Internet-Draft | DNSSEC automation | July 2021 |
Wisser & Huque | Expires 11 January 2022 | [Page] |
This document describes an algorithm and a protocol to automate DNSSEC Multi-Signer [RFC8901] "Multi-Signer DNSSEC Models" setup, operations and decomissioning. Using Model 2 of the Multi-Signer specification, where each operator has their own distinct KSK and ZSK sets (or CSK sets), [RFC8078] "Managing DS Records from the Parent via CDS/CDNSKEY" and [RFC7477] "Child-to-Parent Synchronization in DNS" to accomplish this.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 11 January 2022.¶
Copyright (c) 2021 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.¶
[RFC8901] describes the necessary steps and API for a Multi-Signer DNSSEC configuration. In this document we will combine [RFC8901] with [RFC8078] and [RFC7477] to define an automatable algorithm for setting up, operating and decomissioning of a Multi-Signer DNSSEC configuration.¶
One of the special cases of Multi-Signer DNSSEC is the secure change of DNS operator. Using Multi-Signer Model 2 the secure change of DNS operator can be accomplished.¶
In order for any Multi-Signer group to give consistent answers across all nameservers, the data contents of the zone also have to be synchronized (in addition to infrastructure records like NS, DNSKEY, CDS etc). This content synchronization is out-of-scope for this document (although there are a number of methods that can be used, such as making the the same updates to each operator using their respective APIs, using zone transfer in conjunction with "inline signing" at each operator, etc.)¶
Short definitions of expressions used in this document¶
Signer¶
An entity signing a zone¶
Multi-Signer Group¶
A group of signers that sign the same zone¶
Controller¶
An entity controlling the multi-signer group. Used in the decentralized model.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].¶
As described in [RFC8901] a Multi-Signer DNSSEC configuration has some challenges that can be overcome with the right infrastructure and following a number of steps for setup and operation.¶
In this document we describe, except for the initial trust, how the steps in the Multi-Signer DNSSEC setup can be automated.¶
Changing the nameserver operator of a DNSSEC signed zone can be challenging. Currently the most common method is temporarily "going insecure". This is poor for security, and for users relying on the security of the zone. Furthermore, when DNSSEC is being used for application security functions like DANE [RFC6698], it is critical that the DNSSEC chain of trust remain unbroken during the transfer.¶
Multi-Signer DNSSEC Model 2 provides a mechanism for transitioning from one nameserver operator to another without "going insecure". A new operator joins the current operator in a temporary Multi-Signer group. Once that is accomplished and stable the old operator leaves the Multi-Signer group completing the transition.¶
Automation of the necessary steps can be categorized into two main models, centralized and decentralized. Both have pros and cons, and a zone operator should carefully choose the model that works best.¶
In a centralized model the zone operator will run controller that executes all steps necessary and controls all signers.¶
A centralized controller needs to have authorized access to all signers. This can be achieved in a variety of different ways. For example will many service providers offer access through a REST API. Another possibility is access through Dynamic Update [RFC2136] with TSIG authentication.¶
In the decentralized models all signers will communicate with each other and execute the necessary steps on their instance only. For this signers need a specialized protocol to communicate configuration details that are not part of the zone data.¶
In order for any of the models to work the signer must support the following capabilities.¶
Each Signer to be added, including the initial Signer, must meet the following prerequisites before joining the Multi-Signer Group¶
Once the parent has picked up and published the new DS record set, the any further changes MUST to be delayed until the new DS set has propagated.¶
The minimum DS Waiting Time is the TTL of the DS RRset.¶
Once the DNSKEY sets of all signers are updated, any further changes MUST to be delayed until the new DNSKEY set has propagated.¶
The minimum DNSKEY Waiting Time is the maximum of all DNSKEYS TTL values from all signers plus the time it takes to publish the zone on all secondaries.¶
Once the parent has picked up and published the new NS record set, any further changes MUST be delayed until the new NS set has propagated.¶
The minimum NS Waiting Time is the maximum of the TTL value of the NS set in the parent zone and all NS sets from all signers.¶
The zone is already authoritatively served by one DNS operator and is DNSSEC signed. For full automation both the KSK and ZSK or CSK must be online.¶
This would be a special case, a Multi-Signer group with only one signer.¶
Section 2.2 of [RFC4035] states that a signed zone MUST include a DNSKEY for each algorithm present in the zone's DS RRset and expected trust anchors for the zone.¶
A setup where different signers use different key algorithms therefore violates [RFC4035].¶
According to Section 5.11 of [RFC6840] validators SHOULD NOT insist that all algorithms signaled in the DS RRset work, and they MUST NOT insist that all algorithms signaled in the DNSKEY RRset work.¶
So a Multi-Signer setup where different signers use different key algorithms should still validate.¶
This could be an acceptable risk in a situation where going insecure is not desirable or impossible and name servers have to be changed between operators which only support distinct set of key algorithms.¶
We have to consider the following scenarios¶
Validator supports both algorithms¶
Validation should be stable through all stages of the multi-signer algorithms.¶
Validator supports none of the algorithms¶
The validator will treat the zone as unsigned. Resolution should work through all stages of the multi-signer algorithms.¶
Validator supports only one of the algorithms¶
The validator will not be able to validate the DNSKEY RR set or any data from one of the signers. So in some cases the validator will consider the zone bogus and reply with a SERVFAIL response code.¶
The later scenario can be mitigated, but not fully eliminated, by selecting two well supported algorithms.¶
The authors would like to thank the following for their review of this work and their valuable comments: Steve Crocker, Eric Osterweil, Roger Murray, Jonas Andersson, Peter Thomassen.¶
One implementation of a centralized controller which supports updates through Dynamic DNS or REST API's of several vendors has been implemented by the Swedish Internet Foundation.¶
The code can be found as part of the Multi-Signer project on Github https://github.com/DNSSEC-Provisioning/multi-signer-controller¶
Every step of the multi-signer algorithms has to be carefully executed at the right time and date. Any failure could resolve in the loss of resolution for the domain.¶
Independently of the chosen model, it is crucial that only authorized entities will be able to change the zone data. Some providers or software installation allow to make more specific configuration on the allowed changes. All extra steps to allows as little access to change zone data as possible should be taken.¶
If used correctly the multi-signer algorithm will strengthen the DNS security by avoiding "going insecure" at any stage of the domain life cycle.¶