Paper 7
RFC 2535
Domain Name System Security Extensions
Why?
To continue understanding DNS Security.
This seems to be the 'overview' RFC
Quick Assessment
Long; it really is the defining document, so there is lots
of detail.
Main Point:
This storage of keys can support general public key distribution
services as well as DNS security.
The stored keys enable security aware resolvers to learn the
authenticating key of zones in addition to those for which they
are initially configured.
...
In addition, the security extensions provide for the optional
authentication of DNS protocol transactions and requests.
Introduction
- Section 2 - provides an overview of the extensions and key
  distribution, data origin authentication, ...
- Section 3 - discusses the KEY resource record - represents
  the public keys of entities named in the DNS and is used for
  key distribution
- Section 4 - discusses the SIG digital signature resource record -
  used to authenticate other resource records in the DNS and
  optionally to authenticate DNS transactions and requests.
- Section 5 - discusses the NXT resource record (NN) -
  permits authenticated denial of the existence of a name or of an
  RR type for an existing name.
- Section 6 - discusses how a resolver can be configured with a
  starting key or keys and proceed to securely resolve DNS requests.
- Section 7 - describes the ASCII representation of the security
  resource records
- Section 8 - describes canonical form and order of RRs for DNS
- Section 9 - defines levels of conformance for resolvers and servers.
- Section 10 - a few security considerations
Section 2
Provides 3 security services:
- key distribution
- data origin authentication
- transaction and request authentication
No access control lists; no confidentiality for queries or responses.
Key distribution
Resource record format is defined to associate keys with DNS names,
therefore DNS can distribute public keys.
KEY RR - algorithm id, actual public key, and a bunch of flags
Data Origin Authentication and Integrity
Authentication is provided by associating cryptographic digital signatures
with RRsets -
there will be a SINGLE private key that authenticates the entire zone,
but there might be multiple keys for different algorithms, signers,
etc.
Data origin authentication keys are associated with the zone and
NOT the servers storing the data.
The resolver can either read a key or have it statically configured.
The resolver must be configured with at least one public key which
authenticates one zone as a starting point.
SIG Resource Record - cryptographically binds the RRset being
signed to the signer and a validity interval.
Issues - TTL in signature vs Ticking down of TTL in caching servers.
Special issues with subzones - leaf in one DNS table, and the primary
in another DNS table, e.g., cs.hmc.edu
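The TTL issue noted above, worked through as an added example (not code from RFC 2535 or these notes): the verifier rebuilds the covered RRs from the SIG's "original TTL" field, in canonical order, so the decremented TTL and reordered records a cache hands out still verify, while hashing the cached TTL would not. HMAC-SHA256 stands in for the RFC's RSA/MD5 or DSA signature, and the names, key and addresses are constructed.

```python
import hashlib
import hmac
import struct

# Added example (not RFC 2535's own code): builds the RFC 2535 section 4.1.8
# "data to be signed"; HMAC-SHA256 is a stand-in for RSA/MD5 or DSA.
TYPE_A, CLASS_IN, ALG_RSAMD5 = 1, 1, 1

def canonical_name(name: str) -> bytes:
    """Name in canonical wire form: lowercase labels, fully qualified."""
    labels = [l.encode() for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def sig_rdata_prefix(type_covered: int, owner: str, orig_ttl: int,
                     expiration: int, inception: int, key_tag: int,
                     signer: str, algorithm: int = ALG_RSAMD5) -> bytes:
    """SIG RDATA fields that precede the signature field (section 4.1)."""
    labels = len([l for l in owner.rstrip(".").split(".") if l])
    return struct.pack("!HBBIIIH", type_covered, algorithm, labels, orig_ttl,
                       expiration, inception, key_tag) + canonical_name(signer)

def signing_data(prefix: bytes, owner: str, rtype: int, orig_ttl: int,
                 rdatas: list[bytes]) -> bytes:
    """Prefix plus the RRset sorted by RDATA, every RR at the original TTL."""
    out = prefix
    for rdata in sorted(rdatas):
        out += canonical_name(owner) + struct.pack(
            "!HHIH", rtype, CLASS_IN, orig_ttl, len(rdata)) + rdata
    return out

def sign(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()
def verify(key: bytes, data: bytes, signature: bytes) -> bool:
    return hmac.compare_digest(sign(key, data), signature)

def ttl_demo() -> tuple[bool, bool]:
    """Zone signs an A RRset at TTL 3600; a cache later serves it reordered
    with TTL 1234. Verification still succeeds because the verifier rebuilds
    the RRs at the SIG's original TTL; it fails if the cached TTL is hashed."""
    key = b"constructed-zone-key"                   # constructed sample key
    owner, signer = "www.example.test.", "example.test."
    rdatas = [bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])]  # constructed A RRs
    prefix = sig_rdata_prefix(TYPE_A, owner, 3600, 1_700_000_000,
                              1_699_000_000, 4321, signer)
    sig = sign(key, signing_data(prefix, owner, TYPE_A, 3600, rdatas))
    cached = list(reversed(rdatas))
    ok = verify(key, signing_data(prefix, owner, TYPE_A, 3600, cached), sig)
    wrong = verify(key, signing_data(prefix, owner, TYPE_A, 1234, cached), sig)
    return ok, wrong
```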
DNS transaction and request authentication
The data origin authentication service does
protect retrieved resource records and the non-existence of resource
records, but provides NO protection for DNS requests or for
message headers.
Can add a special SIG RR at the end of the reply which digitally
signs the concatenation of the server's response and the
resolver's query.
These keys belong to the entity composing the reply NOT to the Zone....
Mike Erlinger
Last Modified Tuesday, 04-Apr-2006 12:48:22 PDT