1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
|
<pre>Network Working Group R. Arends
Request for Comments: 4956 Nominet
Category: Experimental M. Kosters
D. Blacka
VeriSign, Inc.
July 2007
<span class="h1">DNS Security (DNSSEC) Opt-In</span>
Status of This Memo
This memo defines an Experimental Protocol for the Internet
community. It does not specify an Internet standard of any kind.
Discussion and suggestions for improvement are requested.
Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The IETF Trust (2007).
Abstract
In the DNS security (DNSSEC) extensions, delegations to unsigned
subzones are cryptographically secured. Maintaining this
cryptography is not always practical or necessary. This document
describes an experimental "Opt-In" model that allows administrators
to omit this cryptography and manage the cost of adopting DNSSEC with
large zones.
<span class="grey">Arends, et al. Experimental [Page 1]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-2" ></span>
<span class="grey"><a href="./rfc4956">RFC 4956</a> DNS Security (DNSSEC) Opt-In July 2007</span>
Table of Contents
<a href="#section-1">1</a>. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-3">3</a>
<a href="#section-2">2</a>. Definitions and Terminology . . . . . . . . . . . . . . . . . <a href="#page-3">3</a>
<a href="#section-3">3</a>. Experimental Status . . . . . . . . . . . . . . . . . . . . . <a href="#page-4">4</a>
<a href="#section-4">4</a>. Protocol Additions . . . . . . . . . . . . . . . . . . . . . . <a href="#page-5">5</a>
<a href="#section-4.1">4.1</a>. Server Considerations . . . . . . . . . . . . . . . . . . <a href="#page-6">6</a>
<a href="#section-4.1.1">4.1.1</a>. Delegations Only . . . . . . . . . . . . . . . . . . . <a href="#page-6">6</a>
<a href="#section-4.1.2">4.1.2</a>. Insecure Delegation Responses . . . . . . . . . . . . <a href="#page-6">6</a>
<a href="#section-4.1.3">4.1.3</a>. Dynamic Update . . . . . . . . . . . . . . . . . . . . <a href="#page-6">6</a>
<a href="#section-4.2">4.2</a>. Client Considerations . . . . . . . . . . . . . . . . . . <a href="#page-7">7</a>
<a href="#section-4.2.1">4.2.1</a>. Delegations Only . . . . . . . . . . . . . . . . . . . <a href="#page-7">7</a>
<a href="#section-4.2.2">4.2.2</a>. Validation Process Changes . . . . . . . . . . . . . . <a href="#page-7">7</a>
<a href="#section-4.2.3">4.2.3</a>. NSEC Record Caching . . . . . . . . . . . . . . . . . <a href="#page-8">8</a>
<a href="#section-4.2.4">4.2.4</a>. Use of the AD bit . . . . . . . . . . . . . . . . . . <a href="#page-8">8</a>
<a href="#section-5">5</a>. Benefits . . . . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-8">8</a>
<a href="#section-6">6</a>. Example . . . . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-9">9</a>
<a href="#section-7">7</a>. Transition Issues . . . . . . . . . . . . . . . . . . . . . . <a href="#page-11">11</a>
<a href="#section-8">8</a>. Security Considerations . . . . . . . . . . . . . . . . . . . <a href="#page-11">11</a>
<a href="#section-9">9</a>. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-13">13</a>
<a href="#section-10">10</a>. References . . . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-13">13</a>
<a href="#section-10.1">10.1</a>. Normative References . . . . . . . . . . . . . . . . . . . <a href="#page-13">13</a>
<a href="#section-10.2">10.2</a>. Informative References . . . . . . . . . . . . . . . . . . <a href="#page-13">13</a>
<a href="#appendix-A">Appendix A</a>. Implementing Opt-In Using "Views" . . . . . . . . . . <a href="#page-15">15</a>
<span class="grey">Arends, et al. Experimental [Page 2]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-3" ></span>
<span class="grey"><a href="./rfc4956">RFC 4956</a> DNS Security (DNSSEC) Opt-In July 2007</span>
<span class="h2"><a class="selflink" id="section-1" href="#section-1">1</a>. Overview</span>
The cost to cryptographically secure delegations to unsigned zones is
high for large delegation-centric zones and zones where insecure
delegations will be updated rapidly. For these zones, the costs of
maintaining the NextSECure (NSEC) record chain may be extremely high
relative to the gain of cryptographically authenticating existence of
unsecured zones.
This document describes an experimental method of eliminating the
superfluous cryptography present in secure delegations to unsigned
zones. Using "Opt-In", a zone administrator can choose to remove
insecure delegations from the NSEC chain. This is accomplished by
extending the semantics of the NSEC record by using a redundant bit
in the type map.
<span class="h2"><a class="selflink" id="section-2" href="#section-2">2</a>. Definitions and Terminology</span>
Throughout this document, familiarity with the DNS system (<a href="./rfc1035">RFC 1035</a>
[<a href="#ref-1" title=""Domain names - implementation and specification"">1</a>]), DNS security extensions ([<a href="#ref-4" title=""DNS Security Introduction and Requirements"">4</a>], [<a href="#ref-5" title=""Resource Records for the DNS Security Extensions"">5</a>], and [<a href="#ref-6" title=""Protocol Modifications for the DNS Security Extensions"">6</a>], referred to in this
document as "standard DNSSEC"), and DNSSEC terminology (<a href="./rfc3090">RFC 3090</a>
[<a href="#ref-10" title=""DNS Security Extension Clarification on Zone Status"">10</a>]) is assumed.
The following abbreviations and terms are used in this document:
RR: is used to refer to a DNS resource record.
RRset: refers to a Resource Record Set, as defined by [<a href="#ref-8" title=""Clarifications to the DNS Specification"">8</a>]. In this
document, the RRset is also defined to include the covering RRSIG
records, if any exist.
signed name: refers to a DNS name that has, at minimum, a (signed)
NSEC record.
unsigned name: refers to a DNS name that does not (at least) have an
NSEC record.
covering NSEC record/RRset: is the NSEC record used to prove
(non)existence of a particular name or RRset. This means that for
a RRset or name 'N', the covering NSEC record has the name 'N', or
has an owner name less than 'N' and "next" name greater than 'N'.
delegation: refers to an NS RRset with a name different from the
current zone apex (non-zone-apex), signifying a delegation to a
subzone.
<span class="grey">Arends, et al. Experimental [Page 3]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-4" ></span>
<span class="grey"><a href="./rfc4956">RFC 4956</a> DNS Security (DNSSEC) Opt-In July 2007</span>
secure delegation: refers to a signed name containing a delegation
(NS RRset), and a signed DS RRset, signifying a delegation to a
signed subzone.
insecure delegation: refers to a signed name containing a delegation
(NS RRset), but lacking a DS RRset, signifying a delegation to an
unsigned subzone.
Opt-In insecure delegation: refers to an unsigned name containing
only a delegation NS RRset. The covering NSEC record uses the
Opt-In methodology described in this document.
The key words "MUST, "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY, and "OPTIONAL" in this
document are to be interpreted as described in <a href="./rfc2119">RFC 2119</a> [<a href="#ref-2" title=""Key words for use in RFCs to Indicate Requirement Levels"">2</a>].
<span class="h2"><a class="selflink" id="section-3" href="#section-3">3</a>. Experimental Status</span>
This document describes an EXPERIMENTAL extension to DNSSEC. It
interoperates with non-experimental DNSSEC using the technique
described in [<a href="#ref-7" title=""DNSSEC Experiments"">7</a>]. This experiment is identified with the following
private algorithms (using algorithm 253):
"3.optin.verisignlabs.com": is an alias for DNSSEC algorithm 3, DSA,
and
"5.optin.verisignlabs.com": is an alias for DNSSEC algorithm 5,
RSASHA1.
Servers wishing to sign and serve zones that utilize Opt-In MUST sign
the zone with only one or more of these private algorithms and MUST
NOT use any other algorithms.
Resolvers MUST NOT apply the Opt-In validation rules described in
this document unless a zone is signed using one or more of these
private algorithms.
This experimental protocol relaxes the restriction that validators
MUST ignore the setting of the NSEC bit in the type map as specified
in <a href="./rfc4035">RFC 4035</a> [<a href="#ref-6" title=""Protocol Modifications for the DNS Security Extensions"">6</a>] <a href="#section-5.4">Section 5.4</a>.
The remainder of this document assumes that the servers and resolvers
involved are aware of and are involved in this experiment.
<span class="grey">Arends, et al. Experimental [Page 4]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-5" ></span>
<span class="grey"><a href="./rfc4956">RFC 4956</a> DNS Security (DNSSEC) Opt-In July 2007</span>
<span class="h2"><a class="selflink" id="section-4" href="#section-4">4</a>. Protocol Additions</span>
In DNSSEC, delegation NS RRsets are not signed, but are instead
accompanied by an NSEC RRset of the same name and (possibly) a DS
record. The security status of the subzone is determined by the
presence or absence of the DS RRset, cryptographically proven by the
NSEC record. Opt-In expands this definition by allowing insecure
delegations to exist within an otherwise signed zone without the
corresponding NSEC record at the delegation's owner name. These
insecure delegations are proven insecure by using a covering NSEC
record.
Since this represents a change of the interpretation of NSEC records,
resolvers must be able to distinguish between RFC standard DNSSEC
NSEC records and Opt-In NSEC records. This is accomplished by
"tagging" the NSEC records that cover (or potentially cover) insecure
delegation nodes. This tag is indicated by the absence of the NSEC
bit in the type map. Since the NSEC bit in the type map merely
indicates the existence of the record itself, this bit is redundant
and safe for use as a tag.
An Opt-In tagged NSEC record does not assert the (non)existence of
the delegations that it covers (except for a delegation with the same
name). This allows for the addition or removal of these delegations
without recalculating or resigning records in the NSEC chain.
However, Opt-In tagged NSEC records do assert the (non)existence of
other RRsets.
An Opt-In NSEC record MAY have the same name as an insecure
delegation. In this case, the delegation is proven insecure by the
lack of a DS bit in the type map, and the signed NSEC record does
assert the existence of the delegation.
Zones using Opt-In MAY contain a mixture of Opt-In tagged NSEC
records and standard DNSSEC NSEC records. If an NSEC record is not
Opt-In, there MUST NOT be any insecure delegations (or any other
records) between it and the RRsets indicated by the 'next domain
name' in the NSEC RDATA. If it is Opt-In, there MUST only be
insecure delegations between it and the next node indicated by the
'next domain name' in the NSEC RDATA.
In summary,
o An Opt-In NSEC type is identified by a zero-valued (or not-
specified) NSEC bit in the type bit map of the NSEC record.
<span class="grey">Arends, et al. Experimental [Page 5]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-6" ></span>
<span class="grey"><a href="./rfc4956">RFC 4956</a> DNS Security (DNSSEC) Opt-In July 2007</span>
o A standard DNSSEC NSEC type is identified by a one-valued NSEC bit
in the type bit map of the NSEC record.
and
o An Opt-In NSEC record does not assert the non-existence of a name
between its owner name and "next" name, although it does assert
that any name in this span MUST be an insecure delegation.
o An Opt-In NSEC record does assert the (non)existence of RRsets
with the same owner name.
<span class="h3"><a class="selflink" id="section-4.1" href="#section-4.1">4.1</a>. Server Considerations</span>
Opt-In imposes some new requirements on authoritative DNS servers.
<span class="h4"><a class="selflink" id="section-4.1.1" href="#section-4.1.1">4.1.1</a>. Delegations Only</span>
This specification dictates that only insecure delegations may exist
between the owner and "next" names of an Opt-In tagged NSEC record.
Signing tools MUST NOT generate signed zones that violate this
restriction. Servers MUST refuse to load and/or serve zones that
violate this restriction. Servers also MUST reject AXFR or IXFR
responses that violate this restriction.
<span class="h4"><a class="selflink" id="section-4.1.2" href="#section-4.1.2">4.1.2</a>. Insecure Delegation Responses</span>
When returning an Opt-In insecure delegation, the server MUST return
the covering NSEC RRset in the Authority section.
In standard DNSSEC, NSEC records already must be returned along with
the insecure delegation. The primary difference that this proposal
introduces is that the Opt-In tagged NSEC record will have a
different owner name from the delegation RRset. This may require
implementations to search for the covering NSEC RRset.
<span class="h4"><a class="selflink" id="section-4.1.3" href="#section-4.1.3">4.1.3</a>. Dynamic Update</span>
Opt-In changes the semantics of Secure DNS Dynamic Update [<a href="#ref-9" title=""Secure Domain Name System (DNS) Dynamic Update"">9</a>]. In
particular, it introduces the need for rules that describe when to
add or remove a delegation name from the NSEC chain. This document
does not attempt to define these rules. Until these rules are
defined, servers MUST NOT process DNS Dynamic Update requests against
zones that use Opt-In NSEC records. Servers SHOULD return responses
to update requests with RCODE=REFUSED.
<span class="grey">Arends, et al. Experimental [Page 6]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-7" ></span>
<span class="grey"><a href="./rfc4956">RFC 4956</a> DNS Security (DNSSEC) Opt-In July 2007</span>
<span class="h3"><a class="selflink" id="section-4.2" href="#section-4.2">4.2</a>. Client Considerations</span>
Opt-In imposes some new requirements on security-aware resolvers
(caching or otherwise).
<span class="h4"><a class="selflink" id="section-4.2.1" href="#section-4.2.1">4.2.1</a>. Delegations Only</span>
As stated in <a href="#section-4.1">Section 4.1</a> above, this specification restricts the
namespace covered by Opt-In tagged NSEC records to insecure
delegations only. Clients are not expected to take any special
measures to enforce this restriction; instead, it forms an underlying
assumption that clients may rely on.
<span class="h4"><a class="selflink" id="section-4.2.2" href="#section-4.2.2">4.2.2</a>. Validation Process Changes</span>
This specification does not change the resolver's resolution
algorithm. However, it does change the DNSSEC validation process.
<span class="h5"><a class="selflink" id="section-4.2.2.1" href="#section-4.2.2.1">4.2.2.1</a>. Referrals</span>
Resolvers MUST be able to use Opt-In tagged NSEC records to
cryptographically prove the validity and security status (as
insecure) of a referral. Resolvers determine the security status of
the referred-to zone as follows:
o In standard DNSSEC, the security status is proven by the existence
or absence of a DS RRset at the same name as the delegation. The
existence of the DS RRset indicates that the referred-to zone is
signed. The absence of the DS RRset is proven using a verified
NSEC record of the same name that does not have the DS bit set in
the type map. This NSEC record MAY also be tagged as Opt-In.
o Using Opt-In, the security status is proven by the existence of a
DS record (for signed) or the presence of a verified Opt-In tagged
NSEC record that covers the delegation name. That is, the NSEC
record does not have the NSEC bit set in the type map, and the
delegation name falls between the NSEC's owner and "next" name.
Using Opt-In does not substantially change the nature of following
referrals within DNSSEC. At every delegation point, the resolver
will have cryptographic proof that the referred-to subzone is signed
or unsigned.
<span class="h5"><a class="selflink" id="section-4.2.2.2" href="#section-4.2.2.2">4.2.2.2</a>. Queries for DS Resource Records</span>
Since queries for DS records are directed to the parent side of a
zone cut (see [<a href="#ref-5" title=""Resource Records for the DNS Security Extensions"">5</a>], Section 5), negative responses to these queries
may be covered by an Opt-In flagged NSEC record.
<span class="grey">Arends, et al. Experimental [Page 7]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-8" ></span>
<span class="grey"><a href="./rfc4956">RFC 4956</a> DNS Security (DNSSEC) Opt-In July 2007</span>
Resolvers MUST be able to use Opt-In tagged NSEC records to
cryptographically prove the validity and security status of negative
responses to queries for DS records. In particular, a NOERROR/NODATA
(i.e., RCODE=3, but the answer section is empty) response to a DS
query may be proven by an Opt-In flagged covering NSEC record, rather
than an NSEC record matching the query name.
<span class="h4"><a class="selflink" id="section-4.2.3" href="#section-4.2.3">4.2.3</a>. NSEC Record Caching</span>
Caching resolvers MUST be able to retrieve the appropriate covering
Opt-In NSEC record when returning referrals that need them. This
requirement differs from standard DNSSEC in that the covering NSEC
will not have the same owner name as the delegation. Some
implementations may have to use new methods for finding these NSEC
records.
<span class="h4"><a class="selflink" id="section-4.2.4" href="#section-4.2.4">4.2.4</a>. Use of the AD bit</span>
The AD bit, as defined by [<a href="#ref-3" title=""Redefinition of DNS Authenticated Data (AD) bit"">3</a>] and [<a href="#ref-6" title=""Protocol Modifications for the DNS Security Extensions"">6</a>], MUST NOT be set when:
o sending a Name Error (RCODE=3) response where the covering NSEC is
tagged as Opt-In.
o sending an Opt-In insecure delegation response, unless the
covering (Opt-In) NSEC record's owner name equals the delegation
name.
o sending a NOERROR/NODATA response when query type is DS and the
covering NSEC is tagged as Opt-In, unless NSEC record's owner name
matches the query name.
This rule is based on what the Opt-In NSEC record actually proves:
for names that exist between the Opt-In NSEC record's owner and
"next" names, the Opt-In NSEC record cannot prove the non-existence
or existence of the name. As such, not all data in the response has
been cryptographically verified, so the AD bit cannot be set.
<span class="h2"><a class="selflink" id="section-5" href="#section-5">5</a>. Benefits</span>
Using Opt-In allows administrators of large and/or changing
delegation-centric zones to minimize the overhead involved in
maintaining the security of the zone.
Opt-In accomplishes this by eliminating the need for NSEC records for
insecure delegations. This, in a zone with a large number of
delegations to unsigned subzones, can lead to substantial space
savings (both in memory and on disk). Additionally, Opt-In allows
for the addition or removal of insecure delegations without modifying
<span class="grey">Arends, et al. Experimental [Page 8]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-9" ></span>
<span class="grey"><a href="./rfc4956">RFC 4956</a> DNS Security (DNSSEC) Opt-In July 2007</span>
the NSEC record chain. Zones that are frequently updating insecure
delegations (e.g., Top-Level Domains (TLDs)) can avoid the
substantial overhead of modifying and resigning the affected NSEC
records.
<span class="h2"><a class="selflink" id="section-6" href="#section-6">6</a>. Example</span>
Consider the zone EXAMPLE shown below. This is a zone where all of
the NSEC records are tagged as Opt-In.
Example A: Fully Opt-In Zone.
EXAMPLE. SOA ...
EXAMPLE. RRSIG SOA ...
EXAMPLE. NS FIRST-SECURE.EXAMPLE.
EXAMPLE. RRSIG NS ...
EXAMPLE. DNSKEY ...
EXAMPLE. RRSIG DNSKEY ...
EXAMPLE. NSEC FIRST-SECURE.EXAMPLE. (
SOA NS RRSIG DNSKEY )
EXAMPLE. RRSIG NSEC ...
FIRST-SECURE.EXAMPLE. A ...
FIRST-SECURE.EXAMPLE. RRSIG A ...
FIRST-SECURE.EXAMPLE. NSEC NOT-SECURE-2.EXAMPLE. A RRSIG
FIRST-SECURE.EXAMPLE. RRSIG NSEC ...
NOT-SECURE.EXAMPLE. NS NS.NOT-SECURE.EXAMPLE.
NS.NOT-SECURE.EXAMPLE. A ...
NOT-SECURE-2.EXAMPLE. NS NS.NOT-SECURE.EXAMPLE.
NOT-SECURE-2.EXAMPLE NSEC SECOND-SECURE.EXAMPLE NS RRSIG
NOT-SECURE-2.EXAMPLE RRSIG NSEC ...
SECOND-SECURE.EXAMPLE. NS NS.ELSEWHERE.
SECOND-SECURE.EXAMPLE. DS ...
SECOND-SECURE.EXAMPLE. RRSIG DS ...
SECOND-SECURE.EXAMPLE. NSEC EXAMPLE. NS RRSIG DNSKEY
SECOND-SECURE.EXAMPLE. RRSIG NSEC ...
UNSIGNED.EXAMPLE. NS NS.UNSIGNED.EXAMPLE.
NS.UNSIGNED.EXAMPLE. A ...
Example A.
<span class="grey">Arends, et al. Experimental [Page 9]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-10" ></span>
<span class="grey"><a href="./rfc4956">RFC 4956</a> DNS Security (DNSSEC) Opt-In July 2007</span>
In this example, a query for a signed RRset (e.g., "FIRST-
SECURE.EXAMPLE A") or a secure delegation ("WWW.SECOND-SECURE.EXAMPLE
A") will result in a standard DNSSEC response.
A query for a nonexistent RRset will result in a response that
differs from standard DNSSEC by the following: the NSEC record will
be tagged as Opt-In, there may be no NSEC record proving the non-
existence of a matching wildcard record, and the AD bit will not be
set.
A query for an insecure delegation RRset (or a referral) will return
both the answer (in the Authority section) and the corresponding
Opt-In NSEC record to prove that it is not secure.
Example A.1: Response to query for WWW.UNSIGNED.EXAMPLE. A
RCODE=NOERROR, AD=0
Answer Section:
Authority Section:
UNSIGNED.EXAMPLE. NS NS.UNSIGNED.EXAMPLE
SECOND-SECURE.EXAMPLE. NSEC EXAMPLE. NS RRSIG DS
SECOND-SECURE.EXAMPLE. RRSIG NSEC ...
Additional Section:
NS.UNSIGNED.EXAMPLE. A ...
Example A.1
In the Example A.1 zone, the EXAMPLE. node MAY use either style of
NSEC record, because there are no insecure delegations that occur
between it and the next node, FIRST-SECURE.EXAMPLE. In other words,
Example A would still be a valid zone if the NSEC record for EXAMPLE.
was changed to the following RR:
EXAMPLE. NSEC FIRST-SECURE.EXAMPLE. (SOA NS
RRSIG DNSKEY NSEC )
However, the other NSEC records (FIRST-SECURE.EXAMPLE. and SECOND-
SECURE.EXAMPLE.) MUST be tagged as Opt-In because there are insecure
delegations in the range they define. (NOT-SECURE.EXAMPLE. and
UNSIGNED.EXAMPLE., respectively).
NOT-SECURE-2.EXAMPLE. is an example of an insecure delegation that is
part of the NSEC chain and also covered by an Opt-In tagged NSEC
record. Because NOT-SECURE-2.EXAMPLE. is a signed name, it cannot be
<span class="grey">Arends, et al. Experimental [Page 10]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-11" ></span>
<span class="grey"><a href="./rfc4956">RFC 4956</a> DNS Security (DNSSEC) Opt-In July 2007</span>
removed from the zone without modifying and resigning the prior NSEC
record. Delegations with names that fall between NOT-SECURE-
2.EXAMPLE. and SECOND-SECURE.EXAMPLE. may be added or removed without
resigning any NSEC records.
<span class="h2"><a class="selflink" id="section-7" href="#section-7">7</a>. Transition Issues</span>
Opt-In is not backwards compatible with standard DNSSEC and is
considered experimental. Standard DNSSEC-compliant implementations
would not recognize Opt-In tagged NSEC records as different from
standard NSEC records. Because of this, standard DNSSEC
implementations, if they were to validate Opt-In style responses,
would reject all Opt-In insecure delegations within a zone as
invalid. However, by only signing with private algorithms, standard
DNSSEC implementations will treat Opt-In responses as unsigned.
It should be noted that all elements in the resolution path between
(and including) the validator and the authoritative name server must
be aware of the Opt-In experiment and implement the Opt-In semantics
for successful validation to be possible. In particular, this
includes any caching middleboxes between the validator and
authoritative name server.
<span class="h2"><a class="selflink" id="section-8" href="#section-8">8</a>. Security Considerations</span>
Opt-In allows for unsigned names, in the form of delegations to
unsigned subzones, to exist within an otherwise signed zone. All
unsigned names are, by definition, insecure, and their validity or
existence cannot be cryptographically proven.
In general:
o Records with unsigned names (whether or not existing) suffer from
the same vulnerabilities as records in an unsigned zone. These
vulnerabilities are described in more detail in [<a href="#ref-12" title=""Threat Analysis of the Domain Name System (DNS)"">12</a>] (note in
particular Sections <a href="#section-2.3">2.3</a>, "Name Games" and 2.6, "Authenticated
Denial").
o Records with signed names have the same security whether or not
Opt-In is used.
Note that with or without Opt-In, an insecure delegation may have its
contents undetectably altered by an attacker. Because of this, the
primary difference in security that Opt-In introduces is the loss of
the ability to prove the existence or nonexistence of an insecure
delegation within the span of an Opt-In NSEC record.
<span class="grey">Arends, et al. Experimental [Page 11]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-12" ></span>
<span class="grey"><a href="./rfc4956">RFC 4956</a> DNS Security (DNSSEC) Opt-In July 2007</span>
In particular, this means that a malicious entity may be able to
insert or delete records with unsigned names. These records are
normally NS records, but this also includes signed wildcard
expansions (while the wildcard record itself is signed, its expanded
name is an unsigned name), which can be undetectably removed or used
to replace an existing unsigned delegation.
For example, if a resolver received the following response from the
example zone above:
Example S.1: Response to query for WWW.DOES-NOT-EXIST.EXAMPLE. A
RCODE=NOERROR
Answer Section:
Authority Section:
DOES-NOT-EXIST.EXAMPLE. NS NS.FORGED.
EXAMPLE. NSEC FIRST-SECURE.EXAMPLE. SOA NS \
RRSIG DNSKEY
EXAMPLE. RRSIG NSEC ...
Additional Section:
Attacker has forged a name
The resolver would have no choice but to believe that the referral to
NS.FORGED. is valid. If a wildcard existed that would have been
expanded to cover "WWW.DOES-NOT-EXIST.EXAMPLE.", an attacker could
have undetectably removed it and replaced it with the forged
delegation.
Note that being able to add a delegation is functionally equivalent
to being able to add any record type: an attacker merely has to forge
a delegation to the nameserver under his/her control and place
whatever records are needed at the subzone apex.
While in particular cases, this issue may not present a significant
security problem, in general it should not be lightly dismissed.
Therefore, it is strongly RECOMMENDED that Opt-In be used sparingly.
In particular, zone signing tools SHOULD NOT default to Opt-In, and
MAY choose not to support Opt-In at all.
<span class="grey">Arends, et al. Experimental [Page 12]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-13" ></span>
<span class="grey"><a href="./rfc4956">RFC 4956</a> DNS Security (DNSSEC) Opt-In July 2007</span>
<span class="h2"><a class="selflink" id="section-9" href="#section-9">9</a>. Acknowledgments</span>
The contributions, suggestions, and remarks of the following persons
(in alphabetic order) to this document are acknowledged:
Mats Kolkman, Edward Lewis, Ted Lindgreen, Rip Loomis, Bill
Manning, Dan Massey, Scott Rose, Mike Schiraldi, Jakob Schlyter,
Brian Wellington.
<span class="h2"><a class="selflink" id="section-10" href="#section-10">10</a>. References</span>
<span class="h3"><a class="selflink" id="section-10.1" href="#section-10.1">10.1</a>. Normative References</span>
[<a id="ref-1">1</a>] Mockapetris, P., "Domain names - implementation and
specification", STD 13, <a href="./rfc1035">RFC 1035</a>, November 1987.
[<a id="ref-2">2</a>] Bradner, S., "Key words for use in RFCs to Indicate Requirement
Levels", <a href="https://www.rfc-editor.org/bcp/bcp14">BCP 14</a>, <a href="./rfc2119">RFC 2119</a>, March 1997.
[<a id="ref-3">3</a>] Wellington, B. and O. Gudmundsson, "Redefinition of DNS
Authenticated Data (AD) bit", <a href="./rfc3655">RFC 3655</a>, November 2003.
[<a id="ref-4">4</a>] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
"DNS Security Introduction and Requirements", <a href="./rfc4033">RFC 4033</a>,
March 2005.
[<a id="ref-5">5</a>] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
"Resource Records for the DNS Security Extensions", <a href="./rfc4034">RFC 4034</a>,
March 2005.
[<a id="ref-6">6</a>] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
"Protocol Modifications for the DNS Security Extensions",
<a href="./rfc4035">RFC 4035</a>, March 2005.
[<a id="ref-7">7</a>] Blacka, D., "DNSSEC Experiments", <a href="./rfc4955">RFC 4955</a>, July 2007.
<span class="h3"><a class="selflink" id="section-10.2" href="#section-10.2">10.2</a>. Informative References</span>
[<a id="ref-8">8</a>] Elz, R. and R. Bush, "Clarifications to the DNS Specification",
<a href="./rfc2181">RFC 2181</a>, July 1997.
[<a id="ref-9">9</a>] Wellington, B., "Secure Domain Name System (DNS) Dynamic
Update", <a href="./rfc3007">RFC 3007</a>, November 2000.
[<a id="ref-10">10</a>] Lewis, E., "DNS Security Extension Clarification on Zone
Status", <a href="./rfc3090">RFC 3090</a>, March 2001.
<span class="grey">Arends, et al. Experimental [Page 13]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-14" ></span>
<span class="grey"><a href="./rfc4956">RFC 4956</a> DNS Security (DNSSEC) Opt-In July 2007</span>
[<a id="ref-11">11</a>] Conrad, D., "Indicating Resolver Support of DNSSEC", <a href="./rfc3225">RFC 3225</a>,
December 2001.
[<a id="ref-12">12</a>] Atkins, D. and R. Austein, "Threat Analysis of the Domain Name
System (DNS)", <a href="./rfc3833">RFC 3833</a>, August 2004.
<span class="grey">Arends, et al. Experimental [Page 14]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-15" ></span>
<span class="grey"><a href="./rfc4956">RFC 4956</a> DNS Security (DNSSEC) Opt-In July 2007</span>
<span class="h2"><a class="selflink" id="appendix-A" href="#appendix-A">Appendix A</a>. Implementing Opt-In Using "Views"</span>
In many cases, it may be convenient to implement an Opt-In zone by
combining two separately maintained "views" of a zone at request
time. In this context, "view" refers to a particular version of a
zone, not to any specific DNS implementation feature.
In this scenario, one view is the secure view, the other is the
insecure (or legacy) view. The secure view consists of an entirely
signed zone using Opt-In tagged NSEC records. The insecure view
contains no DNSSEC information. It is helpful, although not
necessary, for the secure view to be a subset (minus DNSSEC records)
of the insecure view.
In addition, the only RRsets that may solely exist in the insecure
view are non-zone-apex NS RRsets. That is, all non-NS RRsets (and
the zone apex NS RRset) MUST be signed and in the secure view.
These two views may be combined at request time to provide a virtual,
single Opt-In zone. The following algorithm is used when responding
to each query:
V_A is the secure view as described above.
V_B is the insecure view as described above.
R_A is a response generated from V_A, following standard DNSSEC.
R_B is a response generated from V_B, following DNS resolution as
per <a href="./rfc1035">RFC 1035</a> [<a href="#ref-1" title=""Domain names - implementation and specification"">1</a>].
R_C is the response generated by combining R_A with R_B, as
described below.
A query is DNSSEC-aware if it either has the DO bit [<a href="#ref-11" title=""Indicating Resolver Support of DNSSEC"">11</a>] turned on
or is for a DNSSEC-specific record type.
1. If V_A is a subset of V_B and the query is not DNSSEC-aware,
generate and return R_B, otherwise
2. Generate R_A.
3. If R_A's RCODE != NXDOMAIN, return R_A, otherwise
<span class="grey">Arends, et al. Experimental [Page 15]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-16" ></span>
<span class="grey"><a href="./rfc4956">RFC 4956</a> DNS Security (DNSSEC) Opt-In July 2007</span>
4. Generate R_B and combine it with R_A to form R_C:
For each section (ANSWER, AUTHORITY, ADDITIONAL), copy the
records from R_A into R_B, EXCEPT the AUTHORITY section SOA
record, if R_B's RCODE = NOERROR.
5. Return R_C.
Authors' Addresses
Roy Arends
Nominet
Sandford Gate
Sandy Lane West
Oxford OX4 6LB
UNITED KINGDOM
Phone: +44 1865 332211
EMail: roy@nominet.org.uk
Mark Kosters
VeriSign, Inc.
21355 Ridgetop Circle
Dulles, VA 20166
US
Phone: +1 703 948 3200
EMail: mkosters@verisign.com
URI: <a href="http://www.verisignlabs.com">http://www.verisignlabs.com</a>
David Blacka
VeriSign, Inc.
21355 Ridgetop Circle
Dulles, VA 20166
US
Phone: +1 703 948 3200
EMail: davidb@verisign.com
URI: <a href="http://www.verisignlabs.com">http://www.verisignlabs.com</a>
<span class="grey">Arends, et al. Experimental [Page 16]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-17" ></span>
<span class="grey"><a href="./rfc4956">RFC 4956</a> DNS Security (DNSSEC) Opt-In July 2007</span>
Full Copyright Statement
Copyright (C) The IETF Trust (2007).
This document is subject to the rights, licenses and restrictions
contained in <a href="https://www.rfc-editor.org/bcp/bcp78">BCP 78</a>, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in <a href="https://www.rfc-editor.org/bcp/bcp78">BCP 78</a> and <a href="https://www.rfc-editor.org/bcp/bcp79">BCP 79</a>.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
<a href="http://www.ietf.org/ipr">http://www.ietf.org/ipr</a>.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Acknowledgement
Funding for the RFC Editor function is currently provided by the
Internet Society.
Arends, et al. Experimental [Page 17]
</pre>
|
