Network Working Group                                           J. Ihren
Internet-Draft                                             Autonomica AB
Updates: [-records] (if approved)                              S. Weiler
Expires: August 24, 2005                                     SPARTA, Inc
                                                       February 20, 2005

       Minimally Covering NSEC Records and DNSSEC On-line Signing

Status of this Memo

   This document is an Internet-Draft and is subject to all provisions
   of Section 3 of RFC 3667.  By submitting this Internet-Draft, each
   author represents that any applicable patent or other IPR claims of
   which he or she is aware have been or will be disclosed, and any of
   which he or she become aware will be disclosed, in accordance with
   RFC 3668.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at

   The list of Internet-Draft Shadow Directories can be accessed at

   This Internet-Draft will expire on August 24, 2005.

Copyright Notice

   Copyright (C) The Internet Society (2005).


   This document describes how to construct DNSSEC NSEC resource records
   that cover a smaller range of names than called for by [-records].
   By generating and signing these records on demand, authoritative name
   servers can effectively stop the disclosure of zone contents
   otherwise made possible by walking the chain of NSEC records in a

Ihren & Weiler           Expires August 24, 2005                [Page 1]

Internet-Draft                NSEC Epsilon                 February 2005

   signed zone.

Changes -00 to -01

   Clarified that this updates -records by relaxing requirements on the
   next name field.

   Added examples covering wildcard names.

   In the 'better functions' section, reiterated that perfect functions
   aren't needed.

   Added a reference to 2119.

1.  Introduction and Terminology

   With DNSSEC [1], an NSEC record lists the next instantiated name in
   its zone, proving that no names exist in the "span" between the
   NSEC's owner name and the name in the "next name" field.  In this
   document, an NSEC record is said to "cover" the names between its
   owner name and next name.

   Through repeated queries that return NSEC records, it is possible to
   retrieve all of the names in the zone, a process commonly called
   "walking" the zone.  Some zone owners have policies forbidding zone
   transfers by arbitrary clients; this side-effect of the NSEC
   architecture subverts those policies.

   This document presents a way to prevent zone walking by constructing
   NSEC records that cover fewer names.  These records can make zone
   walking take approximately as many queries as simply asking for all
   possible names in a zone, making zone walking impractical.  Some of
   these records must be created and signed on demand, which requires
   on-line private keys.  Anyone contemplating use of this technique is
   strongly encouraged to review the discussion of the risks of on-line
   signing in Section 5.

   The technique presented here may be useful to a zone owner that wants
   to use DNSSEC, is concerned about exposure of its zone contents via
   zone walking, and is willing to bear the costs of on-line signing.

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   document are to be interpreted as described in RFC 2119 [4].

2.  Minimally Covering NSEC Records

   This mechanism involves changes to NSEC records for instantiated

Ihren & Weiler           Expires August 24, 2005                [Page 2]

Internet-Draft                NSEC Epsilon                 February 2005

   names, which can still be generated and signed in advance, as well as
   the on-demand generation and signing of new NSEC records whenever a
   name must be proven not to exist.

   In the 'next name' field of instantiated names' NSEC records, rather
   than list the next instantiated name in the zone, list any name that
   falls lexically after the NSEC's owner name and before the next
   instantiated name in the zone, according to the ordering function in
   [-records] [2] section 6.2.  This relaxes the requirement in section
   4.1.1 of [-records] that the 'next name' field contains the next
   owner name in the zone.  This change is expected to be fully
   compatible with all existing DNSSEC validators.  These NSEC records
   are returned whenever proving something specifically about the owner
   name (e.g.  that no resource records of a given type appear at that

   Whenever an NSEC record is needed to prove the non-existence of a
   name, a new NSEC record is dynamically produced and signed.  The new
   NSEC record has an owner name lexically before the QNAME but
   lexically following any existing name and a 'next name' lexically
   following the QNAME but before any existing name.

   The functions to generate the lexically following and proceeding
   names need not be perfect nor consistent, but the generated NSEC
   records must not cover any existing names.  Furthermore, this
   technique works best when the generated NSEC records cover as few
   names as possible.

   An NSEC record denying the existence of a wildcard may be generated
   in the same way.  Since the NSEC record covering a non-existent
   wildcard is likely to be used in response to many queries,
   authoritative name servers using the techniques described here may
   want to pregenerate or cache that record and its corresponding RRSIG.

   For example, a query for the non-instantiated name might
   produce the following NSEC record: For example, a query for an A
   record at the non-instantiated name might produce the
   following two NSEC records, the first denying the existence of the
   name and the second denying the existence of a wildcard:

          ).com 3600 IN NSEC ( RRSIG NSEC )

   Before answering a query with these records, an authoritative server
   must test for the existence of names between these endpoints.  If the
   generated NSEC would cover existing names (e.g. or
   *, a better increment or decrement function may
   be used or the covered name closest to the QNAME could be used as the

Ihren & Weiler           Expires August 24, 2005                [Page 3]

Internet-Draft                NSEC Epsilon                 February 2005

   NSEC owner name or next name, as appropriate.  If an existing name is
   used as the NSEC owner name, that name's real NSEC record MUST be
   returned.  Using the same example, assuming an
   delegation exists, this record might be returned from the parent:


   Like every authoritative record in the zone, each generated NSEC
   record MUST have corresponding RRSIGs generated using each algorithm
   (but not necessarily each DNSKEY) in the zone's DNSKEY RRset, as
   described in [-protocol] [3] section 2.2.  To minimize the number of
   signatures that must be generated, a zone may wish to limit the
   number of algorithms in its DNSKEY RRset.

3.  Better Increment & Decrement Functions

   Section 6.2 of [-records] defines a strict ordering of DNS names.
   Working backwards from that definition, it should be possible to
   define increment and decrement functions that generate the
   immediately following and preceding names, respectively.  This
   document does not define such functions.  Instead, this section
   presents functions that come reasonably close to the perfect ones.
   As described above, an authoritative server should still ensure than
   no generated NSEC covers any existing name.

   To increment a name, add a leading label with a single null
   (zero-value) octet.

   To decrement a name, decrement the last character of the leftmost
   label, then fill that label to a length of 63 octets with octets of
   value 255.  To decrement a null (zero-value) octet, remove the octet
   -- if an empty label is left, remove the label.  Defining this
   function numerically: fill the left-most label to its maximum length
   with zeros (numeric, not ASCII zeros) and subtract one.

   In response to a query for the non-existent name,
   these functions produce NSEC records of:

     \ 3600 IN NSEC \ ( NSEC RRSIG )


Ihren & Weiler           Expires August 24, 2005                [Page 4]

Internet-Draft                NSEC Epsilon                 February 2005

     \255\ 3600 IN NSEC \000.* ( NSEC RRSIG )

   The first of these NSEC RRs proves that no exact match for exists, and the second proves that there is no
   wildcard in

   Both of these functions are imperfect: they don't take into account
   constraints on number of labels in a name nor total length of a name.
   As noted in the previous section, though, this technique does not
   depend on the use of perfect increment or decrement functions: it is
   sufficient to test whether any instantiated names fall into the span
   covered by the generated NSEC and, if so, substitute those
   instantiated owner names for the NSEC owner name or next name, as

4.  IANA Considerations

   This document specifies no IANA Actions.

5.  Security Considerations

   This approach requires on-demand generation of RRSIG records.  This
   creates several new vulnerabilities.

   First, on-demand signing requires that a zone's authoritative servers
   have access to its private keys.  Storing private keys on well-known
   internet-accessible servers may make them more vulnerable to
   unintended disclosure.

   Second, since generation of public key signatures tends to be
   computationally demanding, the requirement for on-demand signing
   makes authoritative servers vulnerable to a denial of service attack.

   Lastly, if the increment and decrement functions are predictable,
   on-demand signing may enable a chosen-plaintext attack on a zone's
   private keys.  Zones using this approach should attempt to use
   cryptographic algorithms that are resistant to chosen-plaintext
   attacks.  It's worth noting that while DNSSEC has a "mandatory to
   implement" algorithm, that is a requirement on resolvers and
   validators -- there is no requirement that a zone be signed with any
   given algorithm.

   The success of using minimally covering NSEC record to prevent zone
   walking depends greatly on the quality of the increment and decrement
   functions chosen.  An increment function that chooses a name
   obviously derived from the next instantiated name may be easily
   reverse engineered, destroying the value of this technique.  An
   increment function that always returns a name close to the next

Ihren & Weiler           Expires August 24, 2005                [Page 5]

Internet-Draft                NSEC Epsilon                 February 2005

   instantiated name is likewise a poor choice.  Good choices of
   increment and decrement functions are the ones that produce the
   immediately following and preceding names, respectively, though zone
   administrators may wish to use less perfect functions that return
   more human-friendly names than the functions described in Section 3

   Another obvious but misguided concern is the danger from synthesized
   NSEC records being replayed.  It's possible for an attacker to replay
   an old but still validly signed NSEC record after a new name has been
   added in the span covered by that NSEC, incorrectly proving that
   there is no record at that name.  This danger exists with DNSSEC as
   defined in [-bis].  The techniques described here actually decrease
   the danger, since the span covered by any NSEC record is smaller than
   before.  Choosing better increment and decrement functions will
   further reduce this danger.

6.  Normative References

   [1]  Arends, R., Austein, R., Massey, D., Larson, M. and S. Rose,
        "DNS Security Introduction and Requirements",
        Internet-Draft draft-ietf-dnsext-dnssec-intro-13, October 2004.

   [2]  Arends, R., "Resource Records for the DNS Security Extensions",
        Internet-Draft draft-ietf-dnsext-dnssec-records-11, October

   [3]  Arends, R., "Protocol Modifications for the DNS Security
        Internet-Draft draft-ietf-dnsext-dnssec-protocol-09, October

   [4]  Bradner, S., "Key words for use in RFCs to Indicate Requirement
        Levels", BCP 14, RFC 2119, March 1997.

Authors' Addresses

   Johan Ihren
   Autonomica AB
   Bellmansgatan 30
   Stockholm  SE-118 47


Ihren & Weiler           Expires August 24, 2005                [Page 6]

Internet-Draft                NSEC Epsilon                 February 2005

   Samuel Weiler
   SPARTA, Inc
   7075 Samuel Morse Drive
   Columbia, Maryland  21046


Appendix A.  Acknowledgments

   Many individuals contributed to this design.  They include, in
   addition to the authors of this document, Olaf Kolkman, Ed Lewis,
   Peter Koch, Matt Larson, David Blacka, Suzanne Woolf, Jaap Akkerhuis,
   Jacob Schlyter, Bill Manning, and Joao Damas.

   The key innovation of this document, namely that perfect increment
   and decrement functions are not necessary, arose during a discussion
   among the above-listed people at the RIPE49 meeting in September

Ihren & Weiler           Expires August 24, 2005                [Page 7]

Internet-Draft                NSEC Epsilon                 February 2005

Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at

Disclaimer of Validity

   This document and the information contained herein are provided on an

Copyright Statement

   Copyright (C) The Internet Society (2005).  This document is subject
   to the rights, licenses and restrictions contained in BCP 78, and
   except as set forth therein, the authors retain all their rights.


   Funding for the RFC Editor function is currently provided by the
   Internet Society.

Ihren & Weiler           Expires August 24, 2005                [Page 8]