSA, DSA and elliptic curve cryptography. The latter
486 is fairly new and has yet to be standardized for usage in DNSSEC.
488 RSA has been developed in an open and transparent manner. As the
489 patent on RSA expired in 2000, its use is now also free.
491 DSA has been developed by NIST. The creation of signatures takes
492 roughly the same time as with RSA, but is 10 to 40 times as slow for
495 We suggest the use of RSA/SHA-1 as the preferred algorithm for the
496 key. The current known attacks on RSA can be defeated by making your
497 key longer. As the MD5 hashing algorithm is showing (theoretical)
498 cracks, we recommend the usage of SHA-1.
503 Kolkman & Gieben Expires September 7, 2006 [Page 9]
505 Internet-Draft DNSSEC Operational Practices March 2006
508 At the time of publication it is known that the SHA-1 hash has
509 cryptanalysis issues. There is work in progress on addressing these
510 issues. We recommend the use of public key algorithms based on
511 hashes stronger than SHA-1, e.g. SHA-256, as soon as these
512 algorithms are available in protocol specifications (See [20] and
513 [21] ) and implementations.
517 When choosing key sizes, zone administrators will need to take into
518 account how long a key will be used, how much data will be signed
519 during the key publication period (See Section 8.10 of [18]) and,
520 optionally, how large the key size of the parent is. As the chain of
521 trust really is "a chain", there is not much sense in making one of
522 the keys in the chain several times larger then the others. As
523 always, it's the weakest link that defines the strength of the entire
524 chain. Also see Section 3.1.1 for a discussion of how keys serving
525 different roles (ZSK v. KSK) may need different key sizes.
527 Generating a key of the correct size is a difficult problem, RFC 3766
528 [14] tries to deal with that problem. The first part of the
529 selection procedure in Section 1 of the RFC states:
531 1. Determine the attack resistance necessary to satisfy the
532 security requirements of the application. Do this by
533 estimating the minimum number of computer operations that
534 the attacker will be forced to do in order to compromise
535 the security of the system and then take the logarithm base
536 two of that number. Call that logarithm value "n".
538 A 1996 report recommended 90 bits as a good all-around choice
539 for system security. The 90 bit number should be increased
540 by about 2/3 bit/year, or about 96 bits in 2005.
542 [14] goes on to explain how this number "n" can be used to calculate
543 the key sizes in public key cryptography. This culminated in the
544 table given below (slightly modified for our purpose):
559 Kolkman & Gieben Expires September 7, 2006 [Page 10]
561 Internet-Draft DNSSEC Operational Practices March 2006
564 +-------------+-----------+--------------+
566 | requirement | Symmetric | RSA or DSA |
567 | for attack | key size | modulus size |
568 | resistance | (bits) | (bits) |
570 +-------------+-----------+--------------+
577 | 250 | 250 | 14596 |
578 +-------------+-----------+--------------+
580 The key sizes given are rather large. This is because these keys are
581 resilient against a trillionaire attacker. Assuming this rich
582 attacker will not attack your key and that the key is rolled over
583 once a year, we come to the following recommendations about KSK
584 sizes; 1024 bits low value domains, 1300 for medium value and 2048
585 for the high value domains.
587 Whether a domain is of low, medium, high value depends solely on the
588 views of the zone owner. One could for instance view leaf nodes in
589 the DNS as of low value and TLDs or the root zone of high value. The
590 suggested key sizes should be safe for the next 5 years.
592 As ZSKs can be rolled over more easily (and thus more often) the key
593 sizes can be made smaller. But as said in the introduction of this
594 paragraph, making the ZSKs' key sizes too small (in relation to the
595 KSKs' sizes) doesn't make much sense. Try to limit the difference in
596 size to about 100 bits.
598 Note that nobody can see into the future, and that these key sizes
599 are only provided here as a guide. Further information can be found
600 in [17] and Section 7.5 of [18]. It should be noted though that [17]
601 is already considered overly optimistic about what key sizes are
604 One final note concerning key sizes. Larger keys will increase the
605 sizes of the RRSIG and DNSKEY records and will therefore increase the
606 chance of DNS UDP packet overflow. Also the time it takes to
607 validate and create RRSIGs increases with larger keys, so don't
608 needlessly double your key sizes.
615 Kolkman & Gieben Expires September 7, 2006 [Page 11]
617 Internet-Draft DNSSEC Operational Practices March 2006
620 3.6. Private Key Storage
622 It is recommended that, where possible, zone private keys and the
623 zone file master copy that is to be signed, be kept and used in off-
624 line, non-network connected, physically secure machines only.
625 Periodically an application can be run to add authentication to a
626 zone by adding RRSIG and NSEC RRs. Then the augmented file can be
629 When relying on dynamic update to manage a signed zone [10], be aware
630 that at least one private key of the zone will have to reside on the
631 master server. This key is only as secure as the amount of exposure
632 the server receives to unknown clients and the security of the host.
633 Although not mandatory one could administer the DNS in the following
634 way. The master that processes the dynamic updates is unavailable
635 from generic hosts on the Internet, it is not listed in the NS RR
636 set, although its name appears in the SOA RRs MNAME field. The
637 nameservers in the NS RR set are able to receive zone updates through
638 NOTIFY, IXFR, AXFR or an out-of-band distribution mechanism. This
639 approach is known as the "hidden master" setup.
641 The ideal situation is to have a one way information flow to the
642 network to avoid the possibility of tampering from the network.
643 Keeping the zone master file on-line on the network and simply
644 cycling it through an off-line signer does not do this. The on-line
645 version could still be tampered with if the host it resides on is
646 compromised. For maximum security, the master copy of the zone file
647 should be off net and should not be updated based on an unsecured
648 network mediated communication.
650 In general keeping a zone-file off-line will not be practical and the
651 machines on which zone files are maintained will be connected to a
652 network. Operators are advised to take security measures to shield
653 unauthorized access to the master copy.
655 For dynamically updated secured zones [10] both the master copy and
656 the private key that is used to update signatures on updated RRs will
660 4. Signature generation, Key Rollover and Related Policies
664 Without DNSSEC all times in DNS are relative. The SOA fields
665 REFRESH, RETRY and EXPIRATION are timers used to determine the time
666 elapsed after a slave server synchronized with a master server. The
667 Time to Live (TTL) value and the SOA RR minimum TTL parameter [11]
671 Kolkman & Gieben Expires September 7, 2006 [Page 12]
673 Internet-Draft DNSSEC Operational Practices March 2006
676 are used to determine how long a forwarder should cache data after it
677 has been fetched from an authoritative server. By using a signature
678 validity period, DNSSEC introduces the notion of an absolute time in
679 the DNS. Signatures in DNSSEC have an expiration date after which
680 the signature is marked as invalid and the signed data is to be
683 4.1.1. Time Considerations
685 Because of the expiration of signatures, one should consider the
687 o We suggest the Maximum Zone TTL of your zone data to be a fraction
688 of your signature validity period.
689 If the TTL would be of similar order as the signature validity
690 period, then all RRSets fetched during the validity period
691 would be cached until the signature expiration time. Section
692 7.1 of [4] suggests that "the resolver may use the time
693 remaining before expiration of the signature validity period of
694 a signed RRSet as an upper bound for the TTL". As a result
695 query load on authoritative servers would peak at signature
696 expiration time, as this is also the time at which records
697 simultaneously expire from caches.
698 To avoid query load peaks we suggest the TTL on all the RRs in
699 your zone to be at least a few times smaller than your
700 signature validity period.
701 o We suggest the Signature Publication Period to end at least one
702 Maximum Zone TTL duration before the end of the Signature Validity
704 Re-signing a zone shortly before the end of the signature
705 validity period may cause simultaneous expiration of data from
706 caches. This in turn may lead to peaks in the load on
707 authoritative servers.
708 o We suggest the minimum zone TTL to be long enough to both fetch
709 and verify all the RRs in the trust chain. In workshop
710 environments it has been demonstrated [19] that a low TTL (under 5
711 to 10 minutes) caused disruptions because of the following two
713 1. During validation, some data may expire before the
714 validation is complete. The validator should be able to keep
715 all data, until is completed. This applies to all RRs needed
716 to complete the chain of trust: DSs, DNSKEYs, RRSIGs, and the
717 final answers i.e. the RRSet that is returned for the initial
719 2. Frequent verification causes load on recursive nameservers.
720 Data at delegation points, DSs, DNSKEYs and RRSIGs benefit from
721 caching. The TTL on those should be relatively long.
727 Kolkman & Gieben Expires September 7, 2006 [Page 13]
729 Internet-Draft DNSSEC Operational Practices March 2006
732 o Slave servers will need to be able to fetch newly signed zones
733 well before the RRSIGs in the zone served by the slave server pass
734 their signature expiration time.
735 When a slave server is out of sync with its master and data in
736 a zone is signed by expired signatures it may be better for the
737 slave server not to give out any answer.
738 Normally a slave server that is not able to contact a master
739 server for an extended period will expire a zone. When that
740 happens the server will respond differently to queries for that
741 zone. Some servers issue SERVFAIL while others turn off the
742 'AA' bit in the answers. The time of expiration is set in the
743 SOA record and is relative to the last successful refresh
744 between the master and the slave server. There exists no
745 coupling between the signature expiration of RRSIGs in the zone
746 and the expire parameter in the SOA.
747 If the server serves a DNSSEC zone then it may well happen that
748 the signatures expire well before the SOA expiration timer
749 counts down to zero. It is not possible to completely prevent
750 this from happening by tweaking the SOA parameters.
751 However, the effects can be minimized where the SOA expiration
752 time is equal or shorter than the signature validity period.
753 The consequence of an authoritative server not being able to
754 update a zone, whilst that zone includes expired signatures, is
755 that non-secure resolvers will continue to be able to resolve
756 data served by the particular slave servers while security
757 aware resolvers will experience problems because of answers
758 being marked as Bogus.
759 We suggest the SOA expiration timer being approximately one
760 third or one fourth of the signature validity period. It will
761 allow problems with transfers from the master server to be
762 noticed before the actual signature times out.
763 We also suggest that operators of nameservers that supply
764 secondary services develop 'watch dogs' to spot upcoming
765 signature expirations in zones they slave, and take appropriate
767 When determining the value for the expiration parameter one has
768 to take the following into account: What are the chances that
769 all my secondaries expire the zone; How quickly can I reach an
770 administrator of secondary servers to load a valid zone? All
771 these arguments are not DNSSEC specific but may influence the
772 choice of your signature validity intervals.
776 A DNSSEC key cannot be used forever (see Section 3.3). So key
777 rollovers -- or supercessions, as they are sometimes called -- are a
778 fact of life when using DNSSEC. Zone administrators who are in the
779 process of rolling their keys have to take into account that data
783 Kolkman & Gieben Expires September 7, 2006 [Page 14]
785 Internet-Draft DNSSEC Operational Practices March 2006
788 published in previous versions of their zone still lives in caches.
789 When deploying DNSSEC, this becomes an important consideration;
790 ignoring data that may be in caches may lead to loss of service for
793 The most pressing example of this occurs when zone material signed
794 with an old key is being validated by a resolver which does not have
795 the old zone key cached. If the old key is no longer present in the
796 current zone, this validation fails, marking the data Bogus.
797 Alternatively, an attempt could be made to validate data which is
798 signed with a new key against an old key that lives in a local cache,
799 also resulting in data being marked Bogus.
801 4.2.1. Zone Signing Key Rollovers
803 For zone signing key rollovers there are two ways to make sure that
804 during the rollover data still cached can be verified with the new
805 key sets or newly generated signatures can be verified with the keys
806 still in caches. One schema, described in Section 4.2.1.2, uses
807 double signatures; the other uses key pre-publication
808 (Section 4.2.1.1). The pros, cons and recommendations are described
811 4.2.1.1. Pre-publish Key Rollover
813 This section shows how to perform a ZSK rollover without the need to
814 sign all the data in a zone twice - the so-called "pre-publish
815 rollover".This method has advantages in the case of a key compromise.
816 If the old key is compromised, the new key has already been
817 distributed in the DNS. The zone administrator is then able to
818 quickly switch to the new key and remove the compromised key from the
819 zone. Another major advantage is that the zone size does not double,
820 as is the case with the double signature ZSK rollover. A small
821 "HOWTO" for this kind of rollover can be found in Appendix B.
823 Pre-publish Key Rollover involves four stages as follows:
825 initial new DNSKEY new RRSIGs DNSKEY removal
828 RRSIG10(SOA0) RRSIG10(SOA1) RRSIG11(SOA2) RRSIG11(SOA3)
830 DNSKEY1 DNSKEY1 DNSKEY1 DNSKEY1
831 DNSKEY10 DNSKEY10 DNSKEY10 DNSKEY11
833 RRSIG1 (DNSKEY) RRSIG1 (DNSKEY) RRSIG1(DNSKEY) RRSIG1 (DNSKEY)
834 RRSIG10(DNSKEY) RRSIG10(DNSKEY) RRSIG11(DNSKEY) RRSIG11(DNSKEY)
839 Kolkman & Gieben Expires September 7, 2006 [Page 15]
841 Internet-Draft DNSSEC Operational Practices March 2006
844 initial: Initial version of the zone: DNSKEY 1 is the key signing
845 key. DNSKEY 10 is used to sign all the data of the zone, the zone
847 new DNSKEY: DNSKEY 11 is introduced into the key set. Note that no
848 signatures are generated with this key yet, but this does not
849 secure against brute force attacks on the public key. The minimum
850 duration of this pre-roll phase is the time it takes for the data
851 to propagate to the authoritative servers plus TTL value of the
853 new RRSIGs: At the "new RRSIGs" stage (SOA serial 2) DNSKEY 11 is
854 used to sign the data in the zone exclusively (i.e. all the
855 signatures from DNSKEY 10 are removed from the zone). DNSKEY 10
856 remains published in the key set. This way data that was loaded
857 into caches from version 1 of the zone can still be verified with
858 key sets fetched from version 2 of the zone.
859 The minimum time that the key set including DNSKEY 10 is to be
860 published is the time that it takes for zone data from the
861 previous version of the zone to expire from old caches i.e. the
862 time it takes for this zone to propagate to all authoritative
863 servers plus the Maximum Zone TTL value of any of the data in the
864 previous version of the zone.
865 DNSKEY removal: DNSKEY 10 is removed from the zone. The key set, now
866 only containing DNSKEY 1 and DNSKEY 11 is re-signed with the
869 The above scheme can be simplified by always publishing the "future"
870 key immediately after the rollover. The scheme would look as follows
871 (we show two rollovers); the future key is introduced in "new DNSKEY"
872 as DNSKEY 12 and again a newer one, numbered 13, in "new DNSKEY
895 Kolkman & Gieben Expires September 7, 2006 [Page 16]
897 Internet-Draft DNSSEC Operational Practices March 2006
900 initial new RRSIGs new DNSKEY
903 RRSIG10(SOA0) RRSIG11(SOA1) RRSIG11(SOA2)
905 DNSKEY1 DNSKEY1 DNSKEY1
906 DNSKEY10 DNSKEY10 DNSKEY11
907 DNSKEY11 DNSKEY11 DNSKEY12
908 RRSIG1(DNSKEY) RRSIG1 (DNSKEY) RRSIG1(DNSKEY)
909 RRSIG10(DNSKEY) RRSIG11(DNSKEY) RRSIG11(DNSKEY)
912 new RRSIGs (II) new DNSKEY (II)
915 RRSIG12(SOA3) RRSIG12(SOA4)
920 RRSIG1(DNSKEY) RRSIG1(DNSKEY)
921 RRSIG12(DNSKEY) RRSIG12(DNSKEY)
924 Pre-Publish Key Rollover, showing two rollovers.
926 Note that the key introduced in the "new DNSKEY" phase is not used
927 for production yet; the private key can thus be stored in a
928 physically secure manner and does not need to be 'fetched' every time
929 a zone needs to be signed.
931 4.2.1.2. Double Signature Zone Signing Key Rollover
933 This section shows how to perform a ZSK key rollover using the double
934 zone data signature scheme, aptly named "double sig rollover".
936 During the "new DNSKEY" stage the new version of the zone file will
937 need to propagate to all authoritative servers and the data that
938 exists in (distant) caches will need to expire, requiring at least
939 the maximum Zone TTL.
951 Kolkman & Gieben Expires September 7, 2006 [Page 17]
953 Internet-Draft DNSSEC Operational Practices March 2006
956 Double Signature Zone Signing Key Rollover involves three stages as
959 initial new DNSKEY DNSKEY removal
962 RRSIG10(SOA0) RRSIG10(SOA1) RRSIG11(SOA2)
965 DNSKEY1 DNSKEY1 DNSKEY1
966 DNSKEY10 DNSKEY10 DNSKEY11
968 RRSIG1(DNSKEY) RRSIG1(DNSKEY) RRSIG1(DNSKEY)
969 RRSIG10(DNSKEY) RRSIG10(DNSKEY) RRSIG11(DNSKEY)
972 initial: Initial Version of the zone: DNSKEY 1 is the key signing
973 key. DNSKEY 10 is used to sign all the data of the zone, the zone
975 new DNSKEY: At the "New DNSKEY" stage (SOA serial 1) DNSKEY 11 is
976 introduced into the key set and all the data in the zone is signed
977 with DNSKEY 10 and DNSKEY 11. The rollover period will need to
978 continue until all data from version 0 of the zone has expired
979 from remote caches. This will take at least the maximum Zone TTL
980 of version 0 of the zone.
981 DNSKEY removal: DNSKEY 10 is removed from the zone. All the
982 signatures from DNSKEY 10 are removed from the zone. The key set,
983 now only containing DNSKEY 11, is re-signed with DNSKEY 1.
985 At every instance, RRSIGs from the previous version of the zone can
986 be verified with the DNSKEY RRSet from the current version and the
987 other way around. The data from the current version can be verified
988 with the data from the previous version of the zone. The duration of
989 the "new DNSKEY" phase and the period between rollovers should be at
990 least the Maximum Zone TTL.
992 Making sure that the "new DNSKEY" phase lasts until the signature
993 expiration time of the data in initial version of the zone is
994 recommended. This way all caches are cleared of the old signatures.
995 However, this duration could be considerably longer than the Maximum
996 Zone TTL, making the rollover a lengthy procedure.
998 Note that in this example we assumed that the zone was not modified
999 during the rollover. New data can be introduced in the zone as long
1000 as it is signed with both keys.
1007 Kolkman & Gieben Expires September 7, 2006 [Page 18]
1009 Internet-Draft DNSSEC Operational Practices March 2006
1012 4.2.1.3. Pros and Cons of the Schemes
1014 Pre-publish Key Rollover: This rollover does not involve signing the
1015 zone data twice. Instead, before the actual rollover, the new key
1016 is published in the key set and thus available for cryptanalysis
1017 attacks. A small disadvantage is that this process requires four
1018 steps. Also the pre-publish scheme involves more parental work
1019 when used for KSK rollovers as explained in Section 4.2.3.
1020 Double Signature Zone-signing Key Rollover: The drawback of this
1021 signing scheme is that during the rollover the number of
1022 signatures in your zone doubles, this may be prohibitive if you
1023 have very big zones. An advantage is that it only requires three
1026 4.2.2. Key Signing Key Rollovers
1028 For the rollover of a key signing key the same considerations as for
1029 the rollover of a zone signing key apply. However we can use a
1030 double signature scheme to guarantee that old data (only the apex key
1031 set) in caches can be verified with a new key set and vice versa.
1032 Since only the key set is signed with a KSK, zone size considerations
1036 initial new DNSKEY DS change DNSKEY removal
1038 SOA0 --------> SOA1 -------->
1039 RRSIGpar(SOA0) --------> RRSIGpar(SOA1) -------->
1040 DS1 --------> DS2 -------->
1041 RRSIGpar(DS) --------> RRSIGpar(DS) -------->
1045 SOA0 SOA1 --------> SOA2
1046 RRSIG10(SOA0) RRSIG10(SOA1) --------> RRSIG10(SOA2)
1048 DNSKEY1 DNSKEY1 --------> DNSKEY2
1050 DNSKEY10 DNSKEY10 --------> DNSKEY10
1051 RRSIG1 (DNSKEY) RRSIG1 (DNSKEY) --------> RRSIG2 (DNSKEY)
1052 RRSIG2 (DNSKEY) -------->
1053 RRSIG10(DNSKEY) RRSIG10(DNSKEY) --------> RRSIG10(DNSKEY)
1055 Stages of Deployment for Key Signing Key Rollover.
1063 Kolkman & Gieben Expires September 7, 2006 [Page 19]
1065 Internet-Draft DNSSEC Operational Practices March 2006
1068 initial: Initial version of the zone. The parental DS points to
1069 DNSKEY1. Before the rollover starts the child will have to verify
1070 what the TTL is of the DS RR that points to DNSKEY1 - it is needed
1071 during the rollover and we refer to the value as TTL_DS.
1072 new DNSKEY: During the "new DNSKEY" phase the zone administrator
1073 generates a second KSK, DNSKEY2. The key is provided to the
1074 parent and the child will have to wait until a new DS RR has been
1075 generated that points to DNSKEY2. After that DS RR has been
1076 published on all servers authoritative for the parent's zone, the
1077 zone administrator has to wait at least TTL_DS to make sure that
1078 the old DS RR has expired from caches.
1079 DS change: The parent replaces DS1 with DS2.
1080 DNSKEY removal: DNSKEY1 has been removed.
1082 The scenario above puts the responsibility for maintaining a valid
1083 chain of trust with the child. It also is based on the premises that
1084 the parent only has one DS RR (per algorithm) per zone. An
1085 alternative mechanism has been considered. Using an established
1086 trust relation, the interaction can be performed in-band, and the
1087 removal of the keys by the child can possibly be signaled by the
1088 parent. In this mechanism there are periods where there are two DS
1089 RRs at the parent. Since at the moment of writing the protocol for
1090 this interaction has not been developed, further discussion is out of
1091 scope for this document.
1093 4.2.3. Difference Between ZSK and KSK Rollovers
1095 Note that KSK rollovers and ZSK rollovers are different in the sense
1096 that a KSK rollover requires interaction with the parent (and
1097 possibly replacing of trust anchors) and the ensuing delay while
1100 A zone key rollover can be handled in two different ways: pre-publish
1101 (Section Section 4.2.1.1) and double signature (Section
1104 As the KSK is used to validate the key set and because the KSK is not
1105 changed during a ZSK rollover, a cache is able to validate the new
1106 key set of the zone. The pre-publish method would also work for a
1107 KSK rollover. The records that are to be pre-published are the
1108 parental DS RRs. The pre-publish method has some drawbacks for KSKs.
1109 We first describe the rollover scheme and then indicate these
1119 Kolkman & Gieben Expires September 7, 2006 [Page 20]
1121 Internet-Draft DNSSEC Operational Practices March 2006
1124 initial new DS new DNSKEY DS/DNSKEY removal
1126 SOA0 SOA1 --------> SOA2
1127 RRSIGpar(SOA0) RRSIGpar(SOA1) --------> RRSIGpar(SOA2)
1128 DS1 DS1 --------> DS2
1130 RRSIGpar(DS) RRSIGpar(DS) --------> RRSIGpar(DS)
1135 SOA0 --------> SOA1 SOA1
1136 RRSIG10(SOA0) --------> RRSIG10(SOA1) RRSIG10(SOA1)
1138 DNSKEY1 --------> DNSKEY2 DNSKEY2
1140 DNSKEY10 --------> DNSKEY10 DNSKEY10
1141 RRSIG1 (DNSKEY) --------> RRSIG2(DNSKEY) RRSIG2 (DNSKEY)
1142 RRSIG10(DNSKEY) --------> RRSIG10(DNSKEY) RRSIG10(DNSKEY)
1144 Stages of Deployment for a Pre-publish Key Signing Key rollover.
1146 When the child zone wants to roll it notifies the parent during the
1147 "new DS" phase and submits the new key (or the corresponding DS) to
1148 the parent. The parent publishes DS1 and DS2, pointing to DNSKEY1
1149 and DNSKEY2 respectively. During the rollover ("new DNSKEY" phase),
1150 which can take place as soon as the new DS set propagated through the
1151 DNS, the child replaces DNSKEY1 with DNSKEY2. Immediately after that
1152 ("DS/DNSKEY removal" phase) it can notify the parent that the old DS
1153 record can be deleted.
1155 The drawbacks of this scheme are that during the "new DS" phase the
1156 parent cannot verify the match between the DS2 RR and DNSKEY2 using
1157 the DNS -- as DNSKEY2 is not yet published. Besides, we introduce a
1158 "security lame" key (See Section 4.4.3). Finally the child-parent
1159 interaction consists of two steps. The "double signature" method
1160 only needs one interaction.
1162 4.2.4. Automated Key Rollovers
1164 As keys must be renewed periodically, there is some motivation to
1165 automate the rollover process. Consider that:
1167 o ZSK rollovers are easy to automate as only the child zone is
1169 o A KSK rollover needs interaction between parent and child. Data
1170 exchange is needed to provide the new keys to the parent,
1171 consequently, this data must be authenticated and integrity must
1175 Kolkman & Gieben Expires September 7, 2006 [Page 21]
1177 Internet-Draft DNSSEC Operational Practices March 2006
1180 be guaranteed in order to avoid attacks on the rollover.
1182 4.3. Planning for Emergency Key Rollover
1184 This section deals with preparation for a possible key compromise.
1185 Our advice is to have a documented procedure ready for when a key
1186 compromise is suspected or confirmed.
1188 When the private material of one of your keys is compromised it can
1189 be used for as long as a valid trust chain exists. A trust chain
1191 o as long as a signature over the compromised key in the trust chain
1193 o as long as a parental DS RR (and signature) points to the
1195 o as long as the key is anchored in a resolver and is used as a
1196 starting point for validation (this is generally the hardest to
1199 While a trust chain to your compromised key exists, your name-space
1200 is vulnerable to abuse by anyone who has obtained illegitimate
1201 possession of the key. Zone operators have to make a trade off if
1202 the abuse of the compromised key is worse than having data in caches
1203 that cannot be validated. If the zone operator chooses to break the
1204 trust chain to the compromised key, data in caches signed with this
1205 key cannot be validated. However, if the zone administrator chooses
1206 to take the path of a regular roll-over, the malicious key holder can
1207 spoof data so that it appears to be valid.
1209 4.3.1. KSK Compromise
1211 A zone containing a DNSKEY RRSet with a compromised KSK is vulnerable
1212 as long as the compromised KSK is configured as trust anchor or a
1213 parental DS points to it.
1215 A compromised KSK can be used to sign the key set of an attacker's
1216 zone. That zone could be used to poison the DNS.
1218 Therefore when the KSK has been compromised, the trust anchor or the
1219 parental DS, should be replaced as soon as possible. It is local
1220 policy whether to break the trust chain during the emergency
1221 rollover. The trust chain would be broken when the compromised KSK
1222 is removed from the child's zone while the parent still has a DS
1223 pointing to the compromised KSK (the assumption is that there is only
1224 one DS at the parent. If there are multiple DSs this does not apply
1225 -- however the chain of trust of this particular key is broken).
1227 Note that an attacker's zone still uses the compromised KSK and the
1231 Kolkman & Gieben Expires September 7, 2006 [Page 22]
1233 Internet-Draft DNSSEC Operational Practices March 2006
1236 presence of a parental DS would cause the data in this zone to appear
1237 as valid. Removing the compromised key would cause the attacker's
1238 zone to appear as valid and the child's zone as Bogus. Therefore we
1239 advise not to remove the KSK before the parent has a DS to a new KSK
1242 4.3.1.1. Keeping the Chain of Trust Intact
1244 If we follow this advice the timing of the replacement of the KSK is
1245 somewhat critical. The goal is to remove the compromised KSK as soon
1246 as the new DS RR is available at the parent. And also make sure that
1247 the signature made with a new KSK over the key set with the
1248 compromised KSK in it expires just after the new DS appears at the
1249 parent. Thus removing the old cruft in one swoop.
1251 The procedure is as follows:
1252 1. Introduce a new KSK into the key set, keep the compromised KSK in
1254 2. Sign the key set, with a short validity period. The validity
1255 period should expire shortly after the DS is expected to appear
1256 in the parent and the old DSs have expired from caches.
1257 3. Upload the DS for this new key to the parent.
1258 4. Follow the procedure of the regular KSK rollover: Wait for the DS
1259 to appear in the authoritative servers and then wait as long as
1260 the TTL of the old DS RRs. If necessary re-sign the DNSKEY RRSet
1261 and modify/extend the expiration time.
1262 5. Remove the compromised DNSKEY RR from the zone and re-sign the
1263 key set using your "normal" validity interval.
1265 An additional danger of a key compromise is that the compromised key
1266 could be used to facilitate a legitimate DNSKEY/DS rollover and/or
1267 nameserver changes at the parent. When that happens the domain may
1268 be in dispute. An authenticated out-of-band and secure notify
1269 mechanism to contact a parent is needed in this case.
1271 Note that this is only a problem when the DNSKEY and or DS records
1272 are used for authentication at the parent.
1274 4.3.1.2. Breaking the Chain of Trust
1276 There are two methods to break the chain of trust. The first method
1277 causes the child zone to appear as 'Bogus' to validating resolvers.
1278 The other causes the the child zone to appear as 'insecure'. These
1279 are described below.
1281 In the method that causes the child zone to appear as 'Bogus' to
1282 validating resolvers, the child zone replaces the current KSK with a
1283 new one and resigns the key set. Next it sends the DS of the new key
1287 Kolkman & Gieben Expires September 7, 2006 [Page 23]
1289 Internet-Draft DNSSEC Operational Practices March 2006
1292 to the parent. Only after the parent has placed the new DS in the
1293 zone, the child's chain of trust is repaired.
1295 An alternative method of breaking the chain of trust is by removing
1296 the DS RRs from the parent zone altogether. As a result the child
1297 zone would become insecure.
1299 4.3.2. ZSK Compromise
1301 Primarily because there is no parental interaction required when a
1302 ZSK is compromised, the situation is less severe than with a KSK
1303 compromise. The zone must still be re-signed with a new ZSK as soon
1304 as possible. As this is a local operation and requires no
1305 communication between the parent and child this can be achieved
1306 fairly quickly. However, one has to take into account that just as
1307 with a normal rollover the immediate disappearance of the old
1308 compromised key may lead to verification problems. Also note that as
1309 long as the RRSIG over the compromised ZSK is not expired the zone
1310 may be still at risk.
1312 4.3.3. Compromises of Keys Anchored in Resolvers
1314 A key can also be pre-configured in resolvers. For instance, if
1315 DNSSEC is successfully deployed the root key may be pre-configured in
1316 most security aware resolvers.
1318 If trust-anchor keys are compromised, the resolvers using these keys
1319 should be notified of this fact. Zone administrators may consider
1320 setting up a mailing list to communicate the fact that a SEP key is
1321 about to be rolled over. This communication will of course need to
1322 be authenticated e.g. by using digital signatures.
1324 End-users faced with the task of updating an anchored key should
1325 always validate the new key. New keys should be authenticated out-
1326 of-band, for example, looking them up on an SSL secured announcement
1329 4.4. Parental Policies
1331 4.4.1. Initial Key Exchanges and Parental Policies Considerations
1333 The initial key exchange is always subject to the policies set by the
1334 parent. When designing a key exchange policy one should take into
1335 account that the authentication and authorization mechanisms used
1336 during a key exchange should be as strong as the authentication and
1337 authorization mechanisms used for the exchange of delegation
1338 information between parent and child. I.e. there is no implicit need
1339 in DNSSEC to make the authentication process stronger than it was in
1343 Kolkman & Gieben Expires September 7, 2006 [Page 24]
1345 Internet-Draft DNSSEC Operational Practices March 2006
1350 Using the DNS itself as the source for the actual DNSKEY material,
1351 with an out-of-band check on the validity of the DNSKEY, has the
1352 benefit that it reduces the chances of user error. A DNSKEY query
1353 tool can make use of the SEP bit [3] to select the proper key from a
1354 DNSSEC key set; thereby reducing the chance that the wrong DNSKEY is
1355 sent. It can validate the self-signature over a key; thereby
1356 verifying the ownership of the private key material. Fetching the
1357 DNSKEY from the DNS ensures that the chain of trust remains intact
1358 once the parent publishes the DS RR indicating the child is secure.
1360 Note: the out-of-band verification is still needed when the key-
1361 material is fetched via the DNS. The parent can never be sure
1362 whether the DNSKEY RRs have been spoofed or not.
1364 4.4.2. Storing Keys or Hashes?
1366 When designing a registry system one should consider which of the
1367 DNSKEYs and/or the corresponding DSs to store. Since a child zone
1368 might wish to have a DS published using a message digest algorithm
1369 not yet understood by the registry, the registry can't count on being
1370 able to generate the DS record from a raw DNSKEY. Thus, we recommend
1371 that registry systems at least support storing DS records.
1373 It may also be useful to store DNSKEYs, since having them may help
1374 during troubleshooting and, as long as the child's chosen message
1375 digest is supported, the overhead of generating DS records from them
1376 is minimal. Having an out-of-band mechanism, such as a registry
1377 directory (e.g. Whois), to find out which keys are used to generate
1378 DS Resource Records for specific owners and/or zones may also help
1379 with troubleshooting.
1381 The storage considerations also relate to the design of the customer
1382 interface and the method by which data is transferred between
1383 registrant and registry; Will the child zone administrator be able to
1384 upload DS RRs with unknown hash algorithms or does the interface only
1385 allow DNSKEYs? In the registry-registrar model one can use the
1386 DNSSEC EPP protocol extension [16] which allows transfer of DS RRs
1387 and optionally DNSKEY RRs.
1389 4.4.3. Security Lameness
1391 Security Lameness is defined as what happens when a parent has a DS
1392 RR pointing to a non-existing DNSKEY RR. When this happens the
1393 child's zone may be marked as "Bogus" by verifying DNS clients.
1395 As part of a comprehensive delegation check the parent could, at key
1399 Kolkman & Gieben Expires September 7, 2006 [Page 25]
1401 Internet-Draft DNSSEC Operational Practices March 2006
1404 exchange time, verify that the child's key is actually configured in
1405 the DNS. However if a parent does not understand the hashing
1406 algorithm used by child the parental checks are limited to only
1407 comparing the key id.
1409 Child zones should be very careful removing DNSKEY material,
1410 specifically SEP keys, for which a DS RR exists.
1412 Once a zone is "security lame", a fix (e.g. removing a DS RR) will
1413 take time to propagate through the DNS.
1415 4.4.4. DS Signature Validity Period
1417 Since the DS can be replayed as long as it has a valid signature, a
1418 short signature validity period over the DS minimizes the time a
1419 child is vulnerable in the case of a compromise of the child's
1420 KSK(s). A signature validity period that is too short introduces the
1421 possibility that a zone is marked Bogus in case of a configuration
1422 error in the signer. There may not be enough time to fix the
1423 problems before signatures expire. Something as mundane as operator
1424 unavailability during weekends shows the need for DS signature
1425 validity periods longer than 2 days. We recommend an absolute
1426 minimum for a DS signature validity period of a few days.
1428 The maximum signature validity period of the DS record depends on how
1429 long child zones are willing to be vulnerable after a key compromise.
1430 On the other hand shortening the DS signature validity interval
1431 increases the operational risk for the parent. Therefore the parent
1432 may have policy to use a signature validity interval that is
1433 considerably longer than the child would hope for.
1435 A compromise between the operational constraints of the parent and
1436 minimizing damage for the child may result in a DS signature validity
1437 period somewhere between the order of a week to order of months.
1439 In addition to the signature validity period, which sets a lower
1440 bound on the number of times the zone owner will need to sign the
1441 zone data and which sets an upper bound to the time a child is
1442 vulnerable after key compromise, there is the TTL value on the DS
1443 RRs. Shortening the TTL means that the authoritative servers will
1444 see more queries. But on the other hand, a short TTL lowers the
1445 persistence of DS RRSets in caches thereby increases the speed with
1446 which updated DS RRSets propagate through the DNS.
1449 5. IANA Considerations
1451 This overview document introduces no new IANA considerations.
1455 Kolkman & Gieben Expires September 7, 2006 [Page 26]
1457 Internet-Draft DNSSEC Operational Practices March 2006
1460 6. Security Considerations
1462 DNSSEC adds data integrity to the DNS. This document tries to assess
1463 the operational considerations to maintain a stable and secure DNSSEC
1464 service. Not taking into account the 'data propagation' properties
1465 in the DNS will cause validation failures and may make secured zones
1466 unavailable to security aware resolvers.
1471 Most of the ideas in this draft were the result of collective efforts
1472 during workshops, discussions and try outs.
1474 At the risk of forgetting individuals who were the original
1475 contributors of the ideas we would like to acknowledge people who
1476 were actively involved in the compilation of this document. In
1477 random order: Rip Loomis, Olafur Gudmundsson, Wesley Griffin, Michael
1478 Richardson, Scott Rose, Rick van Rein, Tim McGinnis, Gilles Guette
1479 Olivier Courtay, Sam Weiler, Jelte Jansen, Niall O'Reilly, Holger
1480 Zuleger, Ed Lewis, Hilarie Orman, Marcos Sanz and Peter Koch.
1482 Some material in this document has been copied from RFC 2541 [12].
1484 Mike StJohns designed the key exchange between parent and child
1485 mentioned in the last paragraph of Section 4.2.2
1487 Section 4.2.4 was supplied by G. Guette and O. Courtay.
1489 Emma Bretherick, Adrian Bedford and Lindy Foster corrected many of
1490 the spelling and style issues.
1492 Kolkman and Gieben take the blame for introducing all miscakes(SIC).
1494 Kolkman was employed by the RIPE NCC while working on this document.
1499 8.1. Normative References
1501 [1] Mockapetris, P., "Domain names - concepts and facilities",
1502 STD 13, RFC 1034, November 1987.
1504 [2] Mockapetris, P., "Domain names - implementation and
1505 specification", STD 13, RFC 1035, November 1987.
1507 [3] Kolkman, O., Schlyter, J., and E. Lewis, "Domain Name System KEY
1511 Kolkman & Gieben Expires September 7, 2006 [Page 27]
1513 Internet-Draft DNSSEC Operational Practices March 2006
1516 (DNSKEY) Resource Record (RR) Secure Entry Point (SEP) Flag",
1519 [4] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
1520 "DNS Security Introduction and Requirements", RFC 4033,
1523 [5] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
1524 "Resource Records for the DNS Security Extensions", RFC 4034,
1527 [6] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
1528 "Protocol Modifications for the DNS Security Extensions",
1529 RFC 4035, March 2005.
1531 8.2. Informative References
1533 [7] Ohta, M., "Incremental Zone Transfer in DNS", RFC 1995,
1536 [8] Vixie, P., "A Mechanism for Prompt Notification of Zone Changes
1537 (DNS NOTIFY)", RFC 1996, August 1996.
1539 [9] Bradner, S., "Key words for use in RFCs to Indicate Requirement
1540 Levels", BCP 14, RFC 2119, March 1997.
1542 [10] Eastlake, D., "Secure Domain Name System Dynamic Update",
1543 RFC 2137, April 1997.
1545 [11] Andrews, M., "Negative Caching of DNS Queries (DNS NCACHE)",
1546 RFC 2308, March 1998.
1548 [12] Eastlake, D., "DNS Security Operational Considerations",
1549 RFC 2541, March 1999.
1551 [13] Gudmundsson, O., "Delegation Signer (DS) Resource Record (RR)",
1552 RFC 3658, December 2003.
1554 [14] Orman, H. and P. Hoffman, "Determining Strengths For Public
1555 Keys Used For Exchanging Symmetric Keys", BCP 86, RFC 3766,
1558 [15] Eastlake, D., Schiller, J., and S. Crocker, "Randomness
1559 Requirements for Security", BCP 106, RFC 4086, June 2005.
1561 [16] Hollenbeck, S., "Domain Name System (DNS) Security Extensions
1562 Mapping for the Extensible Provisioning Protocol (EPP)",
1563 RFC 4310, December 2005.
1567 Kolkman & Gieben Expires September 7, 2006 [Page 28]
1569 Internet-Draft DNSSEC Operational Practices March 2006
1572 [17] Lenstra, A. and E. Verheul, "Selecting Cryptographic Key
1573 Sizes", The Journal of Cryptology 14 (255-293), 2001.
1575 [18] Schneier, B., "Applied Cryptography: Protocols, Algorithms, and
1576 Source Code in C", ISBN (hardcover) 0-471-12845-7, ISBN
1577 (paperback) 0-471-59756-2, Published by John Wiley & Sons Inc.,
1580 [19] Rose, S., "NIST DNSSEC workshop notes", June 2001.
1582 [20] Jansen, J., "Use of RSA/SHA-256 DNSKEY and RRSIG Resource
1583 Records in DNSSEC", draft-ietf-dnsext-dnssec-rsasha256-00.txt
1584 (work in progress), January 2006.
1586 [21] Hardaker, W., "Use of SHA-256 in DNSSEC Delegation Signer (DS)
1587 Resource Records (RRs)", draft-ietf-dnsext-ds-sha256-04.txt
1588 (work in progress), January 2006.
1591 Appendix A. Terminology
1593 In this document there is some jargon used that is defined in other
1594 documents. In most cases we have not copied the text from the
1595 documents defining the terms but given a more elaborate explanation
1596 of the meaning. Note that these explanations should not be seen as
1599 Anchored Key: A DNSKEY configured in resolvers around the globe.
1600 This key is hard to update, hence the term anchored.
1601 Bogus: Also see Section 5 of [4]. An RRSet in DNSSEC is marked
1602 "Bogus" when a signature of a RRSet does not validate against a
1604 Key Signing Key or KSK: A Key Signing Key (KSK) is a key that is used
1605 exclusively for signing the apex key set. The fact that a key is
1606 a KSK is only relevant to the signing tool.
1607 Key size: The term 'key size' can be substituted by 'modulus size'
1608 throughout the document. It is mathematically more correct to use
1609 modulus size, but as this is a document directed at operators we
1610 feel more at ease with the term key size.
1611 Private and Public Keys: DNSSEC secures the DNS through the use of
1612 public key cryptography. Public key cryptography is based on the
1613 existence of two (mathematically related) keys, a public key and a
1614 private key. The public keys are published in the DNS by use of
1615 the DNSKEY Resource Record (DNSKEY RR). Private keys should
1623 Kolkman & Gieben Expires September 7, 2006 [Page 29]
1625 Internet-Draft DNSSEC Operational Practices March 2006
1628 Key Rollover: A key rollover (also called key supercession in some
1629 environments) is the act of replacing one key pair by another at
1630 the end of a key effectivity period.
1631 Secure Entry Point key or SEP Key: A KSK that has a parental DS
1632 record pointing to it or is configured as a trust anchor.
1633 Although not required by the protocol we recommend that the SEP
1634 flag [3] is set on these keys.
1635 Self-signature: This is only applies to signatures over DNSKEYs; a
1636 signature made with DNSKEY x, over DNSKEY x is called a self-
1637 signature. Note: without further information self-signatures
1638 convey no trust, they are useful to check the authenticity of the
1639 DNSKEY, i.e. they can be used as a hash.
1640 Singing the Zone File: The term used for the event where an
1641 administrator joyfully signs its zone file while producing melodic
1643 Signer: The system that has access to the private key material and
1644 signs the Resource Record sets in a zone. A signer may be
1645 configured to sign only parts of the zone e.g. only those RRSets
1646 for which existing signatures are about to expire.
1647 Zone Signing Key or ZSK: A Zone Signing Key (ZSK) is a key that is
1648 used for signing all data in a zone. The fact that a key is a ZSK
1649 is only relevant to the signing tool.
1650 Zone Administrator: The 'role' that is responsible for signing a zone
1651 and publishing it on the primary authoritative server.
1654 Appendix B. Zone Signing Key Rollover Howto
1656 Using the pre-published signature scheme and the most conservative
1657 method to assure oneself that data does not live in caches, here
1658 follows the "HOWTO".
1659 Step 0: The preparation: Create two keys and publish both in your key
1660 set. Mark one of the keys as "active" and the other as
1661 "published". Use the "active" key for signing your zone data.
1662 Store the private part of the "published" key, preferably off-
1664 The protocol does not provide for attributes to mark a key as
1665 active or published. This is something you have to do on your
1666 own, through the use of a notebook or key management tool.
1667 Step 1: Determine expiration: At the beginning of the rollover make a
1668 note of the highest expiration time of signatures in your zone
1669 file created with the current key marked as "active".
1670 Wait until the expiration time marked in Step 1 has passed
1671 Step 2: Then start using the key that was marked as "published" to
1672 sign your data i.e. mark it as "active". Stop using the key that
1673 was marked as "active", mark it as "rolled".
1679 Kolkman & Gieben Expires September 7, 2006 [Page 30]
1681 Internet-Draft DNSSEC Operational Practices March 2006
1684 Step 3: It is safe to engage in a new rollover (Step 1) after at
1685 least one "signature validity period".
1688 Appendix C. Typographic Conventions
1690 The following typographic conventions are used in this document:
1691 Key notation: A key is denoted by DNSKEYx, where x is a number or an
1692 identifier, x could be thought of as the key id.
1693 RRSet notations: RRs are only denoted by the type. All other
1694 information - owner, class, rdata and TTL - is left out. Thus:
1695 "example.com 3600 IN A 192.0.2.1" is reduced to "A". RRSets are a
1696 list of RRs. A example of this would be: "A1, A2", specifying the
1697 RRSet containing two "A" records. This could again be abbreviated
1699 Signature notation: Signatures are denoted as RRSIGx(RRSet), which
1700 means that RRSet is signed with DNSKEYx.
1701 Zone representation: Using the above notation we have simplified the
1702 representation of a signed zone by leaving out all unnecessary
1703 details such as the names and by representing all data by "SOAx"
1704 SOA representation: SOAs are represented as SOAx, where x is the
1706 Using this notation the following signed zone:
1735 Kolkman & Gieben Expires September 7, 2006 [Page 31]
1737 Internet-Draft DNSSEC Operational Practices March 2006
1740 example.net. 86400 IN SOA ns.example.net. bert.example.net. (
1742 86400 ; refresh ( 24 hours)
1743 7200 ; retry ( 2 hours)
1744 3600000 ; expire (1000 hours)
1745 28800 ) ; minimum ( 8 hours)
1746 86400 RRSIG SOA 5 2 86400 20130522213204 (
1747 20130422213204 14 example.net.
1748 cmL62SI6iAX46xGNQAdQ... )
1749 86400 NS a.iana-servers.net.
1750 86400 NS b.iana-servers.net.
1751 86400 RRSIG NS 5 2 86400 20130507213204 (
1752 20130407213204 14 example.net.
1753 SO5epiJei19AjXoUpFnQ ... )
1754 86400 DNSKEY 256 3 5 (
1755 EtRB9MP5/AvOuVO0I8XDxy0... ) ; id = 14
1756 86400 DNSKEY 257 3 5 (
1757 gsPW/Yy19GzYIY+Gnr8HABU... ) ; id = 15
1758 86400 RRSIG DNSKEY 5 2 86400 20130522213204 (
1759 20130422213204 14 example.net.
1760 J4zCe8QX4tXVGjV4e1r9... )
1761 86400 RRSIG DNSKEY 5 2 86400 20130522213204 (
1762 20130422213204 15 example.net.
1763 keVDCOpsSeDReyV6O... )
1764 86400 RRSIG NSEC 5 2 86400 20130507213204 (
1765 20130407213204 14 example.net.
1766 obj3HEp1GjnmhRjX... )
1767 a.example.net. 86400 IN TXT "A label"
1768 86400 RRSIG TXT 5 3 86400 20130507213204 (
1769 20130407213204 14 example.net.
1770 IkDMlRdYLmXH7QJnuF3v... )
1771 86400 NSEC b.example.com. TXT RRSIG NSEC
1772 86400 RRSIG NSEC 5 3 86400 20130507213204 (
1773 20130407213204 14 example.net.
1774 bZMjoZ3bHjnEz0nIsPMM... )
1777 is reduced to the following representation:
1780 RRSIG14(SOA2006022100)
1787 The rest of the zone data has the same signature as the SOA record,
1791 Kolkman & Gieben Expires September 7, 2006 [Page 32]
1793 Internet-Draft DNSSEC Operational Practices March 2006
1796 i.e a RRSIG created with DNSKEY 14.
1799 Appendix D. Document Details and Changes
1801 This section is to be removed by the RFC editor if and when the
1802 document is published.
1804 $Id: draft-ietf-dnsop-dnssec-operational-practices.xml,v 1.31.2.14
1805 2005/03/21 15:51:41 dnssec Exp $
1807 D.1. draft-ietf-dnsop-dnssec-operational-practices-00
1809 Submission as working group document. This document is a modified
1810 and updated version of draft-kolkman-dnssec-operational-practices-00.
1812 D.2. draft-ietf-dnsop-dnssec-operational-practices-01
1814 changed the definition of "Bogus" to reflect the one in the protocol
1819 Style and spelling corrections
1821 KSK - SEP mapping made explicit.
1823 Updates from Sam Weiler added
1825 D.3. draft-ietf-dnsop-dnssec-operational-practices-02
1827 Style and errors corrected.
1829 Added Automatic rollover requirements from I-D.ietf-dnsop-key-
1830 rollover-requirements.
1832 D.4. draft-ietf-dnsop-dnssec-operational-practices-03
1834 Added the definition of Key effectivity period and used that term
1835 instead of Key validity period.
1837 Modified the order of the sections, based on a suggestion by Rip
1840 Included parts from RFC 2541 [12]. Most of its ground was already
1841 covered. This document obsoletes RFC 2541 [12]. Section 3.1.2
1842 deserves some review as it in contrast to RFC 2541 does _not_ give
1843 recomendations about root-zone keys.
1847 Kolkman & Gieben Expires September 7, 2006 [Page 33]
1849 Internet-Draft DNSSEC Operational Practices March 2006
1852 added a paragraph to Section 4.4.4
1854 D.5. draft-ietf-dnsop-dnssec-operational-practices-04
1856 Somewhat more details added about the pre-publish KSK rollover. Also
1857 moved that subsection down a bit.
1859 Editorial and content nits that came in during wg last call were
1862 D.6. draft-ietf-dnsop-dnssec-operational-practices-05
1864 Applied some another set of comments that came in _after_ the the
1867 Applied comments from Hilarie Orman and made a referece to RFC 3766.
1868 Deleted of a lot of key length discussion and took over the
1869 recommendations from RFC 3766.
1871 Reworked all the heading of the rollover figures
1873 D.7. draft-ietf-dnsop-dnssec-operational-practices-06
1875 One comment from Scott Rose applied.
1877 Marcos Sanz gave a lots of editorial nits. Almost all are
1880 D.8. draft-ietf-dnsop-dnssec-operational-practices-07
1882 Peter Koch's comments applied.
1884 SHA-1/SHA-256 remarks added
1886 D.9. draft-ietf-dnsop-dnssec-operational-practices-08
1888 IESG comments applied. Added headers and some captions to the tables
1889 and applied all the nits.
1891 IESG DISCUSS comments applied
1903 Kolkman & Gieben Expires September 7, 2006 [Page 34]
1905 Internet-Draft DNSSEC Operational Practices March 2006
1916 Email: olaf@nlnetlabs.nl
1917 URI: http://www.nlnetlabs.nl
1926 Email: miek@nlnetlabs.nl
1927 URI: http://www.nlnetlabs.nl
1959 Kolkman & Gieben Expires September 7, 2006 [Page 35]
1961 Internet-Draft DNSSEC Operational Practices March 2006
1964 Intellectual Property Statement
1966 The IETF takes no position regarding the validity or scope of any
1967 Intellectual Property Rights or other rights that might be claimed to
1968 pertain to the implementation or use of the technology described in
1969 this document or the extent to which any license under such rights
1970 might or might not be available; nor does it represent that it has
1971 made any independent effort to identify any such rights. Information
1972 on the procedures with respect to rights in RFC documents can be
1973 found in BCP 78 and BCP 79.
1975 Copies of IPR disclosures made to the IETF Secretariat and any
1976 assurances of licenses to be made available, or the result of an
1977 attempt made to obtain a general license or permission for the use of
1978 such proprietary rights by implementers or users of this
1979 specification can be obtained from the IETF on-line IPR repository at
1980 http://www.ietf.org/ipr.
1982 The IETF invites any interested party to bring to its attention any
1983 copyrights, patents or patent applications, or other proprietary
1984 rights that may cover technology that may be required to implement
1985 this standard. Please address the information to the IETF at
1989 Disclaimer of Validity
1991 This document and the information contained herein are provided on an
1992 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
1993 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
1994 ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
1995 INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
1996 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
1997 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
2002 Copyright (C) The Internet Society (2006). This document is subject
2003 to the rights, licenses and restrictions contained in BCP 78, and
2004 except as set forth therein, the authors retain all their rights.
2009 Funding for the RFC Editor function is currently provided by the
2015 Kolkman & Gieben Expires September 7, 2006 [Page 36]
projects / FreeBSD / releng / 7.2.git / blob