2 Internet Draft Johan Ihren
3 draft-ihren-dnsext-threshold-validation-00.txt Autonomica
10 A Mechanism for Improved Trust and Redundancy for DNSSEC Keys
15 This document is an Internet-Draft and is in full conformance with
16 all provisions of Section 10 of RFC2026.
18 Internet-Drafts are working documents of the Internet Engineering
19 Task Force (IETF), its areas, and its working groups. Note that
20 other groups may also distribute working documents as
23 Internet-Drafts are draft documents valid for a maximum of six
24 months and may be updated, replaced, or obsoleted by other
25 documents at any time. It is inappropriate to use Internet-Drafts
26 as reference material or to cite them other than as "work in
29 The list of current Internet-Drafts can be accessed at
30 http://www.ietf.org/ietf/1id-abstracts.txt
32 The list of Internet-Draft Shadow Directories can be accessed at
33 http://www.ietf.org/shadow.html.
38 This memo documents a proposal for a different method of validation
39 for DNSSEC aware resolvers. The key change is that by changing from
40 a model of one Key Signing Key, KSK, at a time to multiple KSKs it
41 will be possible to increase the aggregated trust in the signed
42 keys by leveraging from the trust associated with the different
45 By having multiple keys to chose from validating resolvers get the
46 opportunity to use local policy to reflect actual trust in
47 different keys. For instance, it is possible to trust a single,
48 particular key ultimately, while requiring multiple valid
49 signatures by less trusted keys for validation to succeed.
50 Furthermore, with multiple KSKs there are additional redundancy
51 benefits available since it is possible to roll over different KSKs
52 at different times which may make rollover scenarios easier to
58 2. Introduction and Background
60 3. Trust in DNSSEC Keys
61 3.1. Key Management, Split Keys and Trust Models
62 3.2. Trust Expansion: Authentication versus Authorization
64 4. Proposed Semantics for Signing the KEY Resource Record
66 4.1. Packet Size Considerations
68 5. Proposed Use of Multiple "Trusted Keys" in a Validating
70 5.1. Not All Possible KSKs Need to Be Trusted
71 5.2. Possible to do Threshold Validation
72 5.3. Not All Trusted Keys Will Be Available
74 6. Additional Benefits from Having Multiple KSKs
75 6.1. More Robust Key Rollovers
76 6.2. Evaluation of Multiple Key Distribution Mechanisms
78 7. Security Considerations
79 8. IANA Considerations.
89 The key words "MUST", "SHALL", "REQUIRED", "SHOULD", "RECOMMENDED",
90 and "MAY" in this document are to be interpreted as described in
93 The term "zone" refers to the unit of administrative control in the
94 Domain Name System. "Name server" denotes a DNS name server that is
95 authoritative (i.e. knows all there is to know) for a DNS zone,
96 typically the root zone. A "resolver", is a DNS "client", i.e. an
97 entity that sends DNS queries to authoritative nameservers and
98 interpret the results. A "validating resolver" is a resolver that
99 attempts to perform DNSSEC validation on data it retrieves by doing
103 2. Introduction and Background
105 From a protocol perspective there is no real difference between
106 different keys in DNSSEC. They are all just keys. However, in
107 actual use there is lots of difference. First and foremost, most
108 DNSSEC keys have in-band verification. I.e. the keys are signed by
109 some other key, and this other key is in its turn also signed by
110 yet another key. This way a "chain of trust" is created. Such
111 chains have to end in what is referred to as a "trusted key" for
112 validation of DNS lookups to be possible.
114 A "trusted key" is a the public part of a key that the resolver
115 acquired by some other means than by looking it up in DNS. The
116 trusted key has to be explicitly configured.
118 A node in the DNS hierarchy that issues such out-of-band "trusted
119 keys" is called a "security apex" and the trusted key for that apex
120 is the ultimate source of trust for all DNS lookups within that
123 DNSSEC is designed to be able to work with more than on security
124 apex. These apexes will all share the problem of how to distribute
125 their "trusted keys" in a way that provides validating resolvers
126 confidence in the distributed keys.
128 Maximizing that confidence is crucial to the usefulness of DNSSEC
129 and this document tries to address this issue.
132 3. Trust in DNSSEC Keys
134 In the end the trust that a validating resolver will be able to put
135 in a key that it cannot validate within DNSSEC will have to be a
138 * trust in the key issuer, aka the KSK holder
140 * trust in the distribution method
142 * trust in extra, out-of-band verification
144 The KSK holder needs to be trusted not to accidentally lose private
145 keys in public places. Furthermore it needs to be trusted to
146 perform correct identification of the ZSK holders in case they are
147 separate from the KSK holder itself.
149 The distribution mechanism can be more or less tamper-proof. If the
150 key holder publishes the public key, or perhaps just a secure
151 fingerprint of the key in a major newspaper it may be rather
152 difficult to tamper with. A key acquired that way may be easier to
153 trust than if it had just been downloaded from a web page.
155 Out-of-band verification can for instance be the key being signed
156 by a certificate issued by a known Certificate Authority that the
157 resolver has reason to trust.
159 3.1. Simplicity vs Trust
161 The fewer keys that are in use the simpler the key management
162 becomes. Therefore increasing the number of keys should only be
163 considered when the complexity is not the major concern. A perfect
164 example of this is the distinction between so called Key Signing
165 Keys, KSK, and Zone Signing Keys, ZSK. This distinction adds
166 overall complexity but simplifies real life operations and was an
167 overall gain since operational simplification was considered to be
168 a more crucial issue than the added complexity.
170 In the case of a security apex there are additional issues to
173 * maximizing trust in the KSK received out-of-band
175 * authenticating the legitimacy of the ZSKs used
177 In some cases this will be easy, since the same entity will manage
178 both ZSKs and KSKs (i.e. it will authenticate itself, somewhat
179 similar to a self-signed certificate). In some environments it will
180 be possible to get the trusted key installed in the resolver end by
181 decree (this would seem to be a likely method within corporate and
182 government environments).
184 In other cases, however, this will possibly not be sufficient. In
185 the case of the root zone this is obvious, but there may well be
188 3.2. Expanding the "Trust Base"
190 For a security apex where the ZSKs and KSK are not held by the same
191 entity the KSK will effectively authenticate the identity of
192 whoever does real operational zone signing. The amount of trust
193 that the data signed by a ZSK will get is directly dependent on
194 whether the end resolver trusts the KSK or not, since the resolver
195 has no OOB access to the public part of the ZSKs (for practical
198 Since the KSK holder is distinct from the ZSK holder the obvious
199 question is whether it would then be possible to further improve
200 the situation by using multiple KSK holders and thereby expanding
201 the trust base to the union of that available to each individual
202 KSK holder. "Trust base" is an invented term intended to signify
203 the aggregate of Internet resolvers that will eventually choose to
204 trust a key issued by a particular KSK holder.
206 A crucial issue when considering trust expansion through addition
207 of multiple KSK holders is that the KSK holders are only used to
208 authenticate the ZSKs used for signing the zone. I.e. the function
209 performed by the KSK is basically:
211 "This is indeed the official ZSK holder for this zone,
212 I've verified this fact to the best of my abilitites."
214 Which can be thought of as similar to the service of a public
215 notary. I.e. the point with adding more KSK holders is to improve
216 the public trust in data signed by the ZSK holders by improving the
217 strength of available authentication.
219 Therefore adding more KSK holders, each with their own trust base,
220 is by definition a good thing. More authentication is not
221 controversial. On the contrary, when it comes to authentication,
222 the more the merrier.
225 4. Proposed Semantics for Signing the KEY Resource Record Set
227 In DNSSEC according to RFC2535 all KEY Resource Records are used to
228 sign all authoritative data in the zone, including the KEY RRset
229 itself, since RFC2535 makes no distinction between Key Signing
230 Keys, KSK, and Zone Signing Keys, ZSK. With Delegation Signer [DS]
231 it is possible to change this to the KEY RRset being signed with
232 all KSKs and ZSKs but the rest of the zone only being signed by the
235 This proposal changes this one step further, by recommending that
236 the KEY RRset is only signed by the Key Signing Keys, KSK, and
237 explicitly not by the Zone Signing Keys, ZSK. The reason for this
238 is to maximize the amount of space in the DNS response packet that
239 is available for additional KSKs and signatures thereof. The rest
240 of the authoritative zone contents are as previously signed by only
243 4.1. Packet Size Considerations
245 The reason for the change is to keep down the size of the aggregate
246 of KEY RRset plus SIG(KEY) that resolvers will need to acquire to
247 perform validation of data below a security apex. For DNSSEC data
248 to be returned the DNSSEC OK bit in the EDNS0 OPT Record has to be
249 set, and therefore the allowed packet size can be assumed to be at
250 least the EDNS0 minimum of 4000 bytes.
252 When querying for KEY + SIG(KEY) for "." (the case that is assumed
253 to be most crucial) the size of the response packet after the
254 change to only sign the KEY RR with the KSKs break down into a
255 rather large space of possibilities. Here are a few examples for
256 the possible alternatives for different numbers of KSKs and ZSKs
257 for some different key lengths (all RSA keys, with a public
258 exponent that is < 254). This is all based upon the size of the
259 response for the particular example of querying for
263 with a response of entire KEY + SIG(KEY) with the authority and
264 additional sections empty:
266 ZSK/768 and KSK/1024 (real small)
267 Max 12 KSK + 3 ZSK at 3975
268 10 KSK + 8 ZSK at 3934
269 8 KSK + 13 ZSK at 3893
272 MAX 10 KSK + 2 ZSK at 3913
273 8 KSK + 9 ZSK at 3970
274 6 KSK + 15 ZSK at 3914
277 MAX 8 KSK + 4 ZSK at 3917
278 7 KSK + 8 ZSK at 3938
279 6 KSK + 12 ZSK at 3959
282 MAX 6 KSK + 5 ZSK at 3936
283 5 KSK + 10 ZSK at 3942
286 MAX 12 KSK + 2 ZSK at 3943
287 11 KSK + 4 ZSK at 3930
288 10 KSK + 6 ZSK at 3917
289 8 KSK + 10 ZSK at 3891
292 MAX 8 KSK + 3 ZSK at 3900
293 7 KSK + 6 ZSK at 3904
294 6 KSK + 9 ZSK at 3908
297 MAX 6 KSK + 4 ZSK at 3951
298 5 KSK + 8 ZSK at 3972
299 4 KSK + 12 ZSK at 3993
301 Note that these are just examples and this document is not making
302 any recommendations on suitable choices of either key lengths nor
303 number of different keys employed at a security apex.
305 This document does however, based upon the above figures, make the
306 recommendation that at a security apex that expects to distribute
307 "trusted keys" the KEY RRset should only be signed with the KSKs
308 and not with the ZSKs to keep the size of the response packets
312 5. Proposed Use of Multiple "Trusted Keys" in a Validating Resolver
314 In DNSSEC according to RFC2535[RFC2535] validation is the process
315 of tracing a chain of signatures (and keys) upwards through the DNS
316 hierarchy until a "trusted key" is reached. If there is a known
317 trusted key present at a security apex above the starting point
318 validation becomes an exercise with a binary outcome: either the
319 validation succeeds or it fails. No intermediate states are
322 With multiple "trusted keys" (i.e. the KEY RRset for the security
323 apex signed by multiple KSKs) this changes into a more complicated
324 space of alternatives. From the perspective of complexity that may
325 be regarded as a change for the worse. However, from a perspective
326 of maximizing available trust the multiple KSKs add value to the
329 5.1. Possible to do Threshold Validation
331 With multiple KSKs a new option that opens for the security
332 concious resolver is to not trust a key individually. Instead the
333 resolver may decide to require the validated signatures to exceed a
334 threshold. For instance, given M trusted keys it is possible for
335 the resolver to require N-of-M signatures to treat the data as
338 I.e. with the following pseudo-configuration in a validating
341 security-apex "." IN {
349 # Note that ksk-4 is not present below
350 keys { ksk-1; ksk-2; ksk-3; ksk-5; };
351 # 3 signatures needed with 4 possible keys, aka 75%
356 we configure five trusted keys for the root zone, but require two
357 valid signatures for the top-most KEY for validation to
358 succeed. I.e. threshold validation does not force multiple
359 signatures on the entire signature chain, only on the top-most
360 signature, closest to the security apex for which the resolver has
363 5.2. Not All Trusted Keys Will Be Available
365 With multiple KSKs held and managed by separate entities the end
366 resolvers will not always manage to get access to all possible
367 trusted keys. In the case of just a single KSK this would be fatal
368 to validation and necessary to avoid at whatever cost. But with
369 several fully trusted keys available the resolver can decide to
370 trust several of them individually. An example based upon more
371 pseudo-configuration:
373 security-apex "." IN {
381 # Only these two keys are trusted independently
382 keys { ksk-1; ksk-4; };
383 # With these keys a single signature is sufficient
388 Here we have the same five keys and instruct the validating
389 resolver to fully trust data that ends up with just one signature
390 from by a fully trusted key.
392 The typical case where this will be useful is for the case where
393 there is a risk of the resolver not catching a rollover event by
394 one of the KSKs. By doing rollovers of different KSKs with
395 different schedules it is possible for a resolver to "survive"
396 missing a rollover without validation breaking. This improves
397 overall robustness from a management point of view.
399 5.3. Not All Possible KSKs Need to Be Trusted
401 With just one key available it simply has to be trusted, since that
402 is the only option available. With multiple KSKs the validating
403 resolver immediately get the option of implementing a local policy
404 of only trusting some of the possible keys.
406 This local policy can be implemented either by simply not
407 configuring keys that are not trusted or, possibly, configure them
408 but specify to the resolver that certain keys are not to be
409 ultimately trusted alone.
412 6. Additional Benefits from Having Multiple KSKs
414 6.1. More Robust Key Rollovers
416 With only one KSK the rollover operation will be a delicate
417 operation since the new trusted key needs to reach every validating
418 resolver before the old key is retired. For this reason it is
419 expected that long periods of overlap will be needed.
421 With multiple KSKs this changes into a system where different
422 "series" of KSKs can have different rollover schedules, thereby
423 changing from one "big" rollover to several "smaller" rollovers.
425 If the resolver trusts several of the available keys individually
426 then even a failure to track a certain rollover operation within
427 the overlap period will not be fatal to validation since the other
428 available trusted keys will be sufficient.
430 6.2. Evaluation of Multiple Key Distribution Mechanisms
432 Distribution of the trusted keys for the DNS root zone is
433 recognized to be a difficult problem that ...
435 With only one trusted key, from one single "source" to distribute
436 it will be difficult to evaluate what distribution mechanism works
437 best. With multiple KSKs, held by separate entitites it will be
438 possible to measure how large fraction of the resolver population
439 that is trusting what subsets of KSKs.
442 7. Security Considerations
444 From a systems perspective the simplest design is arguably the
445 best, i.e. one single holder of both KSK and ZSKs. However, if that
446 is not possible in all cases a more complex scheme is needed where
447 additional trust is injected by using multiple KSK holders, each
448 contributing trust, then there are only two alternatives
449 available. The first is so called "split keys", where a single key
450 is split up among KSK holders, each contributing trust. The second
451 is the multiple KSK design outlined in this proposal.
453 Both these alternatives provide for threshold mechanisms. However
454 split keys makes the threshold integral to the key generating
455 mechanism (i.e. it will be a property of the keys how many
456 signatures are needed). In the case of multiple KSKs the threshold
457 validation is not a property of the keys but rather local policy in
458 the validating resolver. A benefit from this is that it is possible
459 for different resolvers to use different trust policies. Some may
460 configure threshold validation requiring multiple signatures and
461 specific keys (optimizing for security) while others may choose to
462 accept a single signature from a larger set of keys (optimizing for
463 redundancy). Since the security requirements are different it would
464 seem to be a good idea to make this choice local policy rather than
467 Furthermore, a clear issue for validating resolvers will be how to
468 ensure that they track all rollover events for keys they
469 trust. Even with operlap during the rollover (which is clearly
470 needed) there is still a need to be exceedingly careful not to miss
471 any rollovers (or fail to acquire a new key) since without this
472 single key validation will fail. With multiple KSKs this operation
473 becomes more robust, since different KSKs may roll at different
474 times according to different rollover schedules and losing one key,
475 for whatever reason, will not be crucial unless the resolver
476 intentionally chooses to be completely dependent on that exact key.
478 8. IANA Considerations.
487 [RFC2535] Domain Name System Security Extensions. D. Eastlake.
490 [RFC3090] DNS Security Extension Clarification on Zone Status.
491 E. Lewis. March 2001.
496 [RFC3110] RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System
497 (DNS). D. Eastlake 3rd. May 2001.
499 [RFC3225] Indicating Resolver Support of DNSSEC. D. Conrad.
502 [DS] Delegation Signer Resource Record.
503 O. Gudmundsson. October 2002. Work In Progress.
507 Bill Manning came up with the original idea of moving complexity
508 from the signing side down to the resolver in the form of threshold
509 validation. I've also had much appreciated help from (in no
510 particular order) Jakob Schlyter, Paul Vixie, Olafur Gudmundson and
518 SE-118 47 Stockholm, Sweden
projects / FreeBSD / releng / 7.2.git / blob