DNSOP Working Group P. Thomassen Internet-Draft deSEC, Secure Systems Engineering Updates: 7344 (if approved) 9 July 2022 Intended status: Standards Track Expires: 10 January 2023 Ensuring CDS/CDNSKEY Consistency is Mandatory draft-thomassen-dnsop-cds-consistency-00 Abstract For maintaining DNSSEC Delegation Trust, DS records have to be kept up to date. [RFC7344] automates this by having the child publish CDS and/or CDNSKEY records which hold the prospective DS parameters. Parent-side entities (e.g. Registries, Registrars) can use these records to update the delegation's DS records. A common method for detecting changes in CDS/CDNSKEY record sets is to query them periodically from the child zone ("polling"), as described in Section 6.1 of [RFC7344]. This document specifies that if polling is used, parent-side entities MUST ensure that CDS/CDNSKEY record sets are equivalent across all of the child's authoritative nameservers, before taking any action based on these records. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on 10 January 2023. Copyright Notice Copyright (c) 2022 IETF Trust and the persons identified as the document authors. All rights reserved. Thomassen Expires 10 January 2023 [Page 1] Internet-Draft cds-consistency July 2022 This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1.1. Requirements Notation . . . . . . . . . . . . . . . . . . 3 2. Polling a CDS or CDNSKEY Record Set . . . . . . . . . . . . . 3 3. Security Considerations . . . . . . . . . . . . . . . . . . . 4 4. Normative References . . . . . . . . . . . . . . . . . . . . 4 Appendix A. Change History (to be removed before publication) . 5 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 5 1. Introduction [RFC7344] automates DNSSEC delegation trust maintenance by having the child publish CDS and/or CDNSKEY records which hold the prospective DS parameters. Parent-side entities (e.g. Registries, Registrars) can use these records to update the delegation's DS records. A common method for detecting changes in CDS/CDNSKEY record sets is to query them periodically from the child zone ("polling"), as described in Section 6.1 of [RFC7344]. While [RFC7344] does specify acceptance rules (Section 4.1 ) for CDS/ CDNSKEY records that have been retrieved, it does not mention how specifically the poll queries should be done. A naive implementation would thus be likely to simply query CDS or CDNSKEY records through a trusted validating resolver, and use the validated answer. This may be fine if all authoritative nameservers are controlled by the same entity (= DNS operator). However, it poses a problem in conjunction with multi-signer setups ([RFC8901]): When the CDS/ CDNSKEY are retrieved "normally" using a validating resolver, chances are that records are retrieved from one nameserver only, without checking for consistency across other NS hostnames. Thomassen Expires 10 January 2023 [Page 2] Internet-Draft cds-consistency July 2022 In a multi-signer setup, this means that a single provider could (accidentally or maliciously) roll the DS record set at the parent. For example, a provider could be performing a key rollover and then accidentally publish CDS/CDNSKEY records for its own keys. As a result, when the parent happens to retrieve the records from a nameserver controlled by this provider, the other providers' DS records would be removed from the parent, breaking the zone for some or all queries. A single provider should not be in the position to remove the other providers' trust anchors. To address this issue, this document specifies that if polling is used, parent-side entities MUST ensure that CDS/CDNSKEY record sets are equivalent across all of the child's authoritative nameservers, before taking any action based on these records. Readers are expected to be familiar with DNSSEC, including [RFC4033], [RFC4034], [RFC4035], [RFC6781], [RFC7344], and [RFC8901]. 1.1. Requirements Notation The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. 2. Polling a CDS or CDNSKEY Record Set The terminology in this section is as defined in [RFC7344]. To retrieve a Child's CDS/CDNSKEY RRset for DNSSEC delegation trust maintenance, the Parental Agent, knowing both the Child zone name and its NS hostnames, MUST ascertain that queries are made against all of the nameservers listed in the Child's delegation from the Parent, and ensure that the set of referenced keys is equal. In other words, CDS/CDNSKEY records at the Child zone apex MUST be queried directly from each of the authoritative servers as determined by the delegation's NS record set, with DNSSEC validation enforced. When a key is referenced in the CDS or CDNSKEY record set returned by one nameserver, but not referenced in the corresponding answers of all of the other nameservers, the CDS/CDNSKEY state MUST be considered inconsistent. If an inconsistent CDS/CDNSKEY state is encountered, the Parental Agent MUST take no action. Specifically, it MUST NOT delete or alter the existing DS RRset. Thomassen Expires 10 January 2023 [Page 3] Internet-Draft cds-consistency July 2022 3. Security Considerations The level of rigor mandated by this document is needed to prevent publication of a half-baked DS RRset (authorized only under a subset of NS hostnames). This ensures, for example, that an operator in a multi-homed setup cannot unilaterally remove another operator's trust anchor from the delegation's DS records. As a consequence, DS records can only be modified when there is consensus across all operators. 4. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, "DNS Security Introduction and Requirements", RFC 4033, DOI 10.17487/RFC4033, March 2005, . [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, "Resource Records for the DNS Security Extensions", RFC 4034, DOI 10.17487/RFC4034, March 2005, . [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, "Protocol Modifications for the DNS Security Extensions", RFC 4035, DOI 10.17487/RFC4035, March 2005, . [RFC6781] Kolkman, O., Mekking, W., and R. Gieben, "DNSSEC Operational Practices, Version 2", RFC 6781, DOI 10.17487/RFC6781, December 2012, . [RFC7344] Kumari, W., Gudmundsson, O., and G. Barwood, "Automating DNSSEC Delegation Trust Maintenance", RFC 7344, DOI 10.17487/RFC7344, September 2014, . [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, . Thomassen Expires 10 January 2023 [Page 4] Internet-Draft cds-consistency July 2022 [RFC8901] Huque, S., Aras, P., Dickinson, J., Vcelak, J., and D. Blacka, "Multi-Signer DNSSEC Models", RFC 8901, DOI 10.17487/RFC8901, September 2020, . Appendix A. Change History (to be removed before publication) * draft-thomassen-dnsop-cds-consistency-00 | Initial public draft. Author's Address Peter Thomassen deSEC, Secure Systems Engineering Berlin Germany Email: peter@desec.io Thomassen Expires 10 January 2023 [Page 5]