dnsop | W. Hardaker |
Internet-Draft | USC/ISI |
Intended status: Standards Track | W. Kumari |
Expires: November 21, 2017 | |
May 20, 2017 |
Security Considerations for RFC5011 Publishers
draft-ietf-dnsop-rfc5011-security-considerations-01
This document describes the math behind the minimum time-length that a DNS zone publisher must wait before using a new DNSKEY to sign records when supporting the RFC5011 rollover strategies.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on November 21, 2017.
Copyright (c) 2017 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
[RFC5011] defines a mechanism by which DNSSEC validators can extend their list of trust anchors when they've seen a new key published in a zone. However, RFC5011 [intentionally] provides no guidance to the publishers of DNSKEYs about how long they must wait before switching to a newly published key for signing records or how long they must wait before removing a revoked key from a zone. Because of this lack of guidance, zone publishers may derive incorrect assumptions about safe usage of the RFC5011 DNSKEY advertising, rolling and revocation process. This document describes the minimum security requirements from a publisher's point of view and is intended to compliment the guidance offered in RFC5011 (which is written to provide timing guidance solely to a Validating Resolver's point of view).
To verify this lack of understanding is wide-spread, the authors reached out to 5 DNSSEC experts to ask them how long they thought they must wait before signing a zone using a new KSK [RFC4033] that was being rolled according to the 5011 process. All 5 experts answered with an insecure value, and we determined that this lack of operational guidance is causing security concerns today and wrote this companion document to RFC5011. We hope that this document will rectify this understanding and provide better guidance to zone publishers that wish to make use of the RFC5011 rollover process.
One important note about ICANN's [currently upcoming] 2017/2018 KSK rollover plan for the root zone: the timing values chosen for rolling the KSK in the root zone appear completely safe, and are not affected by the timing concerns introduced by this draft
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].
The RFC5011 process describes a process by which a Validating Resolver may accept a newly published KSK as a trust anchor for validating future DNSSEC signed records. It also describes the process for publicly revoking a published KSK. This document augments that information with additional constraints, as required from the DNSKEY publication and revocation's points of view. Note that it does not define any other operational guidance or recommendations about the RFC5011 process and restricts itself to solely the security and operational ramifications of switching to a new key or removing a revoked key too soon. Failure of a DNSKEY publisher to follow the minimum recommendations associated with this draft will result in potential denial-of-service attack opportunities against validating resolvers or in revoked old DNSKEYs remaining in the trust anchor storage of validating resolvers beyond their expected valid lifetime.
Also see Section 2 of [RFC4033] and [RFC7719] for additional terminology.
RFC5011's process of safely publishing a new key and then making use of that key falls into a number of high-level steps to be performed by the Trust Anchor Publisher:
This document discusses step 2 of the above process. Some interpretations of RFC5011 have erroneously determined that the wait time is equal to RFC5011's "hold down time".
Section 5 describes an attack based on this (common) erroneous belief, which results in a denial of service attack against the zone if that value is used.
RFC5011's process of advertising that an old key is to be revoked from RFC5011 validating resolvers falls into a number of high-level steps:
This document discusses step 3 of the above process. Some interpretations of RFC5011 have erroneously determined that the wait time is equal to RFC5011's "hold down time".
This document describes an attack based on this (common) erroneous belief, which results in a revoked DNSKEY potentially staying in a RFC5011 validating resolver long past its expected usage.
If an attacker is able to provide a RFC5011 Validating Resolver with past responses, such as when it is in-path or able to otherwise perform any number of cache poisoning attacks, the attacker may be able to leave compliant RFC5011-Validating Resolvers without an appropriate DNSKEY trust anchor. This scenario will remain until an administrator manually fixes the situation.
The following timeline illustrates this situation.
The following example settings are used in the example scenario within this section:
Given these settings, the sequence of events in Section 5.1.1 depicts how a Trust Anchor Publisher that waits for only the RFC5011 hold time timer length of 30 days subjects its users to a potential Denial of Service attack. The timing schedule listed below is based on a Trust Anchor Publisher publishing a new Key Signing Key (KSK), with the intent that it will later become a trust anchor. We label this publication time as "T+0". All numbers in this sequence refer to days before and after this initial publication event. Thus, T-1 is the day before the introduction of the new key, and T+15 is the 15th day after the key was introduced into the fictitious zone being discussed.
In this dialog, we consider two keys being published:
The following series of steps depicts the timeline in which an attack occurs that foils the adoption of a new DNSKEY by a Trust Anchor Publisher that starts signing with the new DNSKEY too quickly.
Given the attack description in Section 5, the correct minimum length of time required for the Zone Signer to wait before using K_new is:
waitTime = addHoldDownTime + (DNSKEY RRSIG Signature Validity) + MAX(MIN((DNSKEY RRSIG Signature Validity) / 2, MAX(original TTL of K_old DNSKEY RRSet) / 2, 15 days), 1 hour) + 2 * MAX(TTL of all records)
The RFC5011 "Active Refresh" requirements state that:
A resolver that has been configured for an automatic update of keys from a particular trust point MUST query that trust point (e.g., do a lookup for the DNSKEY RRSet and related RRSIG records) no less often than the lesser of 15 days, half the original TTL for the DNSKEY RRSet, or half the RRSIG expiration interval and no more often than once per hour.
The important timing constraint introduced by this memo relates to the last point at which a validating resolver may have received a replayed the original DNSKEY set (K_old) without the new key. It's the next query of the RFC5011 validator that the assured K_new will be seen without a potential replay afterward. Thus, the latest time a RFC5011 validator may begin their hold down timer is an "Active Refresh" period after the last point that an attacker can replay the K_old DNSKEY set.
The "Active Refresh" interval used by a RFC5011 validator is determined by the larger of (DNSKEY RRSIG Signature Validity) and (original TTL for the DNSKEY RRSet). The Following text assumes that (DNSKEY RRSIG Signature Validity) is larger of the two, which is operationally more common today.
Thus, the worst case scenario of this attack is when the attacker can replay K_old just before (DNSKEY RRSIG Signature Validity). If a RFC5011 validator picks up K_old at this this point, it will not have a hold down timer started as it will have been reset by previous replays. It's not until the next "Active Refresh" time that they'll pick up K_new with assurance, and thus start their (final) hold down timer. Thus, this is not at (DNSKEY RRSIG Signature Validity) time past publication but may be significantly longer based on the zone's DNSSEC parameters.
The extra 2 * MAX(TTL of all records) is the standard added safety margin when dealing with DNSSEC due to caching that can take place. Because the 5011 steps require direct validation using the signature validity, the authors aren't yet convinced it is needed in this particular case, but it is prudent to include it for added assurance.
waitTime = 30 + 10 + 10 / 2 + 2 * (1) (days) waitTime = 47 (days)
For the parameters listed in Section 5.1, our example:
This hold-down time of 47 days is 12 days longer than the (frequently perceived) 35 days in the example at T+35 above.
It is important to note that this value affects not just the publication of new DNSKEYs intended to be used as trust anchors, but also the length of time required to publish a DNSKEY with the revoke bit set. Both of these publication timing requirements are affected by the attacks described in this document.
This document contains no IANA considerations.
A companion document to RFC5011 was expected to be published that describes the best operational practice considerations from the perspective of a zone publisher and Trust Anchor Publisher. However, this companion document has yet to be published. The authors of this document hope that it will at some point in the future, as RFC5011 timing can be tricky as we have shown and we do not suggest "good operational practice" that might be associated with a BCP on the subject. This document is intended only to fill a single operational void that results in security ramifications (specifically a denial of service attack against an RFC5011 Validator). This document does not attempt to document any other missing operational guidance for zone publishers.
This document, is solely about the security considerations with respect to the Trust Anchor Publisher of RFC5011 trust anchors / keys. Thus the entire document is a discussion of Security Considerations when rolling DNSKEYs using the RFC5011 process.
The authors would like to especially thank to Michael StJohns for his help and advice and the care and thought he put into RFC5011 itself. We would also like to thank Bob Harold, Shane Kerr, Matthijs Mekking, Duane Wessels, Petr Petr Spacek, and the dnsop working group who have assisted with this document.
[RFC2119] | Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997. |
[RFC4033] | Arends, R., Austein, R., Larson, M., Massey, D. and S. Rose, "DNS Security Introduction and Requirements", RFC 4033, DOI 10.17487/RFC4033, March 2005. |
[RFC5011] | StJohns, M., "Automated Updates of DNS Security (DNSSEC) Trust Anchors", STD 74, RFC 5011, DOI 10.17487/RFC5011, September 2007. |
[RFC7719] | Hoffman, P., Sullivan, A. and K. Fujiwara, "DNS Terminology", RFC 7719, DOI 10.17487/RFC7719, December 2015. |
addHoldDownTime: 30 days Old DNSKEY RRSIG Signature Validity: 21 days Old DNSKEY TTL: 2 days
In 2017, ICANN expects to (or has, depending on when you're reading this) roll the key signing key (KSK) for the root zone. The relevant parameters associated with the root zone at the time of this writing is as follows:
waitTime = addHoldDownTime + (DNSKEY RRSIG Signature Validity) + MAX(MIN((DNSKEY RRSIG Signature Validity) / 2, MAX(original TTL of K_old DNSKEY RRSet) / 2, 15 days), 1 hour) + 2 * MAX(TTL of all records) waitTime = 30 + (21) + MAX(MIN((21) / 2, MAX(2 / 2, 15 days)), 1 hour) + 2 * MAX(2) waitTime = 30 + 21 + MAX(MIN(11.5, MAX( 1, 15)), 1 hour) + 4 waitTime = 30 + 21 + 11.5 + 4 waitTime = 66.5 days
Thus, sticking this information into the equation in Section Section 6 yields (in days):
Thus, ICANN should wait 66.5 days before switching to the newly published KSK and before removing the old revoked key once it is published as revoked. ICANN's current plans are to wait 70 days before using the new KEY and 69 days before removing the old, revoked key. Thus, their current rollover plans are sufficiently secure from the attack discussed in this memo.
From Individual-00 to DNSOP-00:
From -00 to -01:
From Ind-00 to -02:
From -02 to -03:
From -03 to -04:
From hardaker-04 to ietf-00:
From ietf-00 to ietf-01: