Internet DRAFT - draft-zhang-dnsop-weak-trust-anchor
draft-zhang-dnsop-weak-trust-anchor
Network Working Group Xiaodong. Lee, Ed.
Internet-Draft Haikuo. Zhang, Ed.
Intended status: Informational Nan. Wang, Ed.
Expires: December 1, 2014 Peng. Zuo, Ed.
Xiali. Yan, Ed.
Ce. Luo, Ed.
Hongtao. Li, Ed.
cnnic
May 30, 2014
Weak Trust Anchor Introduction
draft-zhang-dnsop-weak-trust-anchor-00
Abstract
DNS Security Extensions (DNSSEC) is an effective method to provide
security protection for resolvers and end users in the DNS protocols.
But the DNSSEC is too aggressive for the DNS service in the poor
network infrastructure, because the domain name will be invisible
when large DNSSEC messages were dropped by some other network
equipments, like the routers which have MTU problem or the old
firewalls which do not support ENDS0. This document defines a new
concept weak trust anchor which can be used on a security-aware
resolver to get rid of the above problem.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on December 1, 2014.
Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved.
Lee, et al. Expires December 1, 2014 [Page 1]
Internet-Draft Weak Trust Anchor Introduction May 2014
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Authoritative Name server Considerations . . . . . . . . . . 3
4. Resolver Considerations . . . . . . . . . . . . . . . . . . . 3
5. Security Considerations . . . . . . . . . . . . . . . . . . . 5
6. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 5
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 5
7.1. Normative References . . . . . . . . . . . . . . . . . . 5
7.2. Informative References . . . . . . . . . . . . . . . . . 6
1. Introduction
DNSSEC is described in a set of RFC documents, they are
[RFC4033][RFC4034] [RFC4035] [RFC4641] [RFC5011] [RFC5155] and so on.
DNSKEY has been introduced into signed zone file to help resolvers
build a chain of trust. The chain of trust is comprised of some
Delegation of Signing (DS) RRs, Key signing Key (KSK) RRs, Zone
signing key (ZSK) RRs, traditional RRs(like AAAA RRs), related
resource record signatures (RRsig),and so on [RFC4641].NSEC and NSEC3
RR can be used to prove non-existence of domain names in the zone
[RFC5155].
The security-aware resolver will verify DNS packets in the recursive
query process. If DNS packets are tampered by the man-in-the-middle
attack, the resolver will return Servfail to end users. Trust anchor
is used as starting point in the chain of trust at the security-aware
resolver side.
The size of a DNSSEC packet may be larger than 1500 bytes, and EDNS0
protocol has extended the size limitation of the regular DNS packet.
But this kind of DNSSEC packets could be lost or dropped in the
global network environment, because some routers in the transmission
may have MTU problem or some old firewalls could not support ENDS0.
Then some domains could be invisible for the end users who are using
this security-aware resolver, and this case is out of control for
Lee, et al. Expires December 1, 2014 [Page 2]
Internet-Draft Weak Trust Anchor Introduction May 2014
ISPs, so this situation may block the DNSSEC deployment at resolver
side.
Weak trust anchor is introduced to handle this problem.
2. Terms
MTU: Maximum Transmission Unit. It is the size of the largest data
unit that the layer can pass onwards.
Trust Anchor: DNSKEY RR or DS RR hash of a DNSKEY RR, and it is the
starting point of the authentication chain in the DNSSEC
verification. Described in [RFC4034].
Weak Trust Anchor: Almost same as Trust Anchor, except that Weak
Trust Anchor is relatively moderate. The resolver which was
configured with Trust Anchor should send DNSSEC queries to
Authoritative name servers. It is possible that the DNSSEC message
from authoritative name servers was blocked or dropped because of
some old network apparatuses which are mentioned above. In this
case, recursive name servers would return ServFail responses to stub
resolvers due to verification failure. However, the security-aware
resolver which is configured with Weak Trust Anchor should send non-
DNSSEC queries again to Authoritative name servers to get non-DNSSEC
responses when the DNSSEC packets were lost or dropped. If the
security-aware resolver gets non-DNSSEC responses, the resolver will
send the result to the end user as insecure DNS data.
3. Authoritative Name server Considerations
Weak trust anchor is only configured at the resolver side, so it is
useless to Authoritative name servers.
4. Resolver Considerations
Typically, a security-aware resolver will do the DNSSEC validation in
the process of a DNS query. This validation would fail if any DNS
message was faked or the DNS packet was dropped in the transmission.
With the implementation of DNSSEC, the DNS packet is growing larger
and its size would probably exceed 1500 bytes. Although both
security-aware resolvers and Authoritative name servers should
support EDNS0 to receive and send large packets, the problem still
exists because the packet loss possibly happens in some special area
in the Internet. In this case, the DNSSEC validation will be failed
because of the internet devices, and then the related domain names
will be invisible for some end users because the DNSSEC validation
failed.
Lee, et al. Expires December 1, 2014 [Page 3]
Internet-Draft Weak Trust Anchor Introduction May 2014
This document tries to solve this problem with weak trust anchor. If
the security-aware resolver was configured with the weak trust
anchor, it would do the DNSSEC verification as usual. It takes the
responsibilities of recursive requests and the DNSSEC validation.
After sending a request with DO bit set, there are three
possibilities at the security-aware resolver side:
o Receives a DNS packet with DNSSEC information
o Receives a DNS packet without DNSSEC information
o Receives nothing
If the security-aware resolver was configured with weak trust anchor,
the DNSSEC verification process is no different from the one with a
normal trust anchor in the first two cases. The resolver will use
this anchor to do the DNSSEC validation as the rule of
[RFC4033][RFC4034] [RFC4035].
Things are different in the third case. If the resolver was
configured with a weak trust anchor and got nothing after sending a
request with DO bit set, then it should clear DO bit in the EDNS0 in
the query message and query again to the authoritative name server.
So it could receive a normal DNS message (with no DNSSEC information,
if the previous packet loss was caused by large size) and continue
its DNS query process, then return the result as an insecure message.
The normal process is followed:
+------+ +--------------+ +-------------+
| |----a DNS query-> |security-aware|DNSSEC query->|authoritative|
|client| | | | name |
| | | resolver |<-no packet- -| server |
| |<- SERVFAIL answer| | | |
+------+ +--------------+ +-------------+
normal process of dnssec query
Figure 1
The process of a security- aware resolver with weak trust anchor is
shown as below:
Lee, et al. Expires December 1, 2014 [Page 4]
Internet-Draft Weak Trust Anchor Introduction May 2014
+-------+ +--------------+ +------+
| |--- a DNS query->|security-aware| -DNSSEC query-> |auth |
|client | |resolver with | < - - no packet |name |
| | a DNS response |weak trust | -normal query-> |server|
| |<--message which |anchor | <--a DNS packet-| |
+-------+ cleared AD bit +--------------+ +------+
weak trust anchor process of dnssec query
Figure 2
5. Security Considerations
This document tries to solve the problem that DNSSEC validation may
fail in some certain networks because of the packet loss. ISPs could
use this protocol to transfer the DNS service to DNSSEC-enabled DNS
service when they do not know the complicated network environment.
If the DNS packet was tampered in the man-in-the-middle attack, the
security-aware resolver will return servfail because of the DNSSEC
verification failure in the weak trust anchor protocol. If DNSSEC
packets are lost in the flight, the security-aware resolver can use
non-DNSSEC process to query the authoritative name server again when
it is configured with weak trust anchor, this technique can reduce
the loss for the ISPs and end users.
6. Acknowledgments
Thanks to jianjun and others who reviewed this draft and give some
valuable feedback.
7. References
7.1. Normative References
[RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "DNS Security Introduction and Requirements", RFC
4033, March 2005.
[RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "Resource Records for the DNS Security Extensions",
RFC 4034, March 2005.
[RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "Protocol Modifications for the DNS Security
Extensions", RFC 4035, March 2005.
Lee, et al. Expires December 1, 2014 [Page 5]
Internet-Draft Weak Trust Anchor Introduction May 2014
[RFC5011] StJohns, M., "Automated Updates of DNS Security (DNSSEC)
Trust Anchors", RFC 5011, September 2007.
[RFC5155] Laurie, B., Sisson, G., Arends, R., and D. Blacka, "DNS
Security (DNSSEC) Hashed Authenticated Denial of
Existence", RFC 5155, March 2008.
7.2. Informative References
[RFC4641] Kolkman, O. and R. Gieben, "DNSSEC Operational Practices",
RFC 4641, September 2006.
Authors' Addresses
Xiaodong Lee (editor)
cnnic
EMail: xl@cnnic.cn
Haikuo Zhang (editor)
cnnic
EMail: zhanghaikuo@cnnic.cn
Nan Wang (editor)
cnnic
EMail: wangnan@cnnic.cn
Peng Zuo (editor)
cnnic
EMail: zuopeng@cnnic.cn
Xiali Yan (editor)
cnnic
EMail: yanxiali@cnnic.cn
Ce Luo (editor)
cnnic
EMail: luoce@cnnic.cn
Lee, et al. Expires December 1, 2014 [Page 6]
Internet-Draft Weak Trust Anchor Introduction May 2014
Hongtao Li (editor)
cnnic
EMail: lihongtao@cnnic.cn
Lee, et al. Expires December 1, 2014 [Page 7]