| RFC 9615 | DNSSEC Bootstrapping | July 2024 |
| Thomassen & Wisiol | Standards Track | [Page] |
This document introduces an in-band method for DNS operators topublish arbitrary information about the zones for which they are authoritative, in an authenticated fashion and on a per-zone basis.The mechanism allows managed DNS operators to securely announceDNSSEC key parameters for zones under their management, including forzones that are not currently securely delegated.¶
Whenever DS records are absent for a zone's delegation, this signalenables the parent's registry or registrar to cryptographicallyvalidate the CDS/CDNSKEY records found at the child's apex.The parent can then provision DS records for the delegation withoutresorting to out-of-band validation or weaker types of cross-checkssuch as "Accept after Delay".¶
This document establishes the DS enrollment method described inSection 4 of this document as the preferred method overthose from Section 3 of RFC 8078. It also updates RFC 7344.¶
This is an Internet Standards Track document.¶
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841.¶
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained athttps://www.rfc-editor.org/info/rfc9615.¶
Copyright (c) 2024 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
Securing a DNS delegation for the first time requires that thechild's DNSSEC parameters be conveyed to the parent through sometrusted channel.While the communication conceptually has to occur between the parentregistry and the DNSSEC key holder, what that means exactly and howcommunication is coordinated traditionally depends on therelationship the child has with the parent.¶
A typical situation is that the key is held by the child DNSoperator; thus, the communication often involves this entity.In addition, depending on the circumstances, it may also involve theregistrar, possibly via the registrant (for details, seeAppendix A of [RFC7344].¶
As observed in[RFC7344], these dependencies often result in a manualprocess that is susceptible to mistakes and/or errors.In addition, due to the annoyance factor of the process, involvedparties may avoid the process of getting a DS resource record set (RRset)published in the first place.¶
To alleviate these problems, automated provisioning of DS records hasbeen specified in[RFC8078].It is based on the parental agent (registry or registrar) fetchingDNSSEC key parameters from the CDS and CDNSKEY records ([RFC7344])located at the child zone's apex, and validating them somehow.This validation can be done using the child's existing DNSSEC chain oftrust if the objective is to update an existing DS RRset (such asduring key rollover).However, when bootstrapping a DNSSEC delegation, the child zone hasno existing DNSSEC validation path, so other means to ensure theCDS/CDNSKEY records' legitimacy must be found.¶
Due to the lack of a comprehensive DNS-innate solution, eitherout-of-band methods have been used so far to complete the chain oftrust, or cryptographic validation has been entirely dispensed with, inexchange for weaker types of cross-checks such as "Accept afterDelay" (Section 3.3 of [RFC8078]).[RFC8078] does not define an in-band validation method for enablingDNSSEC.¶
This document aims to close this gap by introducing an in-band methodfor DNS operators to publish arbitrary information about the zonesfor which they are authoritative, in an authenticated manner and on aper-zone basis.The mechanism allows managed DNS operators to securely announceDNSSEC key parameters for zones under their management.The parent can then use this signal to cryptographically validate theCDS/CDNSKEY RRsets found at an insecure child zone's apex and, uponsuccess, secure the delegation.¶
While applicable to the vast majority of domains, the protocol doesnot support certain edge cases, such as excessively long child zonenames, or DNSSEC bootstrapping for domains with in-domain nameserversonly (seeSection 4.4).¶
DNSSEC bootstrapping is just one application of the generic signalingmechanism specified in this document.Other applications might arise in the future, such as publishingoperational metadata or auxiliary information that the DNS operatorlikes to make known (e.g., API endpoints for third-party interaction).¶
Readers are expected to be familiar with DNSSEC[BCP237].¶
This section defines the terminology used in this document.¶
_signal to ahostname taken from a delegation's NS RRset.There are as many signaling domains as there are distinct NStargets.¶_dsboot for DNSSEC bootstrapping.¶The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14[RFC2119][RFC8174] when, and only when, they appear in all capitals, as shown here.¶
The DS enrollment methods described inSection 3 of [RFC8078] are lesssecure than the method described inSection 4 of thisdocument.Therefore, child DNS operators and parental agents wishing to use CDS/CDNSKEYrecords for initial DS enrollmentSHOULD support theauthentication protocol described here.¶
In order to facilitate publication of signaling records for the purposeof DNSSEC bootstrapping (seeSection 4.1), the first bullet("Location") ofSection 4.1 of [RFC7344] is removed.¶
This section describes the general mechanism by which a child DNSoperator can publish an authenticated signal about a child zone.Parental agents (or any other party) can then discover and process thesignal.Authenticity is ensured through standard DNSSEC validation.¶
If a child DNS operator implements this specification, each signalingzoneMUST be signed and be validatable by the parental agent (i.e., havea valid publicly resolvable DNSSEC chain of trust).This is typically achieved by securely delegating each signaling zone.¶
For example, when publishing a signal that relates to a child zonewith NS recordsns1.example.net andns2.example.org, the childDNS operator needs to ensure that the parental agent has a valid DNSSECchain of trust for the zone(s) that are authoritative for the signalingdomains_signal.ns1.example.net and_signal.ns2.example.org.¶
To publish information about the child zone in anauthenticated fashion, the child DNS operatorMUST publish one ormore signaling records at a signaling name under each signaling domain.¶
Signaling recordsMUST be accompanied by RRSIG records created withthe corresponding signaling zone's key(s).The type and contents of these signaling records depend on the type ofsignal.¶
The signaling name identifies the child and the signaling type.It is identical to the child name (with the final root label removed),prefixed with a label containing the signaling type.¶
When the child zone's CDS/CDNSKEY RRsets are used for setting up initialtrust, they need to be authenticated.This is achieved by copublishing the child's CDS/CDNSKEY RRsets as anauthenticated signal as described inSection 3.The parent can discover and validate it, thus transferring trust fromthe child DNS operator nameservers' chain of trust to the child zone.¶
This protocol is not intended for updating an existing DS RRset.For this purpose, the parental agent can validate the child'sCDS/CDNSKEY RRsets directly, using the chain of trust established bythe existing DS RRset (Section 4 of [RFC7344]).¶
To confirm its willingness to act as the child's delegated signer andauthenticate the child's CDS/CDNSKEY RRsets, the child DNS operatorMUST copublish them at the corresponding signaling name under eachsignaling domain, excluding those that would fall within the childdomain (Section 3.2).For simplicity, the child DNS operatorMAY also copublish the child'sCDS/CDNSKEY RRsets under signaling domains within the child domain,although those signaling domains are not used for validation(Section 4.2).¶
Unlike the CDS/CDNSKEY RRsets at the child's apex, a signalingRRsetMUST be signed with the corresponding signaling zone'skey(s). Its contentsMUST be identical to the correspondingRRset published at the child's apex.¶
Existing use of CDS/CDNSKEY records was specified at the child apexonly (Section 4.1 of [RFC7344]). This protocol extends the use ofthese record types to non-apex owner names for the purpose of DNSSECbootstrapping. To exclude the possibility of semantic collision,thereMUST NOT be a zone cut at a signaling name.¶
For the purposes of bootstrapping the child zoneexample.co.uk with NSrecordsns1.example.net,ns2.example.org, andns3.example.co.uk,the required signaling domains are_signal.ns1.example.net and_signal.ns2.example.org.¶
In the zones containing these domains, the child DNS operatorauthenticates the CDS/CDNSKEY RRsets found at the child's apex bycopublishing them as CDS/CDNSKEY RRsets at the names:¶
_dsboot.example.co.uk._signal.ns1.example.net_dsboot.example.co.uk._signal.ns2.example.org¶
These RRsets are signed with DNSSEC just like any other zone data.¶
Publication of signaling records under the in-domain name_signal.ns3.example.co.uk is not required.¶
To validate a child's CDS/CDNSKEY RRset for DNSSEC bootstrapping, theparental agent, knowing both the child zone name and its NShostnames,MUST execute the following steps:¶
verify that the child has no DS records published at the parent andthat at least one of its nameservers is outside the child domain;¶
query the CDS/CDNSKEY RRset at the child zone apex directly fromeach of the authoritative servers as determined by the delegation's(parent-side) NS RRset, without caching;¶
query the CDS/CDNSKEY RRset located at the signaling name undereach signaling domain (except those falling within the child domain)using a trusted DNS resolver and enforce DNSSEC validation;¶
check (separately by record type) that all RRsets retrievedin Steps 2 and 3 have equal contents;¶
If the above steps succeed without error, the CDS/CDNSKEY RRsets aresuccessfully verified, and the parental agent can proceed with thepublication of the DS RRset under the precautions described inSection 5 of [RFC8078].¶
The parental agentMUST abort the procedure if an errorcondition occurs, in particular:¶
inStep 1: the child is already securely delegated or has in-domainnameservers only;¶
inStep 2: any failure during the retrieval of the CDS/CDNSKEYRRset located at the child apex from any of the authoritativenameservers;¶
inStep 3: any failure to retrieve the CDS/CDNSKEY RRsets locatedat the signaling name under any signaling domain, including failureof DNSSEC validation, or unauthenticated data (AD bit not set);¶
inStep 4: inconsistent responses (for at least one of the types),including an RRset that is empty in one of Steps2 or3, butnon-empty in the other.¶
To verify the CDS/CDNSKEY RRsets for the childexample.co.uk, theparental agent (assuming that the child delegation's NS records arens1.example.net,ns2.example.org, andns3.example.co.uk)¶
checks that the child domain is not yet securely delegated;¶
queries the CDS/CDNSKEY RRsets forexample.co.uk directly fromns1.example.net,ns2.example.org, andns3.example.co.uk(without caching);¶
queries and validates the CDS/CDNSKEY RRsets located at (seeSection 3.2;ns3.example.co.uk is ignored because it isin-domain)¶
_dsboot.example.co.uk._signal.ns1.example.net_dsboot.example.co.uk._signal.ns2.example.org¶
If all of these steps succeed, the parental agent can proceed to publisha DS RRset as indicated by the validated CDS/CDNSKEY RRset.¶
As in-domain signaling names do not have a chain of trust atbootstrapping time, the parental agent does not consider them duringvalidation.Consequently, if all NS hostnames are in-domain, validation cannot becompleted and DS records are not published.¶
Parental agentsSHOULD trigger the procedure described inSection 4.2once one of the following conditions is fulfilled:¶
The parental agent receives a new or updated NS RRset for achild;¶
The parental agent receives a notification indicating that the childwishes to have its CDS/CDNSKEY RRset processed;¶
The parental agent encounters a signaling record during a proactive,opportunistic scan (e.g., daily queries of signaling records forsome or all of its delegations);¶
The parental agent encounters a signaling record during an NSEC walkor when parsing a signaling zone (e.g., when made available via AXFRby the child DNS operator);¶
Any other condition deemed appropriate by local policy.¶
Timer-based trigger mechanisms (such as scans) exhibit undesirableproperties with respect to processing delay and scaling; on-demandtriggers (like notifications) are preferable. Whenever possible, childDNS operators and parental agents are thus encouraged to use them,reducing both delays and the amount of scanning traffic.¶
Most types of discovery (such as daily scans of delegations) are baseddirectly on the delegation's NS RRset.In this case, these NS names can be used as is by the bootstrappingalgorithm (Section 4.2) for querying signaling records.¶
Some discovery methods, however, do not imply reliable knowledge of thedelegation's NS RRset.For example, when discovering signaling names by performing an NSECwalk or zone transfer of a signaling zone, the parental agentMUST NOTassume that a nameserver under whose signaling domain a signalingrecord appears is actually authoritative for the corresponding child.¶
Instead, whenever a list of "bootstrappable domains" is obtained by means otherthan directly from the parent, the parentalagentMUST ascertain that the delegation actually contains thenameserver hostname seen during discovery, and ensure that signaling-record queries are only made against the proper set of nameservers aslisted in the child's delegation from the parent.¶
As a consequence ofStep 3 inSection 4.2, DS bootstrapping does notwork for fully in-domain delegations, as no preexisting chain oftrust to the child domain is available during bootstrapping.(As a workaround, one can add an out-of-domain nameserver to theinitial NS RRset and remove it once bootstrapping is completed.Automation for this is available via CSYNC records, see[RFC7477].)¶
Fully qualified signaling names must by valid DNS names.Label count and length requirements for DNS names (Section 3.1 of [RFC1035]) imply that the protocol does not work for unusually long childdomain names or NS hostnames.¶
It is possible to add CDS/CDNSKEY records and corresponding signalingrecords to a zone without the domain owner's explicit knowledge.To spare domain owners from being caught off guard by the ensuing DSchanges, child DNS operators following this practice are advised to makethat transparent, such as by informing the domain owner during zonecreation (e.g., in a GUI) or by notifying them via email.¶
When transferring a zone to another DNS operator, the old and new childDNS operators need to cooperate to achieve a smooth transition, e.g.,by using the multi-signer protocols described in[RFC8901].If all else fails, the domain owner might have to request the removal ofall DS records and have the transfer performed insecurely (see[INSEC]).¶
Signaling domainsSHOULD be delegated as standalone zones, sothat the signaling zone's apex coincides with the signaling domain (suchas_signal.ns1.example.net).While it is permissible for the signaling domain to be containedin a signaling zone of fewer labels (such asexample.net), azone cut ensures that bootstrapping activities do not requiremodifications of the zone containing the nameserver hostname.¶
Once a child DNS operator determines that specific signaling record setshave been processed (e.g., by seeing the result in the parent zone),they are advised to remove them.This will reduce the size of the signaling zone and facilitate moreefficient bulk processing (such as via zone transfers).¶
In order to ensure timely DNSSEC bootstrapping of insecure domains,stalemate situations due to mismatch of stale cached records (Step 4 ofSection 4.2) need to be avoided. It is thusRECOMMENDED that queries into signaling domains be performed with an (initially) empty resolver cache, or that some other method for retrieving fresh data from authoritative servers be used.¶
It is alsoRECOMMENDED that QNAME minimization[RFC9156] be used whenresolving queries for signaling records to guard against certainattacks (seeSection 6).¶
The DNSSEC bootstrapping method introduced in this document is based onthe approaches described inSection 3 of [RFC8078], butadds authentication to the CDS/CDNSKEY concept.Its security level is therefore strictly higher than that of existingapproaches described in that document (e.g., "Accept after Delay").Apart from this general improvement, the same Security Considerationsapply as in[RFC8078].¶
The level of rigor inSection 4.2 is needed to prevent publication of anill-conceived DS RRset (authorized only under a subset of NS hostnames).This ensures, for example, that an operator in a multi-homed setupcannot enable DNSSEC unless all other operators agree.¶
In any case, as the child DNS operator has authoritative knowledge ofthe child's CDS/CDNSKEY records, it can readily detect fraudulentprovisioning of DS records.¶
In order to prevent the parents of nameserver hostnames from becoming asingle point of failure for a delegation (both in terms of resolutionavailability and for the trust model of this protocol), diversifying the path from the root to the child's nameserver hostnames is advisable. For example, different and independently operated TLDs may be used for each one.¶
If QNAME minimization[RFC9156] is not used when querying forsignaling records, an upstream parent of a signaling domain will seethose CDS/CDNSKEY queries and could respond with an authoritative answersigned with its own key, instead of sending the referral.Enabling QNAME minimization reduces the attack surface for such forgery.¶
IANA has added the following entries to the"Underscored and Globally Scoped DNS Node Names" registry[RFC8552]:¶
| RR Type | _NODE NAME | Reference |
|---|---|---|
| CDS | _signal | RFC 9615 |
| CDNSKEY | _signal | RFC 9615 |
Thanks toBrian Dickson,Ondřej Caletka,John R. Levine,Christian Elmerot,Oli Schacher,Donald Eastlake,Libor Peltan,Warren Kumari,Scott Rose,Linda Dunbar,Tim Wicinski,Paul Wouters,Paul Hoffman,Peter Yee,Benson Muite,Roman Danyliw,Éric Vyncke, andJoe Abley forreviewing draft proposals and offering comments and suggestions.¶
Thanks also toSteve Crocker,Hugo Salgado, andUlrich Wisser forearly-stage brainstorming.¶