Ensuring CDS/CDNSKEY Consistency is Mandatory
draft-thomassen-dnsop-cds-consistency-00
The information below is for an old version of the document.
| Document | Type |
This is an older version of an Internet-Draft whose latest revision state is "Replaced".
|
|
|---|---|---|---|
| Author | Peter Thomassen | ||
| Last updated | 2022-07-09 | ||
| Replaced by | draft-ietf-dnsop-cds-consistency | ||
| RFC stream | (None) | ||
| Formats | |||
| Stream | Stream state | (No stream defined) | |
| Consensus boilerplate | Unknown | ||
| RFC Editor Note | (None) | ||
| IESG | IESG state | I-D Exists | |
| Telechat date | (None) | ||
| Responsible AD | (None) | ||
| Send notices to | (None) |
draft-thomassen-dnsop-cds-consistency-00
DNSOP Working Group P. Thomassen
Internet-Draft deSEC, Secure Systems Engineering
Updates: 7344 (if approved) 9 July 2022
Intended status: Standards Track
Expires: 10 January 2023
Ensuring CDS/CDNSKEY Consistency is Mandatory
draft-thomassen-dnsop-cds-consistency-00
Abstract
For maintaining DNSSEC Delegation Trust, DS records have to be kept
up to date. [RFC7344] automates this by having the child publish CDS
and/or CDNSKEY records which hold the prospective DS parameters.
Parent-side entities (e.g. Registries, Registrars) can use these
records to update the delegation's DS records. A common method for
detecting changes in CDS/CDNSKEY record sets is to query them
periodically from the child zone ("polling"), as described in
Section 6.1 of [RFC7344].
This document specifies that if polling is used, parent-side entities
MUST ensure that CDS/CDNSKEY record sets are equivalent across all of
the child's authoritative nameservers, before taking any action based
on these records.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on 10 January 2023.
Copyright Notice
Copyright (c) 2022 IETF Trust and the persons identified as the
document authors. All rights reserved.
Thomassen Expires 10 January 2023 [Page 1]
Internet-Draft cds-consistency July 2022
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components
extracted from this document must include Revised BSD License text as
described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Revised BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Requirements Notation . . . . . . . . . . . . . . . . . . 3
2. Polling a CDS or CDNSKEY Record Set . . . . . . . . . . . . . 3
3. Security Considerations . . . . . . . . . . . . . . . . . . . 4
4. Normative References . . . . . . . . . . . . . . . . . . . . 4
Appendix A. Change History (to be removed before publication) . 5
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 5
1. Introduction
[RFC7344] automates DNSSEC delegation trust maintenance by having the
child publish CDS and/or CDNSKEY records which hold the prospective
DS parameters. Parent-side entities (e.g. Registries, Registrars)
can use these records to update the delegation's DS records. A
common method for detecting changes in CDS/CDNSKEY record sets is to
query them periodically from the child zone ("polling"), as described
in Section 6.1 of [RFC7344].
While [RFC7344] does specify acceptance rules (Section 4.1 ) for CDS/
CDNSKEY records that have been retrieved, it does not mention how
specifically the poll queries should be done. A naive implementation
would thus be likely to simply query CDS or CDNSKEY records through a
trusted validating resolver, and use the validated answer.
This may be fine if all authoritative nameservers are controlled by
the same entity (= DNS operator). However, it poses a problem in
conjunction with multi-signer setups ([RFC8901]): When the CDS/
CDNSKEY are retrieved "normally" using a validating resolver, chances
are that records are retrieved from one nameserver only, without
checking for consistency across other NS hostnames.
Thomassen Expires 10 January 2023 [Page 2]
Internet-Draft cds-consistency July 2022
In a multi-signer setup, this means that a single provider could
(accidentally or maliciously) roll the DS record set at the parent.
For example, a provider could be performing a key rollover and then
accidentally publish CDS/CDNSKEY records for its own keys. As a
result, when the parent happens to retrieve the records from a
nameserver controlled by this provider, the other providers' DS
records would be removed from the parent, breaking the zone for some
or all queries.
A single provider should not be in the position to remove the other
providers' trust anchors. To address this issue, this document
specifies that if polling is used, parent-side entities MUST ensure
that CDS/CDNSKEY record sets are equivalent across all of the child's
authoritative nameservers, before taking any action based on these
records.
Readers are expected to be familiar with DNSSEC, including [RFC4033],
[RFC4034], [RFC4035], [RFC6781], [RFC7344], and [RFC8901].
1.1. Requirements Notation
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
2. Polling a CDS or CDNSKEY Record Set
The terminology in this section is as defined in [RFC7344].
To retrieve a Child's CDS/CDNSKEY RRset for DNSSEC delegation trust
maintenance, the Parental Agent, knowing both the Child zone name and
its NS hostnames, MUST ascertain that queries are made against all of
the nameservers listed in the Child's delegation from the Parent, and
ensure that the set of referenced keys is equal.
In other words, CDS/CDNSKEY records at the Child zone apex MUST be
queried directly from each of the authoritative servers as determined
by the delegation's NS record set, with DNSSEC validation enforced.
When a key is referenced in the CDS or CDNSKEY record set returned by
one nameserver, but not referenced in the corresponding answers of
all of the other nameservers, the CDS/CDNSKEY state MUST be
considered inconsistent.
If an inconsistent CDS/CDNSKEY state is encountered, the Parental
Agent MUST take no action. Specifically, it MUST NOT delete or alter
the existing DS RRset.
Thomassen Expires 10 January 2023 [Page 3]
Internet-Draft cds-consistency July 2022
3. Security Considerations
The level of rigor mandated by this document is needed to prevent
publication of a half-baked DS RRset (authorized only under a subset
of NS hostnames). This ensures, for example, that an operator in a
multi-homed setup cannot unilaterally remove another operator's trust
anchor from the delegation's DS records.
As a consequence, DS records can only be modified when there is
consensus across all operators.
4. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
[RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "DNS Security Introduction and Requirements",
RFC 4033, DOI 10.17487/RFC4033, March 2005,
<https://www.rfc-editor.org/info/rfc4033>.
[RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "Resource Records for the DNS Security Extensions",
RFC 4034, DOI 10.17487/RFC4034, March 2005,
<https://www.rfc-editor.org/info/rfc4034>.
[RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "Protocol Modifications for the DNS Security
Extensions", RFC 4035, DOI 10.17487/RFC4035, March 2005,
<https://www.rfc-editor.org/info/rfc4035>.
[RFC6781] Kolkman, O., Mekking, W., and R. Gieben, "DNSSEC
Operational Practices, Version 2", RFC 6781,
DOI 10.17487/RFC6781, December 2012,
<https://www.rfc-editor.org/info/rfc6781>.
[RFC7344] Kumari, W., Gudmundsson, O., and G. Barwood, "Automating
DNSSEC Delegation Trust Maintenance", RFC 7344,
DOI 10.17487/RFC7344, September 2014,
<https://www.rfc-editor.org/info/rfc7344>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.
Thomassen Expires 10 January 2023 [Page 4]
Internet-Draft cds-consistency July 2022
[RFC8901] Huque, S., Aras, P., Dickinson, J., Vcelak, J., and D.
Blacka, "Multi-Signer DNSSEC Models", RFC 8901,
DOI 10.17487/RFC8901, September 2020,
<https://www.rfc-editor.org/info/rfc8901>.
Appendix A. Change History (to be removed before publication)
* draft-thomassen-dnsop-cds-consistency-00
| Initial public draft.
Author's Address
Peter Thomassen
deSEC, Secure Systems Engineering
Berlin
Germany
Email: peter@desec.io
Thomassen Expires 10 January 2023 [Page 5]