INTERNET-DRAFT                                          DNSIND Key Rollover
UPDATES RFC 1996                                                 April 1999
                                                       Expires October 1999
              Domain Name System (DNS) Security Key Rollover
              ------ ---- ------ ----- -------- --- --------

                    Donald E. Eastlake 3rd, Mark Andrews
Status of This Document

   This draft, file name draft-ietf-dnsind-rollover-00.txt, is intended
   to become a Proposed Standard RFC.  Distribution of this document is
   unlimited.  Comments should be sent to the DNS working group mailing
   list <namedroppers@internic.net> or to the authors.
   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC 2026.  Internet-Drafts are working
   documents of the Internet Engineering Task Force (IETF), its areas,
   and its working groups.  Note that other groups may also distribute
   working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months.  Internet-Drafts may be updated, replaced, or obsoleted by
   other documents at any time.  It is not appropriate to use Internet-
   Drafts as reference material or to cite them other than as a
   ``working draft'' or ``work in progress.''

   The list of current Internet-Drafts can be accessed at

   The list of Internet-Draft Shadow Directories can be accessed at
Abstract

   Deployment of Domain Name System (DNS) security with good cryptologic
   practice will involve large volumes of key rollover traffic.  A
   standard format and protocol for such messages will be necessary for
   this to be practical and is specified herein.
   [Note: this draft has been moved to dnsind from dnssec as part of the
   ongoing combination of these working groups.  It would have been
D. Eastlake 3rd, M. Andrews                                     [Page 1]
Table of Contents

   Status of This Document
   Abstract
   Table of Contents

   1. Introduction
   2. Key Rollover Scenario
   3. Rollover Operation
   3.1 Rollover to Parent
   3.2 Rollover to Children
   4. Secure Zone Cuts and Joinders
   5. Security Considerations
   6. IANA Considerations

   References
   Authors' Addresses
   Expiration and File Name
1. Introduction

   The Domain Name System (DNS) [RFC 1034, 1035] is the global
   hierarchical replicated distributed database system for Internet
   addressing, mail proxy, and other information.  The DNS has been
   extended to include digital signatures and cryptographic keys as
   described in [RFC 2535].
   The principal security service provided for DNS data is data origin
   authentication.  The owner of each zone signs the data in that zone
   with a private key known only to the zone owner.  Anyone that knows
   the corresponding public key can then authenticate that zone data is
   from the zone owner.  To avoid having to preconfigure resolvers with
   all zones' public keys, keys are stored in the DNS with each zone's
   key signed by its parent (if the parent is secure).
   To obtain high levels of security, keys must be periodically changed,
   or "rolled over".  The longer a private key is used, the more likely
   it is to be compromised due to cryptanalysis, accident, or treachery.
   In a widely deployed DNS security system, the volume of update
   traffic will be large.  Just consider the .com zone.  If only 10% of
   its children are secure and change their keys only once a year, you
   are talking about hundreds of thousands of new child public keys that
   must be securely sent to the .com manager to sign and return with
   their new parent signature.  And when .com rolls over its private
   key, it will need to send hundreds of thousands of new signatures on
   the existing child public keys to the child zones.
7858523f0ca7d8d4365f6639fdb79b5200eff7bbbnicholes It will be impractical to handle such update volumes manually on a
945173cae9e0f894a50aec717acea9399680fdd5bnicholes case by case basis. The bulk of such key rollover updates must be
   The key words "MUST", "REQUIRED", "SHOULD", "RECOMMENDED", and "MAY"
   in this document are to be interpreted as described in [RFC 2119].
7858523f0ca7d8d4365f6639fdb79b5200eff7bbbnicholes2. Key Rollover Scenario
7858523f0ca7d8d4365f6639fdb79b5200eff7bbbnicholes Although DNSSEC provides for the storage of other keys in the DNS for
7858523f0ca7d8d4365f6639fdb79b5200eff7bbbnicholes other purposes, DNSSEC zone keys are included solely for the purpose
7858523f0ca7d8d4365f6639fdb79b5200eff7bbbnicholes of being retrieved to authenticate DNSSEC signatures. Thus, when a
945173cae9e0f894a50aec717acea9399680fdd5bnicholes zone key is being rolled over, the old public key should be left in
945173cae9e0f894a50aec717acea9399680fdd5bnicholes the zone, along with the addition of the new public key, for as long
ecc16907392dd9a7a11037d54aa463cc1149788abnicholes as it will reasonably be needed to authenticate old signatures that
ecc16907392dd9a7a11037d54aa463cc1149788abnicholes have been cached or are held by applications. Similarly, old parent
ecc16907392dd9a7a11037d54aa463cc1149788abnicholes SIGs should be retained for a short time after a parent KEY(s) roll
ecc16907392dd9a7a11037d54aa463cc1149788abnicholes over and new parent SIGs have been installed.
   If DNSSEC were universally deployed and all DNS servers' clocks were
   synchronized and zone transfers were instantaneous etc., it might be
   possible to avoid ever having duplicate old/new KEY/SIG RRsets due to
   simultaneous expiration of SIGs everywhere in the DNS.  But these
   assumptions do not hold.  Security-aware DNS servers decrease the TTL
   of secure RRs served as the expiration of their authenticating SIG(s)
   approaches, but some dithered margin must generally be left due to
   clock skew, RR retention by applications, and the like.  Retaining
   old KEYs for a while after rolling over to new KEYs will be necessary
   in practical cases.
   Assume a middle zone with a secure parent and a secure child wishes
   to roll over its KEY RRset.  This RRset would probably be one KEY RR
   per crypto algorithm used to secure the zone, but for this scenario,
   we will simply assume it is one KEY RR.  The old KEY RR and two SIG
   RRs will exist at the apex of the middle zone.  (These RRs may also
   exist at the leaf node for this zone in its parent if the parent
   chooses to store them there.)  The contents of the middle zone and the
   zone KEY RRs of its secure child will have SIGs under the old key.
   The middle zone owner needs to communicate with its parent to obtain
   a new parental signature covering both the old and new KEY RRs and
   one covering just the new KEY RR.  The signature on both is needed so
   the old KEY can be retained for the period it might be needed to
   authenticate old SIGs.  The middle zone would probably want to obtain
   these in advance so that it can install them at the right time along
   with its new SIG RRs covering the content of its zone.  Finally, it
   needs to give new SIG RRs to its child that cover its KEY RRs, so it
   must signal its children to ask for such SIG RRs.
         BEFORE ROLLOVER         SHORTLY AFTER           AFTER ROLLOVER

   m.p.x    SIG(KEY) M1    m.p.x    SIG(KEY) P1    m.p.x    SIG(KEY) M2
   c.m.p.x  SIG(KEY) M1    c.m.p.x  SIG(KEY) M2    c.m.p.x  SIG(KEY) M2
   c.m.p.x  SIG(KEY) C1    c.m.p.x  SIG(KEY) M1    c.m.p.x  SIG(KEY) C1

   p = parent, m = middle, c = child, GP = grandparent key
   P* = parent key, M* = middle zone key, C* = child key
7858523f0ca7d8d4365f6639fdb79b5200eff7bbbnicholesD. Eastlake 3rd, M. Andrews [Page 4]
b5b31852ab27739ab90febad74faefe8dab5b24efuankgINTERNET-DRAFT April 1999 DNSSEC Key Rollover
3. Rollover Operation

   Rollover operations use a DNS request syntactically identical to the
   UPDATE request [RFC 2136] (except that the operation code is ROLLOVER,
   which is equal to (TBD)) and use a new form of NOTIFY [RFC 1996].
   Considerations for such requests to the parent and children of a zone
   are given below.

   All rollover operations involve significant amounts of cryptographic
   calculation.  Appropriate rate limiting SHOULD be applied to avoid
   denial of service attacks.

   [This draft does not consider cross-certification key rollover.]
3.1 Rollover to Parent

   A zone rolling over its KEY RRset sends an upward ROLLOVER request to
   its parent.  Actually, it will normally do two upward ROLLOVERs, one
   for a combined KEY RRset of its old and new KEYs and one for just its
   new KEY RRset, as discussed above.
7858523f0ca7d8d4365f6639fdb79b5200eff7bbbnicholes The server selection algorithm in [RFC 2136] section 4 should be
7858523f0ca7d8d4365f6639fdb79b5200eff7bbbnicholes used. A child needs to be configured with or determine the name of
4e692b4a3b2030db8c188b994ebdaa374a6d467cbnicholes its parent but SHOULD NOT remember the location of its parent other
7858523f0ca7d8d4365f6639fdb79b5200eff7bbbnicholes than via normal DNS caching of address RRs so that rollover will
8eddc914b28a460d7c590331ee9313d1fd9ae125bnicholes continue to work if its parent servers are moved.
7858523f0ca7d8d4365f6639fdb79b5200eff7bbbnicholes The ROLLOVER request Zone should be specified as the parent zone.
945173cae9e0f894a50aec717acea9399680fdd5bnicholes The request Update section has the new KEY RRset on which the parent
945173cae9e0f894a50aec717acea9399680fdd5bnicholes signature is requested along with the requesting zone's SIG(s) under
945173cae9e0f894a50aec717acea9399680fdd5bnicholes its old KEY(s) as RRs to be "added" to the parent zone. The
8ab4d23ce5b402430c92e7540a1953523afbae4fbnicholes inception and expiration times in this child SIG or SIGs are the
8ab4d23ce5b402430c92e7540a1953523afbae4fbnicholes requested inception and expiration times for the new parent SIG(s).
8ab4d23ce5b402430c92e7540a1953523afbae4fbnicholes The "prerequisites" section has the old child KEY RRset with the
8ab4d23ce5b402430c92e7540a1953523afbae4fbnicholes parent SIG (see next paragraph).
   An upward ROLLOVER request MUST be signed and if not signed a BADAUTH
   response generated.  The signature MUST be under the previous zone
   KEY, so the parent can validate it, or under a valid TSIG key
   [draft-ietf-dnsind-tsig-*.txt] arranged with the parent.  Including
   the "prerequisite" section as specified above enables a parent that
   keeps no record of its children's KEYs to still authenticate a
   child's ROLLOVER request based on the old child KEY because the
   parent is presented with its own SIG on the old KEY.
   If the ROLLOVER command is erroneous or violates parental policy, an
   Error response is returned.  If a parent retains copies of its
   children's KEYs, it may use that knowledge to validate ROLLOVER
   request SIGs and ignore the "prerequisites" section.
   If the ROLLOVER command is OK and the parent can sign online, its
   response MAY include the new parent SIG(s) in the response Update
   section.  This response MUST be sent to the originator of the request.
   If the parent can not sign online, it should return a response with
   an empty Update section and queue the SIG(s) calculation request.
   This response MUST be sent to the originator of the request.
   ROLLOVER response messages MUST always include the actual parent's
   SOA, signed with a key the child should recognize, in the Additional
   Information section (see section 4 below).
   Regardless of whether the server has sent the new signatures above,
   it MUST, once it has calculated the new SIG(s), send a ROLLOVER to
   the child zone using the DNS port (53) and the server selection
   algorithm defined in RFC 2136, Section 4.  This ROLLOVER request
   contains the KEY RRset that triggered it and the new SIG(s).  There
   are several reasons for sending the ROLLOVER response regardless of
   whether the new SIG RR(s) were sent in the original response.  One is
   to provide an indication to the operators of the zone in the event
   someone is trying to hijack the zone.  Another is that this maximizes
   the probability of the response getting through.
   Although the parent zone need not hold or serve the child's key, if
   it does, the ROLLOVER request SHOULD NOT automatically update the
   parent zone.  A later UPDATE command can be used to actually put the
   new KEY into the parent zone if desired and supported by parent
   This document does not cover the question of parental policy on key
   rollovers.  Parents may have restrictions on how far into the future
   they will sign KEY RRsets, what algorithms or key lengths they will
   support, might require payment for the service, etc.  The signing of
   a future KEY by a parent is, to some extent, a granting of future
   authoritative existence to the controller of the child private key
   even if the child zone ownership should change.  The only effective
   way of invalidating such future signed child public keys would be for
   the parent to roll over its key(s), which might be an expensive
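   The parent side of the upward ROLLOVER described in this section, as
   an added Go example that is not code from the draft or from any DNS
   implementation: an unsigned request gets BADAUTH, a parent with no
   record of the child authenticates it through its own SIG on the old
   KEY RRset in the prerequisites, the request signature must verify
   under the old child KEY, the requested inception/expiration are taken
   from the child SIG, and parental policy (signing horizon, owner name)
   is applied before a new SIG is issued.  Ed25519, the canonical form,
   the reduced KEY/SIG records and the Parent/RolloverRequest types are
   stand-ins assumed by this example; the names m.p.x and c.m.p.x are
   those of the scenario in section 2.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// KEY and SIG RRs reduced to what rollover logic needs; Ed25519 stands in for RFC 2535 algorithms.
type KeyRR struct {
	Owner string
	Pub   ed25519.PublicKey
}

type SigRR struct {
	Inception, Expiration time.Time
	Sig                   []byte
}

// canonical is the data a SIG covers: the validity window plus the KEY RRset.
// Binding the window stops a SIG being replayed with a different expiration.
func canonical(keys []KeyRR, inc, exp time.Time) []byte {
	out := fmt.Sprintf("%d %d", inc.Unix(), exp.Unix())
	for _, k := range keys {
		out += fmt.Sprintf("\n%s KEY %x", k.Owner, []byte(k.Pub))
	}
	return []byte(out)
}

func sign(priv ed25519.PrivateKey, keys []KeyRR, inc, exp time.Time) *SigRR {
	return &SigRR{inc, exp, ed25519.Sign(priv, canonical(keys, inc, exp))}
}

func verify(pub ed25519.PublicKey, keys []KeyRR, s *SigRR) bool {
	return s != nil && ed25519.Verify(pub, canonical(keys, s.Inception, s.Expiration), s.Sig)
}

// RolloverRequest holds the UPDATE-shaped sections of section 3.1: the
// prerequisite (old child KEY RRset with the parent's own SIG on it) and the
// update (KEY RRset to be signed plus the child's SIG under its old KEY, whose
// inception/expiration are the window requested for the new parent SIG).
type RolloverRequest struct {
	OldKeys   []KeyRR
	ParentSig *SigRR
	NewKeys   []KeyRR
	ChildSig  *SigRR // also serves as the request signature here; nil = unsigned
}

const NOERROR, BADAUTH, REFUSED = "NOERROR", "BADAUTH", "REFUSED"

// Parent signs online and keeps no record of its children's KEYs.
type Parent struct {
	Priv     ed25519.PrivateKey
	MaxAhead time.Duration // policy: furthest expiration it is willing to sign
}

func (p *Parent) HandleRollover(r RolloverRequest, now time.Time) (string, *SigRR, error) {
	if r.ChildSig == nil {
		return BADAUTH, nil, errors.New("unsigned ROLLOVER")
	}
	// The parent's own SIG on the old KEY RRset authenticates a child it has no record of.
	if len(r.OldKeys) == 0 || !verify(p.Priv.Public().(ed25519.PublicKey), r.OldKeys, r.ParentSig) {
		return BADAUTH, nil, errors.New("prerequisites lack a valid parent SIG on the old KEY")
	}
	child, authed, sameOwner := r.OldKeys[0].Owner, false, len(r.NewKeys) > 0
	for _, k := range r.OldKeys {
		authed = authed || (k.Owner == child && verify(k.Pub, r.NewKeys, r.ChildSig))
	}
	if !authed {
		return BADAUTH, nil, errors.New("request SIG does not verify under the old child KEY")
	}
	// Policy: KEYs must belong to the authenticated child; window sane and within the horizon.
	for _, k := range r.NewKeys {
		sameOwner = sameOwner && k.Owner == child
	}
	inc, exp := r.ChildSig.Inception, r.ChildSig.Expiration
	if !sameOwner || !exp.After(inc) || exp.After(now.Add(p.MaxAhead)) {
		return REFUSED, nil, errors.New("request violates parental policy")
	}
	return NOERROR, sign(p.Priv, r.NewKeys, inc, exp), nil
}

// main: c.m.p.x rolls over under m.p.x (section 2 names), sending the two upward ROLLOVERs.
func main() {
	pPub, pPriv, _ := ed25519.GenerateKey(rand.Reader)
	oPub, oPriv, _ := ed25519.GenerateKey(rand.Reader)
	nPub, _, _ := ed25519.GenerateKey(rand.Reader)
	oldKey, newKey := KeyRR{"c.m.p.x.", oPub}, KeyRR{"c.m.p.x.", nPub}
	now, day := time.Now(), 24*time.Hour
	parent := &Parent{pPriv, 90 * day}
	pSig := sign(pPriv, []KeyRR{oldKey}, now.Add(-day), now.Add(30*day)) // SIG currently on the child KEY
	for _, set := range [][]KeyRR{{oldKey, newKey}, {newKey}} {
		req := RolloverRequest{[]KeyRR{oldKey}, pSig, set, sign(oPriv, set, now, now.Add(60*day))}
		code, sig, err := parent.HandleRollover(req, now)
		fmt.Println(code, err, verify(pPub, set, sig)) // NOERROR <nil> true
	}
}
```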
3.2 Rollover to Children

   When a secure zone is going to roll over its key(s), it needs to re-
   sign the zone keys of any secure children under its new key(s).  The
   parent simply notifies the child via a rollover NOTIFY [RFC 1996]
   that the parent KEY(s) have changed.  The child then proceeds to do
   an upward ROLLOVER request, as described in section 3.1 above, to
   obtain the new parental SIG(s).
   A rollover NOTIFY is a NOTIFY request [RFC 1996] that has a QTYPE of
   SIG and the owner name of the child zone.  The answer section has the
   current parent SOA signed by a key the child will know (see section
   A rollover NOTIFY MUST be signed and if not signed a BADAUTH response
   generated.  The signature MUST be under the previous parental zone
   KEY, so the child can validate it, or under a valid TSIG key [draft-
   ietf-dnsind-tsig-*.txt] negotiated between parent and child.
   The rollover NOTIFY can be sent to any of the nameservers for the
   child using the nameserver selection algorithm defined in RFC 2136,
   Section 4.  Nameservers for the child zone receiving a rollover
   NOTIFY query will forward the rollover NOTIFY in the same manner as
   an UPDATE is forwarded.
   Unless the master server is configured to initiate an automatic
   ROLLOVER, it MUST seek to inform its operators that a rollover NOTIFY
   request has been received.  This could be done by a number of methods
   including generating a log message, generating an email request to
   the child zone's SOA RNAME, or any other method defined in the
   server's configuration for the zone.  The default SHOULD be to send
   mail to the zone's SOA RNAME.  As with all rollover operations, care
   should be taken to rate limit these messages to prevent them from
   being used to facilitate a denial of service attack.
   Once the message has been sent (or suppressed if so configured) to
   the child zone's administrator, the master server for the child zone
   is free to respond to the rollover NOTIFY request.
4. Secure Zone Cuts and Joinders

   There are two other events that have some similarity to key rollover.

   The first is when a secure zone that is more than one level deep has
   a zone cut introduced inside it.  For example, assume zone example.com
   has a.b.c.example.com, d.b.c.example.com and e.example.com in it.  A
   zone cut could be introduced such that b.c.example.com became a
   separate child zone of example.com.  A real world example would be a
   company that structures its DNS as host.branch.company.example.  It
   might start out with all of these names in one zone but later decide
   to delegate all or some of the branches to branch zone file
   maintainers.

   The second is when a secure zone absorbs a child zone, eliminating a
   zone cut.  This is simply the inverse of the previous paragraph.
   From the point of view of the parent zone above the splitting zone or
   above the upper of the two combining zones, there is no change.
   When a zone is split by introducing a cut, the newly created child
   must be properly configured.
   However, from the point of view of a child of the splitting zone
   which becomes a grandchild, or a grandchild that becomes a child due
   to joinder, there is a change in parent name.  Therefore, in general,
   there is a change in parent KEY(s).  Unless the entity that handles
   rollovers for the zone whose parent name has changed is appropriately
   updated, future automated rollover will fail because it will be sent
   to the old parent.
   For this reason, and so that other consistency checks can be made, the
   parent SOA and SIG(SOA) are always included in the Answer section of
   rollover NOTIFY requests and in ROLLOVER responses.  For automated
   rollover to the new cut or joined state to work, these SOAs must be
   signed with old KEY(s) of the former parent so the signatures can be
   validated by the zone whose parent name is changing.  In the case of
   a joinder, if the private key of the pinched out middle zone is not
   available, then manual update of the former grandchild, now child,
   will be necessary.  In the case of introducing a cut, operational
   coordination with the former parent, now grandparent, signing the
   initial updates to the former child, now grandchild, will be needed
   to automate the reconfiguration of the zones.
5. Security Considerations

   The security of ROLLOVER or UPDATE requests is essential, otherwise
   false children could steal parental authorization or a false parent
   could cause a child to install an invalid signature on its zone key.
   A ROLLOVER request can be authenticated by request SIG(s) under the
   old zone KEY(s) of the requestor [RFC 2535].  The response SHOULD
   have transaction SIG(s) under the old zone KEY(s) of the responder.
   (This public key security could be used to roll over a zone to the
   unsecured state, but at that point it would generally not be possible
   to roll back without manual intervention.)
   Alternatively, if there is a prior arrangement between a child and a
   parent, ROLLOVER requests and responses can be secured and
   authenticated using TSIG [draft-ietf-dnsind-tsig-*.txt].  (TSIG
   security could be used to roll over a zone to unsecured and to
   roll over an unsecured zone to the secured state.)
   A server that implements online signing SHOULD have the ability to
   black list a zone and force manual processing, or to demand that a
   particular signature be used to generate the ROLLOVER request.  This
   is to allow ROLLOVER to be used even after a private key has been
   compromised.
6. IANA Considerations

   The DNS operation code (TBD) is assigned to ROLLOVER.  There are no
   other IANA considerations in this document.
References

   [RFC 1034] - "Domain names - concepts and facilities", P.
   Mockapetris, 11/01/1987.

   [RFC 1035] - "Domain names - implementation and specification", P.
   Mockapetris, 11/01/1987.

   [RFC 1996] - "A Mechanism for Prompt Notification of Zone Changes
   (DNS NOTIFY)", P. Vixie, August 1996.

   [RFC 2119] - "Key words for use in RFCs to Indicate Requirement
   Levels", S. Bradner, March 1997.

   [RFC 2136] - "Dynamic Updates in the Domain Name System (DNS
   UPDATE)", P. Vixie, Ed., S. Thomson, Y. Rekhter, J. Bound, April
   1997.

   [draft-ietf-dnsind-tsig-*.txt]

   [RFC 2535] - "Domain Name System Security Extensions", D. Eastlake.

   [RFC 2541] - "DNS Security Operational Considerations", D. Eastlake.
Authors' Addresses

   Donald E. Eastlake 3rd
   65 Sindegan Hill Road, RR #1
   Carmel, NY 10512

   Telephone:   +1 914-276-2668 (h)
                +1 914-784-7913 (w)
   FAX:         +1 914-784-3833 (w)
   EMail:       dee3@us.ibm.com

   Mark Andrews
   Internet Software Consortium
   1 Seymour Street
   Dundas Valley, NSW 2117

   Telephone:   +61-2-9871-4742
   Email:       marka@isc.org
Expiration and File Name

   This draft expires in October 1999.

   Its file name is draft-ietf-dnsind-rollover-00.txt.
7858523f0ca7d8d4365f6639fdb79b5200eff7bbbnicholesD. Eastlake 3rd, M. Andrews [Page 11]