DNS Extensions Yuji Kamite Internet-Draft NTT Communications Expires: April 15, 2005 Masaya Nakayama The University of Tokyo October 14, 2004 TKEY Secret Key Renewal Mode draft-ietf-dnsext-tkey-renewal-mode-05 Status of this Memo This document is an Internet-Draft and is subject to all provisions of section 3 of RFC 3667. By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she become aware will be disclosed, in accordance with RFC 3668. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on April 15, 2005. Copyright Notice Copyright (C) The Internet Society (2004). Abstract This document defines a new mode in TKEY and proposes an atomic method for changing secret keys used for TSIG periodically. Originally, TKEY provides methods of setting up shared secrets other Kamite, et. al. Expires April 15, 2005 [Page 1] INTERNET-DRAFT October 2004 than manual exchange, but it cannot control timing of key renewal very well though it can add or delete shared keys separately. This proposal is a systematical key renewal procedure intended for preventing signing DNS messages with old and non-safe keys permanently. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1.1 Defined Words . . . . . . . . . . . . . . . . . . . . . . 3 1.2 New Format and Assigned Numbers . . . . . . . . . . . . . 4 1.3 Overview of Secret Key Renewal Mode . . . . . . . . . . . 4 2. Shared Secret Key Renewal . . . . . . . . . . . . . . . . . . 5 2.1 Key Usage Time Check . . . . . . . . . . . . . . . . . . . 5 2.2 Partial Revocation . . . . . . . . . . . . . . . . . . . . 6 2.3 Key Renewal Message Exchange . . . . . . . . . . . . . . . 7 2.3.1 Query for Key Renewal . . . . . . . . . . . . . . . . 7 2.3.2 Response for Key Renewal . . . . . . . . . . . . . . . 7 2.3.3 Attributes of Generated Key . . . . . . . . . . . . . 8 2.3.4 TKEY RR structure . . . . . . . . . . . . . . . . . . 8 2.4 Key Adoption . . . . . . . . . . . . . . . . . . . . . . . 10 2.4.1 Query for Key Adoption . . . . . . . . . . . . . . . . 10 2.4.2 Response for Key Adoption . . . . . . . . . . . . . . 10 2.5 Keying Schemes . . . . . . . . . . . . . . . . . . . . . . 11 2.5.1 DH Exchange for Key Renewal . . . . . . . . . . . . . 11 2.5.2 Server Assigned Keying for Key Renewal . . . . . . . . 12 2.5.3 Resolver Assigned Keying for Key Renewal . . . . . . . 13 2.6 Considerations about Non-compliant Hosts . . . . . . . . . 14 3. Secret Storage . . . . . . . . . . . . . . . . . . . . . . . . 15 4. Compulsory Key Revocation . . . . . . . . . . . . . . . . . . 15 4.1 Compulsory Key Revocation by Server . . . . . . . . . . . 15 4.2 Authentication Methods Considerations . . . . . . . . . . 15 5. Special Considerations for Two Servers' Case . . . . . . . . 16 5.1 To Cope with Collisions of Renewal Requests . . . . . . . 16 6. Key Name Considerations . . . . . . . . . . . . . . . . . . . 17 7. Example Usage of Secret Key Renewal Mode . . . . . . . . . . 17 8. Security Considerations . . . . . . . . . . . . . . . . . . . 20 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 20 10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 21 11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 21 11.1 Normative References . . . . . . . . . . . . . . . . . . . 21 11.2 Informative References . . . . . . . . . . . . . . . . . . 21 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 22 Intellectual Property and Copyright Statements . . . . . . . . 23 Kamite, et. al. Expires April 15, 2005 [Page 2] INTERNET-DRAFT October 2004 1. Introduction TSIG [RFC2845] provides DNS message integrity and the request/transaction authentication by means of message authentication codes (MAC). TSIG is a practical solution in view of calculation speed and availability. However, TSIG does not have exchanging mechanism of shared secret keys between server and resolver, and administrators might have to exchange secret keys manually. TKEY [RFC2930] is introduced to solve such problem and it can exchange secrets for TSIG via networks. In various modes of TKEY, a server and a resolver can add or delete a secret key be means of TKEY message exchange. However, the existing TKEY does not care fully about the management of keys which became too old, or dangerous after long time usage. It is ideal that the number of secret which a pair of hosts share should be limited only one, because having too many keys for the same purpose might not only be a burden to resolvers for managing and distinguishing according to servers to query, but also does not seem to be safe in terms of storage and protection against attackers. Moreover, perhaps holding old keys long time might give attackers chances to compromise by scrupulous calculation. Therefore, when a new shared secret is established by TKEY, the previous old secret should be revoked immediately. To accomplish this, DNS servers must support a protocol for key renewal. This document specifies procedure to refresh secret keys between two hosts which is defined within the framework of TKEY, and it is called "TKEY Secret Key Renewal Mode". The key words "MUST", "MUST NOT", "SHOULD", "SHOULD NOT", "MAY" and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. 1.1. Defined Words * Inception Time: Beginning of the shared secret key lifetime. This value is determined when the key is generated. * Expiry Limit: Time limit of the key's validity. This value is determined when a new key is generated. After Expiry Limit, server and client (resolver) must not authenticate TSIG signed with the key. Therefore, Renewal to the next key should be carried out before Expiry Limit. * Partial Revocation Time: Time when server judges the key is too old Kamite, et. al. Expires April 15, 2005 [Page 3] INTERNET-DRAFT October 2004 and must be updated. It must be between Inception Time and Expiry Limit. This value is determined by server freely following its security policy. e.g., If the time from Inception to Partial Revocation is short, renewal will be carried out more often, which might be safer. * Revocation Time: Time when the key becomes invalid and can be removed. This value is not determined in advance because it is the actual time when revocation is completed. * Adoption Time: Time when the new key is adopted as the next key formally. After Adoption, the key is valid and server and client can generate or verify TSIG making use of it. Adoption Time also means the time when it becomes possible to remove the previous key, so Revocation and Adoption are usually done at the same time. Partial Inception Revocation Revocation Expiry Limit | | | | |----------------|- - - - - - >>|- (revoked) -| | | | | previous key | | | |- - - -|-------------------->> time | | new key Inception Adoption 1.2. New Format and Assigned Numbers TSIG ERROR = (PartialRevoke), TBD TKEY Mode = (server assignment for key renewal), TBD Mode = (Diffie-Hellman exchange for key renewal), TBD Mode = (resolver assignment for key renewal), TBD Mode = (key adoption), TBD 1.3. Overview of Secret Key Renewal Mode When a server receives a query from a client signed with a TSIG key, It always checks if the present time is within the range of usage duration it considers safe. If it is judged that the key is too old, i.e., after Partial Revocation Time, the server comes to be in Partial Revocation state about the key, and this key is called partially revoked. Kamite, et. al. Expires April 15, 2005 [Page 4] INTERNET-DRAFT October 2004 In this state, if a client sends a normal query (e.g., question about A RR) other than TKEY Renewal request with TSIG signed with the old key, the server returns an error message to notify that the time to renew has come. This is called "PartialRevoke" error message. It is server's choice whether it returns PartialRevoke or not. If and only if the server is ready for changing its own key, it decides to return PartialRevoke. The client which got this error is able to notice that it is necessary to refresh the secret. To make a new shared secret, it sends a TKEY Renewal request, in which several keying methods are available. It can make use of TSIG authentication signed with the partially revoked key mentioned above. After new secret establishment, the client sends a TKEY Adoption request for renewal confirmation. This can also be authenticated with the partially revoked key. If this is admitted by the server, the new key is formally adopted, and at the same time the corresponding old secret is invalidated. Then the client can send the first query again signed with the new key. Key renewal procedure is executed based on two-phase commit mechanism. The first phase is the TKEY Renewal request and its response, which means preparatory confirmation for key update. The second phase is Adoption request and its response. If the server gets request and client receives the response successfully, they can finish renewal process. If any error happens and renewal process fails during these phases, client should roll back to the beginning of the first phase, and send TKEY Renewal request again. This rollback can be done until the Expiry Limit of the key. 2. Shared Secret Key Renewal Suppose a server and a client agree to change their TSIG keys periodically. Key renewal procedure is defined between two hosts. 2.1. Key Usage Time Check Whenever a server receives a query with TSIG and can find a key that is used for signing it, the server checks its Inception Time, Partial Revocation Time and Expiry Limit (this information is usually memorized by the server). When the present time is before Inception Time, the server MUST NOT verify TSIG with the key, and server acts the same way as when the key used by the client is not recognized. It follows [RFC2845] 4.5.1. Kamite, et. al. Expires April 15, 2005 [Page 5] INTERNET-DRAFT October 2004 When the present time is equal to Inception Time, or between Inception Time and Partial Revocation Time, the behavior of the server is the same as when a valid key is found. It follows [RFC2845] 4.5.2 and 4.5.3. When the present time is the same as the Partial Revocation Time, or between the Partial Revocation Time and Expiry Limit, the server comes to be in Partial Revocation state about the TSIG key and behaves according to the next section. When the present time is the same as the Expiry Time or after it, the server MUST NOT verify TSIG with the key, and returns error messages in the same way as when the key used by the client is not recognized. It follows [RFC2845] 4.5.1. 2.2. Partial Revocation In Partial Revocation state, we say the server has partially revoked the key and the key has become a "partially revoked key". If server has received a query signed with the partially revoked key for TKEY Renewal request (See section 2.3.) or Key Adoption request (See section 2.4.), then server does proper process following each specification. If it is for TKEY key deletion request ([RFC2930] 4.2), server MAY process usual deletion operation defined therein. If server receives other types of query signed with the partially revoked key, and both the corresponding MAC and signed TIME are verified, then server begins returning answer whose TSIG error code is "PartialRevoke" (See section 9.). Server MUST randomly but with increasing frequency return PartialRevoke when in the Partial Revocation state. Server can decide when it actually sends PartialRevoke, checking if it is appropriate time for renewal. Server MUST NOT return PartialRevoke if this is apart long lived TSIG transaction (such as AXFR) that started before the Partial Revocation Time. If the client receives PartialRevoke and understands it, then it MUST retry the query with the old key unless a new key has been adopted. Client SHOULD start the process to renew the TSIG key. For key renewal procedure, see details in Section 2.3 and 2.4. PartialRevoke period (i.e., time while server returns PartialRevoke randomely) SHOULD be small, say 2-5% of key lifetime. This is server's choice. Kamite, et. al. Expires April 15, 2005 [Page 6] INTERNET-DRAFT October 2004 Server MUST keep track of clients ignoring PartialRevoke, thus indicating ignorance of this TKEY mode. PartialRevoke error messages have the role to inform clients of the keys' partial revocation and urge them to send TKEY Renewal requests. These error responses MUST be signed with those partial revoked keys if the queries are signed with them. They are sent only when the signing keys are found to be partially revoked. If the MAC of TSIG cannot be verified with the partially revoked keys, servers MUST NOT return PartialRevoke error with MAC, but MUST return another error such as "BADSIG" without MAC (following [RFC2845] 4.5.3); in other words, a server informs its key's partial revocation only when the MAC in the received query is valid. 2.3. Key Renewal Message Exchange 2.3.1. Query for Key Renewal If a client has received a PartialRevoke error and authenticated the response based on TSIG MAC, it sends a TKEY query for Key Renewal (in this document, we call it Renewal request, too.) to the server. The request MUST be signed with TSIG or SIG(0) [RFC2931] for authentication. If TSIG is selected, the client can sign it with the partial revoked key. Key Renewal can use one of several keying methods which is indicated in "Mode" field of TKEY RR, and its message structure is dependent on that method. 2.3.2. Response for Key Renewal The server which has received Key Renewal request first tries to verify TSIG or SIG(0) accompanying it. If the TSIG is signed and verified with the partially revoked key, the request MUST be authenticated. After authentication, server must check existing old key's validity. If the partially revoked key indicated in the request TKEY's OldName and OldAlgorithm field (See section 2.3.4.) does not exist at the server, "BADKEY" [RFC2845] is given in Error field for response. If any other error happens, server returns appropriate error messages following the specification described in section 2.5. If there are no errors, server returns a Key Renewal answer. This answer MUST be signed with TSIG or SIG(0) for authentication. When this answer is successfully returned and no error is detected by Kamite, et. al. Expires April 15, 2005 [Page 7] INTERNET-DRAFT October 2004 client, a new shared secret can be established. The details of concrete keying procedure are given in the section 2.5. Note: Sometimes Adoption message and new Renewal request will cross on the wire. In this case the newly generated key Adoption message is resent. 2.3.3. Attributes of Generated Key As a result of this message exchange, client comes to know the newly generated key's attributes such as key's name, Inception Time and Expiry Limit. They are decided by the server and told to the client; in particular, however, once the server has decided Expiry Limit and returned a response, it should obey the decision as far as it can. In other words, they SHOULD NOT change time values for checking Expiry Limit in the future without any special reason, such as security issue like "Emergency Compulsory Revocation" described in section 8. On the other hand, Partial Revocation Time of this generated key is not decided based on the request, and not informed to the client. The server can determine any value as long as it is between Inception Time and Expiry Limit. However, the period from Inception to Partial Revocation SHOULD be fixed as the server side's configuration or be set the same as the corresponding old key's one. Note: Even if client sends Key Renewal request though the key described in OldName has not been partially revoked yet, server does renewal processes. At the moment when the server accepts such requests with valid authentication, it MUST forcibly consider the key is already partially revoked, that is, the key's Partial Revocation Time must be changed into the present time (i.e., the time when the server receives the request). 2.3.4. TKEY RR structure TKEY RR for Key Renewal message has the structure given below. In principle, format and definition for each field follows [RFC2930]. Note that each keying scheme sometimes needs different interpretation of RDATA field; for detail, see section 2.5. Field Type Comment ------- ------ ------- NAME domain used for a new key, see below TYPE u_int16_t (defined in [RFC2930]) Kamite, et. al. Expires April 15, 2005 [Page 8] INTERNET-DRAFT October 2004 CLASS u_int16_t (defined in [RFC2930]) TTL u_int32_t (defined in [RFC2930]) RDLEN u_int16_t (defined in [RFC2930]) RDATA: Algorithm: domain algorithm for a new key Inception: u_int32_t about the keying material Expiration: u_int32_t about the keying material Mode: u_int16_t scheme for key agreement see section 9. Error: u_int16_t see description below Key Size: u_int16_t see description below Key Data: octet-stream Other Size: u_int16_t (defined in [RFC2930]) size of other data Other Data: newly defined: see description below For "NAME" field, both non-root and root name are allowed. It may be used for a new key's name in the same manner as [RFC2930] 2.1. "Algorithm" specifies which algorithm is used for agreed keying material, which is used for identification of the next key. "Inception" and "Expiration" are used for the valid period of keying material. The meanings differ somewhat according to whether the message is request or answer, and its keying scheme. "Key Data" has different meanings according to keying schemes. "Mode" field stores the value in accordance with the keying method, and see section 2.5. Servers and clients supporting TKEY Renewal method MUST implement "Diffie-Hellman exchange for key renewal" scheme. All other modes are OPTIONAL. "Error" is an extended RCODE which includes "PartialRevoke" value too. See section 9. "Other Data" field has the structure given below. They describe attributes of the key to be renewed. in Other Data filed: Field Type Comment ------- ------ ------- OldNAME domain name of the old key OldAlgorithm domain algorithm of the old key Kamite, et. al. Expires April 15, 2005 [Page 9] INTERNET-DRAFT October 2004 "OldName" indicates the name of the previous key (usually, this is partially revoked key's name that client noticed by PartialRevoke answer from server), and "OldAlogirthm" indicates its algorithm. 2.4. Key Adoption 2.4.1. Query for Key Adoption After receiving a TKEY Renewal answer, the client gets the same secret as the server. Then, it sends a TKEY Adoption request. The request's question section's QNAME field is the same as the NAME filed of TKEY written below. In additional section, there is one TKEY RR that has the structure and values described below. "NAME" field is the new key's name to be adopted which was already generated by Renewal message exchange. "Algorithm" is its algorithm. "Inception" means the key's Inception Time, and "Expiration" means Expiry Limit. "Mode" field is the value of "key adoption". See section 9. "Other Data" field in Adoption has the same structure as that of Renewal request message. "OldName" means the previous old key, and "OldAlogirthm" means its algorithm. Key Adoption request MUST be signed with TSIG or SIG(0) for authentication. The client can sign TSIG with the previous key. Note that until Adoption is finished, the new key is treated as invalid, thus it cannot be used for authentication immediately. 2.4.2. Response for Key Adoption The server which has received Adoption request, it verifies TSIG or SIG(0) accompanying it. If the TSIG is signed with the partially revoked key and can be verified, the message MUST be authenticated. If the next new key indicated by the request TKEY's "NAME" is not present at the server, BADNAME [RFC2845] is given in Error field and the error message is returned. If the next key exists but it has not been adopted formally yet, the server confirms the previous key's existence indicated by the "OldName" and "OldAlgorithm" field. If it succeeds, the server executes Adoption of the next key and Revocation of the previous key. Response message duplicates the request's TKEY RR with NOERROR, Kamite, et. al. Expires April 15, 2005 [Page 10] INTERNET-DRAFT October 2004 including "OldName" and "OldAlgorithm" that indicate the revoked key. If the next key exists but it is already adopted, the server returns a response message regardless of the substance of the request TKEY's "OldName". In this response, Response TKEY RR has the same data as the request's one except as to its "Other Data" that is changed into null (i.e., "Other Size" is zero), which is intended for telling the client that the previous key name was ignored, and the new key is already available. Client sometimes has to retry Adoption request. Suppose the client sent request signed with the partially revoked key, but its response did not return successfully (e.g., due to the drop of UDP packet). Client will probably retry Adoption request; however, the request will be refused in the form of TSIG "BADKEY" error because the previous key was already revoked. In this case, client will retransmit Adoption request signed with the next key, and expect a response which has null "Other Data" for confirming the completion of renewal. 2.5. Keying Schemes In Renewal message exchanges, there are no limitations as to which keying method is actually used. The specification of keying algorithms is independent of the general procedure of Renewal that is described in section 2.3. Now this document specifies three algorithms in this section, but other future documents can make extensions defining other methods. 2.5.1. DH Exchange for Key Renewal This scheme is defined as an extended method of [RFC2930] 4.1. This specification only describes the difference from it and special notice; assume that all other points, such as keying material computation, are the exactly same as the specification of [RFC2930] 4.1. Query In Renewal request for type TKEY with this mode, there is one TKEY RR and one KEY RR in the additional information section. KEY RR is the client's Diffie-Hellman public key [RFC2539]. QNAME in question section is the same as that of "NAME" field in TKEY RR, i.e., it means the requested new key's name. Kamite, et. al. Expires April 15, 2005 [Page 11] INTERNET-DRAFT October 2004 TKEY "Mode" field stores the value of "DH exchange for key renewal". See section 9. TKEY "Inception" and "Expiration" are those requested for the keying material, that is, requested usage period of a new key. TKEY "Key Data" is used as a random, following [RFC2930] 4.1. Response The server which received this request first verifies the TSIG, SIG(0) or DNSSEC lookup of KEY RR used. After authentication, the old key's existence validity is checked, following section 2.3. If any incompatible DH key is found in the request, "BADKEY" [RFC2845] is given in Error field for response. "FORMERR" is given if the query included no DH KEY. If there are no errors, the server processes a response according to Diffie-Hellman algorithm and returns the answer. In this answer, there is one TKEY RR in answer section and KEY RR(s) in additional section. As long as no error has occurred, all values of TKEY are equal to that of the request message except TKEY NAME, TKEY RDLEN, RDATA's Inception, Expiration, Key Size and Key Data. TKEY "NAME" field in the answer specifies the name of newly produced key which the client MUST use. TKEY "Inception" and "Expiration" mean the periods of the produced key usage. "Inception" is set to be the time when the new key is actually generated or the time before it, and it will be regarded as Inception Time. "Expiration" is determined by the server, and it will be regarded as Expiry Limit. TKEY "Key Data" is used as an additional nonce, following [RFC2930] 4.1. The resolver supplied Diffie-Hellman KEY RR SHOULD be echoed in the additional section and a server Diffie-Hellman KEY RR will also be present in the answer section, following [RFC2930] 4.1. 2.5.2. Server Assigned Keying for Key Renewal This scheme is defined as an extended method of [RFC2930] 4.4. This specification only describes the difference from it and special notice; assume that all other points, such as secret encrypting method, are the exactly same as the specification of [RFC2930] 4.4. Kamite, et. al. Expires April 15, 2005 [Page 12] INTERNET-DRAFT October 2004 Query In Renewal request for type TKEY with this mode, there is one TKEY RR and one KEY RR in the additional information section. KEY RR is used in encrypting the response. QNAME in question section is the same as that of "NAME" field in TKEY RR, i.e., it means the requested new key's name. TKEY "Mode" field stores the value of "server assignment for key renewal". See section 9. TKEY "Inception" and "Expiration" are those requested for the keying material, that is, requested usage period of a new key. TKEY "Key Data" is provided following the specification of [RFC2930] 4.4. Response The server which received this request first verifies the TSIG, SIG(0) or DNSSEC lookup of KEY RR used. After authentication, the old key's existence validity is checked, following section 2.3. "FORMERR" is given if the query specified no encryption key. If there are no errors, the server response contains one TKEY RR in the answer section, and echoes the KEY RR provided in the query in the additional information section. TKEY "NAME" field in the answer specifies the name of newly produced key which the client MUST use. TKEY "Inception" and "Expiration" mean the periods of the produced key usage. "Inception" is set to be the time when the new key is actually generated or the time before it, and it will be regarded as Inception Time. "Expiration" is determined by the server, and it will be regarded as Expiry Limit. TKEY "Key Data" is the assigned keying data encrypted under the public key in the resolver provided KEY RR, which is the same as [RFC2930] 4.4. 2.5.3. Resolver Assigned Keying for Key Renewal This scheme is defined as an extended method of [RFC2930] 4.5. This specification only describes the difference from it and special notice; assume that all other points, such as secret encrypting method, are the exactly same as the specification of [RFC2930] 4.5. Kamite, et. al. Expires April 15, 2005 [Page 13] INTERNET-DRAFT October 2004 Query In Renewal request for type TKEY with this mode, there is one TKEY RR and one KEY RR in the additional information section. TKEY RR has the encrypted keying material and KEY RR is the server public key used to encrypt the data. QNAME in question section is the same as that of "NAME" field in TKEY RR, i.e., it means the requested new key's name. TKEY "Mode" field stores the value of "resolver assignment for key renewal". See section 9. TKEY "Inception" and "Expiration" are those requested for the keying material, that is, requested usage period of a new key. TKEY "Key Data" is the encrypted keying material. Response The server which received this request first verifies the TSIG, SIG(0) or DNSSEC lookup of KEY RR used. After authentication, the old key's existence validity is checked, following section 2.3. "FORMERR" is given if the server does not have the corresponding private key for the KEY RR that was shown sin the request. If there are no errors, the server returns a response. The response contains a TKEY RR in the answer section to tell the shared key's name and its usage time values. TKEY "NAME" field in the answer specifies the name of newly produced key which the client MUST use. TKEY "Inception" and "Expiration" mean the periods of the produced key usage. "Inception" is set to be the time when the new key is actually generated or the time before it, and it will be regarded as Inception Time. "Expiration" is determined by the server, and it will be regarded as Expiry Limit. 2.6. Considerations about Non-compliant Hosts Key Renewal requests and responses must be exchanged between hosts which can understand them and do proper processes. PartialRevoke error messages will be only ignored if they should be returned to non-compliant hosts. Note that server does not inform actively the necessity of renewal to clients, but inform it as responses invoked by client's query. Server needs not care whether the PartialRevoke errors has reached Kamite, et. al. Expires April 15, 2005 [Page 14] INTERNET-DRAFT October 2004 client or not. If client has not received yet because of any reasons such as packet drops, it will resend the queries, and finally will be able to get PartialRevoke information. 3. Secret Storage Every server keeps all secrets and attached information, e.g., Inception Time, Expiry Limit, etc. safely to be able to recover from unexpected stop. To accomplish this, formally adopted keys SHOULD be memorized not only on memory, but also be stored in the form of some files. It will become more secure if they are stored in ecrypted form. 4. Compulsory Key Revocation 4.1. Compulsory Key Revocation by Server There is a rare but possible case that although servers have already partially revoked keys, clients do not try to send any Renewal requests. If this state continues, in the future it will become the time of Expiry Limit. After Expiry Limit, the keys will be expired and completely removed, so this is called Compulsory Key Revocation by server. If Expiry Limit is too distant from the Partial Revocation Time, then even though very long time passes, clients will be able to refresh secrets only if they add TSIG signed with those old partially revoked keys into requests, which is not safe. On the other hand, if Expiry Limit is too close to Partial Revocation Time, perhaps clients might not be able to notice their keys' Partial Revocation by getting "PartialRevoke" errors. Therefore, servers should set proper Expiry Limit to their keys, considering both their keys' safety, and enough time for clients to send requests and process renewal. 4.2. Authentication Methods Considerations It might be ideal to provide both SIG(0) and TSIG as authentication methods. For example: A client and a server start SIG(0) authentication at first, to establish TSIG shared keys by means of "Query for Diffie-Hellman Exchanged Keying" as described in [RFC2930] 4.1. Once they get Kamite, et. al. Expires April 15, 2005 [Page 15] INTERNET-DRAFT October 2004 shared secret, they keep using TSIG for queries and responses. After a while the server returns a "ParitalRevoke" error and they begin a key renewal process. Both TSIG signed with partially revoked keys and SIG(0) are okay for authentication, but TSIG would be easier to use considering calculation efficiency. Suppose now client is halted for long time with some reason. Because server does not execute any renewal process, it will finally do Compulsory Revocation. Even if client restarts and sends a key Renewal request, it will fail because old key is already deleted at server. At this moment, however, if client also uses SIG(0) as another authentication method, it can make a new shared key again and recover successfully by sending "Query for Diffie-Hellman Exchanged Keying" with SIG(0). 5. Special Considerations for Two servers' Case This section refers to the case where both hosts are DNS servers which can act as full resolvers as well and using one shared key only. If one server (called Server A) wants to refresh a shared key (called "Key A-B"), it will await a TKEY Renewal request from the other server (called Server B). However, perhaps Server A wants to refresh the key right now. In this case, Server A is allowed to send a Renewal request to Server B, if Server A knows the Key A-B is too old and wants to renew it immediately. Note that the initiative in key renewal belongs to Server A because it can notice the Partial Revocation Time and decide key renewal. If Server B has information about Partial Revocation Time as well, it can also decide for itself to send Renewal request to Server A. However, it is not essential for both two servers have information about key renewal timing. 5.1. To Cope with Collisions of Renewal Requests At least one of two hosts which use Key Renewal must know their key renewal information such as Partial Revocation Time. It is okay that both hosts have it. Provided that both two servers know key renewal timing information, there is possibility for them to begin partial revocation and sending Renewal requests to each other at the same time. Such collisions will not happen so often because Renewal requests are usually invoked when Kamite, et. al. Expires April 15, 2005 [Page 16] INTERNET-DRAFT October 2004 hosts want to send queries, but it is possible. When one of two servers tries to send Renewal requests, it MUST protect old secrets that it has partially revoked and prevent it from being refreshed by any requests from the other server (i.e., it must lock the old secret during the process of renewal). While the server is sending Renewal requests and waiting responses, it ignores the other server's Renewal requests. Therefore, servers might fail to change secrets by means of their own requests to others. After failure they will try to resend, but they should wait for random delays by the next retries. If they get any Renewal requests from others while they are waiting, their shared keys may be refreshed, then they do not need to send any Renewal requests now for themselves. 6. Key Name Considerations Since both servers and clients have only to distinguish new secrets and old ones, keys' names do not need to be specified strictly. However, it is recommended that some serial number or key generation time be added to the name and that the names of keys between the same pair of hosts should have some common labels among their keys. For example, suppose A.example.com. and B.example.com. share the key ".A.example.com.B.example.com." such as "10010.A.example.com.B.example.com.". After key renewal, they change their secret and name into "10011.A.example.com.B.example.com." Servers and clients must be able to use keys properly for each query. Because TSIG secret keys themselves do not have any particular IDs to be distinguished and would be identified by their names and algorithm, it must be understood correctly what keys are refreshed. 7. Example Usage of Secret Key Renewal Mode This is an example of Renewal mode usage where a Server, server.example.com, and a Client, client.exmple.com have an initial shared secret key named "00.client.example.com.server.example.com". (1) The time values for key "00.client.example.com.server.example.com" was set as follows: Inception Time is at 1:00, Expiry Limit is at 21:00. (2) At Server, renewal time has been set: Partial Revocation Time is at 20:00. Kamite, et. al. Expires April 15, 2005 [Page 17] INTERNET-DRAFT October 2004 (3) Suppose the present time is 19:55. If Client sends a query signed with key "00.client.example.com.server.example.com" to ask the IP address of "www.example.com", finally it will get a proper answer from Server with valid TSIG (NOERROR). (4) At 20:05. Client sends a query to ask the IP address of "www2.example.com". It is signed with key "00.client.example.com.server.example.com". Server returns an answer for the IP address. However, server has begun retuning PartialRevoke Error randomely. This answer includes valid TSIG MAC signed with "00.client.example.com.server.example.com", and its Error Code indicates PartialRevoke. Client understands that the current key is partially revoked. (5) At 20:06. Client sends a Renewal request to Server. This request is signed with key "00.client.example.com.server.example.com". It includes data such as: Question Section: QNAME = 01.client.example.com. (Client can set this freely) TYPE = TKEY Additional Section: 01.client.example.com. TKEY Algorithm = hmac-md5-sig-alg.reg.int. Inception = (value meaning 20:00) Expiration = (value meaning next day's 16:00) Mode = (DH exchange for key renewal) OldName = 00.client.example.com.server.example.com. OldAlgorithm = hmac-md5-sig-alg.reg.int. Additional Section also contains a KEY RR for DH and a TSIG RR. (6) As soon as Server receives this request, it verifies TSIG. It is signed with the partially revoked key "00.client.example.com.server.example.com". and Server accepts the request. It creates a new key by Diffie-Hellman calculation and returns an answer which includes data such as: Answer Section: 01.client.example.com.server.example.com. TKEY Algorithm = hmac-md5-sig-alg.reg.int. Inception = (value meaning 20:00) Expiration = (value meaning next day's 16:00) Mode = (DH exchange for key renewal) OldName = 00.client.example.com.server.example.com. OldAlgorithm = hmac-md5-sig-alg.reg.int. Kamite, et. al. Expires April 15, 2005 [Page 18] INTERNET-DRAFT October 2004 Answer Section also contains KEY RRs for DH. Additional Section also contains a TSIG RR. This response is signed with key "00.client.example.com.server.example.com" without error. At the same time, Server decides to set the Partial Revocation Time of this new key "01.client.example.com.server.example.com." as next day's 15:00. (7) Client gets the response and checks TSIG MAC, and calculates Diffie-Hellman. It will get a new key, and it has been named "01.client.example.com.server.example.com" by Server. (8) At 20:07. Client sends an Adoption request to Server. This request is signed with the previous key "00.client.example.com.server.example.com". It includes: Question Section: QNAME = 01.client.example.com.server.example.com. TYPE = TKEY Additional Section: 01.client.example.com.server.example.com. TKEY Algorithm = hmac-md5-sig-alg.reg.int. Inception = (value meaning 20:00) Expiration = (value meaning next day's 16:00) Mode = (key adoption) OldName = 00.client.example.com.server.example.com. OldAlgorithm = hmac-md5-sig-alg.reg.int. Additional Section also contains a TSIG RR. (9) Server verifies the query's TSIG. It is signed with the previous key and authenticated. It returns a response whose TKEY RR is the same as the request's one. The response is signed with key "00.client.example.com.server.example.com.". As soon as the response is sent, Server revokes and removes the previous key. At the same time, key "01.client.example.com.server.example.com." is validated. (10) Client acknowledges the success of Adoption by receiving the response. Then, it retries to send an original question about "www2.example.com". It is signed with the adopted key "01.client.example.com.server.example.com", so Server authenticates it and returns an answer. Kamite, et. al. Expires April 15, 2005 [Page 19] INTERNET-DRAFT October 2004 (11) This key is used until next day's 15:00. After that, it will be partially revoked again. 8. Security Considerations This document considers about how to refresh shared secret. Secret changed by this method is used at servers in support of TSIG [RFC2845]. [RFC2104] says that current attacks to HMAC do not indicate a specific recommended frequency for key changes but periodic key refreshment is a fundamental security practice that helps against potential weaknesses of the function and keys, and limits the damage of an exposed key. TKEY Secret Key Renewal provides the method of periodical key refreshment. In TKEY Secret Key Renewal, clients need to send two requests (Renewal and Adoption) and spend time to finish their key renewal processes. Thus the usage period of secrets should be considered carefully based on both TKEY processing performance and security. This document specifies the procedure of periodical key renewal, but actually there is possibility for servers to have no choice other than revoking their secret keys immediately especially when the keys are found to be compromised by attackers. This is called "Emergency Compulsory Revocation". For example, suppose the original Expiry Limit was set at 21:00, Partial Revocation Time at 20:00 and Inception Time at 1:00. if at 11:00 the key is found to be compromised, the server sets Expiry Limit forcibly to be 11:00 or before it. Consequently, once Compulsory Revocation (See section 4.) is carried out, normal renewal process described in this document cannot be done any more as far as the key is concerned. However, after such accidents happened, the two hosts are able to establish secret keys and begin renewal procedure only if they have other (non-compromised) shared TSIG keys or safe SIG(0) keys for the authentication of initial secret establishment such as Diffie-Hellman Exchanged Keying. 9. IANA Considerations IANA needs to allocate a value for "DH exchange for key renewal", "server assignment for key renewal", "resolver assignment for key renewal" and "key adoption" in the mode filed of TKEY. It also needs to allocate a value for "PartialRevoke" from the extended RCODE space. Kamite, et. al. Expires April 15, 2005 [Page 20] INTERNET-DRAFT October 2004 10. Acknowledgements The authors would like to thank Olafur Gudmundsson, whose helpful input and comments contributed greatly to this document. 11. References 11.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", RFC 2119, March 1997. [RFC2539] D. Eastlake 3rd, "Storage of Diffie-Hellman Keys in the Domain Name System (DNS)", RFC 2539, March 1999. [RFC2845] Vixie, P., Gudmundsson, O., Eastlake, D. and B. Wellington, "Secret Key Transaction Authentication for DNS (TSIG)", RFC 2845, May 2000. [RFC2930] D. Eastlake 3rd, ``Secret Key Establishment for DNS (TKEY RR)'', RFC 2930, September 2000. [RFC2931] D. Eastlake 3rd, "DNS Request and Transaction Signatures (SIG(0)s )", RFC 2931, September 2000. 11.2. Informative References [RFC2104] H. Krawczyk, M.Bellare, R. Canetti, "Keyed-Hashing for Message Authentication", RFC2104, February 1997. Kamite, et. al. Expires April 15, 2005 [Page 21] INTERNET-DRAFT October 2004 Authors' Addresses Yuji Kamite NTT Communications Corporation Tokyo Opera City Tower 3-20-2 Nishi Shinjuku, Shinjuku-ku, Tokyo 163-1421, Japan EMail: y.kamite@ntt.com Masaya Nakayama Information Technology Center, The University of Tokyo 2-11-16 Yayoi, Bunkyo-ku, Tokyo 113-8658, Japan EMail: nakayama@nc.u-tokyo.ac.jp Kamite, et. al. Expires April 15, 2005 [Page 22] INTERNET-DRAFT October 2004 Intellectual Property Statement The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79. Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org. Disclaimer of Validity This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Copyright Statement Copyright (C) The Internet Society (2004). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. Acknowledgment Funding for the RFC Editor function is currently provided by the Internet Society. Kamite, et. al. Expires April 15, 2005 [Page 23]