7 Network Working Group E. Lewis
8 Request for Comments: 3090 NAI Labs
9 Category: Standards Track March 2001
12 DNS Security Extension Clarification on Zone Status
16 This document specifies an Internet standards track protocol for the
17 Internet community, and requests discussion and suggestions for
18 improvements. Please refer to the current edition of the "Internet
19 Official Protocol Standards" (STD 1) for the standardization state
20 and status of this protocol. Distribution of this memo is unlimited.
24 Copyright (C) The Internet Society (2001). All Rights Reserved.
28 The definition of a secured zone is presented, clarifying and
29 updating sections of RFC 2535. RFC 2535 defines a zone to be secured
30 based on a per algorithm basis, e.g., a zone can be secured with RSA
31 keys, and not secured with DSA keys. This document changes this to
32 define a zone to be secured or not secured regardless of the key
33 algorithm used (or not used). To further simplify the determination
34 of a zone's status, "experimentally secure" status is deprecated.
38 Whether a DNS zone is "secured" or not is a question asked in at
39 least four contexts. A zone administrator asks the question when
40 configuring a zone to use DNSSEC. A dynamic update server asks the
41 question when an update request arrives, which may require DNSSEC
42 processing. A delegating zone asks the question of a child zone when
43 the parent enters data indicating the status the child. A resolver
44 asks the question upon receipt of data belonging to the zone.
46 1.1 When a Zone's Status is Important
48 A zone administrator needs to be able to determine what steps are
49 needed to make the zone as secure as it can be. Realizing that due
50 to the distributed nature of DNS and its administration, any single
51 zone is at the mercy of other zones when it comes to the appearance
52 of security. This document will define what makes a zone qualify as
58 Lewis Standards Track [Page 1]
60 RFC 3090 DNS Security Extension on Zone Status March 2001
63 A name server performing dynamic updates needs to know whether a zone
64 being updated is to have signatures added to the updated data, NXT
65 records applied, and other required processing. In this case, it is
66 conceivable that the name server is configured with the knowledge,
67 but being able to determine the status of a zone by examining the
68 data is a desirable alternative to configuration parameters.
70 A delegating zone is required to indicate whether a child zone is
71 secured. The reason for this requirement lies in the way in which a
72 resolver makes its own determination about a zone (next paragraph).
73 To shorten a long story, a parent needs to know whether a child
74 should be considered secured. This is a two part question. Under
75 what circumstances does a parent consider a child zone to be secure,
76 and how does a parent know if the child conforms?
78 A resolver needs to know if a zone is secured when the resolver is
79 processing data from the zone. Ultimately, a resolver needs to know
80 whether or not to expect a usable signature covering the data. How
81 this determination is done is out of the scope of this document,
82 except that, in some cases, the resolver will need to contact the
83 parent of the zone to see if the parent states that the child is
86 1.2 Islands of Security
88 The goal of DNSSEC is to have each zone secured, from the root zone
89 and the top-level domains down the hierarchy to the leaf zones.
90 Transitioning from an unsecured DNS, as we have now, to a fully
91 secured - or "as much as will be secured" - tree will take some time.
92 During this time, DNSSEC will be applied in various locations in the
93 tree, not necessarily "top down."
95 For example, at a particular instant, the root zone and the "test."
96 TLD might be secured, but region1.test. might not be. (For
97 reference, let's assume that region2.test. is secured.) However,
98 subarea1.region1.test. may have gone through the process of becoming
99 secured, along with its delegations. The dilemma here is that
100 subarea1 cannot get its zone keys properly signed as its parent zone,
101 region1, is not secured.
103 The colloquial phrase describing the collection of contiguous secured
104 zones at or below subarea1.region1.test. is an "island of security."
105 The only way in which a DNSSEC resolver will come to trust any data
106 from this island is if the resolver is pre-configured with the zone
107 key(s) for subarea1.region1.test., i.e., the root of the island of
108 security. Other resolvers (not so configured) will recognize this
114 Lewis Standards Track [Page 2]
116 RFC 3090 DNS Security Extension on Zone Status March 2001
119 An island of security begins with one zone whose public key is pre-
120 configured in resolvers. Within this island are subzones which are
121 also secured. The "bottom" of the island is defined by delegations
122 to unsecured zones. One island may also be on top of another -
123 meaning that there is at least one unsecured zone between the bottom
124 of the upper island and the root of the lower secured island.
126 Although both subarea1.region1.test. and region2.test. have both been
127 properly brought to a secured state by the administering staff, only
128 the latter of the two is actually "globally" secured - in the sense
129 that all DNSSEC resolvers can and will verify its data. The former,
130 subarea1, will be seen as secured by a subset of those resolvers,
131 just those appropriately configured. This document refers to such
132 zones as being "locally" secured.
134 In RFC 2535, there is a provision for "certification authorities,"
135 entities that will sign public keys for zones such as subarea1.
136 There is another document, [RFC3008], that restricts this activity.
137 Regardless of the other document, resolvers would still need proper
138 configuration to be able to use the certification authority to verify
139 the data for the subarea1 island.
141 1.2.1 Determining the closest security root
143 Given a domain, in order to determine whether it is secure or not,
144 the first step is to determine the closest security root. The
145 closest security root is the top of an island of security whose name
146 has the most matching (in order from the root) right-most labels to
149 For example, given a name "sub.domain.testing.signed.exp.test.", and
150 given the secure roots "exp.test.", "testing.signed.exp.test." and
151 "not-the-same.xy.", the middle one is the closest. The first secure
152 root shares 2 labels, the middle 4, and the last 0.
154 The reason why the closest is desired is to eliminate false senses of
155 insecurity because of a NULL key. Continuing with the example, the
156 reason both "testing..." and "exp.test." are listed as secure root is
157 presumably because "signed.exp.test." is unsecured (has a NULL key).
158 If we started to descend from "exp.test." to our given domain
159 (sub...), we would encounter a NULL key and conclude that sub... was
160 unsigned. However, if we descend from "testing..." and find keys
161 "domain...." then we can conclude that "sub..." is secured.
163 Note that this example assumes one-label deep zones, and assumes that
164 we do not configure overlapping islands of security. To be clear,
165 the definition given should exclude "short.xy.test." from being a
166 closest security root for "short.xy." even though 2 labels match.
170 Lewis Standards Track [Page 3]
172 RFC 3090 DNS Security Extension on Zone Status March 2001
175 Overlapping islands of security introduce no conceptually interesting
176 ideas and do not impact the protocol in anyway. However, protocol
177 implementers are advised to make sure their code is not thrown for a
178 loop by overlaps. Overlaps are sure to be configuration problems as
179 islands of security grow to encompass larger regions of the name
182 1.3 Parent Statement of Child Security
184 In 1.1 of this document, there is the comment "the parent states that
185 the child is secured." This has caused quite a bit of confusion.
187 The need to have the parent "state" the status of a child is derived
188 from the following observation. If you are looking to see if an
189 answer is secured, that it comes from an "island of security" and is
190 properly signed, you must begin at the (appropriate) root of the
193 To find the answer you are inspecting, you may have to descend
194 through zones within the island of security. Beginning with the
195 trusted root of the island, you descend into the next zone down. As
196 you trust the upper zone, you need to get data from it about the next
197 zone down, otherwise there is a vulnerable point in which a zone can
198 be hijacked. When or if you reach a point of traversing from a
199 secured zone to an unsecured zone, you have left the island of
200 security and should conclude that the answer is unsecured.
202 However, in RFC 2535, section 2.3.4, these words seem to conflict
203 with the need to have the parent "state" something about a child:
205 There MUST be a zone KEY RR, signed by its superzone, for every
206 subzone if the superzone is secure. This will normally appear in
207 the subzone and may also be included in the superzone. But, in
208 the case of an unsecured subzone which can not or will not be
209 modified to add any security RRs, a KEY declaring the subzone to
210 be unsecured MUST appear with the superzone signature in the
211 superzone, if the superzone is secure.
213 The confusion here is that in RFC 2535, a secured parent states that
214 a child is secured by SAYING NOTHING ("may also be" as opposed to
215 "MUST also be"). This is counter intuitive, the fact that an absence
216 of data means something is "secured." This notion, while acceptable
217 in a theoretic setting has met with some discomfort in an operation
218 setting. However, the use of "silence" to state something does
219 indeed work in this case, so there hasn't been sufficient need
220 demonstrated to change the definition.
226 Lewis Standards Track [Page 4]
228 RFC 3090 DNS Security Extension on Zone Status March 2001
231 1.4 Impact on RFC 2535
233 This document updates sections of RFC 2535. The definition of a
234 secured zone is an update to section 3.4 of the RFC. Section 3.4 is
235 updated to eliminate the definition of experimental keys and
236 illustrate a way to still achieve the functionality they were
237 designed to provide. Section 3.1.3 is updated by the specifying the
238 value of the protocol octet in a zone key.
240 1.5 "MUST" and other key words
242 The key words "MUST", "REQUIRED", "SHOULD", "RECOMMENDED", and "MAY"
243 in this document are to be interpreted as described in [RFC 2119].
244 Currently, only "MUST" is used in this document.
248 In this section, rules governing a zone's DNSSEC status are
249 presented. There are three levels of security defined: global,
250 local, and unsecured. A zone is globally secure when it complies
251 with the strictest set of DNSSEC processing rules. A zone is locally
252 secured when it is configured in such a way that only resolvers that
253 are appropriately configured see the zone as secured. All other
256 Note: there currently is no document completely defining DNSSEC
257 verification rules. For the purposes of this document, the strictest
258 rules are assumed to state that the verification chain of zone keys
259 parallels the delegation tree up to the root zone. (See 2.b below.)
260 This is not intended to disallow alternate verification paths, just
261 to establish a baseline definition.
263 To avoid repetition in the rules below, the following terms are
266 2.a Zone signing KEY RR - A KEY RR whose flag field has the value 01
267 for name type (indicating a zone key) and either value 00 or value 01
268 for key type (indicating a key permitted to authenticate data). (See
269 RFC 2535, section 3.1.2). The KEY RR also has a protocol octet value
270 of DNSSEC (3) or ALL (255).
272 The definition updates RFC 2535's definition of a zone key. The
273 requirement that the protocol field be either DNSSEC or ALL is a new
274 requirement (a change to section 3.1.3.)
276 2.b On-tree Validation - The authorization model in which only the
277 parent zone is recognized to supply a DNSSEC-meaningful signature
278 that is used by a resolver to build a chain of trust from the child's
282 Lewis Standards Track [Page 5]
284 RFC 3090 DNS Security Extension on Zone Status March 2001
287 keys to a recognized root of security. The term "on-tree" refers to
288 following the DNS domain hierarchy (upwards) to reach a trusted key,
289 presumably the root key if no other key is available. The term
290 "validation" refers to the digital signature by the parent to prove
291 the integrity, authentication and authorization of the child's key to
292 sign the child's zone data.
294 2.c Off-tree Validation - Any authorization model that permits domain
295 names other than the parent's to provide a signature over a child's
296 zone keys that will enable a resolver to trust the keys.
300 A globally secured zone, in a nutshell, is a zone that uses only
301 mandatory to implement algorithms (RFC 2535, section 3.2) and relies
302 on a key certification chain that parallels the delegation tree (on-
303 tree validation). Globally secured zones are defined by the
306 2.1.a. The zone's apex MUST have a KEY RR set. There MUST be at
307 least one zone signing KEY RR (2.a) of a mandatory to implement
308 algorithm in the set.
310 2.1.b. The zone's apex KEY RR set MUST be signed by a private key
311 belonging to the parent zone. The private key's public companion
312 MUST be a zone signing KEY RR (2.a) of a mandatory to implement
313 algorithm and owned by the parent's apex.
315 If a zone cannot get a conforming signature from the parent zone, the
316 child zone cannot be considered globally secured. The only exception
317 to this is the root zone, for which there is no parent zone.
319 2.1.c. NXT records MUST be deployed throughout the zone. (Clarifies
320 RFC 2535, section 2.3.2.) Note: there is some operational discomfort
321 with the current NXT record. This requirement is open to
322 modification when two things happen. First, an alternate mechanism
323 to the NXT is defined and second, a means by which a zone can
324 indicate that it is using an alternate method.
326 2.1.d. Each RR set that qualifies for zone membership MUST be signed
327 by a key that is in the apex's KEY RR set and is a zone signing KEY
328 RR (2.a) of a mandatory to implement algorithm. (Updates 2535,
331 Mentioned earlier, the root zone is a special case. The root zone
332 will be considered to be globally secured provided that if conforms
333 to the rules for locally secured, with the exception that rule 2.1.a.
334 be also met (mandatory to implement requirement).
338 Lewis Standards Track [Page 6]
340 RFC 3090 DNS Security Extension on Zone Status March 2001
345 The term "locally" stems from the likely hood that the only resolvers
346 to be configured for a particular zone will be resolvers "local" to
349 A locally secured zone is a zone that complies with rules like those
350 for a globally secured zone with the following exceptions. The
351 signing keys may be of an algorithm that is not mandatory to
352 implement and/or the verification of the zone keys in use may rely on
353 a verification chain that is not parallel to the delegation tree
354 (off-tree validation).
356 2.2.a. The zone's apex MUST have a KEY RR set. There MUST be at
357 least one zone signing KEY RR (2.a) in the set.
359 2.2.b. The zone's apex KEY RR set MUST be signed by a private key and
360 one of the following two subclauses MUST hold true.
362 2.2.b.1 The private key's public companion MUST be pre-configured in
363 all the resolvers of interest.
365 2.2.b.2 The private key's public companion MUST be a zone signing KEY
366 RR (2.a) authorized to provide validation of the zone's apex KEY RR
367 set, as recognized by resolvers of interest.
369 The previous sentence is trying to convey the notion of using a
370 trusted third party to provide validation of keys. If the domain
371 name owning the validating key is not the parent zone, the domain
372 name must represent someone the resolver trusts to provide
375 2.2.c. NXT records MUST be deployed throughout the zone. Note: see
376 the discussion following 2.1.c.
378 2.2.d. Each RR set that qualifies for zone membership MUST be signed
379 by a key that is in the apex's KEY RR set and is a zone signing KEY
380 RR (2.a). (Updates 2535, section 2.3.1.)
384 All other zones qualify as unsecured. This includes zones that are
385 designed to be experimentally secure, as defined in a later section
394 Lewis Standards Track [Page 7]
396 RFC 3090 DNS Security Extension on Zone Status March 2001
401 The designation of globally secured, locally secured, and unsecured
402 are merely labels to apply to zones, based on their contents.
403 Resolvers, when determining whether a signature is expected or not,
404 will only see a zone as secured or unsecured.
406 Resolvers that follow the most restrictive DNSSEC verification rules
407 will only see globally secured zones as secured, and all others as
408 unsecured, including zones which are locally secured. Resolvers that
409 are not as restrictive, such as those that implement algorithms in
410 addition to the mandatory to implement algorithms, will see some
411 locally secured zones as secured.
413 The intent of the labels "global" and "local" is to identify the
414 specific attributes of a zone. The words are chosen to assist in the
415 writing of a document recommending the actions a zone administrator
416 take in making use of the DNS security extensions. The words are
417 explicitly not intended to convey a state of compliance with DNS
420 3 Experimental Status
422 The purpose of an experimentally secured zone is to facilitate the
423 migration from an unsecured zone to a secured zone. This distinction
426 The objective of facilitating the migration can be achieved without a
427 special designation of an experimentally secure status.
428 Experimentally secured is a special case of locally secured. A zone
429 administrator can achieve this by publishing a zone with signatures
430 and configuring a set of test resolvers with the corresponding public
431 keys. Even if the public key is published in a KEY RR, as long as
432 there is no parent signature, the resolvers will need some pre-
433 configuration to know to process the signatures. This allows a zone
434 to be secured with in the sphere of the experiment, yet still be
435 registered as unsecured in the general Internet.
437 4 IANA Considerations
439 This document does not request any action from an assigned number
440 authority nor recommends any actions.
450 Lewis Standards Track [Page 8]
452 RFC 3090 DNS Security Extension on Zone Status March 2001
455 5 Security Considerations
457 Without a means to enforce compliance with specified protocols or
458 recommended actions, declaring a DNS zone to be "completely" secured
459 is impossible. Even if, assuming an omnipotent view of DNS, one can
460 declare a zone to be properly configured for security, and all of the
461 zones up to the root too, a misbehaving resolver could be duped into
462 believing bad data. If a zone and resolver comply, a non-compliant
463 or subverted parent could interrupt operations. The best that can be
464 hoped for is that all parties are prepared to be judged secure and
465 that security incidents can be traced to the cause in short order.
469 The need to refine the definition of a secured zone has become
470 apparent through the efforts of the participants at two DNSSEC
471 workshops, sponsored by the NIC-SE (.se registrar), CAIRN (a DARPA-
472 funded research network), and other workshops. Further discussions
473 leading to the document include Olafur Gudmundsson, Russ Mundy,
474 Robert Watson, and Brian Wellington. Roy Arends, Ted Lindgreen and
475 others have contributed significant input via the namedroppers
480 [RFC1034] Mockapetris, P., "Domain Names - Concepts and Facilities",
481 STD 13, RFC 1034, November 1987.
483 [RFC1035] Mockapetris, P., "Domain Names - Implementation and
484 Specification", STD 13, RFC 1035, November 1987.
486 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
487 Requirement Levels", BCP 14, RFC 2119, March 1997.
489 [RFC2136] Vixie, P., (Ed.), Thomson, S., Rekhter, Y. and J. Bound,
490 "Dynamic Updates in the Domain Name System", RFC 2136,
493 [RFC2535] Eastlake, D., "Domain Name System Security Extensions", RFC
496 [RFC3007] Wellington, B., "Simple Secure Domain Name System (DNS)
497 Dynamic Update", RFC 3007, November 2000.
499 [RFC3008] Wellington, B., "Domain Name System Security (DNSSEC)
500 Signing Authority", RFC 3008, November 2000.
506 Lewis Standards Track [Page 9]
508 RFC 3090 DNS Security Extension on Zone Status March 2001
515 3060 Washington Road Glenwood
518 Phone: +1 443 259 2352
519 EMail: lewis@tislabs.com
562 Lewis Standards Track [Page 10]
564 RFC 3090 DNS Security Extension on Zone Status March 2001
567 11 Full Copyright Statement
569 Copyright (C) The Internet Society (2001). All Rights Reserved.
571 This document and translations of it may be copied and furnished to
572 others, and derivative works that comment on or otherwise explain it
573 or assist in its implementation may be prepared, copied, published
574 and distributed, in whole or in part, without restriction of any
575 kind, provided that the above copyright notice and this paragraph are
576 included on all such copies and derivative works. However, this
577 document itself may not be modified in any way, such as by removing
578 the copyright notice or references to the Internet Society or other
579 Internet organizations, except as needed for the purpose of
580 developing Internet standards in which case the procedures for
581 copyrights defined in the Internet Standards process must be
582 followed, or as required to translate it into languages other than
585 The limited permissions granted above are perpetual and will not be
586 revoked by the Internet Society or its successors or assigns.
588 This document and the information contained herein is provided on an
589 "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
590 TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
591 BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
592 HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
593 MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
597 Funding for the RFC Editor function is currently provided by the
618 Lewis Standards Track [Page 11]
projects / FreeBSD / releng / 7.2.git / blob