-
Notifications
You must be signed in to change notification settings - Fork 4
/
draft-thomassen-dnsop-dnssec-bootstrapping-01.txt
952 lines (623 loc) · 36.1 KB
/
draft-thomassen-dnsop-dnssec-bootstrapping-01.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
DNSOP Working Group P. Thomassen
Internet-Draft deSEC, Secure Systems Engineering
Intended status: Standards Track N. Wisiol
Expires: 27 March 2022 deSEC, Technische Universität Berlin
23 September 2021
Automatic Commissioning of New Signers: Solving the DNSSEC Bootstrapping
Problem using Authenticated Signals from the Zone's Operator
draft-thomassen-dnsop-dnssec-bootstrapping-01
Abstract
This document describes an authenticated in-band method for automatic
signaling of a Child DNS zone's delegation signer information from
the zone's DNS operator(s). The zone's registrar or registry may
subsequently use this signal for automatic DS record provisioning in
the parent zone. The protocol is particularly useful in case of
managed DNS providers hosting registrant's domains, where DS
provisioning has so far been cumbersome.
The signaling channel is not specific to the DS bootstrapping use
case, but equally suitable for announcing other zone-specific
information from the DNS Operator in an authenticated fashion.
Further potential applications thus include, for example, key
exchange between parties in an [RFC8901] multisigner setup.
[ Ed note: Text inside square brackets ([]) is additional background
information, answers to frequently asked questions, general musings,
etc. They will be removed before publication. This document is
being collaborated on at https://github.com/desec-io/draft-thomassen-
dnsop-dnssec-bootstrapping/ (https://github.com/desec-io/draft-
thomassen-dnsop-dnssec-bootstrapping/). The most recent version of
the document, open issues, etc. should all be available there. The
authors gratefully accept pull requests. ]
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Thomassen & Wisiol Expires 27 March 2022 [Page 1]
Internet-Draft dnssec-bootstrapping September 2021
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on 27 March 2022.
Copyright Notice
Copyright (c) 2021 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components
extracted from this document must include Simplified BSD License text
as described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3
1.2. Requirements Notation . . . . . . . . . . . . . . . . . . 4
2. Signaling . . . . . . . . . . . . . . . . . . . . . . . . . . 4
2.1. Preconditions . . . . . . . . . . . . . . . . . . . . . . 5
2.1.1. Example . . . . . . . . . . . . . . . . . . . . . . . 5
2.2. Signaling Names . . . . . . . . . . . . . . . . . . . . . 5
3. Bootstrapping a DNSSEC Delegation . . . . . . . . . . . . . . 7
3.1. Signaling Intent to Act as the Child's Signer . . . . . . 7
3.1.1. Example . . . . . . . . . . . . . . . . . . . . . . . 7
3.2. Steps Taken by the Parental Agent . . . . . . . . . . . . 8
3.2.1. Example . . . . . . . . . . . . . . . . . . . . . . . 9
3.3. Opt-out . . . . . . . . . . . . . . . . . . . . . . . . . 9
3.4. Triggers . . . . . . . . . . . . . . . . . . . . . . . . 10
4. Operational Recommendations . . . . . . . . . . . . . . . . . 11
4.1. Child DNS Operator . . . . . . . . . . . . . . . . . . . 11
4.2. Parental Agent . . . . . . . . . . . . . . . . . . . . . 11
5. Implementation Status . . . . . . . . . . . . . . . . . . . . 11
5.1. Child DNS Operator-side . . . . . . . . . . . . . . . . . 11
5.2. Parental Agent-side . . . . . . . . . . . . . . . . . . . 12
6. Security Considerations . . . . . . . . . . . . . . . . . . . 12
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13
8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 13
9. Normative References . . . . . . . . . . . . . . . . . . . . 13
Appendix A. Possible Extensions . . . . . . . . . . . . . . . . 14
Thomassen & Wisiol Expires 27 March 2022 [Page 2]
Internet-Draft dnssec-bootstrapping September 2021
A.1. Multi-Signer Setups: Onboarding a Signing Party . . . . . 15
A.1.1. Signaling Records . . . . . . . . . . . . . . . . . . 15
A.1.2. Import . . . . . . . . . . . . . . . . . . . . . . . 16
Appendix B. Change History (to be removed before final
publication) . . . . . . . . . . . . . . . . . . . . . . 16
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 17
1. Introduction
*TODO remove*: this section is inspired by [RFC7344], Section 1.
The first time a Child DNS Operator signs a zone, they need to
communicate the keying material to the Parent. Depending on the
desires of the Parent, the Child might send their DNSKEY record, a DS
record, or both.
So far, out-of-band methods are typically used to complete the chain
of trust. In-band methods exist, in particular based on the CDS and
CDNSKEY record types as specified in [RFC7344] and [RFC8078].
However, such communication is only authenticated when performing a
rollover of the Child's keys represented in the parent. An
authenticated in-band channel for enabling DNSSEC so far has been
missing.
How the keying material is conveyed to the Parent during initial
DNSSEC bootstrapping depends on the relationship the Child has with
the Parent. The communication has to occur between the Child DNS
Operator and, depending on the circumstances, the Registry or the
Registrar, possibly via the Registrant (for details, see [RFC7344],
Appendix A). In many cases, this is a manual process -- and not an
easy one. Any manual process is susceptible to mistakes and/or
errors. In addition, due to the annoyance factor of the process,
involved parties may avoid the process of getting a DS record set
published at the Parent.
DNSSEC provides data integrity to information published in DNS; thus,
DNS publication can be used to automate maintenance of delegation
information. This document describes a method to automate
publication of initial DS records for a hitherto insecure delegation.
Readers are expected to be familiar with DNSSEC, including [RFC4033],
[RFC4034], [RFC4035], [RFC6781], [RFC7344], and [RFC8078].
1.1. Terminology
The terminology we use is defined in this section. The highlighted
roles are as follows:
Thomassen & Wisiol Expires 27 March 2022 [Page 3]
Internet-Draft dnssec-bootstrapping September 2021
Child The entity on record that has the delegation of the domain
from the Parent.
Parent The zone that contains the Child's delegation records.
Child DNS Operator The entity that maintains and publishes the zone
information for the Child DNS.
Parental Agent The entity that the Child has a relationship with to
change its delegation information.
Signaling Domain(s) For any given authoritative nameserver hostname
from the Child's NS record set, the hostname prefixed with the
label "_boot" is one of the Signaling Domains for the Child Zone.
Signaling Zone The zone which is authoritative for a given Signaling
Domain.
Signaling Name A name under a Signaling Domain that can be mapped
onto the Child zone's name.
Signaling Record A DNS record located at a Signaling Name under a
Signaling Domain. Signaling Records are used by the Child DNS
Operator to publish information about the Child.
CDS/CDNSKEY This notation refers to CDS and/or CDNSKEY, i.e., one or
both.
Base32hex Encoding "Base 32 Encoding with Extended Hex Alphabet" as
per [RFC4648].
1.2. Requirements Notation
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
2. Signaling
When setting up initial trust, the child generally wants to enable
global validation. As long as the child is insecure, DNS answers can
be forged. The goal is to promote the child from insecure to secure
as soon as reasonably possible by the parent. This means that the
period from the child's publication of CDS/CDNSKEY RRset to the
parent publishing the synchronized DS RRset should be as short as
possible.
Thomassen & Wisiol Expires 27 March 2022 [Page 4]
Internet-Draft dnssec-bootstrapping September 2021
This goal is achieved by transferring trust from the Child DNS
Operator by publishing an authenticated signal that can be discovered
and processed by the Parent. Implementation by Child DNS Operators
and Parental Agents is RECOMMENDED.
2.1. Preconditions
If a Child DNS Operator implements the protocol, the following
conditions have to be met:
1. Each Signaling Zone MUST be securely delegated, i.e. have a valid
DNSSEC chain of trust from the root.
2. The Child DNS Operator MUST publish CDS/CDNSKEY records at the
Child's apex, as described in [RFC7344].
[ In the course of the bootstrapping protocol, the Parental Agent
will fetch the CDS/CDNSKEY records from another source. The second
condition ensures that the Parental Agent can validate these records
against the customary CDS/CDNSKEY records from the Child. The
bootstrapping protocol is thus an extension of the existing CDS/
CDNSKEY protocol, and therefore provides strictly stronger guarantees
than the traditional model. ]
[ Requiring presence of CDS/CDNSKEY records in the Child also
faciliates simple opt-out by the zone administrator, protects against
synchronization errors, and -- if CDS is used, whose value depends on
the Child's name -- allows detecting situations of Child name
confusion due to hash collisions (see Section 2.2). ]
2.1.1. Example
When performing DNSSEC bootstrapping for the Child zone
"example.co.uk" using NS records "ns1.example.net" and
"ns2.example.net", the Child DNS Operator
1. needs to ensure that a valid DNSSEC chain of trust exists for the
zone(s) that are authoritative for the Signaling Domains
"_boot.ns1.example.net" and "_boot.ns2.example.net";
2. publishes CDS/CDNSKEY records at "example.co.uk".
2.2. Signaling Names
To publish a piece of information about the Child zone in an
authenticated fashion, the Child DNS Operator MUST publish one or
more Signaling Records at the Child's Signaling Name under each
Signaling Domain.
Thomassen & Wisiol Expires 27 March 2022 [Page 5]
Internet-Draft dnssec-bootstrapping September 2021
Signaling Records MUST be accompanied by RRSIG records created with
the corresponding Signaling Zone's key(s). The type and contents of
these Signaling Records depend on the specific use case as described
below.
The Signaling Name MUST consist of the following two labels:
1. the first label of the Child name;
2. a label equal to the SHA-256 hash digest of the fully qualified
domain name of the Child's immediate ancestor in the DNS tree
(one level up), using wire format for the hash input and "Base 32
Encoding with Extended Hex Alphabet" as specified in [RFC4648]
for the output. Trailing padding characters ("=") MUST be
dropped.
Note that the "fully qualified domain name of the Child's immediate
ancestor in the DNS tree" coincides with the Parent's FQDN only when
the delegation is directly (one level) under the Parent's apex. For
deeper delegations, it also contains the labels between the Parent
and the Child.
[ The purpose of the hash function is to avoid the possibility of
exceeding the maximum length of a DNS name, and to normalize the
number of labels in a Signaling Name. The encoding choice is like in
NSEC3, except that SHA-256 is used instead of SHA-1. This is to
prevent other tenants in shared hosting environments from creating
collisions. ]
[ Prefixing the first label verbatim minimizes the number of hash
calculations that need to be performed by the Child DNS Operator and
the Parental Agent, and also facilitates discovery of unprocessed
Signaling Records by the Parental Agent by means of NSEC walking the
Signaling Domain. (If the first label was part of the hash, the
Parental Agent would not be able to infer the Child's name.) ]
[ *Example code* (Python, with "dnspython" package):
Thomassen & Wisiol Expires 27 March 2022 [Page 6]
Internet-Draft dnssec-bootstrapping September 2021
from base64 import b32encode
from hashlib import sha256
import dns.name
from dns.rdtypes.ANY.NSEC3 import b32_normal_to_hex
child = 'example.co.uk.'
prefix, suffix = child.split('.', 1)
suffix_wire_format = dns.name.from_text(suffix).to_wire()
suffix_digest = sha256(suffix_wire_format).digest()
suffix_digest = b32encode(suffix_digest).translate(b32_normal_to_hex).rstrip(b'=')
signaling_name = prefix + '.' + suffix_digest.lower().decode()
print(signaling_name)
# >>> 'example.bge2bvlnqt4ei2oq3v9nr8a0lh9nkf6b4lh6c3j51k5kd67helmg'
]
3. Bootstrapping a DNSSEC Delegation
3.1. Signaling Intent to Act as the Child's Signer
To announce its willingness to act as the Child's delegated signer,
the Child DNS operator co-publishes the Child's CDS/CDNSKEY records
at the corresponding Signaling Name under each Signaling Domain as
defined in Section 2.2.
Previous use of CDS/CDNSKEY records is specified at the apex only
([RFC7344], Section 4.1). This protocol extends the use of these
record types at non-apex owner names for the purpose of DNSSEC
bootstrapping. To exclude the possibility of semantic collision,
there MUST NOT be a zone cut at a Signaling Name.
Unlike the CDS/CDNSKEY records at the Child's apex, Signaling Records
MUST be signed with the corresponding Signaling Zone's key(s). Their
contents MUST be identical to the corresponding records published at
the Child's apex.
3.1.1. Example
For the purposes of bootstrapping the Child zone "example.co.uk" with
NS records "ns1.example.net" and "ns2.example.net", the required
Signaling Domains are "_boot.ns1.example.net" and
"_boot.ns2.example.net".
In the zones containing these domains, the Child DNS Operator
publishes the Child's CDS/CDNSKEY records at the names
Thomassen & Wisiol Expires 27 March 2022 [Page 7]
Internet-Draft dnssec-bootstrapping September 2021
example.bge2bvlnqt4ei2oq3v9nr8a0lh9nkf6b4lh6c3j51k5kd67helmg._boot.ns1.example.net
example.bge2bvlnqt4ei2oq3v9nr8a0lh9nkf6b4lh6c3j51k5kd67helmg._boot.ns2.example.net
where "example.bge2bvlnqt4ei2oq3v9nr8a0lh9nkf6b4lh6c3j51k5kd67helmg"
is derived from the DNS Child Zone's name "example.co.uk" as
described in Section 2.2. The records are accompanied by RRSIG
records created using the key(s) of the respective Signaling Zone.
3.2. Steps Taken by the Parental Agent
To complete the bootstrapping process, Parental Agents implementing
this protocol can act based upon a number of triggers (see
Section 3.4). Once trigger conditions are fulfilled, the Parental
Agent, knowing both the Child zone name and its NS hostnames, MUST
1. verify that the Child is not currently securely delegated;
2. query the CDS/CDNSKEY records at the Child zone apex directly
from each of the authoritative servers as listed in the NS record
set;
3. query the CDS/CDNSKEY records located at each of the Signaling
Names using a trusted validating DNS resolver;
4. check (separately by record type) that all record sets retrieved
in Steps 2 and 3 have equal contents;
If the above steps succeeded without error, the Parental Agent MUST
construct a tentative DS record set either by copying the CDS record
contents or by computing DS records from the CDNSKEY record set, or
by doing both (i.e. amending the set of records copied from the CDS
record set).
The Parental Agent then MUST verify that for each signature algorithm
present, (at least) one of the keys referenced in the tentative DS
record set signs the Child's DNSKEY record set. [ TODO Which other
checks are needed to not break anything? ]
If this is the case, the Parental Agent SHOULD publish the DS record
set in the Parent zone, so as to secure the Child's delegation.
If, however, an error condition occurs, in particular:
* in Step 1: the Child is already securely delegated;
* in Step 2: any failure during the retrieval of the CDS/CDNSKEY
records located at the Child apex from any of the authoritative
nameservers, with an empty record set qualifying as a failure;
Thomassen & Wisiol Expires 27 March 2022 [Page 8]
Internet-Draft dnssec-bootstrapping September 2021
* in Step 3: DNS resolution failure during retrieval of CDS/CDNSKEY
records from any Signaling Name, including failure of DNSSEC
validation or unauthenticated data (AD bit not set);
* in Step 4: inconsistent responses;
* the tentative DS record set includes a signature algorithm without
referencing a key of that algorithm which signs the Child's DNSKEY
record set;
the Parental Agent MUST abort the procedure.
[ This level of rigor is needed for various reasons, including that
it prevents one operator from screwing up the zone in a multi-homed
setup (where several operators serve the same zone). ]
3.2.1. Example
To bootstrap the Child zone "example.co.uk" using NS records
"ns1.example.net" and "ns2.example.net", the Parental Agent
1. checks that the Child zone is not yet securely delegated;
2. queries CDS/CDNSKEY records for "example.co.uk" directly from
"ns1.example.net" and "ns2.example.net";
3. queries the CDS/CDNSKEY records located at the Signaling Names
(see Section 2.2)
example.bge2bvlnqt4ei2oq3v9nr8a0lh9nkf6b4lh6c3j51k5kd67helmg._boot.ns1.example.net
example.bge2bvlnqt4ei2oq3v9nr8a0lh9nkf6b4lh6c3j51k5kd67helmg._boot.ns2.example.net
4. checks that the CDS/CDNSKEY record sets retrieved in Steps 2 and
3 agree across responses.
The Parental Agent then publishes a DS record set according to the
information retrieved in the previous steps.
3.3. Opt-out
As a special case of Step 2 failure, the Child MAY opt out from
DNSSEC bootstrapping by publishing a CDS/CDNSKEY record with
algorithm 0 and other fields as specified in [RFC8078], Section 4, at
its apex.
Thomassen & Wisiol Expires 27 March 2022 [Page 9]
Internet-Draft dnssec-bootstrapping September 2021
This mechanism is workable without regard to whether the Child zone's
signatures are managed by the Child DNS Operator or by the zone
owner, and without regard to what the Child DNS Operator decides to
signal under the Signaling Domain.
3.4. Triggers
[ Clarity of this section needs to be improved. ]
Parental Agents SHOULD trigger the procedure described in Section 3.2
once one of the following conditions is fulfilled:
* The Parental Agent receives a new or updated NS record set for a
Child;
* The Parental Agent encounters Signaling Records for its Children
during a scan (e.g. daily) of known Signaling Domains (derived
from the NS records used in its delegations).
To perform such a scan, the Parental Agent iterates over some or
all of its delegations and strips the first label off each one to
construct the set of immediate ancestors of its children. (For
delegations one level below the Parent, such as second-level
domain registrations, this will simply be the Parent's name.) The
Parental Agent then uses these names to compute the second label
of the Signaling Names. The scan is completed by either
- performing a targeted NSEC walk starting one level below the
Signaling Domain, at the label that encodes the Child's
ancestor; or
- by performing a zone transfer of the zone containing the
(relevant part of the) Signaling Domain, if the Signaling Zone
operator allows it, and iterating over its contents.
The Child's name is constructed by prepending the first label of
the encountered Signaling Names to the ancestor from which the
Signaling Name's second label was computed;
* The Parental Agent performs an active (e.g. daily) scan by
opportunistically querying the Signaling Records for some or all
of its delegations;
* Any other condition as deemed appropriate by local policy.
Thomassen & Wisiol Expires 27 March 2022 [Page 10]
Internet-Draft dnssec-bootstrapping September 2021
4. Operational Recommendations
4.1. Child DNS Operator
Signaling Domains SHOULD be delegated as zones of their own, so that
the Signaling Zone's apex coincides with the Signaling Domain (such
as "_boot.ns1.example.net"). While it is permissible for the
Signaling Domain to be contained in a Signaling Zone of fewer labels
(such as "example.net"), a zone cut ensures that bootstrapping
activities do not require modifications of the zone containing the
nameserver hostname.
In addition, Signaling Zones SHOULD use NSEC to allow consumers to
efficiently discover pending bootstrapping operations by means of
zone walking (see Section 3.4). This is especially useful for bulk
processing after a Child DNS Operator has enabled the protocol.
To keep the size of the Signaling Zones minimal, Child DNS Operators
SHOULD remove Signaling Records which are found to have been acted
upon. This is particularly important when the Child DNS Operator
allows Parental Agents to perform scans of the Signaling Zone, either
by allowing zone transfers or by permitting zone walks via NSEC, so
that bulk processing remains efficient.
4.2. Parental Agent
It is RECOMMENDED to perform queries within Signaling Domains
(Section 3.2) with an (initially) cold resolver cache as to retrieve
the most current information regardless of TTL. (When a batch job is
used to attempt bootstrapping for a large number of delegations, the
cache does not need to get cleared in between.)
[It is expected that Signaling Records have few consumers only, so
that caching would not normally have a performance benefit. On the
other hand, perhaps it is better to RECOMMEND low TTLs instead?]
5. Implementation Status
*Note to the RFC Editor*: please remove this entire section before
publication.
5.1. Child DNS Operator-side
* Knot DNS supports manual creation of non-apex CDS/CDNSKEY/DNSKEY
records.
* PowerDNS supports manual creation of non-apex CDS/CDNSKEY/DNSKEY
records.
Thomassen & Wisiol Expires 27 March 2022 [Page 11]
Internet-Draft dnssec-bootstrapping September 2021
* Proof-of-concept Signaling Domains with several thousand Signaling
Names exist at "_boot.ns1.desec.io" and "_boot.ns2.desec.org".
Signaling Names can be discovered via NSEC walking.
* A tool to automatically generate signaling records for
bootstrapping purposes is under development by the authors.
5.2. Parental Agent-side
* A tool to retrieve and process Signaling Records for bootstrapping
purposes, either directly or via zone walking, is available at
https://github.com/desec-io/dsbootstrap (https://github.com/desec-
io/dsbootstrap). The tool implements outputs the validated DS
records which then can be added to the parent zone.
6. Security Considerations
Thoughts:
* We use at least one established chain of trust (via the secure
delegations of the zones containing the NS hostnames). As a
result,
- communication is authenticated;
- process is immediate (no need for observing CDS/CDNSKEY records
via TCP for several days);
- an active on-wire attacker cannot tamper with the delegation.
* The security level of the method is strictly higher than the
"accept CDS/CDNSKEY after a while"-approach that is already in use
at several ccTLD registries ("Accept after Delay", [RFC8078],
Section 3.3). This is because the method described here adds
stronger guarantees, but removes nothing.
* Actors in the chain(s) of trust of the zone(s) used for
bootstrapping (the DNS Operator themselves, plus entities further
up in the chain) can undermine the protocol. However,
- that's also possible in the case of CDS/CDNSKEY (see previous
point);
- if the Child DNS Operator doesn't control the zones in which
its NS hostnames live (including their nameservers' A records)
because the path from the root is untrusted, you probably don't
want to trust that operator as a whole;
Thomassen & Wisiol Expires 27 March 2022 [Page 12]
Internet-Draft dnssec-bootstrapping September 2021
- when bootstrapping is done upon receipt of a new NS record set,
the window of opportunity is very small;
- mitigation exists by diversifying e.g. the nameserver
hostname's TLDs, which is advisable anyways;
- correct bootstrapping is easily monitored by the Child DNS
operator.
* Prevention of accidental misprovisioning / enforcing explicit
provisioning:
- In case of a hash collision, two distinct child zones may be
associated with the same signaling name so that their keys may
get mixed up. While not currently feasible, malicious
customers in shared hosting environments may attempt to produce
such a collision. Is it worth mitigating this by introducing a
salt, e.g. stored in a TXT record located at the Signaling
Domain? (In case of a collision, one can set a new salt.)
7. IANA Considerations
*TODO:* reserve "_boot"?
This document has no IANA actions.
8. Acknowledgements
Thanks to Brian Dickson, John R. Levine, and Ondřej Caletka for
reviewing draft proposals and offering comments and suggestions.
Thanks also to Steve Crocker, Hugo Salgado, and Ulrich Wisser for
early-stage brainstorming.
9. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
[RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "DNS Security Introduction and Requirements",
RFC 4033, DOI 10.17487/RFC4033, March 2005,
<https://www.rfc-editor.org/info/rfc4033>.
Thomassen & Wisiol Expires 27 March 2022 [Page 13]
Internet-Draft dnssec-bootstrapping September 2021
[RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "Resource Records for the DNS Security Extensions",
RFC 4034, DOI 10.17487/RFC4034, March 2005,
<https://www.rfc-editor.org/info/rfc4034>.
[RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "Protocol Modifications for the DNS Security
Extensions", RFC 4035, DOI 10.17487/RFC4035, March 2005,
<https://www.rfc-editor.org/info/rfc4035>.
[RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data
Encodings", RFC 4648, DOI 10.17487/RFC4648, October 2006,
<https://www.rfc-editor.org/info/rfc4648>.
[RFC6781] Kolkman, O., Mekking, W., and R. Gieben, "DNSSEC
Operational Practices, Version 2", RFC 6781,
DOI 10.17487/RFC6781, December 2012,
<https://www.rfc-editor.org/info/rfc6781>.
[RFC7344] Kumari, W., Gudmundsson, O., and G. Barwood, "Automating
DNSSEC Delegation Trust Maintenance", RFC 7344,
DOI 10.17487/RFC7344, September 2014,
<https://www.rfc-editor.org/info/rfc7344>.
[RFC7477] Hardaker, W., "Child-to-Parent Synchronization in DNS",
RFC 7477, DOI 10.17487/RFC7477, March 2015,
<https://www.rfc-editor.org/info/rfc7477>.
[RFC8078] Gudmundsson, O. and P. Wouters, "Managing DS Records from
the Parent via CDS/CDNSKEY", RFC 8078,
DOI 10.17487/RFC8078, March 2017,
<https://www.rfc-editor.org/info/rfc8078>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[RFC8901] Huque, S., Aras, P., Dickinson, J., Vcelak, J., and D.
Blacka, "Multi-Signer DNSSEC Models", RFC 8901,
DOI 10.17487/RFC8901, September 2020,
<https://www.rfc-editor.org/info/rfc8901>.
Appendix A. Possible Extensions
The mechanism described in Section 2.2 provides a public,
authenticated, in-band, unidirectional channel through which the
Child DNS Operator can publish information on the zones it serves.
Thomassen & Wisiol Expires 27 March 2022 [Page 14]
Internet-Draft dnssec-bootstrapping September 2021
By provisioning other types of Signaling Records, the Child DNS
Operator can therefore convey signals that pertain to use cases other
than bootstrapping a DNSSEC delegation.
A.1. Multi-Signer Setups: Onboarding a Signing Party
[RFC8901] describes multi-signer models in which several Child DNS
Operators serve the same Child zone. In one of these scenarios
(Model 2, [RFC8901], Section 2.1.2), each Child DNS Operator holds a
unique KSK set and ZSK set to sign the zone.
To ensure smooth resolution of Child zone queries, this scheme
demands that participating Child DNS Operators import the ZSK sets of
the other providers into their DNSKEY RRset. Further, each
operator's KSK(s) need to be included in the DS record set at the
delegation point in the Parent zone. When a new Child DNS Operator
is joining the scheme, these synchronization processes have to occur
before the new operator's nameserver hostnames are included in the
Child's NS record set.
So far, it has been assumed that the KSK and ZSK extraction and
provisioning would happen through some proprietary API at each DNS
operator ([RFC8901], Section 9). We now describe how a Child DNS
Operator can instead use Signaling Records to make its own set of
DNSKEY records available for querying by other signing parties, so
that they can retrieve, validate, and process them.
A.1.1. Signaling Records
Given a Child zone "example.co.uk" that is already securely delegated
with authoritative nameservers "ns1.example.net" and
"ns2.example.net", we consider how a new Child DNS Operator using
nameservers "ns3.example.org" and "ns4.example.org" can distribute
its DNSKEY record set to the existing signing parties, in order to
join the multi-signer group.
The Signaling Domains corresponding to the new Child DNS Operator's
nameservers are "_boot.ns3.example.org" and "_boot.ns4.example.org".
In the zones containing these domains, the new Child DNS Operator
publishes a DNSKEY record set containing the keys used by the
operator when operating the Child zone, at the Signaling Names
example.bge2bvlnqt4ei2oq3v9nr8a0lh9nkf6b4lh6c3j51k5kd67helmg._boot.ns3.example.org
example.bge2bvlnqt4ei2oq3v9nr8a0lh9nkf6b4lh6c3j51k5kd67helmg._boot.ns4.example.org
Thomassen & Wisiol Expires 27 March 2022 [Page 15]
Internet-Draft dnssec-bootstrapping September 2021
where the first label is calculated as described in Section 2.2. The
records are accompanied by RRSIG records created using the key(s) of
the respective Signaling Zone.
Note that DNSKEY records are not restricted to apex owner names
([RFC4035], Section 2.1). However, only apex DNSKEY records are used
for DNSSEC validation ([RFC4035], Section 5). As Signaling Names do
not occur on zone cuts (see Section 3.1), the use of DNSKEY records
described here does not interfere with existing DNSKEY uses.
A.1.2. Import
With the Signaling Records in place, an algorithm similar to the one
given in Section 3.2 can be used to query and validate the joining
operator's DNSKEY set. The required steps can either be taken
autonomously by each participating operator (query, validate, update
local zone copy with imported information), or be subject to central
coordination using "Multisigner Controller" tooling which interfaces
with each operator.
The new KSKs can then be added to the delegation's DS record set as
described in [RFC8901], Section 8 (i.e. via an [RFC7344] rollover
using CDS/CDNSKEY records), followed by the inclusion of the new ZSKs
in the other operators' DNSKEY record sets. Similarly, the new
operator can import the other operators' DNSKEYs into its local copy
of the Child zone (either autonomously, or via central coordination).
[ Note that the DNSKEY record set in the Child zone contains keys
from all operators, whereas the DNSKEY record set published under the
Signaling Domain is restricted to keys actively used by the
publishing operator. ]
After convergence on the served DNSKEY record sets has been achieved,
the joining process is completed by amending the Child's NS record
set to include the new operator's authoritative nameservers, followed
by a corresponding update of the NS delegation records at the Parent
(e.g. using CSYNC [RFC7477]).
Appendix B. Change History (to be removed before final publication)
* draft-thomassen-dnsop-dnssec-bootstrapping-01
| Add section on Triggers.
|
| Clarified title.
|
| Improved abstract.
|
Thomassen & Wisiol Expires 27 March 2022 [Page 16]
Internet-Draft dnssec-bootstrapping September 2021
| Require CDS/CDNSKEY records at the Child.
|
| Reworked Signaling Name scheme.
|
| Recommend using cold cache for consumption.
|
| Updated terminology (replace "Bootstrapping" by "Signaling").
|
| Added NSEC recommendation for Bootstrapping Zones.
|
| Added multi-signer use case.
|
| Editorial changes.
* draft-thomassen-dnsop-dnssec-bootstrapping-00
| Initial public draft.
Authors' Addresses
Peter Thomassen
deSEC, Secure Systems Engineering
Berlin
Germany
Email: [email protected]
Nils Wisiol
deSEC, Technische Universität Berlin
Berlin
Germany
Email: [email protected]
Thomassen & Wisiol Expires 27 March 2022 [Page 17]