summaryrefslogtreecommitdiff
path: root/doc/draft/draft-baba-dnsext-acl-reqts-01.txt
blob: 1030e5782ef90060ef589e1d73070f1d0b8a13ba (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336




Internet-Draft                                                   T. Baba
Expires: March 11, 2004                                         NTT Data
                                                      September 11, 2003


         Requirements for Access Control in Domain Name Systems
                   draft-baba-dnsext-acl-reqts-01.txt

Status of this Memo

   This document is an Internet-Draft and is subject to all provisions
   of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/1id-abstracts.html

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html

   Distribution of this memo is unlimited.

   This Internet-Draft will expire on March 11, 2004.

Abstract

   This document describes the requirements for access control
   mechanisms in the Domain Name System (DNS), which authenticate
   clients and then allow or deny access to resource records in the
   zone according to the access control list (ACL).

1. Introduction

   The Domain Name System (DNS) is a hierarchical, distributed, highly
   available database used for bi-directional mapping between domain
   names and IP addresses, for email routing, and for other information
   [RFC1034, 1035].  DNS security extensions (DNSSEC) have been defined
   to authenticate the data in DNS and provide key distribution services
   using SIG, KEY, and NXT resource records (RRs) [RFC2535].



Baba                     Expires March 11, 2004                 [Page 1]

Internet-Draft       DNS Access Control Requirements      September 2003


   At the 28th IETF Meeting in Houston in 1993, DNS security design team
   started a discussion about DNSSEC and agreed to accept the assumption
   that "DNS data is public".  Accordingly, confidentiality for queries
   or responses is not provided by DNSSEC, nor are any sort of access
   control lists or other means to differentiate inquirers.  However,
   about ten years has passed, access control in DNS has been more
   important than before.  Currently, new RRs are proposed to add new
   functionality to DNS such as ENUM [RFC2916].  Such new RRs may
   contain private information.  Thus, DNS access control will be
   needed.

   Furthermore, with DNS access control mechanism, access from
   unauthorized clients can be blocked when they perform DNS name
   resolution.  Thus, for example, Denial of Service (DoS) attacks
   against a server used by a closed user group can be prevented using
   this mechanism if IP address of the server is not revealed by other
   sources.

   This document describes the requirements for access control
   mechanisms in DNS.

2. Terminology

   AC-aware client
      This is the client that understands the DNS access control
      extensions. This client may be an end host which has a stub
      resolver, or a cashing/recursive name server which has a
      full-service resolver.

   AC-aware server
      This is the authoritative name server that understands the DNS
      access control extensions.

   ACE
      An Access Control Entry.  This is the smallest unit of access
      control policy.  It grants or denies a given set of access
      rights to a set of principals.  An ACE is a component of an ACL,
      which is associated with a resource.

   ACL
      An Access Control List.  This contains all of the access control
      policies which are directly associated with a particular
      resource.  These policies are expressed as ACEs.

   Client
      A program or host which issues DNS requests and accepts its
      responses. A client may be an end host or a cashing/recursive name
      server.



Baba                     Expires March 11, 2004                 [Page 2]

Internet-Draft       DNS Access Control Requirements      September 2003


   RRset
      All resource records (RRs) having the same NAME, CLASS and TYPE
      are called a Resource Record Set (RRset).

3. Requirements

   This section describes the requirements for access control in DNS.

3.1 Authentication

3.1.1 Client Authentication Mechanism

   The AC-aware server must identify AC-aware clients based on IP
   address and/or domain name (user ID or host name), and must
   authenticate them using strong authentication mechanism such as
   digital signature or message authentication code (MAC).

   SIG(0) RR [RFC2931] contains a domain name associated with sender's
   public key in its signer's name field, and TSIG RR [RFC2845] also
   contains a domain name associated with shared secret key in its key
   name field.  Each of these domain names can be a host name or a user
   name, and can be used as a sender's identifier for access control.
   Furthermore, SIG(0) uses digital signatures, and TSIG uses MACs for
   message authentication.  These mechanisms can be used to authenticate
   AC-aware clients.

   Server authentication may be also provided.

3.1.2 End-to-End Authentication

   In current DNS model, caching/recursive name servers are deployed
   between end hosts and authoritative name servers.  Although
   authoritative servers can authenticate caching/recursive name servers
   using SIG(0) or TSIG, they cannot authenticate end hosts behind them.
   For end-to-end authentication, the mechanism for an end host to
   discover the target authoritative name server and directly access to
   it bypassing caching/recursive name servers is needed.  For example,
   an end host can get the IP addresses of the authoritative name
   servers by retrieving NS RRs for the zone via local caching/recursive
   name server.

   In many enterprise networks, however, there are firewalls that block
   all DNS packets other than those going to/from the particular
   caching/recursive servers.  To deal with this problem, one can
   implement packet forwarding function on the caching/recursive servers
   and enable end-to-end authentication via the caching/recursive
   servers.




Baba                     Expires March 11, 2004                 [Page 3]

Internet-Draft       DNS Access Control Requirements      September 2003


3.1.3 Authentication Key Retrieval

   Keys which are used to authenticate clients should be able to be
   automatically retrieved.  The KEY RR is used to store a public key
   for a zone or a host that is associated with a domain name.  SIG(0)
   RR uses a public key in KEY RR for verifying the signature.  If
   DNSSEC is available, the KEY RR would be protected by the SIG RR.
   KEY RR or newly defined RR can be used to automatic key retrieval.

3.2 Confidentiality

3.2.1 Data Encryption

   To avoid disclosure to eavesdroppers, the response containing the
   RRsets which are restricted to access from particular users should be
   encrypted.  Currently, no encryption mechanism is specified in DNS.
   Therefore, new RRs should be defined for DNS message encryption.
   Instead, IPsec [RFC2401] can be used to provide confidentiality if
   name server and resolver can set up security associations dynamically
   using IPsec API [IPSECAPI] when encryption is required.

   In case encryption is applied, entire DNS message including DNS
   header should be encrypted to hide information including error code.

   Query encryption may be also provided for hiding query information.

3.2.2 Key Exchange

   If DNS message encryption is provided, automatic key exchange
   mechanism should be also provided.  [RFC2930] specifies a TKEY RR
   that can be used to establish and delete shared secret keys used by
   TSIG between a client and a server.  With minor extensions, TKEY can
   be used to establish shared secret keys used for message encryption.

3.2.3 Caching

   The RRset that is restricted to access from particular users must not
   be cached.  To avoid caching, the TTL of the RR that is restricted to
   access should be set to zero during transit.

3.3 Access Control

3.3.1 Granularity of Access Control

   Control of access on a per-user/per-host granularity must be
   supported.  Control of access to individual RRset (not just the
   entire zone) must be also supported.  However, SOA, NS, SIG, NXT,
   KEY, and DS RRs must be publicly accessible to avoid unexpected
   results.
   

Baba                     Expires March 11, 2004                 [Page 4]

Internet-Draft       DNS Access Control Requirements      September 2003


3.3.2 ACL Representation

   Access Control List (ACL) format must be standardized so that both
   the primary and secondary AC-aware servers can recognize the same
   ACL.  Although ACL may appear in or out of zone data, it must be
   transferred to the secondary AC-aware server with associated zone
   data.  It is a good idea to contain ACL in zone data, because ACL can
   be transferred with zone data using existing zone transfer mechanisms
   automatically.  However, ACL must not be published except for
   authorized secondary master servers.
   
   In zone data master files, ACL should be specified using TXT RRs or
   newly defined RRs.  In each access control entry (ACE), authorized
   entities (host or user) must be described using domain name (host
   name, user name, or IP address in in-addr.arpa/ip6.arpa format).
   There may be other access control attributes such as access time.

   It must be possible to create publicly readable entries, which may be
   read even by unauthenticated clients.

3.3.3 Zone/ACL Transfer

   As mentioned above, ACL should be transferred from a primary AC-aware
   server to a secondary AC-aware server with associated zone data.
   When an AC-aware server receives a zone/ACL transfer request, the
   server must authenticate the client, and should encrypt the zone
   data and associated ACL during transfer.

3.4 Backward/co-existence Compatibility

   Any new protocols to be defined for access control in DNS must be
   backward compatible with existing DNS protocol.  AC-aware servers
   must be able to process normal DNS query without authentication, and
   must respond if retrieving RRset is publicly accessible.
   
   Modifications to root/gTLD/ccTLD name servers are not allowed.

4. Security Considerations

   This document discusses the requirements for access control
   mechanisms in DNS.

5. Acknowledgements

   This work is funded by the Telecommunications Advancement
   Organization of Japan (TAO).

   The author would like to thank the members of the NTT DATA network
   security team for their important contribution to this work.


Baba                     Expires March 11, 2004                 [Page 5]

Internet-Draft       DNS Access Control Requirements      September 2003


6. References

   [RFC1034]  Mockapetris, P., "Domain names - concepts and facilities",
              STD 13, RFC 1034, November 1987.

   [RFC1035]  Mockapetris, P., "Domain names - implementation and
              specification", STD 13, RFC 1035, November 1987.

   [RFC2401]  Kent, S. and R. Atkinson, "Security Architecture for the
              Internet Protocol", RFC 2401, November 1998.

   [RFC2535]  Eastlake, D., "Domain Name System Security Extensions",
              RFC 2535, March 1999.

   [RFC2845]  Vixie, P., Gudmundsson, O., Eastlake, D. and B. Wellington,
              "Secret Key Transaction Authentication for DNS (TSIG)", 
              RFC 2845, May 2000.

   [RFC2916]  Faltstrom, P., "E.164 number and DNS", RFC 2916,
              September 2000.

   [RFC2930]  Eastlake, D., "Secret Key Establishment for DNS (TKEY RR)",
              RFC 2930, September 2000.

   [RFC2931]  Eastlake, D., "DNS Request and Transaction Signatures
              (SIG(0)s)", RFC 2931, September 2000.

   [IPSECAPI] Sommerfeld, W., "Requirements for an IPsec API",
              draft-ietf-ipsp-ipsec-apireq-00.txt, June 2003, Work in
              Progress.


Author's Address

   Tatsuya Baba
   NTT Data Corporation
   Research and Development Headquarters
   Kayabacho Tower, 1-21-2, Shinkawa, Chuo-ku,
   Tokyo 104-0033, Japan
   
   Tel: +81 3 3523 8081
   Fax: +81 3 3523 8090
   Email: babatt@nttdata.co.jp








Baba                     Expires March 11, 2004                 [Page 6]