idnits 2.17.00 (12 Aug 2021) /tmp/idnits64710/draft-ietf-dnsop-delegation-trust-maintainance-04.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == Line 533 has weird spacing: '... full i.e. ...' == Line 536 has weird spacing: '...augment i.e. ...' -- The document date (April 10, 2014) is 2963 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- == Outdated reference: draft-ietf-dnsop-dnssec-key-timing has been published as RFC 7583 -- No information found for draft-parent-zones - is the name correct? Summary: 0 errors (**), 0 flaws (~~), 4 warnings (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 dnsop W. Kumari 3 Internet-Draft Google 4 Intended status: Informational O. Gudmundsson 5 Expires: October 12, 2014 Shinkuro Inc. 6 G. Barwood 8 April 10, 2014 10 Automating DNSSEC delegation trust maintenance 11 draft-ietf-dnsop-delegation-trust-maintainance-04 13 Abstract 15 This document describes a method to allow DNS operators to more 16 easily update DNSSEC Key Signing Keys using the DNS as communication 17 channel. This document does not address the initial configuration of 18 trust anchors for a domain. The technique described is aimed at 19 delegations in which it is currently hard to move information from 20 the child to parent. 22 Status of This Memo 24 This Internet-Draft is submitted in full conformance with the 25 provisions of BCP 78 and BCP 79. 27 Internet-Drafts are working documents of the Internet Engineering 28 Task Force (IETF). Note that other groups may also distribute 29 working documents as Internet-Drafts. The list of current Internet- 30 Drafts is at http://datatracker.ietf.org/drafts/current/. 32 Internet-Drafts are draft documents valid for a maximum of six months 33 and may be updated, replaced, or obsoleted by other documents at any 34 time. It is inappropriate to use Internet-Drafts as reference 35 material or to cite them other than as "work in progress." 37 This Internet-Draft will expire on October 12, 2014. 39 Copyright Notice 41 Copyright (c) 2014 IETF Trust and the persons identified as the 42 document authors. All rights reserved. 44 This document is subject to BCP 78 and the IETF Trust's Legal 45 Provisions Relating to IETF Documents 46 (http://trustee.ietf.org/license-info) in effect on the date of 47 publication of this document. Please review these documents 48 carefully, as they describe your rights and restrictions with respect 49 to this document. Code Components extracted from this document must 50 include Simplified BSD License text as described in Section 4.e of 51 the Trust Legal Provisions and are provided without warranty as 52 described in the Simplified BSD License. 54 Table of Contents 56 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 57 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4 58 1.2. Requirements notation . . . . . . . . . . . . . . . . . . 4 59 2. Background . . . . . . . . . . . . . . . . . . . . . . . . . 4 60 2.1. DNS delegations . . . . . . . . . . . . . . . . . . . . . 4 61 2.2. Relationship between Parent and Child DNS operator . . . 5 62 2.2.1. Solution Space . . . . . . . . . . . . . . . . . . . 6 63 2.2.2. DNSSEC key change process . . . . . . . . . . . . . . 7 64 3. CDS / CDNSKEY (Child DS/ Child DNSKEY) record definitions . . 7 65 3.1. CDS Resource Record Format . . . . . . . . . . . . . . . 8 66 3.2. CDNSKEY Resource Record Format . . . . . . . . . . . . . 8 67 4. Automating DS maintainance with CDS/CDNSKEY records . . . . . 8 68 4.1. CDS / CDNSKEY processing rules . . . . . . . . . . . . . 9 69 5. Child's CDS / CDNSKEY Publication . . . . . . . . . . . . . . 9 70 6. Parent side CDS / CDNSKEY Consumption . . . . . . . . . . . . 10 71 6.1. Detecting a changed CDS / CDNSKEY . . . . . . . . . . . . 10 72 6.1.1. CDS / CDNSKEY Polling . . . . . . . . . . . . . . . . 10 73 6.1.2. Other mechanisms . . . . . . . . . . . . . . . . . . 11 74 6.2. Using the new CDS / CDNSKEY records . . . . . . . . . . . 11 75 6.2.1. Parent calculates DS . . . . . . . . . . . . . . . . 12 76 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12 77 8. Privacy Considerations . . . . . . . . . . . . . . . . . . . 12 78 9. Security Considerations . . . . . . . . . . . . . . . . . . . 12 79 10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 14 80 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 14 81 11.1. Normative References . . . . . . . . . . . . . . . . . . 14 82 11.2. Informative References . . . . . . . . . . . . . . . . . 15 83 Appendix A. RRR background . . . . . . . . . . . . . . . . . . . 15 84 Appendix B. Changes / Author Notes. . . . . . . . . . . . . . . 16 85 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 18 87 1. Introduction 89 When a DNS operator first signs their zone, they need to communicate 90 their DS record(s) (or DNSKEY(s)) to their parent through some out- 91 of-band method to complete the chain of trust. 93 Each time the child changes/rolls the key that is represented in the 94 parent, the new and/or deleted key information has to be communicated 95 to the parent and published there. How this information is sent to 96 the parent depends on the relationship the child has with the parent. 98 In many cases this is a manual process, and not an easy one. For 99 each key roll, there may be two interactions with the parent. Any 100 manual process is susceptible to mistakes and/or errors. In 101 addition, due to the annoyance factor of the process, operators may 102 avoid performing key rollovers or skip needed steps to publish the 103 new DS at the parent. 105 DNSSEC provides data integrity to information published in DNS; thus 106 DNS publication can be used to automate maintenance of delegation 107 information. This document describes a method to automate 108 publication of subsequent DS records, after the initial one has been 109 published. 111 Readers are expected to be familiar with DNSSEC, including [RFC4033], 112 [RFC4034], [RFC4035], [RFC5011] and [RFC6781]. 114 This document is a compilation of two earlier drafts: draft-barwood- 115 dnsop-ds-publish[I-D.ds-publish] and draft-wkumari-dnsop-ezkeyroll. 117 This document outlines a technique in which the parent periodically 118 (or upon request) polls its signed children and automatically publish 119 new DS records. To a large extent, the procedures this document 120 follows are as described in [RFC6781] section 4.1.2. 122 This technique is in some ways similar to [RFC5011] style rollovers, 123 but for sub-domains DS records, instead of trust anchors. 125 This technique is designed to be friendly both to fully automated 126 tools and humans. Fully automated tools can perform all the actions 127 needed without human intervention, and thus can monitor when it is 128 safe to move to the next step. 130 The solution described in this document only allows transferring 131 information about DNSSEC keys (DS and DNSKEY) from the child to the 132 parental agent. It lists exactly what the parent should publish, and 133 allows for publication of stand-by keys. A different protocol, 134 [I-D.csync], can be used to maintain other important delegation 135 information, such as NS and glue. These two protocols have been kept 136 as separate solutions because the problems are fundamentally 137 different, and a combined solution is overly complex. 139 This document describes a method for automating maintanance of the 140 delegation trust information, and proposes a polled / periodic 141 trigger for simplicity. Some users may prefer a different trigger, 142 such as a button on a webpage, a REST interface, DNS NOTIFY, etc. 143 These alternate / additional triggers are not discussed in this 144 document. This proposal does not include all operations needed for 145 the maintenance of DNSSEC key material, specifically the introduction 146 or complete removal of all keys. Because of this, alternate 147 communications mechanisms must always exist, potentially introducing 148 more complexity. 150 1.1. Terminology 152 The terminology we use is defined in this section 154 Highlighted roles 156 o Child: "The entity on record that has the delegation of the domain 157 from the parent" 159 o Parent: "The domain in which the child is registered" 161 o Child DNS Operator: "The entity that maintains and publishes the 162 zone information for the child DNS" 164 o Parent DNS Operator: "The entity that maintains and publishes the 165 zone information for the parent DNS" 167 o Parental Agent: "The entity that the child has relationship with, 168 to change its delegation information" 170 o Provisioning system: "A system that the operator of the master DNS 171 server operates to maintain the information published in the DNS. 172 This includes the systems that sign the DNS data" 174 RRR is our shorthand for Registry/Registrar/Registrant model of 175 parent child relationship see Appendix A for more. 177 1.2. Requirements notation 179 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 180 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 181 document are to be interpreted as described in [RFC2119]. 183 2. Background 185 2.1. DNS delegations 187 DNS operation consists of delegations of authority. For each 188 delegation there are (most of the time) two parties: the parent and 189 the child. 191 The parent publishes information about the delegations to the child; 192 for the name-servers it publishes an NS [RFC1035] RRset that lists a 193 hint for name-servers that are authoritative for the child. The 194 child also publishes a NS RRset, and this set is the authoritative 195 list of name-servers to the child zone. 197 The second RRset the parent sometimes publishes is the DS [RFC4034] 198 set. The DS RRset provides information about the DNSKEY(s) that the 199 child has told the parent it will use to sign its DNSKEY RRset. In 200 DNSSEC trust relationship between zones is provided by the following 201 chain: 203 parent DNSKEY --> DS --> child DNSKEY. 205 A prior proposal [I-D.auto-cpsync] suggested that the child send an 206 "update" to the parent via a mechanism similar to Dynamic Update. 207 The main issue became: How does the child find the actual parental 208 agent/server to send the update to? While that could have been 209 solved via technical means, the proposal died. There is also a 210 similar proposal in [I-D.parent-zones] 212 As the DS record can only be present at the parent (RFC4034 213 [RFC4034]), some other record/method is needed to automate which 214 DNSKEYs are picked to be represented in the parent zone's DS records. 215 One possibility is to use flags in the DNSKEY record. If the SEP bit 216 is set, this indicates that the DNSKEY is intended for use as a 217 secure entry point. This DNSKEY signs the DNSKEY RRset, and the 218 Parental Agent can calculate DS records based on that. But this 219 fails to meet some operating needs, including the child having no 220 influence what DS digest algorithms are used and DS records can only 221 be published for keys that are in the DNSKEY RRset. 223 2.2. Relationship between Parent and Child DNS operator 225 In practical application, there are many different relationships 226 between the parent and child DNS operators. The type of relationship 227 affects how the Child DNS Operator communicates with the parent. 228 This section will highlight some of the different situations, but is 229 by no means a complete list. 231 Different communication paths: 233 o Direct/API: The child can change the delegation information via 234 automated/scripted means EPP[RFC5730] used by many TLDs is an 235 example of this. Another example is the web service's 236 programmatic interfaces that Registrars make available to their 237 Resellers. 239 o User Interface: The Child uses a (web) site set up by the Parental 240 Agent for updating delegation information. 242 o Indirect: The communication has to be transmitted via out-of-band 243 between two parties, such as email, telephone etc.. This is common 244 when the Child's DNS operator is neither the child itself nor the 245 Registrar for the domain but a third party. 247 o Multi-step Combinations: The information flows through an 248 intermediary. It is possible, but unlikely, that all the steps 249 are automated via API's and there are no humans are involved. 251 A domain name holder (Child) may operate its own DNS servers or 252 outsource the operation. While we use the word parent as a singular, 253 parent can consist of single entity or a composite of many discrete 254 parts that have rules and roles. We refer to the entity that the 255 child corresponds with as the Parent. 257 In another common case an enterprise may delegate parts of its name- 258 space to be operated by a group that is not the same as that which 259 operates the enterprise's DNS servers. In this case the flow of 260 information is frequently handled in either an ad hoc manner or via 261 some corporate mechanism; this can range from email to fully- 262 automated operation. The word enterprise above covers all 263 organizations in which the domains are not sold on the open market 264 and there is some relationship between the entities. 266 2.2.1. Solution Space 268 This document is aimed at the cases in which there is an 269 organizational separation of the child and parent. 271 A further complication is when the Child DNS Operator is not the 272 Child. There are two common cases of this, 274 a) The Parental Agent (e.g. registrar) handles the DNS operation 276 b) A third party takes care of the DNS operation. 278 If the Parental Agent is the DNS operator, life is much easier; the 279 Parental Agent can inject any delegation changes directly into the 280 Parent's Provisioning system. The techniques described below are not 281 needed in the case when Parental Agent is the DNS operator. 283 In the case of a third party DNS operator, the Child either needs to 284 relay changes in DNS delegation or give the Child DNS Operator access 285 to its delegation/registration account. 287 Some parents want the child to express their DNSKEYS in the form of 288 DS records, while others want to receive the DNSKEY records and 289 calculate the DS records themselves. There is no consensus on which 290 method is better; both have good reasons to exist. The proposal 291 below can operate with both models, but the child needs to be aware 292 of the parental policies. 294 2.2.2. DNSSEC key change process 296 After a Child DNS Operator first signs the zone, there is a need to 297 interact with the Parent, for example via the delegation account 298 interface, to "upload / paste-in the zone's DS information". The 299 action of logging in through the delegation account user interface 300 authenticates that the user is authorized to change delegation 301 information for the child published in the parent zone. In the case 302 where the "Child DNS Operator" does not have access to the 303 registration account, the Child needs to perform the action. 305 At a later date, the Child DNS Operator may want to publish a new DS 306 record in the parent, either because they are rolling keys, or 307 because they want to publish a stand-by key. This involves 308 performing the same process as before. Furthermore when this is a 309 manual process with cut and paste, operational mistakes will happen 310 -- or worse, the update action is not performed at all. 312 The Child DNS Operator may also introduce new keys, and can do so 313 when old keys exist and can be used. The Child may also remove old 314 keys, but we do not support removing all keys. This is to avoid 315 making signed zones unsigned. 317 The Child may not introduce a new key when no old keys can be used, 318 and nor may it remove the last key from the RRSet of the zone apex. 319 The Child may not enroll the initial key or introduce a new key when 320 there are no old keys that can be used, because there is no way to 321 validate the information. [TODO ADD TEXT RE REMOVAL) 323 3. CDS / CDNSKEY (Child DS/ Child DNSKEY) record definitions 325 This document specifies two new resource records, CDS and CDNSKEY. 326 These records are used to convey, from one zone to it's parent, the 327 desired contents of the zone's DS resource record set residing in the 328 parent zone. 330 The CDS / CDNSKEY records are published in the child zone and gives 331 the child control of what is published for it in the parental zone. 332 The CDS / CDNSKEY RRset expresses what the child would like the DS 333 RRset to look like after the change; it is a "replace" operation, and 334 it is up to the consumer of the records to translate that into the 335 appropriate add/delete operations in the registration systems (and in 336 the case of CDNSKEY, to generate the DS from the DNSKEY). If no CDS 337 / CDNSKEY RRset is present in child, this means that no change is 338 needed. 340 [[RFC Editor: Please remove this paragraph before publication] 341 Version -04 of the ID that became this working group document (http:/ 342 /tools.ietf.org/id/draft-kumari-ogud-dnsop-cds-04.txt) defined a new 343 record (CTA) that could hold either a DS or a DNSKEY record (with a 344 selector to differentiate between them). In a shocking development, 345 there was almost full consensus that this was horrid :-) ] 347 3.1. CDS Resource Record Format 349 The wire and presentation format of the CDS ("Child DS") record is 350 identical to the DS record [RFC4034]. IANA has allocated RR code 59 351 for the CDS record via expert review [I-D.ds-publish]. CDS uses the 352 same registries as DS for its fields 354 No special processing is performed by authoritative servers or by 355 revolvers, when serving or resolving. For all practical purposes CDS 356 is a regular RR type. 358 3.2. CDNSKEY Resource Record Format 360 The wire and presentation format of the CDNSKEY ("Child DNSKEY") 361 record is identical to the DNSKEY record. CDNSKEY uses the same 362 registries as DNSKEY for its fields. 364 No special processing is performed by authoritative servers or by 365 revolvers, when serving or resolving. For all practical purposes 366 CDNSKEY is a regular RR type. 368 4. Automating DS maintainance with CDS/CDNSKEY records 370 CDS/CDNSKEY records are intended to be "consumed" by delegation trust 371 maintainers. The use of CDS/CDNSKEY is optional. 373 Some parents prefer to accept DNSSEC key information in DS format, 374 some parents prefer to accept it in DNSKEY format, and calculate the 375 DS record on the child's behalf. Each method has pros and cons, both 376 technical and policy. This solution is DS vs DNSKEY agnostic, and 377 allows operation with either. 379 If the child knows what the parent prefers, they can publish the 380 parent's preferred record type. If the child does not know (or 381 simply chooses to), they can publish both CDS and CDNSKEY. If the 382 child publishes both, the two RRsets they MUST match in content. The 383 parent should use whichever one they choose, but SHOULD NOT query for 384 both and perform consistency checks between the CDS and CDNSKEY 385 records. 387 [Editor note: It is not an error for a child to have published CDS 388 records and not have CDNSKEYs that hash to those records, nor for 389 there to be CDNSKEY records without matching DS records. This is 390 because a child might have been publishing CDS records and then the 391 parent's policy changes to require CDNSKEY records. The child might 392 forget to remove the CDS, etc. This avoids all sorts of error 393 conditions / complexity, etc.] 395 4.1. CDS / CDNSKEY processing rules 397 If there are no CDS / CDNSKEY resource records in the child, this 398 signals that no change should be made to the current DS set. This 399 means that, once the child and parent are in sync, the child DNS 400 operator SHOULD remove all CDS records from the zone. 402 Following acceptance rules are placed on the CDS / CDNSKEY records as 403 follows: 405 o Location: "the CDS / CDNSKEY record MUST be at the child zone 406 apex". 408 o Signer: "MUST be signed with a key that is represented in both the 409 current DNSKEY and DS RRset's." 411 o Continuity: "MUST NOT break the current delegation if applied to 412 DS RRset" 414 If any these conditions fail the CDS / CDNSKEY record MUST be 415 ignored. 417 5. Child's CDS / CDNSKEY Publication 419 Child DNS Operator SHOULD only publish a CDS or CDNSKEY RRset when it 420 wants to make a change to the DS RRset in the Parent. In order to be 421 valid, the CDS / CDNSKEY RRset MUST be compliant with the rules in 422 Section 4.1. When the Parent DS is "in-sync" with the CDS / CDNSKEY, 423 the Child DNS Operator SHOULD delete the CDS / CDNSKEY RRset(s). 424 Note that if the child has published a CDNSKEY RR, the Parent will 425 have to calculate the DS (using the requested digest algorithm) to do 426 the comparison. 428 A child MAY publish both CDS and CDNSKEY. If a child chooses to 429 publish both, it MUST attempt to maintain consistency (a matching CDS 430 for each CDNSKEY). 432 6. Parent side CDS / CDNSKEY Consumption 434 The CDS / CDNSKEY RRset SHOULD be used by the Parental Agent to 435 update the DS RRset in the parent zone. The Parental Agent for this 436 uses a tool that understands the CDS / CDNSKEY signing rules from 437 Section 4.1 so it may not be able to use a standard validator. 439 The parent MUST choose to accept either CDS or CDNSKEY records, and 440 MUST NOT expect there to be both. A parent SHOULD NOT perform a 441 consistency check between CDS and CDNSKEY (other than for 442 informational / debugging use). 444 6.1. Detecting a changed CDS / CDNSKEY 446 How the Parental Agent gets the CDS / CDNSKEY record may differ, 447 below are two examples as how this can take place. 449 Polling The Parental Agent operates a tool that periodically checks 450 each of the children that has a DS record to see if there is a 451 CDS or CDNSKEY record. 453 Pushing The delegation user interface has a button {Fetch DS} when 454 pushed preforms the CDS / CDNSKEY processing. If the Parent 455 zone does not contain DS for this delegation then the "push" 456 MUST be ignored. 458 In either case the Parental Agent MAY apply additional rules that 459 defer the acceptance of a CDS / CDNSKEY change, these rules may 460 include a condition that the CDS / CDNSKEY remains in place and valid 461 for some time period before it is accepted. It may be appropriate in 462 the "Pushing" case to assume that the Child is ready and thus accept 463 changes without delay. 465 6.1.1. CDS / CDNSKEY Polling 467 This is the only defined use of CDS / CDNSKEY in this document. 468 There are limits to the saleability of polling techniques, thus some 469 other mechanism is likely to be specified later that addresses CDS / 470 CDNSKEY usage in the situation where polling does not scale to. 471 Having said that Polling will work in many important cases like 472 enterprises, universities, small TLDs etc. In many regulatory 473 environments the registry is prohibited from talking to the 474 registrant. In most of these cases the registrant has a business 475 relationship with the registrar, and so the registrar can offer this 476 as a service. 478 If the CDS / CDNSKEY RRset does not exist, the Parental Agent MUST 479 take no action. Specifically it MUST NOT delete or alter the 480 existing DS RRset. 482 6.1.2. Other mechanisms 484 It is assumed that other mechanisms will be implemented to trigger 485 the parent to look for an updated CDS / CDNSKEY record. As the CDS / 486 CDNSKEY records are validated with DNSSEC, these mechanisms can be 487 unauthenticated (for example, a child could telephone its parent and 488 request that they process the new CDS or CDNSKEY record, an 489 unauthenticated POST could be made to a webserver (with rate- 490 limiting), etc.) 492 Other documents can specify the trigger conditions. 494 6.2. Using the new CDS / CDNSKEY records 496 Regardless of how the Parental Agent detected changes to a CDS / 497 CDNSKEY RR, the Parental Agent MUST use a DNSSEC validator to obtain 498 a validated CDS / CDNSKEY RRset from the Child zone. It would be a 499 good idea if the Parental Agent checked all NS RRs listed at the 500 delegation. 502 The Parental Agent MUST ensure that old versions of the CDS / CDNSKEY 503 RRset do not overwrite newer versions. This MAY be accomplished by 504 checking that the signature inception in the RRSIG for CDS / CDNSKEY 505 is newer and/or the serial number on the child's SOA is greater. 506 This may require the Parental Agent to maintain some state 507 information. 509 The Parental Agent MAY take extra security measures. For example, to 510 mitigate the possibility that a Child's key signing key has been 511 compromised, the Parental Agent may, for example, inform (by email or 512 other methods ) the Child DNS Operator of the change. However the 513 precise out-of-band measures that a parent zone SHOULD take are 514 outside the scope of this document. 516 Once the Parental Agent has obtained a valid CDS / CDNSKEY it MUST 517 double check the publication rules from section 4.1. In particular 518 the Parental Agent MUST double check the Continuity rule and do its 519 best not to invalidate the Child zone. Once checked and if the CDS / 520 CDNSKEY and DS "differ" it may apply the changes to the parent zone. 521 If the parent consumes CDNSKEY, the parent should calculate the DS 522 before doing this comparison. 524 6.2.1. Parent calculates DS 526 There are cases where the Parent wants to calculate the DS record due 527 to policy reasons. In this case, the Child publishes CDNSKEY records 528 and the parent calculates the DS records on behalf of the children. 530 When a Parent operates in "calculate DS" mode it can operate in one 531 of two sub-modes 533 full i.e. it only publishes DS records it calculates from DNSKEY 534 records, 536 augment i.e. it will make sure there are DS records for the digest 537 algorithm(s) it requires(s). 539 IIn the case the parent fetch the CDNSKEY and calculate the DS it MAY 540 be the case that the DS published in the parent zone is not identical 541 with the data in the CDS record made available by the child. 543 7. IANA Considerations 545 IANA has assigned RR Type code 59 for CDS. This was done for an 546 earlier version of this document[I-D.ds-publish] This document is to 547 become the reference for CDS RRtype. 549 IANA is requested to assign another RR Type for the CDNSKEY. 551 8. Privacy Considerations 553 All of the information handled / transmitted by this protocol is 554 public information published in the DNS. 556 9. Security Considerations 558 This work is for the normal case; when things go wrong there is only 559 so much that automation can fix. 561 If child breaks DNSSEC validation by removing all the DNSKEYs that 562 are represented in the DS set its only repair actions are to contact 563 the parent or restore the DNSKEYs in the DS set. 565 In the event of a compromise of the server or system generating 566 signatures for a zone, an attacker might be able to generate and 567 publish new CDS records. The modified CDS records will be picked up 568 by this technique and so may allow the attacker to extend the 569 effective time of his attack. If there a delay in accepting changes 570 to DS, as in [RFC5011], then the attacker needs to hope his activity 571 is not detected before the DS in parent is changed. If this type of 572 change takes place, the child needs to contact the parent (possibly 573 via a registrar web interface) and remove any compromised DS keys. 575 A compromise of the account with the parent (e.g. registrar) will not 576 be mitigated by this technique, as the "new registrant" can delete/ 577 modify the DS records at will. 579 While it may be tempting, this SHOULD NOT be used for initial 580 enrollment of keys since there is no way to ensure that the initial 581 key is the correct one. If is used, strict rules for inclusion of 582 keys like hold down times, challenge data inclusion etc., ought to be 583 used, along with some kind of challenge mechanism. A child cannot 584 use this mechanism to go from signed to unsigned (publishing an empty 585 CDS / CDNSKEY RRset means no-change should be made in the parent). 587 The CDS RR type should allow for enhanced security by simplifying 588 process. Since rollover is automated, updating a DS RRset by other 589 means may be regarded as unusual and subject to extra security 590 checks. 592 As this introduces a new mechanism to update information in the 593 parent it MUST be clear who is fetching the records and creating the 594 appropriate records in the parent zone. Specifically some operations 595 may use other mechanisms than what is described here. For example, a 596 registrar may assume that it is maintaining the DNSSEC key 597 information in the registry, and may have this cached. If the 598 registry is fetching the CDS / CDNSKEY then the registry and 599 registrar may have different views of the DNSSEC key material and the 600 result of such a situation is unclear. Because of this, this 601 mechanism SHOULD NOT be use to bypass intermediaries that might cache 602 information and because of that get the wrong state. 604 If there is a failure in applying changes in child zone to all DNS 605 servers listed in either parent or child NS set it is possible that 606 the Parental agent may get confused either not perform action because 607 it gets different answers on different checks or CDS validation 608 fails. In the worst case, Parental Agent performs an action 609 reversing a prior action but after the child signing system decides 610 to take the next step in rollover, resulting in a broken delegation. 612 DNS is a loosely coherent distributed database with local caching; 613 therefore, it is important to allow old information to expire from 614 caches before deleting DS or DNSKEY records. Similarly, it is 615 important to allow new records to propagate through the DNS before 616 use, see [RFC6781] and [I-D.key-time] 618 It is common practice for users to outsource their DNS hosting to a 619 3rd party DNS provider. In order for that provider to be able to 620 maintain the DNSSEC information some users give the provider their 621 registrar login credentials (which obviously has negative security 622 implications). Deploying the solution described in this document 623 allows the 3rd party DNS provider to maintain the DNSSEC information 624 without giving them the registrar credentials, thereby improving 625 security. 627 By automating the maintenance of the DNSSEC key information (and 628 removing humans from the process) we expect to decrease the number of 629 DNSSEC related outages, which should increase DNSSEC deployment. 631 10. Acknowledgements 633 We would like to thank a large number of folk, including: Mark 634 Andrews, Joe Abley, Jaap Akkerhuis, Roy Arends, Doug Barton, Brian 635 Dickinson, Paul Ebersman, Tony Finch, Patrik Faltstrom, Jim Galvin, 636 Paul Hoffman, Samir Hussain, Tatuya Jinmei, Olaf Kolkman, Cricket 637 Liu, Stephan Lagerholm, Matt Larson, Marco Sanz, Antoin Verschuren, 638 Suzanne Woolf, Paul Wouters, Matthijs Meeking, John Dickinson, 639 Timothe Litt and Edward Lewis. 641 Special thanks to Wes Hardaker for contributing significant text and 642 creating the complementary (CSYNC) solution, and to Paul Hoffman and 643 Mukund Sivaraman for text and review. 645 There were a number of other folk with whom we discussed this, 646 apologies for not remembering everyone. 648 11. References 650 11.1. Normative References 652 [RFC1035] Mockapetris, P., "Domain names - implementation and 653 specification", STD 13, RFC 1035, November 1987. 655 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 656 Requirement Levels", BCP 14, RFC 2119, March 1997. 658 [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. 659 Rose, "DNS Security Introduction and Requirements", RFC 660 4033, March 2005. 662 [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. 663 Rose, "Resource Records for the DNS Security Extensions", 664 RFC 4034, March 2005. 666 [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S. 667 Rose, "Protocol Modifications for the DNS Security 668 Extensions", RFC 4035, March 2005. 670 [RFC5011] StJohns, M., "Automated Updates of DNS Security (DNSSEC) 671 Trust Anchors", STD 74, RFC 5011, September 2007. 673 [RFC6781] Kolkman, O., Mekking, W., and R. Gieben, "DNSSEC 674 Operational Practices, Version 2", RFC 6781, December 675 2012. 677 11.2. Informative References 679 [I-D.auto-cpsync] 680 Mekking, W., "Automated (DNSSEC) Child Parent 681 Synchronization using DNS UPDATE", draft-mekking-dnsop- 682 auto-cpsync-01 (work in progress), December 2010. 684 [I-D.csync] 685 Hardaker, W., "Child To Parent Synchronization in DNS", 686 draft-hardaker-dnsop-csync-02 (work in progress), July 687 2013. 689 [I-D.ds-publish] 690 Barwood, G., "DNS Transport", draft-barwood-dnsop-ds- 691 publish-02 (work in progress), June 2011. 693 [I-D.key-time] 694 Mekking, W., "DNSSEC Key Timing Considerations", draft- 695 ietf-dnsop-dnssec-key-timing-03 (work in progress), July 696 2012. 698 [I-D.parent-zones] 699 Andrews, M., "Updating Parent Zones", November 2013. 701 [RFC5730] Hollenbeck, S., "Extensible Provisioning Protocol (EPP)", 702 STD 69, RFC 5730, August 2009. 704 [RFC5910] Gould, J. and S. Hollenbeck, "Domain Name System (DNS) 705 Security Extensions Mapping for the Extensible 706 Provisioning Protocol (EPP)", RFC 5910, May 2010. 708 Appendix A. RRR background 710 In the RRR world, the different parties are frequently from different 711 organizations. In the single enterprise world there are also 712 organizational/geographical/cultural separations that affect how 713 information flows from a Child to the parent. 715 Due to the complexity of the different roles and interconnections, 716 automation of delegation information has been punted in the past. 717 There have been some proposals to automate this, in order to improve 718 the reliability of the DNS. These proposals have not gained enough 719 traction to become standards. 721 For example in many of the TLD cases there is the RRR model 722 (Registry, Registrar and Registrant). The Registry operates DNS for 723 the TLD, the Registrars accept registrations and place information 724 into the Registries database. The Registrant only communicates with 725 the Registrar; frequently the Registry is not allowed to communicate 726 with the Registrant. In that case as far as the registrant is 727 concerned the Registrar == Parent. 729 In many RRR cases the Registrar and Registry communicate via 730 EPP[RFC5730] and use the EPP DNSSEC extension [RFC5910]. In a number 731 of ccTLDs there are other mechanisms in use as well as EPP, but in 732 general there seems to be a movement towards EPP usage when DNSSEC is 733 enabled in the TLD. 735 Appendix B. Changes / Author Notes. 737 [RFC Editor: Please remove this section before publication ] 739 WG-03 to WG-04 741 o Large number of comments and changes from Patrik. 743 WG-02 to WG-03 745 o Fixed some references to RFC 5011 - from Samir Hussain. 747 o Fixed some spelling / typos - from Samir Hussain. 749 o A number of clarifiations on the meaning on an empty / non- 750 existant CDS RRset - thanks to JINMEI, Tatuya 752 o Be consistent in mentioning both CDS and CDNSKEY throughout the 753 document. 755 WG-01 to WG-02 757 o Many nits and suggestions from Mukund. 759 o Matthijs: " I still think that it is too strong that the Child DNS 760 Operator SHOULD/MUST delete the CDS RRset when the Parent DS is 761 "in-sync". This should be a MAY" 763 WG-00 to WG-01 765 o Addressed Vancouver: "Paul Hoffmann: NOT ready for WGLC. None of 766 the 2 documents explain why there is a split between the two 767 strategies." Thanks to Paul for providing text. 769 From -05 to WG-00: 771 o Nothing rchanged, resubmit under new name. 773 From 04 to 05 775 o Renamed the record back to CDS. 777 From 03 to 04. 779 o Added text explaining that CDS and CSYNC complement each other, 780 not replace or compete. 782 o Changed format of record to be to allow the 783 publication of DS **or** DNSKEY. 785 o Bunch of text changed to cover the above. 787 o Added a bit more text on the polling scaling stuff, expectation 788 that other triggers will be documented. 790 From 02 to 03 792 o Applied comments by Matthijs Mekking 794 o Incorporated suggestions from Edward Lewis about structure 796 o Reworked structure to be easier for implementors to follow 798 o Applied many suggestions from a wonderful thorough review by John 799 Dickinson 801 o Removed the going Unsigned option 803 From 01 to 02 805 o Major restructuring to facilitate easier discussion 807 o Lots of comments from DNSOP mailing list incorporated, including 808 making draft DNSKEY/DS neutral, explain different relationships 809 that exists, 811 o added more people to acks. 813 o added description of enterprise situations 815 o Unified on using Parental Agent over Parental Representative 817 o Removed redundant text when possible 819 o Added text to explain what can go wrong if not all child DNS 820 servers are in sync. 822 o Reference prior work by Matthijs Mekking 824 o Added text when parent calculates DS from DNSKEY 826 From - to -1. 828 o Removed from section .1: "If a child zone has gone unsigned, i.e. 829 no DNSKEY and no RRSIG in the zone, the parental representative 830 MAY treat that as intent to go unsigned. (NEEDS DISCUSSION)." 831 Added new text at end. -- suggestion by Scott Rose 20/Feb/13. 833 o Added some background on the different DNS Delegation operating 834 situations and how they affect interaction of parties. This moved 835 some blocks of text from later sections into here. 837 o Number of textual improvements from Stephan Lagerholm 839 o Added motivation why CDS is needed in CDS definition section 841 o Unified terminology in the document. 843 o Much more background 845 Authors' Addresses 847 Warren Kumari 848 Google 849 1600 Amphitheatre Parkway 850 Mountain View, CA 94043 851 US 853 Email: warren@kumari.net 854 Olafur Gudmundsson 855 Shinkuro Inc. 856 4922 Fairmont Av, Suite 250 857 Bethesda, MD 20814 858 USA 860 Email: ogud@ogud.com 862 George Barwood 863 33 Sandpiper Close 864 Gloucester GL2 4LZ 865 United Kingdom 867 Email: george.barwood@blueyonder.co.uk