[Search] [txt|pdf|bibtex] [Tracker] [WG] [Email] [Nits]

Versions: 00                                                            
Domain Name System Security Working Group                      R. Watson
INTERNET DRAFT                                             November 1997
<draft-ietf-dnssec-ar-00.txt>                      Expires in six months

               DNSsec Authentication Referral Record (AR)

Status of this Document

   This document is an Internet-Draft.  Internet-Drafts are working
   documents of the Internet Engineering Task Force (IETF), its areas,
   and its working groups.  Note that other groups may also distribute
   working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   To view the entire list of current Internet-Drafts, please check the
   "1id-abstracts.txt" listing contained in the Internet-Drafts Shadow
   Directories on ftp.is.co.za (Africa), ftp.nordu.net (Europe),
   munnari.oz.au (Pacific Rim), ds.internic.net (US East Coast), or
   ftp.isi.edu (US West Coast).


   Authentication Referrals allow DNS to refer to authentication
   mechanisms that supplement or replace the KEY RRs of DNSsec.

   Five Authentication Service types are defined: DNSsec, Kerberos IV,
   Kerberos V, Network Information Service (NIS+), and Radius.

Watson                                                          [Page 1]

Internet DRAFT       DNSsec Authentication Referral        November 1997

1. Introduction

   Domain Name System Security [DNSSEC] extends the Domain Name System
   (DNS) [RFC1034, RFC1035] to provide for data origin authentication,
   public key distribution, and query and transaction authentication,
   all based on public key cryptography and public key based digital
   signatures.  In many organizations, it is desirable to provide a
   centralized source for authentication data, especially in
   environments where multiple systems are used (for example, KerberosIV
   and NIS+).  Systems have been defined for distributing user
   information in the DNS name-space [HESIOD], but DNS has traditionally
   lacked the security necessary to safely distribute sensitive
   authentication information.  Authentication Referrals use DNSsec's
   authenticated data capabilities to distribute mappings from entities
   to authentication mechanisms.

1.1 Keywords Used

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   document are to be interpreted as described in RFC 2119.

1.2 Definition of Terms

   Service Desiring Authentication (SDA): A service requiring a user to
   authenticate before providing access.  For example, the login program
   on a UNIX host is an SDA.

   Authentication Service: A type of authentication system that allows
   an SDA to verify the identity of a Client communicating with the SDA.
   Services are typically accessed using an Authentication Server such
   as a KerberosIV or Radius server.  In a referral, both the type of
   authentication service and the server address are provided.

   Client: An entity that wishes to connect to a service, in particular,
   to an SDA.  Clients are identified using a unique DNS Fully Qualified
   Domain Name (FQDN), which contains records providing information on
   verifying authentication.  Authentication Client may refer to both
   humans and hosts in this document.

   Authentication Username: In the event that an Authentication Service
   is used, the Username may differ from the Client's FQDN in DNS.

   Authentication Realm: Some distributed authentication systems allow
   for multiple "realms" in which authentication takes place.  Realms
   typically represent a set of identities and services over which a
   single authority is responsible for authentication.  Where
   appropriate, referrals contain the name of the realm against which

Watson                                                          [Page 2]

Internet DRAFT       DNSsec Authentication Referral        November 1997

   they should be made.

   Authentication Server: Many authentication systems rely on a
   centralized database, which may be found on the Authentication
   Server.  This database can be identified using the DNS FQDN for the
   host.  It is assumed that the Authentication Service type will
   provide all other information necessary to communicate with the
   Authentication Server.

1.3 Authentication in DNSsec

   DNSsec provides a mechanism for the authentication of entities it
   describes via KEY records containing public keys.  This is adequate
   for IP Security [IPSEC] and other key-based protocols (such as Secure
   Shell [SSH]), but it is not useful for individual user
   authentication.  Typically such an authentication process involves
   the encryption of data using the Client's public key (extracted from
   DNSsec), which must then be decrypted by the Client and returned in
   some other form (often encrypted with the SDA's public key to protect
   both the challenge and the response).  Users may be reluctant to
   replace their traditional alpha-numeric password with 514-bit private
   keys and then perform computation-intensive key manipulation and
   signature-operations in their heads.  While devices are available
   that perform this function in a more accessible manner, they are not
   yet mainstream, and a standard has not yet been proposed for
   interaction between these devices and DNSsec-based authentication

   Existing distributed authentication systems commonly rely on a
   password (shared secret) or a variable challenge-response mechanism
   using a system-specific protocol.  For example, both KerberosIV
   [KERBEROSIV] and Radius [RADIUS] use protocols employing different
   packet formats and privacy mechanisms.  Because DNS was designed as a
   publicly accessible distributed database, no mechanism for the
   distribution of private data is provided, which makes the inclusion
   of password data in the system both difficult and inappropriate.

   The AR resource record (RR type TBD) allows DNSsec to refer an SDA to
   an Authentication Service when direct authentication based on the KEY
   RR cannot be used.

2. Authentication Referral Resource Record Format

   To provide storage for authentication referral information, a new RR
   type is defined with the mnemonic AR.  More than one AR RR MAY exist
   in an RRset; the RRset MUST contain the complete list of
   authentication mechanisms allowed for the DNS name.

Watson                                                          [Page 3]

Internet DRAFT       DNSsec Authentication Referral        November 1997

2.1 Record Format

      NAME    The domain name of the entity to be authenticated.
      TYPE    AR (TBD)
      CLASS   IN (HS may also be appropriate)
      TTL     (as appropriate)
      RdLen   (variable)

        Field Name               Data Type   Notes
        ------------------------ ----------- -------------------------
        Authentication Server    dname       FQDN of the server that
                                             will provide
                                             authentication data
        Authentication Realm     dname       Realm in which
                                             authentication occurs
        Authentication Service   16-bit int  Authentication Service
                                             Type as defined in 2.3
        Username Length          16-bit int  Length of Authentication
                                             Username string in octets
        Authentication Username  8-bit int[] UTF-8 encoded name whose
                                             use is defined by the
                                             service type.
        Other Data               undefined   Ignore any following

   All integer values are stored in network byte order.  The
   Authentication Username field is an octet stream of length Username

   Meaning of Authentication Realm, Authentication Server,
   Authentication Username are specific to each Authentication Service

2.2 Text Representation

   A simple text representation for the AR RR might be:

      NAME.    IN AR [Server] [Realm] [AuthMnemonic] [Username]

2.3 Authentication Service Types

   Different Authentication Services types will be assigned numeric
   value.  New services MUST be registered with IANA.*  A mnemonic is
   associated with each type to simplify textual representation.

Watson                                                          [Page 4]

Internet DRAFT       DNSsec Authentication Referral        November 1997

      Value  Mnemonic    Authentication Service Name
      ------ ----------- ---------------------------
      0      DNSSEC      DNSsec
      1      KERBEROS_V4 Kerberos IV
      2      KERBEROS_V5 Kerberos V
      3      RADIUS      Radius
      4      NISPLUS     NIS+

   * A method for registration will be described in detail in a later
   version of this document.

2.3.1 DNSsec Referral

   It may be desirable to refer authentication to another FQDN.  For
   example, an organization may have several user zones defined, but one
   Client may exist in several of them.  Rather than requiring separate
   AR RRs, authentication may be forwarded to one canonical AR RR
   containing other useful data, or to a record with a KEY RR.  Some
   fields defined across the AR record are not used:

        Field Name               Value
        ------------------------ ----------------------------------
        Authentication Server    (empty)
        Authentication Realm     (empty)
        Authentication Service   0 (DNSSEC)
        Username Length          (as appropriate)
        Authentication Username  FQDN of the entity referred to

   When using DNSsec referrals, it is important to avoid referral loops.
   The appropriate interpretation order of coexisting KEY and AR records
   is discussed in section 3.  Referrals may point to either another AR
   record or a record with authentication KEYs.  If a DNSsec referral
   record points to a non-existent name or no authentication information
   is available at that name, the authentication MUST fail. DNSsec Referral Example

      TYPE    AR (TBD)
      CLASS   IN
      TTL     3600
      RdLen   (as appropriate)

Watson                                                          [Page 5]

Internet DRAFT       DNSsec Authentication Referral        November 1997


        Field Name               Value
        ------------------------ ----------------------------------
        Authentication Server    (empty)
        Authentication Realm     (empty)
        Authentication Service   0 (DNSSEC)
        Username Length          19
        Authentication Username  rnw.andrew.cmu.edu.

   A textual representation of this record in zone USER.WATSON.ORG would
   appears as:

      ROBERT    IN AR (. . DNSSEC "rnw.andrew.cmu.edu.")

2.3.2 Kerberos IV Referral

   The Authentication Username is a "principal.instance" pair where
   instance may be alphanumeric, null, or the wildcard "*".  For
   authentication against user robert in realm WATSON.ORG, an
   appropriate Authentication Username would be "robert.", indicating
   that no instance is to be used.  To require authentication against
   another instance, the form "robert.admin" is appropriate.  In some
   circumstances, a wild-card Username entry might be used, "robert.*",
   indicating that the Client MAY be prompted for a specific instance.

        Field Name              Value
        ----------------------- --------------------------------------
        Authentication Server   Kerberos IV Server
        Authentication Realm    Kerberos IV Realm
        Authentication Service  1 (Kerberos IV)
        Username Length         (length of Username in octets)
        Authentication Username Kerberos IV principal.instance Kerberos IV Referral Example

      TYPE    AR (TBD)
      CLASS   IN
      TTL     3600
      RdLen   (as appropriate)

Watson                                                          [Page 6]

Internet DRAFT       DNSsec Authentication Referral        November 1997


        Field Name              Value
        ----------------------- ----------------------
        Authentication Server   KERBEROS.WATSON.ORG.
        Authentication Realm    WATSON.ORG.
        Authentication Service  1 (KERBEROS_V4)
        Username Length         12
        Authentication Username robert.admin

   A textual representation of this record in zone USER.WATSON.ORG would
   appear as:

                              KERBEROS_V4 "robert.admin")

2.3.3. Kerberos V Referral

   The specifics of this type will be specified in a future draft.  It
   is expected that Kerberos V referrals will be almost identical to
   Kerberos IV, but with the "." principal/instance separator replaced
   with a "/".

2.3.4 Radius Referral

        Field Name              Value
        ----------------------- ---------------------------------
        Authentication Server   Radius Server
        Authentication Realm    (empty)
        Authentication Service  3 (RADIUS)
        Username Length         (as appropriate)
        Authentication Username Radius Username Radius Referral Example

      TYPE    AR (TBD)
      CLASS   IN
      TTL     3600
      RdLen   (as appropriate)

Watson                                                          [Page 7]

Internet DRAFT       DNSsec Authentication Referral        November 1997


        Field Name              Value
        ----------------------- ----------------------
        Authentication Server   RADIUS.WATSON.ORG.
        Authentication Realm    (empty)
        Authentication Service  5 (RADIUS)
        Username Length         6
        Authentication Username robert

   A textual representation of this record in zone USER.WATSON.ORG would
   appear as:

      ROBERT                  IN AR (RADIUS.WATSON.ORG. .
                                      RADIUS "robert")

2.3.5 NIS+ Referral

   NIS+ referral will be documented in a separate document.  Due to the
   complex interactions between NIS and DNS, there are additional
   concerns that must be addressed in greater detail than is appropriate

2.4 DNS Server Handling of the AR Resource Record

   When returning an AR RR as part of an RRset, a DNS server MAY include
   Additional Records [RFC1034: Section 3.7] that it anticipates the SDA

3. AR Resource Record Evaluation

   When performing a lookup on a Client's DNS entry, a signed RRset is
   returned containing KEY RRs, SIG RRs, other data, and possibly an AR
   RR.  If KEY RRs are present and are permitted for use in user
   authentication, public/private key authentication may take place.
   Alternatively, the SDA may choose a different authentication
   mechanism from the list of AR RRs.

3.1 Authentication Rules

   Multiple AR RRs of different Authentication Service types may exist.
   Similarly, multiple RRs of the same type may exist in an RRset.  When
   multiple RRs are returned, the SDA must select some subset of these
   to try.  A combination of local policy and and the desire for load
   balancing determines the correct use of these RRs.

   Where multiple AR RRs of different Authentication Service type exist,
   one of the available Services SHOULD be selected.  This choice could

Watson                                                          [Page 8]

Internet DRAFT       DNSsec Authentication Referral        November 1997

   be made by local site policy (i.e., only to accept authentication by
   Kerberos, or to not allow AR referral to another DNSsec name), or
   with Client interaction (the user is prompted for the mechanism they
   wish to authenticate against).  If one Authentication Service fails,
   the choice to retry against the same service or against different
   Services should be made in accordance with local security policy.

   Where multiple RRs with the same Authentication Service Type exist
   but different Authentication Realm or Username are present, the SDA
   should make a choice in accordance with local site policy.  For
   example, a site might choose only to accept authentication to their
   own Kerberos realm.

   Load balancing is desirable in the event that multiple RRs with the
   same Authentication Realm, Authentication Service, and Username are
   present.  Such sets of related AR RRs may be considered to be
   redundant records.  DNS round-robin may be relied upon to reorder

3.1.1 Successful Authentication

   If the chain of signatures validates the initial Client records as
   well as any further records referenced if a DNSsec referral is
   performed, an authentication attempt MAY be performed.  If an
   attempted authentication succeeds, the SDA MUST accept the
   authentication as valid.

3.1.2 Failure in Authentication

   If any break in the signature chain occurs in DNSsec verification of
   the records required for authentication, the authentication SHOULD
   fail.  If alternate mechanisms exist for authenticating the
   Authentication Server, they MAY be used.

   If an Authentication Service is selected, and the authentication
   fails for non-technical reasons [different word?], then the
   authentication MUST fail.  If a technical failure occurs (such as
   being unable to contact the Authentication Server), the SDA MAY
   select another AR record to attempt or MAY retry on the same server.
   If no further AR records are present and any retries have also
   failed, then the authentication MUST fail.

4. Security Considerations

   It is expected that some system of access control will be used to
   determine what, if any, services are provided to the authenticated

Watson                                                          [Page 9]

Internet DRAFT       DNSsec Authentication Referral        November 1997

4.1 DNSsec Use

   Spoofing of AR RRs could result in unauthorized authentication.
   DNSsec MUST be used to verify the authenticity of the AR RRs, as well
   as the chain to the DNS root.  For example, if an AR refers to
   Kerberos IV, DNSsec MUST be used to verify the retrieval of the
   Client's AR record, and the retrieval of the Kerberos IV Server's IP
   address from Authentication Server FQDN.

4.2 The Weakest Link

   While DNSsec provides strong cryptography to protect data
   authenticity and to allow expiration, many distributed security
   mechanisms are not as strong.  For example, while an AR record may be
   valid, an NIS server connection may be spoofed, hijacked,
   eavesdropped, etc.

4.3 Local Site Policy

   Local site policy is relied upon for a number of key decisions in the
   authentication process.  For example, before attempting to follow an
   AR chain, the SDA must first confirm that the initial name provided
   is allowed to authenticate to it.  It must also determine which
   authentication service types in the AR list for the name are
   appropriate for use.  An SDA MAY choose not to accept authenticatino
   to a weak Authentication Service.  The definition of weak SHOULD be
   defined in a local site policy.

   A site might accept initial attempts at authentication to
   *.user.watson.org.  On a successful and verified referral, it might
   then be willing to accept authentication against any strong
   Authentication Service (e.g., KerberosIV or KerberosV), but not
   against weaker services (e.g., NIS).

   If AR information can be verified externally, do so.  For example, if
   Kerberos IV server to realm mapping information exists in a local
   krb.conf, consistency should be verified.

   Correct logging practice, as well as approaches for dealing with
   various types of failures given the varied mechanisms provided may
   also involve significant local determination.  All authentication
   events SHOULD be logged.  Selective reporting of errors to the Client
   may also improve security.

Watson                                                         [Page 10]

Internet DRAFT       DNSsec Authentication Referral        November 1997

5. References

   [RFC1034]     P. Mockapetris, ``Domain Names - Concepts and
                 Facilities,'' RFC 1034, ISI, November 1987.

   [RFC1035]     P. Mockapetris, ``Domain Names - Implementation and
                 Specification,'' RFC 1034, ISI, November 1987.

   [DNSSEC]      D. Eastlake, C. Kaufman, ``Domain System Security
                 Extensions,'' RFC 2065, CyberCash & Irix, January 1997.

   [HESIOD]      S. Dryer, ``The Hesiod Name Server,'' MIT, January 1988.

   [IPSEC]       R. Atkinson, ``Security Architecture for the Internet
                 Protocol,'' RFC 1825, Navy Research Laboratory, August

   [SSH]         M. Ylonen, T. Kivinen, M. Saarinen, ``SSH Transport Layer
                 Protocol,'' draft-ietf-secsh-transport-02.txt, SSH,
                 October 1997.

   [KERBEROSIV]  S. Miller, B. Neuman, J. Schiller, J. Saltzer, ``Kerberos
                 Authentication and Authorization System,'' MIT, December

   [RADIUS]      C. Rigney, A. Rubens, W. Simpson, S. Willens, ``Remote
                 Authentication Dial In User Service (RADIUS),'' RFC 2138,
                 April 1997.

6. Author's Address

   Robert Watson
   Carnegie Mellon University
   SMC 4105
   PO Box 3015
   Pittsburgh, PA 15230

   Phone: (412) 862-2696

   Email: robert+ietf@cyrus.watson.org

Watson                                                         [Page 11]