Internet-Draft cds-consistency July 2022
Thomassen Expires 10 January 2023 [Page]
Workgroup:
DNSOP Working Group
Internet-Draft:
draft-thomassen-dnsop-cds-consistency-00
Updates:
7344 (if approved)
Published:
Intended Status:
Standards Track
Expires:
Author:
P. Thomassen
deSEC, Secure Systems Engineering

Ensuring CDS/CDNSKEY Consistency is Mandatory

Abstract

For maintaining DNSSEC Delegation Trust, DS records have to be kept up to date. [RFC7344] automates this by having the child publish CDS and/or CDNSKEY records which hold the prospective DS parameters. Parent-side entities (e.g. Registries, Registrars) can use these records to update the delegation's DS records. A common method for detecting changes in CDS/CDNSKEY record sets is to query them periodically from the child zone ("polling"), as described in Section 6.1 of [RFC7344].

This document specifies that if polling is used, parent-side entities MUST ensure that CDS/CDNSKEY record sets are equivalent across all of the child's authoritative nameservers, before taking any action based on these records.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 10 January 2023.

Table of Contents

1. Introduction

[RFC7344] automates DNSSEC delegation trust maintenance by having the child publish CDS and/or CDNSKEY records which hold the prospective DS parameters. Parent-side entities (e.g. Registries, Registrars) can use these records to update the delegation's DS records. A common method for detecting changes in CDS/CDNSKEY record sets is to query them periodically from the child zone ("polling"), as described in Section 6.1 of [RFC7344].

While [RFC7344] does specify acceptance rules (Section 4.1 ) for CDS/CDNSKEY records that have been retrieved, it does not mention how specifically the poll queries should be done. A naive implementation would thus be likely to simply query CDS or CDNSKEY records through a trusted validating resolver, and use the validated answer.

This may be fine if all authoritative nameservers are controlled by the same entity (= DNS operator). However, it poses a problem in conjunction with multi-signer setups ([RFC8901]): When the CDS/CDNSKEY are retrieved "normally" using a validating resolver, chances are that records are retrieved from one nameserver only, without checking for consistency across other NS hostnames.

In a multi-signer setup, this means that a single provider could (accidentally or maliciously) roll the DS record set at the parent. For example, a provider could be performing a key rollover and then accidentally publish CDS/CDNSKEY records for its own keys. As a result, when the parent happens to retrieve the records from a nameserver controlled by this provider, the other providers' DS records would be removed from the parent, breaking the zone for some or all queries.

A single provider should not be in the position to remove the other providers' trust anchors. To address this issue, this document specifies that if polling is used, parent-side entities MUST ensure that CDS/CDNSKEY record sets are equivalent across all of the child's authoritative nameservers, before taking any action based on these records.

Readers are expected to be familiar with DNSSEC, including [RFC4033], [RFC4034], [RFC4035], [RFC6781], [RFC7344], and [RFC8901].

1.1. Requirements Notation

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

2. Polling a CDS or CDNSKEY Record Set

The terminology in this section is as defined in [RFC7344].

To retrieve a Child's CDS/CDNSKEY RRset for DNSSEC delegation trust maintenance, the Parental Agent, knowing both the Child zone name and its NS hostnames, MUST ascertain that queries are made against all of the nameservers listed in the Child's delegation from the Parent, and ensure that the set of referenced keys is equal.

In other words, CDS/CDNSKEY records at the Child zone apex MUST be queried directly from each of the authoritative servers as determined by the delegation's NS record set, with DNSSEC validation enforced. When a key is referenced in the CDS or CDNSKEY record set returned by one nameserver, but not referenced in the corresponding answers of all of the other nameservers, the CDS/CDNSKEY state MUST be considered inconsistent.

If an inconsistent CDS/CDNSKEY state is encountered, the Parental Agent MUST take no action. Specifically, it MUST NOT delete or alter the existing DS RRset.

3. Security Considerations

The level of rigor mandated by this document is needed to prevent publication of a half-baked DS RRset (authorized only under a subset of NS hostnames). This ensures, for example, that an operator in a multi-homed setup cannot unilaterally remove another operator's trust anchor from the delegation's DS records.

As a consequence, DS records can only be modified when there is consensus across all operators.

4. Normative References

[RFC2119]
Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, , <https://www.rfc-editor.org/info/rfc2119>.
[RFC4033]
Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, "DNS Security Introduction and Requirements", RFC 4033, DOI 10.17487/RFC4033, , <https://www.rfc-editor.org/info/rfc4033>.
[RFC4034]
Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, "Resource Records for the DNS Security Extensions", RFC 4034, DOI 10.17487/RFC4034, , <https://www.rfc-editor.org/info/rfc4034>.
[RFC4035]
Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, "Protocol Modifications for the DNS Security Extensions", RFC 4035, DOI 10.17487/RFC4035, , <https://www.rfc-editor.org/info/rfc4035>.
[RFC6781]
Kolkman, O., Mekking, W., and R. Gieben, "DNSSEC Operational Practices, Version 2", RFC 6781, DOI 10.17487/RFC6781, , <https://www.rfc-editor.org/info/rfc6781>.
[RFC7344]
Kumari, W., Gudmundsson, O., and G. Barwood, "Automating DNSSEC Delegation Trust Maintenance", RFC 7344, DOI 10.17487/RFC7344, , <https://www.rfc-editor.org/info/rfc7344>.
[RFC8174]
Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, , <https://www.rfc-editor.org/info/rfc8174>.
[RFC8901]
Huque, S., Aras, P., Dickinson, J., Vcelak, J., and D. Blacka, "Multi-Signer DNSSEC Models", RFC 8901, DOI 10.17487/RFC8901, , <https://www.rfc-editor.org/info/rfc8901>.

Appendix A. Change History (to be removed before publication)

Initial public draft.

Author's Address

Peter Thomassen
deSEC, Secure Systems Engineering
Berlin
Germany