idnits 2.17.00 (12 Aug 2021) /tmp/idnits60922/draft-ietf-dnsop-delegation-trust-maintainance-06.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == Line 517 has weird spacing: '... full i.e. ...' == Line 520 has weird spacing: '...augment i.e. ...' == The document seems to use 'NOT RECOMMENDED' as an RFC 2119 keyword, but does not include the phrase in its RFC 2119 key words list. -- The document date (April 14, 2014) is 2959 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- == Outdated reference: draft-ietf-dnsop-dnssec-key-timing has been published as RFC 7583 -- No information found for draft-parent-zones - is the name correct? Summary: 0 errors (**), 0 flaws (~~), 5 warnings (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 dnsop W. Kumari 3 Internet-Draft Google 4 Intended status: Informational O. Gudmundsson 5 Expires: October 16, 2014 Shinkuro Inc. 6 G. Barwood 8 April 14, 2014 10 Automating DNSSEC Delegation Trust Maintenance 11 draft-ietf-dnsop-delegation-trust-maintainance-06 13 Abstract 15 This document describes a method to allow DNS operators to more 16 easily update DNSSEC Key Signing Keys using the DNS as communication 17 channel. This document does not address the initial configuration of 18 trust anchors for a domain. The technique described is aimed at 19 delegations in which it is currently hard to move information from 20 the child to parent. 22 Status of This Memo 24 This Internet-Draft is submitted in full conformance with the 25 provisions of BCP 78 and BCP 79. 27 Internet-Drafts are working documents of the Internet Engineering 28 Task Force (IETF). Note that other groups may also distribute 29 working documents as Internet-Drafts. The list of current Internet- 30 Drafts is at http://datatracker.ietf.org/drafts/current/. 32 Internet-Drafts are draft documents valid for a maximum of six months 33 and may be updated, replaced, or obsoleted by other documents at any 34 time. It is inappropriate to use Internet-Drafts as reference 35 material or to cite them other than as "work in progress." 37 This Internet-Draft will expire on October 16, 2014. 39 Copyright Notice 41 Copyright (c) 2014 IETF Trust and the persons identified as the 42 document authors. All rights reserved. 44 This document is subject to BCP 78 and the IETF Trust's Legal 45 Provisions Relating to IETF Documents 46 (http://trustee.ietf.org/license-info) in effect on the date of 47 publication of this document. Please review these documents 48 carefully, as they describe your rights and restrictions with respect 49 to this document. Code Components extracted from this document must 50 include Simplified BSD License text as described in Section 4.e of 51 the Trust Legal Provisions and are provided without warranty as 52 described in the Simplified BSD License. 54 Table of Contents 56 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 57 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4 58 1.2. Requirements Notation . . . . . . . . . . . . . . . . . . 4 59 2. Background . . . . . . . . . . . . . . . . . . . . . . . . . 4 60 2.1. DNS Delegations . . . . . . . . . . . . . . . . . . . . . 4 61 2.2. Relationship Between Parent and Child DNS Operator . . . 5 62 2.2.1. Solution Space . . . . . . . . . . . . . . . . . . . 6 63 2.2.2. DNSSEC key change process . . . . . . . . . . . . . . 7 64 3. CDS / CDNSKEY (Child DS/ Child DNSKEY) Record Definitions . . 7 65 3.1. CDS Resource Record Format . . . . . . . . . . . . . . . 8 66 3.2. CDNSKEY Resource Record Format . . . . . . . . . . . . . 8 67 4. Automating DS Maintainance With CDS/CDNSKEY records . . . . . 8 68 4.1. CDS / CDNSKEY Processing Rules . . . . . . . . . . . . . 8 69 5. CDS / CDNSKEY Publication . . . . . . . . . . . . . . . . . . 9 70 6. Parent Side CDS / CDNSKEY Consumption . . . . . . . . . . . . 9 71 6.1. Detecting a Changed CDS / CDNSKEY . . . . . . . . . . . . 9 72 6.1.1. CDS / CDNSKEY Polling . . . . . . . . . . . . . . . . 10 73 6.1.2. Other Mechanisms . . . . . . . . . . . . . . . . . . 10 74 6.2. Using the New CDS / CDNSKEY Records . . . . . . . . . . . 11 75 6.2.1. Parent Calculates DS . . . . . . . . . . . . . . . . 11 76 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12 77 8. Privacy Considerations . . . . . . . . . . . . . . . . . . . 12 78 9. Security Considerations . . . . . . . . . . . . . . . . . . . 12 79 10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 14 80 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 14 81 11.1. Normative References . . . . . . . . . . . . . . . . . . 14 82 11.2. Informative References . . . . . . . . . . . . . . . . . 15 83 Appendix A. RRR background . . . . . . . . . . . . . . . . . . . 15 84 Appendix B. Changes / Author Notes. . . . . . . . . . . . . . . 16 85 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 19 87 1. Introduction 89 When a DNS operator first signs their zone, they need to communicate 90 their DS record(s) (or DNSKEY(s)) to their parent through some out- 91 of-band method to complete the chain of trust. 93 Each time the child changes the key that is represented in the 94 parent, the updated and/or deleted key information has to be 95 communicated to the parent and published in the parent's zone. How 96 this information is sent to the parent depends on the relationship 97 the child has with the parent. In many cases this is a manual 98 process, and not an easy one. For each key roll, there may be up to 99 two interactions with the parent. Any manual process is susceptible 100 to mistakes and/or errors. In addition, due to the annoyance factor 101 of the process, operators may avoid performing key rollovers or skip 102 needed steps to publish the new DS at the parent. 104 DNSSEC provides data integrity to information published in DNS; thus 105 DNS publication can be used to automate maintenance of delegation 106 information. This document describes a method to automate 107 publication of subsequent DS records, after the initial one has been 108 published. 110 Readers are expected to be familiar with DNSSEC, including [RFC4033], 111 [RFC4034], [RFC4035], [RFC5011] and [RFC6781]. 113 This document is a compilation of two earlier drafts: draft-barwood- 114 dnsop-ds-publish[I-D.ds-publish] and draft-wkumari-dnsop-ezkeyroll. 116 This document outlines a technique in which the parent periodically 117 (or upon request) polls its signed children and automatically publish 118 new DS records. To a large extent, the procedures this document 119 follows are as described in [RFC6781] section 4.1.2. 121 This technique is designed to be friendly both to fully automated 122 tools and humans. Fully automated tools can perform all the actions 123 needed without human intervention, and thus can monitor when it is 124 safe to move to the next step. 126 The solution described in this document only allows transferring 127 information about DNSSEC keys (DS and DNSKEY) from the child to the 128 parental agent. It lists exactly what the parent should publish, and 129 allows for publication of stand-by keys. A different protocol, 130 [I-D.csync], can be used to maintain other important delegation 131 information, such as NS and glue. These two protocols have been kept 132 as separate solutions because the problems are fundamentally 133 different, and a combined solution is overly complex. 135 This document describes a method for automating maintanance of the 136 delegation trust information, and proposes a polled / periodic 137 trigger for simplicity. Some users may prefer a different trigger, 138 such as a button on a webpage, a REST interface, DNS NOTIFY, etc. 139 These alternate / additional triggers are not discussed in this 140 document. 142 This proposal does not include all operations needed for the 143 maintenance of DNSSEC key material, specifically the initial 144 introduction or complete removal of all keys. Because of this, 145 alternate communications mechanisms must always exist, potentially 146 introducing more complexity. 148 1.1. Terminology 150 The terminology we use is defined in this section. 152 Highlighted roles: 154 o Child: "The entity on record that has the delegation of the domain 155 from the parent" 157 o Parent: "The domain in which the child is registered" 159 o Child DNS Operator: "The entity that maintains and publishes the 160 zone information for the child DNS" 162 o Parent DNS Operator: "The entity that maintains and publishes the 163 zone information for the parent DNS" 165 o Parental Agent: "The entity that the child has relationship with, 166 to change its delegation information" 168 o Provisioning system: "A system that the operator of the master DNS 169 server operates to maintain the information published in the DNS. 170 This includes the systems that sign the DNS data" 172 RRR is our shorthand for Registry/Registrar/Registrant model of 173 parent child relationship see Appendix A for more. 175 1.2. Requirements Notation 177 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 178 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 179 document are to be interpreted as described in [RFC2119]. 181 2. Background 183 2.1. DNS Delegations 185 DNS operation consists of delegations of authority. For each 186 delegation there are (most of the time) two parties: the parent and 187 the child. 189 The parent publishes information about the delegations to the child; 190 for the name servers it publishes an NS [RFC1035] RRset that lists a 191 hint for name servers that are authoritative for the child. The 192 child also publishes a NS RRset, and this set is the authoritative 193 list of name servers to the child zone. 195 The second RRset the parent sometimes publishes is the DS [RFC4034] 196 set. The DS RRset provides information about the DNSKEY(s) that the 197 child has told the parent it will use to sign its DNSKEY RRset. In 198 DNSSEC trust relationship between zones is provided by the following 199 chain: 201 parent DNSKEY --> DS --> child DNSKEY. 203 A prior proposal [I-D.auto-cpsync] suggested that the child send an 204 "update" to the parent via a mechanism similar to Dynamic Update. 205 The main issue became: How does the child find the actual parental 206 agent/server to send the update to? While that could have been 207 solved via technical means, the proposal died. There is also a 208 similar proposal in [I-D.parent-zones]. 210 As the DS record can only be present at the parent (RFC4034 211 [RFC4034]), some other record/method is needed to automate which 212 DNSKEYs are picked to be represented in the parent zone's DS records. 213 One possibility is to use flags in the DNSKEY record. If the SEP bit 214 is set, this indicates that the DNSKEY is intended for use as a 215 secure entry point. This DNSKEY signs the DNSKEY RRset, and the 216 Parental Agent can calculate DS records based on that. But this 217 fails to meet some operating needs, including the child having no 218 influence what DS digest algorithms are used and DS records can only 219 be published for keys that are in the DNSKEY RRset, and thus this 220 technique would not be compatible with Double-DS key rollover. 222 2.2. Relationship Between Parent and Child DNS Operator 224 In practical application, there are many different relationships 225 between the parent and child DNS operators. The type of relationship 226 affects how the Child DNS Operator communicates with the parent. 227 This section will highlight some of the different situations, but is 228 by no means a complete list. 230 Different communication paths: 232 o Direct/API: The child can change the delegation information via 233 automated/scripted means EPP[RFC5730] used by many TLDs is an 234 example of this. Another example is the web service's 235 programmatic interfaces that Registrars make available to their 236 Resellers. 238 o User Interface: The Child uses a (web) site set up by the Parental 239 Agent for updating delegation information. 241 o Indirect: The communication has to be transmitted via out-of-band 242 between two parties, such as email, telephone etc.. This is common 243 when the Child's DNS operator is neither the child itself nor the 244 Registrar for the domain but a third party. 246 o Multi-step Combinations: The information flows through an 247 intermediary. It is possible, but unlikely, that all the steps 248 are automated via API's and there are no humans are involved. 250 A domain name holder (Child) may operate its own DNS servers or 251 outsource the operation. While we use the word parent as a singular, 252 parent can consist of single entity or a composite of many discrete 253 parts that have rules and roles. We refer to the entity that the 254 child corresponds with as the Parent. 256 In another common case an enterprise may delegate parts of its name- 257 space to be operated by a group that is not the same as that which 258 operates the enterprise's DNS servers. In this case the flow of 259 information is frequently handled in either an ad hoc manner or via 260 some corporate mechanism; this can range from email to fully- 261 automated operation. The word enterprise above covers all 262 organizations in which the domains are not sold on the open market 263 and there is some relationship between the entities. 265 2.2.1. Solution Space 267 This document is aimed at the cases in which there is an 268 organizational separation of the child and parent. 270 A further complication is when the Child DNS Operator is not the 271 Child. There are two common cases of this: 273 a) The Parental Agent (e.g. registrar) handles the DNS operation. 275 b) A third party takes care of the DNS operation. 277 If the Parental Agent is the DNS operator, life is much easier; the 278 Parental Agent can inject any delegation changes directly into the 279 Parent's Provisioning system. The techniques described below are not 280 needed in the case when Parental Agent is the DNS operator. 282 In the case of a third party DNS operator, the Child either needs to 283 relay changes in DNS delegation or give the Child DNS Operator access 284 to its delegation/registration account. 286 Some parents want the child to express their DNSKEYS in the form of 287 DS records, while others want to receive the DNSKEY records and 288 calculate the DS records themselves. There is no consensus on which 289 method is better; both have good reasons to exist. This solution is 290 DS vs DNSKEY agnostic, and allows operation with either. 292 2.2.2. DNSSEC key change process 294 After a Child DNS Operator first signs the zone, there is a need to 295 interact with the Parent, for example via the delegation account 296 interface, to "upload / paste-in the zone's DS information". The 297 action of logging in through the delegation account user interface 298 authenticates that the user is authorized to change delegation 299 information for the child published in the parent zone. In the case 300 where the "Child DNS Operator" does not have access to the 301 registration account, the Child needs to perform the action. 303 At a later date, the Child DNS Operator may want to publish a new DS 304 record in the parent, either because they are rolling keys, or 305 because they want to publish a stand-by key. This involves 306 performing the same process as before. Furthermore when this is a 307 manual process with cut and paste, operational mistakes will happen 308 -- or worse, the update action is not performed at all. 310 The Child DNS Operator may also introduce new keys, and can do so 311 when old keys exist and can be used. The Child may also remove old 312 keys, but this document does not support removing all keys. This is 313 to avoid making signed zones unsigned. The Child may not enroll the 314 initial key or introduce a new key when there are no old keys that 315 can be used (without some additional, out of band, validation of the 316 keys), because there is no way to validate the information. 318 3. CDS / CDNSKEY (Child DS/ Child DNSKEY) Record Definitions 320 This document specifies two new resource records, CDS and CDNSKEY. 321 These records are used to convey, from one zone to its parent, the 322 desired contents of the zone's DS resource record set residing in the 323 parent zone. 325 The CDS / CDNSKEY records are published in the child zone and gives 326 the child control of what is published for it in the parental zone. 327 The CDS / CDNSKEY RRset expresses what the child would like the DS 328 RRset to look like after the change; it is a "replace" operation, and 329 it is up to the consumer of the records to translate that into the 330 appropriate add/delete operations in the registration systems (and in 331 the case of CDNSKEY, to generate the DS from the DNSKEY). If no CDS 332 / CDNSKEY RRset is present in child, this means that no change is 333 needed. 335 [[RFC Editor: Please remove this paragraph before publication] 336 Version -04 of the ID that became this working group document (http:/ 337 /tools.ietf.org/id/draft-kumari-ogud-dnsop-cds-04.txt) defined a new 338 record (CTA) that could hold either a DS or a DNSKEY record (with a 339 selector to differentiate between them). In a shocking development, 340 there was almost full consensus that this was horrid :-) ] 342 3.1. CDS Resource Record Format 344 The wire and presentation format of the CDS ("Child DS") record is 345 identical to the DS record [RFC4034]. IANA has allocated RR code 59 346 for the CDS record via expert review [I-D.ds-publish]. CDS uses the 347 same registries as DS for its fields. 349 No special processing is performed by authoritative servers or by 350 revolvers, when serving or resolving. For all practical purposes CDS 351 is a regular RR type. 353 3.2. CDNSKEY Resource Record Format 355 The wire and presentation format of the CDNSKEY ("Child DNSKEY") 356 record is identical to the DNSKEY record. IANA has allocated RR code 357 TBA1 for the CDS record via expert review. CDNSKEY uses the same 358 registries as DNSKEY for its fields. 360 No special processing is performed by authoritative servers or by 361 revolvers, when serving or resolving. For all practical purposes 362 CDNSKEY is a regular RR type. 364 4. Automating DS Maintainance With CDS/CDNSKEY records 366 CDS/CDNSKEY records are intended to be "consumed" by delegation trust 367 maintainers. The use of CDS/CDNSKEY is optional. 369 The child SHOULD publish both CDS and CDNSKEY records. If the child 370 knows which the parent consumes, it MAY choose to only publish that 371 record type (for example, some children wish the parent to publish a 372 DS, but they wish to keep the DNSKEY "hidden" until needed). If the 373 child publishes both, the two RRsets MUST match in content. The 374 parent should use whichever one they choose, but MUST NOT query for 375 both and perform consistency checks between the CDS and CDNSKEY 376 records. 378 4.1. CDS / CDNSKEY Processing Rules 380 If there are no CDS / CDNSKEY resource records in the child, this 381 signals that no change should be made to the current DS set. This 382 means that, once the child and parent are in sync, the child DNS 383 operator MAY remove all CDS records from the zone. 385 Following acceptance rules are placed on the CDS / CDNSKEY records as 386 follows: 388 o Location: "the CDS / CDNSKEY record MUST be at the child zone 389 apex". 391 o Signer: "MUST be signed with a key that is represented in both the 392 current DNSKEY and DS RRset's." 394 o Continuity: "MUST NOT break the current delegation if applied to 395 DS RRset" 397 If any these conditions fail the CDS / CDNSKEY record MUST be 398 ignored. 400 5. CDS / CDNSKEY Publication 402 Child DNS Operator publishes a CDS and / or CDNSKEY RRset. In order 403 to be valid, the CDS / CDNSKEY RRset MUST be compliant with the rules 404 in Section 4.1. When the Parent DS is "in-sync" with the CDS / 405 CDNSKEY, the Child DNS Operator MAY delete the CDS / CDNSKEY 406 RRset(s); the child can determine if this is the case by quering for 407 DS records in the parent. Note that if the child has published a 408 CDNSKEY RR, the Parent will have to calculate the DS (using the 409 requested digest algorithm) to do the comparison. 411 6. Parent Side CDS / CDNSKEY Consumption 413 The CDS / CDNSKEY RRset SHOULD be used by the Parental Agent to 414 update the DS RRset in the parent zone. The Parental Agent for this 415 uses a tool that understands the CDS / CDNSKEY signing rules from 416 Section 4.1 so it may not be able to use a standard validator. 418 The parent MUST choose to accept either CDS or CDNSKEY records (based 419 upon local policy), and MUST NOT expect there to be both. A parent 420 MUST NOT perform a consistency check between CDS and CDNSKEY (other 421 than for informational / debugging use). 423 6.1. Detecting a Changed CDS / CDNSKEY 425 How the Parental Agent gets the CDS / CDNSKEY record may differ, 426 below are two examples as how this can take place. 428 Polling The Parental Agent operates a tool that periodically checks 429 each of the children that has a DS record to see if there is a 430 CDS or CDNSKEY record. 432 Pushing The delegation user interface has a button {Fetch DS} when 433 pushed preforms the CDS / CDNSKEY processing. If the Parent 434 zone does not contain DS for this delegation then the "push" 435 SHOULD be ignored. If the Parental Agent displays the contents 436 of the CDS / CDSNKEY to the user and gets confirmation that 437 this represents their key, the Parental Agent MAY use this for 438 initial enrolment (when the Parent zone does not contain the DS 439 for this delgation). 441 In either case the Parental Agent MAY apply additional rules that 442 defer the acceptance of a CDS / CDNSKEY change, these rules may 443 include a condition that the CDS / CDNSKEY remains in place and valid 444 for some time period before it is accepted. It may be appropriate in 445 the "Pushing" case to assume that the Child is ready and thus accept 446 changes without delay. 448 6.1.1. CDS / CDNSKEY Polling 450 This is the only defined use of CDS / CDNSKEY in this document. 451 There are limits to the scaleability of polling techniques, thus some 452 other mechanism is likely to be specified later that addresses CDS / 453 CDNSKEY usage in the situation where polling does not scale to. 454 Having said that Polling will work in many important cases like 455 enterprises, universities, small TLDs etc. In many regulatory 456 environments the registry is prohibited from talking to the 457 registrant. In most of these cases the registrant has a business 458 relationship with the registrar, and so the registrar can offer this 459 as a service. 461 If the CDS / CDNSKEY RRset does not exist, the Parental Agent MUST 462 take no action. Specifically it MUST NOT delete or alter the 463 existing DS RRset. 465 6.1.2. Other Mechanisms 467 It is assumed that other mechanisms will be implemented to trigger 468 the parent to look for an updated CDS / CDNSKEY record. As the CDS / 469 CDNSKEY records are validated with DNSSEC, these mechanisms can be 470 unauthenticated (for example, a child could telephone its parent and 471 request that they process the new CDS or CDNSKEY record, an 472 unauthenticated POST could be made to a webserver (with rate- 473 limiting), etc.) 475 Other documents can specify the trigger conditions. 477 6.2. Using the New CDS / CDNSKEY Records 479 Regardless of how the Parental Agent detected changes to a CDS / 480 CDNSKEY RR, the Parental Agent SHOULD use a DNSSEC validator to 481 obtain a validated CDS / CDNSKEY RRset from the Child zone. The only 482 exception to this is if the parent perfoms some additional validation 483 on the data to confirm that it is the "correct" ket. This behavior 484 is NOT RECOMMENDED. 486 The Parental Agent MUST ensure that old versions of the CDS / CDNSKEY 487 RRset do not overwrite newer versions. This MAY be accomplished by 488 checking that the signature inception in the RRSIG for CDS / CDNSKEY 489 is newer and/or the serial number on the child's SOA is greater. 490 This may require the Parental Agent to maintain some state 491 information. 493 The Parental Agent MAY take extra security measures. For example, to 494 mitigate the possibility that a Child's key signing key has been 495 compromised, the Parental Agent may, for example, inform (by email or 496 other methods ) the Child DNS Operator of the change. However the 497 precise out-of-band measures that a parent zone SHOULD take are 498 outside the scope of this document. 500 Once the Parental Agent has obtained a valid CDS / CDNSKEY it MUST 501 check the publication rules from section 4.1. In particular the 502 Parental Agent MUST double check the Continuity rule and do its best 503 not to invalidate the Child zone. Once checked and if the CDS / 504 CDNSKEY and DS differ it may apply the changes to the parent zone. 505 If the parent consumes CDNSKEY, the parent should calculate the DS 506 before doing this comparison. 508 6.2.1. Parent Calculates DS 510 There are cases where the Parent wants to calculate the DS record due 511 to policy reasons. In this case, the Child publishes CDNSKEY records 512 and the parent calculates the DS records on behalf of the children. 514 When a Parent operates in "calculate DS" mode it can operate in one 515 of two sub-modes 517 full i.e. it only publishes DS records it calculates from DNSKEY 518 records, 520 augment i.e. it will make sure there are DS records for the digest 521 algorithm(s) it requires(s). 523 In the case the parent fetch the CDNSKEY and calculate the DS it MAY 524 be the case that the DS published in the parent zone is not identical 525 with the data in the CDS record made available by the child. 527 7. IANA Considerations 529 IANA has assigned RR Type code 59 for CDS. This was done for an 530 earlier version of this document[I-D.ds-publish] This document is to 531 become the reference for CDS RRtype. 533 IANA is requested to assign another RR Type for the CDNSKEY, and to 534 replace TBA1 with this value (currntly 60 is still free, it would be 535 nice if that were assigned...) 537 8. Privacy Considerations 539 All of the information handled / transmitted by this protocol is 540 public information published in the DNS. 542 9. Security Considerations 544 This work is for the normal case; when things go wrong there is only 545 so much that automation can fix. 547 If child breaks DNSSEC validation by removing all the DNSKEYs that 548 are represented in the DS set its only repair actions are to contact 549 the parent or restore the DNSKEYs in the DS set. 551 In the event of a compromise of the server or system generating 552 signatures for a zone, an attacker might be able to generate and 553 publish new CDS records. The modified CDS records will be picked up 554 by this technique and so may allow the attacker to extend the 555 effective time of his attack. If there a delay in accepting changes 556 to DS, as in [RFC5011], then the attacker needs to hope his activity 557 is not detected before the DS in parent is changed. If this type of 558 change takes place, the child needs to contact the parent (possibly 559 via a registrar web interface) and remove any compromised DS keys. 561 A compromise of the account with the parent (e.g. registrar) will not 562 be mitigated by this technique, as the "new registrant" can delete/ 563 modify the DS records at will. 565 While it may be tempting, this SHOULD NOT be used for initial 566 enrollment of keys since there is no way to ensure that the initial 567 key is the correct one. If is used, strict rules for inclusion of 568 keys like hold down times, challenge data inclusion etc., ought to be 569 used, along with some kind of challenge mechanism. A child cannot 570 use this mechanism to go from signed to unsigned (publishing an empty 571 CDS / CDNSKEY RRset means no-change should be made in the parent). 573 The CDS RR type should allow for enhanced security by simplifying 574 process. Since rollover is automated, updating a DS RRset by other 575 means may be regarded as unusual and subject to extra security 576 checks. 578 As this introduces a new mechanism to update information in the 579 parent it MUST be clear who is fetching the records and creating the 580 appropriate records in the parent zone. Specifically some operations 581 may use other mechanisms than what is described here. For example, a 582 registrar may assume that it is maintaining the DNSSEC key 583 information in the registry, and may have this cached. If the 584 registry is fetching the CDS / CDNSKEY then the registry and 585 registrar may have different views of the DNSSEC key material and the 586 result of such a situation is unclear. Because of this, this 587 mechanism SHOULD NOT be use to bypass intermediaries that might cache 588 information and because of that get the wrong state. 590 If there is a failure in applying changes in child zone to all DNS 591 servers listed in either parent or child NS set it is possible that 592 the Parental agent may get confused, either because it gets different 593 answers on different checks or CDS validation fails. In the worst 594 case, the Parental Agent performs an action reversing a prior action 595 but after the child signing system decides to take the next step in 596 rollover, resulting in a broken delegation. 598 DNS is a loosely coherent distributed database with local caching; 599 therefore, it is important to allow old information to expire from 600 caches before deleting DS or DNSKEY records. Similarly, it is 601 important to allow new records to propagate through the DNS before 602 use, see [RFC6781] and [I-D.key-time] 604 It is common practice for users to outsource their DNS hosting to a 605 3rd party DNS provider. In order for that provider to be able to 606 maintain the DNSSEC information some users give the provider their 607 registrar login credentials (which obviously has negative security 608 implications). Deploying the solution described in this document 609 allows the 3rd party DNS provider to maintain the DNSSEC information 610 without giving them the registrar credentials, thereby improving 611 security. 613 By automating the maintenance of the DNSSEC key information (and 614 removing humans from the process) we expect to decrease the number of 615 DNSSEC related outages, which should increase DNSSEC deployment. 617 10. Acknowledgements 619 We would like to thank a large number of folk, including: Mark 620 Andrews, Joe Abley, Jaap Akkerhuis, Roy Arends, Doug Barton, Brian 621 Dickinson, Paul Ebersman, Tony Finch, Jim Galvin, Paul Hoffman, Samir 622 Hussain, Tatuya Jinmei, Olaf Kolkman, Cricket Liu, Stephan Lagerholm, 623 Matt Larson, Marco Sanz, Antoin Verschuren, Suzanne Woolf, Paul 624 Wouters, John Dickinson, Timothe Litt and Edward Lewis. 626 Special thanks to Wes Hardaker for contributing significant text and 627 creating the complementary (CSYNC) solution, and to Patrik Faltstrom, 628 Paul Hoffman, Matthijs Mekking and Mukund Sivaraman for text and in- 629 depth review. 631 There were a number of other folk with whom we discussed this, 632 apologies for not remembering everyone. 634 11. References 636 11.1. Normative References 638 [RFC1035] Mockapetris, P., "Domain names - implementation and 639 specification", STD 13, RFC 1035, November 1987. 641 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 642 Requirement Levels", BCP 14, RFC 2119, March 1997. 644 [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. 645 Rose, "DNS Security Introduction and Requirements", RFC 646 4033, March 2005. 648 [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. 649 Rose, "Resource Records for the DNS Security Extensions", 650 RFC 4034, March 2005. 652 [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S. 653 Rose, "Protocol Modifications for the DNS Security 654 Extensions", RFC 4035, March 2005. 656 [RFC5011] StJohns, M., "Automated Updates of DNS Security (DNSSEC) 657 Trust Anchors", STD 74, RFC 5011, September 2007. 659 [RFC6781] Kolkman, O., Mekking, W., and R. Gieben, "DNSSEC 660 Operational Practices, Version 2", RFC 6781, December 661 2012. 663 11.2. Informative References 665 [I-D.auto-cpsync] 666 Mekking, W., "Automated (DNSSEC) Child Parent 667 Synchronization using DNS UPDATE", draft-mekking-dnsop- 668 auto-cpsync-01 (work in progress), December 2010. 670 [I-D.csync] 671 Hardaker, W., "Child To Parent Synchronization in DNS", 672 draft-hardaker-dnsop-csync-02 (work in progress), July 673 2013. 675 [I-D.ds-publish] 676 Barwood, G., "DNS Transport", draft-barwood-dnsop-ds- 677 publish-02 (work in progress), June 2011. 679 [I-D.key-time] 680 Mekking, W., "DNSSEC Key Timing Considerations", draft- 681 ietf-dnsop-dnssec-key-timing-03 (work in progress), July 682 2012. 684 [I-D.parent-zones] 685 Andrews, M., "Updating Parent Zones", November 2013. 687 [RFC5730] Hollenbeck, S., "Extensible Provisioning Protocol (EPP)", 688 STD 69, RFC 5730, August 2009. 690 [RFC5910] Gould, J. and S. Hollenbeck, "Domain Name System (DNS) 691 Security Extensions Mapping for the Extensible 692 Provisioning Protocol (EPP)", RFC 5910, May 2010. 694 Appendix A. RRR background 696 In the RRR world, the different parties are frequently from different 697 organizations. In the single enterprise world there are also 698 organizational/geographical/cultural separations that affect how 699 information flows from a Child to the parent. 701 Due to the complexity of the different roles and interconnections, 702 automation of delegation information has been punted in the past. 703 There have been some proposals to automate this, in order to improve 704 the reliability of the DNS. These proposals have not gained enough 705 traction to become standards. 707 For example in many of the TLD cases there is the RRR model 708 (Registry, Registrar and Registrant). The Registry operates DNS for 709 the TLD, the Registrars accept registrations and place information 710 into the Registries database. The Registrant only communicates with 711 the Registrar; frequently the Registry is not allowed to communicate 712 with the Registrant. In that case as far as the registrant is 713 concerned the Registrar == Parent. 715 In many RRR cases the Registrar and Registry communicate via 716 EPP[RFC5730] and use the EPP DNSSEC extension [RFC5910]. In a number 717 of ccTLDs there are other mechanisms in use as well as EPP, but in 718 general there seems to be a movement towards EPP usage when DNSSEC is 719 enabled in the TLD. 721 Appendix B. Changes / Author Notes. 723 [RFC Editor: Please remove this section before publication ] 725 WG-05 to WG-06 727 o Consensus (according to me!) was that mail thread said "Child MAY 728 remove the CDS record". Changed to accomodate. 730 o "The proposal below can operate with both models, but the child 731 needs to be aware of the parental policies." - removed "but the 732 child needs to be aware of the parental policies.". This is no 733 longer true, as we suggest publishing both CDS and CDSNKEY. 735 o Added: "without some additional out of band process" to "The Child 736 may not enroll the initial key or introduce a new key when there 737 are no old keys that can be used (without some additional, out of 738 band, validation of the keys), because there is no way to validate 739 the information." 741 o Added a bit to the IANA section, requesting that TBA1 be replaced 742 with the IANA allocated code. 744 o Removed" Some parents prefer to accept DNSSEC key information in 745 DS format, some parents prefer to accept it in DNSKEY format, and 746 calculate the DS record on the child's behalf. Each method has 747 pros and cons, both technical and policy. This solution is DS vs 748 DNSKEY agnostic, and allows operation with either." from Section 4 749 as it is covered in Section 2.2.1 751 o Remove a bunch of comments from the XML. I was getting tired of 752 scrolling past them. If the authors need them back, they are in 753 SVN commit 47. 755 WG-04 to WG-05 757 o More comments from Patrik, Paul and Ed. 759 o Many nits and fixes from Matthijs Mekking. 761 o Outstanding question: Should we remove the "Child SHOULD remove 762 the CDS record" text? Mail sent to list. 764 WG-03 to WG-04 766 o Large number of comments and changes from Patrik. 768 WG-02 to WG-03 770 o Fixed some references to RFC 5011 - from Samir Hussain. 772 o Fixed some spelling / typos - from Samir Hussain. 774 o A number of clarifiations on the meaning on an empty / non- 775 existant CDS RRset - thanks to JINMEI, Tatuya 777 o Be consistent in mentioning both CDS and CDNSKEY throughout the 778 document. 780 WG-01 to WG-02 782 o Many nits and suggestions from Mukund. 784 o Matthijs: " I still think that it is too strong that the Child DNS 785 Operator SHOULD/MUST delete the CDS RRset when the Parent DS is 786 "in-sync". This should be a MAY" 788 WG-00 to WG-01 790 o Addressed Vancouver: "Paul Hoffmann: NOT ready for WGLC. None of 791 the 2 documents explain why there is a split between the two 792 strategies." Thanks to Paul for providing text. 794 From -05 to WG-00: 796 o Nothing rchanged, resubmit under new name. 798 From 04 to 05 800 o Renamed the record back to CDS. 802 From 03 to 04. 804 o Added text explaining that CDS and CSYNC complement each other, 805 not replace or compete. 807 o Changed format of record to be to allow the 808 publication of DS **or** DNSKEY. 810 o Bunch of text changed to cover the above. 812 o Added a bit more text on the polling scaling stuff, expectation 813 that other triggers will be documented. 815 From 02 to 03 817 o Applied comments by Matthijs Mekking 819 o Incorporated suggestions from Edward Lewis about structure 821 o Reworked structure to be easier for implementors to follow 823 o Applied many suggestions from a wonderful thorough review by John 824 Dickinson 826 o Removed the going Unsigned option 828 From 01 to 02 830 o Major restructuring to facilitate easier discussion 832 o Lots of comments from DNSOP mailing list incorporated, including 833 making draft DNSKEY/DS neutral, explain different relationships 834 that exists, 836 o added more people to acks. 838 o added description of enterprise situations 840 o Unified on using Parental Agent over Parental Representative 842 o Removed redundant text when possible 844 o Added text to explain what can go wrong if not all child DNS 845 servers are in sync. 847 o Reference prior work by Matthijs Mekking 849 o Added text when parent calculates DS from DNSKEY 851 From - to -1. 853 o Removed from section .1: "If a child zone has gone unsigned, i.e. 854 no DNSKEY and no RRSIG in the zone, the parental representative 855 MAY treat that as intent to go unsigned. (NEEDS DISCUSSION)." 856 Added new text at end. -- suggestion by Scott Rose 20/Feb/13. 858 o Added some background on the different DNS Delegation operating 859 situations and how they affect interaction of parties. This moved 860 some blocks of text from later sections into here. 862 o Number of textual improvements from Stephan Lagerholm 864 o Added motivation why CDS is needed in CDS definition section 866 o Unified terminology in the document. 868 o Much more background 870 Authors' Addresses 872 Warren Kumari 873 Google 874 1600 Amphitheatre Parkway 875 Mountain View, CA 94043 876 US 878 Email: warren@kumari.net 880 Olafur Gudmundsson 881 Shinkuro Inc. 882 4922 Fairmont Av, Suite 250 883 Bethesda, MD 20814 884 USA 886 Email: ogud@ogud.com 888 George Barwood 889 33 Sandpiper Close 890 Gloucester GL2 4LZ 891 United Kingdom 893 Email: george.barwood@blueyonder.co.uk