Network Working Group R. Arends
Request for Comments: 4956 Nominet
Category: Experimental M. Kosters
D. Blacka
VeriSign, Inc.
July 2007
Network Working Group R. Arends
Request for Comments: 4956 Nominet
Category: Experimental M. Kosters
D. Blacka
VeriSign, Inc.
July 2007
DNS Security (DNSSEC) Opt-In
DNS安全(DNSSEC)选择加入
Status of This Memo
关于下段备忘
This memo defines an Experimental Protocol for the Internet community. It does not specify an Internet standard of any kind. Discussion and suggestions for improvement are requested. Distribution of this memo is unlimited.
这份备忘录为互联网社区定义了一个实验性协议。它没有规定任何类型的互联网标准。要求进行讨论并提出改进建议。本备忘录的分发不受限制。
Copyright Notice
版权公告
Copyright (C) The IETF Trust (2007).
版权所有(C)IETF信托基金(2007年)。
Abstract
摘要
In the DNS security (DNSSEC) extensions, delegations to unsigned subzones are cryptographically secured. Maintaining this cryptography is not always practical or necessary. This document describes an experimental "Opt-In" model that allows administrators to omit this cryptography and manage the cost of adopting DNSSEC with large zones.
在DNS安全性(DNSSEC)扩展中,对未签名子区域的委托是加密安全的。维护这种加密并不总是切实可行或必要的。本文档描述了一个实验性的“选择加入”模型,该模型允许管理员省略此加密,并管理采用大区域DNSSEC的成本。
Table of Contents
目录
1. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Definitions and Terminology . . . . . . . . . . . . . . . . . 3
3. Experimental Status . . . . . . . . . . . . . . . . . . . . . 4
4. Protocol Additions . . . . . . . . . . . . . . . . . . . . . . 5
4.1. Server Considerations . . . . . . . . . . . . . . . . . . 6
4.1.1. Delegations Only . . . . . . . . . . . . . . . . . . . 6
4.1.2. Insecure Delegation Responses . . . . . . . . . . . . 6
4.1.3. Dynamic Update . . . . . . . . . . . . . . . . . . . . 6
4.2. Client Considerations . . . . . . . . . . . . . . . . . . 7
4.2.1. Delegations Only . . . . . . . . . . . . . . . . . . . 7
4.2.2. Validation Process Changes . . . . . . . . . . . . . . 7
4.2.3. NSEC Record Caching . . . . . . . . . . . . . . . . . 8
4.2.4. Use of the AD bit . . . . . . . . . . . . . . . . . . 8
5. Benefits . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
6. Example . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
7. Transition Issues . . . . . . . . . . . . . . . . . . . . . . 11
8. Security Considerations . . . . . . . . . . . . . . . . . . . 11
9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 13
10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 13
10.1. Normative References . . . . . . . . . . . . . . . . . . . 13
10.2. Informative References . . . . . . . . . . . . . . . . . . 13
Appendix A. Implementing Opt-In Using "Views" . . . . . . . . . . 15
1. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Definitions and Terminology . . . . . . . . . . . . . . . . . 3
3. Experimental Status . . . . . . . . . . . . . . . . . . . . . 4
4. Protocol Additions . . . . . . . . . . . . . . . . . . . . . . 5
4.1. Server Considerations . . . . . . . . . . . . . . . . . . 6
4.1.1. Delegations Only . . . . . . . . . . . . . . . . . . . 6
4.1.2. Insecure Delegation Responses . . . . . . . . . . . . 6
4.1.3. Dynamic Update . . . . . . . . . . . . . . . . . . . . 6
4.2. Client Considerations . . . . . . . . . . . . . . . . . . 7
4.2.1. Delegations Only . . . . . . . . . . . . . . . . . . . 7
4.2.2. Validation Process Changes . . . . . . . . . . . . . . 7
4.2.3. NSEC Record Caching . . . . . . . . . . . . . . . . . 8
4.2.4. Use of the AD bit . . . . . . . . . . . . . . . . . . 8
5. Benefits . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
6. Example . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
7. Transition Issues . . . . . . . . . . . . . . . . . . . . . . 11
8. Security Considerations . . . . . . . . . . . . . . . . . . . 11
9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 13
10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 13
10.1. Normative References . . . . . . . . . . . . . . . . . . . 13
10.2. Informative References . . . . . . . . . . . . . . . . . . 13
Appendix A. Implementing Opt-In Using "Views" . . . . . . . . . . 15
The cost to cryptographically secure delegations to unsigned zones is high for large delegation-centric zones and zones where insecure delegations will be updated rapidly. For these zones, the costs of maintaining the NextSECure (NSEC) record chain may be extremely high relative to the gain of cryptographically authenticating existence of unsecured zones.
对于大型以委派为中心的区域和不安全委派将快速更新的区域,以加密方式保护委派到未签名区域的成本很高。对于这些区域,维护NextSECure(NSEC)记录链的成本相对于加密验证不安全区域存在的收益可能非常高。
This document describes an experimental method of eliminating the superfluous cryptography present in secure delegations to unsigned zones. Using "Opt-In", a zone administrator can choose to remove insecure delegations from the NSEC chain. This is accomplished by extending the semantics of the NSEC record by using a redundant bit in the type map.
本文档描述了一种实验方法,用于消除对未签名区域的安全委托中存在的多余加密。使用“选择加入”,区域管理员可以选择从NSEC链中删除不安全的委派。这是通过在类型映射中使用冗余位来扩展NSEC记录的语义来实现的。
Throughout this document, familiarity with the DNS system (RFC 1035 [1]), DNS security extensions ([4], [5], and [6], referred to in this document as "standard DNSSEC"), and DNSSEC terminology (RFC 3090 [10]) is assumed.
在本文件中,假设熟悉DNS系统(RFC 1035[1])、DNS安全扩展([4]、[5]和[6],在本文件中称为“标准DNSSEC”)和DNSSEC术语(RFC 3090[10])。
The following abbreviations and terms are used in this document:
本文件中使用了以下缩写和术语:
RR: is used to refer to a DNS resource record.
RR:用于引用DNS资源记录。
RRset: refers to a Resource Record Set, as defined by [8]. In this document, the RRset is also defined to include the covering RRSIG records, if any exist.
RRset:指[8]定义的资源记录集。在本文件中,RRset还定义为包括覆盖的RRSIG记录(如有)。
signed name: refers to a DNS name that has, at minimum, a (signed) NSEC record.
签名名称:指至少具有(签名)NSEC记录的DNS名称。
unsigned name: refers to a DNS name that does not (at least) have an NSEC record.
未签名名称:指没有(至少)NSEC记录的DNS名称。
covering NSEC record/RRset: is the NSEC record used to prove (non)existence of a particular name or RRset. This means that for a RRset or name 'N', the covering NSEC record has the name 'N', or has an owner name less than 'N' and "next" name greater than 'N'.
覆盖NSEC记录/RRset:NSEC记录用于证明(不)特定名称或RRset的存在。这意味着,对于RRset或名称“N”,覆盖NSEC记录的名称为“N”,或所有者名称小于“N”,而“下一个”名称大于“N”。
delegation: refers to an NS RRset with a name different from the current zone apex (non-zone-apex), signifying a delegation to a subzone.
委派:指名称不同于当前区域顶点(非区域顶点)的NS RRset,表示委派给子区域。
secure delegation: refers to a signed name containing a delegation (NS RRset), and a signed DS RRset, signifying a delegation to a signed subzone.
安全委派:指包含委派(NS RRset)和已签名DS RRset的已签名名称,表示对已签名子区域的委派。
insecure delegation: refers to a signed name containing a delegation (NS RRset), but lacking a DS RRset, signifying a delegation to an unsigned subzone.
不安全的委派:指包含委派(NS RRset)但缺少DS RRset的签名名称,表示委派到未签名的子区域。
Opt-In insecure delegation: refers to an unsigned name containing only a delegation NS RRset. The covering NSEC record uses the Opt-In methodology described in this document.
选择加入不安全的委派:指仅包含委派集的未签名名称。涵盖的NSEC记录使用本文件中描述的选择加入方法。
The key words "MUST, "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY, and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [2].
本文件中的关键词“必须”、“不得”、“要求”、“应”、“不应”、“应”、“不应”、“建议”、“可”和“可选”应按照RFC 2119[2]中所述进行解释。
This document describes an EXPERIMENTAL extension to DNSSEC. It interoperates with non-experimental DNSSEC using the technique described in [7]. This experiment is identified with the following private algorithms (using algorithm 253):
本文档描述了DNSSEC的实验扩展。它使用[7]中描述的技术与非实验性DNSSEC进行互操作。该实验通过以下私有算法(使用算法253)进行识别:
"3.optin.verisignlabs.com": is an alias for DNSSEC algorithm 3, DSA, and
“3.optin.verisinglabs.com”:是DNSSEC算法3、DSA和
"5.optin.verisignlabs.com": is an alias for DNSSEC algorithm 5, RSASHA1.
“5.optin.verisinglabs.com”:是DNSSEC算法5 RSASHA1的别名。
Servers wishing to sign and serve zones that utilize Opt-In MUST sign the zone with only one or more of these private algorithms and MUST NOT use any other algorithms.
希望签署并为使用Opt-In的区域提供服务的服务器必须仅使用一个或多个此类专用算法签署该区域,并且不得使用任何其他算法。
Resolvers MUST NOT apply the Opt-In validation rules described in this document unless a zone is signed using one or more of these private algorithms.
除非使用一个或多个专用算法对区域进行签名,否则解析程序不得应用本文档中描述的选择加入验证规则。
This experimental protocol relaxes the restriction that validators MUST ignore the setting of the NSEC bit in the type map as specified in RFC 4035 [6] Section 5.4.
该实验协议放宽了验证程序必须忽略RFC 4035[6]第5.4节规定的类型映射中NSEC位设置的限制。
The remainder of this document assumes that the servers and resolvers involved are aware of and are involved in this experiment.
本文档的其余部分假设所涉及的服务器和解析器知道并参与了此实验。
In DNSSEC, delegation NS RRsets are not signed, but are instead accompanied by an NSEC RRset of the same name and (possibly) a DS record. The security status of the subzone is determined by the presence or absence of the DS RRset, cryptographically proven by the NSEC record. Opt-In expands this definition by allowing insecure delegations to exist within an otherwise signed zone without the corresponding NSEC record at the delegation's owner name. These insecure delegations are proven insecure by using a covering NSEC record.
在DNSSEC中,授权NS RRset没有签名,而是伴随着同名的NSEC RRset和(可能)DS记录。子区域的安全状态由DS RRset的存在与否决定,NSEC记录以加密方式证明了这一点。Opt-In扩展了这一定义,允许不安全的委托存在于一个以其他方式签名的区域内,而在委托的所有者名下没有相应的NSEC记录。通过使用覆盖NSEC记录,这些不安全的委托被证明是不安全的。
Since this represents a change of the interpretation of NSEC records, resolvers must be able to distinguish between RFC standard DNSSEC NSEC records and Opt-In NSEC records. This is accomplished by "tagging" the NSEC records that cover (or potentially cover) insecure delegation nodes. This tag is indicated by the absence of the NSEC bit in the type map. Since the NSEC bit in the type map merely indicates the existence of the record itself, this bit is redundant and safe for use as a tag.
由于这代表了NSEC记录解释的变化,解析程序必须能够区分RFC标准DNSSEC NSEC记录和选择性加入NSEC记录。这是通过“标记”覆盖(或可能覆盖)不安全委派节点的NSEC记录来实现的。此标记由类型映射中缺少NSEC位表示。由于类型映射中的NSEC位仅指示记录本身的存在,因此该位是冗余的,可以安全地用作标记。
An Opt-In tagged NSEC record does not assert the (non)existence of the delegations that it covers (except for a delegation with the same name). This allows for the addition or removal of these delegations without recalculating or resigning records in the NSEC chain. However, Opt-In tagged NSEC records do assert the (non)existence of other RRsets.
选择加入标记的NSEC记录不声明其所涵盖的代表团(非)存在(同名代表团除外)。这允许添加或删除这些委托,而无需重新计算或更改NSEC链中的记录。然而,选择性加入标记的NSEC记录确实断言(不)存在其他RRSET。
An Opt-In NSEC record MAY have the same name as an insecure delegation. In this case, the delegation is proven insecure by the lack of a DS bit in the type map, and the signed NSEC record does assert the existence of the delegation.
选择加入NSEC记录可能与不安全的委派具有相同的名称。在这种情况下,由于类型映射中缺少DS位,委托被证明是不安全的,并且签名的NSEC记录确实断言委托的存在。
Zones using Opt-In MAY contain a mixture of Opt-In tagged NSEC records and standard DNSSEC NSEC records. If an NSEC record is not Opt-In, there MUST NOT be any insecure delegations (or any other records) between it and the RRsets indicated by the 'next domain name' in the NSEC RDATA. If it is Opt-In, there MUST only be insecure delegations between it and the next node indicated by the 'next domain name' in the NSEC RDATA.
使用Opt-In的区域可能包含Opt-In标记的NSEC记录和标准DNSSEC NSEC记录的混合。如果NSEC记录未选择加入,则其与NSEC RDATA中“下一个域名”指示的RRSET之间不得存在任何不安全的委托(或任何其他记录)。如果是选择性加入,则它与NSEC RDATA中“下一个域名”指示的下一个节点之间只能存在不安全的委托。
In summary,
总之,
o An Opt-In NSEC type is identified by a zero-valued (or not-specified) NSEC bit in the type bit map of the NSEC record.
o 选择加入NSEC类型由NSEC记录的类型位映射中的零值(或未指定)NSEC位标识。
o A standard DNSSEC NSEC type is identified by a one-valued NSEC bit in the type bit map of the NSEC record.
o 标准DNSSEC NSEC类型由NSEC记录的类型位映射中的一个单值NSEC位标识。
and
和
o An Opt-In NSEC record does not assert the non-existence of a name between its owner name and "next" name, although it does assert that any name in this span MUST be an insecure delegation.
o Opt-In NSEC记录并不断言其所有者名称和“next”名称之间不存在名称,尽管它断言此范围内的任何名称都必须是不安全的委派。
o An Opt-In NSEC record does assert the (non)existence of RRsets with the same owner name.
o Opt-In NSEC记录确实声明(不)存在具有相同所有者名称的RRSET。
Opt-In imposes some new requirements on authoritative DNS servers.
选择加入对权威DNS服务器提出了一些新要求。
This specification dictates that only insecure delegations may exist between the owner and "next" names of an Opt-In tagged NSEC record. Signing tools MUST NOT generate signed zones that violate this restriction. Servers MUST refuse to load and/or serve zones that violate this restriction. Servers also MUST reject AXFR or IXFR responses that violate this restriction.
本规范规定,选择性加入标记的NSEC记录的所有者和“下一个”名称之间只能存在不安全的委托。签名工具不得生成违反此限制的签名区域。服务器必须拒绝加载和/或服务违反此限制的区域。服务器还必须拒绝违反此限制的AXFR或IXFR响应。
When returning an Opt-In insecure delegation, the server MUST return the covering NSEC RRset in the Authority section.
当返回选择加入不安全的委派时,服务器必须返回权限部分中的覆盖NSEC RRset。
In standard DNSSEC, NSEC records already must be returned along with the insecure delegation. The primary difference that this proposal introduces is that the Opt-In tagged NSEC record will have a different owner name from the delegation RRset. This may require implementations to search for the covering NSEC RRset.
在标准DNSSEC中,NSEC记录必须与不安全的委托一起返回。该提案引入的主要区别在于,带Opt-In标记的NSEC记录的所有者名称将与委托集的所有者名称不同。这可能需要实现来搜索覆盖的NSEC RRset。
Opt-In changes the semantics of Secure DNS Dynamic Update [9]. In particular, it introduces the need for rules that describe when to add or remove a delegation name from the NSEC chain. This document does not attempt to define these rules. Until these rules are defined, servers MUST NOT process DNS Dynamic Update requests against zones that use Opt-In NSEC records. Servers SHOULD return responses to update requests with RCODE=REFUSED.
Opt-In更改安全DNS动态更新的语义[9]。特别是,它引入了对规则的需求,这些规则描述何时从NSEC链中添加或删除委派名称。本文档不尝试定义这些规则。在定义这些规则之前,服务器不得对使用Opt-In NSEC记录的区域处理DNS动态更新请求。服务器应返回RCODE=已拒绝的更新请求响应。
Opt-In imposes some new requirements on security-aware resolvers (caching or otherwise).
选择加入对安全感知解析器提出了一些新的要求(缓存或其他)。
As stated in Section 4.1 above, this specification restricts the namespace covered by Opt-In tagged NSEC records to insecure delegations only. Clients are not expected to take any special measures to enforce this restriction; instead, it forms an underlying assumption that clients may rely on.
如上文第4.1节所述,本规范将选择性加入标记的NSEC记录所涵盖的名称空间仅限于不安全的委托。客户无需采取任何特殊措施来执行该限制;相反,它形成了客户可能依赖的基本假设。
This specification does not change the resolver's resolution algorithm. However, it does change the DNSSEC validation process.
此规范不会更改解析器的解析算法。但是,它确实改变了DNSSEC验证过程。
Resolvers MUST be able to use Opt-In tagged NSEC records to cryptographically prove the validity and security status (as insecure) of a referral. Resolvers determine the security status of the referred-to zone as follows:
解析程序必须能够使用Opt-In标记的NSEC记录以加密方式证明引用的有效性和安全状态(不安全)。解析程序确定所引用区域的安全状态,如下所示:
o In standard DNSSEC, the security status is proven by the existence or absence of a DS RRset at the same name as the delegation. The existence of the DS RRset indicates that the referred-to zone is signed. The absence of the DS RRset is proven using a verified NSEC record of the same name that does not have the DS bit set in the type map. This NSEC record MAY also be tagged as Opt-In.
o 在标准DNSSEC中,安全状态通过存在或不存在与委托同名的DS RRset来证明。DS RRset的存在表明引用的区域已签名。使用在类型映射中未设置DS位的相同名称的已验证NSEC记录来证明没有DS RRset。此NSEC记录也可以标记为选择加入。
o Using Opt-In, the security status is proven by the existence of a DS record (for signed) or the presence of a verified Opt-In tagged NSEC record that covers the delegation name. That is, the NSEC record does not have the NSEC bit set in the type map, and the delegation name falls between the NSEC's owner and "next" name.
o 使用Opt-In,安全状态通过DS记录(用于签名)的存在或包含代表团名称的已验证Opt-In标记NSEC记录的存在来证明。也就是说,NSEC记录没有在类型映射中设置NSEC位,并且委托名称介于NSEC的所有者和“下一个”名称之间。
Using Opt-In does not substantially change the nature of following referrals within DNSSEC. At every delegation point, the resolver will have cryptographic proof that the referred-to subzone is signed or unsigned.
在DNSSEC内使用选择性加入不会实质性改变以下转介的性质。在每个委托点,解析器都会有密码证明,证明引用的子区域是有符号的或无符号的。
Since queries for DS records are directed to the parent side of a zone cut (see [5], Section 5), negative responses to these queries may be covered by an Opt-In flagged NSEC record.
由于对DS记录的查询指向分区切割的父侧(见[5],第5节),对这些查询的负面响应可能会被标记为选择加入的NSEC记录覆盖。
Resolvers MUST be able to use Opt-In tagged NSEC records to cryptographically prove the validity and security status of negative responses to queries for DS records. In particular, a NOERROR/NODATA (i.e., RCODE=3, but the answer section is empty) response to a DS query may be proven by an Opt-In flagged covering NSEC record, rather than an NSEC record matching the query name.
解析程序必须能够使用Opt-In标记的NSEC记录以加密方式证明对DS记录查询的否定响应的有效性和安全状态。特别地,对DS查询的NOERROR/NODATA(即,RCODE=3,但应答部分为空)响应可以通过覆盖NSEC记录的Opt-In标记来证明,而不是通过与查询名称匹配的NSEC记录。
Caching resolvers MUST be able to retrieve the appropriate covering Opt-In NSEC record when returning referrals that need them. This requirement differs from standard DNSSEC in that the covering NSEC will not have the same owner name as the delegation. Some implementations may have to use new methods for finding these NSEC records.
缓存解析程序必须能够在返回需要它们的引用时检索适当的覆盖Opt-In NSEC记录。该要求与标准DNSSEC的不同之处在于,涵盖NSEC的所有者名称与委托的所有者名称不同。一些实现可能必须使用新方法来查找这些NSEC记录。
The AD bit, as defined by [3] and [6], MUST NOT be set when:
在下列情况下,不得设置[3]和[6]定义的AD位:
o sending a Name Error (RCODE=3) response where the covering NSEC is tagged as Opt-In.
o 发送名称错误(RCODE=3)响应,其中覆盖NSEC被标记为Opt-In。
o sending an Opt-In insecure delegation response, unless the covering (Opt-In) NSEC record's owner name equals the delegation name.
o 发送选择加入不安全的委派响应,除非覆盖(选择加入)NSEC记录的所有者名称等于委派名称。
o sending a NOERROR/NODATA response when query type is DS and the covering NSEC is tagged as Opt-In, unless NSEC record's owner name matches the query name.
o 当查询类型为DS且覆盖NSEC标记为Opt-In时,发送NOERROR/NODATA响应,除非NSEC记录的所有者名称与查询名称匹配。
This rule is based on what the Opt-In NSEC record actually proves: for names that exist between the Opt-In NSEC record's owner and "next" names, the Opt-In NSEC record cannot prove the non-existence or existence of the name. As such, not all data in the response has been cryptographically verified, so the AD bit cannot be set.
该规则基于Opt-In NSEC记录实际证明的内容:对于Opt-In NSEC记录的所有者和“下一个”名称之间存在的名称,Opt-In NSEC记录不能证明该名称不存在或存在。因此,并非响应中的所有数据都经过加密验证,因此无法设置AD位。
Using Opt-In allows administrators of large and/or changing delegation-centric zones to minimize the overhead involved in maintaining the security of the zone.
使用Opt-In允许大型和/或不断变化的以委派为中心的区域的管理员将维护区域安全所涉及的开销降至最低。
Opt-In accomplishes this by eliminating the need for NSEC records for insecure delegations. This, in a zone with a large number of delegations to unsigned subzones, can lead to substantial space savings (both in memory and on disk). Additionally, Opt-In allows for the addition or removal of insecure delegations without modifying
选择加入通过消除不安全代表团对NSEC记录的需要来实现这一点。在有大量委托给未签名子区域的区域中,这可以节省大量空间(内存和磁盘)。此外,选择加入允许添加或删除不安全的委派,而无需修改
the NSEC record chain. Zones that are frequently updating insecure delegations (e.g., Top-Level Domains (TLDs)) can avoid the substantial overhead of modifying and resigning the affected NSEC records.
NSEC记录链。频繁更新不安全委托(例如顶级域(TLD))的区域可以避免修改和重新指定受影响的NSEC记录的大量开销。
Consider the zone EXAMPLE shown below. This is a zone where all of the NSEC records are tagged as Opt-In.
考虑下面显示的区域示例。这是一个区域,所有NSEC记录都标记为选择加入。
Example A: Fully Opt-In Zone.
示例A:完全选择加入区域。
EXAMPLE. SOA ... EXAMPLE. RRSIG SOA ... EXAMPLE. NS FIRST-SECURE.EXAMPLE. EXAMPLE. RRSIG NS ... EXAMPLE. DNSKEY ... EXAMPLE. RRSIG DNSKEY ... EXAMPLE. NSEC FIRST-SECURE.EXAMPLE. ( SOA NS RRSIG DNSKEY ) EXAMPLE. RRSIG NSEC ...
实例SOA。。。实例RRSIG SOA。。。实例NS FIRST-SECURE.EXAMPLE。实例RRSIG NS。。。实例DNSKEY。。。实例RRSIG DNSKEY。。。实例NSEC FIRST-SECURE.EXAMPLE。(SOA NS RRSIG DNSKEY)示例。RRSIG NSEC。。。
FIRST-SECURE.EXAMPLE. A ... FIRST-SECURE.EXAMPLE. RRSIG A ... FIRST-SECURE.EXAMPLE. NSEC NOT-SECURE-2.EXAMPLE. A RRSIG FIRST-SECURE.EXAMPLE. RRSIG NSEC ...
第一个例子。A.第一个例子。RRSIG A。。。第一个例子。NSEC不安全-2.0示例。一个RRSIG FIRST-SECURE.EXAMPLE。RRSIG NSEC。。。
NOT-SECURE.EXAMPLE. NS NS.NOT-SECURE.EXAMPLE. NS.NOT-SECURE.EXAMPLE. A ...
不安全。例如。NS.NOT-SECURE.EXAMPLE。NS.NOT-SECURE.EXAMPLE。A.
NOT-SECURE-2.EXAMPLE. NS NS.NOT-SECURE.EXAMPLE. NOT-SECURE-2.EXAMPLE NSEC SECOND-SECURE.EXAMPLE NS RRSIG NOT-SECURE-2.EXAMPLE RRSIG NSEC ...
不安全,例如。NS.NOT-SECURE.EXAMPLE。不安全-2.示例NSEC SECOND-SECURE.示例NS RRSIG不安全-2.示例RRSIG NSEC。。。
SECOND-SECURE.EXAMPLE. NS NS.ELSEWHERE. SECOND-SECURE.EXAMPLE. DS ... SECOND-SECURE.EXAMPLE. RRSIG DS ... SECOND-SECURE.EXAMPLE. NSEC EXAMPLE. NS RRSIG DNSKEY SECOND-SECURE.EXAMPLE. RRSIG NSEC ...
第二个例子。在别处。第二个例子。DS。。。第二个例子。RRSIG DS。。。第二个例子。NSEC就是一个例子。NS RRSIG DNSKEY SECOND-SECURE.EXAMPLE。RRSIG NSEC。。。
UNSIGNED.EXAMPLE. NS NS.UNSIGNED.EXAMPLE. NS.UNSIGNED.EXAMPLE. A ...
UNSIGNED.EXAMPLE。NS.UNSIGNED.EXAMPLE。NS.UNSIGNED.EXAMPLE。A.
Example A.
例A。
In this example, a query for a signed RRset (e.g., "FIRST-SECURE.EXAMPLE A") or a secure delegation ("WWW.SECOND-SECURE.EXAMPLE A") will result in a standard DNSSEC response.
在本例中,对签名RRset(例如,“FIRST-SECURE.example a”)或安全委托(“WWW.SECOND-SECURE.example a”)的查询将导致标准DNSSEC响应。
A query for a nonexistent RRset will result in a response that differs from standard DNSSEC by the following: the NSEC record will be tagged as Opt-In, there may be no NSEC record proving the non-existence of a matching wildcard record, and the AD bit will not be set.
对不存在的RRset的查询将导致响应与标准DNSSEC的不同之处在于:NSEC记录将标记为Opt-in,可能没有NSEC记录证明不存在匹配的通配符记录,并且不会设置AD位。
A query for an insecure delegation RRset (or a referral) will return both the answer (in the Authority section) and the corresponding Opt-In NSEC record to prove that it is not secure.
查询不安全的委托RRset(或转介)将返回答案(在授权部分)和相应的Opt-in NSEC记录,以证明其不安全。
Example A.1: Response to query for WWW.UNSIGNED.EXAMPLE. A
示例A.1:对WWW.UNSIGNED.Example查询的响应。A.
RCODE=NOERROR, AD=0
RCODE=NOERROR,AD=0
Answer Section:
答覆部分:
Authority Section: UNSIGNED.EXAMPLE. NS NS.UNSIGNED.EXAMPLE SECOND-SECURE.EXAMPLE. NSEC EXAMPLE. NS RRSIG DS SECOND-SECURE.EXAMPLE. RRSIG NSEC ...
权限部分:UNSIGNED.EXAMPLE。NS.UNSIGNED.EXAMPLE SECOND-SECURE.EXAMPLE。NSEC就是一个例子。NS RRSIG DS SECOND-SECURE.EXAMPLE。RRSIG NSEC。。。
Additional Section: NS.UNSIGNED.EXAMPLE. A ...
附加部分:NS.UNSIGNED.EXAMPLE。A.
Example A.1
例A.1
In the Example A.1 zone, the EXAMPLE. node MAY use either style of NSEC record, because there are no insecure delegations that occur between it and the next node, FIRST-SECURE.EXAMPLE. In other words, Example A would still be a valid zone if the NSEC record for EXAMPLE. was changed to the following RR:
在示例A.1区域中,示例。节点可以使用任意一种NSEC记录,因为在它和下一个节点FIRST-SECURE.EXAMPLE之间不存在不安全的委托。换句话说,举例来说,如果NSEC记录为空,则示例A仍然是有效区域。已更改为以下RR:
EXAMPLE. NSEC FIRST-SECURE.EXAMPLE. (SOA NS RRSIG DNSKEY NSEC )
实例NSEC FIRST-SECURE.EXAMPLE。(国家海洋局、国家海洋局、挪威国家海洋局)
However, the other NSEC records (FIRST-SECURE.EXAMPLE. and SECOND-SECURE.EXAMPLE.) MUST be tagged as Opt-In because there are insecure delegations in the range they define. (NOT-SECURE.EXAMPLE. and UNSIGNED.EXAMPLE., respectively).
但是,其他NSEC记录(FIRST-SECURE.EXAMPLE.和SECOND-SECURE.EXAMPLE.)必须标记为Opt-In,因为在它们定义的范围内存在不安全的委托。(分别为NOT-SECURE.EXAMPLE.和UNSIGNED.EXAMPLE.)。
NOT-SECURE-2.EXAMPLE. is an example of an insecure delegation that is part of the NSEC chain and also covered by an Opt-In tagged NSEC record. Because NOT-SECURE-2.EXAMPLE. is a signed name, it cannot be
不安全,例如。是一个不安全的委托的例子,该委托是NSEC链的一部分,也包含在一个Opt-In标记的NSEC记录中。因为不安全,例如。是已签名的名称,不能为空
removed from the zone without modifying and resigning the prior NSEC record. Delegations with names that fall between NOT-SECURE-2.EXAMPLE. and SECOND-SECURE.EXAMPLE. may be added or removed without resigning any NSEC records.
从区域中删除,而不修改和重新指定先前的NSEC记录。名称介于NOT-SECURE-2之间的代表团。例如。还有第二个例子。可以在不放弃任何NSEC记录的情况下添加或删除。
Opt-In is not backwards compatible with standard DNSSEC and is considered experimental. Standard DNSSEC-compliant implementations would not recognize Opt-In tagged NSEC records as different from standard NSEC records. Because of this, standard DNSSEC implementations, if they were to validate Opt-In style responses, would reject all Opt-In insecure delegations within a zone as invalid. However, by only signing with private algorithms, standard DNSSEC implementations will treat Opt-In responses as unsigned.
选择加入与标准DNSSEC不向后兼容,被认为是实验性的。符合DNSSEC标准的实施不会将带选择性加入标签的NSEC记录识别为与标准NSEC记录不同。因此,如果标准DNSSEC实现要验证Opt-In样式的响应,则会将区域内所有Opt-In不安全的委托视为无效而拒绝。但是,通过仅使用私有算法签名,标准DNSSEC实现将把选择加入响应视为未签名。
It should be noted that all elements in the resolution path between (and including) the validator and the authoritative name server must be aware of the Opt-In experiment and implement the Opt-In semantics for successful validation to be possible. In particular, this includes any caching middleboxes between the validator and authoritative name server.
应该注意的是,验证程序和权威名称服务器之间(包括验证程序和权威名称服务器)的解析路径中的所有元素都必须知道Opt-in实验,并实现Opt-in语义,以便成功验证。特别是,这包括验证程序和权威名称服务器之间的任何缓存中间盒。
Opt-In allows for unsigned names, in the form of delegations to unsigned subzones, to exist within an otherwise signed zone. All unsigned names are, by definition, insecure, and their validity or existence cannot be cryptographically proven.
Opt-In允许未签名的名称以委托给未签名分区的形式存在于其他签名分区内。根据定义,所有未签名的名称都是不安全的,并且它们的有效性或存在性无法通过密码验证。
In general:
一般来说:
o Records with unsigned names (whether or not existing) suffer from the same vulnerabilities as records in an unsigned zone. These vulnerabilities are described in more detail in [12] (note in particular Sections 2.3, "Name Games" and 2.6, "Authenticated Denial").
o 具有未签名名称的记录(无论是否存在)与未签名区域中的记录具有相同的漏洞。这些漏洞在[12]中有更详细的描述(请特别注意第2.3节“命名游戏”和第2.6节“认证拒绝”)。
o Records with signed names have the same security whether or not Opt-In is used.
o 无论是否使用Opt-In,具有签名名称的记录都具有相同的安全性。
Note that with or without Opt-In, an insecure delegation may have its contents undetectably altered by an attacker. Because of this, the primary difference in security that Opt-In introduces is the loss of the ability to prove the existence or nonexistence of an insecure delegation within the span of an Opt-In NSEC record.
请注意,无论是否选择加入,不安全的委派的内容都可能被攻击者检测不到。因此,Opt-in引入的主要安全性差异是无法证明Opt-in NSEC记录范围内存在或不存在不安全的委托。
In particular, this means that a malicious entity may be able to insert or delete records with unsigned names. These records are normally NS records, but this also includes signed wildcard expansions (while the wildcard record itself is signed, its expanded name is an unsigned name), which can be undetectably removed or used to replace an existing unsigned delegation.
特别是,这意味着恶意实体可能能够插入或删除具有未签名名称的记录。这些记录通常是NS记录,但也包括有符号的通配符扩展(通配符记录本身是有符号的,其扩展名是无符号名称),可以不可检测地删除或用于替换现有的无符号委派。
For example, if a resolver received the following response from the example zone above:
例如,如果解析器从上面的示例区域收到以下响应:
Example S.1: Response to query for WWW.DOES-NOT-EXIST.EXAMPLE. A
示例S.1:对WWW.DOES-NOT-EXIST.Example查询的响应。A.
RCODE=NOERROR
RCODE=NOERROR
Answer Section:
答覆部分:
Authority Section: DOES-NOT-EXIST.EXAMPLE. NS NS.FORGED. EXAMPLE. NSEC FIRST-SECURE.EXAMPLE. SOA NS \ RRSIG DNSKEY EXAMPLE. RRSIG NSEC ...
权限部分:不存在。示例。伪造的。实例NSEC FIRST-SECURE.EXAMPLE。SOA NS\RRSIG DNSKEY示例。RRSIG NSEC。。。
Additional Section:
附加部分:
Attacker has forged a name
攻击者伪造了一个名字
The resolver would have no choice but to believe that the referral to NS.FORGED. is valid. If a wildcard existed that would have been expanded to cover "WWW.DOES-NOT-EXIST.EXAMPLE.", an attacker could have undetectably removed it and replaced it with the forged delegation.
冲突解决者别无选择,只能相信提交给NS的文件是伪造的。这是有效的。如果存在一个通配符,该通配符将被扩展为包含“WWW.DOES-NOT-EXIST.EXAMPLE.”,则攻击者可能无法检测到该通配符并将其替换为伪造的委派。
Note that being able to add a delegation is functionally equivalent to being able to add any record type: an attacker merely has to forge a delegation to the nameserver under his/her control and place whatever records are needed at the subzone apex.
请注意,能够添加委派在功能上等同于能够添加任何记录类型:攻击者只需伪造对其控制下的名称服务器的委派,并将所需的任何记录放置在子区域顶点。
While in particular cases, this issue may not present a significant security problem, in general it should not be lightly dismissed. Therefore, it is strongly RECOMMENDED that Opt-In be used sparingly. In particular, zone signing tools SHOULD NOT default to Opt-In, and MAY choose not to support Opt-In at all.
虽然在某些情况下,这一问题可能不会造成重大的安全问题,但总的来说,不应轻视这一问题。因此,强烈建议节约使用选择性加入。特别是,区域签名工具不应默认为Opt-In,并且可以选择根本不支持Opt-In。
The contributions, suggestions, and remarks of the following persons (in alphabetic order) to this document are acknowledged:
兹确认以下人士(按字母顺序)对本文件的贡献、建议和评论:
Mats Kolkman, Edward Lewis, Ted Lindgreen, Rip Loomis, Bill Manning, Dan Massey, Scott Rose, Mike Schiraldi, Jakob Schlyter, Brian Wellington.
Mats Kolkman、Edward Lewis、Ted Lindgreen、Rip Loomis、Bill Manning、Dan Massey、Scott Rose、Mike Schiraldi、Jakob Schlyter、Brian Wellington。
[1] Mockapetris, P., "Domain names - implementation and specification", STD 13, RFC 1035, November 1987.
[1] Mockapetris,P.,“域名-实现和规范”,STD 13,RFC 10351987年11月。
[2] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[2] Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,1997年3月。
[3] Wellington, B. and O. Gudmundsson, "Redefinition of DNS Authenticated Data (AD) bit", RFC 3655, November 2003.
[3] Wellington,B.和O.Gudmundsson,“DNS认证数据(AD)位的重新定义”,RFC 3655,2003年11月。
[4] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, "DNS Security Introduction and Requirements", RFC 4033, March 2005.
[4] Arends,R.,Austein,R.,Larson,M.,Massey,D.,和S.Rose,“DNS安全介绍和要求”,RFC 4033,2005年3月。
[5] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, "Resource Records for the DNS Security Extensions", RFC 4034, March 2005.
[5] Arends,R.,Austein,R.,Larson,M.,Massey,D.,和S.Rose,“DNS安全扩展的资源记录”,RFC 40342005年3月。
[6] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, "Protocol Modifications for the DNS Security Extensions", RFC 4035, March 2005.
[6] Arends,R.,Austein,R.,Larson,M.,Massey,D.,和S.Rose,“DNS安全扩展的协议修改”,RFC 4035,2005年3月。
[7] Blacka, D., "DNSSEC Experiments", RFC 4955, July 2007.
[7] Blacka,D.,“DNSSEC实验”,RFC 49552007年7月。
[8] Elz, R. and R. Bush, "Clarifications to the DNS Specification", RFC 2181, July 1997.
[8] Elz,R.和R.Bush,“DNS规范的澄清”,RFC 21811997年7月。
[9] Wellington, B., "Secure Domain Name System (DNS) Dynamic Update", RFC 3007, November 2000.
[9] 威灵顿,B.,“安全域名系统(DNS)动态更新”,RFC 3007,2000年11月。
[10] Lewis, E., "DNS Security Extension Clarification on Zone Status", RFC 3090, March 2001.
[10] Lewis,E.“关于区域状态的DNS安全扩展澄清”,RFC 3090,2001年3月。
[11] Conrad, D., "Indicating Resolver Support of DNSSEC", RFC 3225, December 2001.
[11] Conrad,D.“指示DNSSEC的分解器支持”,RFC 3225,2001年12月。
[12] Atkins, D. and R. Austein, "Threat Analysis of the Domain Name System (DNS)", RFC 3833, August 2004.
[12] Atkins,D.和R.Austein,“域名系统(DNS)的威胁分析”,RFC 38332004年8月。
Appendix A. Implementing Opt-In Using "Views"
附录A.使用“视图”实施选择加入
In many cases, it may be convenient to implement an Opt-In zone by combining two separately maintained "views" of a zone at request time. In this context, "view" refers to a particular version of a zone, not to any specific DNS implementation feature.
在许多情况下,通过在请求时合并两个单独维护的区域“视图”,可以方便地实现选择加入区域。在此上下文中,“视图”指的是区域的特定版本,而不是任何特定的DNS实现功能。
In this scenario, one view is the secure view, the other is the insecure (or legacy) view. The secure view consists of an entirely signed zone using Opt-In tagged NSEC records. The insecure view contains no DNSSEC information. It is helpful, although not necessary, for the secure view to be a subset (minus DNSSEC records) of the insecure view.
在此场景中,一个视图是安全视图,另一个是不安全(或遗留)视图。安全视图由使用Opt-In标记的NSEC记录的完全签名区域组成。不安全视图不包含DNSSEC信息。将安全视图作为不安全视图的子集(减去DNSSEC记录)是有帮助的,尽管不是必需的。
In addition, the only RRsets that may solely exist in the insecure view are non-zone-apex NS RRsets. That is, all non-NS RRsets (and the zone apex NS RRset) MUST be signed and in the secure view.
此外,可能仅存在于不安全视图中的唯一RRSET是非分区apex NS RRSET。也就是说,所有非NS RRset(以及区域apex NS RRset)必须在安全视图中签名。
These two views may be combined at request time to provide a virtual, single Opt-In zone. The following algorithm is used when responding to each query:
这两个视图可以在请求时合并,以提供一个虚拟的单一选择加入区域。响应每个查询时使用以下算法:
V_A is the secure view as described above.
V_A是如上所述的安全视图。
V_B is the insecure view as described above.
V_B是如上所述的不安全视图。
R_A is a response generated from V_A, following standard DNSSEC.
R_A是由V_A生成的响应,遵循标准DNSSEC。
R_B is a response generated from V_B, following DNS resolution as per RFC 1035 [1].
R_B是根据RFC 1035[1]进行DNS解析后,由V_B生成的响应。
R_C is the response generated by combining R_A with R_B, as described below.
R_C是通过组合R_A和R_B生成的响应,如下所述。
A query is DNSSEC-aware if it either has the DO bit [11] turned on or is for a DNSSEC-specific record type.
如果查询的DO位[11]处于打开状态,或者是针对DNSSEC特定的记录类型,则该查询是DNSSEC感知的。
1. If V_A is a subset of V_B and the query is not DNSSEC-aware, generate and return R_B, otherwise
1. 如果V_A是V_B的子集,且查询不支持DNSSEC,则生成并返回R_B,否则
2. Generate R_A.
2. 生成R_A。
3. If R_A's RCODE != NXDOMAIN, return R_A, otherwise
3. 如果R_A的RCODE!=NXDOMAIN,返回R_A,否则为
4. Generate R_B and combine it with R_A to form R_C:
4. 生成R_B并将其与R_A组合以形成R_C:
For each section (ANSWER, AUTHORITY, ADDITIONAL), copy the records from R_A into R_B, EXCEPT the AUTHORITY section SOA record, if R_B's RCODE = NOERROR.
对于每个部分(答案、权限、附加),如果R_B的RCODE=NOERROR,则将记录从R_A复制到R_B,但权限部分SOA记录除外。
5. Return R_C.
5. 返回R_C。
Authors' Addresses
作者地址
Roy Arends Nominet Sandford Gate Sandy Lane West Oxford OX4 6LB UNITED KINGDOM
Roy Arends Nominet Sandford Gate Sandy Lane西牛津OX4 6LB英国
Phone: +44 1865 332211
EMail: roy@nominet.org.uk
Phone: +44 1865 332211
EMail: roy@nominet.org.uk
Mark Kosters VeriSign, Inc. 21355 Ridgetop Circle Dulles, VA 20166 US
Mark Kosters VeriSign,Inc.美国弗吉尼亚州杜勒斯Ridgetop Circle 21355,邮编20166
Phone: +1 703 948 3200
EMail: mkosters@verisign.com
URI: http://www.verisignlabs.com
Phone: +1 703 948 3200
EMail: mkosters@verisign.com
URI: http://www.verisignlabs.com
David Blacka VeriSign, Inc. 21355 Ridgetop Circle Dulles, VA 20166 US
David Blacka VeriSign,Inc.美国弗吉尼亚州杜勒斯Ridgetop Circle 21355,邮编20166
Phone: +1 703 948 3200
EMail: davidb@verisign.com
URI: http://www.verisignlabs.com
Phone: +1 703 948 3200
EMail: davidb@verisign.com
URI: http://www.verisignlabs.com
Full Copyright Statement
完整版权声明
Copyright (C) The IETF Trust (2007).
版权所有(C)IETF信托基金(2007年)。
This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.
本文件受BCP 78中包含的权利、许可和限制的约束,除其中规定外,作者保留其所有权利。
This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
本文件及其包含的信息以“原样”为基础提供,贡献者、他/她所代表或赞助的组织(如有)、互联网协会、IETF信托基金和互联网工程任务组不承担任何明示或暗示的担保,包括但不限于任何保证,即使用本文中的信息不会侵犯任何权利,或对适销性或特定用途适用性的任何默示保证。
Intellectual Property
知识产权
The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.
IETF对可能声称与本文件所述技术的实施或使用有关的任何知识产权或其他权利的有效性或范围,或此类权利下的任何许可可能或可能不可用的程度,不采取任何立场;它也不表示它已作出任何独立努力来确定任何此类权利。有关RFC文件中权利的程序信息,请参见BCP 78和BCP 79。
Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.
向IETF秘书处披露的知识产权副本和任何许可证保证,或本规范实施者或用户试图获得使用此类专有权利的一般许可证或许可的结果,可从IETF在线知识产权存储库获取,网址为http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.
IETF邀请任何相关方提请其注意任何版权、专利或专利申请,或其他可能涵盖实施本标准所需技术的专有权利。请将信息发送至IETF的IETF-ipr@ietf.org.
Acknowledgement
确认
Funding for the RFC Editor function is currently provided by the Internet Society.
RFC编辑功能的资金目前由互联网协会提供。