Message Digest for DNS Zones
RFC 8976
| Document | Type | RFC - Proposed Standard (February 2021; Errata) | |
|---|---|---|---|
| Authors | Duane Wessels , Piet Barber , Matt Weinberg , Warren Kumari , Wes Hardaker | ||
| Last updated | 2021-02-11 | ||
| Replaces | draft-wessels-dns-zone-digest | ||
| Stream | IETF | ||
| Formats | plain text html xml pdf htmlized bibtex | ||
| Reviews | |||
| Stream | WG state | Submitted to IESG for Publication | |
| Document shepherd | Tim Wicinski | ||
| Shepherd write-up | Show (last changed 2020-07-24) | ||
| IESG | IESG state | RFC 8976 (Proposed Standard) | |
| Action Holders |
(None)
|
||
| Consensus Boilerplate | Yes | ||
| Telechat date | |||
| Responsible AD | Barry Leiba | ||
| Send notices to | Tim Wicinski <tjw.ietf@gmail.com> | ||
| IANA | IANA review state | Version Changed - Review Needed | |
| IANA action state | RFC-Ed-Ack | ||
Internet Engineering Task Force (IETF) D. Wessels
Request for Comments: 8976 P. Barber
Category: Standards Track Verisign
ISSN: 2070-1721 M. Weinberg
Amazon
W. Kumari
Google
W. Hardaker
USC/ISI
February 2021
Message Digest for DNS Zones
Abstract
This document describes a protocol and new DNS Resource Record that
provides a cryptographic message digest over DNS zone data at rest.
The ZONEMD Resource Record conveys the digest data in the zone
itself. When used in combination with DNSSEC, ZONEMD allows
recipients to verify the zone contents for data integrity and origin
authenticity. This provides assurance that received zone data
matches published data, regardless of how the zone data has been
transmitted and received. When used without DNSSEC, ZONEMD functions
as a checksum, guarding only against unintentional changes.
ZONEMD does not replace DNSSEC: DNSSEC protects individual RRsets
(DNS data with fine granularity), whereas ZONEMD protects a zone's
data as a whole, whether consumed by authoritative name servers,
recursive name servers, or any other applications.
As specified herein, ZONEMD is impractical for large, dynamic zones
due to the time and resources required for digest calculation.
However, the ZONEMD record is extensible so that new digest schemes
may be added in the future to support large, dynamic zones.
Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 7841.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
https://www.rfc-editor.org/info/rfc8976.
Copyright Notice
Copyright (c) 2021 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction
1.1. Motivation
1.2. Alternative Approaches
1.3. Design Overview
1.4. Use Cases
1.4.1. Root Zone
1.4.2. Providers, Secondaries, and Anycast
1.4.3. Response Policy Zones
1.4.4. Centralized Zone Data Service
1.4.5. General Purpose Comparison Check
1.5. Terminology
2. The ZONEMD Resource Record
2.1. Non-apex ZONEMD Records
2.2. ZONEMD RDATA Wire Format
2.2.1. The Serial Field
2.2.2. The Scheme Field
2.2.3. The Hash Algorithm Field
2.2.4. The Digest Field
2.3. ZONEMD Presentation Format
2.4. ZONEMD Example
2.5. Including ZONEMD RRs in a Zone
3. Calculating the Digest
3.1. Add ZONEMD Placeholder
3.2. Optionally, Sign the Zone
3.3. Scheme-Specific Processing
3.3.1. The SIMPLE Scheme
3.3.1.1. SIMPLE Scheme Inclusion/Exclusion Rules
3.3.1.2. SIMPLE Scheme Digest Calculation
3.4. Update ZONEMD RR
4. Verifying Zone Digest
5. IANA Considerations
5.1. ZONEMD RRtype
5.2. ZONEMD Scheme
5.3. ZONEMD Hash Algorithms
6. Security Considerations
6.1. Using Zone Digest without DNSSEC
6.2. Attacks against the Zone Digest
6.3. Use of Multiple ZONEMD Hash Algorithms
6.4. DNSSEC Timing Considerations
6.5. Attacks Utilizing ZONEMD Queries
6.6. Resilience and Fragility
7. Performance Considerations
7.1. SIMPLE SHA384
8. Privacy Considerations
9. References
9.1. Normative References
9.2. Informative References
Appendix A. Example Zones with Digests
A.1. Simple EXAMPLE Zone
A.2. Complex EXAMPLE Zone
A.3. EXAMPLE Zone with Multiple Digests
Show full document text