1 Network Working Group                                        W. Hardaker   
    2 Request for Comments: 4509                                        Sparta   
    3 Category: Standards Track                                       May 2006   

The IETF is responsible for the creation and maintenance of the DNS RFCs. The ICANN DNS RFC annotation project provides a forum for collecting community annotations on these RFCs as an aid to understanding for implementers and any interested parties. The annotations displayed here are not the result of the IETF consensus process.

This RFC is included in the DNS RFCs annotation project whose home page is here.

GLOBAL V. Risk, ISC.orgBIND 9 implementation note2022-08-15

This RFC is implemented in BIND 9.18 (all versions).

    4                                                                            
    5                                                                            
    6  Use of SHA-256 in DNSSEC Delegation Signer (DS) Resource Records (RRs)    
    7                                                                            
    8                                                                            
    9 Status of This Memo                                                        
   10                                                                            
   11    This document specifies an Internet standards track protocol for the    
   12    Internet community, and requests discussion and suggestions for         
   13    improvements.  Please refer to the current edition of the "Internet     
   14    Official Protocol Standards" (STD 1) for the standardization state      
   15    and status of this protocol.  Distribution of this memo is unlimited.   
   16                                                                            
   17 Copyright Notice                                                           
   18                                                                            
   19    Copyright (C) The Internet Society (2006).                              
   20                                                                            
   21 Abstract                                                                   
   22                                                                            
   23    This document specifies how to use the SHA-256 digest type in DNS       
   24    Delegation Signer (DS) Resource Records (RRs).  DS records, when        
   25    stored in a parent zone, point to DNSKEYs in a child zone.              
   26                                                                            
   27 Table of Contents                                                          
   28                                                                            
   29    1. Introduction ....................................................2   
   30    2. Implementing the SHA-256 Algorithm for DS Record Support ........2   
   31       2.1. DS Record Field Values .....................................2   
   32       2.2. DS Record with SHA-256 Wire Format .........................3   
   33       2.3. Example DS Record Using SHA-256 ............................3   
   34    3. Implementation Requirements .....................................3   
   35    4. Deployment Considerations .......................................4   
   36    5. IANA Considerations .............................................4   
   37    6. Security Considerations .........................................4   
   38       6.1. Potential Digest Type Downgrade Attacks ....................4   
   39       6.2. SHA-1 vs SHA-256 Considerations for DS Records .............5   
   40    7. Acknowledgements ................................................5   
   41    8. References ......................................................6   
   42       8.1. Normative References .......................................6   
   43       8.2. Informative References .....................................6   
   44                                                                            
   45                                                                            
   46                                                                            
   47                                                                            
   48                                                                            
   49                                                                            
   50                                                                            
   51                                                                            
   52 Hardaker                    Standards Track                     [Page 1]   

   53 RFC 4509            Use of SHA-256 in DNSSEC DS RRs             May 2006   
   54                                                                            
   55                                                                            
   56 1.  Introduction                                                           
   57                                                                            
   58    The DNSSEC [RFC4033] [RFC4034] [RFC4035] DS RR is published in parent   
   59    zones to distribute a cryptographic digest of one key in a child's      
   60    DNSKEY RRset.  The DS RRset is signed by at least one of the parent     
   61    zone's private zone data signing keys for each algorithm in use by      
   62    the parent.  Each signature is published in an RRSIG resource record,   
   63    owned by the same domain as the DS RRset, with a type covered of DS.    
   64                                                                            
   65    In this document, the key words "MUST", "MUST NOT", "REQUIRED",         
   66    "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY",     
   67    and "OPTIONAL" are to be interpreted as described in [RFC2119].         
   68                                                                            
   69 2.  Implementing the SHA-256 Algorithm for DS Record Support               
   70                                                                            
   71    This document specifies that the digest type code 2 has been assigned   
   72    to SHA-256 [SHA256] [SHA256CODE] for use within DS records.  The        
   73    results of the digest algorithm MUST NOT be truncated, and the entire   
   74    32 byte digest result is to be published in the DS record.              
   75                                                                            
   76 2.1.  DS Record Field Values                                               
   77                                                                            
   78    Using the SHA-256 digest algorithm within a DS record will make use     
   79    of the following DS-record fields:                                      
   80                                                                            
   81    Digest type: 2                                                          
   82                                                                            
   83    Digest: A SHA-256 bit digest value calculated by using the following    
   84       formula ("|" denotes concatenation).  The resulting value is not     
   85       truncated, and the entire 32 byte result is to be used in the        
   86       resulting DS record and related calculations.                        
   87                                                                            
   88         digest = SHA_256(DNSKEY owner name | DNSKEY RDATA)                 
   89                                                                            
   90       where DNSKEY RDATA is defined by [RFC4034] as:                       
   91                                                                            
   92         DNSKEY RDATA = Flags | Protocol | Algorithm | Public Key           
   93                                                                            
   94    The Key Tag field and Algorithm fields remain unchanged by this         
   95    document and are specified in the [RFC4034] specification.              
   96                                                                            
   97                                                                            
   98                                                                            
   99                                                                            
  100                                                                            
  101                                                                            
  102                                                                            
  103                                                                            
  104                                                                            
  105                                                                            
  106                                                                            
  107 Hardaker                    Standards Track                     [Page 2]   

  108 RFC 4509            Use of SHA-256 in DNSSEC DS RRs             May 2006   
  109                                                                            
  110                                                                            
  111 2.2.  DS Record with SHA-256 Wire Format                                   
  112                                                                            
  113    The resulting on-the-wire format for the resulting DS record will be    
  114    as follows:                                                             
  115                                                                            
  116                           1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3      
  117       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1      
  118      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+     
  119      |           Key Tag             |  Algorithm    | DigestType=2  |     
  120      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+     
  121      /                                                               /     
  122      /            Digest  (length for SHA-256 is 32 bytes)           /     
  123      /                                                               /     
  124      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-|     
  125                                                                            
  126 2.3.  Example DS Record Using SHA-256                                      
  127                                                                            
  128    The following is an example DNSKEY and matching DS record.  This        
  129    DNSKEY record comes from the example DNSKEY/DS records found in         
  130    section 5.4 of [RFC4034].                                               
  131                                                                            
  132    The DNSKEY record:                                                      
  133                                                                            
  134    dskey.example.com. 86400 IN DNSKEY 256 3 5 ( AQOeiiR0GOMYkDshWoSKz9Xz   
  135                                                 fwJr1AYtsmx3TGkJaNXVbfi/   
  136                                                 2pHm822aJ5iI9BMzNXxeYCmZ   
  137                                                 DRD99WYwYqUSdjMmmAphXdvx   
  138                                                 egXd/M5+X7OrzKBaMbCVdFLU   
  139                                                 Uh6DhweJBjEVv5f2wwjM9Xzc   
  140                                                 nOf+EPbtG9DMBmADjFDc2w/r   
  141                                                 ljwvFw==                   
  142                                                 ) ;  key id = 60485        
  143                                                                            
  144    The resulting DS record covering the above DNSKEY record using a        
  145    SHA-256 digest:                                                         
  146                                                                            
  147    dskey.example.com. 86400 IN DS 60485 5 2   ( D4B7D520E7BB5F0F67674A0C   
  148                                                 CEB1E3E0614B93C4F9E99B83   
  149                                                 83F6A1E4469DA50A )         
  150                                                                            
  151 3.  Implementation Requirements                                            
  152                                                                            
  153    Implementations MUST support the use of the SHA-256 algorithm in DS     
  154    RRs.  Validator implementations SHOULD ignore DS RRs containing SHA-1   
  155    digests if DS RRs with SHA-256 digests are present in the DS RRset.     
  156                                                                            
  157                                                                            
  158                                                                            
  159                                                                            
  160                                                                            
  161                                                                            
  162 Hardaker                    Standards Track                     [Page 3]   

  163 RFC 4509            Use of SHA-256 in DNSSEC DS RRs             May 2006   
  164                                                                            
  165                                                                            
  166 4.  Deployment Considerations                                              
  167                                                                            
  168    If a validator does not support the SHA-256 digest type and no other    
  169    DS RR exists in a zone's DS RRset with a supported digest type, then    
  170    the validator has no supported authentication path leading from the     
  171    parent to the child.  The resolver should treat this case as it would   
  172    the case of an authenticated NSEC RRset proving that no DS RRset        
  173    exists, as described in [RFC4035], Section 5.2.                         
  174                                                                            
  175    Because zone administrators cannot control the deployment speed of      
  176    support for SHA-256 in validators that may be referencing any of        
  177    their zones, zone operators should consider deploying both SHA-1 and    
  178    SHA-256 based DS records.  This should be done for every DNSKEY for     
  179    which DS records are being generated.  Whether to make use of both      
  180    digest types and for how long is a policy decision that extends         
  181    beyond the scope of this document.                                      
  182                                                                            
  183 5.  IANA Considerations                                                    
  184                                                                            
  185    Only one IANA action is required by this document:                      
  186                                                                            
  187    The Digest Type to be used for supporting SHA-256 within DS records     
  188    has been assigned by IANA.                                              
  189                                                                            
  190    At the time of this writing, the current digest types assigned for      
  191    use in DS records are as follows:                                       
  192                                                                            
  193       VALUE     Digest Type          Status                                
  194         0       Reserved                -                                  
  195         1       SHA-1                MANDATORY                             
  196         2       SHA-256              MANDATORY                             
  197       3-255    Unassigned               -                                  
  198                                                                            
  199 6.  Security Considerations                                                
  200                                                                            
  201 6.1.  Potential Digest Type Downgrade Attacks                              
  202                                                                            
  203    A downgrade attack from a stronger digest type to a weaker one is       
  204    possible if all of the following are true:                              
  205                                                                            
  206    o  A zone includes multiple DS records for a given child's DNSKEY,      
  207       each of which uses a different digest type.                          
  208                                                                            
  209    o  A validator accepts a weaker digest even if a stronger one is        
  210       present but invalid.                                                 
  211                                                                            
  212                                                                            
  213                                                                            
  214                                                                            
  215                                                                            
  216                                                                            
  217 Hardaker                    Standards Track                     [Page 4]   

  218 RFC 4509            Use of SHA-256 in DNSSEC DS RRs             May 2006   
  219                                                                            
  220                                                                            
  221    For example, if the following conditions are all true:                  
  222                                                                            
  223    o  Both SHA-1 and SHA-256 based digests are published in DS records     
  224       within a parent zone for a given child zone's DNSKEY.                
  225                                                                            
  226    o  The DS record with the SHA-1 digest matches the digest computed      
  227       using the child zone's DNSKEY.                                       
  228                                                                            
  229    o  The DS record with the SHA-256 digest fails to match the digest      
  230       computed using the child zone's DNSKEY.                              
  231                                                                            
  232    Then, if the validator accepts the above situation as secure, then      
  233    this can be used as a downgrade attack since the stronger SHA-256       
  234    digest is ignored.                                                      
  235                                                                            
  236 6.2.  SHA-1 vs. SHA-256 Considerations for DS Records                      
  237                                                                            
  238    Users of DNSSEC are encouraged to deploy SHA-256 as soon as software    
  239    implementations allow for it.  SHA-256 is widely believed to be more    
  240    resilient to attack than SHA-1, and confidence in SHA-1's strength is   
  241    being eroded by recently announced attacks.  Regardless of whether      
  242    the attacks on SHA-1 will affect DNSSEC, it is believed (at the time    
  243    of this writing) that SHA-256 is the better choice for use in DS        
  244    records.                                                                
  245                                                                            
  246    At the time of this publication, the SHA-256 digest algorithm is        
  247    considered sufficiently strong for the immediate future.  It is also    
  248    considered sufficient for use in DNSSEC DS RRs for the immediate        
  249    future.  However, future published attacks may weaken the usability     
  250    of this algorithm within the DS RRs.  It is beyond the scope of this    
  251    document to speculate extensively on the cryptographic strength of      
  252    the SHA-256 digest algorithm.                                           
  253                                                                            
  254    Likewise, it is also beyond the scope of this document to specify       
  255    whether or for how long SHA-1 based DS records should be                
  256    simultaneously published alongside SHA-256 based DS records.            
  257                                                                            
  258 7.  Acknowledgements                                                       
  259                                                                            
  260    This document is a minor extension to the existing DNSSEC documents     
  261    and those authors are gratefully appreciated for the hard work that     
  262    went into the base documents.                                           
  263                                                                            
  264    The following people contributed to portions of this document in some   
  265    fashion: Mark Andrews, Roy Arends, Olafur Gudmundsson, Paul Hoffman,    
  266    Olaf M. Kolkman, Edward Lewis, Scott Rose, Stuart E. Schechter, Sam     
  267    Weiler.                                                                 
  268                                                                            
  269                                                                            
  270                                                                            
  271                                                                            
  272 Hardaker                    Standards Track                     [Page 5]   

  273 RFC 4509            Use of SHA-256 in DNSSEC DS RRs             May 2006   
  274                                                                            
  275                                                                            
  276 8.  References                                                             
  277                                                                            
  278 8.1.  Normative References                                                 
  279                                                                            
  280    [RFC2119]    Bradner, S., "Key words for use in RFCs to Indicate        
  281                 Requirement Levels", BCP 14, RFC 2119, March 1997.         
  282                                                                            
  283    [RFC4033]    Arends, R., Austein, R., Larson, M., Massey, D., and S.    
  284                 Rose, "DNS Security Introduction and Requirements", RFC    
  285                 4033, March 2005.                                          
  286                                                                            
  287    [RFC4034]    Arends, R., Austein, R., Larson, M., Massey, D., and S.    
  288                 Rose, "Resource Records for the DNS Security               
  289                 Extensions", RFC 4034, March 2005.                         
  290                                                                            
  291    [RFC4035]    Arends, R., Austein, R., Larson, M., Massey, D., and S.    
  292                 Rose, "Protocol Modifications for the DNS Security         
  293                 Extensions", RFC 4035, March 2005.                         
  294                                                                            
  295    [SHA256]     National Institute of Standards and Technology, "Secure    
  296                 Hash Algorithm. NIST FIPS 180-2", August 2002.             
  297                                                                            
  298 8.2.  Informative References                                               
  299                                                                            
  300    [SHA256CODE] Eastlake, D., "US Secure Hash Algorithms (SHA)", Work in   
  301                 Progress.                                                  
  302                                                                            
  303 Author's Address                                                           
  304                                                                            
  305    Wes Hardaker                                                            
  306    Sparta                                                                  
  307    P.O. Box 382                                                            
  308    Davis, CA  95617                                                        
  309    USA                                                                     
  310                                                                            
  311    EMail: hardaker@tislabs.com                                             
  312                                                                            
  313                                                                            
  314                                                                            
  315                                                                            
  316                                                                            
  317                                                                            
  318                                                                            
  319                                                                            
  320                                                                            
  321                                                                            
  322                                                                            
  323                                                                            
  324                                                                            
  325                                                                            
  326                                                                            
  327 Hardaker                    Standards Track                     [Page 6]   

  328 RFC 4509            Use of SHA-256 in DNSSEC DS RRs             May 2006   
  329                                                                            
  330                                                                            
  331 Full Copyright Statement                                                   
  332                                                                            
  333    Copyright (C) The Internet Society (2006).                              
  334                                                                            
  335    This document is subject to the rights, licenses and restrictions       
  336    contained in BCP 78, and except as set forth therein, the authors       
  337    retain all their rights.                                                
  338                                                                            
  339    This document and the information contained herein are provided on an   
  340    "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS   
  341    OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET      
  342    ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,     
  343    INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE           
  344    INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED          
  345    WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.      
  346                                                                            
  347 Intellectual Property                                                      
  348                                                                            
  349    The IETF takes no position regarding the validity or scope of any       
  350    Intellectual Property Rights or other rights that might be claimed to   
  351    pertain to the implementation or use of the technology described in     
  352    this document or the extent to which any license under such rights      
  353    might or might not be available; nor does it represent that it has      
  354    made any independent effort to identify any such rights.  Information   
  355    on the procedures with respect to rights in RFC documents can be        
  356    found in BCP 78 and BCP 79.                                             
  357                                                                            
  358    Copies of IPR disclosures made to the IETF Secretariat and any          
  359    assurances of licenses to be made available, or the result of an        
  360    attempt made to obtain a general license or permission for the use of   
  361    such proprietary rights by implementers or users of this                
  362    specification can be obtained from the IETF on-line IPR repository at   
  363    http://www.ietf.org/ipr.                                                
  364                                                                            
  365    The IETF invites any interested party to bring to its attention any     
  366    copyrights, patents or patent applications, or other proprietary        
  367    rights that may cover technology that may be required to implement      
  368    this standard.  Please address the information to the IETF at           
  369    ietf-ipr@ietf.org.                                                      
  370                                                                            
  371 Acknowledgement                                                            
  372                                                                            
  373    Funding for the RFC Editor function is provided by the IETF             
  374    Administrative Support Activity (IASA).                                 
  375                                                                            
  376                                                                            
  377                                                                            
  378                                                                            
  379                                                                            
  380                                                                            
  381                                                                            
  382 Hardaker                    Standards Track                     [Page 7]   
  383                                                                            
line-4 Matt McCutchen(Technical Erratum #2752) [Held for Document Update]
based on outdated version
It should say:
Updates: 4035

This document should update RFC 4035 because the statement in section 3, "Validator implementations SHOULD ignore DS RRs containing SHA-1 digests if DS RRs with SHA-256 digests are present in the DS RRset", modifies the rules for authenticating referrals in RFC 4035 section 5.2.