INTERNET-DRAFT Mapping AS Number into the DNS
July 1997
Expires January 1998
Mapping Autonomous Systems Number into the Domain Name System
------- ---------- ------- ------ ---- --- ------ ---- ------
Donald E. Eastlake 3rd
Status of This Document
This draft, file name draft-ietf-dnssec-as-map-05.txt, is intended to
become a Best Current Practice RFC concerning utilization of the
Domain Name System (DNS) to support routing security. Distribution of
this document is unlimited. Comments should be sent to the DNS
Security Working Group mailing list <dns-security@tis.com> or to the
author.
This document is an Internet-Draft. Internet-Drafts are working
documents of the Internet Engineering Task Force (IETF), its areas,
and its working groups. Note that other groups may also distribute
working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six
months. Internet-Drafts may be updated, replaced, or obsoleted by
other documents at any time. It is not appropriate to use
Internet-Drafts as reference material or to cite them other than as a
``working draft'' or ``work in progress.''
To learn the current status of any Internet-Draft, please check the
1id-abstracts.txt listing contained in the Internet-Drafts Shadow
Directories on ds.internic.net (East USA), ftp.isi.edu (West USA),
nic.nordu.net (North Europe), ftp.nis.garr.it (South Europe),
munnari.oz.au (Pacific Rim), or ftp.is.co.za (Africa).
Donald E. Eastlake 3rd [Page 1]
Abstract
One requirement of secure routing is that independent routing
entities, such as those identified by Internet Autonomous System
Numbers, be able to authenticate messages to each other. Additions
have developed to the Domain Name System to enable it to be used for
authenticated public key distribution [RFC 2065]. This draft maps
all Autonomous System numbers into DNS Domain Names so that the DNS
security can be used to distribute their public keys.
[Changes from previous version are to accommodate AS numbers larger
than 16 bits and to delegate on decimal boundaries rather than binary
boundaries.]
Acknowledgements
The contributions of the following persons, listed in alphabetic
order, to this draft are gratefully acknowledged:
Ran Atkinson
Christian Huitema
Tony Li
Michael A. Patton.
Table of Contents
Status of This Document....................................1
Abstract...................................................2
Acknowledgements...........................................2
Table of Contents..........................................3
1. Introduction............................................4
2. Autonomous System Number Mapping........................5
3. Meaning of RRs..........................................6
4. Security Considerations.................................8
References.................................................8
Author's Address...........................................8
Expiration and File Name...................................9
1. Introduction
There are a number of elements required to secure routing in the
Internet. One of these is a way for independently operated routing
domains to authenticate messages to each other.
Sharing a private symmetric key between each pair of such domains is
impractical. Assuming 2**16 Autonomous System routing entities,
which is what is allowed in current versions of BGP, [RFC 1771], this
would imply approximately 2**31 pairs, an impractical number of keys
to securely generate, install, and periodically replace.
The solution is to use public key technology whereby each routing
domain has a private key it can use to sign messages. Other domains
that know the corresponding public key can then authenticate these
messages. Such authenticated messages can be used to set up and
maintain efficient symmetric keys on an as needed basis.
But how do the domains securely obtain the Autonomous System number
to public key mapping?
Extensions have been developed for the Domain Name System that enable
it to be conveniently used for authenticated public key distribution
[RFC 2065]. A variety of key types can be supported. All that is
required is a mapping of Autonomous System numbers into domain names,
which is provided by this draft.
It should be noted that the public keys retrieved from DNS will
likely be used primarily to authenticate initial connection set up
messages. Autonomous Systems that need to converse with any
frequency will probably negotiate more efficient symmetric session
keys.
2. Autonomous System Number Mapping
Autonomous System (AS) numbers are usually written as decimal numbers,
and when blocks of AS numbers are delegated to a registry, it is
normally on decimal boundaries. Their current use in BGP is limited
to 16 bits, providing a maximum value of 65,535. For example, ANS is
autonomous system 690. However, there is no inherent size limit in
the AS concept. AS numbers are mapped into a domain name as
described below.
Write the AS number, as usual, as a decimal number without any
"thousands" punctuation. If it is less than 5 digits, add leading
zeros to bring it up to five digits. Then simply reverse the order
of the digits, put a period between them, and append
".length.in-as.arpa" where "length" is the number of AS digits. This mapping is
analogous to the IPv4 address mapping into the in-addr.arpa DNS
domain.
Thus the domain name corresponding to Autonomous System 690 (decimal) is
0.9.6.0.0.5.in-as.arpa.
The domain name corresponding to the largest possible AS number in BGP, 65,535, is
5.3.5.5.6.5.in-as.arpa.
The domain name corresponding to AS number 65,000 is
0.0.0.5.6.5.in-as.arpa.
And the domain name corresponding to a hypothetical future AS number larger than
16 bits, 1,234,567, is
7.6.5.4.3.2.1.7.in-as.arpa.
3. Meaning of RRs
The following guidance is given for some resource record (RR) types
that could be stored under the names mapped from AS numbers. The KEY
RR is given first, followed by the SIG RR, the NXT RR, and then some
additional RR types in alphabetic order.
KEY: This type of RR associates a public key with the owner name
which, in this case, corresponds to an Autonomous System (AS). Under
DNS security as proposed in RFC 2065 the KEY RR can be used to store
a variety of digital keys. A KEY for use in securing routing
communications between ASs will have the end entity flag bit on, the
authentication use prohibited flag bit off, and a protocol byte or
flag bit indicating routing communications use. Such a public key can
be used to authenticate communications with or between ASs. The
existence of such KEY RRs is the primary reason for mapping AS names
into the DNS.
SIG: The SIG signature resource record authenticates the RRs
that it signs as described in RFC 2065. Assuming the signer who
generated the SIG is trustworthy, such as the in-as.arpa zone owner,
then the signed RRs can be trusted.
NXT: An NXT RR is used in DNS security to provide authenticated
denial of the existence of types and names as described in RFC 2065.
A, AAAA: Type A or AAAA RRs SHOULD NOT be placed at AS nodes.
AS domain names are reserved for Autonomous Systems only and should
NOT be used for a host or any type of end entity other than an
Autonomous System.
CNAME: This type of RR is an alias pointing to another domain
name. An AS could have a CNAME pointing to a different AS but this
is not likely to be very useful as AS RRs will normally be looked up
when the AS number is actually encountered in use.
MX: There is no special use for an MX RR for an AS name. It
could point to a host that would accept mail related to that AS.
NS: The presence of NS records under an AS name means that it
has been carved out as a subzone. This gives the AS complete control
over the zone refresh parameters and control over the creation of
inferior names. No special meaning is currently assigned to such
inferior names so, although this is not advised, they could be used
for hosts or whatever. In this case, there will also be a zone KEY at
the AS name, indicated by having the zone flag bit on.
PTR: The part of the forward domain tree that administratively
corresponds to the AS SHOULD be indicated by a PTR RR. If some
entity, say example.xx, has several ASs, there would be PTRs to
example.xx from several names in the in-as.arpa hierarchy.
RP: A Responsible Person RR SHOULD appear under each AS name
telling you who you should contact in the case of problems with that
AS.
TXT: Text RRs can be used for comments, postal address, or
similar notes under an AS name.
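The mapping rule of section 2 and the PTR, RP and TXT guidance of section 3, worked through in Python. This is an added example, not code from the draft or from any IETF project: the draft specifies only the forward mapping (AS number to name), so the inverse mapping, the canonical-form check, the zone-file helper and the sample values (example.xx, the hostmaster mailbox) are assumptions made here for illustration.

```python
# Added example, not part of the draft: the AS-number <-> in-as.arpa mapping
# from section 2, plus a generator for the PTR/RP/TXT records that section 3
# suggests placing under an AS name.  The inverse mapping, the zone-file
# helper and the sample values (example.xx, hostmaster mailbox) are this
# example's own assumptions, not anything the draft specifies.

IN_AS_SUFFIX = "in-as.arpa"


def as_to_name(asn: int) -> str:
    """Map an AS number to its in-as.arpa owner name (section 2).

    Write the number in decimal, zero-pad to at least five digits, reverse
    the digits, join them with periods, then append the digit count and
    the in-as.arpa suffix.
    """
    if asn < 0:
        raise ValueError("AS number must be non-negative")
    digits = f"{asn:05d}"            # at least five digits, leading zeros
    reversed_labels = ".".join(reversed(digits))
    return f"{reversed_labels}.{len(digits)}.{IN_AS_SUFFIX}"


def name_to_as(name: str) -> int:
    """Inverse of as_to_name (an assumption; the draft defines only the
    forward direction).  Rejects names whose length label disagrees with
    the digit labels, or that are not the canonical encoding of their AS."""
    labels = name.rstrip(".").lower().split(".")
    if labels[-2:] != IN_AS_SUFFIX.split("."):
        raise ValueError("not an in-as.arpa name")
    body = labels[:-2]
    if len(body) < 2:
        raise ValueError("missing length label")
    length_label, digit_labels = body[-1], body[:-1]
    if not length_label.isdigit() or int(length_label) != len(digit_labels):
        raise ValueError("length label does not match the digit count")
    if len(digit_labels) < 5:
        raise ValueError("fewer than five digit labels")
    if not all(len(d) == 1 and d.isdigit() for d in digit_labels):
        raise ValueError("digit labels must be single decimal digits")
    asn = int("".join(reversed(digit_labels)))
    # Non-canonical forms (e.g. "0.9.6.0.0.0.6") would decode, but are
    # refused so that one AS has exactly one owner name to sign and look up.
    if as_to_name(asn) != ".".join(labels):
        raise ValueError("non-canonical encoding of AS %d" % asn)
    return asn


def is_as_name(name: str) -> bool:
    """True if name is a well-formed, canonical in-as.arpa name."""
    try:
        name_to_as(name)
        return True
    except ValueError:
        return False


def as_records(asn: int, forward_domain: str, contact_mbox: str) -> list:
    """Zone-file lines for the non-key RRs section 3 suggests under an AS
    name: a PTR to the forward domain that administratively owns the AS,
    an RP naming a contact mailbox, and a TXT comment.  KEY, SIG and NXT
    are produced by the zone's signing tools rather than written by hand,
    so they are left out here.
    """
    owner = as_to_name(asn) + "."
    fwd = forward_domain.rstrip(".") + "."
    mbox = contact_mbox.rstrip(".") + "."
    return [
        f"{owner} IN PTR {fwd}",
        f"{owner} IN RP {mbox} .",       # "." = no TXT record for the contact
        f'{owner} IN TXT "Autonomous System {asn}"',
    ]


if __name__ == "__main__":
    for n in (690, 65535, 65000, 1234567):      # the draft's own examples
        print(f"AS {n:>8} -> {as_to_name(n)}")
    # constructed sample values, not from the draft
    for line in as_records(690, "example.xx", "hostmaster.example.xx"):
        print(line)
```

Running the module prints the four names given in section 2 followed by a PTR, RP and TXT line for AS 690. The canonical-form check in name_to_as matters for the security use case: a resolver that accepted both 0.9.6.0.0.5 and 0.9.6.0.0.0.6 as AS 690 would have two places to look for a KEY RR, and only one of them need be under the control of the AS.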
4. Security Considerations
This document concerns a means to map Internet Autonomous System
numbers into the Domain Name System (DNS) so that DNS can be used to
provide secure distribution of Autonomous System's public keys. The
security of the resulting AS to key mapping is dependent on the
security of the DNS security extensions and of the DNS zone where the
key is stored.
The most obvious way of using the AS keys retrieved from DNS is to
authenticate communications with a directly connected AS. However,
this does not prove that any routing information exchanged is
actually correct; note also that routing information communicated over
this secured path may have been indirectly forwarded from, or may be
forwarded on to, yet other ASs.
References
[RFC 1034] - P. Mockapetris, "Domain Names - Concepts and Facilities",
November 1987.
[RFC 1035] - P. Mockapetris, "Domain Names - Implementation and
Specification", November 1987.
[RFC 1771] - Y. Rekhter, T. Li, "A Border Gateway Protocol 4 (BGP-4)",
March 1995.
[RFC 2065] - D. Eastlake, C. Kaufman, "Domain Name System Security
Extensions", January 1997.
Author's Address
Donald E. Eastlake 3rd
CyberCash, Inc.
318 Acton Street
Carlisle, MA 01741 USA
Telephone: +1 508 287 4877
+1 703 620-4200 (main office, Reston, VA)
FAX: +1 508 371 7148
EMail: dee@cybercash.com
Expiration and File Name
This draft expires January 1998.
Its file name is draft-ietf-dnssec-as-map-05.txt.