DNS Security (DNSSEC) Hashed Authenticated Denial of Existence
draft-ietf-dnsext-nsec3-13

Remaining issue is this, from Sam. The text in the document can be misinterpreted, and needs to be clarified. This should happen in -12, and then we ask Sam to clear his discuss after the rewrite.

Section 12.1.3 surprises me.  It sketches a transition strategy to new
hashes different than the one I would expect to have worked.  I'm not
sure the strategy described in 12.1.3 is sufficiently well explained
that I can evaluate it and confirm that it can be implemented.  Please
expand this sketch until it can be evaluated.

Sam Weiler has new text as well to be incorporated in -12

[Ballot discuss]
I don't understand the extensibility and incremental deployment model
for nsec3.  There is a flags field in both the nsec3 RR and the
nsec3params RR.  However validators are required to discard records
with unknown flags set.  In effect these flags are all critical.  Why
is that the right approach?  Couldn't you more easily get that
behavior by having a record other than nsec3 if you wanted to break
interoperability?  When would a critical flag be useful in this
protocol?

Section 10.4 is written with the assumption that people want to break
the interoperability of existing secure zones when they transition to
nsec3.  I guess that's OK if we assume that people only want to use
NSEC3 if they want opt-out or no enumeration.  That is if NSEC3 is
intended to continue along NSEC f rather than to eventually replace
it.  If that's so then perhaps section 2 needs to be updated to make
this clear.  If that's not the case then don't you want a transition
strategy that allows both NSEC and NSEC3 keys to exist at the same time?

Section 12.1.3 surprises me.  It sketches a transition strategy to new
hashes different than the one I would expect to have worked.  I'm not
sure the strategy described in 12.1.3 is sufficiently well explained
that I can evaluate it and confirm that it can be implemented.  Please
expand this sketch until it can be evaluated.


Section c.2.3 provides a protocol extension with insufficient detail
to provide interoperable implementation.  Please either expand this
definition sufficiently and work it into the body of the document that
it is required for a validator to support or otherwise render it
harmless.  In particular, I don't see anything in the body of a
document that tells a validator that it needs to accept truncated
names for NSEC3.  If this was an option that was considered and
rejected clearly mark it that way.

[Ballot comment]
From the Gen-ART Review by Pasi Eronen:

  1) This document creates a new registry for NSEC3 RR hash algorithms.
  Is there a reason why the existing registry for DS RR hash algorithms
  can't be used?

  2) Section 10.1: it would be useful to give a numerical example of
  what the maximum length is (for say, "foo.example.com" zone and SHA-1),
  instead of just saying "it depends".

  3) Appendix A: it would be useful if the example zone contained
  a list of hashes-vs-names as comments (they're included later
  in the example queries/answers, but wouldn't hurt repeating them...).

  4) Section C.1 seems to be in wrong place. Given its location, I
  would expect to find only some background information, not sentences
  containing MUST or SHOULD keywords. Probably this should be somewhere
  earlier in the document?

  5) I found Section C.2.3 very confusing. It's not clear whether this
  section describes a feature of the protocol, or a feature that was
  proposed but was not included (and design rationale why not). Either
  way, this section needs clarification.

[Ballot comment]
1) This document creates a new registry for NSEC3 RR hash algorithms.
  Is there a reason why the existing registry for DS RR hash algorithms
  can't be used?

  2) Section 10.1: it would be useful to give a numerical example of
  what the maximum length is (for say, "foo.example.com" zone and SHA-1),
  instead of just saying "it depends".

  3) Appendix A: it would be useful if the example zone contained
  a list of hashes-vs-names as comments (they're included later
  in the example queries/answers, but wouldn't hurt repeating them...).

  4) Section C.1 seems to be in wrong place. Given its location, I
  would expect to find only some background information, not sentences
  containing MUST or SHOULD keywords. Probably this should be somewhere
  earlier in the document?

  5) I found Section C.2.3 very confusing. It's not clear whether this
  section describes a feature of the protocol, or a feature that was
  proposed but was not included (and design rationale why not). Either
  way, this section needs clarification.

[Ballot discuss]
(1) Section 10.3 provides tables with a maximum number of hash iterations
based on the signing algorithm and key size employed by the server.
If a higher number of iterations is employed, hashing the name will
be more costly than computing the signature.  In this case, the resolver
MAY choose to validate the signature (but not compute the hash) and
treat the result as insecure.

I am okay with the concept that hashing a name should not take more
time than verifying the signature.  That is a sensible starting point,
but using this criteria in isolation has odd security and performance
implications.  This table limits the protection against dictionary
attacks in RSA-signed zones to 10% of the maximum protection
against dictionary attacks in DSA-signed zones. The table encourages use of
high iteration counts (degrading performance) when a zone uses DSA,
which is already more expensive to verify.

Given that RSA 1024 and DSA 1024 provide comparable security, I would
assume that we would be looking for the same level of protection
against attacks.  I would prefer to see the maximum iteration counts
for RSA used for both algorithms.

(2) in the Security Considerations:

Section 12.1.1 states that pre-calculated dictionary attacks are
prevented by changing the salt regularly.  This is only true if
salts are unpredictable (e.g., randomly generated) and large.  That
is, if a use a counter for my salt, the attacker can prepare for
some future date.  If the salts are small, the attacker can still
generate all possible dictionaries.  I could not find any requirements
or guidance regarding generation of the salt.

[Ballot comment]
Appendix C.1 begins with the statement:

"Augmenting original owner names with salt before hashing increases
the cost of a dictionary of pre-generated hash-values."

It would be helpful if this section explained that including a salt,
regardless of size, does not affect the cost of constructing the
NSEC3 RRs using the method outlined in section 7.1.  (It does,
however, increase the size of the NSEC3 RR.  That should also be
noted.)

[Ballot discuss]
(1) Section 10.3 provides tables with a maximum number of hash iterations
based on the signing algorithm and key size employed by the server.
If a higher number of iterations is employed, hashing the name will
be more costly than computing the signature.  In this case, the resolver
MAY choose to validate the signature (but not compute the hash) and
treat the result as insecure.

I am okay with the concept that hashing a name should not take more
time than verifying the signature.  That is a sensible starting point,
but using this criteria in isolation has odd security and performance
implications.  This table limits the protection against dictionary
attacks in RSA-signed zones to 10% of the maximum protection
against dictionary attacks in DSA-signed zones. The table encourages use of
high iteration counts (degrading performance) when a zone uses DSA,
which is already more expensive to verify.

Given that RSA 1024 and DSA 1024 provide comparable security, I would
assume that we would be looking for the same level of protection
against attacks.  I would prefer to see the maximum iteration counts
for RSA used for both algorithms.

(2) in the Security Considerations:

Section 12.1.1 states that pre-calculated dictionary attacks are
prevented by changing the salt regularly.  This is only true if
salts are unpredictable (e.g., randomly generated) and large.  That
is, if a use a counter for my salt, the attacker can prepare for
some future date.  If the salts are small, the attacker can still
generate all possible dictionaries.  I could not find any requirements
or guidance regarding generation of the salt.

IANA Last Call Comments:

[ Questions:
- Does the NSEC Flags Field (3.1.2, 4.1.2) need a registry?
- Can you verify that the key flags in the new DNS Security
Algorithm Numbers are correct? You don't explain how you
want the registry filled in the document, but by saying
"alias" we assume that you want the flags copied.
]

Upon approval of this document, the IANA will take the
following Actions:

Action 1:

Upon approval of this document, the IANA will make the
following assignments in the "DOMAIN NAME SYSTEM
PARAMETERS" registry located at

http://www.iana.org/assignments/dns-parameters

sub-registry "In the Internet (IN) class the following
Resource Record (RR) TYPEs and QTYPEs"

TYPE value and meaning Reference
---------- -------------------------------------- ---------
NSEC3 [tbd (50 suggested)] NSEC3 [RFC-dnsext-nsec3-10]
NSEC3PARAM [tbd (51 suggested)] NSEC3PARAM [RFC-dnsext-nsec3-10]


Action 2:

Upon approval of this document, the IANA will make
the following assignments in the "DNS SECURITY
ALGORITHM NUMBERS" registry located at

http://www.iana.org/assignments/dns-sec-alg-numbers

Zone Trans.
Number Description Mnemonic Signing Sec.
Reference
------ ------------------------------ -------- ------- ------
---------
[tbd] DSA-NSEC3 DSA-NSEC3 Y Y
[RFC-dnsext-nsec3-10]
[tbd] RSASHA1-NSEC3 RSASHA1-NSEC3 Y Y
[RFC-dnsext-nsec3-10]


Action 3:

Upon approval of this document, the IANA will create
the following registry "DNSSEC NSEC3 Hash Algorithms"
located at

http://www.iana.org/assignments/TBD

Assignment of additional NSEC3 hash algorithms in
this registry requires IETF Standards Action [RFC2434].

Initial contents of this registry will be:

Number Description Reference
------ -------------------------------- ---------
0 Reserved [RFC-dnsext-nsec3-10]
1 SHA-1 [RFC-dnsext-nsec3-10]
2-255 Reserved to IANA [RFC-dnsext-nsec3-10]


We understand the above to be the only IANA Actions
for this document.

PROTO Write-up

    (1.a)  Who is the Document Shepherd for this document?  Has the
          Document Shepherd personally reviewed this version of the
          document and, in particular, does he or she believe this
          version is ready for forwarding to the IESG for publication?

Olaf Kolkman will shepherd this document.


Both chairs reviewed the document and believe this document is ready for publication.


    (1.b)  Has the document had adequate review both from key WG members
          and from key non-WG members?  Does the Document Shepherd have
          any concerns about the depth or breadth of the reviews that
          have been performed?

The document has been reviewed by key working group members. During the development of the protocol several groups implemented it and there were two protocol and interoperability testing workshops.

Among the respondents to the WGLC were:

    o Matt Larson
    (http://ops.ietf.org/lists/namedroppers/namedroppers.2007/
msg00114.html)

    o Wouter Wijngaards
    (http://ops.ietf.org/lists/namedroppers/namedroppers.2007/
msg00072.html)

    o Marcos Sanz
    (http://ops.ietf.org/lists/namedroppers/namedroppers.2007/
msg00116.html)

    o Suresh Krishnaswamy
    (http://ops.ietf.org/lists/namedroppers/namedroppers.2007/
msg00107.html)

    o Scott Rose
    (http://ops.ietf.org/lists/namedroppers/namedroppers.2007/
msg00082.html)

    o Peter Koch
    (http://ops.ietf.org/lists/namedroppers/namedroppers.2007/
msg00127.html)


    (1.c)  Does the Document Shepherd have concerns that the document
          needs more review from a particular or broader perspective,
          e.g., security, operational complexity, someone familiar with
          AAA, internationalization or XML?

The document specifies a mechanism to obfuscate zone content while
supplying authenticated proof on non-existence of names and contains a
fair amount of 'security related' material.


    (1.d)  Does the Document Shepherd have any specific concerns or
          issues with this document that the Responsible Area Director
          and/or the IESG should be aware of?  For example, perhaps he
          or she is uncomfortable with certain parts of the 
document, or
          has concerns whether there really is a need for it.  In any
          event, if the WG has discussed those issues and has indicated
          that it still wishes to advance the document, detail those
          concerns here.  Has an IPR disclosure related to this 
document
          been filed?  If so, please include a reference to the
          disclosure and summarize the WG discussion and conclusion on
          this issue.

This document addresses introduces two features that are considered
to be imperative for deployment in a number of TLDs and some
corporate environments.

    o The obfuscation of the NSEC span through supplying a span of
      hashed owner names.

    o The ability to signal a semantic change from "no names are
      existing in the span" to "no secure delegations exist in the span"

The latter feature is flagged with the opt-out flag field and was
currently known as "opt-in" (cf. draft-ietf-dnsext-dnssec-opt-in). The
opt-in feature used to be contentious but it is clear that the
consensus in the working group has shifted over the years.


    (1.e)  How solid is the WG consensus behind this document?  Does it
          represent the strong concurrence of a few individuals, with
          others being silent, or does the WG as a whole understand and
          agree with it?


The working group consensus is solid.

    (1.f)  Has anyone threatened an appeal or otherwise indicated 
extreme
          discontent?  If so, please summarize the areas of conflict in
          separate email messages to the Responsible Area Director. 
(It
          should be in a separate email because this questionnaire is
          entered into the ID Tracker.)

No.

    (1.g)  Has the Document Shepherd personally verified that the
          document satisfies all ID nits?  (See
          http://www.ietf.org/ID-Checklist.html and
          http://tools.ietf.org/tools/idnits/).  Boilerplate checks are
          not enough; this check needs to be thorough.  Has the 
document
          met all formal review criteria it needs to, such as the MIB
          Doctor, media type and URI type reviews?

Yes.


    (1.h)  Has the document split its references into normative and
          informative?  Are there normative references to documents 
that
          are not ready for advancement or are otherwise in an unclear
          state?  If such normative references exist, what is the
          strategy for their completion?  Are there normative 
references
          that are downward references, as described in [RFC3967]?  If
          so, list these downward references to support the Area
          Director in the Last Call procedure for them [RFC3967].


The references are split and there are no downward refs.



    (1.i)  Has the Document Shepherd verified that the document IANA
          consideration section exists and is consistent with the body
          of the document?  If the document specifies protocol
          extensions, are reservations requested in appropriate IANA
          registries?  Are the IANA registries clearly identified?  If
          the document creates a new registry, does it define the
          proposed initial contents of the registry and an allocation
          procedure for future registrations?  Does it suggest a
          reasonable name for the new registry?  See [RFC2434].  If the
          document describes an Expert Review process has Shepherd
          conferred with the Responsible Area Director so that the IESG
          can appoint the needed Expert during the IESG Evaluation?


The IANA are unambiguous.

However there is an important rfc editor instruction:

After the IANA allocation has been done the examples in the Appendix
will need to be regenerated because the signature generation algorithm
uses also includes RR types as input.

The RFC editor should not edit the Appendices before the IANA type-code
has been assigned and the examples have been regenerated by the editor.



    (1.j)  Has the Document Shepherd verified that sections of the
          document that are written in a formal language, such as XML
          code, BNF rules, MIB definitions, etc., validate correctly in
          an automated checker?

There is no such language.

But on this note: While implementing parts of the functionality into a
perl library the examples where used as test cases (Coincidentally
this shepherd maintains a Perl Library for DNS code). See note above 
about
regenerating the examples.


    (1.k)  The IESG approval announcement includes a Document
          Announcement Write-Up.  Please provide such a Document
          Announcement Write-Up?  Recent examples can be found in the
          "Action" announcements for approved documents.  The approval
          announcement contains the following sections:

          Technical Summary
              Relevant content can frequently be found in the abstract
              and/or introduction of the document.  If not, this may be
              an indication that there are deficiencies in the abstract
              or introduction.

The Domain Name System Security Extensions (DNSSEC) introduced the
NSEC resource record (RR) for authenticated denial of existence.
Though the NSEC RR meets the requirements for authenticated denial of
existence, it introduces a side-effect in that the contents of a zone
can be enumerated.  This property introduces undesired policy issues.

A second problem is that the cost to cryptographically secure
delegations to unsigned zones is high for large delegation-centric
zones and zones where insecure delegations will be updated rapidly.
(Typically these are top level domains). For these zones, the costs of
maintaining the NSEC record chain may be extremely high relative to
the gain of cryptographically authenticating existence of unsecured
zones.

This document presents the NSEC3 Resource Record which can be used as
an alternative to NSEC to mitigate these issues.

This document introduces an alternative resource record, NSEC3, which
similarly provides authenticated denial of existence.  However, it
also provides measures against zone enumeration and permits gradual
expansion of delegation-centric zones.

This specification is intended to be published on the standards track.


          Working Group Summary
              Was there anything in WG process that is worth noting? 
For
              example, was there controversy about particular points or
              were there decisions where the consensus was particularly
              rough?

The OPT out feature of NSEC3 used to be a point of contention in the
DNSEXT working group. The working group did not bring OPT-OUT up as an
issue during the development of the draft or during last call. The
chairs are convinced that the feature was not introduced under the
radar and that the working group consents with the feature being
introduced.

The iterations count has been subject to discussion because it may be
used to  trigger DOS attacks on resolvers. The WG consensus is to
recommend a limitation  on the number of iterations that a resolver is
supposed to carry out.


          Document Quality
              Are there existing implementations of the protocol? 
Have a
              significant number of vendors indicated their plan to
              implement the specification?  Are there any reviewers that
              merit special mention as having done a thorough review,
              e.g., one that resulted in important changes or a
              conclusion that the document had no substantive 
issues?  If
              there was a MIB Doctor, Media Type or other expert review,
              what was its course (briefly)?  In the case of a Media 
Type
              review, on what date was the request posted?

During the development of the specification there were two workshops
organized in which, among others, 3 operators (Nominet, Verisign and
DENIC) and two Developers (ISC and NLnet) participated. During the
workshops serious signaling issues were discovered which lead to the
NSEC3PARAM RR.

The specification has been implemented, albeit not in production code,
in: BIND (authoritative server, validating resolver, caching name 
server), NSD
(authoritative only), LDNS (library and troubleshooting tools),
UNBOUND Java (validating resolver), Sparta's library (validating 
resolver),
Net::DNS (Library, only parsing functions and helper methods) and about
4 different zone signers.

Operators have indicated this specification to be imperative for
DNSSEC deployment.



          Personnel
              Who is the Document Shepherd for this document?  Who is 
the
              Responsible Area Director? Is an IANA expert needed?

Shepherd: Olaf Kolkman (olaf@nlnetlabs.nl)
AD: Mark Townsley
No specific IANA expertise is needed.


Kind regards,

--Olaf