Automating DNS Delegation Management via DDNS
draft-johani-dnsop-delegation-mgmt-via-ddns-00
This document is an Internet-Draft (I-D).
Anyone may submit an I-D to the IETF.
This I-D is not endorsed by the IETF and has no formal standing in the
IETF standards process.
The information below is for an old version of the document.
| Document | Type |
This is an older version of an Internet-Draft whose latest revision state is "Active".
|
|
|---|---|---|---|
| Author | Johan Stenstam | ||
| Last updated | 2023-10-23 | ||
| RFC stream | (None) | ||
| Formats | |||
| Stream | Stream state | (No stream defined) | |
| Consensus boilerplate | Unknown | ||
| RFC Editor Note | (None) | ||
| IESG | IESG state | I-D Exists | |
| Telechat date | (None) | ||
| Responsible AD | (None) | ||
| Send notices to | (None) |
draft-johani-dnsop-delegation-mgmt-via-ddns-00
DNSOP Working Group J. Stenstam
Internet-Draft The Swedish Internet Foundation
Intended status: Standards Track 23 October 2023
Expires: 25 April 2024
Automating DNS Delegation Management via DDNS
draft-johani-dnsop-delegation-mgmt-via-ddns-00
Abstract
Delegation information (i.e. the NS RRset, possible glue, possible DS
records) should always be kept in sync between child zone and parent
zone. However, in practice that is not always the case.
When the delegation information is not in sync the child zone is
usually working fine, but without the amount of redundancy that the
zone owner likely expects to have. Hence, should any further
problems ensue it could have catastropic consequences.
The DNS name space has lived with this problem for decades and it
never goes away. Or, rather, it will never go away until a fully
automated mechanism for how to keep the information in sync
automatically is deployed.
This document proposes such a mechanism.
TO BE REMOVED: This document is being collaborated on in Github at:
https://github.com/johanix/draft-johani-dnsop-delegation-mgmt-via-
ddns (https://github.com/johanix/draft-johani-dnsop-delegation-mgmt-
via-ddns). The most recent working version of the document, open
issues, etc, should all be available there. The author (gratefully)
accept pull requests.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
Stenstam Expires 25 April 2024 [Page 1]
Internet-Draft DDNS Updates of Delegation Information October 2023
This Internet-Draft will expire on 25 April 2024.
Copyright Notice
Copyright (c) 2023 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components
extracted from this document must include Revised BSD License text as
described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Revised BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Requirements Notation . . . . . . . . . . . . . . . . . . 3
2. Is there a Use Case? . . . . . . . . . . . . . . . . . . . . 4
3. DNS NOTIFY versus DNS UPDATE . . . . . . . . . . . . . . . . 4
3.1. Similarities between NOTIFY and UPDATE . . . . . . . . . 4
3.2. Generalized NOTIFY vs original NOTIFY . . . . . . . . . . 5
3.3. Differencies between NOTIFY and UPDATE . . . . . . . . . 5
4. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5
5. Updating Delegation Information via DNS UPDATEs. . . . . . . 6
6. Locating the Target for a generalized NOTIFY and/or DNS
UPDATE. . . . . . . . . . . . . . . . . . . . . . . . . . 6
6.1. Locating the Target for a DNS UPDATE. . . . . . . . . . . 7
7. Limitation of Scope for the Proposed Mechanism . . . . . . . 7
8. Processing the UPDATE in the DNS UPDATE Receiver . . . . . . 8
9. Interpretation of the response to the DNS UPDATE. . . . . . . 8
10. Management of SIG(0) Public Keys . . . . . . . . . . . . . . 9
10.1. Bootstrapping the SIG(0) Public Key Into the DNS UPDATE
Receiver . . . . . . . . . . . . . . . . . . . . . . . . 9
10.2. Rolling the SIG(0) Key . . . . . . . . . . . . . . . . . 9
11. Security Considerations. . . . . . . . . . . . . . . . . . . 9
12. IANA Considerations. . . . . . . . . . . . . . . . . . . . . 10
13. Acknowledgements. . . . . . . . . . . . . . . . . . . . . . . 10
14. Normative References . . . . . . . . . . . . . . . . . . . . 10
Appendix A. Change History (to be removed before publication) . 11
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 11
Stenstam Expires 25 April 2024 [Page 2]
Internet-Draft DDNS Updates of Delegation Information October 2023
1. Introduction
For DNSSEC signed child zones with TLD registries as parents there is
an emerging trend towards running so-called "CDS scanners" and "CSYNC
scanners" by the parent.
These scanners detect publication of CDS records (the child
signalling a desire for an update to the DS RRset in the parent) and/
or a CSYNC record (the child signalling a desire for an update to the
NS RRset or, possibly, in-bailiwick glue in the parent.
The scanners have a number of drawbacks, including being inefficient
and slow. They are only applicable to DNSSEC-signed child zones and
they add significant complexity to the parent operations. But given
that, they do work.
Generalized DNS Notifications (see draft-ietf-dnsop-generalized-
notify-00) propose a method to alleviate the inefficiency and
slowness of scanners. But the DNSSEC requirement and the complexity
remain.
This document proposes an alternative mechanism to automate the
updating of delegation information in the parent zone for a child
zone based on DNS Dynamic Updates secured with SIG(0) signatures.
This alternative mechanism shares the property of being efficient and
provide rapid convergence (similar to generalized notifications in
conjuction with scanners). Furthermore, it has the advantages of not
requiring any scanners in the parent at all and also not being
dependent on the child (and parent) being DNSSEC-signed.
Knowledge of DNS NOTIFY [RFC1996] and DNS Dynamic Updates [RFC2136]
and [RFC3007] is assumed. DNS SIG(0) transaction signatures are
documented in [RFC2931]. In addition this Internet-Draft borrows
heavily from the thoughts and problem statement from the Internet-
Draft on Generalized DNS Notifications (work in progress).
1.1. Requirements Notation
The key words "*MUST*", "*MUST NOT*", "*REQUIRED*", "*SHALL*",
"*SHALL NOT*", "*SHOULD*", "*SHOULD NOT*", "*RECOMMENDED*", "*NOT
RECOMMENDED*", "*MAY*", and "*OPTIONAL*" in this document are to be
interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only
when, they appear in all capitals, as shown here.
Stenstam Expires 25 April 2024 [Page 3]
Internet-Draft DDNS Updates of Delegation Information October 2023
2. Is there a Use Case?
Because of the drawbacks of CDS and CSYNC scanners they are unlikely
to be able to fully automate the maintenance of delegation
information in all parent zones. The primary reasons are the hard
requirement on DNSSEC in the child zones and the complexity cost of
operating the scanner infrastructure. In practice, scanners are
likely mostly realistic for parent zones that are operated by well-
resourced registries.
All the parts of the DNS name space where the parent is smaller and
more resource constrained would be able to automate the delegation
management via this mechanism without the requirement of operating
scanners. Also all parts of the name space where there are child
zones that are not DNSSEC-signed would be able to use this.
Obviously, also well-resourced parent zones with DNSSEC-signed child
zones would be able to use this DNS UPDATE-based mechanism, but in
those cases scanners plus generalized notifications would also work.
3. DNS NOTIFY versus DNS UPDATE
DNS NOTIFY and DNS UPDATE messages share several properties and are
used to address similar issues.
3.1. Similarities between NOTIFY and UPDATE
Both NOTIFY and UPDATE are "push" rather than "pull" messages and
therefore very efficient.
Both NOTIFY and UPDATE are messages, in DNS packet format. They are
used by one party (the sender) to inform another party (the
recipient) that some piece of DNS information has changed and that as
a consequence of this change the recipient of the message may want to
also make a change to its DNS data.
A NOTIFY (as per [RFC1996]) is only a hint and the recipient may
ignore it. But if the recipient does listen to the NOTIFY it should
make its own lookups to verify what has changed and whether that
should trigger any changes in the DNS data provided by the recipient.
Stenstam Expires 25 April 2024 [Page 4]
Internet-Draft DDNS Updates of Delegation Information October 2023
3.2. Generalized NOTIFY vs original NOTIFY
This is a proposed extension to the use of [RFC1996] NOTIFY. The
extension covers using NOTIFY(CSYNC) to signal the publication of a
CSYNC record in the child zone (prompting the parent zone to look it
up and make a decison on whether to update the delegation information
for the child zone based upon what is found. Another type is
NOTIFY(CDS) which does the same, except it is used to prompt the
parent to decide whether to update the child DS RRset (or not).
A generalized NOTIFY is typically sent across a zone cut (from child
to parent) and the recipient is likely a CSYNC or CDS scanner. In
this case it is essentially a message that says:
"the delegation information for this child has changed; I suggest
that you go and check it out yourself"
3.3. Differencies between NOTIFY and UPDATE
The difference between the UPDATE and the NOTIFY is that the UPDATE
contains the exact change that should (in the opinion of the sender)
be applied to the recipients DNS data. Furthermore, for secure
Dynamic Updates, the message also contains proof why the update
should be trusted (in the form of a digital signature by a key that
the recipient trusts).
In this document the term "Dynamic Update" or "DNS UPDATE" implies
secure dynamic update. Furthermore this document implies that the
signature algorithms are always based on asymmetric crypto keys,
using the same algorithms as are being used for DNSSEC. I.e. by
using the right algorithm the resulting signatures will be as strong
as DNSSEC-signatures.
DNS UPDATEs can be used to update any information in a zone (subject
to the policy of the recipient). But in the special case where the
data that is updated is the delegation information for a child zone
and it is sent across a zone cut (i.e. the child sends it to the
parent), it acts as a glorified generalized NOTIFY.
The DNS UPDATE in this case is essentially a message that says:
"the delegation information for this child zone has changed; here
is the exact change; here is the proof that the change is
authentic, please verify this signature"
4. Terminology
SIG(0) An assymmetric signing algorithm that allows the recipient to
Stenstam Expires 25 April 2024 [Page 5]
Internet-Draft DDNS Updates of Delegation Information October 2023
only need to know the public key to verify a signature created by
the senders private key.
5. Updating Delegation Information via DNS UPDATEs.
This is not a new idea. The functionality to update delegation
information in the parent zone via DNS UPDATE has been available for
years in a least one DNS implementation (BIND9). However, while DNS
UPDATE is used extensively inside organisations it has not seen much
use across organisational boundaries. And zone cuts, almost by
definition, usually cuts across such boundaries.
When sending a DNS UPDATE it is necessary to know where to send it.
Inside an organisation this information is usually readily available.
But outside the organisation it is not. And even if the sender would
know where to send the update, it is not at all clear that the
destination is reachable to the sender (the parent primary is likely
to be protected by firewalls and other measures).
This constitutes a problem for using DNS UPDATES across zone cuts.
Another concern is that traditionally DNS UPDATEs are sent to a
primary nameserver, and if the update signture verifies the update is
automatically applied to the DNS zone. This is often not an
acceptable mechanism. The recipient may, for good reason, require
additional policy checks and likely an audit trail. Finally, the
change should in many cases not be applied to the running zone but
rather to some sort of provisioning system or a database.
This creates another problem for using DNS UPDATEs for managing
delegation information.
Both problems are addressed by the proposed mechanism for locating
the recipient of a generalized NOTIFY.
6. Locating the Target for a generalized NOTIFY and/or DNS UPDATE.
The generalized notifications I-D proposes a new RR type, tentatively
with the mnemonic NOTIFY that has the following format:
{parent zone} IN NOTIFY {RRtype} {scheme} {port} {target}
Stenstam Expires 25 April 2024 [Page 6]
Internet-Draft DDNS Updates of Delegation Information October 2023
where {parent zone} is the domain name of the parent zone and
{target} is the domain name of the recipient of the NOTIFY. {RRtype}
is typically "CDS" or "CSYNC" in the case where delegation
information should be updated (there are also other uses of
generalized notifications). Finally, {scheme} is a number to
indicate the type of notification mechanism to use. Scheme=1 is
defined as "send a generalized NOTIFY".
Example for where children of parent. should send NOTIFY(CSYNC):
parent. IN NOTIFY CSYNC 1 5301 csync-scanner.parent.
This record is looked up by the child primary nameserver at the time
that the child primary is about to publish a new CSYNC record in the
child zone (or the equivalent for a CDS). The interpretation is:
Send a NOTIFY(CSYNC) to csync-scanner.parent. on port 5301
6.1. Locating the Target for a DNS UPDATE.
This document proposes the definition of a new {scheme} for the same
record that is used for generalized NOTIFY. Scheme=2 is here defined
as "send a DNS UPDATE".
Example:
parent. IN NOTIFY ANY 2 5302 ddns-receiver.parent.
This record is looked up by the child primary nameserver at the time
that the delegation information for the child zone changes (typically
causing the child to publish a new CSYNC record and/or a new CDS
record). The interpretation is:
Send a DNS UPDATE to ddns-receiver.parent. on port 5302
7. Limitation of Scope for the Proposed Mechanism
DNS UPDATE is in wide use all over the world, for all sorts of
purposes. It is not in wide use (if used at all) across
organizational boundaries. This document only address the specific
case of a child zone that makes a change in its DNS information that
will require an update of the corresponding information in the parent
zone. This includes:
* changes to the NS RRset
* changes to glue (if any)
Stenstam Expires 25 April 2024 [Page 7]
Internet-Draft DDNS Updates of Delegation Information October 2023
* changes to the DS RRset (if any)
Only for those specific cases is the descibed mechanism proposed.
8. Processing the UPDATE in the DNS UPDATE Receiver
The receiver of the DNS UPDATE messages should implement a suitably
strict policy for what updates are accepted (typically only allowing
updates to the NS RRset, glue and DS RRset).
Furthermore, it is strongly recommended that the policy is further
tightened by only allowing updates to the delegation information of a
child zone with the exact same name as the name of the SIG(0) key the
signed the UPDATE request. I.e. an UPDATE request for the delegation
information for the zone child.parent. should only be processed if it
is signed by a SIG(0) key with the name child.parent. and the
signature verifies correctly.
Once the UPDATE has been verified to be correctly signed by a known
key with the correct name and also adhere to the update policy it
should be subjected to the same set of correctness tests as CDS/CSYNC
scanner would have performed. If these requirements are also
fulfilled the change may be applied to the parent zone in whatever
manner the parent zone is maintained (as a text file, data in a
database, via and API, etc).
9. Interpretation of the response to the DNS UPDATE.
All DNS transactions are designed as a pair of messages and this is
true also for DNS UPDATE. The interpretation of the different
responses to DNS UPDATE are already fully documented in [RFC2136],
section 2.2. In particular a response with rcode=5 ("REFUSED")
should be interpreted as a permanent signal that DNS UPDATEs are not
supported by the receiver.
The case of no response is more complex, as it is not possible to
know whether the DNS UPDATE actually reached the reciever (or was
lost in transit) or the response was not sent (or lost in transit).
Stenstam Expires 25 April 2024 [Page 8]
Internet-Draft DDNS Updates of Delegation Information October 2023
For this reason it is suggested that a lack of response is left as
implementation dependent. That way the implementation has sufficient
freedom do chose a sensible approach. Eg. if the sender of the DNS
UPDATE (like the primary nameserver of the child zone) only serves a
single child, then resending the DNS UPDATE once or twice may be ok
(to ensure that the lack of response is not due to packets being lost
in transit). On the other hand, if the sender serves a large number
of child zones below the same parent zone, then it may already know
that the receiver for the DNS UPDATEs is not responding for any of
the child zones, and then resending the update immediately is likely
pointless.
10. Management of SIG(0) Public Keys
Only the child should have access to the SIG(0) private key. The
corresponding SIG(0) public key doesn't have to be published in DNS,
it only needs to be available to the parent DNS UPDATE Receiver.
Keeping all the public SIG(0) keys for different child zones in some
sort of database is perfectly fine.
10.1. Bootstrapping the SIG(0) Public Key Into the DNS UPDATE Receiver
The primary audience for this DNS UPDATE based synchronization
mechanism is "non-registries". In those cases there is by definition
some mechanism in place to communicate information from the child to
the parent, be it email, a web form, pieces of paper or something
else. The same mechanism can be extended to also be used to
communicate the initial SIG(0) public key from the child to the
parent.
Should a "registry" parent want to support this mechanism (as a
service to its unsigned children) then the interface is usually EPP
[RFC1234] and would require the implementation of a new EPP
extension, which is clearly doable.
10.2. Rolling the SIG(0) Key
Once the parent DNS UPDATE Receiver has the key, the child can update
it via a DNS UPDATE just like updating the NS RRset, the DS RRset or
the glue in the parent zone (assuming a suitable DNS UPDATE policy in
the parent). I.e. only the initial bootstrapping of the key is an
issue.
11. Security Considerations.
Any fully automatic mechanism to update the contents of a DNS zone
opens up a potential vulnerability should the mechanism not be
implemented correctly.
Stenstam Expires 25 April 2024 [Page 9]
Internet-Draft DDNS Updates of Delegation Information October 2023
In this case the definition of "correct" is a question for the
receiver of the DNS UPDATE. The receiver should validate the
authenticity of the DNS UPDATE and then do the same checks and
verifications as a CDS or CSYNC scanner does. The difference from
the scanner is only in the validation: single SIG(0) signature by a
key that the receiver trusts vs DNSSEC signature that chains back to
a DNSSEC trust anchor that a scanner trusts.
12. IANA Considerations.
None.
13. Acknowledgements.
* Peter Thomassen and I together came up with the location mechanism
for the generalized notifications, which this draft relies upon.
* Mark Andrews provided the initial inspiration for writing some
code to experiment with the combination of the location mechanism
from the generalised notifications with DNS UPDATEs across zone
cuts.
14. Normative References
[RFC1234] Provan, D., "Tunneling IPX traffic through IP networks",
RFC 1234, DOI 10.17487/RFC1234, June 1991,
<https://www.rfc-editor.org/info/rfc1234>.
[RFC1996] Vixie, P., "A Mechanism for Prompt Notification of Zone
Changes (DNS NOTIFY)", RFC 1996, DOI 10.17487/RFC1996,
August 1996, <https://www.rfc-editor.org/info/rfc1996>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
[RFC2136] Vixie, P., Ed., Thomson, S., Rekhter, Y., and J. Bound,
"Dynamic Updates in the Domain Name System (DNS UPDATE)",
RFC 2136, DOI 10.17487/RFC2136, April 1997,
<https://www.rfc-editor.org/info/rfc2136>.
[RFC2931] Eastlake 3rd, D., "DNS Request and Transaction Signatures
( SIG(0)s )", RFC 2931, DOI 10.17487/RFC2931, September
2000, <https://www.rfc-editor.org/info/rfc2931>.
Stenstam Expires 25 April 2024 [Page 10]
Internet-Draft DDNS Updates of Delegation Information October 2023
[RFC3007] Wellington, B., "Secure Domain Name System (DNS) Dynamic
Update", RFC 3007, DOI 10.17487/RFC3007, November 2000,
<https://www.rfc-editor.org/info/rfc3007>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.
Appendix A. Change History (to be removed before publication)
* draft-johani-dnsop-delegation-mgmt-via-ddns-00
Initial public draft.
Author's Address
Johan Stenstam
The Swedish Internet Foundation
Sweden
Email: johan.stenstam@internetstiftelsen.se
Stenstam Expires 25 April 2024 [Page 11]