Internet-Draft Private DS Digest Types July 2024
Andrews Expires 23 January 2025 [Page]
Workgroup:
Network Working Group
Internet-Draft:
draft-andrews-private-ds-digest-types-00
Published:
Intended Status:
Standards Track
Expires:
Author:
M. Andrews
ISC

Private DS Digest Types

Abstract

When DS records where defined the ability to fully identify the DNSSEC algorithms using PRIVATEDNS and PRIVATEOID was overlooked.

This documents specifies 2 DS Algorithm Types which allow the DNSSEC algorithm sub type to be encoded in the DS record.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 23 January 2025.

Table of Contents

1. Introduction

When DS [RFC4034] records where defined the ability to fully identify the DNSSEC algorithms using PRIVATEDNS and PRIVATEOID was overlooked.

This document specifies 2 DS Algorithm Types, DIGESTDNS and DIGESTOID, which allow the DNSSEC algorithm sub types of PRIVATEDNS and PRIVATEOID respectively to be encoded in the DS record.

This allow validators which support private DNSSEC algorithms to properly identify the DNSKEY record the DS record matches. Currently if there are two or more entities using PRIVATEDNS or PRIVATEOID there is no way to differentiate the use and as such determine if the delegated zone is treated as secure or not.

2. DIGESTDNS

The DS digest type "DIGESTDNS" (TBA recommended 253) is used to identify the PRIVATEDNS algorithm used in the corresponding DNSKEY. The original digest field of the DS records is further broken down into 3 fields, the Sub Digest Type, the DNS NAME from the PRIVATEDNS DNSKEY record and digest of the DNSKEY record as identified by the Sub Digest Type field. The values of the Sub Digest Type field are drawn from the same table as the Digest Type.

                    1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|           Key Tag             |  PRIVATEDNS   |   DIGESTDNS   |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Sub Digest Type|                                               /
+-+-+-+-+-+-+-+-+                                               /
/                            Name                               /
/                                                               /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
/                                                               /
/                            Digest                             /
/                                                               /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

3. DIGESTOID

The DS digest type "DIGESTOID" (TBA recommended 254) is used to identify the PRIVATEOID algorithm used in the corresponding DNSKEY. The original digest field of the DS records is further broken down into 3 fields, the Sub Digest Type, the OID from the PRIVATEOID DNSKEY record and digest of the DNSKEY record as identified by the Sub Digest Type field. The values of the Sub Digest Type field are drawn from the same table as the Digest Type.

                    1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|           Key Tag             |  PRIVATEOID   |   DIGESTOID   |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Sub Digest Type|                                               /
+-+-+-+-+-+-+-+-+                                               /
/                            OID                                /
/                                                               /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
/                                                               /
/                            Digest                             /
/                                                               /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

4. Validation

When validating tha DNSKEY RRset using a private algorithm, in addition to matching the DNS Algorithm fields in the DS and DNSKEY records the corresponding NAME or OID from the DS and DNSKEY records also need to match. This is an extention to RFC 4033 and is backwards compatible. Validators that are unaware of DIGESTDNS or DIGESTOID will treat the zone as insecure if those are the only Digest Types present.

5. IANA Considerations

This document be the reference document for DIGESTDNS and DIGESTOID. That DIGESTDNS be assigned the value 253 and that DIGESTOID be assigned the value 254 in the DNSSEC Delegation Signer (DS) Resource Record (RR) Type Digest Algorithms registry to be consistent with the values for PRIVATEDNS (253) and PRIVATEOID (254) from DNS Security Algorithm Numbers. Both DIGESTDNS and DIGESTOID have status OPTIONAL.

6. Security Considerations

This document allows PRIVATEDNS and PRIVATEOID DNSKEYS to be used for secure delegations in DNSSEC.

7. Normative References

[RFC4034]
Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, "Resource Records for the DNS Security Extensions", RFC 4034, DOI 10.17487/RFC4034, , <https://www.rfc-editor.org/info/rfc4034>.

Appendix A. Design Choices

Why not just add Name or OID to the start of the existing digests for PRIVATEDNS and PRIVATEOID? This would break existing software that checks the length of the digest field against the digest type for known values. The existing checks are not conditional on the DNS Algorithm.

Why not use a single Digest Type Value and use the DNS Algorithm to identify whether the second field is a DNS name or an OID? This was definitely possible but I felt it was cleaner to use two values.

What about RRSIG? RRSIG strictly doesn't need to fully identify the signing key but it would be advantages to also identify the the DNSKEY algorithm along with the keyid. Whether the private key identifier is added to the RRSIG can be specfied as part of the signature specification.

Author's Address

M. Andrews
Internet Systems Consortium
PO Box 360
Newmarket, NH 03857
United States of America