-
Notifications
You must be signed in to change notification settings - Fork 4
/
draft-ietf-dnsop-dnssec-bootstrapping-06.txt
952 lines (623 loc) · 34.2 KB
/
draft-ietf-dnsop-dnssec-bootstrapping-06.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
DNSOP Working Group P. Thomassen
Internet-Draft deSEC, Secure Systems Engineering
Updates: 7344, 8078 (if approved) N. Wisiol
Intended status: Standards Track deSEC, Technische Universität Berlin
Expires: 4 April 2024 2 October 2023
Automatic DNSSEC Bootstrapping using Authenticated Signals from the
Zone's Operator
draft-ietf-dnsop-dnssec-bootstrapping-06
Abstract
This document introduces an in-band method for DNS operators to
publish arbitrary information about the zones they are authoritative
for, in an authenticated fashion and on a per-zone basis. The
mechanism allows managed DNS operators to securely announce DNSSEC
key parameters for zones under their management, including for zones
that are not currently securely delegated.
Whenever DS records are absent for a zone's delegation, this signal
enables the parent's registry or registrar to cryptographically
validate the CDS/CDNSKEY records found at the child's apex. The
parent can then provision DS records for the delegation without
resorting to out-of-band validation or weaker types of cross-checks
such as "Accept after Delay".
This document deprecates the DS enrollment methods described in
Section 3 of RFC 8078 in favor of Section 4 of this document, and
also updates RFC 7344.
[ Ed note: This document is being collaborated on at
https://github.com/desec-io/draft-ietf-dnsop-dnssec-bootstrapping/
(https://github.com/desec-io/draft-ietf-dnsop-dnssec-bootstrapping/).
The authors gratefully accept pull requests. ]
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Thomassen & Wisiol Expires 4 April 2024 [Page 1]
Internet-Draft dnssec-bootstrapping October 2023
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on 4 April 2024.
Copyright Notice
Copyright (c) 2023 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components
extracted from this document must include Revised BSD License text as
described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Revised BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4
1.2. Requirements Notation . . . . . . . . . . . . . . . . . . 5
2. Updates to RFCs . . . . . . . . . . . . . . . . . . . . . . . 5
3. Signaling . . . . . . . . . . . . . . . . . . . . . . . . . . 5
3.1. Chain of Trust . . . . . . . . . . . . . . . . . . . . . 5
3.2. Signaling Names . . . . . . . . . . . . . . . . . . . . . 6
4. Bootstrapping a DNSSEC Delegation . . . . . . . . . . . . . . 6
4.1. Signaling Consent to Act as the Child's Signer . . . . . 6
4.1.1. Example . . . . . . . . . . . . . . . . . . . . . . . 7
4.2. Validating CDS/CDNSKEY Records for DNSSEC
Bootstrapping . . . . . . . . . . . . . . . . . . . . . . 7
4.2.1. Example . . . . . . . . . . . . . . . . . . . . . . . 8
4.3. Triggers . . . . . . . . . . . . . . . . . . . . . . . . 9
4.4. Limitations . . . . . . . . . . . . . . . . . . . . . . . 10
5. Operational Recommendations . . . . . . . . . . . . . . . . . 10
5.1. Child DNS Operator . . . . . . . . . . . . . . . . . . . 10
5.2. Parental Agent . . . . . . . . . . . . . . . . . . . . . 10
6. Security Considerations . . . . . . . . . . . . . . . . . . . 11
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11
8. Implementation Status . . . . . . . . . . . . . . . . . . . . 11
8.1. Child DNS Operator-side . . . . . . . . . . . . . . . . . 12
8.2. Parental Agent-side . . . . . . . . . . . . . . . . . . . 12
9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 13
10. Normative References . . . . . . . . . . . . . . . . . . . . 13
Thomassen & Wisiol Expires 4 April 2024 [Page 2]
Internet-Draft dnssec-bootstrapping October 2023
11. Informative References . . . . . . . . . . . . . . . . . . . 14
Appendix A. Change History (to be removed before publication) . 14
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 17
1. Introduction
Securing a DNS delegation for the first time requires that the
Child's DNSSEC parameters be conveyed to the Parent through some
trusted channel. While the communication conceptually has to occur
between the Parent registry and the DNSSEC key holder, what exactly
that means and how the communication is coordinated traditionally
depends on the relationship the Child has with the Parent.
A typical situation is that the key is held by the Child DNS
Operator; the communication thus often involes this entity. In
addition, depending on the circumstances, it may also involve the
Registrar, possibly via the Registrant (for details, see [RFC7344],
Appendix A).
As observed in [RFC7344], these dependencies often result in a manual
process that is susceptible to mistakes and/or errors. In addition,
due to the annoyance factor of the process, involved parties may
avoid the process of getting a DS record set published in the first
place.
To alleviate these problems, automated provisioning of DS records has
been specified in ([RFC8078]). It is based on the Parental Agent
(registry or registrar) fetching DNSSEC key parameters from the CDS
and CDNSKEY records ([RFC7344]) located at the Child zone's apex, and
validating them somehow. This validation can be done using the
Child's existing DNSSEC chain of trust if the objective is to update
an existing DS record set (such as during key rollover). However,
when bootstrapping a DNSSEC delegation, the Child zone has no
existing DNSSEC validation path, and other means to ensure the CDS/
CDNSKEY records' legitimacy must be found.
For lack of a comprehensive DNS-innate solution, either out-of-band
methods have been used so far to complete the chain of trust, or
cryptographic validation has been entirely dispensed with, in
exchange for weaker types of cross-checks such as "Accept after
Delay" ([RFC8078] Section 3.3). [RFC8078] does not define an in-band
validation method for enabling DNSSEC.
This document aims to close this gap by introducing an in-band method
for DNS Operators to publish arbitrary information about the zones
they are authoritative for, in an authenticated manner and on a per-
zone basis. The mechanism allows managed DNS Operators to securely
announce DNSSEC key parameters for zones under their management. The
Thomassen & Wisiol Expires 4 April 2024 [Page 3]
Internet-Draft dnssec-bootstrapping October 2023
Parent can then use this signal to cryptographically validate the
CDS/CDNSKEY records found at an insecure Child zone's apex, and upon
success secure the delegation.
While applicable to the vast majority of domains, the protocol does
not support certain edge cases, such as excessively long Child zone
names, or DNSSEC bootstrapping for domains with in-bailick
nameservers only (see Section 4.4).
DNSSEC bootstrapping is just one application of the generic signaling
mechanism specified in this document. Other applications might arise
in the future, such as publication of API endpoints for third-party
interaction with the DNS Operator or of other operational metadata
which the DNS Operator likes to publish.
Readers are expected to be familiar with DNSSEC, including [RFC4033],
[RFC4034], [RFC4035], [RFC6781], [RFC7344], and [RFC8078].
1.1. Terminology
This section defines the terminology used in this document.
CDS/CDNSKEY This notation refers to CDS and/or CDNSKEY, i.e., one or
both.
Child see [RFC8499] Section 7
Child DNS Operator The entity that maintains and publishes the zone
information for the Child DNS.
Parent see [RFC8499] Section 7
Parental Agent The entity that has the authority to insert DS
records into the Parent zone on behalf of the Child. (It could be
the registry, registrar, a reseller, or some other authorized
entity.)
Signaling Domain A hostname from the Child's NS record set, prefixed
with the label _signal. There are as many Signaling Domains as
there are distinct NS targets.
Signaling Name The labels that are prefixed to a Signaling Domain in
order to identify a Signaling Type and a Child zone's name (see
Section 3.2).
Signaling Record A DNS record located at a Signaling Name under a
Signaling Domain. Signaling Records are used by the Child DNS
Operator to publish information about the Child.
Thomassen & Wisiol Expires 4 April 2024 [Page 4]
Internet-Draft dnssec-bootstrapping October 2023
Signaling Type A signal type identifier, such as _dsboot for DNSSEC
bootstrapping.
Signaling Zone The zone which is authoritative for a given Signaling
Record.
1.2. Requirements Notation
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
2. Updates to RFCs
The DS enrollment methods described in Section 3 of [RFC8078] are
deprecated and SHOULD NOT be used. Child DNS Operators and Parental
Agents who wish to use CDS/CDNSKEY records for initial DS enrollment
SHOULD instead support the authentication protocol described in
Section 4 of this document.
In order to facilitate publication of signaling records for the
purpose of DNSSEC bootstrapping (see Section 4.1), the first bullet
("Location") of [RFC7344] Section 4.1 is removed.
3. Signaling
This section describes the general mechanism by which a Child DNS
Operator can publish an authenticated signal about a Child zone.
Parental Agents (or any other party) can then discover and process
the signal. Authenticity is ensured through standard DNSSEC
validation.
3.1. Chain of Trust
If a Child DNS Operator implements the protocol, each Signaling Zone
MUST be signed and be validatable by the Parental Agent (i.e. have a
valid DNSSEC chain of trust). This is typically achieved by securely
delegating each Signaling Zone.
For example, when publishing a signal that relates to a Child zone
with NS records ns1.example.net and ns2.example.org, the Child DNS
Operator needs to ensure that the Parental Agent has a valid DNSSEC
chain of trust for the zone(s) that are authoritative for the
Signaling Domains _signal.ns1.example.net and
_signal.ns2.example.org.
Thomassen & Wisiol Expires 4 April 2024 [Page 5]
Internet-Draft dnssec-bootstrapping October 2023
3.2. Signaling Names
To publish a piece of information about the Child zone in an
authenticated fashion, the Child DNS Operator MUST publish one or
more Signaling Records at a Signaling Name under each Signaling
Domain.
Signaling Records MUST be accompanied by RRSIG records created with
the corresponding Signaling Zone's key(s). The type and contents of
these Signaling Records depend on the type of signal.
The Signaling Name identifies the Child and the Signaling Type. It
is identical to the Child name (with the final root label removed),
prefixed with a label containing the Signaling Type.
4. Bootstrapping a DNSSEC Delegation
When the Child zone's CDS/CDNSKEY RRsets are used for setting up
initial trust, they need to be authenticated. This is achieved by
co-publishing the Child's CDS/CDNSKEY records as an authenticated
signal as described in Section 3. The Parent can discover and
validate it, thus transferring trust from the Child DNS Operator
nameservers' chain of trust to the Child zone.
This protocol is not intended for updating an existing DS RRset. For
this purpose, the Parental Agent can validate the Child's CDS/CDNSKEY
records directly, using the chain of trust established by the
existing DS RRset ([RFC7344] Section 4).
4.1. Signaling Consent to Act as the Child's Signer
To confirm its willingness to act as the Child's delegated signer and
authenticate the Child's CDS/CDNSKEY RRsets, the Child DNS Operator
MUST co-publish them at the corresponding Signaling Name under each
out-of-bailiwick Signaling Domain (Section 3.2). For simplicity, the
Child DNS Operator MAY also co-publish the Child's CDS/CDNSKEY RRsets
under Signaling Domains that are in bailiwick, although those
Signaling Domains are not used for validation (Section 4.2).
Unlike the CDS/CDNSKEY records at the Child's apex, Signaling Records
MUST be signed with the corresponding Signaling Zone's key(s). Their
contents MUST be identical to the corresponding records published at
the Child's apex.
Thomassen & Wisiol Expires 4 April 2024 [Page 6]
Internet-Draft dnssec-bootstrapping October 2023
Existing use of CDS/CDNSKEY records was specified at the Child apex
only ([RFC7344], Section 4.1). This protocol extends the use of
these record types to non-apex owner names for the purpose of DNSSEC
bootstrapping. To exclude the possibility of semantic collision,
there MUST NOT be a zone cut at a Signaling Name.
4.1.1. Example
For the purposes of bootstrapping the Child zone example.co.uk with
NS records ns1.example.net, ns2.example.org, and ns3.example.co.uk,
the required Signaling Domains are _signal.ns1.example.net and
_signal.ns2.example.org.
In the zones containing these domains, the Child DNS Operator
authenticates the CDS/CDNSKEY records found at the Child's apex by
co-publishing them at the names:
_dsboot.example.co.uk._signal.ns1.example.net
_dsboot.example.co.uk._signal.ns2.example.org
The records are accompanied by RRSIG records created using the key(s)
of the respective Signaling Zone.
Publication of Signaling Records under the in-bailiwick domain
_signal.ns3.example.co.uk is not required.
4.2. Validating CDS/CDNSKEY Records for DNSSEC Bootstrapping
To validate a Child's CDS/CDNSKEY RRset for DNSSEC bootstrapping, the
Parental Agent, knowing both the Child zone name and its NS
hostnames, MUST execute the following steps:
1. verify that the Child is not currently securely delegated and
that at least one of its nameservers is out of bailiwick;
2. query the CDS/CDNSKEY records at the Child zone apex directly
from each of the authoritative servers as determined by the
delegation's NS record set (without caching);
3. query the CDS/CDNSKEY records located at the Signaling Name under
each out-of-bailiwick Signaling Domain using a trusted DNS
resolver and enforce DNSSEC validation;
4. check (separately by record type) that all record sets retrieved
in Steps 2 and 3 have equal contents;
Thomassen & Wisiol Expires 4 April 2024 [Page 7]
Internet-Draft dnssec-bootstrapping October 2023
If the above steps succeed without error, the CDS/CDNSKEY records are
successfully validated, and the Parental Agent can proceed with the
publication of the DS record set under the precautions described in
[RFC8078], Section 5.
If, however, an error condition occurs, in particular:
* in Step 1: the Child is already securely delegated or has in-
bailiwick nameservers only;
* in Step 2: any failure during the retrieval of the CDS/CDNSKEY
records located at the Child apex from any of the authoritative
nameservers;
* in Step 3: any failure to retrieve the CDS/CDNSKEY RRsets located
at the Signaling Name under any Signaling Domain, including
failure of DNSSEC validation, or unauthenticated data (AD bit not
set);
* in Step 4: inconsistent responses (for at least one of the types),
including a record set that is empty in one of Steps 2 or 3, but
non-empty in the other;
the Parental Agent MUST abort the procedure.
4.2.1. Example
To verify the CDS/CDNSKEY records for the Child example.co.uk, the
Parental Agent (assuming that the Child delegation's NS records are
ns1.example.net, ns2.example.org, and ns3.example.co.uk)
1. checks that the Child domain is not yet securely delegated;
2. queries CDS/CDNSKEY records for example.co.uk directly from
ns1.example.net, ns2.example.org, and ns3.example.co.uk (without
caching);
3. queries and validates the CDS/CDNSKEY records located at (see
Section 3.2; ns3.example.co.uk is ignored because it is in
bailiwick)
_dsboot.example.co.uk._signal.ns1.example.net
_dsboot.example.co.uk._signal.ns2.example.org
4. checks that the CDS/CDNSKEY record sets retrieved in Steps 2 and
3 agree across responses.
Thomassen & Wisiol Expires 4 April 2024 [Page 8]
Internet-Draft dnssec-bootstrapping October 2023
If all these steps succeed, the Parental Agent can proceed to publish
a DS record set as indicated by the validated CDS/CDNSKEY records.
The Parental Agent does not use in-bailiwick Signaling Names during
validation because they cannot have a pre-established chain of trust
at bootstrapping time, so are not useful for bootstrapping.
Consequently, if all NS hostnames are in bailiwick, validation cannot
be completed, and DS records are not published.
4.3. Triggers
Parental Agents SHOULD trigger the procedure described in Section 4.2
once one of the following conditions is fulfilled:
* The Parental Agent receives a new or updated NS record set for a
Child;
* The Parental Agent encounters a Signaling Record during a
proactive, opportunistic scan (e.g. daily queries of Signaling
Records for some or all of its delegations);
* The Parental Agent encounters a Signaling Record during an NSEC
walk or when parsing a Signaling Zone (e.g. when made available
via AXFR by the Child DNS Operator);
* Any other condition as deemed appropriate by local policy.
Most types of discovery (such as daily scans of delegations) are
based directly on the delegation's NS record set. In this case,
these NS names can be used as is by the bootstrapping algorithm
(Section 4.2) for querying Signaling Records.
Some discovery methods, however, do not imply reliable knowledge of
the Child's NS record set. For example, when discovering Signaling
Names by performing an NSEC walk or zone transfer of a Signaling
Zone, the Parental Agent MUST NOT assume that the nameserver(s) under
whose Signaling Domain(s) a Signaling Name appears is in fact
authoritative for the corresponding Child.
In this case (and in other cases alike where some list of
"bootstrappable domains" is retrieved from elsewhere), the Parental
Agent MUST ascertain that the Child's delegation actually contains
the nameserver hostname seen during discovery, and ensure that
Signaling Record queries are only made against the proper set of
nameservers as listed in the Child's delegation from the Parent.
Thomassen & Wisiol Expires 4 April 2024 [Page 9]
Internet-Draft dnssec-bootstrapping October 2023
4.4. Limitations
As a consequence of Step 3 in Section 4.2, DS bootstrapping does not
work for fully in-bailiwick delegations, as no pre-existing chain of
trust to the Child domain is available during bootstrapping. (As a
workaround, one can add an out-of-bailiwick nameserver to the initial
NS record set and remove it once bootstrapping is completed.
Automation for this is available via CSYNC records, see [RFC7477].)
The protocol is further restricted by the fact that the fully
qualified Signaling Names fit within the general limits that apply to
DNS names (such as their length and label count).
5. Operational Recommendations
5.1. Child DNS Operator
CDS/CDNSKEY records and corresponding signaling records MUST NOT be
published without the zone owner's consent. Likewise, the Child DNS
Operator MUST enable the zone owner to signal the desire to turn off
DNSSEC by publication of the special-value CDS/CDNSKEY RRset
specified in [RFC8078] Section 4. To facilitate transitions between
DNS operators, Child DNS Operators SHOULD support the multi-signer
protocols described in [RFC8901].
Signaling Domains SHOULD be delegated as zones of their own, so that
the Signaling Zone's apex coincides with the Signaling Domain (such
as _signal.ns1.example.net). While it is permissible for the
Signaling Domain to be contained in a Signaling Zone of fewer labels
(such as example.net), a zone cut ensures that bootstrapping
activities do not require modifications of the zone containing the
nameserver hostname.
To keep the size of the Signaling Zones minimal and bulk processing
efficient (such as via zone transfers), Child DNS Operators SHOULD
remove Signaling Records which are found to have been acted upon.
5.2. Parental Agent
It is RECOMMENDED to perform queries within Signaling Domains
(Section 4.2) with an (initially) cold resolver cache or to limit the
TTL of cached records to the interval between scans, as to retrieve
the most current information regardless of TTL. (When a batch job is
used to attempt bootstrapping for a large number of delegations, the
cache does not need to get cleared in between queries pertaining to
different Children.)
Thomassen & Wisiol Expires 4 April 2024 [Page 10]
Internet-Draft dnssec-bootstrapping October 2023
6. Security Considerations
The DNSSEC bootstrapping method introduced in this document is based
on the (now deprecated) approaches described in [RFC8078] Section 3,
but adds authentication to the CDS/CDNSKEY concept. Its security
level is therefore strictly higher than that of existing approaches
described in that document (e.g. "Accept after Delay"). Apart from
this general improvement, the same Security Considerations apply as
in [RFC8078].
The level of rigor in Section 4.2 is needed to prevent publication of
a half-baked DS RRset (authorized only under a subset of NS
hostnames). This ensures, for example, that an operator in a multi-
homed setup cannot enable DNSSEC unless all other operators agree.
Because the parents of a Signaling Domain (such as the corresponding
TLD registry) are in control of its chain of trust, they are also
able to undermine the signal's authenticity. To mitigate this risk,
it is RECOMMENDED to increase the effort required to collude for
taking control of all Signaling Domains, by diversifying the path
from the root to each nameserver. This is best achieved by using
different and independently operated TLDs for each one. (TLD-
independent NS hostnames are advisable anyways in DNS operations, in
order to prevent the TLD from becoming a single point of failure.)
Furthermore, as the Child DNS Operator has authoritative knowledge of
the Child's CDS/CDNSKEY records, it can readily detect fraudulent
provisioning of DS records.
7. IANA Considerations
Per [RFC8552], IANA is requested to add the following entries to the
"Underscored and Globally Scoped DNS Node Names" registry:
+---------+------------+-----------------------------------------+
| RR Type | _NODE NAME | Reference |
+---------+------------+-----------------------------------------+
| CDS | _signal | [draft-ietf-dnsop-dnssec-bootstrapping] |
| CDNSKEY | _signal | [draft-ietf-dnsop-dnssec-bootstrapping] |
+---------+------------+-----------------------------------------+
8. Implementation Status
*Note to the RFC Editor*: please remove this entire section before
publication.
In addition to the information in this section, deployment is tracked
by the community at https://github.com/oskar456/cds-updates
(https://github.com/oskar456/cds-updates).
Thomassen & Wisiol Expires 4 April 2024 [Page 11]
Internet-Draft dnssec-bootstrapping October 2023
8.1. Child DNS Operator-side
* Operator support:
- Cloudflare has implemented bootstrapping record synthesis for
all signed customer zones.
- Glauca HexDNS publishes bootstrapping records for its customer
zones.
- deSEC performs bootstrapping record synthesis for its zones
using names _signal.ns1.desec.io and _signal.ns2.desec.org.
* Authoritative nameserver support:
- An implementation of bootstrapping record synthesis in PowerDNS
is available at https://github.com/desec-io/desec-ns/pull/46
(https://github.com/desec-io/desec-ns/pull/46).
- Knot DNS supports manual creation of non-apex CDS/CDNSKEY
records.
8.2. Parental Agent-side
* ccTLD:
- SWITCH (.ch, .li) has implemented authentication of consumed
CDS records based on this draft.
- .cl is working on an implementation.
* gTLD:
- Knipp has implemented consumption of DNSSEC bootstrapping
records in its TANGO and CORE registry systems.
- A deployment of this is running at .swiss.
* Registrars:
- GoDaddy is working on an implementation.
- Glauca is working on an implementation.
Thomassen & Wisiol Expires 4 April 2024 [Page 12]
Internet-Draft dnssec-bootstrapping October 2023
* A tool to retrieve and process Signaling Records for bootstrapping
purposes, either directly or via zone walking, is available at
https://github.com/desec-io/dsbootstrap (https://github.com/desec-
io/dsbootstrap). The tool outputs the validated DS records which
then can be added to the Parent zone.
9. Acknowledgements
Thanks to Brian Dickson, Ondřej Caletka, John R. Levine,
Christian Elmerot, Oli Schacher, Donald Eastlake, Libor Peltan,
Warren Kumari, Scott Rose, Linda Dunbar, Tim Wicinski for reviewing
draft proposals and offering comments and suggestions.
Thanks also to Steve Crocker, Hugo Salgado, and Ulrich Wisser for
early-stage brainstorming.
10. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
[RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "DNS Security Introduction and Requirements",
RFC 4033, DOI 10.17487/RFC4033, March 2005,
<https://www.rfc-editor.org/info/rfc4033>.
[RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "Resource Records for the DNS Security Extensions",
RFC 4034, DOI 10.17487/RFC4034, March 2005,
<https://www.rfc-editor.org/info/rfc4034>.
[RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "Protocol Modifications for the DNS Security
Extensions", RFC 4035, DOI 10.17487/RFC4035, March 2005,
<https://www.rfc-editor.org/info/rfc4035>.
[RFC7344] Kumari, W., Gudmundsson, O., and G. Barwood, "Automating
DNSSEC Delegation Trust Maintenance", RFC 7344,
DOI 10.17487/RFC7344, September 2014,
<https://www.rfc-editor.org/info/rfc7344>.
[RFC7477] Hardaker, W., "Child-to-Parent Synchronization in DNS",
RFC 7477, DOI 10.17487/RFC7477, March 2015,
<https://www.rfc-editor.org/info/rfc7477>.
Thomassen & Wisiol Expires 4 April 2024 [Page 13]
Internet-Draft dnssec-bootstrapping October 2023
[RFC8078] Gudmundsson, O. and P. Wouters, "Managing DS Records from
the Parent via CDS/CDNSKEY", RFC 8078,
DOI 10.17487/RFC8078, March 2017,
<https://www.rfc-editor.org/info/rfc8078>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[RFC8499] Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS
Terminology", BCP 219, RFC 8499, DOI 10.17487/RFC8499,
January 2019, <https://www.rfc-editor.org/info/rfc8499>.
[RFC8552] Crocker, D., "Scoped Interpretation of DNS Resource
Records through "Underscored" Naming of Attribute Leaves",
BCP 222, RFC 8552, DOI 10.17487/RFC8552, March 2019,
<https://www.rfc-editor.org/info/rfc8552>.
11. Informative References
[RFC6781] Kolkman, O., Mekking, W., and R. Gieben, "DNSSEC
Operational Practices, Version 2", RFC 6781,
DOI 10.17487/RFC6781, December 2012,
<https://www.rfc-editor.org/info/rfc6781>.
[RFC8901] Huque, S., Aras, P., Dickinson, J., Vcelak, J., and D.
Blacka, "Multi-Signer DNSSEC Models", RFC 8901,
DOI 10.17487/RFC8901, September 2020,
<https://www.rfc-editor.org/info/rfc8901>.
Appendix A. Change History (to be removed before publication)
* draft-ietf-dnsop-dnssec-bootstrapping-06
| Add section "Updates to RFCs"
|
| Editorial nits
|
| Editorial changes from Secdir early review
* draft-ietf-dnsop-dnssec-bootstrapping-05
| Editorial changes
* draft-ietf-dnsop-dnssec-bootstrapping-04
| Added consent considerations.
|
Thomassen & Wisiol Expires 4 April 2024 [Page 14]
Internet-Draft dnssec-bootstrapping October 2023
| Editorial changes.
* draft-ietf-dnsop-dnssec-bootstrapping-03
| Updated Implementation section.
|
| Typo fix.
* draft-ietf-dnsop-dnssec-bootstrapping-02
| Clarified that RFC 8078 Section 3 is not replaced, but its methods
| are deprecated.
|
| Added new deployments to Implementation section.
|
| Included NSEC walk / AXFR as possible triggers for DS
| bootstrapping.
|
| Editorial changes.
* draft-ietf-dnsop-dnssec-bootstrapping-01
| Allow bootstrapping when some (not all) NS hostnames are in
| bailiwick.
|
| Clarified Operational Recommendations according to operator
| feedback.
|
| Turn loose Security Considerations points into coherent text.
|
| Do no longer suggest NSEC-walking Signaling Domains. (It does not
| work well due to the Signaling Type prefix. What's more, it's
| unclear who would do this: Parents know there delegations and can
| do a targeted scan; others are not interested.)
|
| Editorial changes.
|
| Added IANA request.
|
| Introduced Signaling Type prefix (_dsboot), renamed Signaling Name
| infix from _dsauth to _signal.
* draft-ietf-dnsop-dnssec-bootstrapping-00
| Editorial changes.
* draft-thomassen-dnsop-dnssec-bootstrapping-03
Thomassen & Wisiol Expires 4 April 2024 [Page 15]
Internet-Draft dnssec-bootstrapping October 2023
| Clarified importance of record cleanup by moving paragraph up.
|
| Pointed out limitations.
|
| Replace [RFC8078] Section 3 with our Section 4.2.
|
| Changed _boot label to _dsauth.
|
| Removed hashing of Child name components in Signaling Names.
|
| Editorial changes.
* draft-thomassen-dnsop-dnssec-bootstrapping-02
| Reframed as an authentication mechanism for RFC 8078.
|
| Removed multi-signer use case (focus on RFC 8078 authentication).
|
| Triggers need to fetch NS records (if not implicit from context).
|
| Improved title.
|
| Recognized that hash collisions are dealt with by Child apex
| check.
* draft-thomassen-dnsop-dnssec-bootstrapping-01
| Add section on Triggers.
|
| Clarified title.
|
| Improved abstract.
|
| Require CDS/CDNSKEY records at the Child.
|
| Reworked Signaling Name scheme.
|
| Recommend using cold cache for consumption.
|
| Updated terminology (replace "Bootstrapping" by "Signaling").
|
| Added NSEC recommendation for Bootstrapping Zones.
|
| Added multi-signer use case.
|
| Editorial changes.
* draft-thomassen-dnsop-dnssec-bootstrapping-00
Thomassen & Wisiol Expires 4 April 2024 [Page 16]
Internet-Draft dnssec-bootstrapping October 2023
| Initial public draft.
Authors' Addresses
Peter Thomassen
deSEC, Secure Systems Engineering
Berlin
Germany
Email: [email protected]
Nils Wisiol
deSEC, Technische Universität Berlin
Berlin
Germany
Email: [email protected]
Thomassen & Wisiol Expires 4 April 2024 [Page 17]