<?xml version="1.0"encoding="US-ASCII"?>encoding="UTF-8"?> <!DOCTYPE rfc SYSTEM"rfc2629.dtd" [ <!-- One method to get references from the online citation libraries. There has to be one entity for each item to be referenced. An alternate method (rfc include) is described in the references. --> <!ENTITY RFC1034 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.1034.xml"> <!ENTITY RFC1035 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.1035.xml"> <!ENTITY RFC1995 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.1995.xml"> <!ENTITY RFC2136 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2136.xml"> <!ENTITY RFC2845 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2845.xml"> <!ENTITY RFC4033 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4033.xml"> <!ENTITY RFC4034 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4034.xml"> <!ENTITY RFC4035 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4035.xml"> <!ENTITY RFC5155 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5155.xml"> <!ENTITY RFC5731 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5731.xml"> <!ENTITY RFC5936 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5936.xml"> <!ENTITY RFC6781 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6781.xml"> <!ENTITY RFC7129 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.7129.xml"> <!ENTITY RFC7344 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.7344.xml"> <!ENTITY RFC7858 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.7858.xml"> <!ENTITY RFC8078 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.8078.xml"> <!ENTITY RFC8198 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.8198.xml"> <!ENTITY RFC8484 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.8484.xml"> <!ENTITY RFC8499 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.8499.xml"> <!ENTITY I-D.narten-iana-considerations-rfc2434bis SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.narten-iana-considerations-rfc2434bis.xml"> ]> <?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?> <!-- used by XSLT processors --> <!-- For a complete list and description of processing instructions (PIs), please see http://xml.resource.org/authoring/README.html. --> <!-- Below are generally applicable Processing Instructions (PIs) that most I-Ds might want to use. (Here they are set differently than their defaults in xml2rfc v1.32) --> <?rfc strict="yes" ?> <!-- give errors regarding ID-nits and DTD validation --> <!-- control the table of contents (ToC) --> <?rfc toc="yes"?> <!-- generate a ToC --> <?rfc tocdepth="4"?> <!-- the number of levels of subsections in ToC. default: 3 --> <!-- control references --> <?rfc symrefs="yes"?> <!-- use symbolic references tags, i.e, [RFC2119] instead of [1] --> <?rfc sortrefs="yes" ?> <!-- sort the reference entries alphabetically --> <!-- control vertical white space (using these PIs as follows is recommended by the RFC Editor) --> <?rfc compact="yes" ?> <!-- do not start each main section on a new page --> <?rfc subcompact="no" ?> <!-- keep one blank line between list items --> <!-- end of list of popular I-D processing instructions -->"rfc2629-xhtml.ent"> <rfccategory="info"xmlns:xi="http://www.w3.org/2001/XInclude" docName="draft-ietf-dnsop-multi-provider-dnssec-05"ipr="trust200902"> <!-- category values: std, bcp, info, exp, and historic ipr values: full3667, noModification3667, noDerivatives3667 you can add the attributes updates="NNNN" and obsoletes="NNNN" they will automatically be output with "(if approved)" -->number="8901" ipr="trust200902" obsoletes="" updates="" submissionType="IETF" category="info" consensus="true" xml:lang="en" tocInclude="true" tocDepth="4" symRefs="true" sortRefs="true" version="3"> <!--***** FRONT MATTER *****xml2rfc v2v3 conversion 2.44.0 --> <front> <titleabbrev="Multi Signerabbrev="Multi-Signer DNSSECmodels">Multi SignerModels">Multi-Signer DNSSECmodels</title>Models</title> <seriesInfo name="RFC" value="8901"/> <author fullname="Shumon Huque" initials="S." surname="Huque"> <organization>Salesforce</organization> <address> <postal> <street>415 Mission Street, 3rd Floor</street> <city>San Francisco</city> <region>CA</region> <code>94105</code> <country>United States of America</country> </postal> <email>shuque@gmail.com</email><!-- uri and facsimile elements may also be added --></address> </author> <author fullname="Pallavi Aras" initials="P." surname="Aras"> <organization>Salesforce</organization> <address> <postal> <street>415 Mission Street, 3rd Floor</street> <city>San Francisco</city> <region>CA</region> <code>94105</code> <country>United States of America</country> </postal> <email>paras@salesforce.com</email><!-- uri and facsimile elements may also be added --></address> </author> <author fullname="John Dickinson" initials="J." surname="Dickinson"><organization>Sinodun</organization><organization>Sinodun IT</organization> <address> <postal> <street>Magdalen Centre</street> <street>Oxford Science Park</street> <city>Oxford</city> <code>OX4 4GA</code> <country>United Kingdom</country> </postal> <email>jad@sinodun.com</email><!-- uri and facsimile elements may also be added --></address> </author> <author fullname="Jan Vcelak" initials="J." surname="Vcelak"> <organization>NS1</organization> <address> <postal> <street>55 Broad Street, 19th Floor</street> <city>New York</city> <region>NY</region> <code>10004</code> <country>United States of America</country> </postal> <email>jvcelak@ns1.com</email><!-- uri and facsimile elements may also be added --></address> </author> <author fullname="David Blacka" initials="D." surname="Blacka"> <organization>Verisign</organization> <address> <postal> <street>12061 Bluemont Way</street> <city>Reston</city> <region>VA</region> <code>20190</code> <country>United States of America</country> </postal> <email>davidb@verisign.com</email><!-- uri and facsimile elements may also be added --></address> </author> <datemonth="April" year="2020" /> <!-- Meta-data Declarations -->month="September" year="2020"/> <area>General</area> <workgroup>Internet Engineering Task Force</workgroup><keyword>Internet-Draft</keyword><keyword>DNSSEC</keyword> <keyword>Multiple</keyword> <keyword>Provider</keyword> <keyword>Signer</keyword> <keyword>Models</keyword> <abstract> <t> Many enterprises today employ the service of multiple DNS providers to distribute their authoritative DNS service. Deploying DNSSEC in such an environment may present somechallengeschallenges, depending on the configuration and feature set in use. In particular, when each DNS provider independently signs zone data with their own keys, additionalkey managementkey-management mechanisms are necessary. This document presents deployment models that accommodate this scenario anddescribedescribes thesekey managementkey-management requirements. These models do not require any changes to the behavior of validating resolvers, nor do they impose the newkey managementkey-management requirements on authoritative servers not involved inmulti signermulti-signer configurations. </t> </abstract> </front> <middle> <sectiontitle="Introductionnumbered="true" toc="default"> <name>Introduction andMotivation"> <t> RFC EDITOR: PLEASE REMOVE THIS PARAGRAPH BEFORE PUBLISHING: The source for this draft is maintained in GitHub at: https://github.com/shuque/multi-provider-dnssec </t>Motivation</name> <t> Many enterprises today employ the service of multiple Domain Name System (DNS) <xref target="RFC1034"/>format="default"/> <xref target="RFC1035"/>format="default"/> providers to distribute their authoritative DNS service. This is primarily done for redundancy and availability, and it allows the DNS service to survive a complete, catastrophic failure of any single provider. Additionally, enterprises or providers occasionally have requirements that preclude standardzone transferzone-transfer techniques <xref target="RFC1995"/> <xrefformat="default"/><xref target="RFC5936"/> :format="default"/>: eithernon-standardizednonstandardized DNS features are in use that are incompatible with zone transfer, or operationally a provider must be able to(re)sign(re-)sign DNS records using their own keys. This document outlines some possible models of DNSSEC <xref target="RFC4033"/>format="default"/> <xref target="RFC4034"/>format="default"/> <xref target="RFC4035"/>format="default"/> deployment in such an environment. </t> <t> This document assumes a reasonable level of familiarity with DNS operations and protocol terms. Much of the terminology is explained in further detail in <xreftarget="RFC8499"> DNS Terminology</xref>.target="RFC8499" format="default"> "DNS Terminology"</xref>. </t> </section> <sectiontitle="Deployment Models" anchor="models">anchor="models" numbered="true" toc="default"> <name>Deployment Models</name> <t> If a zone owner can use standardzone transferzone-transfer techniques, then the presence of multiple providers does not require modifications to the normal deployment models. In these deployments, there is a single signing entity (which may be the zone owner, one of the providers, or a separate entity), while the providers act as secondary authoritative servers for the zone. </t> <t> Occasionally, however, standardzone transferzone-transfer techniques cannot be used. This could be due to the use ofnon-standardnonstandard DNSfeatures,features ordue tothe operational requirements of a given provider (e.g., a provider that only supports "onlinesigning".)signing"). In these scenarios, the multiple providers each act like primary servers, independently signing data received from the zone owner and serving it to DNS queriers. This configuration presents some novel challenges and requirements. </t> <sectiontitle="Multiple Signer models" anchor="multi-sign">anchor="multi-sign" numbered="true" toc="default"> <name>Multiple-Signer Models</name> <t> In this category of models, multiple providers each independently sign and serve the same zone. The zone owner typically uses provider-specific APIs to update zone content identically at each of theproviders,providers and relies on the provider to perform signing of the data. A key requirement here is to manage the contents of the DNSKEY and Delegation Signer (DS) RRsets in such a way that validating resolvers always have a viable path to authenticate the DNSSEC signature chain, no matter which provider is queried. This requirement is achieved by having each provider import the public Zone Signing Keys (ZSKs) of all other providers into their DNSKEY RRsets. </t> <t> These models can support DNSSEC even for thenon-standardnonstandard features mentioned previously, if the DNS providers have the capability of signing the response data generated by those features. Since these responses are often generated dynamically at query time, one method is for the provider to perform online signing (also known as on-the-fly signing). However, another possible approach is topre-computeprecompute all the possible response sets and associatedsignatures,signatures and then algorithmically determine at query time which response set and signatureneedsneed to be returned. </t><!-- davib: unsure if this paragraph is needed --><t> In the models presented, the function of coordinating the DNSKEY or DS RRset does not involve the providers communicating directly with each other. Feedback from several commercialmanaged DNSmanaged-DNS providers indicates that they may be unlikely to directly communicate, since they typically have a contractual relationship only with the zone owner. However, if the parties involved are agreeable, it may be possible to devise a protocol mechanism by which the providers directly communicate to share keys. Details of such a protocol are deferred to a future specification document, should there be interest. </t> <t> In the descriptions below, the Key Signing Key(KSK),(KSK) and Zone Signing Key(ZSK),(ZSK) correspond to the definitions in <xref target="RFC8499"/>,format="default"/>, with the caveat that the KSK not only signs the zone apex DNSKEYRRset,RRset but also serves as the Secure Entry Point (SEP) into the zone. </t> <sectiontitle="Modelanchor="model1" numbered="true" toc="default"> <name>Model 1: Common KSKset,Set, Unique ZSKsetSet perprovider" anchor="model1"> <t> <list style="symbols"> <t>TheProvider</name> <ul spacing="normal"> <li>The zone owner holds the KSK set, manages the DS record set, and is responsible for signing the DNSKEY RRset and distributing it to theproviders.</t> <t>Eachproviders.</li> <li>Each provider has their own ZSKsetset, which is used to sign data in thezone.</t> <t>Thezone.</li> <li>The providers have an API that the zone owner uses to query the ZSK publickeys,keys and insert a combined DNSKEY RRset that includes the ZSK sets of eachprovider,provider and the KSK set, signed by theKSK.</t> <t>NoteKSK.</li> <li>Note that even if the contents of the DNSKEY RRset do not change, the zone owner needs to periodically re-sign it as signature expiration approaches. The provider API is also used to thus periodically redistribute the refreshed DNSKEYRRset.</t> <t>KeyRRset.</li> <li>Key rollovers need coordinated participation of the zone owner to update the DNSKEY RRset (for KSK orZSK),ZSK) and the DS RRset (forKSK).</t> <t>(OneKSK).</li> <li>(One specific variant of this model that may be interesting is a configuration in which there is only a single provider. A possible use case for this is where the zone owner wants to outsource the signing and operation of their DNS zone to a single3rd party provider,third-party provider but still control the KSK, so that they can authorize and/or revoke the use of specific zone signingkeys.)</t> </list> </t>keys.)</li> </ul> </section> <sectiontitle="Modelanchor="model2" numbered="true" toc="default"> <name>Model 2: Unique KSKsetSet and ZSKsetSet perprovider" anchor="model2"> <t> <list style="symbols"> <t>EachProvider</name> <ul spacing="normal"> <li>Each provider has their own KSK and ZSKsets.</t> <t>Eachsets.</li> <li>Each provider offers an API that the zone owner uses to import the ZSK sets of the other providers into their DNSKEYRRset.</t> <t>TheRRset.</li> <li>The DNSKEY RRset is signed independently by each provider using their ownKSK.</t> <t>TheKSK.</li> <li>The zone owner manages the DS RRset located in the parent zone. This is comprised of DS records corresponding to the KSKs of eachprovider.</t> <t>Keyprovider.</li> <li>Key rollovers need coordinated participation of the zone owner to update the DS RRset (forKSK),KSK) and the DNSKEY RRset (forZSK).</t> </list> </t>ZSK).</li> </ul> </section> </section> </section> <sectiontitle="Validatinganchor="resolver" numbered="true" toc="default"> <name>Validating ResolverBehavior" anchor="resolver">Behavior</name> <t> The central requirement for both of the <xreftarget="multi-sign">Multiple Signertarget="multi-sign" format="default">multiple-signer models</xref> is to ensure that the ZSKs from all providers are present in each provider's apex DNSKEYRRset,RRset andisvouched for by either the single KSK (inmodelModel 1) or each provider's KSK (inmodelModel 2.) If this is not done, the following situation can arise (assuming twoprovidersproviders, A and B):<list style="symbols"> <t>The</t> <ul spacing="normal"> <li>The validating resolver follows a referral(i.e.(i.e., secure delegation) to the zone inquestion.</t> <t>Itquestion.</li> <li>It retrieves the zone's DNSKEY RRset from one ofproviderProvider A's nameservers, authenticates it against the parent DS RRset, and cachesit.</t> <t>Atit.</li> <li>At some point in time, the resolver attempts to resolve a name in thezone,zone while the DNSKEY RRset received fromproviderProvider A is still viable in itscache.</t> <t>Itcache.</li> <li>It queries one ofproviderProvider B's nameservers to resolve thename,name and obtains a response that is signed byproviderProvider B's ZSK, which it cannot authenticate because this ZSK is not present in its cached DNSKEY RRset for the zone that it received fromprovider A.</t> <t>TheProvider A.</li> <li>The resolver will not accept this response. It may still be able to ultimately authenticate the name by querying other nameservers for the zone until it elicits a response from one ofproviderProvider A's nameservers. But it has incurred the penalty of additionalroundtripsround trips with other nameservers, with the corresponding latency and processing costs. The exact number of additionalroundtripsround trips depends on details of the resolver'snameserver selectionnameserver-selection algorithm and the number of nameservers configured atprovider B.</t> <t>ItProvider B.</li> <li>It may also be the case that a resolver is unable to provide an authenticatedresponseresponse, because it gave up after a certain number of retries or a certain amount ofdelay,delay; or it is possible that downstream clients of the resolver that originated the query timed out waiting for a response.</t> </list></li> </ul> <t> Hence, it is important that the DNSKEY RRset at each provider is maintained with the active ZSKs of all participating providers. This ensures that resolvers can validate a response no matter which provider's nameservers it came from. </t> <t> Details of how the DNSKEY RRset itself is validated differ. In <xreftarget="model1">modeltarget="model1" format="default">Model 1</xref>, one unique KSK managed by the zone owner signs an identical DNSKEY RRset deployed at each provider, and the signed DS record in the parent zone refers to this KSK. In <xreftarget="model2">modeltarget="model2" format="default">Model 2</xref>, each provider has a distinct KSK and signs the DNSKEY RRset with it. The zone owner deploys a DS RRset at the parent zone that contains multiple DS records, each referring to a distinct provider's KSK.HenceHence, it does not matter which provider's nameservers the resolver obtains the DNSKEY RRsetfrom,from; the signed DS record in each model can authenticate the associated KSK. </t> </section> <sectiontitle="Signing Algorithm Considerations" anchor="algorithms">anchor="algorithms" numbered="true" toc="default"> <name>Signing-Algorithm Considerations</name> <t> DNS providers participating in multi-signer models need to use a common DNSSEC signing algorithm (or a common set of algorithms ifmultipleseveral are in use). This is because the current specifications require that if there are multiple algorithms in the DNSKEY RRset, then RRsets in the zone need to be signed with at least one DNSKEY of each algorithm, as described in <xreftarget="RFC4035">RFC 4035</xref>, Section 2.2.target="RFC4035" sectionFormat="comma" section="2.2"/>. If providers employ distinct signing algorithms, then this requirement cannot be satisfied. </t> </section> <sectiontitle="Authenticated Denial Considerations" anchor="nsec">anchor="nsec" numbered="true" toc="default"> <name>Authenticated-Denial Considerations</name> <t> Authenticated denial of existence enables a resolver to validate that a record does not exist. For this purpose, an authoritative server presents, in a response to the resolver, signed NSEC(Section 3.1.3 of <xref(<xref target="RFC4035"/>)sectionFormat="of" section="3.1.3"/>) or NSEC3(Section 7.2 of <xref(<xref target="RFC5155"/>)sectionFormat="of" section="7.2"/>) records that provide cryptographic proof of thisnon-existence.nonexistence. The NSEC3 method enhances NSEC by providing opt-out for signing insecure delegations and also adds limited protection againstzone enumerationzone-enumeration attacks. </t> <t> An authoritative server response carrying records for authenticated denial is alwaysself-containedself-contained, and the receiving resolver doesn't need to send additional queries to complete the proof of denial. For this reason, no rollover is needed when switching between NSEC and NSEC3 for a signed zone. </t> <t> Sinceauthenticated denialauthenticated-denial responses are self-contained, NSEC and NSEC3 can be used by different providers to serve the same zone. Doingso howeverso, however, defeats the protection against zone enumeration provided by NSEC3 (because an adversary can trivially enumerate the zone by just querying the providers that employ NSEC). A better configuration involves multiple providers using different authenticateddenial of existencedenial-of-existence mechanisms that all providezone enumerationzone-enumeration defense, such aspre-computedprecomputed NSEC3, <xreftarget="RFC7129">NSEC3 White Lies</xref>,target="RFC7129" format="default">NSEC3 white lies</xref>, <xreftarget="BLACKLIES">NSEC Black Lies</xref>,target="I-D.valsorda-dnsop-black-lies" format="default">NSEC black lies</xref>, etc.Note howeverNote, however, that having multiple providers offering differentauthenticated denialauthenticated-denial mechanisms may impact how effectively resolvers are able to make use of the caching of negative responses. </t> <sectiontitle="Single Method">numbered="true" toc="default"> <name>Single Method</name> <t> Usually, the NSEC and NSEC3 methods are used exclusively(i.e.(i.e., the methods are not used at the same time by different servers). This configuration ispreferredpreferred, because the behavior iswell-definedwell defined andisclosest to current operational practice. </t> </section> <sectiontitle="Mixing Methods">numbered="true" toc="default"> <name>Mixing Methods</name> <t> Compliant resolvers should be able to validate zone data when different authoritative servers for the same zone respond with differentauthenticated denial methodsauthenticated-denial methods, because this is normally observed when NSEC and NSEC3 are being switched or when NSEC3PARAM is updated. </t> <t> Resolver software may, however, be designed to handle a single transition between two authenticated denial configurations more optimally than a permanent setup with mixedauthenticated denialauthenticated-denial methods. This could make caching on the resolver side lessefficientefficient, and the authoritative servers may observe a higher number of queries. This aspect should be considered especially in the context of <xref target="RFC8198">Aggressiveformat="default">"Aggressive Use of DNSSEC-ValidatedCache</xref>.Cache"</xref>. </t> <t> In case all providers cannot be configured with the sameauthenticated denialauthenticated-denial mechanism, it is recommended to limit the distinct configurations to the lowest number feasible. </t> <t> Note that NSEC3 configuration on all providers with different NSEC3PARAM values is considered a mixed setup. </t> </section> </section> <sectiontitle="Keyanchor="keyrollover" numbered="true" toc="default"> <name>Key RolloverConsiderations" anchor="keyrollover">Considerations</name> <t> The <xreftarget="multi-sign">Multiple Signer</xref>target="multi-sign" format="default">multiple-signer</xref> models introduce some new requirements for DNSSEC key rollovers. Since this process necessarily involves coordinated actions on the part of providers and the zone owner, one reasonable strategy is for the zone owner to initiatekey rolloverkey-rollover operations. But other operationally plausible models may also suit, such as a DNS provider initiating a key rollover and signaling their intent to the zone owner in some manner. The mechanism to communicate this intent could be some secure out-of-band channel that has been agreed upon, or the provider could offer an API function that could be periodically polled by the zone owner. </t> <t>TheFor simplicity, the descriptions in this section assume two DNSproviders for simplicity.providers. They also assume that KSK rollovers employ the commonly usedDouble SignatureDouble-Signature KSKRollover Method,rollover method and that ZSK rollovers employ the Pre-Publish ZSKRollover Method,rollover method, as described in detail in <xreftarget="RFC6781"/>.target="RFC6781" format="default"/>. With minor modifications, they can be easily adapted to other models, such asDouble DSDouble-DS KSKRolloverrollover orDouble SignatureDouble-Signature ZSK rollover, if desired.Key useKey-use timing should follow the recommendations outlined in <xreftarget="RFC6781"/>,target="RFC6781" format="default"/>, but taking into account the additional operations needed by themulti signermulti-signer models. For example, "time to propagate data to all the authoritative servers" now includes the time to import the new ZSKs into each provider. </t> <sectiontitle="Modelanchor="krc-model1" numbered="true" toc="default"> <name>Model 1: Common KSK, Unique ZSK perprovider" anchor="krc-model1"> <t> <list style="symbols"> <t>Provider</name> <ul spacing="normal"> <li> Key Signing Key Rollover: In this model, the twomanaged DNSmanaged-DNS providers share a common KSK (public key) in their respective zones, and the zone ownercontrolshas sole access to theKSK signing key.private key portion of the KSK. To initiate the rollover, the zone owner generates a new KSK and obtains the DNSKEY RRset of each DNS provider using their respective APIs. The new KSK is added to each provider's DNSKEYRRsetRRset, and the RRset is re-signed with both the new and the old KSK. This new DNSKEY RRset is then transferred to each provider. The zone owner then updates the DS RRset in the parent zone to point to the newKSK, andKSK and, after the necessary DS record TTL period has expired, proceeds with updating the DNSKEY RRset to remove the old KSK.</t> <t></li> <li> Zone Signing Key Rollover: In this model, each DNS provider has separate Zone Signing Keys. Each provider can choose to roll their ZSK independently byco-ordinatingcoordinating with the zone owner. Provider A would generate a new ZSK and communicate their intent to perform a rollover (note that Provider A cannot immediately insert this new ZSK into their DNSKEYRRsetRRset, because the RRset has to be signed by the zone owner). The zone owner obtains the new ZSK from Provider A. It then obtains the current DNSKEY RRset from each provider (including Provider A), inserts the new ZSK into each DNSKEY RRset, re-signs the DNSKEY RRset, and sends it back to each provider for deployment via their respectivekey managementkey-management APIs. Once the necessary time periodishas elapsed(i.e.(i.e., all zone data has been re-signed by the new ZSK and propagated to all authoritative servers for the zone, plus the maximumzone TTLzone-TTL value of any of the data in the zone that has been signed by the old ZSK), Provider A and the zone owner can initiate the next phase of removing the oldZSK,ZSK and re-signing the resulting new DNSKEY RRset.</t> </list> </t></li> </ul> </section> <sectiontitle="Modelanchor="krc-model2" numbered="true" toc="default"> <name>Model 2: Unique KSK and ZSK perprovider" anchor="krc-model2"> <t> <list style="symbols"> <t>Provider</name> <ul spacing="normal"> <li> Key Signing Key Rollover: In Model 2, eachmanaged DNSmanaged-DNS provider has their own KSK. A KSK roll forproviderProvider A does not require any change in the DNSKEY RRset ofprovider B,Provider B but does require co-ordination with the zone owner in order to get the DS record set in the parent zone updated. The KSK roll starts with Provider A generating a new KSK and including it in their DNSKEY RRSet. The DNSKey RRset would then be signed by both the new and old KSK. The new KSK is communicated to the zone owner, after which the zone owner updates the DS RRset to replace the DS record for the old KSK with a DS record for the new KSK. After the necessary DS RRset TTL period has elapsed, the old KSK can be removed fromproviderProvider A's DNSKEY RRset.</t> <t></li> <li> Zone Signing Key Rollover: In Model 2, eachmanaged DNSmanaged-DNS provider has their own ZSK. The ZSK roll forproviderProvider A would start with them generating a newZSK andZSK, including it in their DNSKEYRRsetRRset, and re-signing the new DNSKEY RRset with their KSK. The new ZSK ofproviderProvider A would then be communicated to the zone owner, whowillwould initiate the process of importing this ZSK into the DNSKEY RRsets of the other providers, using their respective APIs. Before signing zone data with the new ZSK, Provider A should wait for the DNSKEY TTL plus the time to import the ZSK into Provider B, plus the time to propagate the DNSKEY RRset to all authoritative servers of both providers. Once the necessary Pre-Publishkey rolloverkey-rollover time periods have elapsed,providerProvider A and the zone owner can initiate the process of removing the old ZSK from the DNSKEYRRsetRRsets of all providers.</t> </list> </t></li> </ul> </section> </section> <section anchor="CSK"title="Usingnumbered="true" toc="default"> <name>Using Combined SigningKeys">Keys</name> <t> A Combined Signing Key (CSK) is one in which the same key serves thepurposepurposes ofbeingboth being the secure entry point (SEP) key for thezone,zone andalso forsigning all the zonedatadata, including the DNSKEY RRset (i.e., there is no KSK/ZSK split). </t> <t> Model 1 is not compatible with CSKs because the zone owner would then hold the sole signing key, and providers would not be able to sign their own zone data. </t> <t> Model 2 can accommodate CSKs without issue. In this case, any or all of the providers could employ a CSK. The DS record in the parent zone would reference the provider's CSK instead of KSK, and the public CSKwillwould need to be imported into the DNSKEY RRsets of all of the other providers. A CSK key rollover for such a provider would involve the following: The provider generates a new CSK, installs the new CSK into the DNSKEY RRset, and signs it with both the old and newCSK.CSKs. The new CSK is communicated to the zone owner. The zone owner exports this CSK into the other provider's DNSKEY RRsets and replaces the DS record referencing the old CSK with one referencing the new one in the parent DS RRset. Once all the zone data has been re-signed with the new CSK, the old CSK is removed from the DNSKEY RRset, and the latter is re-signed with only the new CSK. Finally, the old CSK is removed from the DNSKEY RRsets of the other providers. </t> </section> <section anchor="CDS-CDNSKEY"title="Usenumbered="true" toc="default"> <name>Use of CDS andCDNSKEY">CDNSKEY</name> <t> CDS and CDNSKEY records <xref target="RFC7344"/> <xrefformat="default"/><xref target="RFC8078"/>format="default"/> are used to facilitate automated updates of DNSSECsecure entry pointsecure-entry-point keys between parent and child zones. Multi-signer DNSSEC configurations can supportthisthis, too. In Model 1, CDS/CDNSKEY changes are centralized at the zone owner. However, the zone owner will still need to push down updated signed CDNS/DNSKEY RRsets to the providers via thekey managementkey-management mechanism. In Model 2, thekey managementkey-management mechanism needs to supportcross importationcross-importation of the CDS/CDNSKEY records, so that a common view of the RRset can be constructed at eachprovider,provider and is visible to the parent zone attempting to update the DS RRset. </t> </section> <section anchor="Key-Management"title="Key Management Mechanism Requirements">numbered="true" toc="default"> <name>Key-Management-Mechanism Requirements</name> <t>Managed DNSManaged-DNS providers typically have their own proprietary zone configuration anddata managementdata-management APIs, commonly utilizingHTTPS/RESTHTTPS and Representational State Transfer (REST) interfaces. So, rather than outlining a new API for key management here, we describe the specific functions that the provider API needs to support in order to enable the multi-signer models. The zone owner is expected to use these API functions to performkey managementkey-management tasks. Other mechanisms that can partly offer these functions, if supported by the providers, include the <xreftarget="RFC2136">DNStarget="RFC2136" format="default">DNS UPDATE protocol</xref> and <xreftarget="RFC5731">EPP</xref>. </t> <t> <list style="symbols"> <t>Thetarget="RFC5731" format="default">Extensible Provisioning Protocol (EPP)</xref>. </t> <ul spacing="normal"> <li>The API must offer a way to query the current DNSKEY RRset of theprovider</t> <t>For modelprovider.</li> <li>For Model 1, the API must offer a way to import a signed DNSKEY RRset and replace the current one at the provider. Additionally, if CDS/CDNSKEY is supported, the API must also offer a way to import a signed CDS/CDNSKEYRRset.</t> <t>For modelRRset.</li> <li>For Model 2, the API must offer a way to import a DNSKEY record from an external provider into the current DNSKEY RRset. Additionally, if CDS/CDNSKEY is supported, the API must offer a mechanism to import individual CDS/CDNSKEY records from an externalprovider.</t> </list> </t>provider.</li> </ul> <t> InmodelModel 2, once initially bootstrapped with each other'szone signingzone-signing keys via these API mechanisms, providers could, if desired, periodically query each other's DNSKEY RRsets, authenticate their signatures, and automatically import or withdraw ZSKs in the keyset askey rolloverkey-rollover events happen. </t> </section> <section anchor="Response-Size"title="DNS Response Size Considerations">numbered="true" toc="default"> <name>DNS Response-Size Considerations</name> <t> TheMulti-Signermulti-signer models result in larger DNSKEY RRsets, so the size of a response to a query for the DNSKEY RRset will be larger. The actual size increase depends on multiple factors: DNSKEY algorithm and keysize choices, the number of providers, whether additional keys arepre-published,prepublished, how many simultaneous key rollovers are inprogressprogress, etc. Newerelliptic curveelliptic-curve algorithms produce keys small enough that the responses will typically be far below the commonInternet pathInternet-path MTU.ThusThus, operational concerns related to IP fragmentation or truncation and TCP fallback are unlikely to be encountered. In any case, DNS operators need to ensure that they can emit and process large DNS UDP responses when necessary, and a future migration to alternative transports like <xreftarget="RFC7858">DNStarget="RFC7858" format="default">DNS over TLS</xref> or <xreftarget="RFC8484">DNStarget="RFC8484" format="default">DNS over HTTPS</xref> may make this topic moot. </t> </section> <section anchor="IANA"title="IANA Considerations">numbered="true" toc="default"> <name>IANA Considerations</name> <t>This documentincludeshas norequest to IANA.</t>IANA actions.</t> </section> <section anchor="Security"title="Security Considerations">numbered="true" toc="default"> <name>Security Considerations</name> <t> TheMulti Signermulti-signer models necessarily involve3rd partythird-party providers holding the private keys that sign thezone owner'szone-owner's data.ObviouslyObviously, this means that the zone owner has decided to place a great deal of trust in these providers. By contrast, the more traditional model in which the zone owner runs a hidden master and uses thezone transferzone-transfer protocol with theproviders,providers is arguably more secure, because only the zone owner holds the private signing keys, and the3rd partythird-party providers cannot serve bogus data without detection by validating resolvers. </t> <t> TheZone keyzone-key import and export APIs required by these models need to be strongly authenticated to prevent tampering of key material by malicious third parties. Many providers today offer REST/HTTPSAPIs, where the HTTPS layer provides transport security and server authentication, andAPIs that utilize a number ofclient authenticationclient-authentication mechanisms (username/password, API keysetc).etc) and whose HTTPS layer provides transport security and server authentication. Multifactor authentication could be used to further strengthen security. If DNS protocol mechanisms like UPDATE are being used for key insertion and deletion, they should similarly be stronglyauthenticated, e.g.authenticated -- e.g., by employing <xreftarget="RFC2845">target="RFC2845" format="default"> Transaction Signatures (TSIG)</xref>.Multi-factor authentication could be used to further strengthen security.KeyGenerationgeneration and other generalsecurity relatedsecurity-related operations should follow the guidance specified in <xreftarget="RFC6781"/>.target="RFC6781" format="default"/>. </t> </section> </middle> <back> <displayreference target="I-D.valsorda-dnsop-black-lies" to="BLACKLIES"/> <references> <name>References</name> <references> <name>Normative References</name> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.1034.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.1035.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2845.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4033.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4034.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4035.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5155.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.6781.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7344.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8078.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8198.xml"/> </references> <references> <name>Informative References</name> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.1995.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2136.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5731.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5936.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7129.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7858.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8484.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8499.xml"/> <!-- [BLACKLIES] I-D.valsorda-dnsop-black-lies; IESG state Expired --> <xi:include href="https://www.rfc-editor.org/refs/bibxml3/reference.I-D.valsorda-dnsop-black-lies.xml"/> </references> </references> <sectiontitle="Acknowledgments">numbered="false" toc="default"> <name>Acknowledgments</name> <t> The initial version of this document benefited from discussions with and review fromDuane Wessels.<contact fullname="Duane Wessels"/>. Additional helpful comments were provided bySteve Crocker, Ulrich Wisser, Tony Finch, Olafur Gudmundsson, Matthijs Mekking, Daniel Migault, and Ben Kaduk.<contact fullname="Steve Crocker"/>, <contact fullname="Ulrich Wisser"/>, <contact fullname="Tony Finch"/>, <contact fullname="Olafur Gudmundsson"/>, <contact fullname="Matthijs Mekking"/>, <contact fullname="Daniel Migault"/>, and <contact fullname="Ben Kaduk"/>. </t> </section></middle> <!-- *****BACK MATTER ***** --> <back> <references title="Normative References"> &RFC1034; &RFC1035; &RFC2845; &RFC4033; &RFC4034; &RFC4035; &RFC5155; &RFC6781; &RFC7344; &RFC8078; &RFC8198; </references> <references title="Informative References"> &RFC1995; &RFC2136; &RFC5731; &RFC5936; &RFC7129; &RFC7858; &RFC8484; &RFC8499; <reference anchor="BLACKLIES" target="https://tools.ietf.org/html/draft-valsorda-dnsop-black-lies"> <front> <title>Compact DNSSEC Denial of Existence or Black Lies</title> <author fullname="Filippo Valsorda" initials="F" surname="Valsorda" /> <author fullname="Olafur Gudmundsson" initials="O" surname="Gudmundsson" /> <date /> </front> </reference> </references></back> </rfc>