INTERNET-DRAFT                                      DNSIND Key Rollover
UPDATES RFC 1996                                             April 1999
                                                   Expires October 1999
draft-ietf-dnsind-rollover-00.txt



             Domain Name System (DNS) Security Key Rollover
             ------ ---- ------ ----- -------- --- --------

                   Donald E. Eastlake 3rd, Mark Andrews



Status of This Document

   This draft, file name draft-ietf-dnsind-rollover-00.txt, is intended
   to become a Proposed Standard RFC.  Distribution of this document
   is unlimited.  Comments should be sent to the DNS working group
   mailing list <namedroppers@internic.net> or to the authors.

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.  Internet-Drafts are working
   documents of the Internet Engineering Task Force (IETF), its areas,
   and its working groups.  Note that other groups may also distribute
   working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months.  Internet-Drafts may be updated, replaced, or obsoleted by
   other documents at any time.  It is not appropriate to use
   Internet-Drafts as reference material or to cite them other than as
   a ``working draft'' or ``work in progress.''

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.



Abstract

   Deployment of Domain Name System (DNS) security with good cryptologic
   practice will involve large volumes of key rollover traffic.  A
   standard format and protocol for such messages will be necessary for
   this to be practical and is specified herein.

   [Note: this draft has been moved to dnsind from dnssec as part of the
   ongoing combination of these working groups.  It would have been
   draft-ietf-dnssec-rollover-01.txt otherwise.]



D. Eastlake 3rd, M. Andrews                                     [Page 1]



INTERNET-DRAFT                    April 1999          DNSSEC Key Rollover


Table of Contents

   Status of This Document....................................1
   Abstract...................................................1

   Table of Contents..........................................2

   1. Introduction............................................3
   2. Key Rollover Scenario...................................3
   3. Rollover Operation......................................5
   3.1 Rollover to Parent.....................................5
   3.2 Rollover to Children...................................6
   4. Secure Zone Cuts and Joinders...........................7
   5. Security Considerations.................................8
   6. IANA Considerations.....................................9

   References................................................10
   Authors Address...........................................10
   Expiration and File Name..................................11


1. Introduction

   The Domain Name System (DNS) [RFC 1034, 1035] is the global
   hierarchical replicated distributed database system for Internet
   addressing, mail proxy, and other information.  The DNS has been
   extended to include digital signatures and cryptographic keys as
   described in [RFC 2535].

   The principal security service provided for DNS data is data origin
   authentication.  The owner of each zone signs the data in that zone
   with a private key known only to the zone owner.  Anyone who knows
   the corresponding public key can then authenticate that zone data is
   from the zone owner.  To avoid having to preconfigure resolvers with
   all zones' public keys, keys are stored in the DNS with each zone's
   key signed by its parent (if the parent is secure).

   To obtain high levels of security, keys must be periodically changed,
   or "rolled over".  The longer a private key is used, the more likely
   it is to be compromised due to cryptanalysis, accident, or treachery
   [RFC 2541].

   In a widely deployed DNS security system, the volume of update
   traffic will be large.  Just consider the .com zone.  If only 10% of
   its children are secure and change their keys only once a year, you
   are talking about hundreds of thousands of new child public keys that
   must be securely sent to the .com manager to sign and return with
   their new parent signature.  And when .com rolls over its private
   key, it will need to send hundreds of thousands of new signatures on
   the existing child public keys to the child zones.

   It will be impractical to handle such update volumes manually on a
   case by case basis.  The bulk of such key rollover updates must be
   automated.

   The key words "MUST", "REQUIRED", "SHOULD", "RECOMMENDED", and "MAY"
   in this document are to be interpreted as described in [RFC 2119].



2. Key Rollover Scenario

   Although DNSSEC provides for the storage of other keys in the DNS for
   other purposes, DNSSEC zone keys are included solely for the purpose
   of being retrieved to authenticate DNSSEC signatures.  Thus, when a
   zone key is being rolled over, the old public key should be left in
   the zone, along with the addition of the new public key, for as long
   as it will reasonably be needed to authenticate old signatures that
   have been cached or are held by applications.  Similarly, old parent
   SIGs should be retained for a short time after the parent KEY(s) roll
   over and new parent SIGs have been installed.

   If DNSSEC were universally deployed and all DNS servers' clocks were
   synchronized and zone transfers were instantaneous etc., it might be
   possible to avoid ever having duplicate old/new KEY/SIG RRsets due to
   simultaneous expiration of SIGs everywhere in the DNS.  But these
   assumptions do not hold.  Security aware DNS servers decrease the TTL
   of secure RRs served as the expiration of their authenticating SIG(s)
   approaches, but some dithered fudge must generally be left due to
   clock skew, RR retention by applications, and the like.  Retaining
   old KEYs for a while after rolling over to new KEYs will be necessary
   in practical cases.

   Assume a middle zone with a secure parent and a secure child wishes
   to roll over its KEY RRset.  This RRset would probably be one KEY RR
   per crypto algorithm used to secure the zone, but for this scenario,
   we will simply assume it is one KEY RR.  The old KEY RR and two SIG
   RRs will exist at the apex of the middle zone.  (These RRs may also
   exist at the leaf node for this zone in its parent if the parent
   chooses to store them there.)  The contents of the middle zone and the
   zone KEY RRs of its secure child will have SIGs under the old key.

   The middle zone owner needs to communicate with its parent to obtain
   a new parental signature covering both the old and new KEY RRs and
   one covering just the new KEY RR.  The signature on both is needed so
   the old KEY can be retained for the period it might be needed to
   authenticate old SIGs.  The middle zone would probably want to obtain
   these in advance so that it can install them at the right time along
   with its new SIG RRs covering the content of its zone.  Finally, it
   needs to give new SIG RRs to its child that cover the child's KEY
   RRs, so it must signal its children to ask for such SIG RRs.

   BEFORE ROLLOVER         SHORTLY AFTER           AFTER ROLLOVER

   p.x KEY P1              p.x KEY P1              p.x KEY P1
   p.x SIG(KEY) P1         p.x SIG(KEY) P1         p.x SIG(KEY) P1
   p.x SIG(KEY) GP         p.x SIG(KEY) GP         p.x SIG(KEY) GP

   m.p.x KEY M1            m.p.x KEY M2            m.p.x KEY M2
   m.p.x SIG(KEY) P1       m.p.x KEY M1            m.p.x SIG(KEY) P1
   m.p.x SIG(KEY) M1       m.p.x SIG(KEY) P1       m.p.x SIG(KEY) M2
                           m.p.x SIG(KEY) M2

   c.m.p.x KEY C1          c.m.p.x KEY C1          c.m.p.x KEY C1
   c.m.p.x SIG(KEY) M1     c.m.p.x SIG(KEY) M2     c.m.p.x SIG(KEY) M2
   c.m.p.x SIG(KEY) C1     c.m.p.x SIG(KEY) M1     c.m.p.x SIG(KEY) C1
                           c.m.p.x SIG(KEY) C1

   p = parent, m = middle, c = child, GP = grandparent key
   P* = parent key, M* = middle zone key, C* = child key
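   The following Python model is added here as an illustration and is not
   part of the draft.  It builds the three columns of the table above and
   checks the property the scenario depends on: a SIG can only be
   validated while the KEY that made it is still published in the
   signer's zone.  Signatures are stood in for by HMAC-SHA256 tags over
   constructed secrets (real zone keys are asymmetric), the zone and key
   names are those of the table, and the grandparent key GP is treated as
   a configured trust anchor; all of that is an assumption of the example.

```python
import hashlib
import hmac

# Constructed stand-in key material for the keys named in the table.  A real
# zone key is an asymmetric pair; an HMAC secret is used only so that sign
# and verify run offline with the standard library.
SECRETS = {name: hashlib.sha256(name.encode()).digest()
           for name in ("GP", "P1", "M1", "M2", "C1")}
# Which zone publishes each key.  GP (grandparent) is assumed to be the
# configured trust anchor, so it is never looked up in a zone.
KEY_ZONE = {"P1": "p.x", "M1": "m.p.x", "M2": "m.p.x", "C1": "c.m.p.x"}

def sign(signer, owner, keyset):
    """Return a SIG(KEY) RR (owner, signer, tag) over the KEY RRset of owner."""
    data = f"{owner} KEY {' '.join(sorted(keyset))}".encode()
    return (owner, signer, hmac.new(SECRETS[signer], data, "sha256").hexdigest())

def usable(sig, rrset, zones) -> bool:
    """A SIG can be validated only if its signing KEY is still published in the
    signer's zone (or is the trust anchor) and the tag verifies over rrset."""
    owner, signer, tag_value = sig
    if signer != "GP" and signer not in zones[KEY_ZONE[signer]]:
        return False
    data = f"{owner} KEY {' '.join(sorted(rrset))}".encode()
    expect = hmac.new(SECRETS[signer], data, "sha256").hexdigest()
    return hmac.compare_digest(tag_value, expect)

def phase(middle_keys, middle_signers, child_signers):
    """One column of the table: apex KEY RRsets plus the SIG(KEY) RRs over them."""
    zones = {"p.x": ("P1",), "m.p.x": tuple(middle_keys), "c.m.p.x": ("C1",)}
    sigs = [sign(s, "p.x", zones["p.x"]) for s in ("P1", "GP")]
    sigs += [sign(s, "m.p.x", zones["m.p.x"]) for s in middle_signers]
    sigs += [sign(s, "c.m.p.x", zones["c.m.p.x"]) for s in child_signers]
    return zones, sigs

BEFORE = phase(("M1",), ("P1", "M1"), ("M1", "C1"))
SHORTLY_AFTER = phase(("M1", "M2"), ("P1", "M2"), ("M2", "M1", "C1"))
AFTER = phase(("M2",), ("P1", "M2"), ("M2", "C1"))

def phase_consistent(state) -> bool:
    """Every SIG served in a phase must be validatable against that phase's KEYs."""
    zones, sigs = state
    return all(usable(s, zones[s[0]], zones) for s in sigs)

def cached_child_sig_usable(state) -> bool:
    """A resolver cached "c.m.p.x KEY C1" with its SIG under M1 before the
    rollover.  Can that cached pair still be validated in the given phase?"""
    zones, _ = state
    cached_rrset = BEFORE[0]["c.m.p.x"]
    cached_sig = next(s for s in BEFORE[1] if s[0] == "c.m.p.x" and s[1] == "M1")
    return usable(cached_sig, cached_rrset, zones)
```

   Note that the middle column needs two distinct parent SIGs: the one
   shown there covers the combined {M1, M2} RRset, while the right-hand
   column's covers {M2} alone, which is why Section 3.1 has the child
   request both from its parent in advance.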



3. Rollover Operation

   Rollover operations use a DNS request syntactically identical to the
   UPDATE request [RFC 2136] (except that the operation code is ROLLOVER
   which is equal to (TBD)) and use a new form of NOTIFY [RFC 1996].
   Considerations for such requests to the parent and children of a zone
   are given below.

   All rollover operations involve significant amounts of cryptographic
   calculation.  Appropriate rate limiting SHOULD be applied to avoid
   denial of service attacks.

   [This draft does not consider cross-certification key rollover.]



3.1 Rollover to Parent

   A zone rolling over its KEY RRset sends an upward ROLLOVER request to
   its parent.  Actually, it will normally do two upward ROLLOVERs, one
   for a combined KEY RRset of its old and new KEYs and one for just its
   new KEY RRset, as discussed above.

   The server selection algorithm in [RFC 2136] section 4 should be
   used.  A child needs to be configured with or determine the name of
   its parent but SHOULD NOT remember the location of its parent other
   than via normal DNS caching of address RRs, so that rollover will
   continue to work if its parent servers are moved.

   The ROLLOVER request Zone should be specified as the parent zone.
   The request Update section has the new KEY RRset on which the parent
   signature is requested, along with the requesting zone's SIG(s) under
   its old KEY(s), as RRs to be "added" to the parent zone.  The
   inception and expiration times in this child SIG or SIGs are the
   requested inception and expiration times for the new parent SIG(s).
   The "prerequisites" section has the old child KEY RRset with the
   parent SIG (see next paragraph).

   An upward ROLLOVER request MUST be signed, and if it is not signed a
   BADAUTH response is generated.  The signature MUST be under the
   previous zone KEY, so the parent can validate it, or under a valid
   TSIG key [draft-ietf-dnsind-tsig-*.txt] arranged with the parent.
   Including the "prerequisite" section as specified above enables a
   parent that keeps no record of its children's KEYs to still
   authenticate a child's ROLLOVER request based on the old child KEY,
   because the parent is presented with its own SIG on the old KEY.

   If the ROLLOVER command is erroneous or violates parental policy, an
   Error response is returned.  If a parent retains copies of its
   children's KEYs, it may use that knowledge to validate ROLLOVER
   request SIGs and ignore the "prerequisites" section.

   If the ROLLOVER command is OK and the parent can sign online, its
   response MAY include the new parent SIG(s) in the response Update
   section.  This response MUST be sent to the originator of the
   request.

   If the parent cannot sign online, it should return a response with
   an empty Update section and queue the SIG(s) calculation request.
   This response MUST be sent to the originator of the request.

   ROLLOVER response messages MUST always include the actual parent's
   SOA, signed with a key the child should recognize, in the Additional
   Information section (see section 4 below).

   Regardless of whether the server has sent the new signatures above,
   it MUST, once it has calculated the new SIG(s), send a ROLLOVER to
   the child zone using the DNS port (53) and the server selection
   algorithm defined in RFC 2136, Section 4.  This ROLLOVER request
   contains the KEY RRset that triggered it and the new SIG(s).  There
   are several reasons for sending this ROLLOVER regardless of whether
   the new SIG RR(s) were sent in the original response.  One is to
   provide an indication to the operators of the zone in the event
   someone is trying to hijack the zone.  Another is that this maximizes
   the probability of the response getting through.

   Although the parent zone need not hold or serve the child's key, if
   it does, the ROLLOVER request SHOULD NOT automatically update the
   parent zone.  A later UPDATE command can be used to actually put the
   new KEY into the parent zone if desired and supported by parent
   policy.

   This document does not cover the question of parental policy on key
   rollovers.  Parents may have restrictions on how far into the future
   they will sign KEY RRsets, what algorithms or key lengths they will
   support, might require payment for the service, etc.  The signing of
   a future KEY by a parent is, to some extent, a granting of future
   authoritative existence to the controller of the child private key
   even if the child zone ownership should change.  The only effective
   way of invalidating such future signed child public keys would be for
   the parent to roll over its key(s), which might be an expensive
   operation.
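   As an added illustration, not code from the draft or from any DNS
   implementation, the Python sketch below shows the order of checks a
   parent that keeps no record of its children's KEYs would apply to an
   upward ROLLOVER request: rate limiting first, BADAUTH for an unsigned
   request, authentication of the old child KEY RRset through the
   parent's own SIG carried in the prerequisites section, the request
   signature under one of those old KEYs or an arranged TSIG key, the
   child's SIG in the Update section (whose times become the requested
   validity), parental policy, and finally the new SIG(s) plus the signed
   parent SOA in the response together with a queued downward ROLLOVER.
   The message layout (dicts rather than DNS wire format), the HMAC-SHA256
   stand-in for signatures, the 180-day validity and algorithm policy,
   the budget of four requests per child, and the TSIG key name are all
   constructed assumptions of the example.

```python
import hashlib
import hmac
import json
from collections import Counter

NOW = 1_000_000                # constructed "current time" (seconds)
MAX_FUTURE = 180 * 86400       # assumed parental policy: sign at most 180 days ahead
ALLOWED_ALGS = {"RSA", "DSA"}  # assumed parental policy on child key algorithms
RATE_LIMIT = 4                 # assumed per-child request budget (Section 3)
# Constructed stand-in key material: real zone keys are asymmetric pairs; an HMAC
# secret is used only so that sign/verify run offline.  "TSIG-m" is an assumed TSIG key.
SECRETS = {k: hashlib.sha256(k.encode()).digest() for k in ("P1", "M1", "M2", "TSIG-m")}

def canon(obj) -> bytes:
    return json.dumps(obj, sort_keys=True).encode()

def mac(signer: str, data: bytes) -> str:
    return hmac.new(SECRETS[signer], data, "sha256").hexdigest()

def sign_rrset(signer, owner, rrtype, rdata, inception, expiration) -> dict:
    """Return a SIG RR (as a dict) over one RRset with the given validity."""
    body = {"owner": owner, "type": rrtype, "rdata": sorted(rdata),
            "inc": inception, "exp": expiration, "signer": signer}
    return dict(body, tag=mac(signer, canon(body)))

def verify_rrset_sig(sig: dict, owner, rrtype, rdata) -> bool:
    """True if sig covers exactly this RRset and its tag verifies."""
    body = {k: v for k, v in sig.items() if k != "tag"}
    return ((body["owner"], body["type"], body["rdata"]) == (owner, rrtype, sorted(rdata))
            and hmac.compare_digest(sig["tag"], mac(sig["signer"], canon(body))))

def make_rollover_request(child, old_keys, new_keys, parent_sig_on_old, old_key, inc, exp,
                          req_signer=None):
    """Upward ROLLOVER: Zone = parent; prerequisites = old KEY RRset plus the parent's
    SIG over it; Update = new KEY RRset plus the child's SIG under its old key, whose
    inception/expiration are the requested ones.  The request is signed as a whole
    under req_signer (defaults to the old zone key; a TSIG key also works)."""
    req = {"opcode": "ROLLOVER", "zone": "p.x",
           "prerequisites": {"owner": child, "keys": old_keys, "sig": parent_sig_on_old},
           "update": {"owner": child, "keys": new_keys,
                      "sigs": [sign_rrset(old_key, child, "KEY", new_keys, inc, exp)]}}
    signer = req_signer or old_key
    req["sig0"] = {"signer": signer, "tag": mac(signer, canon(req))}
    return req

class Parent:
    """Parent zone server that keeps no record of its children's KEYs."""
    def __init__(self, zone="p.x", key="P1", sign_online=True):
        self.zone, self.key, self.sign_online = zone, key, sign_online
        self.tsig_keys, self.seen = {"TSIG-m"}, Counter()
        self.queued, self.alerts = [], []   # pending downward ROLLOVERs; operator notices

    def handle(self, req: dict) -> dict:
        pre, upd = req["prerequisites"], req["update"]
        child = pre["owner"]
        # Every response carries the parent's SOA signed with a key the child knows.
        soa = sign_rrset(self.key, self.zone, "SOA", ["serial 2"], NOW, NOW + 86400)
        def reply(rcode, reason="", update=()):
            return {"rcode": rcode, "reason": reason, "update": list(update), "additional": [soa]}
        self.seen[child] += 1
        if self.seen[child] > RATE_LIMIT or req.get("zone") != self.zone:  # cheap checks first
            return reply("REFUSED", "rate limit or wrong zone")
        sig0 = req.get("sig0")
        if sig0 is None:
            return reply("BADAUTH", "unsigned request")
        # Authenticate the old child KEY RRset: the prerequisites must carry our own SIG.
        if pre["sig"]["signer"] != self.key or not verify_rrset_sig(pre["sig"], child, "KEY", pre["keys"]):
            return reply("BADAUTH", "prerequisite lacks a valid parent SIG")
        # The request signature must be under one of those old KEYs or an arranged TSIG key.
        old_names = {name for name, _alg in pre["keys"]}
        unsigned = {k: v for k, v in req.items() if k != "sig0"}
        if (sig0["signer"] not in old_names | self.tsig_keys
                or not hmac.compare_digest(sig0["tag"], mac(sig0["signer"], canon(unsigned)))):
            self.alerts.append(f"{child}: request signature did not verify")
            return reply("BADAUTH", "request signature")
        # The child's SIG in the Update section carries the requested validity; it too
        # must be under an old child KEY.
        child_sig = upd["sigs"][0]
        if child_sig["signer"] not in old_names or not verify_rrset_sig(child_sig, child, "KEY", upd["keys"]):
            return reply("BADAUTH", "update SIG")
        # Parental policy (assumed values): validity window and key algorithms.
        if child_sig["inc"] >= child_sig["exp"] or child_sig["exp"] - NOW > MAX_FUTURE:
            return reply("REFUSED", "validity window")
        if any(alg not in ALLOWED_ALGS for _name, alg in upd["keys"]):
            return reply("REFUSED", "algorithm")
        new_sig = sign_rrset(self.key, child, "KEY", upd["keys"], child_sig["inc"], child_sig["exp"])
        # The downward ROLLOVER goes to the child whether or not the SIG is returned inline.
        self.queued.append({"to": child, "keys": upd["keys"], "sigs": [new_sig]})
        return reply("NOERROR", update=[new_sig] if self.sign_online else [])

def demo() -> dict:
    old, new = [("M1", "RSA")], [("M2", "RSA")]
    parent = Parent()
    old_parent_sig = sign_rrset("P1", "m.p.x", "KEY", old, NOW - 86400, NOW + 30 * 86400)
    ok = make_rollover_request("m.p.x", old, new, old_parent_sig, "M1", NOW, NOW + 90 * 86400)
    too_far = make_rollover_request("m.p.x", old, new, old_parent_sig, "M1", NOW, NOW + 400 * 86400)
    forged = make_rollover_request("m.p.x", old, new, old_parent_sig, "M2", NOW, NOW + 90 * 86400)
    unsigned = {k: v for k, v in ok.items() if k != "sig0"}
    return {"ok": parent.handle(ok)["rcode"], "too_far": parent.handle(too_far)["rcode"],
            "forged": parent.handle(forged)["rcode"], "unsigned": parent.handle(unsigned)["rcode"],
            "fifth": parent.handle(ok)["rcode"], "queued": len(parent.queued)}
```

   The "forged" request in demo() is signed under the new key M2, which
   the parent has never certified, so it fails at the request-signature
   check even though its prerequisites are genuine; a parent that only
   checked the prerequisites would accept it.  A parent that cannot sign
   online (Parent(sign_online=False)) answers NOERROR with an empty
   Update section and still queues the downward ROLLOVER.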
599c6d44f4d41aab5d3da98214492eb26e674b65Michael Graff
599c6d44f4d41aab5d3da98214492eb26e674b65Michael Graff
599c6d44f4d41aab5d3da98214492eb26e674b65Michael Graff
3.2 Rollover to Children

   When a secure zone is going to roll over its key(s), it needs to
   re-sign the zone keys of any secure children under its new key(s).
   The parent simply notifies the child via a rollover NOTIFY [RFC 1996]
   that the parent KEY(s) have changed. The child then proceeds to do
   an upward ROLLOVER request, as described in 3.1 above, to obtain the
   new parental SIG(s).

   A rollover NOTIFY is a NOTIFY request [RFC 1996] that has a QTYPE of
   SIG and, as its QNAME, the owner name of the child zone. The answer
   section carries the current parent SOA, signed by a key the child
   will know (see section 4).

   A rollover NOTIFY MUST be signed; if it is not signed, a BADAUTH
   response is generated. The signature MUST be under the previous
   parental zone KEY, so that the child can validate it, or under a
   valid TSIG key [draft-ietf-dnsind-tsig-*.txt] negotiated between
   parent and child.

   The rollover NOTIFY can be sent to any of the nameservers for the
   child using the nameserver selection algorithm defined in RFC 2136,
   Section 4. Nameservers for the child zone that receive a rollover
   NOTIFY query forward it in the same manner as an UPDATE is
   forwarded.

   Unless the master server is configured to initiate an automatic
   ROLLOVER, it MUST seek to inform its operators that a rollover NOTIFY
   request has been received. This could be done by a number of methods,
   including generating a log message, generating an email request to
   the child zone's SOA RNAME, or any other method defined in the
   server's configuration for the zone. The default SHOULD be to send
   mail to the zone's SOA RNAME. As with all rollover operations, care
   should be taken to rate limit these messages to prevent them from
   being used to facilitate a denial of service attack.

   Once the message has been sent (or suppressed, if so configured) to
   the child zone's administrator, the master server for the child zone
   is free to respond to the rollover NOTIFY request.



4. Secure Zone Cuts and Joinders

   There are two other events that have some similarity to key rollover.

   The first is when a secure zone that is more than one level deep has
   a zone cut introduced inside it. For example, assume zone example.com
   has a.b.c.example.com, d.b.c.example.com and e.example.com in it. A
   zone cut could be introduced such that b.c.example.com became a
   separate child zone of example.com. A real world example would be a
   company that structures its DNS as host.branch.company.example. It
   might start out with all of these names in one zone but later decide
   to delegate all or some of the branches to branch zone file
   maintainers.

   The second is when a secure zone absorbs a child zone, eliminating a
   zone cut. This is simply the inverse of the previous paragraph.

   From the point of view of the parent zone above the splitting zone, or
   above the upper of the two combining zones, there is no change.

   When a zone is split by introducing a cut, the newly created child
   must be properly configured.

   However, from the point of view of a child of the splitting zone
   which becomes a grandchild, or of a grandchild that becomes a child
   due to joinder, there is a change in parent name. Therefore, in
   general, there is a change in parent KEY(s). Unless the entity that
   handles rollovers for the zone whose parent name has changed is
   appropriately updated, future automated rollover will fail because it
   will be sent to the old parent.

   For this reason, and so that other consistency checks can be made,
   the parent SOA and SIG(SOA) are always included in the Answer section
   of rollover NOTIFY requests and in ROLLOVER responses. For automated
   rollover to the new cut or joined state to work, these SOAs must be
   signed with the old KEY(s) of the former parent so that the
   signatures can be validated by the zone whose parent name is
   changing. In the case of a joinder, if the private key of the
   pinched out middle zone is not available, then manual update of the
   former grandchild, now child, will be necessary. In the case of
   introducing a cut, operational coordination with the former parent,
   now grandparent, signing the initial updates to the former child, now
   grandchild, will be needed to automate the reconfiguration of the
   zones.
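
   As an added illustration (not code from this draft) of the child-side
   handling in section 3.2 and the parent-name consistency check in
   section 4: a parent builds a rollover NOTIFY, and the child's master
   server validates it under a shared TSIG key or under a previous parent
   KEY, rate limits the operator notice, and retargets future upward
   ROLLOVERs when the validated parent SOA carries a new owner name. The
   message model, the rcode strings, TSIG modelled as HMAC-SHA256, and
   key-tag membership standing in for SIG(SOA) verification are all
   assumptions made for this example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass
class RolloverNotify:
    """Constructed model of a rollover NOTIFY; not the draft's wire format."""
    qname: str                   # owner name of the child zone (the QNAME)
    qtype: str                   # "SIG" marks a rollover NOTIFY
    parent_soa: str              # current parent SOA carried in the Answer section
    soa_key_tag: Optional[int]   # tag of the parent KEY whose SIG(SOA) is attached
    tsig_mac: Optional[bytes] = None  # TSIG MAC, if parent and child share a key


def _tsig_mac(msg: RolloverNotify, key: bytes) -> bytes:
    """HMAC-SHA256 over the signed fields; an assumed stand-in for a TSIG RR."""
    data = f"{msg.qname}|{msg.qtype}|{msg.parent_soa}|{msg.soa_key_tag}".encode()
    return hmac.new(key, data, hashlib.sha256).digest()


def build_rollover_notify(child: str, parent_soa: str, key_tag: int,
                          tsig_key: Optional[bytes] = None) -> RolloverNotify:
    """Parent side (section 3.2): announce a parent KEY change to one child."""
    msg = RolloverNotify(child, "SIG", parent_soa, key_tag)
    if tsig_key is not None:
        msg.tsig_mac = _tsig_mac(msg, tsig_key)
    return msg


class ChildZoneServer:
    """Master server of a secure child zone receiving rollover NOTIFY requests."""

    def __init__(self, name: str, parent: str, known_parent_key_tags: set,
                 rname: str, tsig_key: Optional[bytes] = None,
                 auto_rollover: bool = False, min_notice_interval: float = 3600.0):
        self.name = name
        self.parent = parent                 # where upward ROLLOVERs are sent
        self.known_parent_key_tags = known_parent_key_tags  # previous parent KEY(s)
        self.rname = rname                   # SOA RNAME, the default mail target
        self.tsig_key = tsig_key
        self.auto_rollover = auto_rollover
        self.min_notice_interval = min_notice_interval  # rate limit on operator mail
        self.last_notice_at: Optional[float] = None
        self.operator_notices: list = []

    def _authenticated(self, msg: RolloverNotify) -> bool:
        # Path 1: TSIG under a key negotiated between parent and child.
        if msg.tsig_mac is not None and self.tsig_key is not None:
            return hmac.compare_digest(msg.tsig_mac, _tsig_mac(msg, self.tsig_key))
        # Path 2: SIG(SOA) under a previous parental zone KEY the child knows.
        # Key-tag membership stands in for RFC 2535 public-key verification.
        return msg.soa_key_tag in self.known_parent_key_tags

    def handle(self, msg: RolloverNotify, now: float) -> tuple:
        """Process one rollover NOTIFY at time `now`; returns (rcode, action)."""
        if msg.qtype != "SIG" or msg.qname != self.name:
            return ("REFUSED", "not a rollover NOTIFY for this zone")  # assumed
        if not self._authenticated(msg):
            return ("BADAUTH", "rollover NOTIFY unsigned or signature not verifiable")
        soa_owner = msg.parent_soa.split()[0]
        if soa_owner != self.parent:
            # Section 4: a cut or joinder changed the parent name, but the SOA
            # still validates under the old parent KEY, so retarget rollovers.
            self.parent = soa_owner
        if self.auto_rollover:
            return ("NOERROR", f"upward ROLLOVER request to {self.parent}")
        if (self.last_notice_at is not None
                and now - self.last_notice_at < self.min_notice_interval):
            return ("NOERROR", "operator notice suppressed by rate limit")
        self.last_notice_at = now
        self.operator_notices.append((now, self.rname, msg.parent_soa))
        return ("NOERROR", f"mail to {self.rname}")
```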



5. Security Considerations

   The security of ROLLOVER or UPDATE requests is essential; otherwise
   false children could steal parental authorization, a false parent
   could cause a child to install an invalid signature on its zone key,
   etc.

   A ROLLOVER request can be authenticated by request SIG(s) under the
   old zone KEY(s) of the requestor [RFC 2535]. The response SHOULD
   have transaction SIG(s) under the old zone KEY(s) of the responder.
   (This public key security could be used to roll over a zone to the
   unsecured state, but at that point it would generally not be possible
   to roll back without manual intervention.)

   Alternatively, if there is a prior arrangement between a child and a
   parent, ROLLOVER requests and responses can be secured and
   authenticated using TSIG [draft-ietf-dnsind-tsig-*.txt]. (TSIG
   security could be used to roll over a zone to unsecured and to roll
   over an unsecured zone to the secured state.)

   A server that implements online signing SHOULD have the ability to
   black list a zone and force manual processing, or demand that a
   particular signature be used to generate the ROLLOVER request. This
   is to allow ROLLOVER to be used even after a private key has been
   compromised.



6. IANA Considerations

   The DNS operation code (TBD) is assigned to ROLLOVER. There are no
   other IANA considerations in this document.



References

   [RFC 1034] "Domain names - concepts and facilities", P. Mockapetris,
   1 November 1987.

   [RFC 1035] "Domain names - implementation and specification", P.
   Mockapetris, 1 November 1987.

   [RFC 1996] "A Mechanism for Prompt Notification of Zone Changes (DNS
   NOTIFY)", P. Vixie, August 1996.

   [RFC 2119] "Key words for use in RFCs to Indicate Requirement
   Levels", S. Bradner, March 1997.

   [RFC 2136] "Dynamic Updates in the Domain Name System (DNS UPDATE)",
   P. Vixie, Ed., S. Thomson, Y. Rekhter, J. Bound, April 1997.

   [draft-ietf-dnsind-tsig-*.txt]

   [RFC 2535] "Domain Name System Security Extensions", D. Eastlake,
   March 1999.

   [RFC 2541] "DNS Security Operational Considerations", D. Eastlake,
   March 1999.



Authors' Addresses

   Donald E. Eastlake 3rd
   IBM
   65 Sindegan Hill Road, RR #1
   Carmel, NY 10512

   Telephone: +1 914-276-2668 (h)
              +1 914-784-7913 (w)
   FAX:       +1 914-784-3833 (w)
   EMail:     dee3@us.ibm.com


   Mark Andrews
   Internet Software Consortium
   1 Seymour Street
   Dundas Valley, NSW 2117
   AUSTRALIA

   Telephone: +61-2-9871-4742
   EMail:     marka@isc.org



Expiration and File Name

   This draft expires in October 1999.

   Its file name is draft-ietf-dnsind-rollover-00.txt.