Enhancements to DNSSEC validation for the DNS Root Zone change requests
Summary: We propose to enhance the validation procedure for top-level domain operators who wish to list DS records in the root zone. We will soon begin testing for valid RRSIG records, in addition to testing that the DS records match DNSKEYs listed in the top-level domain.
On 2010-07-15, the DNS root zone completely transitioned to its DNSSEC-signed state, signalling the end of the progressive launch program. As we now reach the six month anniversary of reaching full production, an increasing number of top-level domain operators have taken advantage of the signed root zone by listing their delegation signer records. These records allow their zones to validate using the chain-of-trust from the single root trust anchor key.
As with all root zone changes, ICANN, Verisign and the US Department of Commerce have worked together to accept listing requests from top-level domain managers, evaluate them to ensure they meet technical and operational requirements, and then list them in the root zone.
During the first half-year of experience with a signed root zone, we have been actively monitoring how TLD operators roll out DNSSEC and gaining experience from them. While the majority of requests have been processed smoothly, in some cases we have received DS listing requests that pass our validation criteria yet have name server issues that can impact the successful deployment of DNSSEC for the TLD concerned.
Specifically, in some cases the DNSKEY is correctly listed in the zone and the zone is signed, but the authoritative name server software is not deployed and configured to return the corresponding RRSIG records when the DO-flag is set. The DO-flag (DNSSEC OK) is used to signal to a name server that the querier understands and wants a DNSSEC-signed response.
Such situations indicate a misconfiguration or problem within the top-level domain. If the DS record were listed, validating resolvers would expect a signed DNSKEY response from every authoritative server; a server that answers without RRSIGs would therefore likely cause DNSSEC validation failures within that top-level domain for some users.
Proposed Update to the DS Record Evaluation Procedure
In order to enhance stability of the global domain name system by identifying this issue, we propose to alter the technical requirements for listing delegation signer records in the DNS root zone.
- The current test will be preserved: for each DS record proposed for listing in the DNS root zone, each authoritative name server must serve a matching DNSKEY.
- A new validation will be performed: the DNSKEY RRset will be queried from each authoritative name server with the DO-flag set, and we will check that (a) RRSIG records are returned, and (b) the RRSIGs validate using one of the returned DNSKEY records that has the SEP-bit set.
In effect, this new test will not just check that the DS record is correct, but that basic DNSSEC functionality is correctly enabled in each of the authoritative servers.
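The following is an added, stand-alone model of the two checks described above; it is not ICANN, Verisign or root zone management code. It assumes a constructed zone named `example.` with one SEP-flagged KSK and one non-SEP ZSK (RSA/SHA-256 keys generated in the block from fixed seeds, so the run is reproducible), a fixed "now" timestamp, and an `answer` dictionary standing in for the DNSKEY response a server would return to a query with the DO-flag set. The DS digest, key tag, DNSKEY RDATA and RRSIG signed-data layouts follow RFC 3110, RFC 4034 and RFC 4509; the RSA primitives are included only so the example runs with the standard library.

```python
import hashlib
import random
import struct

RSASHA256 = 8                      # DNSKEY/RRSIG algorithm number (RFC 5702)
ZONE_FLAG, SEP_FLAG = 0x0100, 0x0001
TYPE_DNSKEY = 48
_SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")  # PKCS#1 DigestInfo


def name_to_wire(name):
    """Canonical (lower-case) wire form of an owner name."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


# --- minimal RSA (keygen, PKCS#1 v1.5 over SHA-256) so the example needs no third-party crypto
def _probable_prime(n, rng):
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(24):                                     # Miller-Rabin rounds
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits, rng):
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _probable_prime(c, rng):
            return c


def make_rsa_key(bits=1024, seed=0):
    rng, e = random.Random(seed), 65537                     # fixed seed: constructed demo key
    while True:
        p, q = _random_prime(bits // 2, rng), _random_prime(bits // 2, rng)
        if p != q and ((p - 1) * (q - 1)) % e:
            return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}


def _emsa(msg, k):
    t = _SHA256_PREFIX + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def rsa_sign(key, msg):
    k = (key["n"].bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa(msg, k), "big"), key["d"], key["n"]).to_bytes(k, "big")


def rsa_verify(n, e, msg, sig):
    k = (n.bit_length() + 7) // 8
    return len(sig) == k and pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big") == _emsa(msg, k)


# --- DNSSEC wire encodings
def dnskey_rdata(flags, key, alg=RSASHA256):
    """DNSKEY RDATA: flags, protocol 3, algorithm, RFC 3110 key (one-byte exponent length)."""
    eb = key["e"].to_bytes((key["e"].bit_length() + 7) // 8, "big")
    nb = key["n"].to_bytes((key["n"].bit_length() + 7) // 8, "big")
    return struct.pack(">HBB", flags, 3, alg) + bytes([len(eb)]) + eb + nb


def parse_rsa_pubkey(rdata):
    elen = rdata[4]                                         # exponent length < 256 bytes assumed
    return int.from_bytes(rdata[5 + elen:], "big"), int.from_bytes(rdata[5:5 + elen], "big")


def key_tag(rdata):
    """RFC 4034 Appendix B key tag."""
    ac = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner, rdata):
    """DS with digest type 2 (SHA-256, RFC 4509) as (key tag, hex digest)."""
    return key_tag(rdata), hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()


def signed_data(rrsig_fields, owner, ttl, rdatas):
    """RFC 4034 3.1.8.1: RRSIG RDATA without the signature, then the canonical RRset."""
    hdr = name_to_wire(owner) + struct.pack(">HHI", TYPE_DNSKEY, 1, ttl)
    return rrsig_fields + b"".join(hdr + struct.pack(">H", len(rd)) + rd for rd in sorted(rdatas))


def sign_dnskey_rrset(owner, ttl, rdatas, key, key_rd, inception, expiration):
    labels = len([l for l in owner.rstrip(".").split(".") if l])
    fields = struct.pack(">HBBIIIH", TYPE_DNSKEY, RSASHA256, labels, ttl,
                         expiration, inception, key_tag(key_rd)) + name_to_wire(owner)
    return fields, rsa_sign(key, signed_data(fields, owner, ttl, rdatas))


def check_server(owner, ttl, ds_records, answer, now):
    """Both root-zone checks against one server's DNSKEY answer to a DO=1 query.

    answer = {"dnskeys": [rdata, ...], "rrsigs": [(fields, signature), ...]}
    Returns a list of problems; an empty list means the server passes.
    """
    keys, problems = answer["dnskeys"], []
    served = {make_ds(owner, k) for k in keys}
    for ds in ds_records:                                   # existing test: DS matches a served DNSKEY
        if ds not in served:
            problems.append("DS key tag %d matches no served DNSKEY" % ds[0])
    if not answer["rrsigs"]:                                # new test (a): RRSIGs present with DO=1
        return problems + ["no RRSIG over DNSKEY RRset with DO=1"]
    sep_keys = {key_tag(k): k for k in keys if struct.unpack(">H", k[:2])[0] & SEP_FLAG}
    for fields, sig in answer["rrsigs"]:                    # new test (b): validates with a SEP key
        exp, inc, tag = struct.unpack(">IIH", fields[8:18])
        k = sep_keys.get(tag)
        if k is not None and inc <= now <= exp and fields[2] == RSASHA256 and \
                rsa_verify(*parse_rsa_pubkey(k), signed_data(fields, owner, ttl, keys), sig):
            return problems
    return problems + ["no RRSIG validates with a served SEP DNSKEY"]


def demo():
    """Constructed zone 'example.' (SEP KSK + non-SEP ZSK) and three server answers."""
    owner, ttl, now = "example.", 3600, 1300000000          # fixed 'now' (March 2011)
    ksk, zsk = make_rsa_key(seed=1), make_rsa_key(seed=2)
    ksk_rd, zsk_rd = dnskey_rdata(ZONE_FLAG | SEP_FLAG, ksk), dnskey_rdata(ZONE_FLAG, zsk)
    keys = [ksk_rd, zsk_rd]
    ds = [make_ds(owner, ksk_rd)]                           # the DS the TLD asks to have listed
    by_ksk = sign_dnskey_rrset(owner, ttl, keys, ksk, ksk_rd, now - 3600, now + 7 * 86400)
    by_zsk = sign_dnskey_rrset(owner, ttl, keys, zsk, zsk_rd, now - 3600, now + 7 * 86400)
    answers = {
        "good": {"dnskeys": keys, "rrsigs": [by_ksk]},
        "no_rrsig": {"dnskeys": keys, "rrsigs": []},        # the failure mode in the announcement
        "zsk_only": {"dnskeys": keys, "rrsigs": [by_zsk]},  # signed, but not by a SEP key
    }
    return {name: check_server(owner, ttl, ds, a, now) for name, a in answers.items()}


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "PASS" if not problems else problems)
```

Against a real TLD the `answer` would be built from a `dig +dnssec DNSKEY <tld> @<nameserver>` response for each listed authoritative server; the three constructed answers show a server that passes, the unsigned-answer case the announcement describes, and a DNSKEY RRset signed only by a key without the SEP-bit, which test (b) rejects even though the signature itself is valid.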
As today, where these validations fail, ICANN will consult the TLD operator. Should the TLD operator, having understood and accepted any risks associated with listing DS records that do not pass these tests, still wish to proceed, the root zone management partners will continue to process the request.
ICANN proposes to introduce this process into its operational workflow in March 2011. From this time, ICANN will perform the new validation and notify top-level domain operators during the technical check phase of root zone processing. VeriSign will perform the same check just prior to implementation in the root zone.
We welcome your comments and feedback on this to firstname.lastname@example.org.