6 Domain Name System Security Working Group R. Watson
7 INTERNET DRAFT November 1997
8 <draft-ietf-dnssec-ar-00.txt> Expires in six months
11 DNSsec Authentication Referral Record (AR)
14 Status of this Document
16 This document is an Internet-Draft. Internet-Drafts are working
17 documents of the Internet Engineering Task Force (IETF), its areas,
18 and its working groups. Note that other groups may also distribute
19 working documents as Internet-Drafts.
21 Internet-Drafts are draft documents valid for a maximum of six months
22 and may be updated, replaced, or obsoleted by other documents at any
23 time. It is inappropriate to use Internet-Drafts as reference
24 material or to cite them other than as "work in progress."
26 To view the entire list of current Internet-Drafts, please check the
27 "1id-abstracts.txt" listing contained in the Internet-Drafts Shadow
28 Directories on ftp.is.co.za (Africa), ftp.nordu.net (Europe),
29 munnari.oz.au (Pacific Rim), ds.internic.net (US East Coast), or
30 ftp.isi.edu (US West Coast).
34 Authentication Referrals allow DNS to refer to authentication
35 mechanisms that supplement or replace the KEY RRs of DNSsec.
37 Five Authentication Service types are defined: DNSsec, Kerberos IV,
38 Kerberos V, Network Information Service (NIS+), and Radius.
59 Internet DRAFT DNSsec Authentication Referral November 1997
64 Domain Name System Security [DNSSEC] extends the Domain Name System
65 (DNS) [RFC1034, RFC1035] to provide for data origin authentication,
66 public key distribution, and query and transaction authentication,
67 all based on public key cryptography and public key based digital
68 signatures. In many organizations, it is desirable to provide a
69 centralized source for authentication data, especially in
70 environments where multiple systems are used (for example, KerberosIV
71 and NIS+). Systems have been defined for distributing user
72 information in the DNS name-space [HESIOD], but DNS has traditionally
73 lacked the security necessary to safely distribute sensitive
74 authentication information. Authentication Referrals use DNSsec's
75 authenticated data capabilities to distribute mappings from entities
76 to authentication mechanisms.
80 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
81 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
82 document are to be interpreted as described in RFC 2119.
84 1.2 Definition of Terms
86 Service Desiring Authentication (SDA): A service requiring a user to
87 authenticate before providing access. For example, the login program
88 on a UNIX host is an SDA.
90 Authentication Service: A type of authentication system that allows
91 an SDA to verify the identity of a Client communicating with the SDA.
92 Services are typically accessed using an Authentication Server such
93 as a KerberosIV or Radius server. In a referral, both the type of
94 authentication service and the server address are provided.
96 Client: An entity that wishes to connect to a service, in particular,
97 to an SDA. Clients are identified using a unique DNS Fully Qualified
98 Domain Name (FQDN), which contains records providing information on
99 verifying authentication. Authentication Client may refer to both
100 humans and hosts in this document.
102 Authentication Username: In the event that an Authentication Service
103 is used, the Username may differ from the Client's FQDN in DNS.
105 Authentication Realm: Some distributed authentication systems allow
106 for multiple "realms" in which authentication takes place. Realms
107 typically represent a set of identities and services over which a
108 single authority is responsible for authentication. Where
109 appropriate, referrals contain the name of the realm against which
115 Internet DRAFT DNSsec Authentication Referral November 1997
120 Authentication Server: Many authentication systems rely on a
121 centralized database, which may be found on the Authentication
122 Server. This database can be identified using the DNS FQDN for the
123 host. It is assumed that the Authentication Service type will
124 provide all other information necessary to communicate with the
125 Authentication Server.
127 1.3 Authentication in DNSsec
129 DNSsec provides a mechanism for the authentication of entities it
130 describes via KEY records containing public keys. This is adequate
131 for IP Security [IPSEC] and other key-based protocols (such as Secure
132 Shell [SSH]), but it is not useful for individual user
133 authentication. Typically such an authentication process involves
134 the encryption of data using the Client's public key (extracted from
135 DNSsec), which must then be decrypted by the Client and returned in
136 some other form (often encrypted with the SDA's public key to protect
137 both the challenge and the response). Users may be reluctant to
138 replace their traditional alpha-numeric password with 514-bit private
139 keys and then perform computation-intensive key manipulation and
140 signature-operations in their heads. While devices are available
141 that perform this function in a more accessible manner, they are not
142 yet mainstream, and a standard has not yet been proposed for
143 interaction between these devices and DNSsec-based authentication
146 Existing distributed authentication systems commonly rely on a
147 password (shared secret) or a variable challenge-response mechanism
148 using a system-specific protocol. For example, both KerberosIV
149 [KERBEROSIV] and Radius [RADIUS] use protocols employing different
150 packet formats and privacy mechanisms. Because DNS was designed as a
151 publicly accessible distributed database, no mechanism for the
152 distribution of private data is provided, which makes the inclusion
153 of password data in the system both difficult and inappropriate.
155 The AR resource record (RR type TBD) allows DNSsec to refer an SDA to
156 an Authentication Service when direct authentication based on the KEY
159 2. Authentication Referral Resource Record Format
161 To provide storage for authentication referral information, a new RR
162 type is defined with the mnemonic AR. More than one AR RR MAY exist
163 in an RRset; the RRset MUST contain the complete list of
164 authentication mechanisms allowed for the DNS name.
171 Internet DRAFT DNSsec Authentication Referral November 1997
176 NAME The domain name of the entity to be authenticated.
178 CLASS IN (HS may also be appropriate)
183 Field Name Data Type Notes
184 ------------------------ ----------- -------------------------
185 Authentication Server dname FQDN of the server that
188 Authentication Realm dname Realm in which
189 authentication occurs
190 Authentication Service 16-bit int Authentication Service
191 Type as defined in 2.3
192 Username Length 16-bit int Length of Authentication
193 Username string in octets
194 Authentication Username 8-bit int[] UTF-8 encoded name whose
195 use is defined by the
197 Other Data undefined Ignore any following
200 All integer values are stored in network byte order. The
201 Authentication Username field is an octet stream of length Username
204 Meaning of Authentication Realm, Authentication Server,
205 Authentication Username are specific to each Authentication Service
208 2.2 Text Representation
210 A simple text representation for the AR RR might be:
212 NAME. IN AR [Server] [Realm] [AuthMnemonic] [Username]
214 2.3 Authentication Service Types
216 Different Authentication Services types will be assigned numeric
217 value. New services MUST be registered with IANA.* A mnemonic is
218 associated with each type to simplify textual representation.
227 Internet DRAFT DNSsec Authentication Referral November 1997
230 Value Mnemonic Authentication Service Name
231 ------ ----------- ---------------------------
233 1 KERBEROS_V4 Kerberos IV
234 2 KERBEROS_V5 Kerberos V
238 * A method for registration will be described in detail in a later
239 version of this document.
241 2.3.1 DNSsec Referral
243 It may be desirable to refer authentication to another FQDN. For
244 example, an organization may have several user zones defined, but one
245 Client may exist in several of them. Rather than requiring separate
246 AR RRs, authentication may be forwarded to one canonical AR RR
247 containing other useful data, or to a record with a KEY RR. Some
248 fields defined across the AR record are not used:
251 ------------------------ ----------------------------------
252 Authentication Server (empty)
253 Authentication Realm (empty)
254 Authentication Service 0 (DNSSEC)
255 Username Length (as appropriate)
256 Authentication Username FQDN of the entity referred to
258 When using DNSsec referrals, it is important to avoid referral loops.
259 The appropriate interpretation order of coexisting KEY and AR records
260 is discussed in section 3. Referrals may point to either another AR
261 record or a record with authentication KEYs. If a DNSsec referral
262 record points to a non-existent name or no authentication information
263 is available at that name, the authentication MUST fail.
265 2.3.1.1 DNSsec Referral Example
267 NAME ROBERT.USER.WATSON.ORG.
271 RdLen (as appropriate)
283 Internet DRAFT DNSsec Authentication Referral November 1997
289 ------------------------ ----------------------------------
290 Authentication Server (empty)
291 Authentication Realm (empty)
292 Authentication Service 0 (DNSSEC)
294 Authentication Username rnw.andrew.cmu.edu.
296 A textual representation of this record in zone USER.WATSON.ORG would
299 ROBERT IN AR (. . DNSSEC "rnw.andrew.cmu.edu.")
301 2.3.2 Kerberos IV Referral
303 The Authentication Username is a "principal.instance" pair where
304 instance may be alphanumeric, null, or the wildcard "*". For
305 authentication against user robert in realm WATSON.ORG, an
306 appropriate Authentication Username would be "robert.", indicating
307 that no instance is to be used. To require authentication against
308 another instance, the form "robert.admin" is appropriate. In some
309 circumstances, a wild-card Username entry might be used, "robert.*",
310 indicating that the Client MAY be prompted for a specific instance.
313 ----------------------- --------------------------------------
314 Authentication Server Kerberos IV Server
315 Authentication Realm Kerberos IV Realm
316 Authentication Service 1 (Kerberos IV)
317 Username Length (length of Username in octets)
318 Authentication Username Kerberos IV principal.instance
320 2.3.2.1 Kerberos IV Referral Example
322 NAME ROBERT.USER.WATSON.ORG.
326 RdLen (as appropriate)
339 Internet DRAFT DNSsec Authentication Referral November 1997
345 ----------------------- ----------------------
346 Authentication Server KERBEROS.WATSON.ORG.
347 Authentication Realm WATSON.ORG.
348 Authentication Service 1 (KERBEROS_V4)
350 Authentication Username robert.admin
352 A textual representation of this record in zone USER.WATSON.ORG would
355 ROBERT IN AR (KERBEROS.WATSON.ORG. WATSON.ORG.
356 KERBEROS_V4 "robert.admin")
358 2.3.3. Kerberos V Referral
360 The specifics of this type will be specified in a future draft. It
361 is expected that Kerberos V referrals will be almost identical to
362 Kerberos IV, but with the "." principal/instance separator replaced
365 2.3.4 Radius Referral
368 ----------------------- ---------------------------------
369 Authentication Server Radius Server
370 Authentication Realm (empty)
371 Authentication Service 3 (RADIUS)
372 Username Length (as appropriate)
373 Authentication Username Radius Username
375 2.3.4.1 Radius Referral Example
377 NAME ROBERT.USER.WATSON.ORG.
381 RdLen (as appropriate)
395 Internet DRAFT DNSsec Authentication Referral November 1997
401 ----------------------- ----------------------
402 Authentication Server RADIUS.WATSON.ORG.
403 Authentication Realm (empty)
404 Authentication Service 5 (RADIUS)
406 Authentication Username robert
408 A textual representation of this record in zone USER.WATSON.ORG would
411 ROBERT IN AR (RADIUS.WATSON.ORG. .
416 NIS+ referral will be documented in a separate document. Due to the
417 complex interactions between NIS and DNS, there are additional
418 concerns that must be addressed in greater detail than is appropriate
421 2.4 DNS Server Handling of the AR Resource Record
423 When returning an AR RR as part of an RRset, a DNS server MAY include
424 Additional Records [RFC1034: Section 3.7] that it anticipates the SDA
427 3. AR Resource Record Evaluation
429 When performing a lookup on a Client's DNS entry, a signed RRset is
430 returned containing KEY RRs, SIG RRs, other data, and possibly an AR
431 RR. If KEY RRs are present and are permitted for use in user
432 authentication, public/private key authentication may take place.
433 Alternatively, the SDA may choose a different authentication
434 mechanism from the list of AR RRs.
436 3.1 Authentication Rules
438 Multiple AR RRs of different Authentication Service types may exist.
439 Similarly, multiple RRs of the same type may exist in an RRset. When
440 multiple RRs are returned, the SDA must select some subset of these
441 to try. A combination of local policy and and the desire for load
442 balancing determines the correct use of these RRs.
444 Where multiple AR RRs of different Authentication Service type exist,
445 one of the available Services SHOULD be selected. This choice could
451 Internet DRAFT DNSsec Authentication Referral November 1997
454 be made by local site policy (i.e., only to accept authentication by
455 Kerberos, or to not allow AR referral to another DNSsec name), or
456 with Client interaction (the user is prompted for the mechanism they
457 wish to authenticate against). If one Authentication Service fails,
458 the choice to retry against the same service or against different
459 Services should be made in accordance with local security policy.
461 Where multiple RRs with the same Authentication Service Type exist
462 but different Authentication Realm or Username are present, the SDA
463 should make a choice in accordance with local site policy. For
464 example, a site might choose only to accept authentication to their
467 Load balancing is desirable in the event that multiple RRs with the
468 same Authentication Realm, Authentication Service, and Username are
469 present. Such sets of related AR RRs may be considered to be
470 redundant records. DNS round-robin may be relied upon to reorder
473 3.1.1 Successful Authentication
475 If the chain of signatures validates the initial Client records as
476 well as any further records referenced if a DNSsec referral is
477 performed, an authentication attempt MAY be performed. If an
478 attempted authentication succeeds, the SDA MUST accept the
479 authentication as valid.
481 3.1.2 Failure in Authentication
483 If any break in the signature chain occurs in DNSsec verification of
484 the records required for authentication, the authentication SHOULD
485 fail. If alternate mechanisms exist for authenticating the
486 Authentication Server, they MAY be used.
488 If an Authentication Service is selected, and the authentication
489 fails for non-technical reasons [different word?], then the
490 authentication MUST fail. If a technical failure occurs (such as
491 being unable to contact the Authentication Server), the SDA MAY
492 select another AR record to attempt or MAY retry on the same server.
493 If no further AR records are present and any retries have also
494 failed, then the authentication MUST fail.
496 4. Security Considerations
498 It is expected that some system of access control will be used to
499 determine what, if any, services are provided to the authenticated
507 Internet DRAFT DNSsec Authentication Referral November 1997
512 Spoofing of AR RRs could result in unauthorized authentication.
513 DNSsec MUST be used to verify the authenticity of the AR RRs, as well
514 as the chain to the DNS root. For example, if an AR refers to
515 Kerberos IV, DNSsec MUST be used to verify the retrieval of the
516 Client's AR record, and the retrieval of the Kerberos IV Server's IP
517 address from Authentication Server FQDN.
521 While DNSsec provides strong cryptography to protect data
522 authenticity and to allow expiration, many distributed security
523 mechanisms are not as strong. For example, while an AR record may be
524 valid, an NIS server connection may be spoofed, hijacked,
527 4.3 Local Site Policy
529 Local site policy is relied upon for a number of key decisions in the
530 authentication process. For example, before attempting to follow an
531 AR chain, the SDA must first confirm that the initial name provided
532 is allowed to authenticate to it. It must also determine which
533 authentication service types in the AR list for the name are
534 appropriate for use. An SDA MAY choose not to accept authenticatino
535 to a weak Authentication Service. The definition of weak SHOULD be
536 defined in a local site policy.
538 A site might accept initial attempts at authentication to
539 *.user.watson.org. On a successful and verified referral, it might
540 then be willing to accept authentication against any strong
541 Authentication Service (e.g., KerberosIV or KerberosV), but not
542 against weaker services (e.g., NIS).
544 If AR information can be verified externally, do so. For example, if
545 Kerberos IV server to realm mapping information exists in a local
546 krb.conf, consistency should be verified.
548 Correct logging practice, as well as approaches for dealing with
549 various types of failures given the varied mechanisms provided may
550 also involve significant local determination. All authentication
551 events SHOULD be logged. Selective reporting of errors to the Client
552 may also improve security.
563 Internet DRAFT DNSsec Authentication Referral November 1997
568 [RFC1034] P. Mockapetris, ``Domain Names - Concepts and
569 Facilities,'' RFC 1034, ISI, November 1987.
571 [RFC1035] P. Mockapetris, ``Domain Names - Implementation and
572 Specification,'' RFC 1034, ISI, November 1987.
574 [DNSSEC] D. Eastlake, C. Kaufman, ``Domain System Security
575 Extensions,'' RFC 2065, CyberCash & Irix, January 1997.
577 [HESIOD] S. Dryer, ``The Hesiod Name Server,'' MIT, January 1988.
579 [IPSEC] R. Atkinson, ``Security Architecture for the Internet
580 Protocol,'' RFC 1825, Navy Research Laboratory, August
583 [SSH] M. Ylonen, T. Kivinen, M. Saarinen, ``SSH Transport Layer
584 Protocol,'' draft-ietf-secsh-transport-02.txt, SSH,
587 [KERBEROSIV] S. Miller, B. Neuman, J. Schiller, J. Saltzer, ``Kerberos
588 Authentication and Authorization System,'' MIT, December
591 [RADIUS] C. Rigney, A. Rubens, W. Simpson, S. Willens, ``Remote
592 Authentication Dial In User Service (RADIUS),'' RFC 2138,
598 Carnegie Mellon University
603 Phone: (412) 862-2696
605 Email: robert+ietf@cyrus.watson.org