| TOC |
|
This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html.
This Internet-Draft will expire on December 30, 2004.
Copyright (C) The Internet Society (2004). All Rights Reserved.
DNSSEC-bis uses the NSEC record to provide authenticated denial of existence of RRsets. NSEC also has the side-effect of permitting zone enumeration, even if zone transfers have been forbidden. Because some see this as a problem, this document has been assembled to detail the possible requirements for denial of existence A/K/A signed proof of non-existence.
1.
Introduction
2.
Zone Enumeration
3.
Zone Size
4.
Single Method
5.
Empty Non-terminals
6.
Prevention of Precomputed Dictionary Attacks
7.
DNSSEC-Adoption and Zone-Growth Relationship
8.
Non-overlap of denial records with possible zone records
9.
Acknowledgements
10.
Requirements notation
11.
Security Considerations
§.
Normative References
§.
Informative References
§
Authors' Addresses
§
Intellectual Property and Copyright Statements
| TOC |
NSEC records allow trivial enumeration of zones - a situation that has existed for several years but which has recently been raised as a significant concern for DNSSECbis deployment in several zones. Alternate proposals have been made that make zone enumeration more difficult, and some previous proposals to modify DNSSEC had related requirements/desirements that are relevant to the discussion. In addition the original designs for NSEC/NXT records were based on working group discussions and the choices made were not always documented with context and requirements-- so some of those choices may need to be restated as requirements. Overall, the working group needs to better understand the requirements for denial of existence (and certain other requirements related to DNSSECbis deployment) in order to evaluate the proposals that may replace NSEC.
In the remainder of this document, "NSEC++" is used as shorthand for "a denial of existence proof that will replace NSEC". "NSECbis" has also been used as shorthand for this, but we avoid that usage since NSECbis will not be part of DNSSECbis and therefore there might be some confusion.
| TOC |
Authenticated denial should not permit trivial zone enumeration.
Additional discussion: NSEC (and NXT before it) provide a linked list that could be "walked" to trivially enumerate all the signed records in a zone. This requirement is primarily (though not exclusively) important for zones that either are delegation-only/-mostly or do not have reverse lookup (PTR) records configured, since enterprises that have PTR records for all A records have already provided a similar capability to enumerate the contents of DNS zones.
Contributor: various
| TOC |
Requirement: NSEC++ should make it possible to take precautions against trivial zone size estimates. Since not all zone owners care about others estimation of the size of a zone, it is not always necessary to prohibit trivial estimation of the size of the zone but NSEC++ should not prevent such measures.
Additional Discussion: Even with NSEC2 it is trivial to give very good estimates of the number of domains in a certain zone. Just send 10 random queries and look at the range between the two hash values returned in each NSEC2. As hash output can be assumed to follow a rectangular random distribution, using the mean difference between the two values, you can estimate the total number of records. It is probably sufficient to look at even one NSEC2, since the two hash values should follow a (I believe) Poisson distribution.
The concern is motivated by some wording remembered from NSEC, which stated that NSEC MUST only be present for existing owner names in the zone, and MUST NOT be present for non-existing owner names. If similar wording were carried over to NSEC2, introducing bogus owner names in the hash chain (an otherwise simple solution to guard against trivial estimates of zone size) wouldn't be allowed.
One simple attempt at solving this is to describe in the specifications how zone signer tools can add a number of random "junk" records.
Contributor: Simon Josefsson.
| TOC |
Requirement: A single NSEC++ method must be able to carry both old-style denial (i.e. plain labels) and whatever the new style looks like. Having two separate denial methods could result in cornercases where one method can deny the other and vice versa.
Additional discussion: This requirement can help -bis folks to a smooth upgrade to -ter. First they'd change the method while the content is the same, then they can change content of the method. As an example, NSEC2 currently can have only hashed labels, so the choice for a zone operator would be to use either NSEC or NSEC2 with no smooth transition possible. DNSNR can handle both methods. (Of course NSEC2 can easily be made to do that).
Contributor: Roy Arends.
| TOC |
Requirement: Empty-non-terminals (ENT) should remain empty. In other words, adding NSEC++ records to an existing DNS structure should not cause the creation of NSEC++ records (or related records) at points that are otherwise ENT.
Additional discussion: Currently NSEC complies with ENT requirement: b.example.com NSEC a.c.example.com implies the existence of an ENT with ownername c.example.com. NSEC2 breaks that requirement, since the ownername is entirely hashed causing the structure to disappear. This is why EXIST was introduced. But EXIST causes ENT to be non-empty-terminals. Next to the dissappearance of ENT, it causes (some) overhead since an EXIST record needs a SIG, NSEC2 and SIG(NSEC2). DNSNR honours this requirement by hashing individual labels instead of ownernames. However this causes very long labels. Truncation is a measure against very long ownernames, but that is controversial. There is a fair discussion of the validity of truncation in the DNSNR draft, but that hasn't got proper review yet.
Contributor: Roy Arends.
(Editor comment: it is not clear to us that an EXIST record needs an NSEC2 record, since it is a special purpose record only used for denial of existence)
| TOC |
Requirement: NSEC++ needs to provide a method to reduce the effectiveness of precomputed dictionary attacks.
Additional Discussion: Salt is a measure against dictionary attacks. There are other possible measures (such as iterating hashes in NSEC2). The salt needs to be communicated in every response, since it is needed in every verification. Some have suggested to move the salt to a special record instead of the denial record. I think this is not wise. Response size has more priority over zone size. An extra record causes a larger response than a larger existing record.
Contributor: Roy Arends.
(Editor comment: the current version of NSEC2 also has the salt in every NSEC2 record)
| TOC |
Background: Currently with NSEC, when a delegation centric zone deploys DNSSEC, the zone-size multiplies by a non-trivial factor even when the DNSSEC-adoption rate of the subzones remains low--because each delegation point creates at least one NSEC record and corresponding signature in the parent even if the child is not signed.
Requirements: A delegation-only (or delegation-mostly) zone that is signed but which has no signed child zones should initially need only to add SIG(SOA), DNSKEY, and SIG(DNSKEY) at the apex, along with some minimal set of NSEC++ records to cover zone contents. Further, during the transition of a delegation-only zone from 0% signed children to 100% signed children, the growth in the delegation-only zone should be roughly proportional to the percentage of signed child zones.
Additional Discussion: This is why DNSNR has the Authoritative Only bit. This is similar to opt-in for delegations only. This (bit) is currently the only method to help delegation-centric zone cope with zone-growth due to DNSSEC adoption. As an example, A delegation only zone which deploys DNSSEC with the help of this bit, needs to add SIG(SOA), DNSKEY, SIG(DNSKEY), DNSNR, SIG(DNSNR) at the apex. No more than that.
Contributor: Roy Arends.
| TOC |
Requirement: NSEC++ records should in some way be differentiated from regular zone records, so that there is no possibility that a record in the zone could be duplicated by a non-existence proof (NSEC++) record.
Additional discussion: This requirement is derived from a discussion on the DNSEXT mailing list related to copyrights and domain names. As was outlined there, one solution is to put NSEC++ records in a separate namespace, e.g.: $ORIGIN co.uk. 873bcdba87401b485022b8dcd4190e3e IN NS jim.rfc1035.com ; your delegation 873bcdba87401b485022b8dcd4190e3e._no IN NSEC++ 881345... ; for amazon.co.uk.
Contributor: various
(Editor comment: One of us still does not see why a conflict matters. Even if there is an apparent conflict or overlap, the "conflicting" NSEC2 name _only_ appears in NSEC2 records, and the other name _never_ appears in NSEC2 records.)
| TOC |
| TOC |
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]Bradner, S., Key words for use in RFCs to Indicate Requirement Levels, March 1997..
| TOC |
There are currently no security considerations called out in this draft. There will be security considerations in the choice of which requirements will be implemented, but there are no specific security requirements during the requirements collection process.
| TOC |
| TOC |
| [dnssecbis-protocol] | "DNSSECbis Protocol Definitions", BCP XX, RFC XXXX, September 1998. |
| TOC |
| [RFC2026] | Bradner, S., "The Internet Standards Process -- Revision 3", BCP 9, RFC 2026, October 1996. |
| [RFC2119] | Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997 (HTML, XML). |
| [RFC2418] | Bradner, S., "IETF Working Group Guidelines and Procedures", BCP 25, RFC 2418, September 1998 (HTML, XML). |
| TOC |
| Ben Laurie | |
| Nominet | |
| 17 Perryn Road | |
| London W3 7LR | |
| England | |
| Phone: | +44 (20) 8735 0686 |
| EMail: | ben@algroup.co.uk |
| Rip Loomis | |
| Science Applications International Corporation | |
| 7125 Columbia Gateway Drive, Suite 300 | |
| Columbia, MD 21046 | |
| US | |
| EMail: | gilbert.r.loomis@saic.com |
| TOC |
The IETF takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on the IETF's procedures with respect to rights in standards-track and standards-related documentation can be found in BCP-11. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementors or users of this specification can be obtained from the IETF Secretariat.
The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights which may cover technology that may be required to practice this standard. Please address the information to the IETF Executive Director.
Copyright (C) The Internet Society (2004). All Rights Reserved.
This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.
The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assignees.
This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Funding for the RFC Editor function is currently provided by the Internet Society.