| Internet-Draft | parent-side-auth-types | December 2024 |
| van Dijk & Spacek | Expires 13 June 2025 | [Page] |
DNS RR types with numbers in the range 0xFA00-0xFDFF are now included in special treatment like DS RR type specified in [RFC4035]. Authoritative servers, DNSSEC signers, and recursive resolvers need to extend the conditions for DS special handling to also include this range. This means: being authoritative on the parent side of a delegation; being signed by the parent; being provided along with delegations by the parent. DNSSEC validators also need to implement downgrade protection described in Section 5.3.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 13 June 2025.¶
Copyright (c) 2024 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
[RFC4035] defines the DS Resource Record, as a type with the special property that it lives at the parent side of a delegation, unlike any other record (if we can briefly ignore NSEC living on both sides of a delegation as an extra special case). In various conversations and posted drafts over the last five years in DPRIVE, DNSOP, and DELEG, a potential desire to publish other kinds of data parent-side has been identified. Some drafts simply proposed a new type, assuming that authoritative DNS servers and registry operations would eventually follow along; other drafts have tried to shoehorn new kinds of data into the DS record. If, when DS was defined, or at any time since then, a range of RRtype numbers would have been specified to have the same behaviour as DS, those drafts, and the experiments that need to go with figuring out the exact definition of a protocol, would have been much more feasible. This document requests that IANA reserve such a range and defines behavior of DNS implementations.¶
This document lives on GitHub; proposed text and editorial changes are very much welcomed there, but any functional changes should always first be discussed on the IETF DNSOP WG mailing list.¶
The term "Parent-Side Types" refers to set of RR types which contains exactly:¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
A RR type range reservation in [#iana] is now open for allocation of future Parent-Side Types, but none such types are allocated by this document.¶
Special processing for DS record type related to its inclusion in DNS messages, zone files, DNSSEC signing, etc. is extended to all Parent-Side Types. The only exception are rules which pertain to content of DS resource records, which are not applicable to other Parent-Side Types.¶
In short, authoritative servers serve the types from the parent side of a delegation and resolvers know to ask the parent side of a delegation.¶
Having these type numbers reserved with defined processing rules allows for future extension of parent-side publication of data, without having to wait for implementations to catch up.¶
'Implementation' is understood to mean both 'code changes' and 'operational changes' here.¶
This specification extends special handling previously defined exclusively to DS RR type to apply to all Parent-Side Types. In short, implementations need to modify their hardcoded condition (if RRTYPE equals DS) to (if RRTYPE is Parent-Side Type) as defined in Section 3.¶
Section 8 of [RFC5155]: References to DS RR type are replaced by All Parent-Side Types.¶
Section 4.1 of [RFC6840]: Reference to DS RR type is replaced by all Parent-Side Types.¶
Section 4.4 of [RFC6840]:¶
This specification defines changes to query processing in resolvers.¶
FIXME DNSKEY flag for downgrade resistance¶
A flag in the DNSKEY record signing the delegation is used as a backwards compatible, secure signal to indicate to a resolver that Parent Side Types (other than DS) MAY be present or that there is an authenticated denial of parent side types. Legacy resolvers will ignore this flag and use the DNSKEY as is.¶
Without this secure signal an on-path adversary can remove Parent Side records and their RRSIGs from a response and effectively downgrade this to a legacy DNSSEC signed response.¶
This specification defines changes to zone validation in zone validators.¶
RR types from the new parent-side range in Section 8 must conform to the same signing rules as DS RR type. See [RFC4035]¶
This specification defines no changes to query processing in stub resolvers.¶
FIXME¶
Domain registries MAY decide to allow children to publish records of any type from the range defined in this document in the parent zone. Alternatively, they MAY decide to only allow such publication for types that actually get allocated a name and a semantic. Ideally, domain registries would allow anything in the experimental subrange.¶
TODO: definitely need words about the downgrade protection here.¶
[RFC Editor: please remove this section before publication]¶
IANA is requested to change reservations in the DNS Parameters RR TYPEs registry, with this document as the Reference.¶
IANA is further requested to assign bit TBD (suggested value: 9) to "Must sign parent types (MSPT)" in the DNSKEY RR Flags registry, with this document as the Reference.¶
This idea was initially proposed by Petr Spacek. His contribution is rewarded by listing him as an author so he can take equal parts credit and blame.¶