DNS Security Extensions (DNSSEC)ICANNpaul.hoffman@icann.org
ops
dnsopDNSSECDNS Security ExtensionsDNSThis document describes the DNS Security Extensions (commonly called "DNSSEC") that are
specified in RFCs 4033, 4034, and 4035, as well as a handful of others. One purpose is to introduce
all of the RFCs in one place so that the reader can understand the many aspects of DNSSEC.
This document does not update any of those RFCs.
A second purpose is to state that using DNSSEC for origin authentication of DNS data is the best current practice.
A third purpose is to provide a single reference for other documents that want to refer to DNSSEC.Status of This Memo
This memo documents an Internet Best Current Practice.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by
the Internet Engineering Steering Group (IESG). Further information
on BCPs is available in Section 2 of RFC 7841.
Information about the current status of this document, any
errata, and how to provide feedback on it may be obtained at
.
Copyright Notice
Copyright (c) 2023 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
() in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with
respect to this document. Code Components extracted from this
document must include Revised BSD License text as described in
Section 4.e of the Trust Legal Provisions and are provided without
warranty as described in the Revised BSD License.
Table of Contents
. Introduction
. DNSSEC as a Best Current Practice
. Implementing DNSSEC
. DNSSEC Core Documents
. Addition to the DNSSEC Core
. Additional Cryptographic Algorithms and DNSSEC
. Extensions to DNSSEC
. Additional Documents of Interest
. IANA Considerations
. Security Considerations
. References
. Normative References
. Informative References
Acknowledgements
Author's Address
IntroductionThe core specification for what we know as DNSSEC (the combination of ,
, and ) describes a set of protocols that provide origin
authentication of DNS data. updates and extends those core RFCs
but does not fundamentally change the way that DNSSEC works.This document lists RFCs that should be considered by someone
creating an implementation of, or someone deploying, DNSSEC as it is currently standardized.
Although an effort was made to be thorough, the reader should not assume this list is comprehensive.
It uses terminology from those documents without defining that terminology.
It also points to the relevant IANA registry groups that relate to DNSSEC.
It does not, however, point to standards that rely on zones needing to be signed by DNSSEC,
such as DNS-Based Authentication of Named Entities (DANE) .DNSSEC as a Best Current PracticeUsing the DNSSEC set of protocols is the best current practice for adding
origin authentication of DNS data. To date, no Standards Track RFCs offer any other
method for such origin authentication of data in the DNS.More than 15 years after the DNSSEC specification was published,
it is still not widely deployed. Recent estimates are that fewer than 10% of the domain names
used for websites are signed, and only around a third of queries to recursive resolvers
are validated. However, this low level of deployment does not affect whether using DNSSEC
is a best current practice; it just indicates that the value of deploying DNSSEC is often
considered lower than the cost.
Nonetheless, the significant deployment of DNSSEC beneath some top-level domains (TLDs)
and the near-universal deployment of DNSSEC for the TLDs in the DNS root zone
demonstrate that DNSSEC is applicable for implementation by both ordinary and highly sophisticated domain owners.Implementing DNSSECDevelopers of validating resolvers and authoritative servers,
as well as operators of validating resolvers and authoritative servers,
need to know the parts of the DNSSEC protocol that would affect them.
They should read the DNSSEC core documents and probably at least be familiar
with the extensions.
Developers will probably need to be very familiar with the algorithm documents as well.As a side note, some of the DNSSEC-related RFCs have significant errata, so reading the
RFCs should also include looking for the related errata.DNSSEC Core DocumentsWhat we refer to as "DNSSEC" is the third iteration of the DNSSEC specification;
was the first, and was the second.
Earlier iterations have not been deployed on a significant scale.
Throughout this document, "DNSSEC" means the protocol initially defined in , , and .The three initial core documents generally cover different topics:
is an overview of DNSSEC, including how it might change the resolution of DNS queries.
specifies the DNS resource records used in DNSSEC.
It obsoletes many RFCs about earlier versions of DNSSEC.
covers the modifications to the DNS protocol incurred by DNSSEC.
These include signing zones, serving signed zones, resolving in light of
DNSSEC, and authenticating DNSSEC-signed data.
At the time this set of core documents was published, someone could create a DNSSEC
implementation of signing software, of a DNSSEC-aware authoritative server, and/or of
a DNSSEC-aware recursive resolver from the three core documents, plus a few older
RFCs specifying the cryptography used. Those two older documents are the following:
defines how to use the DSA signature algorithm (although it refers to other
documents for the details).
DSA was thinly implemented and can safely be ignored by DNSSEC implementations.
defines how to use the RSA signature algorithm (although refers to other
documents for the details).
RSA is still among the most popular signing algorithms for DNSSEC.
It is important to note that later RFCs update the core documents. As just one example,
changes how TTL values are calculated in DNSSEC processing.Addition to the DNSSEC CoreAs with any major protocol, developers and operators discovered issues with the original
core documents over the years.
is an omnibus update to the original core documents and thus itself has
become a core document.
In addition to covering new requirements from new DNSSEC RFCs, it describes many important
security and interoperability issues that arose during the deployment of the initial
specifications, particularly after the DNS root was signed in 2010.
It also lists some errors in the examples of the core specifications. brings a few additions into the core of DNSSEC.
It makes NSEC3 as much a part of DNSSEC as NSEC is.
It also makes the SHA-256 and SHA-512 hash functions defined in and part of the core.Additional Cryptographic Algorithms and DNSSECCurrent cryptographic algorithms typically weaken over time as computing power improves and new cryptoanalysis emerges.
Two new signing algorithms have been adopted by the DNSSEC community: Elliptic Curve Digital Signature Algorithm (ECDSA) and Edwards-curve Digital Signature Algorithm (EdDSA) .
ECDSA and EdDSA have become very popular signing algorithms in recent years.
The GOST signing algorithm was also adopted but has seen very limited use, likely
because it is a national algorithm specific to a very small number of countries.Implementation developers who want to know which algorithms to implement in DNSSEC software
should refer to .
Note that
this specification is only about what algorithms should and should
not be included in implementations, i.e., it is not advice about which
algorithms zone operators should or should not use for signing, nor
which algorithms recursive resolver operators should or should not use
for validation.Extensions to DNSSECThe DNSSEC community has extended the DNSSEC core and the cryptographic algorithms, both
in terms of describing good operational practices and in new protocols. Some of the
RFCs that describe these extensions include the following:
describes a method to help resolvers update their DNSSEC trust anchors in an
automated fashion. This method was used in 2018 to update the DNS root trust anchor.
is a compendium of operational practices that may not be obvious from reading
just the core specifications.
describes using the CDS and CDNSKEY resource records to help automate the maintenance
of DS records in the parents of signed zones.
extends by showing how to do initial setup of trusted relationships
between signed parent and child zones.
describes how a validating resolver can emit fewer queries in signed zones that
use NSEC and NSEC3 for negative caching.
updates with respect to the TTL fields in signed records.
Additional Documents of InterestThe documents listed above constitute the core of DNSSEC, the additional cryptographic algorithms,
and the major extensions to DNSSEC.
This section lists some additional documents that someone interested in implementing or operating
DNSSEC might find of value:
"describes how to construct DNSSEC NSEC resource records that cover a smaller range of
names than called for by . By generating and signing these records on demand, authoritative name
servers can effectively stop the disclosure of zone contents otherwise made possible by walking the chain of NSEC records in a
signed zone".
"specifies a way for validating end-system resolvers to signal to a server which digital signature
and hash algorithms they support".
"provides additional background commentary and some context for the NSEC and NSEC3
mechanisms used by DNSSEC to provide authenticated denial-of-existence responses".
This background is particularly important for understanding NSEC and NSEC3 usage.
"describes the issues surrounding the timing of events in the rolling of a key in a DNSSEC-secured zone".
"defines Negative Trust Anchors (NTAs), which can be used to mitigate DNSSEC validation failures by disabling
DNSSEC validation at specified domains".
"describes the format and publication mechanisms IANA has used to distribute the DNSSEC trust anchors".
"describes problems that a Validating DNS resolver, stub-resolver, or application might run into within
a non-compliant infrastructure".
"specifies two different ways for validating resolvers to signal to a server which keys are
referenced in their chain of trust".
contains lists of terminology used when talking about DNS; Sections and cover DNSSEC.
"specifies a mechanism that will allow an end user and third parties to determine the trusted key
state for the root key of the resolvers that handle that user's DNS queries".
"presents deployment models that accommodate this scenario [when each DNS
provider independently signs zone data with their own keys] and describes these key-management requirements".
"provides guidance on setting NSEC3 parameters based on recent operational
deployment experience".
There will certainly be other RFCs related to DNSSEC that are published after this one.IANA ConsiderationsIANA already has three registry groups that relate to DNSSEC:
DNSSEC algorithm numbers
DNSSEC NSEC3 parameters
DNSSEC DS RRtype digest algorithms
The rules for the DNSSEC algorithm registry were set in the core RFCs and
updated by , , and .This document does not update or create any registry groups or registries.Security ConsiderationsAll of the security considerations from all of the RFCs referenced in this document
apply here.ReferencesNormative ReferencesRSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS)This document describes how to produce RSA/SHA1 SIG resource records (RRs) in Section 3 and, so as to completely replace RFC 2537, describes how to produce RSA KEY RRs in Section 2. [STANDARDS-TRACK]DNS Security Introduction and RequirementsThe Domain Name System Security Extensions (DNSSEC) add data origin authentication and data integrity to the Domain Name System. This document introduces these extensions and describes their capabilities and limitations. This document also discusses the services that the DNS security extensions do and do not provide. Last, this document describes the interrelationships between the documents that collectively describe DNSSEC. [STANDARDS-TRACK]Resource Records for the DNS Security ExtensionsThis document is part of a family of documents that describe the DNS Security Extensions (DNSSEC). The DNS Security Extensions are a collection of resource records and protocol modifications that provide source authentication for the DNS. This document defines the public key (DNSKEY), delegation signer (DS), resource record digital signature (RRSIG), and authenticated denial of existence (NSEC) resource records. The purpose and format of each resource record is described in detail, and an example of each resource record is given.This document obsoletes RFC 2535 and incorporates changes from all updates to RFC 2535. [STANDARDS-TRACK]Protocol Modifications for the DNS Security ExtensionsThis document is part of a family of documents that describe the DNS Security Extensions (DNSSEC). The DNS Security Extensions are a collection of new resource records and protocol modifications that add data origin authentication and data integrity to the DNS. This document describes the DNSSEC protocol modifications. This document defines the concept of a signed zone, along with the requirements for serving and resolving by using DNSSEC. These techniques allow a security-aware resolver to authenticate both DNS resource records and authoritative DNS error indications.This document obsoletes RFC 2535 and incorporates changes from all updates to RFC 2535. [STANDARDS-TRACK]Use of SHA-256 in DNSSEC Delegation Signer (DS) Resource Records (RRs)This document specifies how to use the SHA-256 digest type in DNS Delegation Signer (DS) Resource Records (RRs). DS records, when stored in a parent zone, point to DNSKEYs in a child zone. [STANDARDS-TRACK]DNS Security (DNSSEC) Hashed Authenticated Denial of ExistenceThe Domain Name System Security (DNSSEC) Extensions introduced the NSEC resource record (RR) for authenticated denial of existence. This document introduces an alternative resource record, NSEC3, which similarly provides authenticated denial of existence. However, it also provides measures against zone enumeration and permits gradual expansion of delegation-centric zones. [STANDARDS-TRACK]Use of SHA-2 Algorithms with RSA in DNSKEY and RRSIG Resource Records for DNSSECThis document describes how to produce RSA/SHA-256 and RSA/SHA-512 DNSKEY and RRSIG resource records for use in the Domain Name System Security Extensions (RFC 4033, RFC 4034, and RFC 4035). [STANDARDS TRACK]Clarifications and Implementation Notes for DNS Security (DNSSEC)This document is a collection of technical clarifications to the DNS Security (DNSSEC) document set. It is meant to serve as a resource to implementors as well as a collection of DNSSEC errata that existed at the time of writing.This document updates the core DNSSEC documents (RFC 4033, RFC 4034, and RFC 4035) as well as the NSEC3 specification (RFC 5155). It also defines NSEC3 and SHA-2 (RFC 4509 and RFC 5702) as core parts of the DNSSEC specification.Informative ReferencesUse of GOST 2012 Signature Algorithms in DNSKEY and RRSIG Resource Records for DNSSECTCINETJSC "NPK Kryptonite"The Technical center of Internet, LLCWork in ProgressDomain Name System Security ExtensionsThe Domain Name System (DNS) has become a critical operational part of the Internet infrastructure yet it has no strong security mechanisms to assure data integrity or authentication. Extensions to the DNS are described that provide these services to security aware resolvers or applications through the use of cryptographic digital signatures. [STANDARDS-TRACK]Domain Name System Security ExtensionsThis document incorporates feedback on RFC 2065 from early implementers and potential users. [STANDARDS-TRACK]DSA KEYs and SIGs in the Domain Name System (DNS)A standard method for storing US Government Digital Signature Algorithm keys and signatures in the Domain Name System is described which utilizes DNS KEY and SIG resource records. [STANDARDS-TRACK]Minimally Covering NSEC Records and DNSSEC On-line SigningThis document describes how to construct DNSSEC NSEC resource records that cover a smaller range of names than called for by RFC 4034. By generating and signing these records on demand, authoritative name servers can effectively stop the disclosure of zone contents otherwise made possible by walking the chain of NSEC records in a signed zone. [STANDARDS-TRACK]Automated Updates of DNS Security (DNSSEC) Trust AnchorsThis document describes a means for automated, authenticated, and authorized updating of DNSSEC "trust anchors". The method provides protection against N-1 key compromises of N keys in the trust point key set. Based on the trust established by the presence of a current anchor, other anchors may be added at the same place in the hierarchy, and, ultimately, supplant the existing anchor(s).This mechanism will require changes to resolver management behavior (but not resolver resolution behavior), and the addition of a single flag bit to the DNSKEY record. [STANDARDS-TRACK]Cryptographic Algorithm Identifier Allocation for DNSSECThis document specifies how DNSSEC cryptographic algorithm identifiers in the IANA registries are allocated. It changes the requirement from "standard required" to "RFC Required". It does not change the list of algorithms that are recommended or required for DNSSEC implementations. [STANDARDS-TRACK]Elliptic Curve Digital Signature Algorithm (DSA) for DNSSECThis document describes how to specify Elliptic Curve Digital Signature Algorithm (DSA) keys and signatures in DNS Security (DNSSEC). It lists curves of different sizes and uses the SHA-2 family of hashes for signatures. [STANDARDS-TRACK]The DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS) Protocol: TLSAEncrypted communication on the Internet often uses Transport Layer Security (TLS), which depends on third parties to certify the keys used. This document improves on that situation by enabling the administrators of domain names to specify the keys used in that domain's TLS servers. This requires matching improvements in TLS client software, but no change in TLS server software. [STANDARDS-TRACK]DNS Security (DNSSEC) DNSKEY Algorithm IANA Registry UpdatesThe DNS Security Extensions (DNSSEC) require the use of cryptographic algorithm suites for generating digital signatures over DNS data. The algorithms specified for use with DNSSEC are reflected in an IANA-maintained registry. This document presents a set of changes for some entries of the registry. [STANDARDS-TRACK]DNSSEC Operational Practices, Version 2This document describes a set of practices for operating the DNS with security extensions (DNSSEC). The target audience is zone administrators deploying DNSSEC.The document discusses operational aspects of using keys and signatures in the DNS. It discusses issues of key generation, key storage, signature generation, key rollover, and related policies.This document obsoletes RFC 4641, as it covers more operational ground and gives more up-to-date requirements with respect to key sizes and the DNSSEC operations.Signaling Cryptographic Algorithm Understanding in DNS Security Extensions (DNSSEC)The DNS Security Extensions (DNSSEC) were developed to provide origin authentication and integrity protection for DNS data by using digital signatures. These digital signatures can be generated using different algorithms. This document specifies a way for validating end-system resolvers to signal to a server which digital signature and hash algorithms they support. The extensions allow the signaling of new algorithm uptake in client code to allow zone administrators to know when it is possible to complete an algorithm rollover in a DNSSEC-signed zone.Authenticated Denial of Existence in the DNSAuthenticated denial of existence allows a resolver to validate that a certain domain name does not exist. It is also used to signal that a domain name exists but does not have the specific resource record (RR) type you were asking for. When returning a negative DNS Security Extensions (DNSSEC) response, a name server usually includes up to two NSEC records. With NSEC version 3 (NSEC3), this amount is three.This document provides additional background commentary and some context for the NSEC and NSEC3 mechanisms used by DNSSEC to provide authenticated denial-of-existence responses.Automating DNSSEC Delegation Trust MaintenanceThis document describes a method to allow DNS Operators to more easily update DNSSEC Key Signing Keys using the DNS as a communication channel. The technique described is aimed at delegations in which it is currently hard to move information from the Child to Parent.DNSSEC Key Rollover Timing ConsiderationsThis document describes the issues surrounding the timing of events in the rolling of a key in a DNSSEC-secured zone. It presents timelines for the key rollover and explicitly identifies the relationships between the various parameters affecting the process.Definition and Use of DNSSEC Negative Trust AnchorsDNS Security Extensions (DNSSEC) is now entering widespread deployment. However, domain signing tools and processes are not yet as mature and reliable as those for non-DNSSEC-related domain administration tools and processes. This document defines Negative Trust Anchors (NTAs), which can be used to mitigate DNSSEC validation failures by disabling DNSSEC validation at specified domains.DNSSEC Trust Anchor Publication for the Root ZoneThe root zone of the Domain Name System (DNS) has been cryptographically signed using DNS Security Extensions (DNSSEC).In order to obtain secure answers from the root zone of the DNS using DNSSEC, a client must configure a suitable trust anchor. This document describes the format and publication mechanisms IANA has used to distribute the DNSSEC trust anchors.DNSSEC Roadblock AvoidanceThis document describes problems that a Validating DNS resolver, stub-resolver, or application might run into within a non-compliant infrastructure. It outlines potential detection and mitigation techniques. The scope of the document is to create a shared approach to detect and overcome network issues that a DNSSEC software/system may face.Managing DS Records from the Parent via CDS/CDNSKEYRFC 7344 specifies how DNS trust can be maintained across key rollovers in-band between parent and child. This document elevates RFC 7344 from Informational to Standards Track. It also adds a method for initial trust setup and removal of a secure entry point.Changing a domain's DNSSEC status can be a complicated matter involving multiple unrelated parties. Some of these parties, such as the DNS operator, might not even be known by all the organizations involved. The inability to disable DNSSEC via in-band signaling is seen as a problem or liability that prevents some DNSSEC adoption at a large scale. This document adds a method for in-band signaling of these DNSSEC status changes.This document describes reasonable policies to ease deployment of the initial acceptance of new secure entry points (DS records).It is preferable that operators collaborate on the transfer or move of a domain. The best method is to perform a Key Signing Key (KSK) plus Zone Signing Key (ZSK) rollover. If that is not possible, the method using an unsigned intermediate state described in this document can be used to move the domain between two parties. This leaves the domain temporarily unsigned and vulnerable to DNS spoofing, but that is preferred over the alternative of validation failures due to a mismatched DS and DNSKEY record.Edwards-Curve Digital Security Algorithm (EdDSA) for DNSSECThis document describes how to specify Edwards-curve Digital Security Algorithm (EdDSA) keys and signatures in DNS Security (DNSSEC). It uses EdDSA with the choice of two curves: Ed25519 and Ed448.Signaling Trust Anchor Knowledge in DNS Security Extensions (DNSSEC)The DNS Security Extensions (DNSSEC) were developed to provide origin authentication and integrity protection for DNS data by using digital signatures. These digital signatures can be verified by building a chain of trust starting from a trust anchor and proceeding down to a particular node in the DNS. This document specifies two different ways for validating resolvers to signal to a server which keys are referenced in their chain of trust. The data from such signaling allow zone administrators to monitor the progress of rollovers in a DNSSEC-signed zone.Aggressive Use of DNSSEC-Validated CacheThe DNS relies upon caching to scale; however, the cache lookup generally requires an exact match. This document specifies the use of NSEC/NSEC3 resource records to allow DNSSEC-validating resolvers to generate negative answers within a range and positive answers from wildcards. This increases performance, decreases latency, decreases resource utilization on both authoritative and recursive servers, and increases privacy. Also, it may help increase resilience to certain DoS attacks in some circumstances.This document updates RFC 4035 by allowing validating resolvers to generate negative answers based upon NSEC/NSEC3 records and positive answers in the presence of wildcards.DNS TerminologyThe Domain Name System (DNS) is defined in literally dozens of different RFCs. The terminology used by implementers and developers of DNS protocols, and by operators of DNS systems, has sometimes changed in the decades since the DNS was first defined. This document gives current definitions for many of the terms used in the DNS in a single document.This document obsoletes RFC 7719 and updates RFC 2308.A Root Key Trust Anchor Sentinel for DNSSECThe DNS Security Extensions (DNSSEC) were developed to provide origin authentication and integrity protection for DNS data by using digital signatures. These digital signatures can be verified by building a chain of trust starting from a trust anchor and proceeding down to a particular node in the DNS. This document specifies a mechanism that will allow an end user and third parties to determine the trusted key state for the root key of the resolvers that handle that user's DNS queries. Note that this method is only applicable for determining which keys are in the trust store for the root key.Algorithm Implementation Requirements and Usage Guidance for DNSSECThe DNSSEC protocol makes use of various cryptographic algorithms in order to provide authentication of DNS data and proof of nonexistence. To ensure interoperability between DNS resolvers and DNS authoritative servers, it is necessary to specify a set of algorithm implementation requirements and usage guidelines to ensure that there is at least one algorithm that all implementations support. This document defines the current algorithm implementation requirements and usage guidance for DNSSEC. This document obsoletes RFC 6944.Multi-Signer DNSSEC ModelsMany enterprises today employ the service of multiple DNS providers to distribute their authoritative DNS service. Deploying DNSSEC in such an environment may present some challenges, depending on the configuration and feature set in use. In particular, when each DNS provider independently signs zone data with their own keys, additional key-management mechanisms are necessary. This document presents deployment models that accommodate this scenario and describes these key-management requirements. These models do not require any changes to the behavior of validating resolvers, nor do they impose the new key-management requirements on authoritative servers not involved in multi-signer configurations.NSEC and NSEC3: TTLs and Aggressive UseDue to a combination of unfortunate wording in earlier documents, aggressive use of NSEC and NSEC3 records may deny the existence of names far beyond the intended lifetime of a denial. This document changes the definition of the NSEC and NSEC3 TTL to correct that situation. This document updates RFCs 4034, 4035, 5155, and 8198.Revised IANA Considerations for DNSSECThis document changes the review requirements needed to get DNSSEC algorithms and resource records added to IANA registries. It updates RFC 6014 to include hash algorithms for Delegation Signer (DS) records and NextSECure version 3 (NSEC3) parameters (for Hashed Authenticated Denial of Existence). It also updates RFCs 5155 and 6014, which have requirements for DNSSEC algorithms, and updates RFC 8624 to clarify the implementation recommendation related to the algorithms described in RFCs that are not on the standards track. The rationale for these changes is to bring the requirements for DS records and hash algorithms used in NSEC3 in line with the requirements for all other DNSSEC algorithms.Guidance for NSEC3 Parameter SettingsNSEC3 is a DNSSEC mechanism providing proof of nonexistence by asserting that there are no names that exist between two domain names within a zone. Unlike its counterpart NSEC, NSEC3 avoids directly disclosing the bounding domain name pairs. This document provides guidance on setting NSEC3 parameters based on recent operational deployment experience. This document updates RFC 5155 with guidance about selecting NSEC3 iteration and salt parameters.AcknowledgementsThe DNS world owes a depth of gratitude to the authors and other contributors
to the core DNSSEC documents and to the notable DNSSEC extensions.In addition, the following people made significant contributions to early draft versions
of this document: and .Author's AddressICANNpaul.hoffman@icann.org