idnits 2.17.00 (12 Aug 2021) /tmp/idnits7880/draft-ietf-dnsop-nsec-ttl-04.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- -- The draft header indicates that this document updates RFC8198, but the abstract doesn't seem to directly say this. It does mention RFC8198 though, so this could be OK. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year (Using the creation date from RFC4034, updated by this document, for RFC5378 checks: 2002-02-26) -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (18 February 2021) is 456 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) No issues found here. Summary: 0 errors (**), 0 flaws (~~), 1 warning (==), 3 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 dnsop P. van Dijk 3 Internet-Draft PowerDNS 4 Updates: 4034, 4035, 5155, 8198 (if approved) 18 February 2021 5 Intended status: Standards Track 6 Expires: 22 August 2021 8 NSEC and NSEC3 TTLs and NSEC Aggressive Use 9 draft-ietf-dnsop-nsec-ttl-04 11 Abstract 13 Due to a combination of unfortunate wording in earlier documents, 14 aggressive use of NSEC and NSEC3 records may deny names far beyond 15 the intended lifetime of a denial. This document changes the 16 definition of the NSEC and NSEC3 TTL to correct that situation. This 17 document updates RFC 4034, RFC 4035, RFC 5155, and RFC 8198. 19 Status of This Memo 21 This Internet-Draft is submitted in full conformance with the 22 provisions of BCP 78 and BCP 79. 24 Internet-Drafts are working documents of the Internet Engineering 25 Task Force (IETF). Note that other groups may also distribute 26 working documents as Internet-Drafts. The list of current Internet- 27 Drafts is at https://datatracker.ietf.org/drafts/current/. 29 Internet-Drafts are draft documents valid for a maximum of six months 30 and may be updated, replaced, or obsoleted by other documents at any 31 time. It is inappropriate to use Internet-Drafts as reference 32 material or to cite them other than as "work in progress." 34 This Internet-Draft will expire on 22 August 2021. 36 Copyright Notice 38 Copyright (c) 2021 IETF Trust and the persons identified as the 39 document authors. All rights reserved. 41 This document is subject to BCP 78 and the IETF Trust's Legal 42 Provisions Relating to IETF Documents (https://trustee.ietf.org/ 43 license-info) in effect on the date of publication of this document. 44 Please review these documents carefully, as they describe your rights 45 and restrictions with respect to this document. Code Components 46 extracted from this document must include Simplified BSD License text 47 as described in Section 4.e of the Trust Legal Provisions and are 48 provided without warranty as described in the Simplified BSD License. 50 Table of Contents 52 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 53 2. Conventions and Definitions . . . . . . . . . . . . . . . . . 4 54 3. NSEC and NSEC3 TTL changes . . . . . . . . . . . . . . . . . 4 55 3.1. Updates to RFC4034 . . . . . . . . . . . . . . . . . . . 4 56 3.2. Updates to RFC4035 . . . . . . . . . . . . . . . . . . . 5 57 3.3. Updates to RFC5155 . . . . . . . . . . . . . . . . . . . 5 58 3.4. Updates to RFC8198 . . . . . . . . . . . . . . . . . . . 6 59 4. Zone Operator Considerations . . . . . . . . . . . . . . . . 6 60 4.1. A Note On Wildcards . . . . . . . . . . . . . . . . . . . 6 61 5. Security Considerations . . . . . . . . . . . . . . . . . . . 6 62 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 63 7. Normative References . . . . . . . . . . . . . . . . . . . . 7 64 8. Informative References . . . . . . . . . . . . . . . . . . . 7 65 Appendix A. Implementation Status . . . . . . . . . . . . . . . 7 66 Appendix B. Document history . . . . . . . . . . . . . . . . . . 8 67 Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 9 68 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 10 70 1. Introduction 72 [RFC editor: please remove this block before publication. 74 Earlier notes on this: 76 * https://indico.dns-oarc.net/event/29/sessions/98/#20181013 77 (https://indico.dns-oarc.net/event/29/sessions/98/#20181013) 79 * https://lists.dns-oarc.net/pipermail/dns-operations/2018-April/ 80 thread.html#17420 (https://lists.dns-oarc.net/pipermail/dns- 81 operations/2018-April/thread.html#17420) 83 * https://lists.dns-oarc.net/pipermail/dns- 84 operations/2018-March/017416.html (https://lists.dns- 85 oarc.net/pipermail/dns-operations/2018-March/017416.html) 87 This document lives on GitHub (https://github.com/PowerDNS/draft- 88 dnsop-nsec-ttl); proposed text and editorial changes are very much 89 welcomed there, but any functional changes should always first be 90 discussed on the IETF DNSOP WG mailing list. 92 ] 94 [RFC2308] defines the TTL of the SOA record that must be returned in 95 negative answers (NXDOMAIN or NODATA): 97 | The TTL of this record is set from the minimum of the MINIMUM 98 | field of the SOA record and the TTL of the SOA itself, and 99 | indicates how long a resolver may cache the negative answer. 101 Thus, if the TTL of the SOA in the zone is lower than the SOA MINIMUM 102 value (the last number in the SOA record), the authoritative server 103 sends that lower value as the TTL of the returned SOA record. The 104 resolver always uses the TTL of the returned SOA record when setting 105 the negative TTL in its cache. 107 However, [RFC4034] section 4 has this unfortunate text: 109 | The NSEC RR SHOULD have the same TTL value as the SOA minimum TTL 110 | field. This is in the spirit of negative caching ([RFC2308]). 112 This text, while referring to RFC2308, can cause NSEC records to have 113 much higher TTLs than the appropriate negative TTL for a zone. 114 [RFC5155] contains equivalent text. 116 [RFC8198] section 5.4 tries to correct this: 118 | Section 5 of [RFC2308] also states that a negative cache entry TTL 119 | is taken from the minimum of the SOA.MINIMUM field and SOA's TTL. 120 | This can be less than the TTL of an NSEC or NSEC3 record, since 121 | their TTL is equal to the SOA.MINIMUM field (see [RFC4035], 122 | Section 2.3 and [RFC5155], Section 3). 123 | 124 | A resolver that supports aggressive use of NSEC and NSEC3 SHOULD 125 | reduce the TTL of NSEC and NSEC3 records to match the SOA.MINIMUM 126 | field in the authority section of a negative response, if 127 | SOA.MINIMUM is smaller. 129 But the NSEC and NSEC3 RRs should, according to RFC4034 and RFC5155, 130 already be at the value of the MINIMUM field in the SOA. Thus, the 131 advice from RFC8198 would not actually change the TTL used for the 132 NSEC and NSEC3 RRs for authoritative servers that follow the RFCs. 134 As a theoretical exercise, consider a TLD named ".example" with a SOA 135 record like this: 137 "example. 900 IN SOA primary.example. hostmaster.example. 1 1800 900 138 604800 86400" 139 The SOA record has a 900 second TTL, and a 86400 MINIMUM TTL. 140 Negative responses from this zone have a 900 second TTL, but the NSEC 141 or NSEC3 records in those negative responses have a 86400 TTL. If a 142 resolver were to use those NSEC or NSEC3 records aggressively, they 143 would be considered valid for a day, instead of the intended 15 144 minutes. 146 2. Conventions and Definitions 148 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 149 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 150 "OPTIONAL" in this document are to be interpreted as described in BCP 151 14 [RFC2119] [RFC8174] when, and only when, they appear in all 152 capitals, as shown here. 154 3. NSEC and NSEC3 TTL changes 156 The existing texts in [RFC4034], [RFC4035], and [RFC5155] use the 157 SHOULD requirement level, but they were written when [RFC4035] still 158 said 'However, it seems prudent for resolvers to avoid blocking new 159 authoritative data or synthesizing new data on their own'. [RFC8198] 160 updated that text to contain 'DNSSEC-enabled validating resolvers 161 SHOULD use wildcards and NSEC/NSEC3 resource records to generate 162 positive and negative responses until the effective TTLs or 163 signatures for those records expire'. This means that correctness of 164 NSEC and NSEC3 records, and their TTLs, has become much more 165 important. Because of that, the updates in this document upgrade the 166 requirement level to MUST. 168 3.1. Updates to RFC4034 170 Where [RFC4034] says: 172 | The NSEC RR SHOULD have the same TTL value as the SOA minimum TTL 173 | field. This is in the spirit of negative caching ([RFC2308]). 175 This is updated to say: 177 | The TTL of the NSEC RR that is returned MUST be the lesser of the 178 | MINIMUM field of the SOA record and the TTL of the SOA itself. 179 | This matches the definition of the TTL for negative responses in 180 | [RFC2308]. A signer MAY cause the TTL of the NSEC RR to have a 181 | deviating value after the SOA record has been updated, to allow 182 | for an incremental update of the NSEC chain. 184 3.2. Updates to RFC4035 186 Where [RFC4035] says: 188 | The TTL value for any NSEC RR SHOULD be the same as the minimum 189 | TTL value field in the zone SOA RR. 191 This is updated to say: 193 | The TTL of the NSEC RR that is returned MUST be the lesser of the 194 | MINIMUM field of the SOA record and the TTL of the SOA itself. 195 | This matches the definition of the TTL for negative responses in 196 | [RFC2308]. A signer MAY cause the TTL of the NSEC RR to have a 197 | deviating value after the SOA record has been updated, to allow 198 | for an incremental update of the NSEC chain. 200 3.3. Updates to RFC5155 202 Where [RFC5155] says: 204 | The NSEC3 RR SHOULD have the same TTL value as the SOA minimum TTL 205 | field. This is in the spirit of negative caching [RFC2308]. 207 This is updated to say: 209 | The TTL of the NSEC3 RR that is returned MUST be the lesser of the 210 | MINIMUM field of the SOA record and the TTL of the SOA itself. 211 | This matches the definition of the TTL for negative responses in 212 | [RFC2308]. A signer MAY cause the TTL of the NSEC RR to have a 213 | deviating value after the SOA record has been updated, to allow 214 | for an incremental update of the NSEC chain. 216 Where [RFC5155] says: 218 | o The TTL value for any NSEC3 RR SHOULD be the same as the minimum 219 | TTL value field in the zone SOA RR. 221 This is updated to say: 223 | o The TTL value for each NSEC3 RR MUST be the lesser of the 224 | MINIMUM field of the zone SOA RR and the TTL of the zone SOA RR 225 | itself. A signer MAY cause the TTL of the NSEC RR to have a 226 | deviating value after the SOA record has been updated, to allow 227 | for an incremental update of the NSEC chain. 229 3.4. Updates to RFC8198 231 [RFC8198] section 5.4 (Consideration on TTL) is completely replaced 232 by the following text: 234 | The TTL value of negative information is especially important, 235 | because newly added domain names cannot be used while the negative 236 | information is effective. 237 | 238 | Section 5 of [RFC2308] suggests a maximum default negative cache 239 | TTL value of 3 hours (10800). It is RECOMMENDED that validating 240 | resolvers limit the maximum effective TTL value of negative 241 | responses (NSEC/NSEC3 RRs) to this same value. 242 | 243 | A resolver that supports aggressive use of NSEC and NSEC3 MAY 244 | limit the TTL of NSEC and NSEC3 records to the lesser of the 245 | SOA.MINIMUM field and the TTL of the SOA in a response, if 246 | present. It MAY also use a previously cached SOA for a zone to 247 | find these values. 249 (The third paragraph of the original is removed, and the fourth 250 paragraph is updated to allow resolvers to also take the lesser of 251 the SOA TTL and SOA MINIMUM.) 253 4. Zone Operator Considerations 255 If signers & DNS servers for a zone cannot immediately be updated to 256 conform to this document, zone operators are encouraged to consider 257 setting their SOA record TTL and the SOA MINIMUM field to the same 258 value. That way, the TTL used for aggressive NSEC and NSEC3 use 259 matches the SOA TTL for negative responses. 261 4.1. A Note On Wildcards 263 Validating resolvers consider an expanded wildcard valid for the 264 wildcard's TTL, capped by the TTLs of the NSEC and NSEC3 proof that 265 shows that the wildcard expansion is legal. Thus, changing the TTL 266 of NSEC or NSEC3 records (explicitly, or by implementation of this 267 document, implicitly) might affect (shorten) the lifetime of 268 wildcards. 270 5. Security Considerations 272 An attacker can prevent future records from appearing in a cache by 273 seeding the cache with queries that cause NSEC or NSEC3 responses to 274 be cached, for aggressive use purposes. This document reduces the 275 impact of that attack in cases where the NSEC or NSEC3 TTL is higher 276 than the zone operator intended. 278 6. IANA Considerations 280 IANA is requested to add a reference to this document in the 281 "Resource Record (RR) TYPEs" subregistry of the "Domain Name System 282 (DNS) Parameters" registry, for the NSEC and NSEC3 types. 284 7. Normative References 286 [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S. 287 Rose, "Protocol Modifications for the DNS Security 288 Extensions", RFC 4035, DOI 10.17487/RFC4035, March 2005, 289 . 291 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 292 Requirement Levels", BCP 14, RFC 2119, 293 DOI 10.17487/RFC2119, March 1997, 294 . 296 [RFC2308] Andrews, M., "Negative Caching of DNS Queries (DNS 297 NCACHE)", RFC 2308, DOI 10.17487/RFC2308, March 1998, 298 . 300 [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. 301 Rose, "Resource Records for the DNS Security Extensions", 302 RFC 4034, DOI 10.17487/RFC4034, March 2005, 303 . 305 [RFC5155] Laurie, B., Sisson, G., Arends, R., and D. Blacka, "DNS 306 Security (DNSSEC) Hashed Authenticated Denial of 307 Existence", RFC 5155, DOI 10.17487/RFC5155, March 2008, 308 . 310 [RFC8198] Fujiwara, K., Kato, A., and W. Kumari, "Aggressive Use of 311 DNSSEC-Validated Cache", RFC 8198, DOI 10.17487/RFC8198, 312 July 2017, . 314 8. Informative References 316 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 317 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 318 May 2017, . 320 Appendix A. Implementation Status 322 [RFC Editor: please remove this section before publication] 323 Implemented in PowerDNS Authoritative Server 4.3.0 324 https://doc.powerdns.com/authoritative/dnssec/ 325 operational.html?highlight=ttl#some-notes-on-ttl-usage 326 (https://doc.powerdns.com/authoritative/dnssec/ 327 operational.html?highlight=ttl#some-notes-on-ttl-usage) . 329 Implemented in BIND 9.16 and up, to be released early 2021 330 https://mailarchive.ietf.org/arch/msg/dnsop/ga41J2PPUbmc21-- 331 dqf3i7_IY6M (https://mailarchive.ietf.org/arch/msg/dnsop/ 332 ga41J2PPUbmc21--dqf3i7_IY6M) https://gitlab.isc.org/isc-projects/ 333 bind9/-/merge_requests/4506 (https://gitlab.isc.org/isc-projects/ 334 bind9/-/merge_requests/4506) . 336 Implemented in Knot DNS 3.1, to be released in 2021 337 https://gitlab.nic.cz/knot/knot-dns/-/merge_requests/1219 338 (https://gitlab.nic.cz/knot/knot-dns/-/merge_requests/1219) . 340 Implemented in ldns, patch under review 341 https://github.com/NLnetLabs/ldns/pull/118 342 (https://github.com/NLnetLabs/ldns/pull/118) 344 Implementation status is tracked at 345 https://trac.ietf.org/trac/dnsop/wiki/draft-ietf-dnsop-nsec-ttl 346 (https://trac.ietf.org/trac/dnsop/wiki/draft-ietf-dnsop-nsec-ttl) 348 Appendix B. Document history 350 [RFC editor: please remove this section before publication.] 352 From draft-vandijk-dnsop-nsec-ttl-00 to draft-ietf-dnsop-nsec-ttl-00: 354 * document was adopted 356 * various minor editorial changes 358 * now also updates 4035 360 * use .example instead of .com for the example 362 * more words on 8198 364 * a note on wildcards 366 From draft-ietf-dnsop-nsec-ttl-00 to draft-ietf-dnsop-nsec-ttl-01: 368 * various wording improvements 369 * added Implementation note from Knot, expanded the BIND one with 370 the GitLab MR URL 372 * reduced requirement level from MUST to SHOULD, like the original 373 texts 375 From draft-ietf-dnsop-nsec-ttl-01 to draft-ietf-dnsop-nsec-ttl-02: 377 * updated the second bit of wrong text in 5155 379 From draft-ietf-dnsop-nsec-ttl-02 to draft-ietf-dnsop-nsec-ttl-03: 381 * document now updates resolver behaviour in 8198 383 * lots of extra text to clarify what behaviour goes where (thanks 384 Paul Hoffman) 386 * replace 'any' with 'each' (thanks Duane) 388 * upgraded requirement level to MUST, plus a note on incremental 389 signers 391 From draft-ietf-dnsop-nsec-ttl-03 to draft-ietf-dnsop-nsec-ttl-04: 393 * the 'incremental signer exception' is now part of all relevant 394 document updates 396 * added an explanation for the upgraded requirement level 398 Acknowledgements 400 This document was made possible with the help of the following 401 people: 403 * Ralph Dolmans 405 * Warren Kumari 407 * Matthijs Mekking 409 * Vladimir Cunat 411 * Matt Nordhoff 413 * Josh Soref 415 * Tim Wicinski 416 The author would like to explicitly thank Paul Hoffman for extensive 417 reviews, text contributions, and help in navigating WG comments. 419 Author's Address 421 Peter van Dijk 422 PowerDNS 423 Den Haag 424 Netherlands 426 Email: peter.van.dijk@powerdns.com