Internet-Draft                                               S. Weiler
                                                          SPARTA, Inc.
                                                              J. Ihren
                                                            Autonomica
                                                       30 October 2004


       Minimally Covering NSEC Records and DNSSEC On-line Signing
            draft-weiler-dnsext-dnssec-online-signing-00.txt



Status of this Memo

   This document is an Internet-Draft and is subject to all provisions
   of section 3 of RFC 3667.  By submitting this Internet-Draft, each
   author represents that any applicable patent or other IPR claims of
   which he or she is aware have been or will be disclosed, and any of
   which he or she become aware will be disclosed, in accordance with
   RFC 3668.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other
   documents at any time.  It is inappropriate to use Internet-Drafts
   as reference material or to cite them other than as "work in
   progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on 30 April 2005.

Copyright Notice

   Copyright (C) The Internet Society (2004).

Abstract

   This document describes how to construct DNSSEC NSEC resource
   records that cover a smaller range of names than called for by
   [-records].  By generating and signing these records on demand,
   authoritative name servers can effectively stop the disclosure of
   zone contents otherwise made possible by walking the chain of NSEC
   records in a signed zone.

Introduction and Terminology

   With DNSSEC [-records], an NSEC record lists the next instantiated
   name in its zone, proving that no names exist in the "span" between
   the NSEC's owner name and the name in the "next name" field.  In
   this document, an NSEC record is said to "cover" the names between
   its owner name and next name.

   Through repeated queries that return NSEC records, it is possible
   to retrieve all of the names in the zone, a process commonly called
   "walking" the zone.  Some zones have policies forbidding zone
   transfers by arbitrary clients; this side-effect of the NSEC
   architecture subverts those policies.

   This document presents a way to prevent zone walking by
   constructing NSEC records that cover fewer names.  These records
   can make zone walking take approximately as many queries as simply
   asking for all possible names in a zone, making zone walking
   impractical.  Some of these records must be created and signed on
   demand, which requires on-line private keys.  Anyone contemplating
   use of this technique is strongly encouraged to review the
   discussion of the risks of on-line signing in section [Security
   Considerations].

   The technique presented here may be useful to a zone that wants to
   use DNSSEC, is concerned about exposure of its zone contents via
   zone walking, and is willing to bear the costs of on-line signing.

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in
   this document are to be interpreted as described in RFC 2119.
   [RFC2119].

Minimally Covering NSEC Records

   This mechanism involves both changes to NSEC records for
   instantiated names, which can still be generated and signed in
   advance, as well as the on-demand generation and signing of new
   NSEC records whenever a name must be proven not to exist.

   In the 'next name' field of instantiated names' NSEC records,
   rather than list the next instantiated name in the zone, list any
   name that falls lexically after the NSEC's owner name and before
   the next instantiated name in the zone, according to the ordering
   function in [-records] section 6.2.  These NSEC records are
   returned whenever proving something specifically about the owner
   name (e.g. that no resource records of a given type appear at that
   name).

   Whenever an NSEC record is needed to prove the non-existence of a
   name, a new NSEC record is produced and signed.  The new NSEC
   record has an owner name lexically before the QNAME but lexically
   following any existing name and a "next name" lexically following
   the QNAME but before any existing name.

   The functions to generate the lexically following and proceeding
   names need not be perfect nor consistent, but the generated NSEC
   records must not cover any existing names.  Furthermore, this
   technique works better when the generated NSEC records cover very
   little of the zone's namespace.

   For example, a query for the non-instantiated name example.com
   might produce the following NSEC record:

      exampld.com 3600 IN NSEC example-.com ( RRSIG NSEC )

   Before answering a query with this record, an authoritative server
   must test for the existence of names between these endpoints.  If
   the generated NSEC would cover existing names (e.g. exampldd.com),
   a better increment or decrement function may be used or the covered
   name closest to the QNAME could be used as the NSEC owner name or
   next name, as appropriate.  If an existing name is used as the NSEC
   owner name, that name's real NSEC record MUST be returned.  Using
   the same example, assuming an exampldd.com delegation exists, this
   record might be returned from the parent:

      exampldd.com 3600 IN NSEC example-.com ( NS DS RRSIG NSEC )

   Like every authoritative record in the zone, each generated NSEC
   record MUST have corresponding RRSIGs generated using each
   algorithm (but not necessarily each DNSKEY) in the zone's DNSKEY
   RRset, as described in [-protocol] section 2.2.  To minimize the
   number of signatures that must be generated, a zone may wish to
   limit the number of algorithms in its DNSKEY RRset.

Better Increment & Decrement Functions

   Section 6.2 of [-records] defines a strict ordering of DNS names.
   Working backwards from that definition, it should be possible to
   define increment and decrement functions that generate the
   immediately following and preceeding names, respectively.  This
   document does not define such functions.  Instead, this section
   presents functions that come reasonably close to the perfect ones.
   As described above, an authoritative server MUST ensure than no
   generated NSEC covers any existing name.

   To increment a name, add a leading label with a single null octet.

   To decrement a name, decrement the last character of the leftmost
   label, then fill that label to a length of 63 octets with octets of
   value 255.  To decrement a null octet, remove the octet -- if an
   empty label is left, remove the label.  Defining this function
   numerically: fill the left-most label to its maximum length with
   zeros (numeric, not ASCII zeros) and subtract one.

   In response to a query for the non-existent name foo.example.com,
   these functions produce an NSEC record of:

      fon\255\255\255\255\255\255\255\255\255\255\255\255\255\255
      \255\255\255\255\255\255\255\255\255\255\255\255\255\255\255
      \255\255\255\255\255\255\255\255\255\255\255\255\255\255\255
      \255\255\255\255\255\255\255\255\255\255\255\255\255\255\255
      \255.example.com 3600 IN NSEC \000.foo.example.com ( NSEC RRSIG )

   Both of these functions are imperfect: they don't take into account
   constraints on number of labels in a name nor total length of a
   name.

IANA Considerations

   This document has no IANA Actions.

Security Considerations

   This approach requires on demand generation of RRSIG records.  This
   creates several new vulnerabilities.

   First, on demand signing requires that a zone's authoritative
   servers have access to its private keys.  Storing private keys on
   well-known internet-accessible servers may make them more
   vulnerable to unintended disclosure.

   Second, since generation of public key signatures tends to be
   computationally demanding, the requirement for on demand signing
   makes authoritative servers vulnerable to a denial of service
   attack.

   Lastly, if the increment and decrement functions are predictable,
   on-demand signing may enable a chosen-plaintext attack on a zone's
   private keys.  Zones using this approach should attempt to use
   cryptographic algorithms that are resistant to chosen-plaintext
   attacks.  It's worth noting that while DNSSEC has a "mandatory to
   implement" algorithm, that is a requirement on resolvers and
   validators -- there is no requirement that a zone be signed with
   any given algorithm.  If any "mandatory to implement" algorithm is
   found to be particularly vulnerable to chosen plaintext attack, a
   zone may which to switch to another algorithm or use less
   predictable increment and decrement function.

   The success of using minimally covering NSEC record to prevent zone
   walking depends greatly on the quality of the increment and
   decrement functions chosen.  An increment function that chooses a
   name obviously derived from the next instantiated name may be
   easily reverse engineered, destroying the value of this technique.
   An increment function that always returns a name close to the next
   instantiated name is likewise a poor choice.  A good choice of
   increment and decrement functions are the ones that produce the
   immediately following and preceeding names, respectively, though
   zone administrators may wish to use less perfect functions that
   return more human-friendly names than the functions described in
   section X above.

   Another obvious but misguided concern is the danger from
   synthesized NSEC records being replayed.  It's possible for an
   attacker to replay an old but still validly signed NSEC record
   after a new name has been added in the span covered by that NSEC,
   incorrectly proving that there is no record at that name.  This
   danger exists with DNSSEC as defined in [-bis].  The techniques
   described here actually decrease the danger, since the span covered
   by any NSEC record is smaller than before.  Choosing better
   increment and decrement functions will further reduce this danger.

Normative References

   (out of date versions)
   [I-D.ietf-dnsext-dnssec-intro]
              Arends, R., Austein, R., Larson, M., Massey, D. and S.
              Rose, "DNS Security Introduction and Requirements",
              draft-ietf-dnsext-dnssec-intro-10 (work in progress),
              May 2004.

   [I-D.ietf-dnsext-dnssec-records]
              Arends, R., Austein, R., Larson, M., Massey, D. and S.
              Rose, "Resource Records for DNS Security Extensions",
              draft-ietf-dnsext-dnssec-records-08 (work in progress),
              May 2004.

   [I-D.ietf-dnsext-dnssec-protocol]
              Arends, R., Austein, R., Larson, M., Massey, D. and S.
              Rose, "Protocol Modifications for the DNS Security
              Extensions", draft-ietf-dnsext-dnssec-protocol-06 (work
              in progress), May 2004.


Acknowledgements

   Many individuals contributed to this design.  They include, in
   addition to the authors of this document, Olaf Kolkman, Ed Lewis,
   Peter Koch, Matt Larson, David Blacka, Suzanne Woolf, Jaap
   Akkerhuis, Jakob Schlyter, Bill Manning, and Joao Damas.


Authors' Addresses

   Samuel Weiler
   SPARTA, Inc.
   7075 Samuel Morse Drive
   Columbia, MD 21046
   USA

   EMail: weiler@tislabs.com

   Johan Ihren
   Autonomica
   Bellmansgatan 30
   SE-118 47 Stockholm, Sweden
   Mail: johani@autonomica.se
