freebsd-nq/doc/draft/draft-ietf-dnsext-trustupdate-threshold-00.txt
2008-07-12 05:00:28 +00:00

1501 lines
42 KiB
Plaintext

Network Working Group J. Ihren
Internet-Draft Autonomica AB
Expires: April 18, 2005 O. Kolkman
RIPE NCC
B. Manning
EP.net
October 18, 2004
An In-Band Rollover Mechanism and an Out-Of-Band Priming Method for
DNSSEC Trust Anchors.
draft-ietf-dnsext-trustupdate-threshold-00
Status of this Memo
By submitting this Internet-Draft, I certify that any applicable
patent or other IPR claims of which I am aware have been disclosed,
and any of which I become aware will be disclosed, in accordance with
RFC 3668.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as
Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on April 18, 2005.
Copyright Notice
Copyright (C) The Internet Society (2004). All Rights Reserved.
Abstract
The DNS Security Extensions (DNSSEC) works by validating so called
chains of authority. The start of these chains of authority are
usually public keys that are anchored in the DNS clients. These keys
are known as the so called trust anchors.
Ihren, et al. Expires April 18, 2005 [Page 1]
Internet-Draft DNSSEC Threshold-based Trust Update October 2004
This memo describes a method how these client trust anchors can be
replaced using the DNS validation and querying mechanisms (in-band)
when the key pairs used for signing by zone owner are rolled.
This memo also describes a method to establish the validity of trust
anchors for initial configuration, or priming, using out of band
mechanisms.
Table of Contents
1. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1 Key Signing Keys, Zone Signing Keys and Secure Entry
Points . . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Introduction and Background . . . . . . . . . . . . . . . . . 5
2.1 Dangers of Stale Trust Anchors . . . . . . . . . . . . . . 5
3. Threshold-based Trust Anchor Rollover . . . . . . . . . . . . 7
3.1 The Rollover . . . . . . . . . . . . . . . . . . . . . . . 7
3.2 Threshold-based Trust Update . . . . . . . . . . . . . . . 8
3.3 Possible Trust Update States . . . . . . . . . . . . . . . 9
3.4 Implementation notes . . . . . . . . . . . . . . . . . . . 10
3.5 Possible transactions . . . . . . . . . . . . . . . . . . 11
3.5.1 Single DNSKEY replaced . . . . . . . . . . . . . . . . 12
3.5.2 Addition of a new DNSKEY (no removal) . . . . . . . . 12
3.5.3 Removal of old DNSKEY (no addition) . . . . . . . . . 12
3.5.4 Multiple DNSKEYs replaced . . . . . . . . . . . . . . 12
3.6 Removal of trust anchors for a trust point . . . . . . . . 12
3.7 No need for resolver-side overlap of old and new keys . . 13
4. Bootstrapping automatic rollovers . . . . . . . . . . . . . . 14
4.1 Priming Keys . . . . . . . . . . . . . . . . . . . . . . . 14
4.1.1 Bootstrapping trust anchors using a priming key . . . 14
4.1.2 Distribution of priming keys . . . . . . . . . . . . . 15
5. The Threshold Rollover Mechanism vs Priming . . . . . . . . . 16
6. Security Considerations . . . . . . . . . . . . . . . . . . . 17
6.1 Threshold-based Trust Update Security Considerations . . . 17
6.2 Priming Key Security Considerations . . . . . . . . . . . 17
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 19
8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 20
8.1 Normative References . . . . . . . . . . . . . . . . . . . . 20
8.2 Informative References . . . . . . . . . . . . . . . . . . . 20
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 20
A. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 22
B. Document History . . . . . . . . . . . . . . . . . . . . . . . 23
B.1 prior to version 00 . . . . . . . . . . . . . . . . . . . 23
B.2 version 00 . . . . . . . . . . . . . . . . . . . . . . . . 23
Intellectual Property and Copyright Statements . . . . . . . . 24
Ihren, et al. Expires April 18, 2005 [Page 2]
Internet-Draft DNSSEC Threshold-based Trust Update October 2004
1. Terminology
The key words "MUST", "SHALL", "REQUIRED", "SHOULD", "RECOMMENDED",
and "MAY" in this document are to be interpreted as described in
RFC2119 [1].
The term "zone" refers to the unit of administrative control in the
Domain Name System. In this document "name server" denotes a DNS
name server that is authoritative (i.e. knows all there is to know)
for a DNS zone. A "zone owner" is the entity responsible for signing
and publishing a zone on a name server. The terms "authentication
chain", "bogus", "trust anchors" and "Island of Security" are defined
in [4]. Throughout this document we use the term "resolver" to mean
"Validating Stub Resolvers" as defined in [4].
We use the term "security apex" as the zone for which a trust anchor
has been configured (by validating clients) and which is therefore,
by definition, at the root of an island of security. The
configuration of trust anchors is a client side issue. Therefore a
zone owner may not always know if their zone has become a security
apex.
A "stale anchor" is a trust anchor (a public key) that relates to a
key that is not used for signing. Since trust anchors indicate that
a zone is supposed to be secure a validator will mark the all data in
an island of security as bogus when all trust anchors become stale.
It is assumed that the reader is familiar with public key
cryptography concepts [REF: Schneier Applied Cryptography] and is
able to distinguish between the private and public parts of a key
based on the context in which we use the term "key". If there is a
possible ambiguity we will explicitly mention if a private or a
public part of a key is used.
The term "administrator" is used loosely throughout the text. In
some cases an administrator is meant to be a person, in other cases
the administrator may be a process that has been delegated certain
responsibilities.
1.1 Key Signing Keys, Zone Signing Keys and Secure Entry Points
Although the DNSSEC protocol does not make a distinction between
different keys the operational practice is that a distinction is made
between zone signing keys and key signing keys. A key signing key is
used to exclusively sign the DNSKEY Resource Record (RR) set at the
apex of a zone and the zone signing keys sign all the data in the
zone (including the DNSKEY RRset at the apex).
Ihren, et al. Expires April 18, 2005 [Page 3]
Internet-Draft DNSSEC Threshold-based Trust Update October 2004
Keys that are intended to be used as the start of the authentication
chain for a particular zone, either because they are pointed to by a
parental DS RR or because they are configured as a trust anchor, are
called Secure Entry Point (SEP) keys. In practice these SEP keys
will be key signing keys.
In order for the mechanism described herein to work the keys that are
intended to be used as secure entry points MUST have the SEP [2] flag
set. In the examples it is assumed that keys with the SEP flag set
are used as key signing keys and thus exclusively sign the DNSKEY
RRset published at the apex of the zone.
Ihren, et al. Expires April 18, 2005 [Page 4]
Internet-Draft DNSSEC Threshold-based Trust Update October 2004
2. Introduction and Background
When DNSSEC signatures are validated the resolver constructs a chain
of authority from a pre-configured trust anchor to the DNSKEY
Resource Record (RR), which contains the public key that validates
the signature stored in an RRSIG RR. DNSSEC is designed so that the
administrator of a resolver can validate data in multiple islands of
security by configuring multiple trust anchors.
It is expected that resolvers will have more than one trust anchor
configured. Although there is no deployment experience it is not
unreasonable to expect resolvers to be configured with a number of
trust anchors that varies between order 1 and order 1000. Because
zone owners are expected to roll their keys, trust anchors will have
to be maintained (in the resolver end) in order not to become stale.
Since there is no global key maintenance policy for zone owners and
there are no mechanisms in the DNS to signal the key maintenance
policy it may be very hard for resolvers administrators to keep their
set of trust anchors up to date. For instance, if there is only one
trust anchor configured and the key maintenance policy is clearly
published, through some out of band trusted channel, then a resolver
administrator can probably keep track of key rollovers and update the
trust anchor manually. However, with an increasing number of trust
anchors all rolled according to individual policies that are all
published through different channels this soon becomes an
unmanageable problem.
2.1 Dangers of Stale Trust Anchors
Whenever a SEP key at a security apex is rolled there exists a danger
that "stale anchors" are created. A stale anchor is a trust anchor
(i.e. a public key configured in a validating resolver) that relates
to a private key that is no longer used for signing.
The problem with a stale anchors is that they will (from the
validating resolvers point of view) prove data to be false even
though it is actually correct. This is because the data is either
signed by a new key or is no longer signed and the resolver expects
data to be signed by the old (now stale) key.
This situation is arguably worse than not having a trusted key
configured for the secure entry point, since with a stale key no
lookup is typically possible (presuming that the default
configuration of a validating recursive nameserver is to not give out
data that is signed but failed to verify.
The danger of making configured trust anchors become stale anchors
Ihren, et al. Expires April 18, 2005 [Page 5]
Internet-Draft DNSSEC Threshold-based Trust Update October 2004
may be a reason for zone owners not to roll their keys. If a
resolver is configured with many trust anchors that need manual
maintenance it may be easy to not notice a key rollover at a security
apex, resulting in a stale anchor.
In Section 3 this memo sets out a lightweight, in-DNS, mechanism to
track key rollovers and modify the configured trust anchors
accordingly. The mechanism is stateless and does not need protocol
extensions. The proposed design is that this mechanism is
implemented as a "trust updating machine" that is run entirely
separate from the validating resolver except that the trust updater
will have influence over the trust anchors used by the latter.
In Section 4 we describe a method [Editors note: for now only the
frame work and a set of requirements] to install trust anchors. This
method can be used at first configuration or when the trust anchors
became stale (typically due to a failure to track several rollover
events).
The choice for which domains trust anchors are to be configured is a
local policy issue. So is the choice which trust anchors has
prevalence if there are multiple chains of trust to a given piece of
DNS data (e.g. when a parent zone and its child both have trust
anchors configured). Both issues are out of the scope of this
document.
Ihren, et al. Expires April 18, 2005 [Page 6]
Internet-Draft DNSSEC Threshold-based Trust Update October 2004
3. Threshold-based Trust Anchor Rollover
3.1 The Rollover
When a key pair is replaced all signatures (in DNSSEC these are the
RRSIG records) created with the old key will be replaced by new
signatures created by the new key. Access to the new public key is
needed to verify these signatures.
Since zone signing keys are in "the middle" of a chain of authority
they can be verified using the signature made by a key signing key.
Rollover of zone signing keys is therefore transparent to validators
and requires no action in the validator end.
But if a key signing key is rolled a resolver can determine its
authenticity by either following the authorization chain from the
parents DS record, an out-of-DNS authentication mechanism or by
relying on other trust anchors known for the zone in which the key is
rolled.
The threshold trust anchor rollover mechanism (or trust update),
described below, is based on using existing trust anchors to verify a
subset of the available signatures. This is then used as the basis
for a decision to accept the new keys as valid trust anchors.
Our example pseudo zone below contains a number of key signing keys
numbered 1 through Y and two zone signing keys A and B. During a key
rollover key 2 is replaced by key Y+1. The zone content changes
from:
example.com. DNSKEY key1
example.com. DNSKEY key2
example.com. DNSKEY key3
...
example.com. DNSKEY keyY
example.com. DNSKEY keyA
example.com. DNSKEY keyB
example.com. RRSIG DNSKEY ... (key1)
example.com. RRSIG DNSKEY ... (key2)
example.com. RRSIG DNSKEY ... (key3)
...
example.com. RRSIG DNSKEY ... (keyY)
example.com. RRSIG DNSKEY ... (keyA)
example.com. RRSIG DNSKEY ... (keyB)
to:
Ihren, et al. Expires April 18, 2005 [Page 7]
Internet-Draft DNSSEC Threshold-based Trust Update October 2004
example.com. DNSKEY key1
example.com. DNSKEY key3
...
example.com. DNSKEY keyY
example.com. DNSKEY keyY+1
example.com. RRSIG DNSKEY ... (key1)
example.com. RRSIG DNSKEY ... (key3)
...
example.com. RRSIG DNSKEY ... (keyY)
example.com. RRSIG DNSKEY ... (keyY+1)
example.com. RRSIG DNSKEY ... (keyA)
example.com. RRSIG DNSKEY ... (keyB)
When the rollover becomes visible to the verifying stub resolver it
will be able to verify the RRSIGs associated with key1, key3 ...
keyY. There will be no RRSIG by key2 and the RRSIG by keyY+1 will
not be used for validation, since that key is previously unknown and
therefore not trusted.
Note that this example is simplified. Because of operational
considerations described in [5] having a period during which the two
key signing keys are both available is necessary.
3.2 Threshold-based Trust Update
The threshold-based trust update algorithm applies as follows. If
for a particular secure entry point
o if the DNSKEY RRset in the zone has been replaced by a more recent
one (as determined by comparing the RRSIG inception dates)
and
o if at least M configured trust anchors directly verify the related
RRSIGs over the new DNSKEY RRset
and
o the number of configured trust anchors that verify the related
RRSIGs over the new DNSKEY RRset exceed a locally defined minimum
number that should be greater than one
then all the trust anchors for the particular secure entry point are
replaced by the set of keys from the zones DNSKEY RRset that have the
SEP flag set.
The choices for the rollover acceptance policy parameter M is left to
the administrator of the resolver. To be certain that a rollover is
accepted up by resolvers using this mechanism zone owners should roll
as few SEP keys at a time as possible (preferably just one). That
way they comply to the most strict rollover acceptance policy of
M=N-1.
Ihren, et al. Expires April 18, 2005 [Page 8]
Internet-Draft DNSSEC Threshold-based Trust Update October 2004
The value of M has an upper bound, limited by the number of of SEP
keys a zone owner publishes (i.e. N). But there is also a lower
bound, since it will not be safe to base the trust in too few
signatures. The corner case is M=1 when any validating RRSIG will be
sufficient for a complete replacement of the trust anchors for that
secure entry point. This is not a recommended configuration, since
that will allow an attacker to initiate rollover of the trust anchors
himself given access to just one compromised key. Hence M should in
be strictly larger than 1 as shown by the third requirement above.
If the rollover acceptance policy is M=1 then the result for the
rollover in our example above should be that the local database of
trust anchors is updated by removing key "key2" from and adding key
"keyY+1" to the key store.
3.3 Possible Trust Update States
We define five states for trust anchor configuration at the client
side.
PRIMING: There are no trust anchors configured. There may be priming
keys available for initial priming of trust anchors.
IN-SYNC: The set of trust anchors configured exactly matches the set
of SEP keys used by the zone owner to sign the zone.
OUT-OF-SYNC: The set of trust anchors is not exactly the same as the
set of SEP keys used by the zone owner to sign the zone but there
are enough SEP key in use by the zone owner that is also in the
trust anchor configuration.
UNSYNCABLE: There is not enough overlap between the configured trust
anchors and the set of SEP keys used to sign the zone for the new
set to be accepted by the validator (i.e. the number of
signatures that verify is not sufficient).
STALE: There is no overlap between the configured trust anchors and
the set of SEP keys used to sign the zone. Here validation of
data is no longer possible and hence we are in a situation where
the trust anchors are stale.
Of these five states only two (IN-SYNC and OUT-OF-SYNC) are part of
the automatic trust update mechanism. The PRIMING state is where a
validator is located before acquiring an up-to-date set of trust
anchors. The transition from PRIMING to IN-SYNC is manual (see
Section 4 below).
Example: assume a secure entry point with four SEP keys and a
validator with the policy that it will accept any update to the set
of trust anchors as long as no more than two signatures fail to
validate (i.e. M >= N-2) and at least two signature does validate
(i.e. M >= 2). In this case the rollover of a single key will move
the validator from IN-SYNC to OUT-OF-SYNC. When the trust update
Ihren, et al. Expires April 18, 2005 [Page 9]
Internet-Draft DNSSEC Threshold-based Trust Update October 2004
state machine updates the trust anchors it returns to state IN-SYNC.
If if for some reason it fails to update the trust anchors then the
next rollover (of a different key) will move the validator from
OUT-OF-SYNC to OUT-OF-SYNC (again), since there are still two keys
that are configured as trust anchors and that is sufficient to accpt
an automatic update of the trust anchors.
The UNSYNCABLE state is where a validator is located if it for some
reason fails to incorporate enough updates to the trust anchors to be
able to accept new updates according to its local policy. In this
example (i.e. with the policy specified above) this will either be
because M < N-2 or M < 2, which does not suffice to authenticate a
successful update of trust anchors.
Continuing with the previous example where two of the four SEP keys
have already rolled, but the validator has failed to update the set
of trust anchors. When the third key rolls over there will only be
one trust anchor left that can do successful validation. This is not
sufficient to enable automatic update of the trust anchors, hence the
new state is UNSYNCABLE. Note, however, that the remaining
up-to-date trust anchor is still enough to do successful validation
so the validator is still "working" from a DNSSEC point of view.
The STALE state, finally, is where a validator ends up when it has
zero remaining current trust anchors. This is a dangerous state,
since the stale trust anchors will cause all validation to fail. The
escape is to remove the stale trust anchors and thereby revert to the
PRIMING state.
3.4 Implementation notes
The DNSSEC protocol specification ordains that a DNSKEY to which a DS
record points should be self-signed. Since the keys that serve as
trust anchors and the keys that are pointed to by DS records serve
the same purpose, they are both secure entry points, we RECOMMEND
that zone owners who want to facilitate the automated rollover scheme
documented herein self-sign DNSKEYs with the SEP bit set and that
implementation check that DNSKEYs with the SEP bit set are
self-signed.
In order to maintain a uniform way of determining that a keyset in
the zone has been replaced by a more recent set the automatic trust
update machine SHOULD only accept new DNSKEY RRsets if the
accompanying RRSIGs show a more recent inception date than the
present set of trust anchors. This is also needed as a safe guard
against possible replay attacks where old updates are replayed
"backwards" (i.e. one change at a time, but going in the wrong
Ihren, et al. Expires April 18, 2005 [Page 10]
Internet-Draft DNSSEC Threshold-based Trust Update October 2004
direction, thereby luring the validator into the UNSYNCABLE and
finally STALE states).
In order to be resilient against failures the implementation should
collect the DNSKEY RRsets from (other) authoritative servers if
verification of the self signatures fails.
The threshold-based trust update mechanism SHOULD only be applied to
algorithms, as represented in the algorithm field in the DNSKEY/RRSIG
[3], that the resolver is aware of. In other words the SEP keys of
unknown algorithms should not be used when counting the number of
available signatures (the N constant) and the SEP keys of unknown
algorithm should not be entered as trust anchors.
When in state UNSYNCABLE or STALE manual intervention will be needed
to return to the IN-SYNC state. These states should be flagged. The
most appropriate action is human audit possibly followed by
re-priming (Section 4) the keyset (i.e. manual transfer to the
PRIMING state through removal of the configured trust anchors).
An implementation should regularly probe the the authoritative
nameservers for new keys. Since there is no mechanism to publish
rollover frequencies this document RECOMMENDS zone owners not to roll
their key signing keys more often than once per month and resolver
administrators to probe for key rollsovers (and apply the threshold
criterion for acceptance of trust update) not less often than once
per month. If the rollover frequency is higher than the probing
frequency then trust anchors may become stale. The exact relation
between the frequencies depends on the number of SEP keys rolled by
the zone owner and the value M configured by the resolver
administrator.
In all the cases below a transaction where the threshold criterion is
not satisfied should be considered bad (i.e. possibly spoofed or
otherwise corrupted data). The most appropriate action is human
audit.
There is one case where a "bad" state may be escaped from in an
automated fashion. This is when entering the STALE state where all
DNSSEC validation starts to fail. If this happens it is concievable
that it is better to completely discard the stale trust anchors
(thereby reverting to the PRIMING state where validation is not
possible). A local policy that automates removal of stale trust
anchors is therefore suggested.
3.5 Possible transactions
Ihren, et al. Expires April 18, 2005 [Page 11]
Internet-Draft DNSSEC Threshold-based Trust Update October 2004
3.5.1 Single DNSKEY replaced
This is probably the most typical transaction on the zone owners
part. The result should be that if the threshold criterion is
satisfied then the key store is updated by removal of the old trust
anchor and addition of the new key as a new trust anchor. Note that
if the DNSKEY RRset contains exactly M keys replacement of keys is
not possible, i.e. for automatic rollover to work M must be stricly
less than N.
3.5.2 Addition of a new DNSKEY (no removal)
If the threshold criterion is satisfied then the new key is added as
a configured trust anchor. Not more than N-M keys can be added at
once, since otherwise the algorithm will fail.
3.5.3 Removal of old DNSKEY (no addition)
If the threshold criterion is satisfied then the old key is removed
from being a configured trust anchor. Note that it is not possible
to reduce the size of the DNSKEY RRset to a size smaller than the
minimum required value for M.
3.5.4 Multiple DNSKEYs replaced
Arguably it is not a good idea for the zone administrator to replace
several keys at the same time, but from the resolver point of view
this is exactly what will happen if the validating resolver for some
reason failed to notice a previous rollover event.
Not more than N-M keys can be replaced at one time or the threshold
criterion will not be satisfied. Or, expressed another way: as long
as the number of changed keys is less than or equal to N-M the
validator is in state OUT-OF-SYNC. When the number of changed keys
becomes greater than N-M the state changes to UNSYNCABLE and manual
action is needed.
3.6 Removal of trust anchors for a trust point
If the parent of a secure entry point gets signed and it's trusted
keys get configured in the key store of the validating resolver then
the configured trust anchors for the child should be removed entirely
unless explicitly configured (in the utility configuration) to be an
exception.
The reason for such a configuration would be that the resolver has a
local policy that requires maintenance of trusted keys further down
the tree hierarchy than strictly needed from the point of view.
Ihren, et al. Expires April 18, 2005 [Page 12]
Internet-Draft DNSSEC Threshold-based Trust Update October 2004
The default action when the parent zone changes from unsigned to
signed should be to remove the configured trust anchors for the
child. This form of "garbage collect" will ensure that the automatic
rollover machinery scales as DNSSEC deployment progresses.
3.7 No need for resolver-side overlap of old and new keys
It is worth pointing out that there is no need for the resolver to
keep state about old keys versus new keys, beyond the requirement of
tracking signature inception time for the covering RRSIGs as
described in Section 3.4.
From the resolver point of view there are only trusted and not
trusted keys. The reason is that the zone owner needs to do proper
maintenance of RRSIGs regardless of the resolver rollover mechanism
and hence must ensure that no key rolled out out the DNSKEY set until
there cannot be any RRSIGs created by this key still legally cached.
Hence the rollover mechanism is entirely stateless with regard to the
keys involved: as soon as the resolver (or in this case the rollover
tracking utility) detects a change in the DNSKEY RRset (i.e. it is
now in the state OUT-OF-SYNC) with a sufficient number of matching
RRSIGs the configured trust anchors are immediately updated (and
thereby the machine return to state IN-SYNC). I.e. the rollover
machine changes states (mostly oscillating between IN-SYNC and
OUT-OF-SYNC), but the status of the DNSSEC keys is stateless.
Ihren, et al. Expires April 18, 2005 [Page 13]
Internet-Draft DNSSEC Threshold-based Trust Update October 2004
4. Bootstrapping automatic rollovers
It is expected that with the ability to automatically roll trust
anchors at trust points will follow a diminished unwillingness to
roll these keys, since the risks associated with stale keys are
minimized.
The problem of "priming" the trust anchors, or bringing them into
sync (which could happen if a resolver is off line for a long period
in which a set of SEP keys in a zone 'evolve' away from its trust
anchor configuration) remains.
For (re)priming we can rely on out of band technology and we propose
the following framework.
4.1 Priming Keys
If all the trust anchors roll somewhat frequently (on the order of
months or at most about a year) then it will not be possible to
design a device, or a software distribution that includes trust
anchors, that after being manufactured is put on a shelf for several
key rollover periods before being brought into use (since no trust
anchors that were known at the time of manufacture remain active).
To alleviate this we propose the concept of "priming keys". Priming
keys are ordinary DNSSEC Key Signing Keys with the characteristic
that
o The private part of a priming key signs the DNSKEY RRset at the
security apex, i.e. at least one RRSIG DNSKEY is created by a
priming key rather than by an "ordinary" trust anchor
o the public parts of priming keys are not included in the DNSKEY
RRset. Instead the public parts of priming keys are only
available out-of-band.
o The public parts of the priming keys have a validity period.
Within this period they can be used to obtain trust anchors.
o The priming key pairs are long lived (relative to the key rollover
period.)
4.1.1 Bootstrapping trust anchors using a priming key
To install the trust anchors for a particular security apex an
administrator of a validating resolver will need to:
o query for the DNSKEY RRset of the zone at the security apex;
o verify the self signatures of all DNSKEYs in the RRset;
o verify the signature of the RRSIG made with a priming key --
verification using one of the public priming keys that is valid at
that moment is sufficient;
Ihren, et al. Expires April 18, 2005 [Page 14]
Internet-Draft DNSSEC Threshold-based Trust Update October 2004
o create the trust anchors by extracting the DNSKEY RRs with the SEP
flag set.
The SEP keys with algorithms unknown to the validating resolver
SHOULD be ignored during the creation of the trust anchors.
4.1.2 Distribution of priming keys
The public parts of the priming keys SHOULD be distributed
exclusively through out-of-DNS mechanisms. The requirements for a
distribution mechanism are:
o it can carry the "validity" period for the priming keys;
o it can carry the self-signature of the priming keys;
o and it allows for verification using trust relations outside the
DNS.
A distribution mechanism would benefit from:
o the availability of revocation lists;
o the ability of carrying zone owners policy information such as
recommended values for "M" and "N" and a rollover frequency;
o and the technology on which is based is readily available.
Ihren, et al. Expires April 18, 2005 [Page 15]
Internet-Draft DNSSEC Threshold-based Trust Update October 2004
5. The Threshold Rollover Mechanism vs Priming
There is overlap between the threshold-based trust updater and the
Priming method. One could exclusively use the Priming method for
maintaining the trust anchors. However the priming method probably
relies on "non-DNS' technology and may therefore not be available for
all devices that have a resolver.
Ihren, et al. Expires April 18, 2005 [Page 16]
Internet-Draft DNSSEC Threshold-based Trust Update October 2004
6. Security Considerations
6.1 Threshold-based Trust Update Security Considerations
A clear issue for resolvers will be how to ensure that they track all
rollover events for the zones they have configure trust anchors for.
Because of temporary outages validating resolvers may have missed a
rollover of a KSK. The parameters that determine the robustness
against failures are: the length of the period between rollovers
during which the KSK set is stable and validating resolvers can
actually notice the change; the number of available KSKs (i.e. N)
and the number of signatures that may fail to validate (i.e. N-M).
With a large N (i.e. many KSKs) and a small value of M this
operation becomes more robust since losing one key, for whatever
reason, will not be crucial. Unfortunately the choice for the number
of KSKs is a local policy issue for the zone owner while the choice
for the parameter M is a local policy issue for the resolver
administrator.
Higher values of M increase the resilience against attacks somewhat;
more signatures need to verify for a rollover to be approved. On the
other hand the number of rollover events that may pass unnoticed
before the resolver reaches the UNSYNCABLE state goes down.
The threshold-based trust update intentionally does not provide a
revocation mechanism. In the case that a sufficient number of
private keys of a zone owner are simultaneously compromised the the
attacker may use these private keys to roll the trust anchors of (a
subset of) the resolvers. This is obviously a bad situation but it
is not different from most other public keys systems.
However, it is important to point out that since any reasonable trust
anchor rollover policy (in validating resolvers) will require more
than one RRSIG to validate this proposal does provide security
concious zone administrators with the option of not storing the
individual private keys in the same location and thereby decreasing
the likelihood of simultaneous compromise.
6.2 Priming Key Security Considerations
Since priming keys are not included in the DNSKEY RR set they are
less sensitive to packet size constraints and can be chosen
relatively large. The private parts are only needed to sign the
DNSKEY RR set during the validity period of the particular priming
key pair. Note that the private part of the priming key is used each
time when a DNSKEY RRset has to be resigned. In practice there is
therefore little difference between the usage pattern of the private
Ihren, et al. Expires April 18, 2005 [Page 17]
Internet-Draft DNSSEC Threshold-based Trust Update October 2004
part of key signing keys and priming keys.
Ihren, et al. Expires April 18, 2005 [Page 18]
Internet-Draft DNSSEC Threshold-based Trust Update October 2004
7. IANA Considerations
NONE.
Ihren, et al. Expires April 18, 2005 [Page 19]
Internet-Draft DNSSEC Threshold-based Trust Update October 2004
8. References
8.1 Normative References
[1] Bradner, S., "Key words for use in RFCs to Indicate Requirement
Levels", BCP 14, RFC 2119, March 1997.
[2] Kolkman, O., Schlyter, J. and E. Lewis, "Domain Name System KEY
(DNSKEY) Resource Record (RR) Secure Entry Point (SEP) Flag",
RFC 3757, May 2004.
[3] Arends, R., "Resource Records for the DNS Security Extensions",
draft-ietf-dnsext-dnssec-records-10 (work in progress),
September 2004.
8.2 Informative References
[4] Arends, R., Austein, R., Massey, D., Larson, M. and S. Rose,
"DNS Security Introduction and Requirements",
draft-ietf-dnsext-dnssec-intro-12 (work in progress), September
2004.
[5] Kolkman, O., "DNSSEC Operational Practices",
draft-ietf-dnsop-dnssec-operational-practices-01 (work in
progress), May 2004.
[6] Housley, R., Ford, W., Polk, T. and D. Solo, "Internet X.509
Public Key Infrastructure Certificate and CRL Profile", RFC
2459, January 1999.
Authors' Addresses
Johan Ihren
Autonomica AB
Bellmansgatan 30
Stockholm SE-118 47
Sweden
EMail: johani@autonomica.se
Ihren, et al. Expires April 18, 2005 [Page 20]
Internet-Draft DNSSEC Threshold-based Trust Update October 2004
Olaf M. Kolkman
RIPE NCC
Singel 256
Amsterdam 1016 AB
NL
Phone: +31 20 535 4444
EMail: olaf@ripe.net
URI: http://www.ripe.net/
Bill Manning
EP.net
Marina del Rey, CA 90295
USA
Ihren, et al. Expires April 18, 2005 [Page 21]
Internet-Draft DNSSEC Threshold-based Trust Update October 2004
Appendix A. Acknowledgments
The present design for in-band automatic rollovers of DNSSEC trust
anchors is the result of many conversations and it is no longer
possible to remember exactly who contributed what.
In addition we've also had appreciated help from (in no particular
order) Paul Vixie, Sam Weiler, Suzanne Woolf, Steve Crocker, Matt
Larson and Mark Kosters.
Ihren, et al. Expires April 18, 2005 [Page 22]
Internet-Draft DNSSEC Threshold-based Trust Update October 2004
Appendix B. Document History
This appendix will be removed if and when the document is submitted
to the RFC editor.
The version you are reading is tagged as $Revision: 1.1.230.1 $.
Text between square brackets, other than references, are editorial
comments and will be removed.
B.1 prior to version 00
This draft was initially published as a personal submission under the
name draft-kolkman-dnsext-dnssec-in-band-rollover-00.txt.
Kolkman documented the ideas provided by Ihren and Manning. In the
process of documenting (and prototyping) Kolkman changed some of the
details of the M-N algorithms working. Ihren did not have a chance
to review the draft before Kolkman posted;
Kolkman takes responsibilities for omissions, fuzzy definitions and
mistakes.
B.2 version 00
o The name of the draft was changed as a result of the draft being
adopted as a working group document.
o A small section on the concept of stale trust anchors was added.
o The different possible states are more clearly defined, including
examples of transitions between states.
o The terminology is changed throughout the document. The old term
"M-N" is replaced by "threshold" (more or less). Also the
interpretation of the constants M and N is significantly
simplified to bring the usage more in line with "standard"
threshold terminlogy.
Ihren, et al. Expires April 18, 2005 [Page 23]
Internet-Draft DNSSEC Threshold-based Trust Update October 2004
Intellectual Property Statement
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Disclaimer of Validity
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Copyright Statement
Copyright (C) The Internet Society (2004). This document is subject
to the rights, licenses and restrictions contained in BCP 78, and
except as set forth therein, the authors retain all their rights.
Acknowledgment
Funding for the RFC Editor function is currently provided by the
Internet Society.
Ihren, et al. Expires April 18, 2005 [Page 24]