To:
Mark Kosters <markk@netsol.com>, <dnssec@cafax.se>, <namedroppers@ops.ietf.org>
Cc:
Roy Arends <Roy.Arends@nominum.com>
From:
Roy Arends <Roy.Arends@nominum.com>
Date:
Wed, 4 Jul 2001 04:46:16 +0200 (CEST)
Delivery-Date:
Wed Jul 4 09:40:00 2001
Sender:
owner-dnssec@cafax.se
Subject:
Ideas on opt-in, was Re: I-D ACTION:draft-ietf-dnsext-dnssec-opt-in-00.txt
All,
You might have seen a few a messages on the list from my hand, which might
seem hard to interpret. The ideas mentioned in the second part of this
mail is what I wanted to make share. All ideas are a result of numerous
discussions with Jakob Schlyter, Mats Dufberg, Scott Rose, Dan Massey and
a visit at Verising-GRS Applied Research in Dulles, VA (Mark Kosters and
David Macka).
The following does however not reflect their opinion. Some may [not] agree
with [some] ideas, some may not even agree with this statement :-)
This is how I understand the opt-in draft:
Take the following zone.
$ORIGIN test.
@ SOA rdata ; the apex is signed
@ SIG (SOA) ;
@ NXT a SOA ;
@ SIG (NXT) ;
a NS ns.a ; this delegation RRset is signed
a SIG (NS) ;
a DS rdata ; DS or KEY
a SIG (DS) ;
a NXT d SIG NXT DS ; DS or KEY
a SIG (NXT) ;
b NS ns.b ; this delegation RRset is not signed
d MX rdata ; this RRset is signed.
d SIG (MX) ;
d NXT @ MX SIG NXT ;
d SIG (NXT) ;
e MX rdata ; this RRset is not signed.
Possible answers:
1) query for a.test. A
response from test. nameserver: (referral)
RCODE : NOERROR
ANSWER : -------
AUTHORITY: a.test. NS ns.a.test.
a.test. DS rdata
a.test. SIG (DS)
2) query for a.test. NS
response from test. nameserver: (referral)
RCODE : NOERROR
ANSWER : a.test. NS ns.a.test.
AUTHORITY: a.test. DS rdata
a.test. SIG (DS)
3) query for b.test. NS
response from test. nameserver: (referral)
RCODE : NOERROR
ANSWER : b.test. NS ns.b.test.
AUTHORITY: a.test. NXT d.test. SIG NXT DS
a.test. SIG (NXT)
4) query for c.test. NS
response from test. nameserver:
RCODE : NXDOMAIN
ANSWER : --------
AUTHORITY: b.test. NXT e.test. SIG NXT DS
b.test. SIG (NXT)
test. SOA rdata
test. SIG (SOA)
5) query for d.test. MX
response from test. nameserver: (authoritative)
RCODE : NOERROR
ANSWER : d.test. MX rdata
d.test. SIG (MX)
AUTHORITY: ---------
6) query for d.test. A
response from test. nameserver:
RCODE : NOERROR
ANSWER : -------
AUTHORITY: d.test. NXT test. MX SIG NXT
d.test. SIG (NXT)
7) query for e.test. MX
response from test. nameserver: (authoritative)
RCODE : NOERROR
ANSWER : e.test. MX rdata
AUTHORITY: d.test. NXT test. MX SIG NXT
d.test. SIG (NXT)
In all queries DO bit is set. The additional section is not specified
here.
1 and 2 indicate signed delegations.
3 indicates an unsigned delegation.
4 is of "NXDOMAIN". neither label nor type does exist in this zone.
5 is an authoritative response with a signed RRset in ANSWER.
6 is of "NO DATA". Label exists, but type does not exist in this zone.
7 is an authoritative response with an unsigned RRset in ANSWER.
A caching resolver does not give response 1,2 and 3, and has no AA
bit set on response 5 and 7.
Though query responses might be spoofed: All RRsets with accompanied SIG
are verifiably secure. All RCODEs, unsigned RRsets and header bits
(aa,tc,rd,ra,cd,ad) are not signed and can be spoofed (use tsig/sig(0)
to circumvent this).
Conclusion:
-----------
If the receiving secure resolver does not know whether the zone was
partially signed or fully signed, while a zone was fully signed (aka
rfc2535-style), responses like 3 and 7 are spoofed. It is necessary for
the resolver to know how to interpret the NXT record.
Please correct me if any of the above is wrong.
============================================================================
Now for the ideas:
------------------
As said it is necessary for a secure resolver to know how to interpret
the NXT record: This can be done on a per record basis if this is
signalled with the NXT record, say by setting some new defined RR-type
bit, a response can never be spoofed.
(In what follows I refer to the OPTIN RR-bit as "OPT")
The NXT records in the zone above would be:
$ORIGIN test.
@ NXT a SOA ; between @ and a are no records.
a NXT d SIG NXT DS OPT ; between a and d are no records signed.
d NXT @ MX SIG NXT OPT ; between d and @ are no records signed.
(note, setting OPT on the first NXT is optional. There is no
RRset between @ and a, so there is also no signed RRset between @ and
a)
query-responses 3 and 7 must have the OPT indication. If not, they are
spoofed.
Indication on a per record basis can not be done with either a bit in
the key, nor in a special SEC record.
In general:
-----------
One of the 2 below is mandatory in a signed zone:
A NXT+OPT is created for a label when there is some signed RRset by
that label. It points to the next signed label.
A NXT w/o OPT is created whenever there is some RRset for that label.
It points to the next label.
The APEX is allways signed in a secure zone, thus the APEX has always a
NXT.
Why and Who:
------------
The really strict zone administrator signs the whole zone and uses NXT
w/o OPT (fully rfc2535-style).
The very large (.com) zone administrator might want to sign just the
apex, and some delegations, sets the OPT on every NXT. (fully
optin-style)
For the fine-grained security-savvy administrator, that does not need
to sign delegations, its TXT,LOC,HINFO records, but wants to sign some
A records, and be sure that nothing is spoofed between the signed A
record www.test and zzz.test, creates NXT w/o OPT over "www.test. NXT
zzz.test.", and uses NXT+OPT at other signed labels.
How:
----
(partially signed zone)
Take a zone-file, flush the records you want to sign in a temp file,
sort and sign the temp file with NXT+OPT and concatenate it with the
zone-file again.
(fully signed zone)
Sort and sign the zone file with NXT w/o OPT.
(partially signed zone + denial of existence between some RRsets)
Take partially signed zone, add (or replace) a NXT w/o OPT + SIG(NXT)
for the part you want to deny existence for.
I hope this computes.
Regards,
Roy Arends
Nominum