DNSEXT Working Group                                Olafur Gudmundsson
  INTERNET-DRAFT                                                May 2001

  Updates: RFC 1035, RFC 2535, RFC 3008.

                  Delegation Signer record in parent.

Status of this Memo

  This document is an Internet-Draft and is in full conformance with all
  provisions of Section 10 of RFC2026.

  Internet-Drafts are working documents of the Internet Engineering Task
  Force (IETF), its areas, and its working groups.  Note that other
  groups may also distribute working documents as Internet-Drafts.

  Internet-Drafts are draft documents valid for a maximum of six months
  and may be updated, replaced, or obsoleted by other documents at any
  time.  It is inappropriate to use Internet-Drafts as reference
  material or to cite them other than as ``work in progress.''

  The list of current Internet-Drafts can be accessed at

  The list of Internet-Draft Shadow Directories can be accessed at

  Comments should be sent to the authors or the DNSEXT WG mailing list

  This draft expires on November 30, 2001.

  Copyright Notice

  Copyright (C) The Internet Society (2001).  All rights reserved.


  One of the biggest problems in DNS occur when records of the same type
  can appear on both sides of an delegation. If the contents of these
  sets differs clients can get confused.  RFC2535 KEY records follows
  the same model as for NS records, parent is responsible for the
  records but the child is responsible for the contents. This document

Gudmundsson               Expires November 2001                 [Page 1]

INTERNET-DRAFT          Delegation Signer Record                May 2001

  proposes to store a different record in the parent that specifies
  which one of the child's keys can sign the child's KEY set. This
  change is not backwards compatible with RFC2535 but simplifies DNSSEC

1 - Introduction

  Familiarity with the DNS system [RFC1035], DNS security extensions
  [RFC2535] and DNSSEC terminology [RFC3090] is important.

  When the same data can reside in two administratively different DNS
  zones sources it is common that the data gets out of sync. NS record
  in a zone indicates that there is a delegation at this name and the NS
  record lists the authorative servers for the real zone. Based on
  actual measurements 10-30% of all delegations in the Internet have
  differing NS sets at parent and child. There are number of reasons for
  this including lack of communication between parent and child, and
  bogus nameservers are listed to meet registrar requirements.

  DNSSEC [RFC2535,RFC3008,RFC3090] specifies that child must have its
  KEY set signed by the parent to create a verifiable chain of KEYs.
  There is some debate, where the signed KEY set should reside,
  parent[Parent] or child[RFC2535]. If the KEY set resides at the child,
  frequent communication is needed between the two to transmit keysets
  up to parent and signatures down to child. If the KEY set resides at
  the parent[Parent] the communication is reduced having only child send
  updated key sets to parent. DNSSEC requires that the parent store NULL
  key set for unsecure children, this complicates resolution process as
  in many cases as servers for both parent and child need to be queried
  for KEY set.

  Further complication of the DNSSEC KEY model is that KEY record is
  used to store DNS zone keys and public keys for other protocols. This
  can lead to large key sets at delegation points. There are number of
  potential problems with this.
  1. KEY set may become quite large if many applications/protocols store
  their keys at the zone apex. Example of protocols are IPSEC, HTTP,
  SMTP, SSH etc.
  2. Key set may require frequent updates,
  3. Probability of compromised/lost keys increases and triggers
  emergency key rollover.
  4. Parent may refuse sign key sets with NON DNS zone keys.
  5. Parent may not have QoS on key changes that meets child's

  Given these and other reasons there is good reason to explore
  alternatives to using only KEY records to create chain of trust.

Gudmundsson               Expires November 2001                 [Page 2]

INTERNET-DRAFT          Delegation Signer Record                May 2001

  Some of these problems can be reduced or eliminated by operational
  rules or protocol changes. To reduce the number of keys at apex, rule
  to require applications to store their KEY records at the SRV name for
  that application is one possibility. Another is to restrict KEY record
  to DNS keys only and create a new type for all non DNS keys. Third
  possible solution is to ban the storage of non DNS related keys at
  zone apex. There are other possible solutions but they are outside the
  scope of this draft.

1.1 - Delegation Signer Record model

  This draft proposes an alternative to the KEY record chain of trust,
  that uses a special record that can only reside at the parent.  This
  record will identify the key(s) that child will use to self sign its
  KEY set.

  The chain of trust is now established by verifying the parent KEY set,
  the DK set from the parent and then the KEY set at the child. This is
  cryptographically equivalent to just using KEY records.

  Communication between the parent and child is reduced as the parent
  only needs to know of changes in DNS zone KEY records used to sign the
  apex KEY set. If other KEY records are stored at the zone apex, the
  parent does not to be aware of them.

  If child wants to have frequent key rollover for its DNS keys it is
  possible to do that without communicating to the parent, in this case
  the child uses on strong key to sign its apex KEY set and other
  smaller keys to sign the zone for a short time.

  This approach has the advantage that communication between the parent
  and child is kept to a minimum and the child is the authority for the
  KEY set with full control over the contents.  The load on the parent
  is reduced and it can maintain its zone as it sees fit.

  The main disadvantage of this approach is to double the number of
  signatures that need to be verified for the each KEY set. The
  advantage on the other hand is that child only needs to update data in
  parent when it changes DNS signing key.

Gudmundsson               Expires November 2001                 [Page 3]

INTERNET-DRAFT          Delegation Signer Record                May 2001

1.2 - Reserved words

  The key words "CAN", "MUST", "MUST NOT", "SHOULD", "DOES NOT" and
  "MAY" in this document are to be interpreted as described in RFC2119.

2 - DK (Delegation KEY signer) record:

2.1 Protocol change

  DK record MUST only appear at a delegation in the parent zone.  The
  record lists the child's keys that CAN sign the child's key set.
  Insecure delegation MUST NOT have a DK record, the presence of DK
  record SHOULD be considered a hint that the child might be secure.
  Resolver MUST only trust KEY records that match a DK record.
  NOTE: It has been suggested that NULL DK record for insecure children
  is better than no record. The advantage is to have authenticated
  denial of child's security status, the drawback is for large
  delegating zones there will be many NULL DK records.
  WG please comment on which approach is better.

  Updates RFC2535 sections 2.3.4 and 3.4, as well as RFC3008 section 
  2.7: Delegating zones MUST NOT store KEY records for delegations. The
  only records that can appear at delegation in parent are NS, SIG, NXT
  and DK.

  Zone MUST self sign its apex KEY set, it SHOULD sign it with a key
  that corresponds to a DK record in the parent.

  If child apex KEY RRset is not signed with one of the keys specified
  in the DK record the child is locally secure[RFC3090] and SHOULD only
  be considered secure the resolver has been instructed to trust the key
  used, via preconfiguration.

  Authorative server answering a query, that has the OK bit set[OKbit],
  MUST include the DK set in the additional section if the answer is a
  referral and there is space. Caching servers MAY return the DK record
  in the additional section under the same condition.

Gudmundsson               Expires November 2001                 [Page 4]

INTERNET-DRAFT          Delegation Signer Record                May 2001

2.1.1 - Comments on protocol change

  DK record is the first DNS record to be only stored at the upper side
  of a delegation. NS records appear at both sides as do SIG and NXT.
  All other records can only appear at the lower side. This will cause
  some problems as servers authorative for parent may reject DK record
  even if the server understands unknown types. Similarly a nameserver
  acting as a authorative for child and as a caching recursive server
  may never return the DK record.  A caching server does not care from
  which side DK record comes from and thus should not have to be changed
  if it supports unknown types.

  Secure resolvers need to know about the DK record and how to interpret
  it.  In the worst case, introducing the DK record, doubles the
  signatures that need to be checked to validate a KEY set, this is a
  small price to pay to have a cleaner delegations structure.

  Over the years there has been various discussions on that the
  delegation model in DNS is broken as there is no real good way to
  assert if delegation exists. In RFC2535 version of DNSSEC the
  authentication of a delegation is the NS bit in the NXT bitmap at the
  delegation point. Something more explicit is needed and the DK record
  addresses this for secure delegations.

2.2 Wire format of DK record

  There are two possible ways to represent the DK record at the parent
  and this draft presents both for discussion, the WG is expected to
  select one and only one. The two formats is either to reuse the RDATA
  definition of the KEY record and the other one is to store an
  identifier of the key.

2.2.1 Compact DK format

  The DK record consists of algorithm, size, key tag and SHA-1 digest of
  the public key KEY record allowed to sign the child's delegation.

                          1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     |           key tag             |               size            |
     |  algorithm    |              SHA-1 digest                     |
     |                (20 bytes)                                     |
     |                                                               |

Gudmundsson               Expires November 2001                 [Page 5]

INTERNET-DRAFT          Delegation Signer Record                May 2001

     |                                                               |
     |                                                               |
     |               |

  The key tag is calculated as specified in RFC2535, the size is the
  size of the public key in bits as specified in the document specifying
  the algorithm. Algorithm MUST be an algorithm number assigned in the
  range 1..251.  The SHA-1 digest is calculated over the canonical name
  of the delegation followed by the RDATA of the KEY record. Justifications for fields

  The algorithm and size fields are here to allow resolvers to quickly
  identify the candidate KEY records to examine. Key Tag is to allow
  quick check if this is a good candidate.  The key tag is redundant but
  provides some greater assurance than SHA-1 digest on its own. SHA-1 is
  a strong cryptographic checksum, it is hard for attacker to generate a
  KEY record that has the same SHA-1 digest. Making sure that the KEY
  record is a valid public key is much harder. Combining the SHA-1 all
  the checks, the task of the attacker is as hard breaking the public
  key. Even if someone creates a database of all SHA-1 key hashes seen
  so far, the addition of the name renders that database useless for

2.2.2 Verbose DK format

  The RDATA of the DK record is identical to the KEY record as specified
  in RFC2535 sections 3.1, 3.1.2, 3.1.3 and 3.2.

2.3 Presentation format of DK record

  Only one of these subsections will be used in RFC.

Gudmundsson               Expires November 2001                 [Page 6]

INTERNET-DRAFT          Delegation Signer Record                May 2001

2.3.1 Presentation format for the compact DK record

  The presentation format of DK record consists of 2 numbers, followed
  by either the name of the signature algorithm or the algorithm number.
  The digest is to be presented in hex.

2.3.2 Presentation format for the verbose DK record

  Identical to KEY record.

2.4 Justifications for each format

2.4.1 Justification for compact format

  This format allows concise representation of the keys that child will
  use, thus keeping down the size of the answer for the delegation,
  reducing the probability of packet overflow. The SHA-1 hash is strong
  enough to uniquely identify the key. This is similar to PGP footprint.

  Each DK record has RDATA size of 25, regardless of the size of the
  keys, keeping the answers from the parent smaller than if public key
  was used. The smallest currently defined KEY record RDATA is 70 bytes.

  Compact DK format is also better suited to list trusted keys for
  islands of security in configuration files.

2.4.2 Justifications for verbose format

  Even though this format results in larger DK set the effect on
  implementations is smaller. Supporting  I/O for DK record type is a
  matter of reusing the code for reading/writing KEY records. For
  finding DK to KEY matches simple compare will do, instead of digesting
  the public KEYS.

3 Resolver Example

  This example uses compact notation for both DK and KEY for clarity.

  To create a chain of trust resolver goes from trusted KEY to DK to

  Assume the key for domain example. is trusted.  In zone example we
  example.        KEY <stuff>
  secure.example. DK      tag=12345 size=1024 alg=dsa <foofoo>
  secure.example. NS  ns1.secure.example.
                  NS  ns1.secure.example.
  secure.example. NXT NS SIG NXT DK tail.example.

Gudmundsson               Expires November 2001                 [Page 7]

INTERNET-DRAFT          Delegation Signer Record                May 2001

  secure.example. SIG(NXT)
  secure.example. SIG(DK)

  In zone secure.example. we have
  secure.example. SOA  <soa stuff>
  secure.example. NS   ns1.secure.example.
                  NS   ns1.secure.example.
  secure.example. KEY  <tag=12345 size=1024 alg=dsa>
                  KEY  <tag=54321 size=512 alg=rsa/sha1>
                  KEY  <tag=32145 size=1024 alg=dsa>
  secure.example. SIG(KEY) <by key-tag=12345 size=1024 alg=dsa>
  secure.example. SIG(SOA) <by key-tag=54321 size=512 alg=rsa/sha1>
  secure.example. SIG(NS)  <by key-tag=54321 size=512 alg=rsa/sha1>

  In this example the trusted key for example signs the DK record for
  secure.example, making that a trusted record. The DK record states
  what key is supposed to sign the KEY record at secure.example.  In
  this example secure.example. has three KEY records and the correct one
  signs the KEY set, thus the key set is validated and trusted.  One of
  the other keys in the keyset actually signs the zone data, and
  resolvers will trust the signatures as the key appears in the KEY set
  that was correctly signed.

  This example has only one DK record for the child but there no reason
  to outlaw multiple DK records. More than one DK record is needed
  during signing key rollover.

4 Acknowledgments

  Number of people have over the last few years contributed number of
  ideas that are captured in this document.

4 - Security Considerations:

  This document proposes a change to the validation chain of KEY records
  in DNS. The change in is not believed to reduce security in the
  overall system, in RFC2535 DNSSEC child must communicate keys to
  parent and prudent parents will require some authentication on that
  handshake. The modified protocol will require same authentication but
  allows the child to exert more local control over its own KEY set.

  In the compact representation of DK record, there is a possibility
  that an attacker can generate an valid KEY that matches all the checks
  thus starting to forge data from the child. This is considered
  impractical as on average more than 2**80 keys must be generated
  before one is found that will match.

Gudmundsson               Expires November 2001                 [Page 8]

INTERNET-DRAFT          Delegation Signer Record                May 2001

  DK record is a change to DNSSEC protocol and there is some installed
  base of implementations, as well as text books on how to set up
  secured delegations. Implementations that do not understand DK record
  will not be able to follow the KEY to DK to KEY chain and consider all
  zone secured that way insecure.

5 - IANA Considerations:

  IANA needs to allocate RR type code for DK from the standard RR type


[RFC1035]  P. Mockapetris, ``Domain Names - Implementation and
           Specification'', STD 13, RFC 1035, November 1987.

[RFC2535]  D. Eastlake, ``Domain Name System Security Extensions'', RFC
           2535, March 1999.

[RFC3008]  B. Wellington, ``Domain Name System Security (DNSSEC) Signing
           Authority'', RFC 3008, November 2000.

[RFC3090]  E. Lewis `` DNS Security Extension Clarification on Zone
           Status'', RFC 3090, March 2001.

[IDbit]    D. Conrad, ``Indicating Resolver Support of DNSSEC'', work in
           progress <draft-ietf-dnsext-dnssec-okbit-02.txt>, April 2001.

[Parent]   R. Gieben, T. Lindgreen, ``Parent stores the child's zone
           KEYs'', work in progress <draft-ietf-dnsext-parent-stores-
           zones-keys-01.txt>, May 2001.

Author Address

     Olafur Gudmundsson
     3826 Legation Street, NW
     Washington, DC,  20015

Full Copyright Statement

  Copyright (C) The Internet Society (2001).  All Rights Reserved.

  This document and translations of it may be copied and furnished to
  others, and derivative works that comment on or otherwise explain it
  or assist in its implementation may be prepared, copied, published and

Gudmundsson               Expires November 2001                 [Page 9]

INTERNET-DRAFT          Delegation Signer Record                May 2001

  distributed, in whole or in part, without restriction of any kind,
  provided that the above copyright notice and this paragraph are
  included on all such copies and derivative works.  However, this
  document itself may not be modified in any way, such as by removing
  the copyright notice or references to the Internet Society or other
  Internet organizations, except as needed for the purpose of developing
  Internet standards in which case the procedures for copyrights defined
  in the Internet Standards process must be followed, or as required to
  translate it into languages other than English.

  The limited permissions granted above are perpetual and will not be
  revoked by the Internet Society or its successors or assigns.

  This document and the information contained herein is provided on an

Gudmundsson               Expires November 2001                [Page 10]