2 INTERNET-DRAFT DNSSEC Key Rollover
9 Domain Name System (DNS) Security Key Rollover
10 ------ ---- ------ ----- -------- --- --------
12 Donald E. Eastlake 3rd, Mark Andrews
16 Status of This Document
18 This draft, file name draft-ietf-dnssec-rollover-00.txt, is intended
19 to be become a Proposed Standard RFC. Distribution of this document
20 is unlimited. Comments should be sent to the DNS security mailing
21 list <dns-security@tis.com> or to the authors.
23 This document is an Internet-Draft. Internet-Drafts are working
24 documents of the Internet Engineering Task Force (IETF), its areas,
25 and its working groups. Note that other groups may also distribute
26 working documents as Internet-Drafts.
28 Internet-Drafts are draft documents valid for a maximum of six
29 months. Internet-Drafts may be updated, replaced, or obsoleted by
30 other documents at any time. It is not appropriate to use Internet-
31 Drafts as reference material or to cite them other than as a
32 ``working draft'' or ``work in progress.''
34 To view the entire list of current Internet-Drafts, please check the
35 "1id-abstracts.txt" listing contained in the Internet-Drafts Shadow
36 Directories on ftp.is.co.za (Africa), ftp.nordu.net (Northern
37 Europe), ftp.nis.garr.it (Southern Europe), munnari.oz.au (Pacific
38 Rim), ftp.ietf.org (US East Coast), or ftp.isi.edu (US West Coast).
44 Practical deployment of Domain Name System (DNS) security with good
45 cryptologic practice will involve large volumes of key rollover
46 traffic. A standard format and protocol for such messages is
57 D. Eastlake 3rd, M. Andrews [Page 1]
60 INTERNET-DRAFT October 1998 DNSSEC Key Rollover
65 Status of This Document....................................1
66 Abstract...................................................1
68 Table of Contents..........................................2
70 1. Introduction............................................3
71 2. Key Rollover Scenarios..................................3
72 3. Rollover Operation......................................4
73 3.1 Rollover to Parent.....................................4
74 3.2 Rollover to Children...................................5
75 4. Rollover NOTIFY.........................................6
76 5. Security Considerations.................................7
78 References.................................................8
79 Authors Address............................................8
80 Expiration and File Name...................................9
115 D. Eastlake 3rd, M. Andrews [Page 2]
118 INTERNET-DRAFT October 1998 DNSSEC Key Rollover
123 The Domain Name System (DNS) [RFC 1034, RFC 1035] is the global
124 hierarchical replicated distributed database system for Internet
125 addressing, mail proxy, and other information. The DNS has been
126 extended to include digital signatures and cryptographic keys as
127 described in [draft-ietf-dnssec-secext2-*].
129 The principle security service provided for DNS data is data origin
130 authentication. The owner of each zone signs the data in that zone
131 with a private key known only to the zone owner. Anyone that knows
132 the corresponding public key can then authenticate that zone data is
133 from the zone owner. To avoid having to preconfigure resolvers with
134 all zone's public keys, keys are stored in the DNS with each zone's
135 key signed by its parent (if the parent is secure).
137 To obtain high levels of security, keys must be periodically changed,
138 or "rolled over". The longer a private key is used, the more likely
139 it is to be compromised due to cryptanalysis, accident, or treachery
140 [draft-ietf-dnssec-secops-*.txt].
142 In a widely deployed DNS security system, the volume of update
143 traffic will be large. Just consider the .com zone. If only 10% of
144 its children are secure and change their keys only once a year, you
145 are talking about hundreds of thousands of new child public keys that
146 must be securely sent to the .com manager to sign and return with
147 their new parent signature. And when .com rolls over its private
148 key, it will needs to send hundreds of thousands of new signatures on
149 the existing child public keys to the child zones.
151 The key words "MUST", "REQUIRED", "SHOULD", "RECOMMENDED", and "MAY"
152 in this document are to be interpreted as described in RFC 2119.
156 2. Key Rollover Scenarios
158 Although DNSSEC provides for the storage of other keys in the DNS for
159 a variety of purposes, DNSSEC zone keys are included solely for the
160 purpose of being retrieved to authenticate DNSSEC signatures. Thus,
161 when a zone key is being rolled over, the old public key should be
162 left in the zone, along with the addition of the new public key, for
163 as long as it will reasonably be needed to authenticate old
164 signatures that have been cached or are held by applications. If
165 DNSSEC were universally deployed and all DNS server's clocks were
166 synchronized and zone transfers were instantaneous etc., it might be
167 possible to avoid ever having duplicate old/new KEY RRsets but they
168 will be necessary in practical cases. Security aware DNS servers
169 decrease the TTL of secure RRs served as the expiration of their
170 authenticating SIG(s) approaches but some dithered fudge must
173 D. Eastlake 3rd, M. Andrews [Page 3]
176 INTERNET-DRAFT October 1998 DNSSEC Key Rollover
179 generally be left due to clock skew and to avoid massive load on
180 large zones due to the signatures on their entire contents expiring
183 Assume a zone with a secure parent and secure children wishes to role
184 over its KEY RRset. This RRset would probably be one KEY RR per
185 crypto algorithm used to secure the zone, but for this scenario, we
186 will simply assume it is one KEY RR. The old KEY RR and two SIG RRs
187 will exist at the apex of the zone and these RRs may also exist at
188 the leaf node for this zone in its parent. The contents of the zone
189 and the zone KEY RRs of its secure children will have SIGs under the
192 The zone owner needs to communicate with its parent to obtain a new
193 parental signature covering both the old and new KEY RRs and covering
194 just the new KEY RR. It would probably want to obtain these in
195 advance so that it can install them at the right time along with its
196 new SIG RRs covering the content of the zone. Finally, it needs to
197 give new SIG RRs to its children that cover their KEY RRs if it has
198 these, or signal its children to ask for such SIG RRs.
202 3. Rollover Operation
204 Rollover operations use a DNS request syntactically identical to the
205 UPDATE request [RFC 2136] except that the operation is ROLLOVER which
206 is equal to TBD. Considerations for such request to the parent and
207 children of a zone are given in the subsections.
209 [This draft does not currently consider cross-certification key
214 3.1 Rollover to Parent
216 A zone rolling over its KEY RRset sends a ROLLOVER command to the
217 parent. The Zone should be specified as the parent zone and no
218 Prerequisites are included. The Update section has the KEY RRset on
219 which the parent signature is requested along with the requesting
220 zone's SIG(s) under its old KEY(s) as RRs to be added to the parent
221 zone. The inception and expiration times in this SIG are the
222 requested inception and expiration times for the parent SIG.
224 If the ROLLOVER command is erroneous or violates parental policy, an
225 Error response is returned.
227 If the ROLLOVER command is OK and the parent can sign online, its
228 response may include the new parent SIG(s) in the Update section.
231 D. Eastlake 3rd, M. Andrews [Page 4]
234 INTERNET-DRAFT October 1998 DNSSEC Key Rollover
237 This response MUST be sent to the originator of the request.
239 If the parent can not sign online, it should return a response with
240 an empty Update section and queue the SIG(s) calculation request.
241 This response MUST be sent to the originator of the request.
243 Regardless of whether the server has sent the new signatures above,
244 it MUST, once it has calculated the new SIG(s), send a ROLLOVER to
245 the child zone using the DNS port (53) and the server selection
246 algorithm defined in RFC 2136, Section 4. This ROLLOVER reqeust
247 contains the KEY RRset that triggered it and the new SIG(s). This
248 downward ROLLOVER request is distinguished from those in Section 3.2
249 below in that the Zone section is the parental zone.
251 The reason for sending the ROLLOVER request regardless of whether the
252 new SIG RR(s) were sent in the original response is to provide an
253 indication to the operators of the zone in the event someone is
254 trying to hijack the zone.
256 Although the parent zone need not hold or serve the child's key, the
257 ROLLOVER command MUST NOT actually update the parent zone. A later
258 UPDATE command can be used to actually put the new KEY into the
259 parent zone if desired and supported by parent policy.
261 This document does not cover the question of parental policy on key
262 rollovers. Parents may have restrictions on how far into the future
263 they will sign KEY RRsets, what algorithms or key lengths they will
264 support, might require payment for the service, etc. The signing of
265 a future KEY by a parent is, to some extent a granting to the
266 controller of the child private key of future authoritative existence
267 even if the child zone ownership should change. The only effective
268 way of invalidating such future signed child public keys would be for
269 the parent to roll over its key(s), which might be an expensive
274 3.2 Rollover to Children
276 When a zone is going to rollover its key(s), it needs to re-sign the
277 zone keys of any secure children under its new key(s).
279 If the parent holds the KEY RRset for the child (whether or not it
280 actually serves it from the parent zone), it can simply do a ROLLOVER
281 request to to child specifying the child as the Zone in the request
282 and the new SIG(KEY)s to be added in the Update section. The
283 inception and expiration times in the SIG(s) indicate the time during
284 which the parent will be utilizing the new parent key. It is up to
285 the child when and how it adds the new parental SIG(s). The ROLLOVER
286 request may optionally indicate the deletion of old parental SIG(s)
289 D. Eastlake 3rd, M. Andrews [Page 5]
292 INTERNET-DRAFT October 1998 DNSSEC Key Rollover
295 but SHOULD only do so if the corresponding key is being withdrawn by
296 the parent in advance of the expiration time in the old SIG(s). It
297 is up to the child when and how it deletes the old parental SIG(s).
298 Even if the expiration of the old SIG(s) equals the inception time of
299 the new SIG(s), the child should serve both signatures for a fudge
300 time to account for clock skew.
302 A ROLLOVER request is used instead of an UPDATE because serves may
303 wish to support ROLLOVER via special techniques, such as notification
304 to the operator, even when they have not implemented UPDATE. With
305 adequate advance notice, even manual cut and paste editing of the
306 master file and restarting of a DNS server process could work.
308 If the parent does not retain knowledge of the child KEY RRset, then
309 the parent simply notifies the child via a ROLLOVER NOTIFY (see
310 Section 4 below) that the parent KEY(s) have changed. The child then
311 proceeds to do an upward ROLLOVER request to obtain the new parental
312 SIG(s). (This requires that a different method, such as TSIG, be
313 used to secure such ROLLOVER requests since we are assuming the
314 parent does not have authoritative knowledge of the child public key.
315 See Section 5 below.)
317 The NOTIFY technique MAY also be used by parents who retain knowledge
318 of their children's KEY RRsets.
324 A ROLLOVER NOTIFY informs a child zone that the parent zone want it
325 to resubmit its keys for resigning.
327 A ROLLOVER NOTIFY MUST be signed and if not signed a BADAUTH response
330 A ROLLOVER NOTIFY is a NOTIFY reqeust [RFC 1996] that has a QTYPE of
331 SIG and the owner name of the child zone. The answer section is
334 The ROLLOVER NOTIFY can be sent to any of the nameservers for the
335 child using the nameserver selection algorithm defined in RFC 2136,
338 Nameservers for the child zone receiving a ROLLOVER NOTIFY query will
339 forward the ROLLOVER NOTIFY in the saem manner as an UPDATE is
342 Unless the master server is configured to initiate an automatic
343 ROLLOVER it MUST seek to inform its operators that a ROLLOVER NOTIFY
344 request has been received. This could be done by a number of methods
347 D. Eastlake 3rd, M. Andrews [Page 6]
350 INTERNET-DRAFT October 1998 DNSSEC Key Rollover
353 including generating a log message, generating an email request to
354 the child zone's SOA RNAME or any other method defined in the
355 server's configuration for the zone. The default should be to send
356 mail to the zone's SOA RNAME. Care should be taken to rate limit
357 these message so prevent them being used to facilitate a denial of
360 Once the message has been sent (or suppressed) to the child zone's
361 administrator the master server for the child zone is free to respond
362 to the ROLLOVER NOTIFY request.
366 5. Security Considerations
368 The security of ROLLOVER or UPDATE requests is essential, otherwise
369 false children could steal parental authorization or a false parent
370 could cause a child to install an invalid signature on its zone key,
373 A ROLLOVER request can be authentication by request SIG(s)under the
374 old zone KEY(s) of the requestor [draft-ietf-dnssec-secext2-*.txt].
375 The response SHOULD have transaction SIG(s) under the old zone KEY(s)
376 of the responder. (This public key security could be used to
377 rollover a zone to the unsecured state but at that point it would
378 generally not be possible to roll back without manual intervention.)
380 Alternatively, if there is a prior arrangement between a child and a
381 parent, ROLLOVER requests and responses can be secured and
382 authenticated using TSIG [draft-ietf-dnssec-tsig-*.txt]. (TSIG
383 security could be used to rollover a zone to unsecured and to
384 rollover an unsecured zone to the secured state.)
386 A server that implements online signing SHOULD have the ability to
387 black list a zone and force manual processing or demand that a
388 particular signature be used to generate the ROLLOVER request. This
389 it to allow ROLLOVER to be used even after a private key has been
405 D. Eastlake 3rd, M. Andrews [Page 7]
408 INTERNET-DRAFT October 1998 DNSSEC Key Rollover
413 [RFC 1034] - P. Mockapetris, "Domain names - concepts and
414 facilities", 11/01/1987.
416 [RFC 1035] - P. Mockapetris, "Domain names - implementation and
417 specification", 11/01/1987.
419 [RFC 1996] - P. Vixie, "A Mechanism for Prompt Notification of Zone
420 Changes (DNS NOTIFY)", August 1996.
422 [RFC 2136] - Dynamic Updates in the Domain Name System (DNS UPDATE).
423 P. Vixie, Ed., S. Thomson, Y. Rekhter, J. Bound. April 1997.
425 [draft-ietf-dnsind-tsig-*.txt]
427 [draft-ietf-dnssec-update2-*.txt]
429 [draft-ietf-dnssec-secext2-*.txt]
431 [draft-ietf-dnssec-secops-*.txt]
437 Donald E. Eastlake 3rd
440 Carlisle, MA 01741 USA
442 Telephone: +1 978-287-4877
445 EMail: dee3@us.ibm.com
449 Internet Software Consortium
451 Dundas Valley, NSW 2117
454 Telephone: +61-2-9871-4742
463 D. Eastlake 3rd, M. Andrews [Page 8]
466 INTERNET-DRAFT October 1998 DNSSEC Key Rollover
469 Expiration and File Name
471 This draft expires in April 1999.
473 Its file name is draft-ietf-dnssec-rollover-00.txt.
521 D. Eastlake 3rd, M. Andrews [Page 9]