wdiff rfc7344.original rfc7344.txt

dnsop
Internet Engineering Task Force (IETF) W. Kumari
Internet-Draft
Request for Comments: 7344 Google
Intended status:
Category: Informational O. Gudmundsson
Expires: December 12, 2014 Shinkuro Inc.
ISSN: 2070-1721 OGUD Consulting
G. Barwood

June 10,
August 2014

Automating DNSSEC Delegation Trust Maintenance
draft-ietf-dnsop-delegation-trust-maintainance-14

Abstract

This document describes a method to allow DNS operators Operators to more
easily update DNSSEC Key Signing Keys using the DNS as a
communication channel. The technique described is aimed at
delegations in which it is currently hard to move information from
the child Child to parent. Parent.

Status of This Memo

This Internet-Draft document is submitted in full conformance with the
provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents not an Internet Standards Track specification; it is
published for informational purposes.

This document is a product of the Internet Engineering Task Force
(IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list It represents the consensus of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Not all documents
approved by the IESG are a maximum candidate for any level of Internet
Standard; see Section 2 of six months RFC 5741.

Information about the current status of this document, any errata,
and how to provide feedback on it may be updated, replaced, or obsoleted by other documents obtained at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

This Internet-Draft will expire on December 12, 2014.
http://www.rfc-editor.org/info/rfc7344.

This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.

Table of Contents

1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 3
1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4
1.2. Requirements Notation . . . . . . . . . . . . . . . . . . 4
2. Background . . . . . . . . . . . . . . . . . . . . . . . . . 4 5
2.1. DNS Delegations . . . . . . . . . . . . . . . . . . . . . 4 5
2.2. Relationship Between between Parent and Child DNS Operator Operators . . . 5
2.2.1. Solution Space . . . . . . . . . . . . . . . . . . . 6
2.2.2. DNSSEC key change process Key Change Process . . . . . . . . . . . . . . 6 7
3. CDS / (Child DS) and CDNSKEY (Child DS / Child DNSKEY) Record Definitions . 7
3.1. CDS Resource Record Format . . . . . . . . . . . . . . . 8
3.2. CDNSKEY Resource Record Format . . . . . . . . . . . . . 8
4. Automating DS Maintenance With CDS / CDNSKEY records with CDS/CDNSKEY Records . . . . . 8
4.1. CDS / and CDNSKEY Processing Rules . . . . . . . . . . . . . 8 9
5. CDS / CDNSKEY CDS/CDNSKEY Publication . . . . . . . . . . . . . . . . . . . 9
6. Parent Side CDS / CDNSKEY Parent-Side CDS/CDNSKEY Consumption . . . . . . . . . . . . . 9
6.1. Detecting a Changed CDS / CDNSKEY CDS/CDNSKEY . . . . . . . . . . . . 9 . 10
6.1.1. CDS / CDNSKEY CDS/CDNSKEY Polling . . . . . . . . . . . . . . . . . 10
6.1.2. Polling Triggers . . . . . . . . . . . . . . . . . . 10 11
6.2. Using the New CDS / CDNSKEY CDS/CDNSKEY Records . . . . . . . . . . . . 11
6.2.1. Parent Calculates DS . . . . . . . . . . . . . . . . 11 12
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12
8. Privacy Considerations . . . . . . . . . . . . . . . . . . . 12
9. Security Considerations . . . . . . . . . . . . . . . . . . . 12 13
10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 14
11. References . . . . . . . . . . . . . . . . . . . . . . . . . 14 15
11.1. Normative References . . . . . . . . . . . . . . . . . . 14 15
11.2. Informative References . . . . . . . . . . . . . . . . . 15
Appendix A. RRR background Background . . . . . . . . . . . . . . . . . . . 15 17
Appendix B. CDS key rollover example . . . . . . . . . . . . . . 16
Appendix C. Changes / Author Notes. Key Rollover Example . . . . . . . . . . . . . . 17
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 21

1. Introduction

The first time a DNS operator Operator signs a zone, they need to communicate
the keying material to their parent Parent through some out-of-band method
to complete the chain of trust. Depending on the desires of the
parent,
Parent, the child Child might send their DNSKEY record, a DS record, or
both.

Each time the child Child changes the key that is represented in the
parent,
Parent, the updated and / or and/or deleted key information has to be
communicated to the parent Parent and published in the parent's Parent's zone. How
this information is sent to the parent Parent depends on the relationship
the child Child has with the parent. Parent. In many cases this is a manual
process,
process -- and not an easy one. For each key change, there may be up
to two interactions with the parent. Parent. Any manual process is
susceptible to mistakes and / or and/or errors. In addition, due to the
annoyance factor of the process, operators Operators may avoid changing keys or
skip needed steps to publish the new DS at the parent. Parent.

DNSSEC provides data integrity to information published in DNS; thus thus,
DNS publication can be used to automate maintenance of delegation
information. This document describes a method to automate
publication of subsequent DS records, records after the initial one has been
published.

Readers are expected to be familiar with DNSSEC, including [RFC4033],
[RFC4034], [RFC4035], [RFC5011] [RFC5011], and [RFC6781].

This document outlines a technique in which the parent Parent periodically
(or upon request) polls its signed children Children and automatically
publishes new DS records. To a large extent, the procedures this
document follows are as described in [RFC6781] section [RFC6781], Section 4.1.2.

This technique is designed to be friendly both to fully automated
tools and humans. Fully automated tools can perform all the actions
needed without human intervention, intervention and thus can monitor when it is
safe to move to the next step.

The solution described in this document only allows transferring
information about DNSSEC keys (DS and DNSKEY) from the child Child to the
parental agent.
Parental Agent. It lists exactly what the parent Parent should publish, publish and
allows for publication of stand-by standby keys. A different protocol,
[I-D.csync],
[CPSYNC-DNS], can be used to maintain other important delegation
information, such as NS and glue. glue records. These two protocols have
been kept as separate solutions because the problems are
fundamentally
different, different and a combined solution is overly complex.

This document describes a method for automating maintenance of the
delegation trust information, information and proposes a polled / periodic polled/periodic trigger
for simplicity. Some users may prefer a different trigger, for example
example, a button on a webpage, web page, a REST interface interface, or a DNS NOTIFY.
These alternate / additional triggers are not discussed in this
document.

This proposal does not include all operations needed for the
maintenance of DNSSEC key material, specifically the initial
introduction or complete removal of all keys. Because of this,
alternate communications mechanisms must always exist, potentially
introducing more complexity.

1.1. Terminology

The terminology we use is defined in this section.

Highlighted roles: The highlighted
roles are as follows:

o Child: "The The entity on record that has the delegation of the domain
from the parent" Parent.

o Parent: "The The domain in which the child Child is registered" registered.

o Child DNS Operator: "The The entity that maintains and publishes the
zone information for the child DNS" Child DNS.

o Parental Agent: "The The entity that the child Child has a relationship with, with
to change its delegation information" information.

o Provisioning system: "A System: A system that the operator Operator of the master DNS
server operates to maintain the information published in the DNS.
This includes the systems that sign the DNS data" data.

o CDS/CDNSKEY: This notation refers to CDS and/or CDNSKEY, i.e., one
or both.

1.2. Requirements Notation

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
[RFC2119].

2. Background

2.1. DNS Delegations

DNS operation consists of delegations of authority. For each
delegation
delegation, there are (most of the time) two parties: the parent Parent and
the child. Child.

The parent Parent publishes information about the delegations to the child; Child;
for the name servers servers, it publishes an NS [RFC1035] RRset Resource Record
Set (RRset) that lists a hint for name servers that are authoritative
for the child. Child. The
child Child also publishes a an NS RRset, and this set is
the authoritative list of name servers to the child Child zone.

The second RRset the parent Parent sometimes publishes is the DS [RFC4034]
set. The DS RRset provides information about the DNSKEY(s) that the
child
Child has told the parent Parent it will use to sign its DNSKEY RRset. In
DNSSEC
DNSSEC, a trust relationship between zones is provided by the
following chain:

parent

Parent DNSKEY --> DS --> child Child DNSKEY.

A prior proposal [I-D.auto-cpsync] [AUTO-CPSYNC] suggested that the child Child send an
"update" to the parent Parent via a mechanism similar to Dynamic Update. DNS UPDATE. The
main issue became: How how does the child Child find the actual parental
agent/server Parental Agent/
server to send the update to? While that could have been solved via
technical means, it failed to reach consensus. There is also a
similar proposal in [I-D.parent-zones]. [PARENT-ZONES].

As the DS record can only be present at the parent ( [RFC4034]), Parent [RFC4034], some
other method is needed to automate which DNSKEYs are picked to be
represented in the parent Parent zone's DS records. One possibility is to
use flags in the DNSKEY record. If the SEP Secure Entry Point (SEP) bit
is set, this indicates that the DNSKEY is intended for use as a
secure entry point. This DNSKEY signs the DNSKEY RRset, and the
Parental Agent can calculate DS records based on that. But this
fails to meet some operating needs, including the child Child having no
influence on what DS digest algorithms are used and DS records that
can only be published for keys that are in the DNSKEY RRset, and thus RRset; thus,
this technique would not be compatible with Double-DS ( [RFC6781] ) key rollover. rollover
[RFC6781].

2.2. Relationship Between between Parent and Child DNS Operator Operators

In practical application, there are many different relationships
between the parent Parent and Child DNS Operators. The type of relationship
affects how the Child DNS Operator communicates with the parent. Parent.

This section will highlight some of the different situations, situations but is
by no means a complete list.

Different communication paths:

o Direct/API: The child Child can change the delegation information via
automated/scripted means. EPP[RFC5730], The Extensible Provisioning Protocol
(EPP) [RFC5730], used by many TLDs Top-Level Domains (TLDs), is an
example of this. Other examples are web-based programmatic
interfaces that Registrars make available to their Resellers.

o User Interface: The Child uses a (web) web site set up by the Parental
Agent for updating delegation information.

o Indirect: The communication has to be transmitted via out-of-band an out-of-
band mechanism between two parties, such as by email or telephone.
This is common when the Child's Child DNS operator Operator is neither the child Child
itself nor the Registrar for the domain domain, but a third party.

o Multi-step Combinations: The information flows through an
intermediary. It is possible, but unlikely, that all the steps
are automated via API's APIs and there are no humans involved.

A domain name holder (Child) may operate its own DNS servers or
outsource the operation. While we use the word parent "Parent" as a singular,
parent
a Parent can consist of a single entity or a composite of many
discrete parts that have rules and roles. We refer to the entity
that the
child Child corresponds with as the Parent.

An organization (such as an enterprise) may delegate parts of its
name-space to be operated by a group that is not the same as that
which operates the organization's DNS servers. In some of these
cases
cases, the flow of information is handled in either in an ad hoc manner
or via some corporate mechanism; this can range from email to fully- a fully
automated operation.

2.2.1. Solution Space

This document is aimed at the cases in which there is a separation
between the child Child and parent. Parent.

A further complication is when the Child DNS Operator is not the
Child. There are two common cases of this:

a) The Parental Agent (e.g. registrar) (e.g., Registrar) handles the DNS operation.

b) A third party takes care of the DNS operation.

If the Parental Agent is the DNS operator, Operator, life is much easier; the
Parental Agent can inject any delegation changes directly into the
Parent's Provisioning provisioning system. The techniques described below are not
needed in the case when the Parental Agent is the DNS operator. Operator.

In the case of a third party third-party DNS operator, Operator, the Child either needs to
relay changes in DNS delegation or give the Child DNS Operator access
to its delegation/registration account.

Some parents Parents want the child Child to express their DNSKEYs in the form of
DS records, while others want to receive the DNSKEY records and
calculate the DS records themselves. There is no consensus on which
method is better; both have good reasons to exist. This solution is
DS vs vs. DNSKEY agnostic, agnostic and allows operation with either.

2.2.2. DNSSEC key change process Key Change Process

After a Child DNS Operator first signs the zone, there is a need to
interact with the Parent, for example example, via a delegation account
interface,
interface to "upload / paste-in upload or paste in the zone's DS information". information. This
action of logging in through the delegation account user interface
authenticates that the user is authorized to change delegation
information for the child Child published in the parent Parent zone. In the case
where the Child DNS Operator does not have access to the registration
account, the Child needs to perform the action.

At a later date, the Child DNS Operator may want to publish a new DS
record in the parent, Parent, either because they are changing keys, keys or
because they want to publish a stand-by standby key. This involves performing
the same process as before. Furthermore Furthermore, when this is a manual
process with cut and paste, operational mistakes will happen -- or
worse, the update action is will not be performed at all.

The Child DNS Operator may also introduce new keys, keys and can do so when
old keys exist and can be used. The Child may also remove old keys,
but this document does not support removing all keys. This is to
avoid making signed zones unsigned. The Child may not enroll the
initial key or introduce a new key when there are no old keys that
can be used (without some additional, out of band, additional out-of-band validation of the
keys),
keys) because there is no way to validate the information.

3. CDS / (Child DS) and CDNSKEY (Child DS / Child DNSKEY) Record Definitions

This document specifies two new DNS resource records, CDS and
CDNSKEY. These records are used to convey, from one zone to its
parent,
Parent, the desired contents of the zone's DS resource record set
residing in the parent Parent zone.

The CDS / and CDNSKEY resource records are published in the child Child zone
and gives give the child Child control of what is published for it in the
parental zone. The child Child can publish these manually, or they can be
automatically maintained by DNS provisioning tools. The CDS /
CDNSKEY CDS/CDNSKEY
RRset expresses what the child Child would like the DS RRset to look like
after the change; it is a "replace" operation, and it is up to the
software that consumes the records to translate that into the
appropriate add/delete operations in the provisioning systems (and in
the case of CDNSKEY, to generate the DS from the DNSKEY). If no neither
CDS
/ nor CDNSKEY RRset is present in child, the Child, this means that no
change is needed.

[[RFC Editor: Please remove this paragraph before publication]
Version -04 of the ID that became this working group document
(http://tools.ietf.org/id/draft-kumari-ogud-dnsop-cds-04.txt) defined
a new record (CTA) that could hold either a DS or a DNSKEY record
(with a selector to differentiate between them). In a shocking
development, there was almost full consensus that this was horrid :-)
]

3.1. CDS Resource Record Format

The wire and presentation format of the CDS ("Child DS") Child DS (CDS) resource
record is identical to the DS record [RFC4034]. IANA has allocated
RR code 59 for the CDS resource record via expert review
[I-D.ds-publish]. Expert Review
[DNS-TRANSPORT]. The CDS RR uses the same registries as DS for its
fields.

No special processing is performed by authoritative servers or by
resolvers, when serving or resolving. For all practical purposes purposes,
CDS is a regular RR type.

3.2. CDNSKEY Resource Record Format

The wire and presentation format of the CDNSKEY ("Child DNSKEY")
resource record is identical to the DNSKEY record. IANA has
allocated RR code TBA1 60 for the CDNSKEY resource record via expert
review. Expert
Review. The CDNSKEY RR uses the same registries as DNSKEY for its
fields.

No special processing is performed by authoritative servers or by
resolvers, when serving or resolving. For all practical purposes purposes,
CDNSKEY is a regular RR type.

4. Automating DS Maintenance With CDS / CDNSKEY records

CDS / CDNSKEY with CDS/CDNSKEY Records

CDS/CDNSKEY resource records are intended to be "consumed" by
delegation trust maintainers. The use of CDS / CDNSKEY CDS/CDNSKEY is OPTIONAL.

If the child Child publishes either the CDS or the CDNSKEY resource record,
it SHOULD publish both. If the child Child knows which the parent Parent
consumes, it MAY choose to only publish that record type (for
example, some children Children wish the parent Parent to publish a DS, but they wish
to keep the DNSKEY "hidden" until needed). If the child Child publishes
both, the two RRsets MUST match in content.

4.1. CDS / and CDNSKEY Processing Rules

If there are no is neither CDS / nor CDNSKEY RRset in the child, Child, this signals
that no change should be made to the current DS set. This means
that, once the child Child and parent Parent are in sync, the Child DNS Operator
MAY remove all CDS and CDNSKEY resource records from the zone. The
Child DNS Operator may choose to do this to decrease the size of the zone,
zone or to decrease the workload for the parent Parent (if the parent Parent
receives no
CDS / CDNSKEY records CDS/CDNSKEY records, it can go back to sleep). If it
does receive a CDS or CDNSKEY RRset RRset, it needs to check them against
what is currently published - see (see Section 5.

Following 5).

The following acceptance rules are placed on the CDS / and CDNSKEY
resource records as follows:

o Location: the CDS / CDNSKEY resource records MUST be at the child Child zone apex.

o Signer: MUST be signed with a key that is represented in both the
current DNSKEY and DS RRsets (unless RRsets, unless the parent Parent uses the CDS / or
CDNSKEY RRset for initial enrollment, enrollment; in that case case, the parent Parent
validates the CDS / CDNSKEY CDS/CDNSKEY through some other means (see
Section 6.1 and the Security Considerations.) Considerations).

o Continuity: MUST NOT break the current delegation if applied to DS
RRset.

If any these conditions fail fail, the CDS / or CDNSKEY resource record MUST
be ignored, and this error SHOULD be logged.

5. CDS / CDNSKEY CDS/CDNSKEY Publication

The Child DNS Operator publishes CDS and / or CDNSKEY resource
records. CDS/CDNSKEY RRset(s). In order to
be valid, the CDS / CDNSKEY RRset CDS/CDNSKEY RRset(s) MUST be compliant with the rules
in Section 4.1. When the Parent DS is "in
sync" in sync with the CDS / CDNSKEY resource records, CDS/CDNSKEY
RRset(s), the Child DNS Operator MAY delete the CDS / CDNSKEY record(s); CDS/CDNSKEY RRset(s);
the child Child can determine if this is the case by querying for DS
records in the parent Parent.

6. Parent Side CDS / CDNSKEY Parent-Side CDS/CDNSKEY Consumption

The CDS / CDNSKEY RRset CDS/CDNSKEY RRset(s) SHOULD be used by the Parental Agent to
update the DS RRset in the parent Parent zone. The Parental Agent for this
uses a tool that understands the CDS / CDNSKEY CDS/CDNSKEY signing rules from in
Section 4.1 4.1, so it might not be able to use a standard validator.

The parent Parent MUST choose to use either CDNSKEY or CDS resource records
as their its default updating mechanism. The parent Parent MAY only accept either
CDNSKEY or CDS, but it MAY also accept both, both so it can use the other
in the absence of the default updating mechanism, but mechanism; it MUST NOT expect
there to be both.

6.1. Detecting a Changed CDS / CDNSKEY CDS/CDNSKEY

How the Parental Agent gets the CDS / CDNSKEY CDS/CDNSKEY RRset may differ, below differ. Below
are two examples as of how this can take place.

Polling

Polling: The Parental Agent operates a tool that periodically checks
each of the children Children that has a DS record to see if there is a
CDS or CDNSKEY RRset.

Pushing

Pushing: The delegation user interface has a button {Fetch DS} that,
when
pushed pushed, performs the CDS / CDNSKEY CDS/CDNSKEY processing. If the
Parent zone does not contain DS for this delegation delegation, then the
"push" SHOULD be ignored. If the Parental Agent displays the
contents of the CDS / CDSNKEY CDS/CDNSKEY to the user and gets confirmation
that this represents their key, the Parental Agent MAY use this
for initial enrollment (when the Parent zone does not contain
the DS for this delegation).

In either case case, the Parental Agent MAY apply additional rules that
defer the acceptance of a CDS / CDNSKEY change, these CDS/CDNSKEY change. These rules may
include a condition that the CDS / CDNSKEY CDS/CDNSKEY remains in place and valid
for some time period before it is accepted. It may be appropriate in
the "Pushing" case to assume that the Child is ready and thus accept
changes without delay.

6.1.1. CDS / CDNSKEY CDS/CDNSKEY Polling

This is the only defined use of CDS / CDNSKEY CDS/CDNSKEY resource records in this
document. There are limits to the scalability of polling
techniques, thus techniques;
thus, some other mechanism is likely to be specified later that
addresses CDS / CDNSKEY CDS/CDNSKEY resource record usage in the situation where
polling does not scale to. runs into scaling issues. Having said that, Polling polling will
work in many important cases such as enterprises, universities universities, and
smaller TLDs. In many regulatory environments environments, the registry Registry is
prohibited from talking to the registrant. Registrant. In most of these cases cases,
the
registrant Registrant has a business relationship with the registrar, and Registrar, so the
registrar
Registrar can offer this as a service.

If the CDS / CDNSKEY RRset does CDS/CDNSKEY RRset(s) do not exist, the Parental Agent MUST
take no action. Specifically Specifically, it MUST NOT delete or alter the
existing DS RRset.

6.1.2. Polling Triggers

It is assumed that other mechanisms will be implemented to trigger
the parent Parent to look for an updated CDS / CDNSKEY RRsets. CDS/CDNSKEY RRset. As the CDS / CDS/
CDNSKEY resource records are validated with DNSSEC, these mechanisms
can be unauthenticated. As an example, a child Child could telephone its
parent
Parent and request that they it process the new CDS or CDNSKEY resource
records
records, or an unauthenticated POST could be made to a webserver web server
(with rate-limiting).

Other documents can specify the trigger conditions.

6.2. Using the New CDS / CDNSKEY CDS/CDNSKEY Records

Regardless of how the Parental Agent detected changes to a CDS / CDS/
CDNSKEY RRset, the Parental Agent SHOULD use a DNSSEC validator to
obtain a validated CDS / CDNSKEY CDS/CDNSKEY RRset from the Child zone. A NOT
RECOMMENDED exception to this is if the parent Parent performs some
additional validation on the data to confirm that it is the "correct"
key.

The Parental Agent MUST ensure that previous versions of the CDS / CDS/
CDNSKEY RRset do not overwrite more recent versions. This MAY be
accomplished by checking that the signature inception in the RRSIG Resource
Record Signature (RRSIG) for CDS / CDNSKEY CDS/CDNSKEY RRset is later and / or and/or that
the serial number on the
child's SOA Child's Start of Authority (SOA) is greater.
This may require the Parental Agent to maintain some state
information.

The Parental Agent MAY take extra security measures. For example, to
mitigate the possibility that a Child's key signing key Key Signing Key (KSK) has
been compromised, the Parental Agent may, for example, may inform (by email or other
methods) the Child DNS Operator of the change. However However, the precise
out-of-band measures that a parent Parent zone takes are outside the scope
of this document.

Once the Parental Agent has obtained a valid CDS / CDNSKEY CDS/CDNSKEY RRset it
MUST check the publication rules from section Section 4.1. In particular particular,
the Parental Agent MUST check the Continuity rule and do its best not
to invalidate the Child zone. Once checked and checked, if the information in
the CDS / CDNSKEY CDS/CDNSKEY and DS differ differ, it may apply the changes to the
parent Parent
zone. If the parent Parent consumes CDNSKEY, the parent Parent should calculate
the DS before doing this comparison.

6.2.1. Parent Calculates DS

There are cases where the Parent wants to calculate the DS record due
to policy reasons. In this case, the Child publishes CDNSKEY records
records, and the parent Parent calculates the DS records on behalf of the children.
Children.

When a Parent operates in "calculate DS" mode mode, it can operate in one
of two sub-modes:

full: it The Parent only publishes DS records it calculates from DNSKEY
records,
records.

augment: it The Parent will make sure there are DS records for the
digest algorithm(s) it requires(s).

In the case where the parent Parent fetches the CDNSKEY RRset and calculates
the DS DS, the resulting DS can differ from the CDS published by the
child.
Child. It is expected that the differences are only due to the
different set of digest algorithms used.

7. IANA Considerations

IANA has assigned RR Type code 59 for the CDS resource record. This
was done for an earlier a draft version of whose content was later incorporated
into this document[I-D.ds-publish] document [DNS-TRANSPORT]. This document is to become the reference
for CDS RRtype.

IANA is requested to assign has assigned an RR Type for the CDNSKEY, see below CDNSKEY as described below:

Type: CDNSKEY

Value: TBD1 (60 suggested) 60

Meaning: DNSKEY(s) the child Child wants reflected in DS

Reference: This document

8. Privacy Considerations

All of the information handled / or transmitted by this protocol is
public information published in the DNS.

9. Security Considerations

This work is for the normal case; when things go wrong there is only
so much that automation can fix.

If child the Child breaks DNSSEC validation by removing all the DNSKEYs
that are represented in the DS set set, its only repair actions are to
contact the parent Parent or restore the DNSKEYs in the DS set.

In the event of a compromise of the server or system generating
signatures for a zone, an attacker might be able to generate and
publish new CDS / CDNSKEY CDS/CDNSKEY resource records. The modified CDS /
CDNSKEY CDS/CDNSKEY
records will be picked up by this technique and so may allow the
attacker to extend the effective time of his attack. If there is a
delay in accepting changes to DS, as in [RFC5011], then the attacker
needs to hope his activity is not detected before the DS in the parent
Parent is changed. If this type of change takes place, the child Child
needs to contact the parent Parent (possibly via a registrar Registrar web interface)
and remove any compromised DS keys.

A compromise of the account with the parent (e.g. registrar) Parent (e.g., Registrar) will
not be mitigated by this technique, as the "new registrant" Registrant" can
delete / or modify the DS records at will.

While it may be tempting, the techniques specified in this document
SHOULD NOT be used for initial enrollment of keys since there is no
way to ensure that the initial key is the correct one. If it is
used, strict rules for inclusion of keys -- such as hold down hold-down times,
challenge data inclusion inclusion, or similar, similar -- MUST be used, used along with some
kind of challenge mechanism. A child Child cannot use this mechanism to go
from signed to unsigned (publishing an empty CDS / CDNSKEY CDS/CDNSKEY RRset means no-change
no change should be made in the
parent). Parent).

The CDS RR type should allow for enhanced security by simplifying the
process. Since key change is automated, updating a DS RRset by other
means may be regarded as unusual and subject to extra security
checks.

As this introduces a new mechanism to update information in the
parent
Parent, it MUST be clear who is fetching the records and creating the
appropriate records in the parent Parent zone. Specifically Specifically, some
operations may use other mechanisms other than what is described here. For
example, a
registrar Registrar may assume that it is maintaining the DNSSEC key
information in the registry, Registry and may have this cached. If the
registry
Registry is fetching the CDS / CDNSKEY RRset CDS/CDNSKEY RRset, then the registry Registry and
registrar
Registrar may have different views of the DNSSEC key material and material; the
result of such a situation is unclear. Therefore, this mechanism
SHOULD NOT be use used to bypass intermediaries that might cache
information and and, because of that that, get the wrong state.

If there is a failure in applying changes in the child Child zone to all
DNS servers listed in either parent Parent or child Child NS set set, it is possible
that the Parental agent Agent may get confused, confused either because it gets
different answers on different checks or CDS RR validation fails. In
the worst case, the Parental Agent performs an action reversing a
prior action but after the child Child signing system decides to take the next
step in the key change process, resulting in a broken delegation.

DNS is a loosely coherent distributed database with local caching;
therefore, it is important to allow old information to expire from
caches before deleting DS or DNSKEY records. Similarly, it is
important to allow new records to propagate through the DNS before
use, see [RFC6781].
use (see [RFC6781]).

It is common practice for users to outsource their DNS hosting to a
third-party DNS provider. In order for that provider to be able to
maintain the DNSSEC information information, some users give the provider their
registrar
Registrar login credentials (which obviously has negative security
implications). Deploying the solution described in this document
allows the 3rd party third-party DNS provider providers to maintain the DNSSEC information
without Registrants giving them the registrar their Registrar credentials, thereby
improving security.

By automating the maintenance of the DNSSEC key information (and
removing humans from the process), we expect to decrease the number
of DNSSEC related outages, which should increase DNSSEC deployment.

10. Acknowledgements

We would like to thank a large number of folk, including: including Mark
Andrews, Joe Abley, Jaap Akkerhuis, Roy Arends, Doug Barton, Brian
Dickson, Paul Ebersman, Tony Finch, Jim Galvin, Paul Hoffman, Samir
Hussain, Tatuya Jinmei, Olaf Kolkman, Stephan Lagerholm, Cricket Liu,
Matt Larson, Marco Sanz, Antoin Verschuren, Suzanne Woolf, Paul
Wouters, John Dickinson, Timothe Litt Litt, and Edward Lewis.

Special thanks to Wes Hardaker for contributing significant text and
creating the complementary (CSYNC) solution, and to Patrik Faltstrom,
Paul Hoffman, Matthijs Mekking, Mukund Sivaraman Sivaraman, and Jeremy C. Reed
for text and in-depth review. Brian Carpender Carpenter provided a good Gen-
Art
Gen-ART review.

There were a number of other folk with whom we discussed this, this
document; apologies for not remembering everyone.

11. References

11.1. Normative References

[RFC1035] Mockapetris, P., "Domain names - implementation and
specification", STD 13, RFC 1035, November 1987.

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.

[RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "DNS Security Introduction and Requirements", RFC
4033, March 2005.

[RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "Resource Records for the DNS Security Extensions",
RFC 4034, March 2005.

[RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "Protocol Modifications for the DNS Security
Extensions", RFC 4035, March 2005.

[RFC5011] StJohns, M., "Automated Updates of DNS Security (DNSSEC)
Trust Anchors", STD 74, RFC 5011, September 2007.

[RFC6781] Kolkman, O., Mekking, W., and R. Gieben, "DNSSEC
Operational Practices, Version 2", RFC 6781, December
2012.

11.2. Informative References

[I-D.auto-cpsync]

[AUTO-CPSYNC]
Mekking, W., "Automated (DNSSEC) Child Parent
Synchronization using DNS UPDATE", draft-mekking-dnsop-
auto-cpsync-01 (work Work in progress), Progress,
December 2010.

[I-D.csync]

[CPSYNC-DNS]
Hardaker, W., "Child To Parent Synchronization in DNS",
draft-hardaker-dnsop-csync-02 (work
Work in progress), Progress, July
2013.

[I-D.ds-publish] 2014.

[DNS-TRANSPORT]
Barwood, G., "DNS Transport", draft-barwood-dnsop-ds-
publish-02 (work Work in progress), Progress, June 2011.

[I-D.parent-zones]

[PARENT-ZONES]
Andrews, M., "Updating Parent Zones", draft-andrews-dnsop-
update-parent-zones-04 (work Work in progress), Progress,
November 2013.

[RFC5730] Hollenbeck, S., "Extensible Provisioning Protocol (EPP)",
STD 69, RFC 5730, August 2009.

[RFC5910] Gould, J. and S. Hollenbeck, "Domain Name System (DNS)
Security Extensions Mapping for the Extensible
Provisioning Protocol (EPP)", RFC 5910, May 2010.

Appendix A. RRR background Background

RRR is our shorthand for the Registry/Registrar/Registrant model of
parent child relationship.
Parent-Child relationships.

In the RRR world, the different parties are frequently from different
organizations. In the single enterprise world world, there are also
organizational / geographical /
organizational, geographical, and cultural separations that affect
how information flows from a Child to the parent. Parent.

Due to the complexity of the different roles and interconnections,
automation of delegation information has not yet occurred. There
have been proposals to automate this, in order to improve the
reliability of the DNS. These proposals have not gained enough
traction to become standards.

For example example, in many of the TLD cases cases, there is the RRR model
(Registry, Registrar and Registrant).
(Registry/Registrar/Registrant). The Registry operates DNS for the
TLD, and the Registrars accept registrations and place information
into the Registries Registry's database. The Registrant only communicates with
the Registrar; frequently frequently, the Registry is not allowed to communicate
with the Registrant. In that case case, as far as the registrant Registrant is
concerned
concerned, the Registrar is the same entity as the Parent.

In many RRR cases cases, the Registrar and Registry communicate via
EPP[RFC5730] EPP
[RFC5730] and use the EPP DNSSEC extension [RFC5910]. In a number of ccTLDs
Country Code TLDs (ccTLDs), there are other mechanisms in use as well
as EPP, but in
general general, there seems to be a movement towards EPP
usage when DNSSEC is enabled in the TLD.

Appendix B. CDS key rollover example Key Rollover Example

This section shows an example on how CDS is used when performing a
KSK rollover, this rollover. This example will demonstrate the the double DS Double-DS rollover
method from section Section 4.1.2 in of [RFC6781]. Other rollovers using
CDNSKEY and double KSK are left as an exercise to the reader. The
table below does not reflect the ZSK keys Zone Signing Keys (ZSKs) as they just do
not matter during KSK rollovers. The wait states below steps highlight what RRset
needs to expire from caches before progressing to the next step.

+------+---------------+---------+---------+--------------+---------+
| Step | State | Parent | Child | DNSKEY and | Child |
| | | DS | KSK | CDS signer | CDS |
+------+---------------+---------+---------+--------------+---------+
| | Beginning | A | A | A | |
| 1 | Add CDS | A | A | A | AB |
| Wait | for DS change | A | A | A | AB |
| 2 | Updated DS | AB | A | A | AB |
| Wait | > DS TTL | AB | A | A | AB |
| 3 | Actual | AB | B | B | AB |
| | Rollover | | | | |
| Wait | > DNSKEY TTL | AB | B | B | AB |
| 4 | Child Cleanup | AB | B | B | B |
| 5 | Parent cleans | B | B | B | B |
| 6 | Optional CDS | B | B | B | |
| | delete | | | | |
+------+---------------+---------+---------+--------------+---------+

Table 1: States

Appendix C. Changes / Author Notes.

[RFC Editor: Please remove this section before publication ]

WG-13 to WG-14 IETF Last call and IESG processing

o Applied text fixes from Phil Pennock

o Addressed comments from Brian Carpender GEN-ART review.

o Barry Leiba wanted better IANA considerations and suggested some
text changes in 6.1 and 6.2.1

o Reformatted the Appendix B table to be clearer.

WG-12 to WG-13

o Added appendix B showing Key rollover using CDS.

WG-11 to WG-12

o Many nits and helpful grammar fixes from Jeremy C. Reed.

WG-10 to WG-11

o More useful text from Matthijs.

o Explained why the child might want to remove the CDS / CDNSKEY
Records.

WG-09 to WG-10

o Incorporated off list comments from Stephan Lagerholm. Largest
change is fixing discrepancy between parent MAY perform OOB
validation and the Signer rule in 4.1. Clarified by updating
signer rule to allow enrolment if validation is performed OOB.

WG-08 to WG-09

o New text from Paul Hoffman for the first paragraph of the intro.

o And a modification from Jaap.

WG-07 to WG-08

o Incorporated text from Antoin Verschuren at the end of Section 6.

o Comments from Paul Hoffman and Tim W
WG-06 to WG-07

o Incorporated nits / editorial comments from Tim Wicinski.

* Reference for Mark's draft was incorrect, Wes Hardaker doesn't
work for ISC :-P

* Normalized CDS record / CDS resource record / records / etc.

* Language cleanup / nits / poor grammar.

* removed "punted" colloquialism.

WG-05 to WG-06

o Consensus (according to me!) was that mail thread said "Child MAY
remove the CDS record". Changed to accommodate.

o "The proposal below can operate with both models, but the child
needs to be aware of the parental policies." - removed "but the
child needs to be aware of the parental policies.". This is no
longer true, as we suggest publishing both CDS and CDSNKEY.

o Added: "without some additional out of band process" to "The Child
may not enroll the initial key or introduce a new key when there
are no old keys that can be used (without some additional, out of
band, validation of the keys), because there is no way to validate
the information."

o Added a bit to the IANA section, requesting that TBA1 be replaced
with the IANA allocated code.

o Removed: "Some parents prefer to accept DNSSEC key information in
DS format, some parents prefer to accept it in DNSKEY format, and
calculate the DS record on the child's behalf. Each method has
pros and cons, both technical and policy. This solution is DS vs
DNSKEY agnostic, and allows operation with either." from Section 4
as it is covered in Section 2.2.1

o Remove a bunch of comments from the XML. I was getting tired of
scrolling past them. If the authors need them back, they are in
SVN commit 47.

WG-04 to WG-05

o More comments from Patrik, Paul and Ed.

o Many nits and fixes from Matthijs Mekking.

o Outstanding question: Should we remove the "Child SHOULD remove
the CDS record" text? Mail sent to list.

WG-03 to WG-04

o Large number of comments and changes from Patrik.

WG-02 to WG-03

o Fixed some references to RFC 5011 - from Samir Hussain.

o Fixed some spelling / typos - from Samir Hussain.

o A number of clarifications on the meaning on an empty / non-
existant CDS RRset - thanks to JINMEI, Tatuya

o Be consistent in mentioning both CDS and CDNSKEY throughout the
document.

WG-01 to WG-02

o Many nits and suggestions from Mukund.

o Matthijs: " I still think that it is too strong that the Child DNS
Operator SHOULD/MUST delete the CDS RRset when the Parent DS is
"in sync". This should be a MAY"

WG-00 to WG-01

o Addressed Vancouver: "Paul Hoffmann: NOT ready for WGLC. None of
the 2 documents explain why there is a split between the two
strategies." Thanks to Paul for providing text.

From -05 to WG-00:

o Nothing changed, resubmit under new name.

From 04 to 05

o Renamed the record back to CDS.

From 03 to 04.

o Added text explaining that CDS and CSYNC complement each other,
not replace or compete.

o Changed format of record to be <selector> <data> to allow the
publication of DS **or** DNSKEY.

o Bunch of text changed to cover the above.

o Added a bit more text on the polling scaling stuff, expectation
that other triggers will be documented.

From 02 to 03

o Applied comments by Matthijs Mekking

o Incorporated suggestions from Edward Lewis about structure

o Reworked structure to be easier for implementors to follow

o Applied many suggestions from a wonderful thorough review by John
Dickinson

o Removed the going Unsigned option

From 01 to 02

o Major restructuring to facilitate easier discussion

o Lots of comments from DNSOP mailing list incorporated, including
making draft DNSKEY/DS neutral, explain different relationships
that exists,

o added more people to acks.

o added description of enterprise situations

o Unified on using Parental Agent over Parental Representative

o Removed redundant text when possible

o Added text to explain what can go wrong if not all child DNS
servers are in sync.

o Reference prior work by Matthijs Mekking

o Added text when parent calculates DS from DNSKEY

From - to -1.

o Removed from section .1: "If a child zone has gone unsigned, i.e.
no DNSKEY and no RRSIG in the zone, the parental representative
MAY treat that as intent to go unsigned. (NEEDS DISCUSSION)."
Added new text at end. -- suggestion by Scott Rose 20/Feb/13.

o Added some background on the different DNS Delegation operating
situations and how they affect interaction of parties. This moved
some blocks of text from later sections into here.

o Number of textual improvements from Stephan Lagerholm

o Added motivation why CDS is needed in CDS definition section

o Unified terminology in the document.

o Much more background

Authors' Addresses

Warren Kumari
Google
1600 Amphitheatre Parkway
Mountain View, CA 94043
US

Email:

EMail: warren@kumari.net

Olafur Gudmundsson
Shinkuro Inc.
4922 Fairmont Av, Suite 250
Bethesda,
OGUD Consulting
3821 Village Park Dr.
Chevy Chase, MD 20814
USA

Email: 20815
US

EMail: ogud@ogud.com

George Barwood
33 Sandpiper Close
Gloucester GL2 4LZ
United Kingdom

Email:

EMail: george.barwood@blueyonder.co.uk