1 Network Working Group S. Weiler
2 Request for Comments: 4470 SPARTA, Inc.
3 Updates: 4035, 4034 J. Ihren
4 Category: Standards Track Autonomica AB
5 April 2006
6
7
8 Minimally Covering NSEC Records and DNSSEC On-line Signing
9
10
11 Status of This Memo
12
13 This document specifies an Internet standards track protocol for the
14 Internet community, and requests discussion and suggestions for
15 improvements. Please refer to the current edition of the "Internet
16 Official Protocol Standards" (STD 1) for the standardization state
17 and status of this protocol. Distribution of this memo is unlimited.
18
19 Copyright Notice
20
21 Copyright (C) The Internet Society (2006).
22
23 Abstract
24
25 This document describes how to construct DNSSEC NSEC resource records
26 that cover a smaller range of names than called for by RFC 4034. By
27 generating and signing these records on demand, authoritative name
28 servers can effectively stop the disclosure of zone contents
29 otherwise made possible by walking the chain of NSEC records in a
30 signed zone.
31
32 Table of Contents
33
34 1. Introduction ....................................................1
35 2. Applicability of This Technique .................................2
36 3. Minimally Covering NSEC Records .................................2
37 4. Better Epsilon Functions ........................................4
38 5. Security Considerations .........................................5
39 6. Acknowledgements ................................................6
40 7. Normative References ............................................6
41
42 1. Introduction
43
44 With DNSSEC [1], an NSEC record lists the next instantiated name in
45 its zone, proving that no names exist in the "span" between the
46 NSEC's owner name and the name in the "next name" field. In this
47 document, an NSEC record is said to "cover" the names between its
48 owner name and next name.
49
50
51
52 Weiler & Ihren Standards Track [Page 1]
53 RFC 4470 NSEC Epsilon April 2006
54
55
56 Through repeated queries that return NSEC records, it is possible to
57 retrieve all of the names in the zone, a process commonly called
58 "walking" the zone. Some zone owners have policies forbidding zone
59 transfers by arbitrary clients; this side effect of the NSEC
60 architecture subverts those policies.
61
62 This document presents a way to prevent zone walking by constructing
63 NSEC records that cover fewer names. These records can make zone
64 walking take approximately as many queries as simply asking for all
65 possible names in a zone, making zone walking impractical. Some of
66 these records must be created and signed on demand, which requires
67 on-line private keys. Anyone contemplating use of this technique is
68 strongly encouraged to review the discussion of the risks of on-line
69 signing in Section 5.
70
71 1.2. Keywords
72
73 The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
74 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
75 document are to be interpreted as described in RFC 2119 [4].
76
77 2. Applicability of This Technique
78
79 The technique presented here may be useful to a zone owner that wants
80 to use DNSSEC, is concerned about exposure of its zone contents via
81 zone walking, and is willing to bear the costs of on-line signing.
82
83 As discussed in Section 5, on-line signing has several security
84 risks, including an increased likelihood of private keys being
85 disclosed and an increased risk of denial of service attack. Anyone
86 contemplating use of this technique is strongly encouraged to review
87 the discussion of the risks of on-line signing in Section 5.
88
89 Furthermore, at the time this document was published, the DNSEXT
90 working group was actively working on a mechanism to prevent zone
91 walking that does not require on-line signing (tentatively called
92 NSEC3). The new mechanism is likely to expose slightly more
93 information about the zone than this technique (e.g., the number of
94 instantiated names), but it may be preferable to this technique.
95
96 3. Minimally Covering NSEC Records
97
98 This mechanism involves changes to NSEC records for instantiated
99 names, which can still be generated and signed in advance, as well as
100 the on-demand generation and signing of new NSEC records whenever a
101 name must be proven not to exist.
102
103
104
105
106
107 Weiler & Ihren Standards Track [Page 2]
108 RFC 4470 NSEC Epsilon April 2006
109
110
111 In the "next name" field of instantiated names' NSEC records, rather
112 than list the next instantiated name in the zone, list any name that
113 falls lexically after the NSEC's owner name and before the next
114 instantiated name in the zone, according to the ordering function in
115 RFC 4034 [2] Section 6.1. This relaxes the requirement in Section
116 4.1.1 of RFC 4034 that the "next name" field contains the next owner
117 name in the zone. This change is expected to be fully compatible
118 with all existing DNSSEC validators. These NSEC records are returned
119 whenever proving something specifically about the owner name (e.g.,
120 that no resource records of a given type appear at that name).
121
122 Whenever an NSEC record is needed to prove the non-existence of a
123 name, a new NSEC record is dynamically produced and signed. The new
124 NSEC record has an owner name lexically before the QNAME but
125 lexically following any existing name and a "next name" lexically
126 following the QNAME but before any existing name.
127
128 The generated NSEC record's type bitmap MUST have the RRSIG and NSEC
129 bits set and SHOULD NOT have any other bits set. This relaxes the
130 requirement in Section 2.3 of RFC4035 that NSEC RRs not appear at
131 names that did not exist before the zone was signed.
132
133 The functions to generate the lexically following and proceeding
134 names need not be perfect or consistent, but the generated NSEC
135 records must not cover any existing names. Furthermore, this
136 technique works best when the generated NSEC records cover as few
137 names as possible. In this document, the functions that generate the
138 nearby names are called "epsilon" functions, a reference to the
139 mathematical convention of using the greek letter epsilon to
140 represent small deviations.
141
142 An NSEC record denying the existence of a wildcard may be generated
143 in the same way. Since the NSEC record covering a non-existent
144 wildcard is likely to be used in response to many queries,
145 authoritative name servers using the techniques described here may
146 want to pregenerate or cache that record and its corresponding RRSIG.
147
148 For example, a query for an A record at the non-instantiated name
149 example.com might produce the following two NSEC records, the first
150 denying the existence of the name example.com and the second denying
151 the existence of a wildcard:
152
153 exampld.com 3600 IN NSEC example-.com ( RRSIG NSEC )
154
The IETF is responsible for the creation and maintenance of the DNS RFCs. The ICANN DNS RFC annotation project provides a forum for collecting community annotations on these RFCs as an aid to understanding for implementers and any interested parties. The annotations displayed here are not the result of the IETF consensus process.
This RFC is included in the DNS RFCs annotation project whose home page is here.
This RFC is implemented in BIND 9.18 (all versions). Minimally Covering NSEC records are accepted but not generated.
155 \).com 3600 IN NSEC +.com ( RRSIG NSEC )
156
157
158
159
160
161
162 Weiler & Ihren Standards Track [Page 3]
163 RFC 4470 NSEC Epsilon April 2006
164
165
166 Before answering a query with these records, an authoritative server
167 must test for the existence of names between these endpoints. If the
168 generated NSEC would cover existing names (e.g., exampldd.com or
169 *bizarre.example.com), a better epsilon function may be used or the
170 covered name closest to the QNAME could be used as the NSEC owner
171 name or next name, as appropriate. If an existing name is used as
172 the NSEC owner name, that name's real NSEC record MUST be returned.
173 Using the same example, assuming an exampldd.com delegation exists,
174 this record might be returned from the parent:
175
176 exampldd.com 3600 IN NSEC example-.com ( NS DS RRSIG NSEC )
177
178 Like every authoritative record in the zone, each generated NSEC
179 record MUST have corresponding RRSIGs generated using each algorithm
180 (but not necessarily each DNSKEY) in the zone's DNSKEY RRset, as
181 described in RFC 4035 [3] Section 2.2. To minimize the number of
182 signatures that must be generated, a zone may wish to limit the
183 number of algorithms in its DNSKEY RRset.
184
185 4. Better Epsilon Functions
186
187 Section 6.1 of RFC 4034 defines a strict ordering of DNS names.
188 Working backward from that definition, it should be possible to
189 define epsilon functions that generate the immediately following and
190 preceding names, respectively. This document does not define such
191 functions. Instead, this section presents functions that come
192 reasonably close to the perfect ones. As described above, an
193 authoritative server should still ensure than no generated NSEC
194 covers any existing name.
195
196 To increment a name, add a leading label with a single null (zero-
197 value) octet.
198
199 To decrement a name, decrement the last character of the leftmost
200 label, then fill that label to a length of 63 octets with octets of
201 value 255. To decrement a null (zero-value) octet, remove the octet
202 -- if an empty label is left, remove the label. Defining this
203 function numerically: fill the leftmost label to its maximum length
204 with zeros (numeric, not ASCII zeros) and subtract one.
205
206 In response to a query for the non-existent name foo.example.com,
207 these functions produce NSEC records of the following:
208
209
210
211
212
213
214
215
216
217 Weiler & Ihren Standards Track [Page 4]
218 RFC 4470 NSEC Epsilon April 2006
219
220
221 fon\255\255\255\255\255\255\255\255\255\255\255\255\255\255
222 \255\255\255\255\255\255\255\255\255\255\255\255\255\255\255
223 \255\255\255\255\255\255\255\255\255\255\255\255\255\255\255
224 \255\255\255\255\255\255\255\255\255\255\255\255\255\255\255
225 \255.example.com 3600 IN NSEC \000.foo.example.com ( NSEC RRSIG )
226
227 \)\255\255\255\255\255\255\255\255\255\255\255\255\255\255\255
228 \255\255\255\255\255\255\255\255\255\255\255\255\255\255\255
229 \255\255\255\255\255\255\255\255\255\255\255\255\255\255\255
230 \255\255\255\255\255\255\255\255\255\255\255\255\255\255\255
231 \255\255.example.com 3600 IN NSEC \000.*.example.com ( NSEC RRSIG )
232
233 The first of these NSEC RRs proves that no exact match for
234 foo.example.com exists, and the second proves that there is no
235 wildcard in example.com.
236
237 Both of these functions are imperfect: they do not take into account
238 constraints on number of labels in a name nor total length of a name.
239 As noted in the previous section, though, this technique does not
240 depend on the use of perfect epsilon functions: it is sufficient to
241 test whether any instantiated names fall into the span covered by the
242 generated NSEC and, if so, substitute those instantiated owner names
243 for the NSEC owner name or next name, as appropriate.
244
245 5. Security Considerations
246
247 This approach requires on-demand generation of RRSIG records. This
248 creates several new vulnerabilities.
249
250 First, on-demand signing requires that a zone's authoritative servers
251 have access to its private keys. Storing private keys on well-known
252 Internet-accessible servers may make them more vulnerable to
253 unintended disclosure.
254
255 Second, since generation of digital signatures tends to be
256 computationally demanding, the requirement for on-demand signing
257 makes authoritative servers vulnerable to a denial of service attack.
258
259 Last, if the epsilon functions are predictable, on-demand signing may
260 enable a chosen-plaintext attack on a zone's private keys. Zones
261 using this approach should attempt to use cryptographic algorithms
262 that are resistant to chosen-plaintext attacks. It is worth noting
263 that although DNSSEC has a "mandatory to implement" algorithm, that
264 is a requirement on resolvers and validators -- there is no
265 requirement that a zone be signed with any given algorithm.
266
267 The success of using minimally covering NSEC records to prevent zone
268 walking depends greatly on the quality of the epsilon functions
269
270
271
272 Weiler & Ihren Standards Track [Page 5]
273 RFC 4470 NSEC Epsilon April 2006
274
275
276 chosen. An increment function that chooses a name obviously derived
277 from the next instantiated name may be easily reverse engineered,
278 destroying the value of this technique. An increment function that
279 always returns a name close to the next instantiated name is likewise
280 a poor choice. Good choices of epsilon functions are the ones that
281 produce the immediately following and preceding names, respectively,
282 though zone administrators may wish to use less perfect functions
283 that return more human-friendly names than the functions described in
284 Section 4 above.
285
286 Another obvious but misguided concern is the danger from synthesized
287 NSEC records being replayed. It is possible for an attacker to
288 replay an old but still validly signed NSEC record after a new name
289 has been added in the span covered by that NSEC, incorrectly proving
290 that there is no record at that name. This danger exists with DNSSEC
291 as defined in [3]. The techniques described here actually decrease
292 the danger, since the span covered by any NSEC record is smaller than
293 before. Choosing better epsilon functions will further reduce this
294 danger.
295
296 6. Acknowledgements
297
298 Many individuals contributed to this design. They include, in
299 addition to the authors of this document, Olaf Kolkman, Ed Lewis,
300 Peter Koch, Matt Larson, David Blacka, Suzanne Woolf, Jaap Akkerhuis,
301 Jakob Schlyter, Bill Manning, and Joao Damas.
302
303 In addition, the editors would like to thank Ed Lewis, Scott Rose,
304 and David Blacka for their careful review of the document.
305
306 7. Normative References
307
308 [1] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
309 "DNS Security Introduction and Requirements", RFC 4033, March
310 2005.
311
312 [2] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
313 "Resource Records for the DNS Security Extensions", RFC 4034,
314 March 2005.
315
316 [3] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
317 "Protocol Modifications for the DNS Security Extensions", RFC
318 4035, March 2005.
319
320 [4] Bradner, S., "Key words for use in RFCs to Indicate Requirement
321 Levels", BCP 14, RFC 2119, March 1997.
322
323
324
325
326
327 Weiler & Ihren Standards Track [Page 6]
328 RFC 4470 NSEC Epsilon April 2006
329
330
331 Authors' Addresses
332
333 Samuel Weiler
334 SPARTA, Inc.
335 7075 Samuel Morse Drive
336 Columbia, Maryland 21046
337 US
338
339 EMail: weiler@tislabs.com
340
341
342 Johan Ihren
343 Autonomica AB
344 Bellmansgatan 30
345 Stockholm SE-118 47
346 Sweden
347
348 EMail: johani@autonomica.se
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382 Weiler & Ihren Standards Track [Page 7]
383 RFC 4470 NSEC Epsilon April 2006
384
385
386 Full Copyright Statement
387
388 Copyright (C) The Internet Society (2006).
389
390 This document is subject to the rights, licenses and restrictions
391 contained in BCP 78, and except as set forth therein, the authors
392 retain all their rights.
393
394 This document and the information contained herein are provided on an
395 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
396 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
397 ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
398 INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
399 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
400 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
401
402 Intellectual Property
403
404 The IETF takes no position regarding the validity or scope of any
405 Intellectual Property Rights or other rights that might be claimed to
406 pertain to the implementation or use of the technology described in
407 this document or the extent to which any license under such rights
408 might or might not be available; nor does it represent that it has
409 made any independent effort to identify any such rights. Information
410 on the procedures with respect to rights in RFC documents can be
411 found in BCP 78 and BCP 79.
412
413 Copies of IPR disclosures made to the IETF Secretariat and any
414 assurances of licenses to be made available, or the result of an
415 attempt made to obtain a general license or permission for the use of
416 such proprietary rights by implementers or users of this
417 specification can be obtained from the IETF on-line IPR repository at
418 http://www.ietf.org/ipr.
419
420 The IETF invites any interested party to bring to its attention any
421 copyrights, patents or patent applications, or other proprietary
422 rights that may cover technology that may be required to implement
423 this standard. Please address the information to the IETF at
424 ietf-ipr@ietf.org.
425
426 Acknowledgement
427
428 Funding for the RFC Editor function is provided by the IETF
429 Administrative Support Activity (IASA).
430
431
432
433
434
435
436
437 Weiler & Ihren Standards Track [Page 8]
438
The first of these NSEC RRs proves that no exact match for foo.example.com exists, and the second proves that there is no wildcard in example.com.
TBD
\)\255\255\255\255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255\255\255\255 \255\255\255\255\255\255\255\255\255\255\255\255\255\255\255 \255\255.example.com 3600 IN NSEC \000.*.example.com ( NSEC RRSIG )