Internet DRAFT - draft-ietf-dnsop-compact-denial-of-existence
draft-ietf-dnsop-compact-denial-of-existence
Internet Engineering Task Force S. Huque
Internet-Draft Salesforce
Updates: 4034, 4035 (if approved) C. Elmerot
Intended status: Standards Track O. Gudmundsson
Expires: 5 September 2024 Cloudflare
4 March 2024
Compact Denial of Existence in DNSSEC
draft-ietf-dnsop-compact-denial-of-existence-03
Abstract
This document describes a technique to generate a signed DNS response
on demand for a non-existent name by claiming that the name exists
but doesn't have any data for the queried record type. Such answers
require only one minimal NSEC record, allow online signing servers to
minimize signing operations and response sizes, and prevent zone
content disclosure.
Discussion Venues
This note is to be removed before publishing as an RFC.
Source for this draft and an issue tracker can be found at
https://github.com/shuque/id-dnssec-compact-lies.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on 5 September 2024.
Copyright Notice
Copyright (c) 2024 IETF Trust and the persons identified as the
document authors. All rights reserved.
Huque, et al. Expires 5 September 2024 [Page 1]
�
Internet-Draft Compact Denial of Existence in DNSSEC March 2024
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components
extracted from this document must include Revised BSD License text as
described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Revised BSD License.
Table of Contents
1. Introduction and Motivation . . . . . . . . . . . . . . . . . 2
2. Distinguishing NXDOMAIN from Empty Non-Terminal Names . . . . 3
3. Generating Responses . . . . . . . . . . . . . . . . . . . . 4
3.1. Responses for Non-Existent Names . . . . . . . . . . . . 4
3.2. Responses for Non-Existent Types . . . . . . . . . . . . 5
3.3. Responses for Wildcard Matches . . . . . . . . . . . . . 5
3.4. Responses to explicit queries for NXNAME . . . . . . . . 6
4. Response Code Restoration . . . . . . . . . . . . . . . . . . 6
4.1. Signaled Response Code Restoration . . . . . . . . . . . 6
5. Operational Implications . . . . . . . . . . . . . . . . . . 7
6. Updates to RFCs . . . . . . . . . . . . . . . . . . . . . . . 8
6.1. Updates to RFC 4034 . . . . . . . . . . . . . . . . . . . 8
6.2. Updates to RFC 4035 . . . . . . . . . . . . . . . . . . . 8
7. Implementation Status . . . . . . . . . . . . . . . . . . . . 9
8. Security Considerations . . . . . . . . . . . . . . . . . . . 9
9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 10
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10
11. References . . . . . . . . . . . . . . . . . . . . . . . . . 10
11.1. Normative References . . . . . . . . . . . . . . . . . . 10
11.2. Informative References . . . . . . . . . . . . . . . . . 11
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11
1. Introduction and Motivation
One of the functions of the Domain Name System Security Extensions
(DNSSEC) [RFC9364] is "Authenticated Denial of Existence", i.e.
proving that a DNS name or record type does not exist. Normally,
this is done by means of signed NSEC or NSEC3 records. In the
precomputed signature model, these records chain together existing
names, or cryptographic hashes of them in the zone. In the online
signing model, described in NSEC and NSEC3 "White Lies" [RFC4470]
[RFC7129], they are used to dynamically compute an epsilon function
around the queried name. A 'type bitmap' in the data field of the
NSEC or NSEC3 record asserts which resource record types are present
at the name.
Huque, et al. Expires 5 September 2024 [Page 2]
�
Internet-Draft Compact Denial of Existence in DNSSEC March 2024
The response for a non-existent name requires up to 2 signed NSEC
records or up to 3 signed NSEC3 records (and for online signers, the
associated cryptographic computation), to prove that (1) the name did
not explicitly exist in the zone, and (2) that it could not have been
synthesized by a wildcard.
This document describes an alternative technique, "Compact Denial of
Existence" or "Compact Answers", to generate a signed DNS response on
demand for a non-existent name by claiming that the name exists but
has no resource records associated with the queried type, i.e. it
returns a NODATA response rather than an NXDOMAIN response. A NODATA
response, which has a response code (RCODE) of NOERROR and an empty
ANSWER section, requires only one NSEC record matching the queried
name. This has two advantages: the DNS response size is smaller, and
it reduces the online cryptographic work involved in generating the
response.
The use of minimally covering NSEC records also prevents adversaries
from enumerating the entire contents of DNS zones by walking NSEC
chains.
2. Distinguishing NXDOMAIN from Empty Non-Terminal Names
Since NODATA responses are generated for non-existent names, and
there are no defined record types for the name, the NSEC type bitmap
in the response will only contain "NSEC" and "RRSIG". Tools that
need to accurately identify non-existent names in responses cannot
rely on this specific type bitmap because Empty Non-Terminal (ENT)
names (which positively exist) also have no record types at the name
and will return exactly the same type bitmap.
Previously, some specific implementations of Compact Answers have
tried to avoid the NXDOMAIN identification problem by synthesizing
the NSEC type bitmap for ENTs to include all record types supported
except for the queried type. This has the undesirable effect of no
longer being able to reliably determine the existence of ENTs, and of
making the Type Bitmaps field larger than it needs to be. It also
has the potential to confuse validators and others tools that infer
type existence from the NSEC record.
This document defines the use of a synthetic Resource Record type to
signal the presence of a non-existent name. The mnemonic for this RR
type is "NXNAME", chosen to clearly distinguish it from the response
code mnemonic NXDOMAIN.
Type Value Meaning
NXNAME [TBD] NXDOMAIN indicator for Compact Denial of Existence
Huque, et al. Expires 5 September 2024 [Page 3]
�
Internet-Draft Compact Denial of Existence in DNSSEC March 2024
This RR type is added to the NSEC type bitmap for responses to non-
existent names (in addition to the required RRSIG and NSEC types).
It is a "Meta-Type", as defined in [RFC6895], stores no data in a DNS
zone, and cannot be usefully queried. Section 3.4 describes what a
DNS resolver or authoritative server should do if it receives an
explicit query for NXNAME.
No special handling of this RR type is required on the part of DNS
resolvers. However, resolvers may optionally implement the behavior
described in Section 4.1 (Response Code Restoration) to better
restore NXDOMAIN visibility to various applications.
An alternative way to distinguish NXDOMAIN from ENT is to define the
synthetic Resource Record type for ENTs instead, as specified in
[ENT-SENTINEL], and this was already successfully deployed in the
field for a period of time. This typically imposes less work on the
server since NXDOMAIN responses are a lot more common than ENTs. At
the time it was deployed, it also allowed a common bitmap pattern
("NSEC RRSIG") to identify NXDOMAIN across this and other
implementations that returned a broad bitmap pattern for Empty Non-
Terminals. However, the advantage of the NXNAME RR type is that it
explicitly identifies NXDOMAIN responses, and allows them to be
distinguished conclusively from potential ENT responses in other
online signing NSEC implementations.
3. Generating Responses
This section describes various types of answers generated by
authoritative servers implementing Compact Denial of Existence. At
the current time, the compact denial scheme is only defined for NSEC.
While it could support NSEC3 too, there is no benefit in introducing
the additional complexity associated with it.
3.1. Responses for Non-Existent Names
When the authoritative server receives a query for a non-existent
name in a zone that it serves, a NODATA response (response code
NOERROR, empty Answer section) is generated with a dynamically
constructed NSEC record with the owner name matching the queried name
(QNAME).
The Next Domain Name field SHOULD be set to the immediate
lexicographic successor of the QNAME. The Type Bit Maps field MUST
only have the bits set for the following RR Types: RRSIG, NSEC, and
NXNAME.
Huque, et al. Expires 5 September 2024 [Page 4]
�
Internet-Draft Compact Denial of Existence in DNSSEC March 2024
For example, a request for the non-existing name a.example.com would
cause the following NSEC record to be generated (in DNS presentation
format):
a.example.com. 3600 IN NSEC \000.a.example.com. RRSIG NSEC NXNAME
The NSEC record MUST have corresponding RRSIGs generated.
3.2. Responses for Non-Existent Types
When the authoritative server receives a query for a name that
exists, but has no resource record sets associated with the queried
type, it generates a NODATA response, with a dynamically constructed
signed NSEC record in the Authority Section. The owner name of the
NSEC record matches the queried name. The Next Domain Name field is
set to the immediate lexicographic successor of the QNAME. The Type
Bitmaps field lists the available Resource Record types at the name.
An Empty Non-Terminal is a special subset of this category, where the
name has no resource record sets of any type (but has descendant
names that do). For a query for an Empty Non-Terminal, the NSEC type
bitmap will only contain RRSIG and NSEC. (Note that this is
substantially different than the ENT response in precomputed NSEC,
where the NSEC record has the same type bitmap, but "covers" rather
than matches the ENT, and has the Next Domain Name field set to the
next lexicographic descendent of the ENT in the zone.)
3.3. Responses for Wildcard Matches
For wildcard matches, the authoritative server will provide a
dynamically signed response that claims that the queried name exists
explicitly. Specifically, the answer RR set will have an RRSIG
record demonstrating an exact match (i.e. the label count in the
RRSIG RDATA will be equal to the number of labels in the query name
minus the root label). This obviates the need to include an NSEC
record in the Authority section of the response that shows that no
closer match than the wildcard was possible.
For a Wildcard NODATA match (where the queried name matches a
wildcard but no data for the queried type exists), a response akin to
a non-wildcard NODATA is returned. The Answer section is empty, and
the Authority section contains a single NSEC record that matches the
query name with a type bitmap representing the list of types
available at the wildcard.
Huque, et al. Expires 5 September 2024 [Page 5]
�
Internet-Draft Compact Denial of Existence in DNSSEC March 2024
3.4. Responses to explicit queries for NXNAME
NXNAME is a meta type which should not appear anywhere in a DNS
message apart from the NSEC type bitmap of a Compact Answer response
for a non-existent name. If however a DNS server implementing this
specification receives an explicit query for the NXNAME RR type, this
section describes what the response should be.
If an explicit query for the NXNAME RR type is received, the DNS
server MUST return a Format Error (response code FORMERR). A
resolver should not forward these queries upstream or attempt
iterative resolution. Many DNS server implementations already return
errors for all types in the meta and q-type range unless they are
defined to support queries. This general behavior however is not
clearly specified in any existing protocol specification document and
should be.
4. Response Code Restoration
For non-existent names, implementations should try wherever possible,
to preserve the response code value of 3 (NXDOMAIN). This is
generally possible for non-DNSSEC enabled queries, namely those which
do not set the DNSSEC_OK EDNS flag (DO bit). For such queries,
authoritative servers implementing Compact Denial of Existence could
return a normal NXDOMAIN response. There may be limited benefit to
doing this however, since most modern DNS resolvers are DNSSEC-aware,
and by [RFC3225] Section 3, DNSSEC-aware recursive servers are
required to set the DO bit on outbound queries, regardless of the
status of the DO bit on incoming requests.
A validating resolver that understands the NXNAME signal from an
authoritative server could modify the response code from NOERROR to
NXDOMAIN in responses they return to downstream queriers that have
not set the DO bit in their requests.
4.1. Signaled Response Code Restoration
This section describes an optional but recommended scheme to permit
signaled restoration of the NXDOMAIN RCODE for DNSSEC enabled
responses. A new EDNS0 [RFC6891] header flag is defined in the 2nd
most significant bit of the flags field in the EDNS0 OPT header.
This flag is referred to as the "Compact Answers OK (CO)" flag.
Huque, et al. Expires 5 September 2024 [Page 6]
�
Internet-Draft Compact Denial of Existence in DNSSEC March 2024
+0 (MSB) +1 (LSB)
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
0: | EXTENDED-RCODE | VERSION |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
2: |DO|CO| Z |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
When this flag is sent in a query by a resolver, it indicates that
the resolver will accept a signed NXNAME enhanced NODATA response for
a non-existent name together with the response code field set to
NXDOMAIN (3).
In responses to such queries, a Compact Denial authoritative
implementing this signaling scheme, will set the Compact Answers OK
EDNS header flag, and for non-existent names will additionally set
the response code field to NXDOMAIN.
EDNS is a hop by hop signal, so resolvers will need to record the
presence of this flag in associated cache data and respond to
downstream DNSSEC enabled queriers appropriately. If the querier
does not set the Compact Answers OK flag, the resolver will need to
reset the response code back to NOERROR (0) for an NXNAME response.
5. Operational Implications
For DNSSEC enabled queries, a signed zone at an authoritative server
implementing Compact Answers will never return a response with a
response code of NXDOMAIN, unless they have implemented the optional
response code restoration feature described in Section 4.1.
Similarly, resolvers not implementing this feature will also not be
able to return NXDOMAIN. In the absence of this, tools that rely on
accurately determining non-existent names will need to infer them
from the presence of the NXNAME RR type in the type bitmap of the
NSEC record in NODATA responses from these servers.
Address lookup functions typically invoked by applications may need
to do more work when dealing with implementations of Compact Answers.
For example, a NODATA response to the lookup of an AAAA record for a
non-existent name, can cause such functions to issue another query at
the same name for an A record. Whereas an NXDOMAIN response to the
first query would suppress additional queries for other types at that
name. Address lookup functions could be enhanced to issue DNSSEC
enabled queries and to examine the NSEC type bitmaps in responses to
accurately determine non-existent names.
Huque, et al. Expires 5 September 2024 [Page 7]
�
Internet-Draft Compact Denial of Existence in DNSSEC March 2024
6. Updates to RFCs
6.1. Updates to RFC 4034
[RFC4034] Section 4.1.2, The Type Bit Maps Field, states the
following:
* Bits representing pseudo-types MUST be clear, as they do not
appear in zone data. If encountered, they MUST be ignored upon
being read.
This paragraph is updated to the following:
* Bits representing pseudo-types MUST be clear, as they do not
appear in zone data. If encountered, they MUST be ignored upon
being read. There is one exception to this rule for Compact
Denial of Existence (RFC TBD), where the NXNAME pseudo-type is
allowed to appear in responses to non-existent names.
Note: as a practical matter, no known resolver insists that pseudo-
types must be clear in the NSEC type bitmap, so this restriction
(prior to its revision) has posed no problem for the deployment of
this mechanism.
6.2. Updates to RFC 4035
[RFC4035] Section 2.3, Including NSEC RRs in a Zone, states the
following:
* An NSEC record (and its associated RRSIG RRset) MUST NOT be the
only RRset at any particular owner name. That is, the signing
process MUST NOT create NSEC or RRSIG RRs for owner name nodes
that were not the owner name of any RRset before the zone was
signed. The main reasons for this are a desire for namespace
consistency between signed and unsigned versions of the same zone
and a desire to reduce the risk of response inconsistency in
security oblivious recursive name servers.
This paragraph is updated to the following::
* An NSEC record (and its associated RRSIG RRset) MUST NOT be the
only RRset at any particular owner name. That is, the signing
process MUST NOT create NSEC or RRSIG RRs for owner name nodes
that were not the owner name of any RRset before the zone was
signed. The main reasons for this are a desire for namespace
consistency between signed and unsigned versions of the same zone
and a desire to reduce the risk of response inconsistency in
security oblivious recursive name servers. This concern only
Huque, et al. Expires 5 September 2024 [Page 8]
�
Internet-Draft Compact Denial of Existence in DNSSEC March 2024
applies to implementations of DNSSEC that employ pre-computed
signatures. There is an exception to this rule for online signing
implementations of DNSSEC (e.g Minimally Covering NSEC, and
Compact Denial of Existence (RFC TBD), where dynamically generated
NSEC records can be produced for owner names that don't exist or
are empty non-terminals.
7. Implementation Status
Cloudflare, NS1, and Amazon Route53 currently implement the Compact
Denial of Existence method. From early 2021 until November 2023, NS1
had deployed the Empty Non-Terminal distinguisher using the private
RR type code 65281. At the present time Cloudflare (since July 2023)
and NS1 (since November 2023) both implement the NXNAME distinguisher
using the private RR type code 65283. Amazon Route53 is expected to
implement NXNAME after the specification is finalized and an official
code point is allocated. At the current time, there are only
prototype implementations of the signaled rcode restoration scheme.
8. Security Considerations
Online signing of DNS records requires authoritative servers for the
DNS zone to have access to the private signing keys. Exposing
signing keys on Internet reachable servers makes them more vulnerable
to attack.
Additionally, generating signatures on-demand is more computationally
intensive than returning pre-computed signatures. Although the
Compact Answers scheme reduces the number of online signing
operations compared to previous techniques like White Lies, it still
may make authoritative servers more vulnerable to computational
denial of service attacks than pre-computed signatures. The use of
signature algorithms (like those based on Elliptic Curves) that have
a comparatively low cost for signing is recommended.
Some security tools rely on detection of non-existent domain names by
examining the response code field of DNS response messages. A
NOERROR code in that field rather than NXDOMAIN will impact such
tools. Implementation of the optional response code restoration
scheme will help recover NXDOMAIN visibility for these tools. Note
that the DNS header is not cryptographically protected, so the
response code field cannot be authenticated. Thus inferring the
status of a response from signed data in the body of the DNS message
is actually more secure. These tools could be enhanced to recognize
the (signed) NXNAME signal.
Huque, et al. Expires 5 September 2024 [Page 9]
�
Internet-Draft Compact Denial of Existence in DNSSEC March 2024
If the motivating aspects of this specification (minimizing response
size and computational costs) are not a concern, DNSSEC deployments
can opt for a different method (e.g. traditional online signing or
pre-computed signatures), and avoid imposing the challenges of
NXDOMAIN visibility.
9. Acknowledgements
The Compact Answers technique (then called "Black Lies") was
originally proposed in [BLACK-LIES] by Filippo Valsorda and Olafur
Gudmundsson, and implemented by Cloudflare. The Empty Non-Terminal
distinguisher RR type was originally proposed in [ENT-SENTINEL] by
Shumon Huque, and deployed by NS1. The NXNAME type is based on the
FDOM type proposed in [NXDOMAIN-TYPE] by Gudmundsson and Valsorda.
Especially detailed discussions on many technical aspects of this
document were conducted with Paul Vixie, Jan Vcelak, Viktor Dukhovni,
and Ed Lewis. The authors would also like to thank the many other
members of the IETF DNS Operations working group for helpful comments
and discussions.
10. IANA Considerations
IANA is requested to allocate a new DNS Resource Record type code for
NXNAME in the DNS parameters registry, from the meta type range.
Specifically, the lowest available number (currently 128) in the meta
range is requested to be allocated. A lower number lowers the size
of the type bitmap, which reduces the size of the DNS response
message.
Type Value Meaning
NXNAME [TBD] NXDOMAIN indicator for Compact Denial of Existence
IANA is additionally requested to allocate the "Compact Answers OK"
flag in the EDNS header, as described in Section 4.1
11. References
11.1. Normative References
[RFC3225] Conrad, D., "Indicating Resolver Support of DNSSEC",
RFC 3225, DOI 10.17487/RFC3225, December 2001,
<https://www.rfc-editor.org/info/rfc3225>.
[RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "Resource Records for the DNS Security Extensions",
RFC 4034, DOI 10.17487/RFC4034, March 2005,
<https://www.rfc-editor.org/info/rfc4034>.
Huque, et al. Expires 5 September 2024 [Page 10]
�
Internet-Draft Compact Denial of Existence in DNSSEC March 2024
[RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "Protocol Modifications for the DNS Security
Extensions", RFC 4035, DOI 10.17487/RFC4035, March 2005,
<https://www.rfc-editor.org/info/rfc4035>.
[RFC4470] Weiler, S. and J. Ihren, "Minimally Covering NSEC Records
and DNSSEC On-line Signing", RFC 4470,
DOI 10.17487/RFC4470, April 2006,
<https://www.rfc-editor.org/info/rfc4470>.
[RFC6891] Damas, J., Graff, M., and P. Vixie, "Extension Mechanisms
for DNS (EDNS(0))", STD 75, RFC 6891,
DOI 10.17487/RFC6891, April 2013,
<https://www.rfc-editor.org/info/rfc6891>.
[RFC6895] Eastlake 3rd, D., "Domain Name System (DNS) IANA
Considerations", BCP 42, RFC 6895, DOI 10.17487/RFC6895,
April 2013, <https://www.rfc-editor.org/info/rfc6895>.
[RFC7129] Gieben, R. and W. Mekking, "Authenticated Denial of
Existence in the DNS", RFC 7129, DOI 10.17487/RFC7129,
February 2014, <https://www.rfc-editor.org/info/rfc7129>.
[RFC9364] Hoffman, P., "DNS Security Extensions (DNSSEC)", BCP 237,
RFC 9364, DOI 10.17487/RFC9364, February 2023,
<https://www.rfc-editor.org/info/rfc9364>.
11.2. Informative References
[BLACK-LIES]
Valsorda, F. and O. Gudmundsson, "Compact DNSSEC Denial of
Existence or Black Lies", <https://tools.ietf.org/html/
draft-valsorda-dnsop-black-lies>.
[ENT-SENTINEL]
Huque, S., "Empty Non-Terminal Sentinel for Black Lies",
<https://www.ietf.org/archive/id/draft-huque-dnsop-
blacklies-ent-01.html>.
[NXDOMAIN-TYPE]
Gudmundsson, O. and F. Valsorda, "Signaling NSEC record
owner name nonexistence", <https://tools.ietf.org/html/
draft-ogud-fake-nxdomain-type/>.
Authors' Addresses
Huque, et al. Expires 5 September 2024 [Page 11]
�
Internet-Draft Compact Denial of Existence in DNSSEC March 2024
Shumon Huque
Salesforce
415 Mission Street, 3rd Floor
San Francisco, CA 94105
United States of America
Email: shuque@gmail.com
Christian Elmerot
Cloudflare
101 Townsend St.
San Francisco, CA 94107
United States of America
Email: elmerot@cloudflare.com
Olafur Gudmundsson
Cloudflare
101 Townsend St.
San Francisco, CA 94107
United States of America
Email: olafur@cloudflare.com
Huque, et al. Expires 5 September 2024 [Page 12]
