A Root Key Trust Anchor Sentinel for DNSSEC
RFC 8509

Document Type RFC - Proposed Standard (December 2018; No errata)
Last updated 2018-12-18
Replaces draft-huston-kskroll-sentinel
Stream IETF
WG state Submitted to IESG for Publication
Document shepherd Tim Wicinski
Shepherd write-up last changed 2018-07-20
IESG state RFC 8509 (Proposed Standard)
Consensus Boilerplate Yes
Responsible AD Terry Manderson
IANA action state No IANA Actions
Internet Engineering Task Force (IETF)                         G. Huston
Request for Comments: 8509                                      J. Damas
Category: Standards Track                                          APNIC
ISSN: 2070-1721                                                W. Kumari
                                                                  Google
                                                           December 2018

              A Root Key Trust Anchor Sentinel for DNSSEC

Abstract

   The DNS Security Extensions (DNSSEC) were developed to provide origin
   authentication and integrity protection for DNS data by using digital
   signatures.  These digital signatures can be verified by building a
   chain of trust starting from a trust anchor and proceeding down to a
   particular node in the DNS.  This document specifies a mechanism that
   will allow an end user and third parties to determine the trusted key
   state for the root key of the resolvers that handle that user's DNS
   queries.  Note that this method is only applicable for determining
   which keys are in the trust store for the root key.

Status of This Memo

   This is an Internet Standards Track document.

   This document is a product of the Internet Engineering Task Force
   (IETF).  It represents the consensus of the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Further information on
   Internet Standards is available in Section 2 of RFC 7841.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   https://www.rfc-editor.org/info/rfc8509.

Huston, et al.               Standards Track                    [Page 1]
RFC 8509               DNSSEC Trusted Key Sentinel         December 2018

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
     1.1.  Terminology . . . . . . . . . . . . . . . . . . . . . . .   4
   2.  Sentinel Mechanism in Resolvers . . . . . . . . . . . . . . .   4
     2.1.  Preconditions . . . . . . . . . . . . . . . . . . . . . .   5
     2.2.  Special Processing  . . . . . . . . . . . . . . . . . . .   6
   3.  Sentinel Tests for a Single DNS Resolver  . . . . . . . . . .   7
     3.1.  Forwarders  . . . . . . . . . . . . . . . . . . . . . . .   9
   4.  Sentinel Tests for Multiple Resolvers . . . . . . . . . . . .  10
     4.1.  Test Scenario and Objective . . . . . . . . . . . . . . .  11
     4.2.  Test Assumptions  . . . . . . . . . . . . . . . . . . . .  11
     4.3.  Test Procedure  . . . . . . . . . . . . . . . . . . . . .  12
   5.  Security Considerations . . . . . . . . . . . . . . . . . . .  13
   6.  Privacy Considerations  . . . . . . . . . . . . . . . . . . .  14
   7.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  14
   8.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  14
     8.1.  Normative References  . . . . . . . . . . . . . . . . . .  14
     8.2.  Informative References  . . . . . . . . . . . . . . . . .  15
   Appendix A.  Protocol Walk-Through Example  . . . . . . . . . . .  16
   Acknowledgements  . . . . . . . . . . . . . . . . . . . . . . . .  19
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  19


1.  Introduction

   The DNS Security Extensions (DNSSEC) [RFC4033], [RFC4034], and
   [RFC4035] were developed to provide origin authentication and
   integrity protection for DNS data by using digital signatures.
   DNSSEC uses Key Tags to efficiently match signatures to the keys from
   which they are generated.  The Key Tag is a 16-bit value computed
   from the RDATA of a DNSKEY Resource Record (RR) as described in
   Appendix B of [RFC4034].  RRSIG RRs contain a Key Tag field whose
   value is equal to the Key Tag of the DNSKEY RR that was used to
   generate the corresponding signature.
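
   The Key Tag computation referred to above (RFC 4034, Appendix B) is
   short enough to show in full.  The following Python is an added worked
   example, not code from RFC 8509 or RFC 4034: it serialises a DNSKEY
   record from presentation format into wire RDATA, computes its Key Tag
   with the Appendix B checksum, and then does what a validator does with
   the RRSIG Key Tag field, namely select the candidate DNSKEY RRs from an
   RRset.  The two DNSKEY records are constructed for the example (their
   "public keys" are just runs of consecutive octets so the arithmetic can
   be checked by hand); they are not real keys.  The algorithm 1 (RSA/MD5)
   special case from Appendix B.1 is rejected rather than implemented.

```python
"""Key Tag computation for DNSKEY RRs (RFC 4034, Appendix B).

Added example; not code from RFC 8509.  The DNSKEY records below are
constructed for illustration and are not real keys.
"""
import base64
import struct


def dnskey_wire_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """Serialize DNSKEY RDATA (RFC 4034, Section 2.1):
    2-octet Flags, 1-octet Protocol, 1-octet Algorithm, then the public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def parse_dnskey_presentation(text: str) -> bytes:
    """Turn presentation format 'flags protocol algorithm <base64...>'
    (RFC 4034, Section 2.2) into wire-format RDATA.  Zone files may split
    the base64 across several whitespace-separated tokens, so join them."""
    fields = text.split()
    if len(fields) < 4:
        raise ValueError("DNSKEY needs flags, protocol, algorithm and key material")
    flags, protocol, algorithm = (int(f) for f in fields[:3])
    pubkey = base64.b64decode("".join(fields[3:]), validate=True)
    return dnskey_wire_rdata(flags, protocol, algorithm, pubkey)


def key_tag(rdata: bytes) -> int:
    """Key Tag of a DNSKEY RR per RFC 4034 Appendix B: a 16-bit checksum
    over the whole RDATA (Flags, Protocol and Algorithm included).  Octets at
    even offsets are shifted left by 8, odd ones added as-is, and the carry
    above 16 bits is folded back in once.  Algorithm 1 (RSA/MD5, obsolete)
    used a different rule (Appendix B.1) and is refused here rather than
    silently miscomputed."""
    if len(rdata) < 4:
        raise ValueError("DNSKEY RDATA is at least 4 octets")
    if rdata[3] == 1:
        raise ValueError("algorithm 1 (RSA/MD5) key tags are out of scope")
    ac = 0
    for i, octet in enumerate(rdata):
        ac += octet if i & 1 else octet << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def dnskeys_matching_tag(dnskey_rrset, tag: int):
    """Return the DNSKEY records (presentation strings) in an RRset whose
    Key Tag equals the one carried in an RRSIG.  A Key Tag is a hint, not a
    unique identifier: two keys in one RRset can share a tag, so a validator
    must try every match instead of assuming the first one signed the data."""
    return [rr for rr in dnskey_rrset if key_tag(parse_dnskey_presentation(rr)) == tag]


# Constructed records (not real keys): a KSK (flags 257) and a ZSK (flags 256),
# protocol 3, algorithm 13 (ECDSAP256SHA256), each with a fake 64-octet
# "public key" made of consecutive octets.
CONSTRUCTED_DNSKEY = "257 3 13 " + base64.b64encode(bytes(range(1, 65))).decode()
CONSTRUCTED_ZSK = "256 3 13 " + base64.b64encode(bytes(range(65, 129))).decode()
CONSTRUCTED_RRSET = [CONSTRUCTED_DNSKEY, CONSTRUCTED_ZSK]

# Hand check for CONSTRUCTED_DNSKEY:
#   Flags 0x0101 -> (0x01 << 8) + 0x01 = 257; Protocol 3 -> 3 << 8 = 768; Algorithm 13 -> 13
#   key octets at even RDATA offsets are 1,3,...,63 (sum 1024), shifted: 262144
#   key octets at odd RDATA offsets are 2,4,...,64 (sum 1056)
#   ac = 257 + 768 + 13 + 262144 + 1056 = 264238; fold carry 4 -> 264242; & 0xFFFF = 2098
EXPECTED_CONSTRUCTED_TAG = 2098


def demo() -> int:
    """Compute and print the constructed KSK's Key Tag; returns it."""
    tag = key_tag(parse_dnskey_presentation(CONSTRUCTED_DNSKEY))
    print(f"{CONSTRUCTED_DNSKEY[:24]}...  key tag {tag}")
    return tag


if __name__ == "__main__":
    demo()
```

   Running the module on a real DNSKEY in presentation format (for
   example the root zone's DNSKEY RRset as printed by a validating
   resolver) gives the tag a validator compares against the RRSIG Key
   Tag field; the folding of the carry is what keeps the result in 16
   bits, and the inclusion of the Flags octets is why a KSK (257) and a
   ZSK (256) with identical key material still get different tags.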

   This document specifies how security-aware DNS resolvers that perform
   validation of their responses can respond to certain queries in a
   manner that allows an agent performing the queries to deduce whether