idnits 2.17.00 (12 Aug 2021) /tmp/idnits64004/draft-ietf-dnsop-delegation-trust-maintainance-08.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == Line 513 has weird spacing: '... full it on...' == Line 515 has weird spacing: '...augment it wi...' == The document seems to use 'NOT RECOMMENDED' as an RFC 2119 keyword, but does not include the phrase in its RFC 2119 key words list. -- The document date (April 15, 2014) is 2958 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- == Outdated reference: draft-ietf-dnsop-dnssec-key-timing has been published as RFC 7583 Summary: 0 errors (**), 0 flaws (~~), 5 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 dnsop W. Kumari 3 Internet-Draft Google 4 Intended status: Informational O. Gudmundsson 5 Expires: October 17, 2014 Shinkuro Inc. 6 G. Barwood 8 April 15, 2014 10 Automating DNSSEC Delegation Trust Maintenance 11 draft-ietf-dnsop-delegation-trust-maintainance-08 13 Abstract 15 This document describes a method to allow DNS operators to more 16 easily update DNSSEC Key Signing Keys using the DNS as communication 17 channel. This document does not address the initial configuration of 18 trust anchors for a domain. The technique described is aimed at 19 delegations in which it is currently hard to move information from 20 the child to parent. 22 Status of This Memo 24 This Internet-Draft is submitted in full conformance with the 25 provisions of BCP 78 and BCP 79. 27 Internet-Drafts are working documents of the Internet Engineering 28 Task Force (IETF). Note that other groups may also distribute 29 working documents as Internet-Drafts. The list of current Internet- 30 Drafts is at http://datatracker.ietf.org/drafts/current/. 32 Internet-Drafts are draft documents valid for a maximum of six months 33 and may be updated, replaced, or obsoleted by other documents at any 34 time. It is inappropriate to use Internet-Drafts as reference 35 material or to cite them other than as "work in progress." 37 This Internet-Draft will expire on October 17, 2014. 39 Copyright Notice 41 Copyright (c) 2014 IETF Trust and the persons identified as the 42 document authors. All rights reserved. 44 This document is subject to BCP 78 and the IETF Trust's Legal 45 Provisions Relating to IETF Documents 46 (http://trustee.ietf.org/license-info) in effect on the date of 47 publication of this document. Please review these documents 48 carefully, as they describe your rights and restrictions with respect 49 to this document. Code Components extracted from this document must 50 include Simplified BSD License text as described in Section 4.e of 51 the Trust Legal Provisions and are provided without warranty as 52 described in the Simplified BSD License. 54 Table of Contents 56 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 57 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4 58 1.2. Requirements Notation . . . . . . . . . . . . . . . . . . 4 59 2. Background . . . . . . . . . . . . . . . . . . . . . . . . . 4 60 2.1. DNS Delegations . . . . . . . . . . . . . . . . . . . . . 4 61 2.2. Relationship Between Parent and Child DNS Operator . . . 5 62 2.2.1. Solution Space . . . . . . . . . . . . . . . . . . . 6 63 2.2.2. DNSSEC key change process . . . . . . . . . . . . . . 7 64 3. CDS / CDNSKEY (Child DS/ Child DNSKEY) Record Definitions . . 7 65 3.1. CDS Resource Record Format . . . . . . . . . . . . . . . 8 66 3.2. CDNSKEY Resource Record Format . . . . . . . . . . . . . 8 67 4. Automating DS Maintainance With CDS/CDNSKEY records . . . . . 8 68 4.1. CDS / CDNSKEY Processing Rules . . . . . . . . . . . . . 8 69 5. CDS / CDNSKEY Publication . . . . . . . . . . . . . . . . . . 9 70 6. Parent Side CDS / CDNSKEY Consumption . . . . . . . . . . . . 9 71 6.1. Detecting a Changed CDS / CDNSKEY . . . . . . . . . . . . 9 72 6.1.1. CDS / CDNSKEY Polling . . . . . . . . . . . . . . . . 10 73 6.1.2. Other Mechanisms . . . . . . . . . . . . . . . . . . 10 74 6.2. Using the New CDS / CDNSKEY Records . . . . . . . . . . . 10 75 6.2.1. Parent Calculates DS . . . . . . . . . . . . . . . . 11 76 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12 77 8. Privacy Considerations . . . . . . . . . . . . . . . . . . . 12 78 9. Security Considerations . . . . . . . . . . . . . . . . . . . 12 79 10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 14 80 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 14 81 11.1. Normative References . . . . . . . . . . . . . . . . . . 14 82 11.2. Informative References . . . . . . . . . . . . . . . . . 15 83 Appendix A. RRR background . . . . . . . . . . . . . . . . . . . 15 84 Appendix B. Changes / Author Notes. . . . . . . . . . . . . . . 16 85 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 19 87 1. Introduction 89 When a DNS operator first signs their zone, they need to communicate 90 their DS record(s) (or DNSKEY(s)) to their parent through some out- 91 of-band method to complete the chain of trust. 93 Each time the child changes the key that is represented in the 94 parent, the updated and/or deleted key information has to be 95 communicated to the parent and published in the parent's zone. How 96 this information is sent to the parent depends on the relationship 97 the child has with the parent. In many cases this is a manual 98 process, and not an easy one. For each key change, there may be up 99 to two interactions with the parent. Any manual process is 100 susceptible to mistakes and/or errors. In addition, due to the 101 annoyance factor of the process, operators may avoid changing keys or 102 skip needed steps to publish the new DS at the parent. 104 DNSSEC provides data integrity to information published in DNS; thus 105 DNS publication can be used to automate maintenance of delegation 106 information. This document describes a method to automate 107 publication of subsequent DS records, after the initial one has been 108 published. 110 Readers are expected to be familiar with DNSSEC, including [RFC4033], 111 [RFC4034], [RFC4035], [RFC5011] and [RFC6781]. 113 This document is a compilation of two earlier drafts: draft-barwood- 114 dnsop-ds-publish[I-D.ds-publish] and draft-wkumari-dnsop-ezkeyroll. 116 This document outlines a technique in which the parent periodically 117 (or upon request) polls its signed children and automatically publish 118 new DS records. To a large extent, the procedures this document 119 follows are as described in [RFC6781] section 4.1.2. 121 This technique is designed to be friendly both to fully automated 122 tools and humans. Fully automated tools can perform all the actions 123 needed without human intervention, and thus can monitor when it is 124 safe to move to the next step. 126 The solution described in this document only allows transferring 127 information about DNSSEC keys (DS and DNSKEY) from the child to the 128 parental agent. It lists exactly what the parent should publish, and 129 allows for publication of stand-by keys. A different protocol, 130 [I-D.csync], can be used to maintain other important delegation 131 information, such as NS and glue. These two protocols have been kept 132 as separate solutions because the problems are fundamentally 133 different, and a combined solution is overly complex. 135 This document describes a method for automating maintanance of the 136 delegation trust information, and proposes a polled / periodic 137 trigger for simplicity. Some users may prefer a different trigger, 138 for example a button on a webpage, a REST interface or a DNS NOTIFY. 139 These alternate / additional triggers are not discussed in this 140 document. 142 This proposal does not include all operations needed for the 143 maintenance of DNSSEC key material, specifically the initial 144 introduction or complete removal of all keys. Because of this, 145 alternate communications mechanisms must always exist, potentially 146 introducing more complexity. 148 1.1. Terminology 150 The terminology we use is defined in this section. 152 Highlighted roles: 154 o Child: "The entity on record that has the delegation of the domain 155 from the parent" 157 o Parent: "The domain in which the child is registered" 159 o Child DNS Operator: "The entity that maintains and publishes the 160 zone information for the child DNS" 162 o Parental Agent: "The entity that the child has relationship with, 163 to change its delegation information" 165 o Provisioning system: "A system that the operator of the master DNS 166 server operates to maintain the information published in the DNS. 167 This includes the systems that sign the DNS data" 169 RRR is our shorthand for Registry/Registrar/Registrant model of 170 parent child relationship see Appendix A for more. 172 1.2. Requirements Notation 174 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 175 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 176 document are to be interpreted as described in [RFC2119]. 178 2. Background 180 2.1. DNS Delegations 182 DNS operation consists of delegations of authority. For each 183 delegation there are (most of the time) two parties: the parent and 184 the child. 186 The parent publishes information about the delegations to the child; 187 for the name servers it publishes an NS [RFC1035] RRset that lists a 188 hint for name servers that are authoritative for the child. The 189 child also publishes a NS RRset, and this set is the authoritative 190 list of name servers to the child zone. 192 The second RRset the parent sometimes publishes is the DS [RFC4034] 193 set. The DS RRset provides information about the DNSKEY(s) that the 194 child has told the parent it will use to sign its DNSKEY RRset. In 195 DNSSEC trust relationship between zones is provided by the following 196 chain: 198 parent DNSKEY --> DS --> child DNSKEY. 200 A prior proposal [I-D.auto-cpsync] suggested that the child send an 201 "update" to the parent via a mechanism similar to Dynamic Update. 202 The main issue became: How does the child find the actual parental 203 agent/server to send the update to? While that could have been 204 solved via technical means, it failed to each consensus. There is 205 also a similar proposal in [I-D.parent-zones]. 207 As the DS record can only be present at the parent ( [RFC4034]), some 208 other method is needed to automate which DNSKEYs are picked to be 209 represented in the parent zone's DS records. One possibility is to 210 use flags in the DNSKEY record. If the SEP bit is set, this 211 indicates that the DNSKEY is intended for use as a secure entry 212 point. This DNSKEY signs the DNSKEY RRset, and the Parental Agent 213 can calculate DS records based on that. But this fails to meet some 214 operating needs, including the child having no influence what DS 215 digest algorithms are used and DS records can only be published for 216 keys that are in the DNSKEY RRset, and thus this technique would not 217 be compatible with Double-DS ( [RFC6781] ) key rollover. 219 2.2. Relationship Between Parent and Child DNS Operator 221 In practical application, there are many different relationships 222 between the parent and Child DNS Operators. The type of relationship 223 affects how the Child DNS Operator communicates with the parent. 224 This section will highlight some of the different situations, but is 225 by no means a complete list. 227 Different communication paths: 229 o Direct/API: The child can change the delegation information via 230 automated/scripted means. EPP[RFC5730], used by many TLDs is an 231 example of this. Another example is the web service's 232 programmatic interfaces that Registrars make available to their 233 Resellers. 235 o User Interface: The Child uses a (web) site set up by the Parental 236 Agent for updating delegation information. 238 o Indirect: The communication has to be transmitted via out-of-band 239 between two parties, such as by email or telephone. This is 240 common when the Child's DNS operator is neither the child itself 241 nor the Registrar for the domain but a third party. 243 o Multi-step Combinations: The information flows through an 244 intermediary. It is possible, but unlikely, that all the steps 245 are automated via API's and there are no humans are involved. 247 A domain name holder (Child) may operate its own DNS servers or 248 outsource the operation. While we use the word parent as a singular, 249 parent can consist of single entity or a composite of many discrete 250 parts that have rules and roles. We refer to the entity that the 251 child corresponds with as the Parent. 253 In some cases an organization may delegate parts of its name-space to 254 be operated by a group that is not the same as that which operates 255 the organization's DNS servers. In this case the flow of information 256 is frequently handled in either an ad hoc manner or via some 257 corporate mechanism; this can range from email to fully-automated 258 operation. 260 2.2.1. Solution Space 262 This document is aimed at the cases in which there is a separation 263 between the child and parent. 265 A further complication is when the Child DNS Operator is not the 266 Child. There are two common cases of this: 268 a) The Parental Agent (e.g. registrar) handles the DNS operation. 270 b) A third party takes care of the DNS operation. 272 If the Parental Agent is the DNS operator, life is much easier; the 273 Parental Agent can inject any delegation changes directly into the 274 Parent's Provisioning system. The techniques described below are not 275 needed in the case when Parental Agent is the DNS operator. 277 In the case of a third party DNS operator, the Child either needs to 278 relay changes in DNS delegation or give the Child DNS Operator access 279 to its delegation/registration account. 281 Some parents want the child to express their DNSKEYS in the form of 282 DS records, while others want to receive the DNSKEY records and 283 calculate the DS records themselves. There is no consensus on which 284 method is better; both have good reasons to exist. This solution is 285 DS vs DNSKEY agnostic, and allows operation with either. 287 2.2.2. DNSSEC key change process 289 After a Child DNS Operator first signs the zone, there is a need to 290 interact with the Parent, for example via a delegation account 291 interface, to "upload / paste-in the zone's DS information". This 292 action of logging in through the delegation account user interface 293 authenticates that the user is authorized to change delegation 294 information for the child published in the parent zone. In the case 295 where the Child DNS Operator does not have access to the registration 296 account, the Child needs to perform the action. 298 At a later date, the Child DNS Operator may want to publish a new DS 299 record in the parent, either because they are changing keys, or 300 because they want to publish a stand-by key. This involves 301 performing the same process as before. Furthermore when this is a 302 manual process with cut and paste, operational mistakes will happen 303 -- or worse, the update action is not performed at all. 305 The Child DNS Operator may also introduce new keys, and can do so 306 when old keys exist and can be used. The Child may also remove old 307 keys, but this document does not support removing all keys. This is 308 to avoid making signed zones unsigned. The Child may not enroll the 309 initial key or introduce a new key when there are no old keys that 310 can be used (without some additional, out of band, validation of the 311 keys), because there is no way to validate the information. 313 3. CDS / CDNSKEY (Child DS/ Child DNSKEY) Record Definitions 315 This document specifies two new DNS resource records, CDS and 316 CDNSKEY. These records are used to convey, from one zone to its 317 parent, the desired contents of the zone's DS resource record set 318 residing in the parent zone. 320 The CDS / CDNSKEY resource records are published in the child zone 321 and gives the child control of what is published for it in the 322 parental zone. The CDS / CDNSKEY RRset expresses what the child 323 would like the DS RRset to look like after the change; it is a 324 "replace" operation, and it is up to the consumer of the records to 325 translate that into the appropriate add/delete operations in the 326 provisioning systems (and in the case of CDNSKEY, to generate the DS 327 from the DNSKEY). If no CDS / CDNSKEY RRset is present in child, 328 this means that no change is needed. 330 [[RFC Editor: Please remove this paragraph before publication] 331 Version -04 of the ID that became this working group document (http:/ 332 /tools.ietf.org/id/draft-kumari-ogud-dnsop-cds-04.txt) defined a new 333 record (CTA) that could hold either a DS or a DNSKEY record (with a 334 selector to differentiate between them). In a shocking development, 335 there was almost full consensus that this was horrid :-) ] 337 3.1. CDS Resource Record Format 339 The wire and presentation format of the CDS ("Child DS") resource 340 record is identical to the DS record [RFC4034]. IANA has allocated 341 RR code 59 for the CDS resource record via expert review 342 [I-D.ds-publish]. The CDS RR uses the same registries as DS for its 343 fields. 345 No special processing is performed by authoritative servers or by 346 revolvers, when serving or resolving. For all practical purposes CDS 347 is a regular RR type. 349 3.2. CDNSKEY Resource Record Format 351 The wire and presentation format of the CDNSKEY ("Child DNSKEY") 352 resource record is identical to the DNSKEY record. IANA has 353 allocated RR code TBA1 for the CDNSKEY resource record via expert 354 review. The CDNSKEY RR uses the same registries as DNSKEY for its 355 fields. 357 No special processing is performed by authoritative servers or by 358 revolvers, when serving or resolving. For all practical purposes 359 CDNSKEY is a regular RR type. 361 4. Automating DS Maintainance With CDS/CDNSKEY records 363 CDS/CDNSKEY resource records are intended to be "consumed" by 364 delegation trust maintainers. The use of CDS/CDNSKEY is optional. 366 The child SHOULD publish both CDS and CDNSKEY resource records. If 367 the child knows which the parent consumes, it MAY choose to only 368 publish that record type (for example, some children wish the parent 369 to publish a DS, but they wish to keep the DNSKEY "hidden" until 370 needed). If the child publishes both, the two RRsets MUST match in 371 content. 373 4.1. CDS / CDNSKEY Processing Rules 375 If there are no CDS / CDNSKEY RRset in the child, this signals that 376 no change should be made to the current DS set. This means that, 377 once the child and parent are in sync, the Child DNS Operator MAY 378 remove all CDS and CDNSKEY resource records from the zone. 380 Following acceptance rules are placed on the CDS / CDNSKEY resource 381 records as follows: 383 o Location: "the CDS / CDNSKEY resource records MUST be at the child 384 zone apex". 386 o Signer: "MUST be signed with a key that is represented in both the 387 current DNSKEY and DS RRset's." 389 o Continuity: "MUST NOT break the current delegation if applied to 390 DS RRset" 392 If any these conditions fail the CDS / CDNSKEY resource record MUST 393 be ignored. 395 5. CDS / CDNSKEY Publication 397 Child DNS Operator publishes a CDS and / or CDNSKEY resource records. 398 In order to be valid, the CDS / CDNSKEY RRset MUST be compliant with 399 the rules in Section 4.1. When the Parent DS is "in-sync" with the 400 CDS / CDNSKEY resource records, the Child DNS Operator MAY delete the 401 CDS / CDNSKEY record(s); the child can determine if this is the case 402 by quering for DS records in the parent. Note that if the child has 403 published a CDNSKEY RR, the Parent will have to calculate the DS 404 (using the requested digest algorithm) to do the comparison. 406 6. Parent Side CDS / CDNSKEY Consumption 408 The CDS / CDNSKEY RRset SHOULD be used by the Parental Agent to 409 update the DS RRset in the parent zone. The Parental Agent for this 410 uses a tool that understands the CDS / CDNSKEY signing rules from 411 Section 4.1 so it may not be able to use a standard validator. 413 The parent MUST choose to use either CDNSKEY or CDS resource records 414 as their default updating mechanism. The parent MAY only accept 415 either CDNSKEY or CDS, but it MAY also accept both, so it can use the 416 other in the absence of the default updating mechanism, but it MUST 417 NOT expect there to be both. 419 6.1. Detecting a Changed CDS / CDNSKEY 421 How the Parental Agent gets the CDS / CDNSKEY RRset may differ, below 422 are two examples as how this can take place. 424 Polling The Parental Agent operates a tool that periodically checks 425 each of the children that has a DS record to see if there is a 426 CDS or CDNSKEY RRset. 428 Pushing The delegation user interface has a button {Fetch DS} when 429 pushed preforms the CDS / CDNSKEY processing. If the Parent 430 zone does not contain DS for this delegation then the "push" 431 SHOULD be ignored. If the Parental Agent displays the contents 432 of the CDS / CDSNKEY to the user and gets confirmation that 433 this represents their key, the Parental Agent MAY use this for 434 initial enrolment (when the Parent zone does not contain the DS 435 for this delgation). 437 In either case the Parental Agent MAY apply additional rules that 438 defer the acceptance of a CDS / CDNSKEY change, these rules may 439 include a condition that the CDS / CDNSKEY remains in place and valid 440 for some time period before it is accepted. It may be appropriate in 441 the "Pushing" case to assume that the Child is ready and thus accept 442 changes without delay. 444 6.1.1. CDS / CDNSKEY Polling 446 This is the only defined use of CDS / CDNSKEY resource records in 447 this document. There are limits to the scaleability of polling 448 techniques, thus some other mechanism is likely to be specified later 449 that addresses CDS / CDNSKEY resource recod usage in the situation 450 where polling does not scale to. Having said that Polling will work 451 in many important cases such as enterprises, universities and smaller 452 TLDs. In many regulatory environments the registry is prohibited 453 from talking to the registrant. In most of these cases the 454 registrant has a business relationship with the registrar, and so the 455 registrar can offer this as a service. 457 If the CDS / CDNSKEY RRset does not exist, the Parental Agent MUST 458 take no action. Specifically it MUST NOT delete or alter the 459 existing DS RRset. 461 6.1.2. Other Mechanisms 463 It is assumed that other mechanisms will be implemented to trigger 464 the parent to look for an updated CDS / CDNSKEY RRsets. As the CDS / 465 CDNSKEY resource records are validated with DNSSEC, these mechanisms 466 can be unauthenticated (for example, a child could telephone its 467 parent and request that they process the new CDS or CDNSKEY resource 468 records or an unauthenticated POST could be made to a webserver (with 469 rate-limiting).) 471 Other documents can specify the trigger conditions. 473 6.2. Using the New CDS / CDNSKEY Records 475 Regardless of how the Parental Agent detected changes to a CDS / 476 CDNSKEY RRset, the Parental Agent SHOULD use a DNSSEC validator to 477 obtain a validated CDS / CDNSKEY RRset from the Child zone. The only 478 exception to this is if the parent perfoms some additional validation 479 on the data to confirm that it is the "correct" key. This behavior 480 is NOT RECOMMENDED. 482 The Parental Agent MUST ensure that previous versions of the CDS / 483 CDNSKEY RRset do not overwrite more recent versions. This MAY be 484 accomplished by checking that the signature inception in the RRSIG 485 for CDS / CDNSKEY RRset is later and/or the serial number on the 486 child's SOA is greater. This may require the Parental Agent to 487 maintain some state information. 489 The Parental Agent MAY take extra security measures. For example, to 490 mitigate the possibility that a Child's key signing key has been 491 compromised, the Parental Agent may, for example, inform (by email or 492 other methods ) the Child DNS Operator of the change. However the 493 precise out-of-band measures that a parent zone SHOULD take are 494 outside the scope of this document. 496 Once the Parental Agent has obtained a valid CDS / CDNSKEY RRset it 497 MUST check the publication rules from section 4.1. In particular the 498 Parental Agent MUST check the Continuity rule and do its best not to 499 invalidate the Child zone. Once checked and if the information in 500 the CDS / CDNSKEY and DS differ it may apply the changes to the 501 parent zone. If the parent consumes CDNSKEY, the parent should 502 calculate the DS before doing this comparison. 504 6.2.1. Parent Calculates DS 506 There are cases where the Parent wants to calculate the DS record due 507 to policy reasons. In this case, the Child publishes CDNSKEY records 508 and the parent calculates the DS records on behalf of the children. 510 When a Parent operates in "calculate DS" mode it can operate in one 511 of two sub-modes 513 full it only publishes DS records it calculates from DNSKEY records, 515 augment it will make sure there are DS records for the digest 516 algorithm(s) it requires(s). 518 In the case where the parent fetches the CDNSKEY RRset and calculate 519 the DS it MAY be the case that the DS published in the parent zone is 520 not identical with the data in the CDS resource record made available 521 by the child. 523 7. IANA Considerations 525 IANA has assigned RR Type code 59 for the CDS resource record. This 526 was done for an earlier version of this document[I-D.ds-publish] This 527 document is to become the reference for CDS RRtype. 529 IANA is requested to assign another RR Type for the CDNSKEY, and to 530 replace TBA1 with this value (currntly 60 is still free, it would be 531 nice if that were assigned...) 533 8. Privacy Considerations 535 All of the information handled / transmitted by this protocol is 536 public information published in the DNS. 538 9. Security Considerations 540 This work is for the normal case; when things go wrong there is only 541 so much that automation can fix. 543 If child breaks DNSSEC validation by removing all the DNSKEYs that 544 are represented in the DS set its only repair actions are to contact 545 the parent or restore the DNSKEYs in the DS set. 547 In the event of a compromise of the server or system generating 548 signatures for a zone, an attacker might be able to generate and 549 publish new CDS resource records. The modified CDS recourse records 550 will be picked up by this technique and so may allow the attacker to 551 extend the effective time of his attack. If there a delay in 552 accepting changes to DS, as in [RFC5011], then the attacker needs to 553 hope his activity is not detected before the DS in parent is changed. 554 If this type of change takes place, the child needs to contact the 555 parent (possibly via a registrar web interface) and remove any 556 compromised DS keys. 558 A compromise of the account with the parent (e.g. registrar) will not 559 be mitigated by this technique, as the "new registrant" can delete/ 560 modify the DS records at will. 562 While it may be tempting, this SHOULD NOT be used for initial 563 enrollment of keys since there is no way to ensure that the initial 564 key is the correct one. If is used, strict rules for inclusion of 565 keys such as hold down times, challenge data inclusion or similar, 566 ought to be used, along with some kind of challenge mechanism. A 567 child cannot use this mechanism to go from signed to unsigned 568 (publishing an empty CDS / CDNSKEY RRset means no-change should be 569 made in the parent). 571 The CDS RR type should allow for enhanced security by simplifying 572 process. Since key change is automated, updating a DS RRset by other 573 means may be regarded as unusual and subject to extra security 574 checks. 576 As this introduces a new mechanism to update information in the 577 parent it MUST be clear who is fetching the records and creating the 578 appropriate records in the parent zone. Specifically some operations 579 may use other mechanisms than what is described here. For example, a 580 registrar may assume that it is maintaining the DNSSEC key 581 information in the registry, and may have this cached. If the 582 registry is fetching the CDS / CDNSKEY RRset then the registry and 583 registrar may have different views of the DNSSEC key material and the 584 result of such a situation is unclear. Therefore, this mechanism 585 SHOULD NOT be use to bypass intermediaries that might cache 586 information and because of that get the wrong state. 588 If there is a failure in applying changes in child zone to all DNS 589 servers listed in either parent or child NS set it is possible that 590 the Parental agent may get confused, either because it gets different 591 answers on different checks or CDS RR validation fails. In the worst 592 case, the Parental Agent performs an action reversing a prior action 593 but after the child signing system decides to take the next step in 594 the key change process, resulting in a broken delegation. 596 DNS is a loosely coherent distributed database with local caching; 597 therefore, it is important to allow old information to expire from 598 caches before deleting DS or DNSKEY records. Similarly, it is 599 important to allow new records to propagate through the DNS before 600 use, see [RFC6781] and [I-D.key-time] 602 It is common practice for users to outsource their DNS hosting to a 603 3rd party DNS provider. In order for that provider to be able to 604 maintain the DNSSEC information some users give the provider their 605 registrar login credentials (which obviously has negative security 606 implications). Deploying the solution described in this document 607 allows the 3rd party DNS provider to maintain the DNSSEC information 608 without giving them the registrar credentials, thereby improving 609 security. 611 By automating the maintenance of the DNSSEC key information (and 612 removing humans from the process), we expect to decrease the number 613 of DNSSEC related outages, which should increase DNSSEC deployment. 615 10. Acknowledgements 617 We would like to thank a large number of folk, including: Mark 618 Andrews, Joe Abley, Jaap Akkerhuis, Roy Arends, Doug Barton, Brian 619 Dickinson, Paul Ebersman, Tony Finch, Jim Galvin, Paul Hoffman, Samir 620 Hussain, Tatuya Jinmei, Olaf Kolkman, Cricket Liu, Stephan Lagerholm, 621 Matt Larson, Marco Sanz, Antoin Verschuren, Suzanne Woolf, Paul 622 Wouters, John Dickinson, Timothe Litt and Edward Lewis. 624 Special thanks to Wes Hardaker for contributing significant text and 625 creating the complementary (CSYNC) solution, and to Patrik Faltstrom, 626 Paul Hoffman, Matthijs Mekking and Mukund Sivaraman for text and in- 627 depth review. 629 There were a number of other folk with whom we discussed this, 630 apologies for not remembering everyone. 632 11. References 634 11.1. Normative References 636 [RFC1035] Mockapetris, P., "Domain names - implementation and 637 specification", STD 13, RFC 1035, November 1987. 639 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 640 Requirement Levels", BCP 14, RFC 2119, March 1997. 642 [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. 643 Rose, "DNS Security Introduction and Requirements", RFC 644 4033, March 2005. 646 [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. 647 Rose, "Resource Records for the DNS Security Extensions", 648 RFC 4034, March 2005. 650 [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S. 651 Rose, "Protocol Modifications for the DNS Security 652 Extensions", RFC 4035, March 2005. 654 [RFC5011] StJohns, M., "Automated Updates of DNS Security (DNSSEC) 655 Trust Anchors", STD 74, RFC 5011, September 2007. 657 [RFC6781] Kolkman, O., Mekking, W., and R. Gieben, "DNSSEC 658 Operational Practices, Version 2", RFC 6781, December 659 2012. 661 11.2. Informative References 663 [I-D.auto-cpsync] 664 Mekking, W., "Automated (DNSSEC) Child Parent 665 Synchronization using DNS UPDATE", draft-mekking-dnsop- 666 auto-cpsync-01 (work in progress), December 2010. 668 [I-D.csync] 669 Hardaker, W., "Child To Parent Synchronization in DNS", 670 draft-hardaker-dnsop-csync-02 (work in progress), July 671 2013. 673 [I-D.ds-publish] 674 Barwood, G., "DNS Transport", draft-barwood-dnsop-ds- 675 publish-02 (work in progress), June 2011. 677 [I-D.key-time] 678 Mekking, W., "DNSSEC Key Timing Considerations", draft- 679 ietf-dnsop-dnssec-key-timing-03 (work in progress), July 680 2012. 682 [I-D.parent-zones] 683 Andrews, M., "Updating Parent Zones", draft-andrews-dnsop- 684 update-parent-zones-04 (work in progress), November 2013. 686 [RFC5730] Hollenbeck, S., "Extensible Provisioning Protocol (EPP)", 687 STD 69, RFC 5730, August 2009. 689 [RFC5910] Gould, J. and S. Hollenbeck, "Domain Name System (DNS) 690 Security Extensions Mapping for the Extensible 691 Provisioning Protocol (EPP)", RFC 5910, May 2010. 693 Appendix A. RRR background 695 In the RRR world, the different parties are frequently from different 696 organizations. In the single enterprise world there are also 697 organizational/geographical/cultural separations that affect how 698 information flows from a Child to the parent. 700 Due to the complexity of the different roles and interconnections, 701 automation of delegation information has not yet occured. There have 702 been proposals to automate this, in order to improve the reliability 703 of the DNS. These proposals have not gained enough traction to 704 become standards. 706 For example in many of the TLD cases there is the RRR model 707 (Registry, Registrar and Registrant). The Registry operates DNS for 708 the TLD, the Registrars accept registrations and place information 709 into the Registries database. The Registrant only communicates with 710 the Registrar; frequently the Registry is not allowed to communicate 711 with the Registrant. In that case as far as the registrant is 712 concerned the Registrar == Parent. 714 In many RRR cases the Registrar and Registry communicate via 715 EPP[RFC5730] and use the EPP DNSSEC extension [RFC5910]. In a number 716 of ccTLDs there are other mechanisms in use as well as EPP, but in 717 general there seems to be a movement towards EPP usage when DNSSEC is 718 enabled in the TLD. 720 Appendix B. Changes / Author Notes. 722 [RFC Editor: Please remove this section before publication ] 724 WG-07 to WG-08 726 o Incorporated text from Antoin Verschuren at the end of Section 6. 728 o Comments from Paul Hoffman and Tim W 730 WG-06 to WG-07 732 o Incorporated nits / editorial comments from Tim Wicinski. 734 o 736 * Reference for Mark's draft was incorrect, Wes Hardaker doesn't 737 work for ISC :-P 739 * Normalized CDS record / CDS resource record / records / etc. 741 * Language cleanup / nits / poor grammar. 743 * removed "punted" colloquialism. 745 WG-05 to WG-06 747 o Consensus (according to me!) was that mail thread said "Child MAY 748 remove the CDS record". Changed to accomodate. 750 o "The proposal below can operate with both models, but the child 751 needs to be aware of the parental policies." - removed "but the 752 child needs to be aware of the parental policies.". This is no 753 longer true, as we suggest publishing both CDS and CDSNKEY. 755 o Added: "without some additional out of band process" to "The Child 756 may not enroll the initial key or introduce a new key when there 757 are no old keys that can be used (without some additional, out of 758 band, validation of the keys), because there is no way to validate 759 the information." 761 o Added a bit to the IANA section, requesting that TBA1 be replaced 762 with the IANA allocated code. 764 o Removed" Some parents prefer to accept DNSSEC key information in 765 DS format, some parents prefer to accept it in DNSKEY format, and 766 calculate the DS record on the child's behalf. Each method has 767 pros and cons, both technical and policy. This solution is DS vs 768 DNSKEY agnostic, and allows operation with either." from Section 4 769 as it is covered in Section 2.2.1 771 o Remove a bunch of comments from the XML. I was getting tired of 772 scrolling past them. If the authors need them back, they are in 773 SVN commit 47. 775 WG-04 to WG-05 777 o More comments from Patrik, Paul and Ed. 779 o Many nits and fixes from Matthijs Mekking. 781 o Outstanding question: Should we remove the "Child SHOULD remove 782 the CDS record" text? Mail sent to list. 784 WG-03 to WG-04 786 o Large number of comments and changes from Patrik. 788 WG-02 to WG-03 790 o Fixed some references to RFC 5011 - from Samir Hussain. 792 o Fixed some spelling / typos - from Samir Hussain. 794 o A number of clarifiations on the meaning on an empty / non- 795 existant CDS RRset - thanks to JINMEI, Tatuya 797 o Be consistent in mentioning both CDS and CDNSKEY throughout the 798 document. 800 WG-01 to WG-02 802 o Many nits and suggestions from Mukund. 804 o Matthijs: " I still think that it is too strong that the Child DNS 805 Operator SHOULD/MUST delete the CDS RRset when the Parent DS is 806 "in-sync". This should be a MAY" 808 WG-00 to WG-01 810 o Addressed Vancouver: "Paul Hoffmann: NOT ready for WGLC. None of 811 the 2 documents explain why there is a split between the two 812 strategies." Thanks to Paul for providing text. 814 From -05 to WG-00: 816 o Nothing rchanged, resubmit under new name. 818 From 04 to 05 820 o Renamed the record back to CDS. 822 From 03 to 04. 824 o Added text explaining that CDS and CSYNC complement each other, 825 not replace or compete. 827 o Changed format of record to be to allow the 828 publication of DS **or** DNSKEY. 830 o Bunch of text changed to cover the above. 832 o Added a bit more text on the polling scaling stuff, expectation 833 that other triggers will be documented. 835 From 02 to 03 837 o Applied comments by Matthijs Mekking 839 o Incorporated suggestions from Edward Lewis about structure 841 o Reworked structure to be easier for implementors to follow 843 o Applied many suggestions from a wonderful thorough review by John 844 Dickinson 846 o Removed the going Unsigned option 848 From 01 to 02 850 o Major restructuring to facilitate easier discussion 851 o Lots of comments from DNSOP mailing list incorporated, including 852 making draft DNSKEY/DS neutral, explain different relationships 853 that exists, 855 o added more people to acks. 857 o added description of enterprise situations 859 o Unified on using Parental Agent over Parental Representative 861 o Removed redundant text when possible 863 o Added text to explain what can go wrong if not all child DNS 864 servers are in sync. 866 o Reference prior work by Matthijs Mekking 868 o Added text when parent calculates DS from DNSKEY 870 From - to -1. 872 o Removed from section .1: "If a child zone has gone unsigned, i.e. 873 no DNSKEY and no RRSIG in the zone, the parental representative 874 MAY treat that as intent to go unsigned. (NEEDS DISCUSSION)." 875 Added new text at end. -- suggestion by Scott Rose 20/Feb/13. 877 o Added some background on the different DNS Delegation operating 878 situations and how they affect interaction of parties. This moved 879 some blocks of text from later sections into here. 881 o Number of textual improvements from Stephan Lagerholm 883 o Added motivation why CDS is needed in CDS definition section 885 o Unified terminology in the document. 887 o Much more background 889 Authors' Addresses 891 Warren Kumari 892 Google 893 1600 Amphitheatre Parkway 894 Mountain View, CA 94043 895 US 897 Email: warren@kumari.net 898 Olafur Gudmundsson 899 Shinkuro Inc. 900 4922 Fairmont Av, Suite 250 901 Bethesda, MD 20814 902 USA 904 Email: ogud@ogud.com 906 George Barwood 907 33 Sandpiper Close 908 Gloucester GL2 4LZ 909 United Kingdom 911 Email: george.barwood@blueyonder.co.uk