Message Digest for DNS Zones
RFC 8976
Field | Value
---|---
Type | RFC - Proposed Standard (February 2021; Errata)
Authors | Duane Wessels, Piet Barber, Matt Weinberg, Warren Kumari, Wes Hardaker
Last updated | 2021-02-11
Replaces | draft-wessels-dns-zone-digest
Stream | IETF
WG state | Submitted to IESG for Publication
Document shepherd | Tim Wicinski
Shepherd write-up | last changed 2020-07-24
IESG state | RFC 8976 (Proposed Standard)
Action holders | (None)
Consensus boilerplate | Yes
Responsible AD | Barry Leiba
Send notices to | Tim Wicinski <tjw.ietf@gmail.com>
IANA review state | Version Changed - Review Needed
IANA action state | RFC-Ed-Ack
Internet Engineering Task Force (IETF)
Request for Comments: 8976
Category: Standards Track
ISSN: 2070-1721
D. Wessels, P. Barber (Verisign)
M. Weinberg (Amazon)
W. Kumari (Google)
W. Hardaker (USC/ISI)
February 2021

Message Digest for DNS Zones

Abstract

This document describes a protocol and new DNS Resource Record that provides a cryptographic message digest over DNS zone data at rest. The ZONEMD Resource Record conveys the digest data in the zone itself. When used in combination with DNSSEC, ZONEMD allows recipients to verify the zone contents for data integrity and origin authenticity. This provides assurance that received zone data matches published data, regardless of how the zone data has been transmitted and received. When used without DNSSEC, ZONEMD functions as a checksum, guarding only against unintentional changes.

ZONEMD does not replace DNSSEC: DNSSEC protects individual RRsets (DNS data with fine granularity), whereas ZONEMD protects a zone's data as a whole, whether consumed by authoritative name servers, recursive name servers, or any other applications.

As specified herein, ZONEMD is impractical for large, dynamic zones due to the time and resources required for digest calculation. However, the ZONEMD record is extensible so that new digest schemes may be added in the future to support large, dynamic zones.

Status of This Memo

This is an Internet Standards Track document.

This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841.

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at https://www.rfc-editor.org/info/rfc8976.

Copyright Notice

Copyright (c) 2021 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

1. Introduction
   1.1. Motivation
   1.2. Alternative Approaches
   1.3. Design Overview
   1.4. Use Cases
        1.4.1. Root Zone
        1.4.2. Providers, Secondaries, and Anycast
        1.4.3. Response Policy Zones
        1.4.4. Centralized Zone Data Service
        1.4.5. General Purpose Comparison Check
   1.5. Terminology
2. The ZONEMD Resource Record
   2.1. Non-apex ZONEMD Records
   2.2. ZONEMD RDATA Wire Format
        2.2.1. The Serial Field
        2.2.2. The Scheme Field
        2.2.3. The Hash Algorithm Field
        2.2.4. The Digest Field
   2.3. ZONEMD Presentation Format
   2.4. ZONEMD Example
   2.5. Including ZONEMD RRs in a Zone
3. Calculating the Digest
   3.1. Add ZONEMD Placeholder
   3.2. Optionally, Sign the Zone
   3.3. Scheme-Specific Processing
        3.3.1. The SIMPLE Scheme
               3.3.1.1. SIMPLE Scheme Inclusion/Exclusion Rules
               3.3.1.2. SIMPLE Scheme Digest Calculation
   3.4. Update ZONEMD RR
4. Verifying Zone Digest
5. IANA Considerations
   5.1. ZONEMD RRtype
   5.2. ZONEMD Scheme
   5.3. ZONEMD Hash Algorithms
6. Security Considerations
   6.1. Using Zone Digest without DNSSEC
   6.2. Attacks against the Zone Digest
   6.3. Use of Multiple ZONEMD Hash Algorithms
   6.4. DNSSEC Timing Considerations
   6.5. Attacks Utilizing ZONEMD Queries
   6.6. Resilience and Fragility
7. Performance Considerations
   7.1. SIMPLE SHA384
8. Privacy Considerations
9. References
   9.1. Normative References
   9.2. Informative References
Appendix A. Example Zones with Digests
   A.1. Simple EXAMPLE Zone
   A.2. Complex EXAMPLE Zone
   A.3. EXAMPLE Zone with Multiple Digests
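The abstract describes ZONEMD only in outline. The following is an added example, not code from the RFC or from any ZONEMD implementation, that generates and verifies a SIMPLE/SHA-384 ZONEMD record for a small constructed zone, and shows that a stale serial or a changed record makes verification fail. It assumes the SIMPLE-scheme rules from the RFC body that this page does not reproduce (RRs in RFC 4034 canonical wire form and order, apex ZONEMD RRset excluded from the hash), supports only the five RR types in its sample, and leaves DNSSEC out, so it behaves as the checksum case the abstract mentions.

```python
import hashlib, ipaddress, struct
TYPE_CODES = {"A": 1, "NS": 2, "SOA": 6, "AAAA": 28, "ZONEMD": 63}
SIMPLE, SHA384 = 1, 1  # ZONEMD Scheme and Hash Algorithm code points

def wire_name(name):  # uncompressed, lowercased name (RFC 4034 canonical form)
    labels = [l.encode() for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
def wire_rdata(rtype, rdata):  # canonical wire RDATA for the types used in the sample zone
    if rtype in ("A", "AAAA"):
        return ipaddress.ip_address(rdata).packed
    if rtype == "NS":
        return wire_name(rdata)
    if rtype == "SOA":
        mname, rname, *nums = rdata.split()
        return wire_name(mname) + wire_name(rname) + struct.pack("!5I", *map(int, nums))
    serial, scheme, alg, digest = rdata.split()  # ZONEMD: Serial(4) Scheme(1) Hash Algorithm(1) Digest
    return struct.pack("!IBB", int(serial), int(scheme), int(alg)) + bytes.fromhex(digest)
def wire_rr(owner, ttl, rtype, rdata):  # owner | TYPE | CLASS IN | TTL | RDLENGTH | RDATA
    rd = wire_rdata(rtype, rdata)
    return wire_name(owner) + struct.pack("!HHIH", TYPE_CODES[rtype], 1, ttl, len(rd)) + rd
def canonical_key(rr):  # RFC 4034 s6.1: owner labels compared right to left, then type, then RDATA
    owner, _, rtype, rdata = rr
    return (tuple(reversed(owner.lower().rstrip(".").split("."))), TYPE_CODES[rtype], wire_rdata(rtype, rdata))
def is_apex_zonemd(rr, apex):
    return rr[0].lower() == apex.lower() and rr[2] == "ZONEMD"
def simple_digest(zone, apex):  # SIMPLE scheme: SHA-384 over every RR in canonical order
    h = hashlib.sha384()
    for rr in sorted(zone, key=canonical_key):
        if not is_apex_zonemd(rr, apex):  # the apex ZONEMD RRset cannot cover itself
            h.update(wire_rr(*rr))
    return h.hexdigest()
def soa_serial(zone, apex):
    return next(int(rr[3].split()[2]) for rr in zone if rr[0].lower() == apex.lower() and rr[2] == "SOA")
def publish(zone, apex, ttl=86400):  # (re)generate the apex ZONEMD for the zone as it stands now
    body = [rr for rr in zone if not is_apex_zonemd(rr, apex)]
    return body + [(apex, ttl, "ZONEMD", f"{soa_serial(body, apex)} {SIMPLE} {SHA384} {simple_digest(body, apex)}")]
def verify(zone, apex):  # True only if a ZONEMD carrying the SOA serial and SIMPLE/SHA-384 recomputes exactly
    for rr in zone:
        if is_apex_zonemd(rr, apex):
            serial, scheme, alg, digest = rr[3].split()
            if (int(serial), int(scheme), int(alg)) == (soa_serial(zone, apex), SIMPLE, SHA384):
                return digest.lower() == simple_digest(zone, apex)
    return False  # no usable ZONEMD: the zone must be treated as unverified

# Constructed sample zone (not a test vector from the RFC): (owner, TTL, type, presentation RDATA)
SAMPLE_ZONE = [
    ("example.", 86400, "SOA", "ns1.example. admin.example. 2018031900 1800 900 604800 86400"),
    ("example.", 86400, "NS", "ns1.example."), ("example.", 86400, "NS", "ns2.example."),
    ("ns1.example.", 3600, "A", "203.0.113.63"), ("ns2.example.", 3600, "AAAA", "2001:db8::63"),
]
```

Because the digest is computed over canonical form, reordering records or changing the case of owner names does not change it, while any change to record content or an SOA serial bump without a regenerated ZONEMD makes `verify` return False.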