DNS Extensions                                                 R. Arends
Internet-Draft                                      Telematica Instituut
Expires: January 13, 2005                                     R. Austein
                                                                     ISC
                                                               M. Larson
                                                                VeriSign
                                                               D. Massey
                                                                 USC/ISI
                                                                 S. Rose
                                                                    NIST
                                                           July 15, 2004


               DNS Security Introduction and Requirements
                   draft-ietf-dnsext-dnssec-intro-11

Status of this Memo

   By submitting this Internet-Draft, I certify that any applicable
   patent or other IPR claims of which I am aware have been disclosed,
   and any of which I become aware will be disclosed, in accordance with
   RFC 3668.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on January 13, 2005.

Copyright Notice

   Copyright (C) The Internet Society (2004).  All Rights Reserved.

Abstract

   The Domain Name System Security Extensions (DNSSEC) add data origin
   authentication and data integrity to the Domain Name System.  This



Arends, et al.          Expires January 13, 2005                [Page 1]


Internet-Draft    DNSSEC Introduction and Requirements         July 2004


   document introduces these extensions, and describes their
   capabilities and limitations.  This document also discusses the
   services that the DNS security extensions do and do not provide.
   Last, this document describes the interrelationships between the
   group of documents that collectively describe DNSSEC.

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  Definitions of Important DNSSEC Terms  . . . . . . . . . . . .  4
   3.  Services Provided by DNS Security  . . . . . . . . . . . . . .  8
     3.1   Data Origin Authentication and Data Integrity  . . . . . .  8
     3.2   Authenticating Name and Type Non-Existence . . . . . . . .  9
   4.  Services Not Provided by DNS Security  . . . . . . . . . . . . 11
   5.  Scope of the DNSSEC Document Set and Last Hop Issues . . . . . 12
   6.  Resolver Considerations  . . . . . . . . . . . . . . . . . . . 14
   7.  Stub Resolver Considerations . . . . . . . . . . . . . . . . . 15
   8.  Zone Considerations  . . . . . . . . . . . . . . . . . . . . . 16
     8.1   TTL values vs. RRSIG validity period . . . . . . . . . . . 16
     8.2   New Temporal Dependency Issues for Zones . . . . . . . . . 16
   9.  Name Server Considerations . . . . . . . . . . . . . . . . . . 17
   10.   DNS Security Document Family . . . . . . . . . . . . . . . . 18
   11.   IANA Considerations  . . . . . . . . . . . . . . . . . . . . 19
   12.   Security Considerations  . . . . . . . . . . . . . . . . . . 20
   13.   Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 22
   14.   References . . . . . . . . . . . . . . . . . . . . . . . . . 23
   14.1  Normative References . . . . . . . . . . . . . . . . . . . . 23
   14.2  Informative References . . . . . . . . . . . . . . . . . . . 23
       Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 25
       Intellectual Property and Copyright Statements . . . . . . . . 26





















Arends, et al.          Expires January 13, 2005                [Page 2]


Internet-Draft    DNSSEC Introduction and Requirements         July 2004


1.  Introduction

   This document introduces the Domain Name System Security Extensions
   (DNSSEC).  This document and its two companion documents
   ([I-D.ietf-dnsext-dnssec-records] and
   [I-D.ietf-dnsext-dnssec-protocol]) update, clarify, and refine the
   security extensions defined in RFC 2535 [RFC2535] and its
   predecessors.  These security extensions consist of a set of new
   resource record types and modifications to the existing DNS protocol
   [RFC1035].  The new records and protocol modifications are not fully
   described in this document, but are described in a family of
   documents outlined in Section 10.  Section 3 and Section 4 describe
   the capabilities and limitations of the security extensions in
   greater detail.  Section 5 discusses the scope of the document set.
   Section 6, Section 7, Section 8, and Section 9 discuss the effect
   that these security extensions will have on resolvers, stub
   resolvers, zones and name servers.

   This document and its two companions update and obsolete RFCs 2535
   [RFC2535], 3008 [RFC3008], 3090 [RFC3090], 3445 [RFC3445], 3655
   [RFC3655], 3658 [RFC3658], 3755 [RFC3755], and the Work in Progress
   [I-D.ietf-dnsext-nsec-rdata].  This document set also updates, but
   does not obsolete, RFCs 1034 [RFC1034], 1035 [RFC1035], 2136
   [RFC2136], 2181 [RFC2181], 2308 [RFC2308], 3597 [RFC3597], and parts
   of 3226 [RFC3226] (dealing with DNSSEC).

   The DNS security extensions provide origin authentication and
   integrity protection for DNS data, as well as a means of public key
   distribution.  These extensions do not provide confidentiality.






















Arends, et al.          Expires January 13, 2005                [Page 3]


Internet-Draft    DNSSEC Introduction and Requirements         July 2004


2.  Definitions of Important DNSSEC Terms

   This section defines a number of terms used in this document set.
   Since this is intended to be useful as a reference while reading the
   rest of the document set, first-time readers may wish to skim this
   section quickly, read the rest of this document, then come back to
   this section.

   Authentication Chain: An alternating sequence of DNSKEY RRsets and DS
      RRsets forms a chain of signed data, with each link in the chain
      vouching for the next.  A DNSKEY RR is used to verify the
      signature covering a DS RR and allows the DS RR to be
      authenticated.  The DS RR contains a hash of another DNSKEY RR and
      this new DNSKEY RR is authenticated by matching the hash in the DS
      RR.  This new DNSKEY RR in turn authenticates another DNSKEY RRset
      and, in turn, some DNSKEY RR in this set may be used to
      authenticate another DS RR and so forth until the chain finally
      ends with a DNSKEY RR whose corresponding private key signs the
      desired DNS data.  For example, the root DNSKEY RRset can be used
      to authenticate the DS RRset for "example."  The "example." DS
      RRset contains a hash that matches some "example." DNSKEY, and
      this DNSKEY's corresponding private key signs the "example."
      DNSKEY RRset.  Private key counterparts of the "example." DNSKEY
      RRset sign data records such as "www.example." as well as DS RRs
      for delegations such as "subzone.example."

   Authentication Key: A public key that a security-aware resolver has
      verified and can therefore use to authenticate data.  A
      security-aware resolver can obtain authentication keys in three
      ways.  First, the resolver is generally configured to know about
      at least one public key; this configured data is usually either
      the public key itself or a hash of the public key as found in the
      DS RR (see "trust anchor").  Second, the resolver may use an
      authenticated public key to verify a DS RR and the DNSKEY RR to
      which the DS RR refers.  Third, the resolver may be able to
      determine that a new public key has been signed by the private key
      corresponding to another public key which the resolver has
      verified.  Note that the resolver must always be guided by local
      policy when deciding whether to authenticate a new public key,
      even if the local policy is simply to authenticate any new public
      key for which the resolver is able verify the signature.

   Delegation Point: Term used to describe the name at the parental side
      of a zone cut.  That is, the delegation point for "foo.example"
      would be the foo.example node in the "example" zone (as opposed to
      the zone apex of the "foo.example" zone).





Arends, et al.          Expires January 13, 2005                [Page 4]


Internet-Draft    DNSSEC Introduction and Requirements         July 2004


   Island of Security: Term used to describe a signed, delegated zone
      that does not have an authentication chain from its delegating
      parent.  That is, there is no DS RR containing a hash of a DNSKEY
      RR for the island in its delegating parent zone (see
      [I-D.ietf-dnsext-dnssec-records]).  An island of security is
      served by security-aware name servers and may provide
      authentication chains to any delegated child zones.  Responses
      from an island of security or its descendents can only be
      authenticated if its authentication keys can be authenticated by
      some trusted means out of band from the DNS protocol.

   Key Signing Key (KSK): An authentication key that corresponds to a
      private key used to sign one or more other authentication keys for
      a given zone.  Typically, the private key corresponding to a key
      signing key will sign a zone signing key, which in turn has a
      corresponding private key which will sign other zone data.  Local
      policy may require the zone signing key to be changed frequently,
      while the key signing key may have a longer validity period in
      order to provide a more stable secure entry point into the zone.
      Designating an authentication key as a key signing key is purely
      an operational issue: DNSSEC validation does not distinguish
      between key signing keys and other DNSSEC authentication keys, and
      it is possible to use a single key as both a key signing key and a
      zone signing key.  Key signing keys are discussed in more detail
      in [RFC3757].  Also see: zone signing key.

   Non-Validating Security-Aware Stub Resolver: A security-aware stub
      resolver which trusts one or more security-aware recursive name
      servers to perform most of the tasks discussed in this document
      set on its behalf.  In particular, a non-validating security-aware
      stub resolver is an entity which sends DNS queries, receives DNS
      responses, and is capable of establishing an appropriately secured
      channel to a security-aware recursive name server which will
      provide these services on behalf of the security-aware stub
      resolver.  See also: security-aware stub resolver, validating
      security-aware stub resolver.

   Non-Validating Stub Resolver: A less tedious term for a
      non-validating security-aware stub resolver.

   Security-Aware Name Server: An entity acting in the role of a name
      server (defined in section 2.4 of [RFC1034]) that understands the
      DNS security extensions defined in this document set.  In
      particular, a security-aware name server is an entity which
      receives DNS queries, sends DNS responses, supports the EDNS0
      [RFC2671] message size extension and the DO bit [RFC3225], and
      supports the RR types and message header bits defined in this
      document set.



Arends, et al.          Expires January 13, 2005                [Page 5]


   Security-Aware Recursive Name Server: An entity which acts in both
      the security-aware name server and security-aware resolver roles.
      A more cumbersome equivalent phrase would be "a security-aware
      name server which offers recursive service".

   Security-Aware Resolver: An entity acting in the role of a resolver
      (defined in section 2.4 of [RFC1034]) which understands the DNS
      security extensions defined in this document set.  In particular,
      a security-aware resolver is an entity which sends DNS queries,
      receives DNS responses, supports the EDNS0 [RFC2671] message size
      extension and the DO bit [RFC3225], and is capable of using the RR
      types and message header bits defined in this document set to
      provide DNSSEC services.

   Security-Aware Stub Resolver: An entity acting in the role of a stub
      resolver (defined in section 5.3.1 of [RFC1034]) which has enough
      of an understanding the DNS security extensions defined in this
      document set to provide additional services not available from a
      security-oblivious stub resolver.  Security-aware stub resolvers
      may be either "validating" or "non-validating" depending on
      whether the stub resolver attempts to verify DNSSEC signatures on
      its own or trusts a friendly security-aware name server to do so.
      See also: validating stub resolver, non-validating stub resolver.

   Security-Oblivious <anything>: An <anything> that is not
      "security-aware".

   Signed Zone: A zone whose RRsets are signed and which contains
      properly constructed DNSKEY, RRSIG, NSEC and (optionally) DS
      records.

   Trust Anchor: A configured DNSKEY RR or DS RR hash of a DNSKEY RR.  A
      validating security-aware resolver uses this public key or hash as
      a starting point for building the authentication chain to a signed
      DNS response.  In general, a validating resolver will need to
      obtain the initial values of its trust anchors via some secure or
      trusted means outside the DNS protocol.  Presence of a trust
      anchor also implies that the resolver should expect the zone to
      which the trust anchor points to be signed.

   Unsigned Zone: A zone that is not signed.

   Validating Security-Aware Stub Resolver: A security-aware resolver
      that sends queries in recursive mode but which performs signature
      validation on its own rather than just blindly trusting an
      upstream security-aware recursive name server.  See also:
      security-aware stub resolver, non-validating security-aware stub
      resolver.





Arends, et al.          Expires January 13, 2005                [Page 6]


Internet-Draft    DNSSEC Introduction and Requirements         July 2004


   Validating Stub Resolver: A less tedious term for a validating
      security-aware stub resolver.

   Zone Signing Key (ZSK): An authentication key that corresponds to a
      private key used to sign a zone.  Typically a zone signing key
      will be part of the same DNSKEY RRset as the key signing key whose
      corresponding private key signs this DNSKEY RRset, but the zone
      signing key is used for a slightly different purpose, and may
      differ from the key signing key in other ways, such as validity
      lifetime.  Designating an authentication key as a zone signing key
      is purely an operational issue: DNSSEC validation does not
      distinguish between zone signing keys and other DNSSEC
      authentication keys, and it is possible to use a single key as
      both a key signing key and a zone signing key.  See also: key
      signing key.




































Arends, et al.          Expires January 13, 2005                [Page 7]


Internet-Draft    DNSSEC Introduction and Requirements         July 2004


3.  Services Provided by DNS Security

   The Domain Name System (DNS) security extensions provide origin
   authentication and integrity assurance services for DNS data,
   including mechanisms for authenticated denial of existence of DNS
   data.  These mechanisms are described below.

   These mechanisms require changes to the DNS protocol.  DNSSEC adds
   four new resource record types (RRSIG, DNSKEY, DS and NSEC) and two
   new message header bits (CD and AD).  In order to support the larger
   DNS message sizes that result from adding the DNSSEC RRs, DNSSEC also
   requires EDNS0 support [RFC2671].  Finally, DNSSEC requires support
   for the DO bit [RFC3225], so that a security-aware resolver can
   indicate in its queries that it wishes to receive DNSSEC RRs in
   response messages.

   These services protect against most of the threats to the Domain Name
   System described in [I-D.ietf-dnsext-dns-threats].

3.1  Data Origin Authentication and Data Integrity

   DNSSEC provides authentication by associating cryptographically
   generated digital signatures with DNS RRsets.  These digital
   signatures are stored in a new resource record, the RRSIG record.
   Typically, there will be a single private key that signs a zone's
   data, but multiple keys are possible: for example, there may be keys
   for each of several different digital signature algorithms.  If a
   security-aware resolver reliably learns a zone's public key, it can
   authenticate that zone's signed data.  An important DNSSEC concept is
   that the key that signs a zone's data is associated with the zone
   itself and not with the zone's authoritative name servers (public
   keys for DNS transaction authentication mechanisms may also appear in
   zones, as described in [RFC2931], but DNSSEC itself is concerned with
   object security of DNS data, not channel security of DNS
   transactions.  The keys associated with transaction security may be
   stored in different RR types.  See [RFC3755] for details.).

   A security-aware resolver can learn a zone's public key either by
   having a trust anchor configured into the resolver or by normal DNS
   resolution.  To allow the latter, public keys are stored in a new
   type of resource record, the DNSKEY RR.  Note that the private keys
   used to sign zone data must be kept secure, and should be stored
   offline when practical to do so.  To discover a public key reliably
   via DNS resolution, the target key itself needs to be signed by
   either a configured authentication key or another key that has been
   authenticated previously.  Security-aware resolvers authenticate zone
   information by forming an authentication chain from a newly learned
   public key back to a previously known authentication public key,



Arends, et al.          Expires January 13, 2005                [Page 8]


Internet-Draft    DNSSEC Introduction and Requirements         July 2004


   which in turn either has been configured into the resolver or must
   have been learned and verified previously.  Therefore, the resolver
   must be configured with at least one trust anchor.  If the configured
   key is a zone signing key, then it will authenticate the associated
   zone; if the configured key is a key signing key, it will
   authenticate a zone signing key.  If the resolver has been configured
   with the hash of a key rather than the key itself, the resolver may
   need to obtain the key via a DNS query.  To help security-aware
   resolvers establish this authentication chain, security-aware name
   servers attempt to send the signature(s) needed to authenticate a
   zone's public key(s) in the DNS reply message along with the public
   key itself, provided there is space available in the message.

   The Delegation Signer (DS) RR type simplifies some of the
   administrative tasks involved in signing delegations across
   organizational boundaries.  The DS RRset resides at a delegation
   point in a parent zone and indicates the public key(s) corresponding
   to the private key(s) used to self-sign the DNSKEY RRset at the
   delegated child zone's apex.  The administrator of the child zone, in
   turn, uses the private key(s) corresponding to one or more of the
   public keys in this DNSKEY RRset to sign the child zone's data.  The
   typical authentication chain is therefore
   DNSKEY->[DS->DNSKEY]*->RRset, where "*" denotes zero or more
   DS->DNSKEY subchains.  DNSSEC permits more complex authentication
   chains, such as additional layers of DNSKEY RRs signing other DNSKEY
   RRs within a zone.

   A security-aware resolver normally constructs this authentication
   chain from the root of the DNS hierarchy down to the leaf zones based
   on configured knowledge of the public key for the root.  Local
   policy, however, may also allow a security-aware resolver to use one
   or more configured public keys (or hashes of public keys) other than
   the root public key, or may not provide configured knowledge of the
   root public key, or may prevent the resolver from using particular
   public keys for arbitrary reasons even if those public keys are
   properly signed with verifiable signatures.  DNSSEC provides
   mechanisms by which a security-aware resolver can determine whether
   an RRset's signature is "valid" within the meaning of DNSSEC.  In the
   final analysis however, authenticating both DNS keys and data is a
   matter of local policy, which may extend or even override the
   protocol extensions defined in this document set.  See Section 5 for
   further discussion.

3.2  Authenticating Name and Type Non-Existence

   The security mechanism described in Section 3.1 only provides a way
   to sign existing RRsets in a zone.  The problem of providing negative
   responses with the same level of authentication and integrity



Arends, et al.          Expires January 13, 2005                [Page 9]


Internet-Draft    DNSSEC Introduction and Requirements         July 2004


   requires the use of another new resource record type, the NSEC
   record.  The NSEC record allows a security-aware resolver to
   authenticate a negative reply for either name or type non-existence
   via the same mechanisms used to authenticate other DNS replies.  Use
   of NSEC records requires a canonical representation and ordering for
   domain names in zones.  Chains of NSEC records explicitly describe
   the gaps, or "empty space", between domain names in a zone, as well
   as listing the types of RRsets present at existing names.  Each NSEC
   record is signed and authenticated using the mechanisms described in
   Section 3.1.









































Arends, et al.          Expires January 13, 2005               [Page 10]


Internet-Draft    DNSSEC Introduction and Requirements         July 2004


4.  Services Not Provided by DNS Security

   DNS was originally designed with the assumptions that the DNS will
   return the same answer to any given query regardless of who may have
   issued the query, and that all data in the DNS is thus visible.
   Accordingly, DNSSEC is not designed to provide confidentiality,
   access control lists, or other means of differentiating between
   inquirers.

   DNSSEC provides no protection against denial of service attacks.
   Security-aware resolvers and security-aware name servers are
   vulnerable to an additional class of denial of service attacks based
   on cryptographic operations.  Please see Section 12 for details.

   The DNS security extensions provide data and origin authentication
   for DNS data.  The mechanisms outlined above are not designed to
   protect operations such as zone transfers and dynamic update
   [RFC3007].  Message authentication schemes described in [RFC2845] and
   [RFC2931] address security operations that pertain to these
   transactions.































Arends, et al.          Expires January 13, 2005               [Page 11]


Internet-Draft    DNSSEC Introduction and Requirements         July 2004


5.  Scope of the DNSSEC Document Set and Last Hop Issues

   The specification in this document set defines the behavior for zone
   signers and security-aware name servers and resolvers in such a way
   that the validating entities can unambiguously determine the state of
   the data.

   A validating resolver can determine these 4 states:

   Secure: The validating resolver has a trust anchor, a chain of trust
      and is able to verify all the signatures in the response.

   Insecure: The validating resolver has a trust anchor, a chain of
      trust, and, at some delegation point, signed proof of the
      non-existence of a DS record.  That indicates that subsequent
      branches in the tree are provably insecure.  A validating resolver
      may have local policy to mark parts of the domain space as
      insecure.

   Bogus: The validating resolver has a trust anchor and there is a
      secure delegation which is indicating that subsidiary data will be
      signed, but the response fails to validate due to one or more
      reasons: missing signatures, expired signatures, signatures with
      unsupported algorithms, data missing which the relevant NSEC RR
      says should be present, and so forth.

   Indeterminate: There is no trust anchor which would indicate that a
      specific portion of the tree is secure.  This is the default
      operation mode.

   This specification only defines how security aware name servers can
   signal non-validating stub resolvers that data was found to be bogus
   (using RCODE=2, "Server Failure" -- see
   [I-D.ietf-dnsext-dnssec-protocol]).

   There is a mechanism for security aware name servers to signal
   security-aware stub resolvers that data was found to be secure (using
   the AD bit, see [I-D.ietf-dnsext-dnssec-protocol]).

   This specification does not define a format for communicating why
   responses were found to be bogus or marked as insecure.  The current
   signaling mechanism does not distinguish between indeterminate and
   insecure.

   A method for signaling advanced error codes and policy between a
   security aware stub resolver and security aware recursive nameservers
   is a topic for future work, as is the interface between a security
   aware resolver and the applications that use it.  Note, however, that



Arends, et al.          Expires January 13, 2005               [Page 12]


Internet-Draft    DNSSEC Introduction and Requirements         July 2004


   the lack of the specification of such communication does not prohibit
   deployment of signed zones or the deployment of security aware
   recursive name servers that prohibit propagation of bogus data to the
   applications.















































Arends, et al.          Expires January 13, 2005               [Page 13]


Internet-Draft    DNSSEC Introduction and Requirements         July 2004


6.  Resolver Considerations

   A security-aware resolver needs to be able to perform cryptographic
   functions necessary to verify digital signatures using at least the
   mandatory-to-implement algorithm(s).  Security-aware resolvers must
   also be capable of forming an authentication chain from a newly
   learned zone back to an authentication key, as described above.  This
   process might require additional queries to intermediate DNS zones to
   obtain necessary DNSKEY, DS and RRSIG records.  A security-aware
   resolver should be configured with at least one trust anchor as the
   starting point from which it will attempt to establish authentication
   chains.

   If a security-aware resolver is separated from the relevant
   authoritative name servers by a recursive name server or by any sort
   of device which acts as a proxy for DNS, and if the recursive name
   server or proxy is not security-aware, the security-aware resolver
   may not be capable of operating in a secure mode.  For example, if a
   security-aware resolver's packets are routed through a network
   address translation device that includes a DNS proxy which is not
   security-aware, the security-aware resolver may find it difficult or
   impossible to obtain or validate signed DNS data.

   If a security-aware resolver must rely on an unsigned zone or a name
   server that is not security aware, the resolver may not be able to
   validate DNS responses, and will need a local policy on whether to
   accept unverified responses.

   A security-aware resolver should take a signature's validation period
   into consideration when determining the TTL of data in its cache, to
   avoid caching signed data beyond the validity period of the
   signature, but should also allow for the possibility that the
   security-aware resolver's own clock is wrong.  Thus, a security-aware
   resolver which is part of a security-aware recursive name server will
   need to pay careful attention to the DNSSEC "checking disabled" (CD)
   bit [I-D.ietf-dnsext-dnssec-records].  This is in order to avoid
   blocking valid signatures from getting through to other
   security-aware resolvers which are clients of this recursive name
   server.  See [I-D.ietf-dnsext-dnssec-protocol] for how a secure
   recursive server handles queries with the CD bit set.











Arends, et al.          Expires January 13, 2005               [Page 14]


Internet-Draft    DNSSEC Introduction and Requirements         July 2004


7.  Stub Resolver Considerations

   Although not strictly required to do so by the protocol, most DNS
   queries originate from stub resolvers.  Stub resolvers, by
   definition, are minimal DNS resolvers which use recursive query mode
   to offload most of the work of DNS resolution to a recursive name
   server.  Given the widespread use of stub resolvers, the DNSSEC
   architecture has to take stub resolvers into account, but the
   security features needed in a stub resolver differ in some respects
   from those needed in a full security-aware resolver.

   Even a security-oblivious stub resolver may get some benefit from
   DNSSEC if the recursive name servers it uses are security-aware, but
   for the stub resolver to place any real reliance on DNSSEC services,
   the stub resolver must trust both the recursive name servers in
   question and the communication channels between itself and those name
   servers.  The first of these issues is a local policy issue: in
   essence, a security-oblivious stub resolver has no real choice but to
   place itself at the mercy of the recursive name servers that it uses,
   since it does not perform DNSSEC validity checks on its own.  The
   second issue requires some kind of channel security mechanism; proper
   use of DNS transaction authentication mechanisms such as SIG(0) or
   TSIG would suffice, as would appropriate use of IPsec, and particular
   implementations may have other choices available, such as operating
   system specific interprocess communication mechanisms.
   Confidentiality is not needed for this channel, but data integrity
   and message authentication are.

   A security-aware stub resolver that does trust both its recursive
   name servers and its communication channel to them may choose to
   examine the setting of the AD bit in the message header of the
   response messages it receives.  The stub resolver can use this flag
   bit as a hint to find out whether the recursive name server was able
   to validate signatures for all of the data in the Answer and
   Authority sections of the response.

   There is one more step that a security-aware stub resolver can take
   if, for whatever reason, it is not able to establish a useful trust
   relationship with the recursive name servers which it uses: it can
   perform its own signature validation, by setting the Checking
   Disabled (CD) bit in its query messages.  A validating stub resolver
   is thus able to treat the DNSSEC signatures as a trust relationship
   between the zone administrator and the stub resolver itself.








Arends, et al.          Expires January 13, 2005               [Page 15]


Internet-Draft    DNSSEC Introduction and Requirements         July 2004


8.  Zone Considerations

   There are several differences between signed and unsigned zones.  A
   signed zone will contain additional security-related records (RRSIG,
   DNSKEY, DS and NSEC records).  RRSIG and NSEC records may be
   generated by a signing process prior to serving the zone.  The RRSIG
   records that accompany zone data have defined inception and
   expiration times, which establish a validity period for the
   signatures and the zone data the signatures cover.

8.1  TTL values vs. RRSIG validity period

   It is important to note the distinction between a RRset's TTL value
   and the signature validity period specified by the RRSIG RR covering
   that RRset.  DNSSEC does not change the definition or function of the
   TTL value, which is intended to maintain database coherency in
   caches.  A caching resolver purges RRsets from its cache no later
   than the end of the time period specified by the TTL fields of those
   RRsets, regardless of whether or not the resolver is security-aware.

   The inception and expiration fields in the RRSIG RR
   [I-D.ietf-dnsext-dnssec-records], on the other hand, specify the time
   period during which the signature can be used to validate the covered
   RRset.  The signatures associated with signed zone data are only
   valid for the time period specified by these fields in the RRSIG RRs
   in question.  TTL values cannot extend the validity period of signed
   RRsets in a resolver's cache, but the resolver may use the time
   remaining before expiration of the signature validity period of a
   signed RRset as an upper bound for the TTL of the signed RRset and
   its associated RRSIG RR in the resolver's cache.

8.2  New Temporal Dependency Issues for Zones

   Information in a signed zone has a temporal dependency which did not
   exist in the original DNS protocol.  A signed zone requires regular
   maintenance to ensure that each RRset in the zone has a current valid
   RRSIG RR.  The signature validity period of an RRSIG RR is an
   interval during which the signature for one particular signed RRset
   can be considered valid, and the signatures of different RRsets in a
   zone may expire at different times.  Re-signing one or more RRsets in
   a zone will change one or more RRSIG RRs, which in turn will require
   incrementing the zone's SOA serial number to indicate that a zone
   change has occurred and re-signing the SOA RRset itself.  Thus,
   re-signing any RRset in a zone may also trigger DNS NOTIFY messages
   and zone transfers operations.






Arends, et al.          Expires January 13, 2005               [Page 16]


Internet-Draft    DNSSEC Introduction and Requirements         July 2004


9.  Name Server Considerations

   A security-aware name server should include the appropriate DNSSEC
   records (RRSIG, DNSKEY, DS and NSEC) in all responses to queries from
   resolvers which have signaled their willingness to receive such
   records via use of the DO bit in the EDNS header, subject to message
   size limitations.  Since inclusion of these DNSSEC RRs could easily
   cause UDP message truncation and fallback to TCP, a security-aware
   name server must also support the EDNS "sender's UDP payload"
   mechanism.

   If possible, the private half of each DNSSEC key pair should be kept
   offline, but this will not be possible for a zone for which DNS
   dynamic update has been enabled.  In the dynamic update case, the
   primary master server for the zone will have to re-sign the zone when
   updated, so the private key corresponding to the zone signing key
   will have to be kept online.  This is an example of a situation where
   the ability to separate the zone's DNSKEY RRset into zone signing
   key(s) and key signing key(s) may be useful, since the key signing
   key(s) in such a case can still be kept offline and may have a longer
   useful lifetime than the zone signing key(s).

   DNSSEC, by itself, is not enough to protect the integrity of an
   entire zone during zone transfer operations, since even a signed zone
   contains some unsigned, nonauthoritative data if the zone has any
   children.  Therefore, zone maintenance operations will require some
   additional mechanisms (most likely some form of channel security,
   such as TSIG, SIG(0), or IPsec).























Arends, et al.          Expires January 13, 2005               [Page 17]


Internet-Draft    DNSSEC Introduction and Requirements         July 2004


10.  DNS Security Document Family

   The DNSSEC document set can be partitioned into several main groups,
   under the larger umbrella of the DNS base protocol documents.

   The "DNSSEC protocol document set" refers to the three documents
   which form the core of the DNS security extensions:
   1.  DNS Security Introduction and Requirements (this document)
   2.  Resource Records for DNS Security Extensions
       [I-D.ietf-dnsext-dnssec-records]
   3.  Protocol Modifications for the DNS Security Extensions
       [I-D.ietf-dnsext-dnssec-protocol]

   Additionally, any document that would add to, or change the core DNS
   Security extensions would fall into this category.  This includes any
   future work on the communication between security-aware stub
   resolvers and upstream security-aware recursive name servers.

   The "Digital Signature Algorithm Specification" document set refers
   to the group of documents that describe how specific digital
   signature algorithms should be implemented to fit the DNSSEC resource
   record format.  Each document in this set deals with a specific
   digital signature algorithm.

   The "Transaction Authentication Protocol" document set refers to the
   group of documents that deal with DNS message authentication,
   including secret key establishment and verification.  While not
   strictly part of the DNSSEC specification as defined in this set of
   documents, this group is noted because of its relationship to DNSSEC.

   The final document set, "New Security Uses", refers to documents that
   seek to use proposed DNS Security extensions for other security
   related purposes.  DNSSEC does not provide any direct security for
   these new uses, but may be used to support them.  Documents that fall
   in this category include the use of DNS in the storage and
   distribution of certificates [RFC2538].















Arends, et al.          Expires January 13, 2005               [Page 18]


Internet-Draft    DNSSEC Introduction and Requirements         July 2004


11.  IANA Considerations

   This overview document introduces no new IANA considerations.  Please
   see [I-D.ietf-dnsext-dnssec-records] for a complete review of the
   IANA considerations introduced by DNSSEC.














































Arends, et al.          Expires January 13, 2005               [Page 19]


Internet-Draft    DNSSEC Introduction and Requirements         July 2004


12.  Security Considerations

   This document introduces the DNS security extensions and describes
   the document set that contains the new security records and DNS
   protocol modifications.  The extensions provide data origin
   authentication and data integrity using digital signatures over
   resource record sets.This document discusses the capabilities and
   limitations of these extensions.

   In order for a security-aware resolver to validate a DNS response,
   all zones along the path from the trusted starting point to the zone
   containing the response zones must be signed, and all name servers
   and resolvers involved in the resolution process must be
   security-aware, as defined in this document set.  A security-aware
   resolver cannot verify responses originating from an unsigned zone,
   from a zone not served by a security-aware name server, or for any
   DNS data which the resolver is only able to obtain through a
   recursive name server which is not security-aware.  If there is a
   break in the authentication chain such that a security-aware resolver
   cannot obtain and validate the authentication keys it needs, then the
   security-aware resolver cannot validate the affected DNS data.

   This document briefly discusses other methods of adding security to a
   DNS query, such as using a channel secured by IPsec or using a DNS
   transaction authentication mechanism, but transaction security is not
   part of DNSSEC per se.

   A non-validating security-aware stub resolver, by definition, does
   not perform DNSSEC signature validation on its own, and thus is
   vulnerable both to attacks on (and by) the security-aware recursive
   name servers which perform these checks on its behalf and also to
   attacks on its communication with those security-aware recursive name
   servers.  Non-validating security-aware stub resolvers should use
   some form of channel security to defend against the latter threat.
   The only known defense against the former threat would be for the
   security-aware stub resolver to perform its own signature validation,
   at which point, again by definition, it would no longer be a
   non-validating security-aware stub resolver.

   DNSSEC does not protect against denial of service attacks.  DNSSEC
   makes DNS vulnerable to a new class of denial of service attacks
   based on cryptographic operations against security-aware resolvers
   and security-aware name servers, since an attacker can attempt to use
   DNSSEC mechanisms to consume a victim's resources.  This class of
   attacks takes at least two forms.  An attacker may be able to consume
   resources in a security-aware resolver's signature validation code by
   tampering with RRSIG RRs in response messages or by constructing
   needlessly complex signature chains.  An attacker may also be able to



Arends, et al.          Expires January 13, 2005               [Page 20]


Internet-Draft    DNSSEC Introduction and Requirements         July 2004


   consume resources in a security-aware name server which supports DNS
   dynamic update, by sending a stream of update messages that force the
   security-aware name server to re-sign some RRsets in the zone more
   frequently than would otherwise be necessary.

   DNSSEC does not provide confidentiality, due to a deliberate design
   choice.

   DNSSEC introduces the ability for a hostile party to enumerate all
   the names in a zone by following the NSEC chain.  NSEC RRs assert
   which names do not exist in a zone by linking from existing name to
   existing name along a canonical ordering of all the names within a
   zone.  Thus, an attacker can query these NSEC RRs in sequence to
   obtain all the names in a zone.  While not an attack on the DNS
   itself, this could allow an attacker to map network hosts or other
   resources by enumerating the contents of a zone.

   DNSSEC introduces significant additional complexity to the DNS, and
   thus introduces many new opportunities for implementation bugs and
   misconfigured zones.  In particular, enabling DNSSEC signature
   validation in a resolver may cause entire legitimate zones to become
   effectively unreachable due to DNSSEC configuration errors or bugs.

   DNSSEC does not protect against tampering with unsigned zone data.
   Non-authoritative data at zone cuts (glue and NS RRs in the parent
   zone) are not signed.  This does not pose a problem when validating
   the authentication chain, but does mean that the non-authoritative
   data itself is vulnerable to tampering during zone transfer
   operations.  Thus, while DNSSEC can provide data origin
   authentication and data integrity for RRsets, it cannot do so for
   zones, and other mechanisms must be used to protect zone transfer
   operations.

   Please see [I-D.ietf-dnsext-dnssec-records] and
   [I-D.ietf-dnsext-dnssec-protocol] for additional security
   considerations.















Arends, et al.          Expires January 13, 2005               [Page 21]


Internet-Draft    DNSSEC Introduction and Requirements         July 2004


13.  Acknowledgements

   This document was created from the input and ideas of the members of
   the DNS Extensions Working Group.  While explicitly listing everyone
   who has contributed during the decade during which DNSSEC has been
   under development would be an impossible task, the editors would
   particularly like to thank the following people for their
   contributions to and comments on this document set: Jaap Akkerhuis,
   Mark Andrews, Derek Atkins, Roy Badami, Alan Barrett, Dan Bernstein,
   David Blacka, Len Budney, Randy Bush, Francis Dupont, Donald
   Eastlake, Robert Elz, Miek Gieben, Michael Graff, Olafur Gudmundsson,
   Gilles Guette, Andreas Gustafsson, Jun-ichiro itojun Hagino, Phillip
   Hallam-Baker, Bob Halley, Ted Hardie, Walter Howard, Greg Hudson,
   Christian Huitema, Johan Ihren, Stephen Jacob, Jelte Jansen, Simon
   Josefsson, Andris Kalnozols, Peter Koch, Olaf Kolkman, Mark Kosters,
   Suresh Krishnaswamy, Ben Laurie, David Lawrence, Ted Lemon, Ed Lewis,
   Ted Lindgreen, Josh Littlefield, Rip Loomis, Bill Manning, Russ
   Mundy, Mans Nilsson, Masataka Ohta, Mike Patton, Rob Payne, Jim Reid,
   Michael Richardson, Erik Rozendaal, Marcos Sanz, Pekka Savola, Jakob
   Schlyter, Mike StJohns, Paul Vixie, Sam Weiler, Brian Wellington, and
   Suzanne Woolf.

   No doubt the above list is incomplete.  We apologize to anyone we
   left out.



























Arends, et al.          Expires January 13, 2005               [Page 22]


Internet-Draft    DNSSEC Introduction and Requirements         July 2004


14.  References

14.1  Normative References

   [I-D.ietf-dnsext-dnssec-protocol]
              Arends, R., Austein, R., Larson, M., Massey, D. and S.
              Rose, "Protocol Modifications for the DNS Security
              Extensions", draft-ietf-dnsext-dnssec-protocol-06 (work in
              progress), May 2004.

   [I-D.ietf-dnsext-dnssec-records]
              Arends, R., Austein, R., Larson, M., Massey, D. and S.
              Rose, "Resource Records for DNS Security Extensions",
              draft-ietf-dnsext-dnssec-records-08 (work in progress),
              May 2004.

   [RFC1034]  Mockapetris, P., "Domain names - concepts and facilities",
              STD 13, RFC 1034, November 1987.

   [RFC1035]  Mockapetris, P., "Domain names - implementation and
              specification", STD 13, RFC 1035, November 1987.

   [RFC2535]  Eastlake, D., "Domain Name System Security Extensions",
              RFC 2535, March 1999.

   [RFC2671]  Vixie, P., "Extension Mechanisms for DNS (EDNS0)", RFC
              2671, August 1999.

   [RFC3225]  Conrad, D., "Indicating Resolver Support of DNSSEC", RFC
              3225, December 2001.

   [RFC3226]  Gudmundsson, O., "DNSSEC and IPv6 A6 aware server/resolver
              message size requirements", RFC 3226, December 2001.

   [RFC3445]  Massey, D. and S. Rose, "Limiting the Scope of the KEY
              Resource Record (RR)", RFC 3445, December 2002.

14.2  Informative References

   [I-D.ietf-dnsext-dns-threats]
              Atkins, D. and R. Austein, "Threat Analysis Of The Domain
              Name System", draft-ietf-dnsext-dns-threats-07 (work in
              progress), April 2004.

   [I-D.ietf-dnsext-nsec-rdata]
              Schlyter, J., "DNSSEC NSEC RDATA Format",
              draft-ietf-dnsext-nsec-rdata-06 (work in progress), May
              2004.



Arends, et al.          Expires January 13, 2005               [Page 23]


Internet-Draft    DNSSEC Introduction and Requirements         July 2004


   [RFC2136]  Vixie, P., Thomson, S., Rekhter, Y. and J. Bound, "Dynamic
              Updates in the Domain Name System (DNS UPDATE)", RFC 2136,
              April 1997.

   [RFC2181]  Elz, R. and R. Bush, "Clarifications to the DNS
              Specification", RFC 2181, July 1997.

   [RFC2308]  Andrews, M., "Negative Caching of DNS Queries (DNS
              NCACHE)", RFC 2308, March 1998.

   [RFC2538]  Eastlake, D. and O. Gudmundsson, "Storing Certificates in
              the Domain Name System (DNS)", RFC 2538, March 1999.

   [RFC2845]  Vixie, P., Gudmundsson, O., Eastlake, D. and B.
              Wellington, "Secret Key Transaction Authentication for DNS
              (TSIG)", RFC 2845, May 2000.

   [RFC2931]  Eastlake, D., "DNS Request and Transaction Signatures (
              SIG(0)s)", RFC 2931, September 2000.

   [RFC3007]  Wellington, B., "Secure Domain Name System (DNS) Dynamic
              Update", RFC 3007, November 2000.

   [RFC3008]  Wellington, B., "Domain Name System Security (DNSSEC)
              Signing Authority", RFC 3008, November 2000.

   [RFC3090]  Lewis, E., "DNS Security Extension Clarification on Zone
              Status", RFC 3090, March 2001.

   [RFC3597]  Gustafsson, A., "Handling of Unknown DNS Resource Record
              (RR) Types", RFC 3597, September 2003.

   [RFC3655]  Wellington, B. and O. Gudmundsson, "Redefinition of DNS
              Authenticated Data (AD) bit", RFC 3655, November 2003.

   [RFC3658]  Gudmundsson, O., "Delegation Signer (DS) Resource Record
              (RR)", RFC 3658, December 2003.

   [RFC3755]  Weiler, S., "Legacy Resolver Compatibility for Delegation
              Signer", RFC 3755, April 2004.

   [RFC3757]  Kolkman, O., Schlyter, J. and E. Lewis, "KEY RR Secure
              Entry Point Flag", RFC 3757, April 2004.








Arends, et al.          Expires January 13, 2005               [Page 24]


Internet-Draft    DNSSEC Introduction and Requirements         July 2004


Authors' Addresses

   Roy Arends
   Telematica Instituut
   Drienerlolaan 5
   7522 NB  Enschede
   NL

   EMail: roy.arends@telin.nl


   Rob Austein
   Internet Systems Consortium
   950 Charter Street
   Redwood City, CA  94063
   USA

   EMail: sra@isc.org


   Matt Larson
   VeriSign, Inc.
   21345 Ridgetop Circle
   Dulles, VA  20166-6503
   USA

   EMail: mlarson@verisign.com


   Dan Massey
   USC Information Sciences Institute
   3811 N. Fairfax Drive
   Arlington, VA  22203
   USA

   EMail: masseyd@isi.edu


   Scott Rose
   National Institute for Standards and Technology
   100 Bureau Drive
   Gaithersburg, MD  20899-8920
   USA

   EMail: scott.rose@nist.gov






Arends, et al.          Expires January 13, 2005               [Page 25]


Internet-Draft    DNSSEC Introduction and Requirements         July 2004


Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.


Disclaimer of Validity

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.


Copyright Statement

   Copyright (C) The Internet Society (2004).  This document is subject
   to the rights, licenses and restrictions contained in BCP 78, and
   except as set forth therein, the authors retain all their rights.


Acknowledgment

   Funding for the RFC Editor function is currently provided by the
   Internet Society.




Arends, et al.          Expires January 13, 2005               [Page 26]