-
Notifications
You must be signed in to change notification settings - Fork 2
/
nsec5.txt
1960 lines (1235 loc) · 71.3 KB
/
nsec5.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
Network Working Group J. Vcelak
Internet-Draft CZ.NIC
Intended status: Standards Track S. Goldberg
Expires: August 12, 2019 Boston University
D. Papadopoulos
HKUST
S. Huque
Salesforce
D. Lawrence
Akamai Technologies
February 8, 2019
NSEC5, DNSSEC Authenticated Denial of Existence
draft-vcelak-nsec5-07
Abstract
The Domain Name System Security Extensions (DNSSEC) introduced two
resource records (RR) for authenticated denial of existence: the NSEC
RR and the NSEC3 RR. This document introduces NSEC5 as an
alternative mechanism for DNSSEC authenticated denial of existence.
NSEC5 uses verifiable random functions (VRFs) to prevent offline
enumeration of zone contents. NSEC5 also protects the integrity of
the zone contents even if an adversary compromises one of the
authoritative servers for the zone. Integrity is preserved because
NSEC5 does not require private zone-signing keys to be present on all
authoritative servers for the zone, in contrast to DNSSEC online
signing schemes like NSEC3 White Lies.
Ed note
Text inside square brackets ([]) is additional background
information, answers to frequently asked questions, general musings,
etc. They will be removed before publication. This document is
being collaborated on in GitHub at <https://github.com/fcelda/
nsec5-draft>. The most recent version of the document, open issues,
etc should all be available there. The authors gratefully accept
pull requests.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
Vcelak, et al. Expires August 12, 2019 [Page 1]
Internet-Draft NSEC5 February 2019
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on August 12, 2019.
Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Rationale . . . . . . . . . . . . . . . . . . . . . . . . 3
1.2. Requirements . . . . . . . . . . . . . . . . . . . . . . 6
1.3. Terminology . . . . . . . . . . . . . . . . . . . . . . . 6
2. Backward Compatibility . . . . . . . . . . . . . . . . . . . 6
3. How NSEC5 Works . . . . . . . . . . . . . . . . . . . . . . . 7
4. NSEC5 Algorithms . . . . . . . . . . . . . . . . . . . . . . 8
5. The NSEC5KEY Resource Record . . . . . . . . . . . . . . . . 9
5.1. NSEC5KEY RDATA Wire Format . . . . . . . . . . . . . . . 9
5.2. NSEC5KEY RDATA Presentation Format . . . . . . . . . . . 9
6. The NSEC5 Resource Record . . . . . . . . . . . . . . . . . . 9
6.1. NSEC5 RDATA Wire Format . . . . . . . . . . . . . . . . . 10
6.2. NSEC5 Flags Field . . . . . . . . . . . . . . . . . . . . 10
6.3. NSEC5 RDATA Presentation Format . . . . . . . . . . . . . 11
7. The NSEC5PROOF Resource Record . . . . . . . . . . . . . . . 11
7.1. NSEC5PROOF RDATA Wire Format . . . . . . . . . . . . . . 11
7.2. NSEC5PROOF RDATA Presentation Format . . . . . . . . . . 12
8. Types of Authenticated Denial of Existence with NSEC5 . . . . 12
8.1. Name Error Responses . . . . . . . . . . . . . . . . . . 12
8.2. No Data Responses . . . . . . . . . . . . . . . . . . . . 13
8.2.1. No Data Response, Opt-Out Not In Effect . . . . . . . 13
Vcelak, et al. Expires August 12, 2019 [Page 2]
Internet-Draft NSEC5 February 2019
8.2.2. No Data Response, Opt-Out In Effect . . . . . . . . . 14
8.3. Wildcard Responses . . . . . . . . . . . . . . . . . . . 14
8.4. Wildcard No Data Responses . . . . . . . . . . . . . . . 14
9. Authoritative Server Considerations . . . . . . . . . . . . . 15
9.1. Zone Signing . . . . . . . . . . . . . . . . . . . . . . 15
9.1.1. Precomputing Closest Provable Encloser Proofs . . . . 16
9.2. Zone Serving . . . . . . . . . . . . . . . . . . . . . . 17
9.3. NSEC5KEY Rollover Mechanism . . . . . . . . . . . . . . . 18
9.4. Secondary Servers . . . . . . . . . . . . . . . . . . . . 18
9.5. Zones Using Unknown NSEC5 Algorithms . . . . . . . . . . 18
9.6. Dynamic Updates . . . . . . . . . . . . . . . . . . . . . 18
10. Resolver Considerations . . . . . . . . . . . . . . . . . . . 19
11. Validator Considerations . . . . . . . . . . . . . . . . . . 19
11.1. Validating Responses . . . . . . . . . . . . . . . . . . 19
11.2. Validating Referrals to Unsigned Subzones . . . . . . . 20
11.3. Responses With Unknown NSEC5 Algorithms . . . . . . . . 20
12. Special Considerations . . . . . . . . . . . . . . . . . . . 20
12.1. Transition Mechanism . . . . . . . . . . . . . . . . . . 20
12.2. Private NSEC5 keys . . . . . . . . . . . . . . . . . . . 20
12.3. Domain Name Length Restrictions . . . . . . . . . . . . 21
13. Implementation Status . . . . . . . . . . . . . . . . . . . . 21
14. Performance Considerations . . . . . . . . . . . . . . . . . 21
15. Security Considerations . . . . . . . . . . . . . . . . . . . 21
15.1. Zone Enumeration Attacks . . . . . . . . . . . . . . . . 21
15.2. Compromise of the Private NSEC5 Key . . . . . . . . . . 22
15.3. Key Length Considerations . . . . . . . . . . . . . . . 22
15.4. NSEC5 Hash Collisions . . . . . . . . . . . . . . . . . 22
16. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 23
17. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 23
18. References . . . . . . . . . . . . . . . . . . . . . . . . . 24
18.1. Normative References . . . . . . . . . . . . . . . . . . 24
18.2. Informative References . . . . . . . . . . . . . . . . . 25
Appendix A. Examples . . . . . . . . . . . . . . . . . . . . . . 27
A.1. Name Error Example . . . . . . . . . . . . . . . . . . . 27
A.2. No Data Example . . . . . . . . . . . . . . . . . . . . . 29
A.3. Delegation to an Unsigned Zone in an Opt-Out span Example 30
A.4. Wildcard Example . . . . . . . . . . . . . . . . . . . . 31
A.5. Wildcard No Data Example . . . . . . . . . . . . . . . . 32
Appendix B. Change Log . . . . . . . . . . . . . . . . . . . . . 33
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 34
1. Introduction
1.1. Rationale
NSEC5 provides an alternative mechanism for authenticated denial of
existence for the DNS Security Extensions (DNSSEC). NSEC5 has two
key security properties. First, NSEC5 protects the integrity of the
Vcelak, et al. Expires August 12, 2019 [Page 3]
Internet-Draft NSEC5 February 2019
zone contents even if an adversary compromises one of the
authoritative servers for the zone. Second, NSEC5 prevents offline
zone enumeration, where an adversary makes a small number of online
DNS queries and then processes them offline in order to learn all of
the names in a zone. Zone enumeration can be used to identify
routers, servers or other "things" that could then be targeted in
more complex attacks. An enumerated zone can also be a source of
probable email addresses for spam, or as a "key for multiple WHOIS
queries to reveal registrant data that many registries may have legal
obligations to protect" [RFC5155].
All other DNSSEC mechanisms for authenticated denial of existence
either fail to preserve integrity against a compromised server, or
fail to prevent offline zone enumeration.
When offline signing with NSEC is used [RFC4034], an NSEC chain of
all existing domain names in the zone is constructed and signed
offline. The chain is made of resource records (RRs), where each RR
represents two consecutive domain names in canonical order present in
the zone. The authoritative server proves the non-existence of a
name by presenting a signed NSEC RR which covers the name. Because
the authoritative server does not need not to know the private zone-
signing key, the integrity of the zone is protected even if the
server is compromised. However, the NSEC chain allows for easy zone
enumeration: N queries to the server suffice to learn all N names in
the zone (see e.g., [nmap-nsec-enum], [nsec3map], and [ldns-walk]).
When offline signing with NSEC3 is used [RFC5155], the original names
in the NSEC chain are replaced by their cryptographic hashes.
Offline signing ensures that NSEC3 preserves integrity even if an
authoritative server is compromised. However, offline zone
enumeration is still possible with NSEC3 (see e.g., [nsec3walker],
[nsec3gpu]), and is part of standard network reconnaissance tools
(e.g., [nmap-nsec3-enum], [nsec3map]).
When online signing is used, the authoritative server holds the
private zone-signing key and uses this key to synthesize NSEC or
NSEC3 responses on the fly (e.g. NSEC3 White Lies (NSEC3-WL) or
Minimally-Covering NSEC, both described in [RFC7129]). Because the
synthesized response only contains information about the queried name
(but not about any other name in the zone), offline zone enumeration
is not possible. However, because the authoritative server holds the
private zone-signing key, integrity is lost if the authoritative
server is compromised.
Vcelak, et al. Expires August 12, 2019 [Page 4]
Internet-Draft NSEC5 February 2019
+----------+-------------+---------------+----------------+---------+
| Scheme | Integrity | Integrity vs | Prevents | Online |
| | vs network | compromised | offline zone | crypto? |
| | attacks? | auth. server? | enumeration? | |
+----------+-------------+---------------+----------------+---------+
| Unsigned | NO | NO | YES | NO |
| NSEC | YES | YES | NO | NO |
| NSEC3 | YES | YES | NO | NO |
| NSEC3-WL | YES | NO | YES | YES |
| NSEC5 | YES | YES | YES | YES |
+----------+-------------+---------------+----------------+---------+
NSEC5 prevents offline zone enumeration and also protects integrity
even if a zone's authoritative server is compromised. To do this,
NSEC5 replaces the unkeyed cryptographic hash function used in NSEC3
with a verifiable random function (VRF) [I-D.irtf-cfrg-vrf] [MRV99].
A VRF is the public-key version of a keyed cryptographic hash. Only
the holder of the private VRF key can compute the hash, but anyone
with public VRF key can verify the correctness of the hash.
The public VRF key is distributed in an NSEC5KEY RR, similar to a
DNSKEY RR, and is used to verify NSEC5 hash values. The private VRF
key is present on all authoritative servers for the zone, and is used
to compute hash values. For every query that elicits a negative
response, the authoritative server hashes the query on the fly using
the private VRF key, and also returns the corresponding precomputed
NSEC5 record(s). In contrast to the online signing approach
[RFC7129], the private key that is present on all authoritative
servers for NSEC5 cannot be used to modify the zone contents.
Like online signing approaches, NSEC5 requires the authoritative
server to perform online public key cryptographic operations for
every query eliciting a denying response. This is necessary; [nsec5]
proved that online cryptography is required to prevent offline zone
enumeration while still protecting the integrity of zone contents
against network attacks.
NSEC5 is not intended to replace NSEC or NSEC3. It is an alternative
mechanism for authenticated denial of existence. This document
specifies NSEC5 based on the VRFs in [I-D.irtf-cfrg-vrf] over the
FIPS 186-3 P-256 elliptic curve and over the the Ed25519 elliptic
curve. A formal cryptographic proof of security for NSEC5 is in
[nsec5ecc].
Vcelak, et al. Expires August 12, 2019 [Page 5]
Internet-Draft NSEC5 February 2019
1.2. Requirements
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
1.3. Terminology
The reader is assumed to be familiar with the basic DNS and DNSSEC
concepts described in [RFC1034], [RFC1035], [RFC4033], [RFC4034], and
[RFC4035]; subsequent RFCs that update them in [RFC2136], [RFC2181],
[RFC2308], [RFC5155], and [RFC7129]; and DNS terms in [RFC7719].
The reader should also be familiar with verifiable random functions
(VRFs) as defined in [I-D.irtf-cfrg-vrf].
The following terminology is used through this document:
Base32hex: The "Base 32 Encoding with Extended Hex Alphabet" as
specified in [RFC4648]. The padding characters ("=") are not used
in the NSEC5 specification.
Base64: The "Base 64 Encoding" as specified in [RFC4648].
QNAME: The domain name being queried (query name).
Private NSEC5 key: The private key for the verifiable random
function (VRF).
Public NSEC5 key: The public key for the VRF.
NSEC5 proof: A VRF proof. The holder of the private NSEC5 key
(e.g., authoritative server) can compute the NSEC5 proof for an
input domain name. Anyone who knows the public VRF key can verify
that the NSEC5 proof corresponds to the input domain name.
NSEC5 hash: A cryptographic digest of an NSEC5 proof. If the NSEC5
proof is known, anyone can compute its corresponding NSEC5 hash.
NSEC5 algorithm: A triple of VRF algorithms that compute an NSEC5
proof (VRF_prove), verify an NSEC5 proof (VRF_verify), and process
an NSEC5 proof to obtain its NSEC5 hash (VRF_proof_to_hash).
2. Backward Compatibility
The specification describes a protocol change that is not backward
compatible with [RFC4035] and [RFC5155]. An NSEC5-unaware resolver
will fail to validate responses introduced by this document.
Vcelak, et al. Expires August 12, 2019 [Page 6]
Internet-Draft NSEC5 February 2019
To prevent NSEC5-unaware resolvers from attempting to validate the
responses, new DNSSEC algorithms identifiers are introduced in
Section 16 which alias existing algorithm numbers. The zones signed
according to this specification MUST use only these algorithm
identifiers, thus NSEC5-unaware resolvers will treat the zone as
insecure.
3. How NSEC5 Works
With NSEC5, the original domain name is hashed using a VRF
[I-D.irtf-cfrg-vrf] using the following steps:
1. The domain name is processed using a VRF keyed with the private
NSEC5 key to obtain the NSEC5 proof. Anyone who knows the public
NSEC5 key, normally acquired via an NSEC5KEY RR, can verify that
a given NSEC5 proof corresponds to a given domain name.
2. The NSEC5 proof is then processed using a publicly-computable VRF
VRF_proof_to_hash function to obtain the NSEC5 hash. The NSEC5
hash can be computed by anyone who knows the input NSEC5 proof.
The NSEC5 hash determines the position of a domain name in an NSEC5
chain.
To sign a zone, the private NSEC5 key is used to compute the NSEC5
hashes for each name in the zone. These NSEC5 hashes are sorted in
canonical order [RFC4034], and each consecutive pair forms an NSEC5
RR. Each NSEC5 RR is signed offline using the private zone-signing
key. The resulting signed chain of NSEC5 RRs is provided to all
authoritative servers for the zone, along with the private NSEC5 key.
To prove non-existence of a particular domain name in response to a
query, the server uses the private NSEC5 key to compute the NSEC5
proof and NSEC5 hash corresponding to the queried name. The server
then identifies the NSEC5 RR that covers the NSEC5 hash, and responds
with this NSEC5 RR and its corresponding RRSIG signature RRset, as
well as a synthesized NSEC5PROOF RR that contains the NSEC5 proof
corresponding to the queried name.
To validate the response, the client verifies the following items:
o The client uses the public NSEC5 key, normally acquired from the
NSEC5KEY RR, to verify that the NSEC5 proof in the NSEC5PROOF RR
corresponds to the queried name.
o The client uses the VRF_proof_to_hash function to compute the
NSEC5 hash from the NSEC5 proof in the NSEC5PROOF RR. The client
verifies that the NSEC5 hash is covered by the NSEC5 RR.
Vcelak, et al. Expires August 12, 2019 [Page 7]
Internet-Draft NSEC5 February 2019
o The client verifies that the NSEC5 RR is validly signed by the
RRSIG RRset.
4. NSEC5 Algorithms
The algorithms used for NSEC5 authenticated denial are independent of
the algorithms used for DNSSEC signing. An NSEC5 algorithm defines
how the NSEC5 proof and the NSEC5 hash are computed and validated.
The NSEC5 proof corresponding to a name is computed using
ECVRF_prove(), as specified in [I-D.irtf-cfrg-vrf]. The input to
ECVRF_prove() is a private NSEC5 key and the RR owner name in
[RFC4034] canonical wire format. The output of ECVRF_prove() is an
octet string.
An NSEC5 hash corresponding to a name is computed from its NSEC5
proof using ECVRF_proof_to_hash(), as specified in
[I-D.irtf-cfrg-vrf]. The input to ECVRF_proof_to_hash() is an NSEC5
proof as an octet string. The output NSEC5 hash is either an octet
string, or INVALID.
An NSEC5 proof for a name is verified using ECVRF_verify(), as
specified in [I-D.irtf-cfrg-vrf]. The input is the NSEC5 public key,
followed by an NSEC5 proof as an octet string, followed by an RR
owner name in [RFC4034] canonical wire format. The output is either
VALID or INVALID.
This document defines the EC-P256-SHA256 NSEC5 algorithm as follows:
o The VRF is the ECVRF algorithm using the ECVRF-P256-SHA256
ciphersuite specified in [I-D.irtf-cfrg-vrf].
o The public key format to be used in the NSEC5KEY RR is defined in
Section 4 of [RFC6605] and thus is the same as the format used to
store ECDSA public keys in DNSKEY RRs.
[NOTE: This specification does not compress the elliptic curve
point used for the public key, but we do compress curve points in
every other place we use them. The NSEC5KEY record can be shrunk
by 31 additional octets by encoding the public key with point
compression.]
This document defines the EC-ED25519-SHA512 NSEC5 algorithm as
follows:
o The VRF is the EC-VRF algorithm using the ECVRF-ED25519-SHA512
ciphersuite specified in [I-D.irtf-cfrg-vrf].
Vcelak, et al. Expires August 12, 2019 [Page 8]
Internet-Draft NSEC5 February 2019
o The public key format to be used in the NSEC5KEY RR is defined in
Section 3 of [RFC8080] and thus is the same as the format used to
store Ed25519 public keys in DNSKEY RRs.
[NOTE: Could alternatively have the EC-ED25519-SHA512 NSEC5
ciphersuite use the EC-VRF-ED25519-SHA512-ELLIGATOR2 ciphersuite
specified in [I-D.irtf-cfrg-vrf].]
5. The NSEC5KEY Resource Record
The NSEC5KEY RR stores a public NSEC5 key. The key allows clients to
validate an NSEC5 proof sent by a server.
5.1. NSEC5KEY RDATA Wire Format
The RDATA for the NSEC5KEY RR is as shown below:
1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Algorithm | Public Key /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Algorithm is a single octet identifying the NSEC5 algorithm.
Public Key is a variable-sized field holding public key material for
NSEC5 proof verification.
5.2. NSEC5KEY RDATA Presentation Format
The presentation format of the NSEC5KEY RDATA is as follows:
The Algorithm field is represented as an unsigned decimal integer.
The Public Key field is represented in Base64 encoding. Whitespace
is allowed within the Base64 text.
6. The NSEC5 Resource Record
The NSEC5 RR provides authenticated denial of existence for an RRset
or domain name. One NSEC5 RR represents one piece of an NSEC5 chain,
proving existence of the owner name and non-existence of other domain
names in the part of the hashed domain space that is covered until
the next owner name hashed in the RDATA.
Vcelak, et al. Expires August 12, 2019 [Page 9]
Internet-Draft NSEC5 February 2019
6.1. NSEC5 RDATA Wire Format
The RDATA for the NSEC5 RR is as shown below:
1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Key Tag | Flags | Next Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Next Hashed Owner Name /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
/ Type Bit Maps /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The Key Tag field contains the key tag value of the NSEC5KEY RR that
validates the NSEC5 RR, in network byte order. The value is computed
from the NSEC5KEY RDATA using the same algorithm used to compute key
tag values for DNSKEY RRs. This algorithm is defined in [RFC4034].
The Flags field is a single octet. The meaning of individual bits of
the field is defined in Section 6.2.
The Next Length field is an unsigned single octet specifying the
length of the Next Hashed Owner Name field in octets.
The Next Hashed Owner Name field is a sequence of binary octets. It
contains an NSEC5 hash of the next domain name in the NSEC5 chain.
Type Bit Maps is a variable-sized field encoding RR types present at
the original owner name matching the NSEC5 RR. The format of the
field is equivalent to the format used in the NSEC3 RR, described in
[RFC5155].
6.2. NSEC5 Flags Field
The following one-bit NSEC5 flags are defined:
0 1 2 3 4 5 6 7
+-+-+-+-+-+-+-+-+
| |W|O|
+-+-+-+-+-+-+-+-+
O - Opt-Out flag
W - Wildcard flag
All the other flags are reserved for future use and MUST be zero.
Vcelak, et al. Expires August 12, 2019 [Page 10]
Internet-Draft NSEC5 February 2019
The Opt-Out flag has the same semantics as in NSEC3. The definition
and considerations in [RFC5155] are valid, except that NSEC3 is
replaced by NSEC5.
The Wildcard flag indicates that a wildcard synthesis is possible at
the original domain name level (i.e., there is a wildcard node
immediately descending from the immediate ancestor of the original
domain name). The purpose of the Wildcard flag is to reduce the
maximum number of RRs required for an authenticated denial of
existence proof from (at most) three to (at most) two, as originally
described in [I-D.gieben-nsec4] Section 7.2.1.
6.3. NSEC5 RDATA Presentation Format
The presentation format of the NSEC5 RDATA is as follows:
The Key Tag field is represented as an unsigned decimal integer.
The Flags field is represented as an unsigned decimal integer.
The Next Length field is not represented.
The Next Hashed Owner Name field is represented as a sequence of
case-insensitive Base32hex digits without any whitespace and without
padding.
The Type Bit Maps representation is equivalent to the representation
used in NSEC3 RR, described in [RFC5155].
7. The NSEC5PROOF Resource Record
The NSEC5PROOF record is not to be included in the zone file. The
NSEC5PROOF record contains the NSEC5 proof, proving the position of
the owner name in an NSEC5 chain.
7.1. NSEC5PROOF RDATA Wire Format
The RDATA for the NSEC5PROOF RR is shown below:
1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Key Tag | Owner Name Hash /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Key Tag field contains the key tag value of the NSEC5KEY RR that
validates the NSEC5PROOF RR, in network byte order.
Vcelak, et al. Expires August 12, 2019 [Page 11]
Internet-Draft NSEC5 February 2019
Owner Name Hash is a variable-sized sequence of binary octets
encoding the NSEC5 proof of the owner name of the RR.
7.2. NSEC5PROOF RDATA Presentation Format
The presentation format of the NSEC5PROOF RDATA is as follows:
The Key Tag field is represented as an unsigned decimal integer.
The Owner Name Hash is represented in Base64 encoding. Whitespace is
allowed within the Base64 text.
8. Types of Authenticated Denial of Existence with NSEC5
This section summarizes all possible types of authenticated denial of
existence. For each type the following lists are included:
1. Facts to prove: the minimum amount of information that an
authoritative server must provide to a client to assure the
client that the response content is valid.
2. Authoritative server proofs: the names for which the NSEC5PROOF
RRs are synthesized and added into the response along with the
NSEC5 RRs matching or covering each such name. These records
together prove the listed facts.
3. Validator checks: the individual checks that a validating server
is required to perform on a response. The response content is
considered valid only if all of the checks pass.
If NSEC5 is said to match a domain name, the owner name of the NSEC5
RR has to be equivalent to an NSEC5 hash of that domain name. If an
NSEC5 RR is said to cover a domain name, the NSEC5 hash of the domain
name must sort in canonical order between that NSEC5 RR's Owner Name
and Next Hashed Owner Name.
8.1. Name Error Responses
Facts to prove:
Non-existence of the domain name that explictly matches the QNAME.
Non-existence of the wildcard that matches the QNAME.
Authoritative server proofs:
NSEC5PROOF for closest encloser and matching NSEC5 RR.
Vcelak, et al. Expires August 12, 2019 [Page 12]
Internet-Draft NSEC5 February 2019
NSEC5PROOF for next closer name and covering NSEC5 RR.
Validator checks:
Closest encloser is in the zone.
The NSEC5 RR matching the closest encloser has its Wildcard flag
cleared.
The NSEC5 RR matching the closest encloser does not have NS
without SOA in the Type Bit Map.
The NSEC5 RR matching the closest encloser does not have DNAME in
the Type Bit Map.
Next closer name is not in the zone.
8.2. No Data Responses
The processing of a No Data response for DS QTYPE differs if the Opt-
Out is in effect. For DS QTYPE queries, the validator has two
possible checking paths. The correct path can be simply decided by
inspecting if the NSEC5 RR in the response matches the QNAME.
Note that the Opt-Out is valid only for DS QTYPE queries.
8.2.1. No Data Response, Opt-Out Not In Effect
Facts to prove:
Existence of an RRset explicitly matching the QNAME.
Non-existence of QTYPE RRset matching the QNAME.
Non-existence of CNAME RRset matching the QNAME.
Authoritative server proofs:
NSEC5PROOF for the QNAME and matching NSEC5 RR.
Validator checks:
QNAME is in the zone.
NSEC5 RR matching the QNAME does not have QTYPE in Type Bit Map.
NSEC5 RR matching the QNAME does not have CNAME in Type Bit Map.
Vcelak, et al. Expires August 12, 2019 [Page 13]
Internet-Draft NSEC5 February 2019
8.2.2. No Data Response, Opt-Out In Effect
Facts to prove:
The delegation is not covered by the NSEC5 chain.
Authoritative server proofs:
NSEC5PROOF for closest provable encloser and matching NSEC5 RR.
Validator checks:
Closest provable encloser is in zone.
Closest provable encloser covers (not matches) the QNAME.
NSEC5 RR matching the closest provable encloser has Opt-Out flag
set.
8.3. Wildcard Responses
Facts to prove:
A signed positive response to the QNAME demonstrating the
existence of the wildcard (label count in RRSIG is less than in
QNAME), and also providing closest encloser name.
Non-existence of the domain name matching the QNAME.
Authoritative server proofs:
A signed positive response for the wildcard expansion of the
QNAME.
NSEC5PROOF for next closer name and covering NSEC5 RR.
Validator checks:
Next closer name is not in the zone.
8.4. Wildcard No Data Responses
Facts to prove:
The existence of the wildcard at the closest encloser to the
QNAME.
Vcelak, et al. Expires August 12, 2019 [Page 14]
Internet-Draft NSEC5 February 2019
Non-existence of both the QTYPE and of the CNAME type that matches
QNAME via wildcard expansion.
Authoritative server proofs:
NSEC5PROOF for source of synthesis (i.e., wildcard at closest
encloser) and matching NSEC5 RR.
NSEC5PROOF for next closer name and covering NSEC5 RR.
Validator checks:
Closest encloser to the QNAME exists.
NSEC5 RR matching the wildcard label prepended to the closest
encloser, and which does not have the bits corresponding to the
QTYPE and CNAME types set it the type bitmap.
9. Authoritative Server Considerations
9.1. Zone Signing
Zones using NSEC5 MUST satisfy the same properties as described in
Section 7.1 of [RFC5155], with NSEC3 replaced by NSEC5. In addition,
the following conditions MUST be satisfied as well:
o If the original owner name has a wildcard label immediately
descending from the original owner name, the corresponding NSEC5
RR MUST have the Wildcard flag set in the Flags field. Otherwise,
the flag MUST be cleared.
o The zone apex MUST include an NSEC5KEY RRset containing a NSEC5
public key allowing verification of the current NSEC5 chain.
The following steps describe one possible method to properly add
required NSEC5 related records into a zone. This is not the only
such existing method.
1. Select an algorithm for NSEC5 and generate the public and private
NSEC5 keys.
2. Add an NSEC5KEY RR into the zone apex containing the public NSEC5
key.
3. For each unique original domain name in the zone and each empty
non-terminal, add an NSEC5 RR. If Opt-Out is used, owner names
of unsigned delegations MAY be excluded.
Vcelak, et al. Expires August 12, 2019 [Page 15]
Internet-Draft NSEC5 February 2019
A. The owner name of the NSEC5 RR is the NSEC5 hash of the
original owner name encoded in Base32hex without padding,
prepended as a single label to the zone name.
B. Set the Key Tag field to be the key tag corresponding to the
public NSEC5 key.
C. Clear the Flags field. If Opt-Out is being used, set the
Opt-Out flag. If there is a wildcard label directly descending
from the original domain name, set the Wildcard flag. Note that
the wildcard can be an empty non-terminal (i.e., the wildcard
synthesis does not take effect and therefore the flag is not to
be set).
D. Set the Next Length field to a value determined by the used
NSEC5 algorithm. Leave the Next Hashed Owner Name field blank.
E. Set the Type Bit Maps field based on the RRsets present at
the original owner name.
4. Sort the set of NSEC5 RRs into canonical order.
5. For each NSEC5 RR, set the Next Hashed Owner Name field by using
the owner name of the next NSEC5 RR in the canonical order. If
the updated NSEC5 is the last NSEC5 RR in the chain, the owner
name of the first NSEC5 RR in the chain is used instead.
The NSEC5KEY and NSEC5 RRs MUST have the same class as the zone SOA
RR. Also the NSEC5 RRs SHOULD have the same TTL value as the SOA
minimum TTL field.
Notice that a use of Opt-Out is not indicated in the zone. This does
not affect the ability of a server to prove insecure delegations.
The Opt-Out MAY be part of the zone-signing tool configuration.
9.1.1. Precomputing Closest Provable Encloser Proofs
Per Section 8, the worst-case scenario when answering a negative
query with NSEC5 requires the authoritative server to respond with
two NSEC5PROOF RRs and two NSEC5 RRs. One pair of NSEC5PROOF and
NSEC5 RRs corresponds to the closest provable encloser, and the other
pair corresponds to the next closer name. The NSEC5PROOF
corresponding to the next closer name MUST be computed on the fly by
the authoritative server when responding to the query. However, the
NSEC5PROOF corresponding to the closest provable encloser MAY be
precomputed and stored as part of zone signing.
Vcelak, et al. Expires August 12, 2019 [Page 16]
Internet-Draft NSEC5 February 2019
Precomputing NSEC5PROOF RRs can halve the number of online
cryptographic computations required when responding to a negative
query. NSEC5PROOF RRs MAY be precomputed as part of zone signing as
follows: For each NSEC5 RR, compute an NSEC5PROOF RR corresponding to
the original owner name of the NSEC5 RR. The content of the
precomputed NSEC5PROOF record MUST be the same as if the record was
computed on the fly when serving the zone. NSEC5PROOF records are
not part of the zone and SHOULD be stored separately from the zone
file.
9.2. Zone Serving
This specification modifies DNSSEC-enabled DNS responses generated by
authoritative servers. In particular, it replaces use of NSEC or
NSEC3 RRs in such responses with NSEC5 RRs and adds NSEC5PROOF RRs.
According to the type of a response, an authoritative server MUST
include NSEC5 RRs in the response, as defined in Section 8. For each
NSEC5 RR in the response, a corresponding RRSIG RRset and an
NSEC5PROOF MUST be added as well. The NSEC5PROOF RR has its owner
name set to the domain name required according to the description in
Section 8. The class and TTL of the NSEC5PROOF RR MUST be the same
as the class and TTL value of the corresponding NSEC5 RR. The RDATA
payload of the NSEC5PROOF is set according to the description in
Section 7.1.
Notice that the NSEC5PROOF owner name can be a wildcard (e.g., source
of synthesis proof in wildcard No Data responses). The name also
always matches the domain name required for the proof while the NSEC5
RR may only cover (not match) the name in the proof (e.g., closest
encloser in Name Error responses).
If NSEC5 is used, an answering server MUST use exactly one NSEC5
chain for one signed zone.
NSEC5 MUST NOT be used in parallel with NSEC, NSEC3, or any other
authenticated denial of existence mechanism that allows for
enumeration of zone contents, as this would defeat a principal
security goal of NSEC5.
Similarly to NSEC3, the owner names of NSEC5 RRs are not represented
in the NSEC5 chain and therefore NSEC5 records deny their own
existence. The desired behavior caused by this paradox is the same
as described in Section 7.2.8 of [RFC5155].
Vcelak, et al. Expires August 12, 2019 [Page 17]
Internet-Draft NSEC5 February 2019
9.3. NSEC5KEY Rollover Mechanism
Replacement of the NSEC5 key implies generating a new NSEC5 chain.
The NSEC5KEY rollover mechanism is similar to "Pre-Publish Zone
Signing Key Rollover" as specified in [RFC6781]. The NSEC5KEY
rollover MUST be performed as a sequence of the following steps:
1. A new public NSEC5 key is added into the NSEC5KEY RRset in the
zone apex.
2. The old NSEC5 chain is replaced by a new NSEC5 chain constructed
using the new key. This replacement MUST happen as a single
atomic operation; the server MUST NOT be responding with RRs from
both the new and old chain at the same time.
3. The old public key is removed from the NSEC5KEY RRset in the zone
apex.
The minimum delay between steps 1 and 2 MUST be the time it takes for
the data to propagate to the authoritative servers, plus the TTL
value of the old NSEC5KEY RRset.
The minimum delay between steps 2 and 3 MUST be the time it takes for
the data to propagate to the authoritative servers, plus the maximum
zone TTL value of any of the data in the previous version of the
zone.
9.4. Secondary Servers
This document does not define mechanism to distribute private NSEC5
keys. See Section 15.2 for security considerations for private NSEC5
keys.
9.5. Zones Using Unknown NSEC5 Algorithms
Zones that are signed with an unknown NSEC5 algorithm or with an
unavailable private NSEC5 key cannot be effectively served. Such
zones SHOULD be rejected when loading and servers SHOULD respond with
RCODE=2 (Server failure) when handling queries that would fall under
such zones.
9.6. Dynamic Updates
A zone signed using NSEC5 MAY accept dynamic updates [RFC2136]. The