Clarifications and Implementation Notes for DNSSECbis
SPARTA, Inc.
7110 Samuel Morse Drive
Columbia, Maryland
21046
US
weiler@tislabs.com
VeriSign, Inc.
21345 Ridgetop Circle
Dulles
VA
20166
US
davidb@verisign.com
DNSSEC
This document is a collection of technical clarifications to
the DNSSECbis document set. It is meant to serve as a resource
to implementors as well as a repository of DNSSECbis errata.
This document lists some clarifications and corrections to
DNSSECbis, as described in , , and .
It is intended to serve as a resource for implementors and as
a repository of items that need to be addressed when advancing
the DNSSECbis documents from Proposed Standard to Draft
Standard.
The clarifications to DNSSECbis are sorted according to
their importance, starting with ones which could, if ignored,
lead to security and stability problems and progressing down
to clarifications that are expected to have little operational
impact.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL",
"SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described
in .
This section provides pointers to documents published since
DNSSECbis that validators should also implement. The NSEC3
specification describes the use and behavior of
the NSEC3 and NSEC3PARAM records for hashed denial of
existence. Validator implementations are strongly encouraged
to include support for NSEC3 as a number of highly visible
zones are expected to use it. Validators that do not
support validation of responses using NSEC3 will likely be
hampered in validating large portions of the DNS space.
should be considered part of the
DNS Security Document Family as described by , Section 10.
describes the use of SHA-256 as a
digest algorithm for use with Delegation Signer (DS) RRs.
describes
the use of the RSASHA256 algorithm for use in DNSKEY and RRSIG
RRs. Validator implementations are strongly encouraged to
include support for this algorithm for DS, DNSKEY, and RRSIG
records.
Both and should also be
considered part of the DNS Security Document Family as
described by , Section 10.
This section provides clarifications that, if overlooked,
could lead to security issues or major interoperability
problems.
Section 5.4 underspecifies the
algorithm for checking non-existence proofs. In particular,
the algorithm as presented would incorrectly allow an NSEC or
NSEC3 RR from an ancestor zone to prove the non-existence of
other RRs at that name in the child zone or other names in the
child zone.
An "ancestor delegation" NSEC RR (or NSEC3 RR) is one
with:
the NS bit set,
the SOA bit clear, and
a signer field that is shorter than the owner name of
the NSEC RR, or the original owner name for the NSEC3
RR.
Ancestor delegation NSEC or NSEC3 RRs MUST NOT be used to
assume non-existence of any RRs below that zone cut, which
include all RRs at that (original) owner name other than DS
RRs, and all RRs below that owner name regardless of type.
Similarly, the algorithm would also allow an NSEC RR at the
same owner name as a DNAME RR, or an NSEC3 RR at the same
original owner name as a DNAME, to prove the non-existence of
names beneath that DNAME. An NSEC or NSEC3 RR with the DNAME
bit set MUST NOT be used to assume the non-existence of any
subdomain of that NSEC/NSEC3 RR's (original) owner name.
does not address how to validate
responses when QTYPE=*. As described in Section 6.2.2 of
, a proper response to QTYPE=* may
include a subset of the RRsets at a given name -- it is not
necessary to include all RRsets at the QNAME in the
response.
When validating a response to QTYPE=*, validate all
received RRsets that match QNAME and QCLASS. If any of those
RRsets fail validation, treat the answer as Bogus. If there
are no RRsets matching QNAME and QCLASS, validate that fact
using the rules in Section 5.4 (as
clarified in this document). To be clear, a validator must
not expect to receive all records at the QNAME in response to
QTYPE=*.
Section 5 of says little about
validating responses based on (or that should be based on)
CNAMEs. When validating a NOERROR/NODATA response, validators
MUST check the CNAME bit in the matching NSEC or NSEC3 RR's
type bitmap. If the CNAME bit is set, the validator MUST
validate the CNAME RR and follow it, as appropriate.
Section 5.2 specifies that a
validator, when proving a delegation is not secure, needs to
check for the absence of the DS and SOA bits in the NSEC (or
NSEC3) type bitmap. The validator also needs to check for the
presence of the NS bit in the NSEC (or NSEC3) RR (proving that
there is, indeed, a delegation). If this is not checked,
spoofed unsigned delegations might be used to claim that an
existing signed record is not signed.
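The two rules above (ancestor-delegation NSEC/NSEC3 RRs and NSEC/NSEC3 RRs with the DNAME bit set) and the insecure-delegation bitmap check from Section 5.2, written out as an added example that is not part of this document. It models only the bitmap, owner name and RRSIG signer of a proof; the usual NSEC range and NSEC3 hash checks are assumed to happen elsewhere, and all names in the test data are constructed.

```python
"""Added example (not part of this document): which NSEC/NSEC3 RRs may be
used as non-existence proofs, following the ancestor-delegation and DNAME
rules above and the insecure-delegation bitmap check of Section 5.2."""


def _labels(name):
    """Labels of an absolute name, lowercased, apex-most last; root -> []."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []


def is_subdomain(name, ancestor):
    """True if `name` equals `ancestor` or lies below it."""
    n, a = _labels(name), _labels(ancestor)
    return len(n) >= len(a) and n[len(n) - len(a):] == a


class NSECProof:
    """An NSEC RR (or NSEC3 RR) together with the signer name from its RRSIG.
    `owner` is the NSEC owner name or, for NSEC3, the original owner name."""

    def __init__(self, owner, signer, types):
        self.owner = owner
        self.signer = signer
        self.types = {t.upper() for t in types}

    def is_ancestor_delegation(self):
        # NS set, SOA clear, and signed by a zone above the owner name.
        return ("NS" in self.types and "SOA" not in self.types
                and len(_labels(self.signer)) < len(_labels(self.owner)))


def may_prove_nonexistence(proof, qname, qtype):
    """True if `proof` is allowed to prove that (qname, qtype) does not exist.
    Range/hash matching is not done here; only the two MUST NOT rules."""
    qtype = qtype.upper()
    same_name = _labels(qname) == _labels(proof.owner)
    below = is_subdomain(qname, proof.owner) and not same_name
    if proof.is_ancestor_delegation():
        # Everything at or under the zone cut belongs to the child zone,
        # except the DS RRset, which lives in the parent.
        if same_name:
            return qtype == "DS"
        if below:
            return False
    if "DNAME" in proof.types and below:
        # Names under a DNAME are synthesized by the DNAME; the NSEC at the
        # DNAME owner says nothing about whether they exist.
        return False
    return True


def proves_insecure_delegation(proof):
    """Section 5.2 as clarified: to prove a delegation is unsigned, the
    NSEC/NSEC3 must show NS present and both DS and SOA absent. Without the
    NS check, a spoofed NSEC could claim a signed name is an unsigned cut."""
    return ("NS" in proof.types and "DS" not in proof.types
            and "SOA" not in proof.types)
```

A validator that applies these checks before using any NSEC/NSEC3 as a denial will refuse the parent-side NSEC for `sub.example.` as proof that `www.sub.example./A` is absent, while still accepting it as proof that no DS exists at the cut.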
When canonicalizing DNS names, DNS names in the RDATA
section of NSEC and RRSIG resource records are not
downcased.
Section 6.2 item 3 has a list of
resource record types for which DNS names in the RDATA are
downcased for purposes of DNSSEC canonical form (for both
ordering and signing). That list erroneously contains NSEC
and RRSIG. According to , DNS names
in the RDATA of NSEC and RRSIG should not be downcased.
The same section also erroneously lists HINFO, and twice at
that. Since HINFO records contain no domain names, they are
not subject to downcasing.
Section 5.2 of includes rules for
how to handle delegations to zones that are signed with
entirely unsupported algorithms, as indicated by the
algorithms shown in those zone's DS RRsets. It does not
explicitly address how to handle DS records that use
unsupported message digest algorithms. In brief, DS records
using unknown or unsupported message digest algorithms MUST be
treated the same way as DS records referring to DNSKEY RRs of
unknown or unsupported algorithms.
The existing text says:
If the validator does not support any of the algorithms
listed in an authenticated DS RRset, then the resolver has
no supported authentication path leading from the parent
to the child. The resolver should treat this case as it
would the case of an authenticated NSEC RRset proving that
no DS RRset exists, as described above.
To paraphrase the above, when determining the security
status of a zone, a validator discards (for this purpose only)
any DS records listing unknown or unsupported algorithms. If
none are left, the zone is treated as if it were unsigned.
Modified to consider DS message digest algorithms, a
validator also discards any DS records using unknown or
unsupported message digest algorithms.
As discussed above, section 5.2 of
requires that validators make decisions about the security
status of zones based on the public key algorithms shown in
the DS records for those zones. In the case of private
algorithms, as described in Appendix
A.1.1, the eight-bit algorithm field in the DS RR is not
conclusive about what algorithm(s) is actually in use.
If no private algorithms appear in the DS set or if any
supported algorithm appears in the DS set, no special
processing will be needed. In the remaining cases, the
security status of the zone depends on whether or not the
resolver supports any of the private algorithms in use
(provided that these DS records use supported hash functions,
as discussed in ). In these cases, the
resolver MUST retrieve the corresponding DNSKEY for each
private algorithm DS record and examine the public key field
to determine the algorithm in use. The security-aware
resolver MUST ensure that the hash of the DNSKEY RR's owner
name and RDATA matches the digest in the DS RR. If they do
not match, and no other DS establishes that the zone is
secure, the referral should be considered BAD data, as
discussed in .
This clarification facilitates the broader use of private
algorithms, as suggested by .
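The DS handling described in the preceding two sections, as an added example that is not part of this document: DS records with an unsupported digest type are discarded exactly like DS records naming an unsupported key algorithm, a zone with no usable DS left is treated as insecure, and a private-algorithm DS (algorithm 253) is resolved by reading the algorithm name out of the child's DNSKEY public key field and checking the DS digest against that key. The supported-algorithm sets, the private algorithm name `alg.private.example.` and the key bytes are assumptions for the example; the digest construction (hash over canonical owner name plus DNSKEY RDATA) is the one RFC 4034 and RFC 4509 define.

```python
"""Added example (not from this document): a child zone's security status
from its authenticated DS RRset, with unsupported digest types and private
algorithms handled as clarified above. Policy sets below are assumptions."""
import hashlib

DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types we support
PRIVATEDNS = 253                                     # RFC 4034 Appendix A.1.1
SUPPORTED_ALGS = {8}                                 # assumed: RSASHA256 only
SUPPORTED_PRIVATE_NAMES = {"alg.private.example."}   # assumed private-alg name


def name_to_wire(name):
    """Canonical (lowercase) wire form of an absolute domain name."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags, alg, pubkey):
    """DNSKEY RDATA: flags, protocol (always 3), algorithm, public key."""
    return flags.to_bytes(2, "big") + b"\x03" + bytes([alg]) + pubkey


def ds_digest(owner, rdata, digest_type):
    """DS digest = H(canonical owner name || DNSKEY RDATA)."""
    return DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).digest()


def private_alg_name(pubkey):
    """Algorithm 253: the public key field begins with a wire-format domain
    name identifying the real algorithm; return it as presentation text."""
    labels, i = [], 0
    while i < len(pubkey) and pubkey[i]:
        n = pubkey[i]
        labels.append(pubkey[i + 1:i + 1 + n].decode("ascii").lower())
        i += 1 + n
    return ".".join(labels) + "."


def zone_security_status(owner, ds_rrset, dnskeys):
    """ds_rrset: authenticated (key_tag, alg, digest_type, digest) tuples.
    dnskeys: (flags, alg, pubkey) tuples from the child's DNSKEY RRset, used
    only to look inside private-algorithm keys.
    Returns 'secure' (a usable DS exists), 'insecure' (no usable DS: treat as
    if no DS RRset existed) or 'bogus' (a private-alg DS we could check did
    not match any key and nothing else makes the zone secure)."""
    usable, mismatched = False, False
    for _tag, alg, dtype, digest in ds_rrset:
        if dtype not in DIGEST_ALGS:
            continue            # unsupported digest type: discard like an unknown alg
        if alg in SUPPORTED_ALGS:
            usable = True
            continue
        if alg != PRIVATEDNS:
            continue            # unsupported public key algorithm: discard
        # The 8-bit algorithm field is not conclusive; look at the key itself.
        candidates = [(f, k, p) for f, k, p in dnskeys
                      if k == PRIVATEDNS
                      and private_alg_name(p) in SUPPORTED_PRIVATE_NAMES]
        if not candidates:
            continue            # private algorithm we cannot verify: discard
        if any(ds_digest(owner, dnskey_rdata(f, k, p), dtype) == digest
               for f, k, p in candidates):
            usable = True
        else:
            mismatched = True   # BAD data unless another DS secures the zone
    if usable:
        return "secure"
    return "bogus" if mismatched else "insecure"
```

Key tag matching between DS and DNSKEY is omitted here for brevity; a real validator would narrow `candidates` by key tag before hashing.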
When multiple RRSIGs cover a given RRset, Section 5.3.3 suggests that "the local
resolver security policy determines whether the resolver also
has to test these RRSIG RRs and how to resolve conflicts if
these RRSIG RRs lead to differing results." In most cases, a
resolver would be well advised to accept any valid RRSIG as
sufficient. If the first RRSIG tested fails validation, a
resolver would be well advised to try others, giving a
successful validation result if any can be validated and
giving a failure only if all RRSIGs fail validation.
If a resolver adopts a more restrictive policy, there's a
danger that properly-signed data might unnecessarily fail
validation, perhaps because of cache timing issues.
Furthermore, certain zone management techniques, like the
Double Signature Zone-signing Key Rollover method described in
section 4.2.1.2 of might not work
reliably.
Appendix B.1 incorrectly defines
the Key Tag field calculation for algorithm 1. It correctly
says that the Key Tag is the most significant 16 of the least
significant 24 bits of the public key modulus. However, it then
goes on to say, incorrectly, that these are the 4th-to-last and
3rd-to-last octets of the public key modulus. They are, in fact,
the 3rd-to-last and 2nd-to-last octets.
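The key tag computation from RFC 4034 Appendix B with the algorithm 1 case as corrected above, as an added example that is not part of this document. The misstated variant is included only to show that it yields a different tag; the sample key bytes are constructed.

```python
"""Added example (not from this document): DNSKEY key tag computation with
the algorithm 1 (RSA/MD5) special case as corrected above."""


def key_tag(flags, protocol, alg, pubkey):
    """Key tag of a DNSKEY RR given its RDATA fields (RFC 4034 Appendix B)."""
    if alg == 1:
        return key_tag_alg1(pubkey)
    rdata = flags.to_bytes(2, "big") + bytes([protocol, alg]) + pubkey
    ac = 0
    for i, octet in enumerate(rdata):
        ac += octet if i & 1 else octet << 8   # even offsets are high octets
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def key_tag_alg1(pubkey):
    """Algorithm 1: the most significant 16 of the least significant 24 bits
    of the modulus, i.e. the 3rd-to-last and 2nd-to-last octets. The RSA/MD5
    key field ends with the modulus, so indexing from the end of the public
    key field reaches the modulus directly."""
    return int.from_bytes(pubkey[-3:-1], "big")


def key_tag_alg1_as_misstated(pubkey):
    """What Appendix B.1's prose literally says (4th- and 3rd-to-last
    octets). It disagrees with the bit description and must not be used."""
    return int.from_bytes(pubkey[-4:-2], "big")
```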
does not provide any instructions
to servers as to how to set the DO bit. Some authoritative
server implementations have chosen to copy the DO bit settings
from the incoming query to the outgoing response. Others have
chosen to never set the DO bit in responses. Either behavior
is permitted. To be clear, in replies to queries with the
DO bit set, servers may or may not set the DO bit.
Section 3.2.3 of describes under
which conditions a validating resolver should set or clear the
AD bit in a response. In order to protect legacy stub
resolvers and middleboxes, validating resolvers SHOULD only
set the AD bit when a response both meets the conditions
listed in RFC 4035, section 3.2.3, and the request contained
either a set DO bit or a set AD bit.
Note that the use of the AD bit in the query was previously
undefined. This document defines it as a signal indicating
that the requester understands and is interested in the value
of the AD bit in the response. This allows a requestor to
indicate that it understands the AD bit without also
requesting DNSSEC data via the DO bit.
When processing a request with the CD bit set, the resolver
MUST set the CD bit on its upstream queries.
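The DO, AD and CD rules from the three preceding sections applied to a DNS header, as an added example that is not part of this document: AD goes out only when the answer validated and the client signalled (via DO or AD in the query) that it understands AD; a client's CD is propagated upstream; and DO in the reply is a free choice, shown here as echoing the query. The flag bit positions are those of the DNS header and the EDNS OPT TTL field; the query headers in the test are constructed.

```python
"""Added example (not from this document): DO/AD/CD handling for a
validating resolver's reply and its upstream queries."""

QR, AD, CD = 0x8000, 0x0020, 0x0010   # DNS header flag bits
DO = 0x8000                           # high bit of the EDNS OPT RR TTL field


def query_header(qid, flags, qdcount=1):
    """Build a 12-octet DNS header (constructed test input)."""
    return (qid.to_bytes(2, "big") + flags.to_bytes(2, "big")
            + qdcount.to_bytes(2, "big") + b"\x00" * 6)


def header_flags(header):
    """Flags word from a 12-octet DNS header."""
    return int.from_bytes(header[2:4], "big")


def client_wants_ad(query_flags, query_do):
    """AD in a query means 'I understand the AD bit'; DO implies it too."""
    return query_do or bool(query_flags & AD)


def plan_response(query_header_bytes, query_do, validated):
    """Return what the resolver sets on the reply and on upstream queries."""
    flags = header_flags(query_header_bytes)
    return {
        # AD only when the answer validated AND the client can handle AD;
        # legacy stubs and middleboxes that sent neither DO nor AD get no AD.
        "ad": bool(validated and client_wants_ad(flags, query_do)),
        # Client CD MUST be propagated to upstream queries.
        "upstream_cd": bool(flags & CD),
        # Echoing DO is one of the two permitted behaviours; leaving it
        # clear would be equally valid.
        "do": bool(query_do),
    }


def response_flags(query_header_bytes, query_do, validated):
    """Flags word of the reply: QR set, AD per plan, other query bits kept."""
    plan = plan_response(query_header_bytes, query_do, validated)
    flags = header_flags(query_header_bytes) | QR
    flags = (flags | AD) if plan["ad"] else (flags & ~AD)
    return flags & 0xFFFF


def upstream_query_flags(query_header_bytes):
    """Flags for the resolver's own upstream query: CD copied from client."""
    return CD if plan_response(query_header_bytes, False, False)["upstream_cd"] else 0
```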
A DNSSEC validator may be configured such that, for a given
response, more than one trust anchor could be used to validate
the chain of trust to the response zone. For example, imagine
a validator configured with trust anchors for "example." and
"zone.example." When the validator is asked to validate a
response to "www.sub.zone.example.", either trust anchor could
apply.
When presented with this situation, DNSSEC validators
SHOULD try all applicable trust anchors until one
succeeds.
There are some scenarios where different behaviors, such as
choosing the trust anchor closest to the QNAME of the
response, may be desired. A DNSSEC validator MAY enable such
behaviors as configurable overrides.
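Trust anchor selection as described above, as an added example that is not part of this document: every configured anchor at or above the QNAME is applicable, the default is to try them all until one validates, and `closest_first` is the configurable override. The anchor names and the stand-in `try_anchor` callable in the test are constructed.

```python
"""Added example (not from this document): choosing among several trust
anchors that could cover a QNAME."""


def _labels(name):
    """Labels of an absolute name, lowercased, apex-most last; root -> []."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []


def covers(anchor, qname):
    """True if `anchor` is at or above `qname`."""
    a, q = _labels(anchor), _labels(qname)
    return len(q) >= len(a) and q[len(q) - len(a):] == a


def applicable_anchors(qname, anchors, closest_first=False):
    """Anchors that can root a chain of trust to `qname`. Default order is
    the configured order; the override puts the deepest anchor first."""
    hits = [a for a in anchors if covers(a, qname)]
    if closest_first:
        hits.sort(key=lambda a: len(_labels(a)), reverse=True)
    return hits


def validate_with_anchors(qname, anchors, try_anchor, closest_first=False):
    """try_anchor(anchor, qname) -> True if a chain of trust from `anchor`
    to the response validates. Returns the first anchor that succeeded,
    or None when every applicable anchor failed (or none applied)."""
    for anchor in applicable_anchors(qname, anchors, closest_first):
        if try_anchor(anchor, qname):
            return anchor
    return None
```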
Appendix C.8 of discusses sending
DS queries to the servers for a parent zone. To do that, a
resolver may first need to apply special rules to discover
what those servers are.
As explained in Section 3.1.4.1 of , security-aware name servers need to apply
special processing rules to handle the DS RR, and in some
situations the resolver may also need to apply special rules
to locate the name servers for the parent zone if the resolver
does not already have the parent's NS RRset. Section 4.2 of
specifies a mechanism for doing
that.
Questions of the form "can I use a different DNSKEY for
signing this RRset" have occasionally arisen.
The short answer is "yes, absolutely". You can even use a
different DNSKEY for each RRset in a zone, subject only to
practical limits on the size of the DNSKEY RRset. However, be
aware that there is no way to tell resolvers what a
particular DNSKEY is supposed to be used for -- any DNSKEY
in the zone's signed DNSKEY RRset may be used to authenticate
any RRset in the zone. For example, if a weaker or less
trusted DNSKEY is being used to authenticate NSEC RRsets or
all dynamically updated records, that same DNSKEY can also be
used to sign any other RRsets from the zone.
Furthermore, note that the SEP bit setting has no effect on
how a DNSKEY may be used -- the validation process is
specifically prohibited from using that bit by section 2.1.2. It is possible to use a
DNSKEY without the SEP bit set as the sole secure entry point
to the zone, yet use a DNSKEY with the SEP bit set to sign all
RRsets in the zone (other than the DNSKEY RRset). It's also
possible to use a single DNSKEY, with or without the SEP bit
set, to sign the entire zone, including the DNSKEY RRset
itself.
The text in Section C.1 refers to
the examples in B.1 as "x.w.example.com" while B.1 uses
"x.w.example". This is painfully obvious in the second
paragraph where it states that the RRSIG labels field value of
3 indicates that the answer was not the result of wildcard
expansion. This is true for "x.w.example" but not for
"x.w.example.com", which of course has a label count of 4
(conversely, a label count of 3 would imply the answer was
the result of a wildcard expansion).
The first paragraph of Section C.6
also has a minor error: the reference to "a.z.w.w.example"
should instead be "a.z.w.example", as in the previous
line.
An NSEC3 record that matches an Empty Non-Terminal
effectively has no types associated with it; its type bit
map is empty. Section 3.2.1 of contains the statement:
Blocks with no types present MUST NOT be included.
However, the same section contains a regular expression:
Type Bit Maps Field = ( Window Block # | Bitmap Length |
Bitmap )+
The plus sign in the regular expression indicates one or more
of the preceding element, that is, at least one window block.
A window block with no types present contradicts the first
statement. Therefore, the correct text in RFC 5155, Section
3.2.1 should be:
Type Bit Maps Field = ( Window Block # | Bitmap Length |
Bitmap )*
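A Type Bit Maps encoder and decoder that follows the corrected grammar, as an added example that is not part of this document: an empty type set (the NSEC3 at an empty non-terminal) encodes to zero window blocks, and the decoder accepts that while still rejecting a block whose bitmap length is outside 1..32 or that carries a trailing zero octet. The type sets in the test are constructed; the first expected encoding is the `A MX RRSIG NSEC TYPE1234` example from RFC 4034 Section 4.1.2.

```python
"""Added example (not from this document): NSEC/NSEC3 Type Bit Maps field
with zero or more window blocks, per the corrected grammar above."""


def encode_type_bitmaps(types):
    """Encode a set of RR type numbers. No types -> b'' (no window blocks)."""
    out = b""
    for window in sorted({t >> 8 for t in types}):
        bitmap = bytearray(32)
        for t in types:
            if t >> 8 == window:
                low = t & 0xFF
                bitmap[low >> 3] |= 0x80 >> (low & 7)
        while bitmap[-1] == 0:          # trailing zero octets are omitted
            bitmap.pop()
        out += bytes([window, len(bitmap)]) + bytes(bitmap)
    return out


def decode_type_bitmaps(data):
    """Decode the wire field back to a set of type numbers, validating each
    window block. Raises ValueError on malformed input."""
    types, i = set(), 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated window block header")
        window, length = data[i], data[i + 1]
        if not 1 <= length <= 32:
            raise ValueError("bitmap length must be 1..32")
        bitmap = data[i + 2:i + 2 + length]
        if len(bitmap) != length:
            raise ValueError("truncated bitmap")
        if bitmap[-1] == 0:
            raise ValueError("trailing zero octet in bitmap")
        for octet_index, octet in enumerate(bitmap):
            for bit in range(8):
                if octet & (0x80 >> bit):
                    types.add((window << 8) | (octet_index << 3) | bit)
        i += 2 + length
    return types


def is_empty_non_terminal_bitmap(data):
    """An NSEC3 at an empty non-terminal carries no window blocks at all."""
    return data == b""
```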
This document specifies no IANA Actions.
This document does not make fundamental changes to the DNSSEC
protocol, as it was generally understood when DNSSECbis was
published. It does, however, address some ambiguities and
omissions in those documents that, if not recognized and
addressed in implementations, could lead to security failures.
In particular, the validation algorithm clarifications in are critical for preserving the security
properties DNSSEC offers. Furthermore, failure to address some
of the interoperability concerns in
could limit the ability to later change or expand DNSSEC,
including by adding new algorithms.
The editors would like to thank Rob Austein for his previous
work as an editor of this document.
The editors are extremely grateful to those who, in addition
to finding errors and omissions in the DNSSECbis document set,
have provided text suitable for inclusion in this document.
The lack of specificity about handling private algorithms, as
described in , and the lack of
specificity in handling ANY queries, as described in , were discovered by David Blacka.
The error in algorithm 1 key tag calculation, as described in
, was found by Abhijit Hayatnagarkar.
Donald Eastlake contributed text for .
The bug relating to delegation NSEC RRs in was found by Roy Badami. Roy Arends found
the related problem with DNAME.
The errors in the examples were
found by Roy Arends, who also contributed text for of this document.
The editors would like to thank Ed Lewis, Danny Mayer, Olafur
Gudmundsson, Suzanne Woolf, and Scott Rose for their substantive
comments on the text of this document.