4
Network Working Group S. Weiler
5
Internet-Draft SPARTA, Inc
6
Updates: 4034, 4035 (if approved) J. Ihren
7
Expires: November 13, 2005 Autonomica AB
11
Minimally Covering NSEC Records and DNSSEC On-line Signing
12
draft-ietf-dnsext-dnssec-online-signing-00
16
By submitting this Internet-Draft, each author represents that any
17
applicable patent or other IPR claims of which he or she is aware
18
have been or will be disclosed, and any of which he or she becomes
19
aware will be disclosed, in accordance with Section 6 of BCP 79.
21
Internet-Drafts are working documents of the Internet Engineering
22
Task Force (IETF), its areas, and its working groups. Note that
23
other groups may also distribute working documents as Internet-
26
Internet-Drafts are draft documents valid for a maximum of six months
27
and may be updated, replaced, or obsoleted by other documents at any
28
time. It is inappropriate to use Internet-Drafts as reference
29
material or to cite them other than as "work in progress."
31
The list of current Internet-Drafts can be accessed at
32
http://www.ietf.org/ietf/1id-abstracts.txt.
34
The list of Internet-Draft Shadow Directories can be accessed at
35
http://www.ietf.org/shadow.html.
37
This Internet-Draft will expire on November 13, 2005.
41
Copyright (C) The Internet Society (2005).
45
This document describes how to construct DNSSEC NSEC resource records
46
that cover a smaller range of names than called for by RFC4034. By
47
generating and signing these records on demand, authoritative name
48
servers can effectively stop the disclosure of zone contents
49
otherwise made possible by walking the chain of NSEC records in a
55
Weiler & Ihren Expires November 13, 2005 [Page 1]
57
Internet-Draft NSEC Epsilon May 2005
60
Changes from weiler-01 to ietf-00
62
Inserted RFC numbers for 4033, 4034, and 4035.
64
Specified contents of bitmap field in synthesized NSEC RR's, pointing
65
out that this relaxes a constraint in 4035. Added 4035 to the
68
Changes from weiler-00 to weiler-01
70
Clarified that this updates RFC4034 by relaxing requirements on the
73
Added examples covering wildcard names.
75
In the 'better functions' section, reiterated that perfect functions
78
Added a reference to RFC 2119.
111
Weiler & Ihren Expires November 13, 2005 [Page 2]
113
Internet-Draft NSEC Epsilon May 2005
118
1. Introduction and Terminology . . . . . . . . . . . . . . . . 4
119
2. Minimally Covering NSEC Records . . . . . . . . . . . . . . 4
120
3. Better Increment & Decrement Functions . . . . . . . . . . . 6
121
4. IANA Considerations . . . . . . . . . . . . . . . . . . . . 7
122
5. Security Considerations . . . . . . . . . . . . . . . . . . 7
123
6. Normative References . . . . . . . . . . . . . . . . . . . . 8
124
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 8
125
A. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . 8
126
Intellectual Property and Copyright Statements . . . . . . . 10
167
Weiler & Ihren Expires November 13, 2005 [Page 3]
169
Internet-Draft NSEC Epsilon May 2005
172
1. Introduction and Terminology
174
With DNSSEC [1], an NSEC record lists the next instantiated name in
175
its zone, proving that no names exist in the "span" between the
176
NSEC's owner name and the name in the "next name" field. In this
177
document, an NSEC record is said to "cover" the names between its
178
owner name and next name.
180
Through repeated queries that return NSEC records, it is possible to
181
retrieve all of the names in the zone, a process commonly called
182
"walking" the zone. Some zone owners have policies forbidding zone
183
transfers by arbitrary clients; this side-effect of the NSEC
184
architecture subverts those policies.
186
This document presents a way to prevent zone walking by constructing
187
NSEC records that cover fewer names. These records can make zone
188
walking take approximately as many queries as simply asking for all
189
possible names in a zone, making zone walking impractical. Some of
190
these records must be created and signed on demand, which requires
191
on-line private keys. Anyone contemplating use of this technique is
192
strongly encouraged to review the discussion of the risks of on-line
193
signing in Section 5.
195
The technique presented here may be useful to a zone owner that wants
196
to use DNSSEC, is concerned about exposure of its zone contents via
197
zone walking, and is willing to bear the costs of on-line signing.
199
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
200
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
201
document are to be interpreted as described in RFC 2119 [4].
203
2. Minimally Covering NSEC Records
205
This mechanism involves changes to NSEC records for instantiated
206
names, which can still be generated and signed in advance, as well as
207
the on-demand generation and signing of new NSEC records whenever a
208
name must be proven not to exist.
210
In the 'next name' field of instantiated names' NSEC records, rather
211
than list the next instantiated name in the zone, list any name that
212
falls lexically after the NSEC's owner name and before the next
213
instantiated name in the zone, according to the ordering function in
214
RFC4034 [2] section 6.2. This relaxes the requirement in section
215
4.1.1 of RFC4034 that the 'next name' field contains the next owner
216
name in the zone. This change is expected to be fully compatible
217
with all existing DNSSEC validators. These NSEC records are returned
218
whenever proving something specifically about the owner name (e.g.
219
that no resource records of a given type appear at that name).
223
Weiler & Ihren Expires November 13, 2005 [Page 4]
225
Internet-Draft NSEC Epsilon May 2005
228
Whenever an NSEC record is needed to prove the non-existence of a
229
name, a new NSEC record is dynamically produced and signed. The new
230
NSEC record has an owner name lexically before the QNAME but
231
lexically following any existing name and a 'next name' lexically
232
following the QNAME but before any existing name.
234
The generated NSEC record's type bitmap SHOULD have the RRSIG and
235
NSEC bits set and SHOULD NOT have any other bits set. This relaxes
236
the requirement in Section 2.3 of RFC4035 that NSEC RRs not appear at
237
names that did not exist before the zone wsa signed.
239
The functions to generate the lexically following and proceeding
240
names need not be perfect nor consistent, but the generated NSEC
241
records must not cover any existing names. Furthermore, this
242
technique works best when the generated NSEC records cover as few
245
An NSEC record denying the existence of a wildcard may be generated
246
in the same way. Since the NSEC record covering a non-existent
247
wildcard is likely to be used in response to many queries,
248
authoritative name servers using the techniques described here may
249
want to pregenerate or cache that record and its corresponding RRSIG.
251
For example, a query for an A record at the non-instantiated name
252
example.com might produce the following two NSEC records, the first
253
denying the existence of the name example.com and the second denying
254
the existence of a wildcard:
256
exampld.com 3600 IN NSEC example-.com ( RRSIG NSEC )
258
).com 3600 IN NSEC +.com ( RRSIG NSEC )
260
Before answering a query with these records, an authoritative server
261
must test for the existence of names between these endpoints. If the
262
generated NSEC would cover existing names (e.g. exampldd.com or
263
*bizarre.example.com), a better increment or decrement function may
264
be used or the covered name closest to the QNAME could be used as the
265
NSEC owner name or next name, as appropriate. If an existing name is
266
used as the NSEC owner name, that name's real NSEC record MUST be
267
returned. Using the same example, assuming an exampldd.com
268
delegation exists, this record might be returned from the parent:
270
exampldd.com 3600 IN NSEC example-.com ( NS DS RRSIG NSEC )
272
Like every authoritative record in the zone, each generated NSEC
273
record MUST have corresponding RRSIGs generated using each algorithm
274
(but not necessarily each DNSKEY) in the zone's DNSKEY RRset, as
275
described in RFC4035 [3] section 2.2. To minimize the number of
279
Weiler & Ihren Expires November 13, 2005 [Page 5]
281
Internet-Draft NSEC Epsilon May 2005
284
signatures that must be generated, a zone may wish to limit the
285
number of algorithms in its DNSKEY RRset.
287
3. Better Increment & Decrement Functions
289
Section 6.2 of RFC4034 defines a strict ordering of DNS names.
290
Working backwards from that definition, it should be possible to
291
define increment and decrement functions that generate the
292
immediately following and preceding names, respectively. This
293
document does not define such functions. Instead, this section
294
presents functions that come reasonably close to the perfect ones.
295
As described above, an authoritative server should still ensure than
296
no generated NSEC covers any existing name.
298
To increment a name, add a leading label with a single null (zero-
301
To decrement a name, decrement the last character of the leftmost
302
label, then fill that label to a length of 63 octets with octets of
303
value 255. To decrement a null (zero-value) octet, remove the octet
304
-- if an empty label is left, remove the label. Defining this
305
function numerically: fill the left-most label to its maximum length
306
with zeros (numeric, not ASCII zeros) and subtract one.
308
In response to a query for the non-existent name foo.example.com,
309
these functions produce NSEC records of:
311
fon\255\255\255\255\255\255\255\255\255\255\255\255\255\255
312
\255\255\255\255\255\255\255\255\255\255\255\255\255\255\255
313
\255\255\255\255\255\255\255\255\255\255\255\255\255\255\255
314
\255\255\255\255\255\255\255\255\255\255\255\255\255\255\255
315
\255.example.com 3600 IN NSEC \000.foo.example.com ( NSEC RRSIG )
317
)\255\255\255\255\255\255\255\255\255\255\255\255\255\255\255
318
\255\255\255\255\255\255\255\255\255\255\255\255\255\255\255
319
\255\255\255\255\255\255\255\255\255\255\255\255\255\255\255
320
\255\255\255\255\255\255\255\255\255\255\255\255\255\255\255
321
\255\255.example.com 3600 IN NSEC \000.*.example.com ( NSEC RRSIG )
323
The first of these NSEC RRs proves that no exact match for
324
foo.example.com exists, and the second proves that there is no
325
wildcard in example.com.
327
Both of these functions are imperfect: they don't take into account
328
constraints on number of labels in a name nor total length of a name.
329
As noted in the previous section, though, this technique does not
330
depend on the use of perfect increment or decrement functions: it is
331
sufficient to test whether any instantiated names fall into the span
335
Weiler & Ihren Expires November 13, 2005 [Page 6]
337
Internet-Draft NSEC Epsilon May 2005
340
covered by the generated NSEC and, if so, substitute those
341
instantiated owner names for the NSEC owner name or next name, as
344
4. IANA Considerations
346
Per RFC4041, IANA should think carefully about the protection of
347
their immortal souls.
349
5. Security Considerations
351
This approach requires on-demand generation of RRSIG records. This
352
creates several new vulnerabilities.
354
First, on-demand signing requires that a zone's authoritative servers
355
have access to its private keys. Storing private keys on well-known
356
internet-accessible servers may make them more vulnerable to
357
unintended disclosure.
359
Second, since generation of public key signatures tends to be
360
computationally demanding, the requirement for on-demand signing
361
makes authoritative servers vulnerable to a denial of service attack.
363
Lastly, if the increment and decrement functions are predictable, on-
364
demand signing may enable a chosen-plaintext attack on a zone's
365
private keys. Zones using this approach should attempt to use
366
cryptographic algorithms that are resistant to chosen-plaintext
367
attacks. It's worth noting that while DNSSEC has a "mandatory to
368
implement" algorithm, that is a requirement on resolvers and
369
validators -- there is no requirement that a zone be signed with any
372
The success of using minimally covering NSEC record to prevent zone
373
walking depends greatly on the quality of the increment and decrement
374
functions chosen. An increment function that chooses a name
375
obviously derived from the next instantiated name may be easily
376
reverse engineered, destroying the value of this technique. An
377
increment function that always returns a name close to the next
378
instantiated name is likewise a poor choice. Good choices of
379
increment and decrement functions are the ones that produce the
380
immediately following and preceding names, respectively, though zone
381
administrators may wish to use less perfect functions that return
382
more human-friendly names than the functions described in Section 3
385
Another obvious but misguided concern is the danger from synthesized
386
NSEC records being replayed. It's possible for an attacker to replay
387
an old but still validly signed NSEC record after a new name has been
391
Weiler & Ihren Expires November 13, 2005 [Page 7]
393
Internet-Draft NSEC Epsilon May 2005
396
added in the span covered by that NSEC, incorrectly proving that
397
there is no record at that name. This danger exists with DNSSEC as
398
defined in [-bis]. The techniques described here actually decrease
399
the danger, since the span covered by any NSEC record is smaller than
400
before. Choosing better increment and decrement functions will
401
further reduce this danger.
403
6. Normative References
405
[1] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
406
"DNS Security Introduction and Requirements", RFC 4033,
409
[2] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
410
"Resource Records for the DNS Security Extensions", RFC 4034,
413
[3] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
414
"Protocol Modifications for the DNS Security Extensions",
415
RFC 4035, March 2005.
417
[4] Bradner, S., "Key words for use in RFCs to Indicate Requirement
418
Levels", BCP 14, RFC 2119, March 1997.
425
7075 Samuel Morse Drive
426
Columbia, Maryland 21046
429
Email: weiler@tislabs.com
438
Email: johani@autonomica.se
440
Appendix A. Acknowledgments
442
Many individuals contributed to this design. They include, in
443
addition to the authors of this document, Olaf Kolkman, Ed Lewis,
447
Weiler & Ihren Expires November 13, 2005 [Page 8]
449
Internet-Draft NSEC Epsilon May 2005
452
Peter Koch, Matt Larson, David Blacka, Suzanne Woolf, Jaap Akkerhuis,
453
Jakob Schlyter, Bill Manning, and Joao Damas.
455
The key innovation of this document, namely that perfect increment
456
and decrement functions are not necessary, arose during a discussion
457
among the above-listed people at the RIPE49 meeting in September
503
Weiler & Ihren Expires November 13, 2005 [Page 9]
505
Internet-Draft NSEC Epsilon May 2005
508
Intellectual Property Statement
510
The IETF takes no position regarding the validity or scope of any
511
Intellectual Property Rights or other rights that might be claimed to
512
pertain to the implementation or use of the technology described in
513
this document or the extent to which any license under such rights
514
might or might not be available; nor does it represent that it has
515
made any independent effort to identify any such rights. Information
516
on the procedures with respect to rights in RFC documents can be
517
found in BCP 78 and BCP 79.
519
Copies of IPR disclosures made to the IETF Secretariat and any
520
assurances of licenses to be made available, or the result of an
521
attempt made to obtain a general license or permission for the use of
522
such proprietary rights by implementers or users of this
523
specification can be obtained from the IETF on-line IPR repository at
524
http://www.ietf.org/ipr.
526
The IETF invites any interested party to bring to its attention any
527
copyrights, patents or patent applications, or other proprietary
528
rights that may cover technology that may be required to implement
529
this standard. Please address the information to the IETF at
533
Disclaimer of Validity
535
This document and the information contained herein are provided on an
536
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
537
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
538
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
539
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
540
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
541
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
546
Copyright (C) The Internet Society (2005). This document is subject
547
to the rights, licenses and restrictions contained in BCP 78, and
548
except as set forth therein, the authors retain all their rights.
553
Funding for the RFC Editor function is currently provided by the
559
Weiler & Ihren Expires November 13, 2005 [Page 10]