WikiStart: draft-ietf-dnsext-nsec3-13.txt

Line
1
2
3
4	Network Working Group B. Laurie
5	Internet-Draft G. Sisson
6	Intended status: Standards Track R. Arends
7	Expires: June 2, 2008 Nominet
8	D. Blacka
9	VeriSign, Inc.
10	November 30, 2007
11
12
13	DNSSEC Hashed Authenticated Denial of Existence
14	draft-ietf-dnsext-nsec3-13
15
16	Status of this Memo
17
18	By submitting this Internet-Draft, each author represents that any
19	applicable patent or other IPR claims of which he or she is aware
20	have been or will be disclosed, and any of which he or she becomes
21	aware will be disclosed, in accordance with Section 6 of BCP 79.
22
23	Internet-Drafts are working documents of the Internet Engineering
24	Task Force (IETF), its areas, and its working groups. Note that
25	other groups may also distribute working documents as Internet-
26	Drafts.
27
28	Internet-Drafts are draft documents valid for a maximum of six months
29	and may be updated, replaced, or obsoleted by other documents at any
30	time. It is inappropriate to use Internet-Drafts as reference
31	material or to cite them other than as "work in progress."
32
33	The list of current Internet-Drafts can be accessed at
34	http://www.ietf.org/ietf/1id-abstracts.txt.
35
36	The list of Internet-Draft Shadow Directories can be accessed at
37	http://www.ietf.org/shadow.html.
38
39	This Internet-Draft will expire on June 2, 2008.
40
41	Copyright Notice
42
43	Copyright (C) The IETF Trust (2007).
44
45	Abstract
46
47	The Domain Name System Security Extensions (DNSSEC) introduced the
48	NSEC resource record (RR) for authenticated denial of existence.
49	This document introduces an alternative resource record, NSEC3, which
50	similarly provides authenticated denial of existence. However, it
51	also provides measures against zone enumeration and permits gradual
52
53
54
55	Laurie, et al. Expires June 2, 2008 [Page 1]
56
57	Internet-Draft nsec3 November 2007
58
59
60	expansion of delegation-centric zones.
61
62
63	Table of Contents
64
65	1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
66	1.1. Rationale . . . . . . . . . . . . . . . . . . . . . . . . 4
67	1.2. Reserved Words . . . . . . . . . . . . . . . . . . . . . . 4
68	1.3. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4
69	2. Backwards Compatibility . . . . . . . . . . . . . . . . . . . 6
70	3. The NSEC3 Resource Record . . . . . . . . . . . . . . . . . . 7
71	3.1. RDATA Fields . . . . . . . . . . . . . . . . . . . . . . . 8
72	3.1.1. Hash Algorithm . . . . . . . . . . . . . . . . . . . . 8
73	3.1.2. Flags . . . . . . . . . . . . . . . . . . . . . . . . 8
74	3.1.3. Iterations . . . . . . . . . . . . . . . . . . . . . . 8
75	3.1.4. Salt Length . . . . . . . . . . . . . . . . . . . . . 8
76	3.1.5. Salt . . . . . . . . . . . . . . . . . . . . . . . . . 8
77	3.1.6. Hash Length . . . . . . . . . . . . . . . . . . . . . 9
78	3.1.7. Next Hashed Owner Name . . . . . . . . . . . . . . . . 9
79	3.1.8. Type Bit Maps . . . . . . . . . . . . . . . . . . . . 9
80	3.2. NSEC3 RDATA Wire Format . . . . . . . . . . . . . . . . . 9
81	3.2.1. Type Bit Maps Encoding . . . . . . . . . . . . . . . . 10
82	3.3. Presentation Format . . . . . . . . . . . . . . . . . . . 11
83	4. The NSEC3PARAM Record . . . . . . . . . . . . . . . . . . . . 12
84	4.1. RDATA Fields . . . . . . . . . . . . . . . . . . . . . . . 12
85	4.1.1. Hash Algorithm . . . . . . . . . . . . . . . . . . . . 12
86	4.1.2. Flag Fields . . . . . . . . . . . . . . . . . . . . . 12
87	4.1.3. Iterations . . . . . . . . . . . . . . . . . . . . . . 13
88	4.1.4. Salt Length . . . . . . . . . . . . . . . . . . . . . 13
89	4.1.5. Salt . . . . . . . . . . . . . . . . . . . . . . . . . 13
90	4.2. NSEC3PARAM RDATA Wire Format . . . . . . . . . . . . . . . 13
91	4.3. Presentation Format . . . . . . . . . . . . . . . . . . . 13
92	5. Calculation of the Hash . . . . . . . . . . . . . . . . . . . 14
93	6. Opt-Out . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
94	7. Authoritative Server Considerations . . . . . . . . . . . . . 15
95	7.1. Zone Signing . . . . . . . . . . . . . . . . . . . . . . . 15
96	7.2. Zone Serving . . . . . . . . . . . . . . . . . . . . . . . 17
97	7.2.1. Closest Encloser Proof . . . . . . . . . . . . . . . . 18
98	7.2.2. Name Error Responses . . . . . . . . . . . . . . . . . 18
99	7.2.3. No Data Responses, QTYPE is not DS . . . . . . . . . . 19
100	7.2.4. No Data Responses, QTYPE is DS . . . . . . . . . . . . 19
101	7.2.5. Wildcard No Data Responses . . . . . . . . . . . . . . 19
102	7.2.6. Wildcard Answer Responses . . . . . . . . . . . . . . 19
103	7.2.7. Referrals to Unsigned Subzones . . . . . . . . . . . . 20
104	7.2.8. Responding to Queries for NSEC3 Owner Names . . . . . 20
105	7.2.9. Server Response to a Run-time Collision . . . . . . . 20
106	7.3. Secondary Servers . . . . . . . . . . . . . . . . . . . . 20
107	7.4. Zones Using Unknown Hash Algorithms . . . . . . . . . . . 21
108
109
110
111	Laurie, et al. Expires June 2, 2008 [Page 2]
112
113	Internet-Draft nsec3 November 2007
114
115
116	7.5. Dynamic Update . . . . . . . . . . . . . . . . . . . . . . 21
117	8. Validator Considerations . . . . . . . . . . . . . . . . . . . 22
118	8.1. Responses with Unknown Hash Types . . . . . . . . . . . . 22
119	8.2. Verifying NSEC3 RRs . . . . . . . . . . . . . . . . . . . 22
120	8.3. Closest Encloser Proof . . . . . . . . . . . . . . . . . . 23
121	8.4. Validating Name Error Responses . . . . . . . . . . . . . 24
122	8.5. Validating No Data Responses, QTYPE is not DS . . . . . . 24
123	8.6. Validating No Data Responses, QTYPE is DS . . . . . . . . 24
124	8.7. Validating Wildcard No Data Responses . . . . . . . . . . 24
125	8.8. Validating Wildcard Answer Responses . . . . . . . . . . . 24
126	8.9. Validating Referrals to Unsigned Subzones . . . . . . . . 25
127	9. Resolver Considerations . . . . . . . . . . . . . . . . . . . 25
128	9.1. NSEC3 Resource Record Caching . . . . . . . . . . . . . . 25
129	9.2. Use of the AD Bit . . . . . . . . . . . . . . . . . . . . 25
130	10. Special Considerations . . . . . . . . . . . . . . . . . . . . 26
131	10.1. Domain Name Length Restrictions . . . . . . . . . . . . . 26
132	10.2. DNAME at the Zone Apex . . . . . . . . . . . . . . . . . . 26
133	10.3. Iterations . . . . . . . . . . . . . . . . . . . . . . . . 26
134	10.4. Transitioning a Signed Zone from NSEC to NSEC3 . . . . . . 27
135	10.5. Transitioning a Signed Zone From NSEC3 to NSEC . . . . . . 28
136	11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 28
137	12. Security Considerations . . . . . . . . . . . . . . . . . . . 30
138	12.1. Hashing Considerations . . . . . . . . . . . . . . . . . . 30
139	12.1.1. Dictionary Attacks . . . . . . . . . . . . . . . . . . 30
140	12.1.2. Collisions . . . . . . . . . . . . . . . . . . . . . . 30
141	12.1.3. Transitioning to a New Hash Algorithm . . . . . . . . 30
142	12.1.4. Using High Iteration Values . . . . . . . . . . . . . 31
143	12.2. Opt-Out Considerations . . . . . . . . . . . . . . . . . . 31
144	12.3. Other Considerations . . . . . . . . . . . . . . . . . . . 32
145	13. References . . . . . . . . . . . . . . . . . . . . . . . . . . 32
146	13.1. Normative References . . . . . . . . . . . . . . . . . . . 32
147	13.2. Informative References . . . . . . . . . . . . . . . . . . 33
148	Appendix A. Example Zone . . . . . . . . . . . . . . . . . . . . 34
149	Appendix B. Example Responses . . . . . . . . . . . . . . . . . . 39
150	B.1. Name Error . . . . . . . . . . . . . . . . . . . . . . . . 39
151	B.2. No Data Error . . . . . . . . . . . . . . . . . . . . . . 41
152	B.2.1. No Data Error, Empty Non-Terminal . . . . . . . . . . 41
153	B.3. Referral to an Opt-Out Unsigned Zone . . . . . . . . . . . 42
154	B.4. Wildcard Expansion . . . . . . . . . . . . . . . . . . . . 44
155	B.5. Wildcard No Data Error . . . . . . . . . . . . . . . . . . 46
156	B.6. DS Child Zone No Data Error . . . . . . . . . . . . . . . 47
157	Appendix C. Special Considerations . . . . . . . . . . . . . . . 48
158	C.1. Salting . . . . . . . . . . . . . . . . . . . . . . . . . 48
159	C.2. Hash Collision . . . . . . . . . . . . . . . . . . . . . . 49
160	C.2.1. Avoiding Hash Collisions During Generation . . . . . . 49
161	C.2.2. Second Preimage Requirement Analysis . . . . . . . . . 50
162	Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 50
163	Intellectual Property and Copyright Statements . . . . . . . . . . 52
164
165
166
167	Laurie, et al. Expires June 2, 2008 [Page 3]
168
169	Internet-Draft nsec3 November 2007
170
171
172	1. Introduction
173
174	1.1. Rationale
175
176	The DNS Security Extensions included the NSEC RR to provide
177	authenticated denial of existence. Though the NSEC RR meets the
178	requirements for authenticated denial of existence, it introduces a
179	side-effect in that the contents of a zone can be enumerated. This
180	property introduces undesired policy issues.
181
182	The enumeration is enabled by the set of NSEC records that exists
183	inside a signed zone. An NSEC record lists two names that are
184	ordered canonically, in order to show that nothing exists between the
185	two names. The complete set of NSEC records lists all the names in a
186	zone. It is trivial to enumerate the content of a zone by querying
187	for names that do not exist.
188
189	An enumerated zone can be used, for example, as a source of probable
190	e-mail addresses for spam, or as a key for multiple WHOIS queries to
191	reveal registrant data which many registries may have legal
192	obligations to protect. Many registries therefore prohibit copying
193	of their zone data; however, the use of NSEC RRs renders these
194	policies unenforceable.
195
196	A second problem is that the cost to cryptographically secure
197	delegations to unsigned zones is high, relative to the perceived
198	security benefit, in two cases: large, delegation-centric zones, and
199	zones where insecure delegations will be updated rapidly. In these
200	cases, the costs of maintaining the NSEC RR chain may be extremely
201	high and use of the "Opt-Out" convention may be more appropriate (for
202	these unsecured zones).
203
204	This document presents the NSEC3 Resource Record which can be used as
205	an alternative to NSEC to mitigate these issues.
206
207	Earlier work to address these issues include [I-D.jas-dnsext-no],
208	[RFC4956] and [I-D.laurie-dnsext-nsec2v2].
209
210	1.2. Reserved Words
211
212	The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
213	"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
214	document are to be interpreted as described in [RFC2119].
215
216	1.3. Terminology
217
218	The reader is assumed to be familiar with the basic DNS and DNSSEC
219	concepts described in [RFC1034], [RFC1035], [RFC4033], [RFC4034],
220
221
222
223	Laurie, et al. Expires June 2, 2008 [Page 4]
224
225	Internet-Draft nsec3 November 2007
226
227
228	[RFC4035] and subsequent RFCs that update them: [RFC2136], [RFC2181]
229	and [RFC2308].
230
231	The following terminology is used throughout this document:
232
233	Zone enumeration: the practice of discovering the full content of a
234	zone via successive queries. Zone enumeration was non-trivial
235	prior to the introduction of DNSSEC.
236
237	Original owner name: the owner name corresponding to a hashed owner
238	name.
239
240	Hashed owner name: the owner name created after applying the hash
241	function to an owner name.
242
243	Hash order: the order in which hashed owner names are arranged
244	according to their numerical value, treating the leftmost (lowest
245	numbered) octet as the most significant octet. Note that this
246	order is the same as the canonical DNS name order specified in
247	[RFC4034] when the hashed owner names are in base32 encoded with
248	Extended Hex Alphabet [RFC4648].
249
250	Empty non-terminal: a domain name that owns no resource records, but
251	has one or more subdomains that do.
252
253	Delegation: an NS RRSet with a name different from the current zone
254	apex (non-zone-apex), signifying a delegation to a child zone.
255
256	Secure delegation: a name containing a delegation (NS RRSet), and a
257	signed DS RRSet, signifying a delegation to a signed child zone.
258
259	Insecure delegation: a name containing a delegation (NS RRSet), but
260	lacking a DS RRSet, signifying a delegation to an unsigned child
261	zone.
262
263	Opt-Out NSEC3 resource record: an NSEC3 resource record which has
264	the Opt-Out flag set to 1.
265
266	Opt-Out zone: a zone with at least one Opt-Out NSEC3 RR.
267
268	Closest encloser: the longest existing ancestor of a name. See also
269	section 3.3.1 of [RFC4592].
270
271	Closest provable encloser: the longest ancestor of a name that can
272	be proven to exist. Note that this is only different from the
273	closest encloser in an Opt-Out zone.
274
275
276
277
278
279	Laurie, et al. Expires June 2, 2008 [Page 5]
280
281	Internet-Draft nsec3 November 2007
282
283
284	Next closer name: the name one label longer than the closest
285	provable encloser of a name.
286
287	Base32: the "Base 32 Encoding with Extended Hex Alphabet" as
288	specified in [RFC4648]. Note that trailing padding characters
289	("=") are not used in the NSEC3 specification.
290
291	To cover: An NSEC3 RR is said to "cover" a name if the hash of the
292	name or "next closer" name falls between the owner name and the
293	next hashed owner name of the NSEC3. In other words, if it proves
294	the nonexistence of the name, either directly or by proving the
295	nonexistence of an ancestor of the name.
296
297	To match: An NSEC3 RR is said to "match" a name if the owner name of
298	the NSEC3 RR is the same as the hashed owner name of that name.
299
300
301	2. Backwards Compatibility
302
303	This specification describes a protocol change that is not generally
304	backwards compatible with [RFC4033], [RFC4034] and [RFC4035]. In
305	particular, security-aware resolvers that are unaware of this
306	specification (NSEC3-unaware resolvers) may fail to validate the
307	responses introduced by this document.
308
309	In order to aid deployment, this specification uses a signaling
310	technique to prevent NSEC3-unaware resolvers from attempting to
311	validate responses from NSEC3-signed zones.
312
313	This specification allocates two new DNSKEY algorithm identifiers for
314	this purpose. Algorithm XX, DSA-NSEC3-SHA1 [### RFC-editor update
315	required, temporarily, XX=131] is an alias for algorithm 3, DSA.
316	Algorithm YY, RSASHA1-NSEC3-SHA1 [### RFC-editor update required,
317	temporarily, YY=133] is an alias for algorithm 5, RSASHA1. These are
318	not new algorithms, they are additional identifiers for the existing
319	algorithms.
320
321	Zones signed according to this specification MUST only use these
322	algorithm identifiers for their DNSKEY RRs. Because these new
323	identifiers will be unknown algorithms to existing, NSEC3-unaware
324	resolvers, those resolvers will then treat responses from the NSEC3
325	signed zone as insecure, as detailed in [RFC4035], section 5.2.
326
327	These algorithm identifiers are used with the NSEC3 hash algorithm
328	SHA1. Using other NSEC3 hash algorithms requires allocation of a new
329	alias (see Section 12.1.3).
330
331	Security aware resolvers that are aware of this specification MUST
332
333
334
335	Laurie, et al. Expires June 2, 2008 [Page 6]
336
337	Internet-Draft nsec3 November 2007
338
339
340	recognize the new algorithm identifiers and treat them as equivalent
341	to the algorithms that they alias.
342
343	A methodology for transitioning from a DNSSEC signed zone to a zone
344	signed using NSEC3 is discussed in Section 10.4.
345
346
347	3. The NSEC3 Resource Record
348
349	The NSEC3 Resource Record (RR) provides authenticated denial of
350	existence for DNS Resource Record Sets.
351
352	The NSEC3 RR lists RR types present at the original owner name of the
353	NSEC3 RR. It includes the next hashed owner name in the hash order
354	of the zone. The complete set of NSEC3 RRs in a zone indicates which
355	RRSets exist for the original owner name of the RR and form a chain
356	of hashed owner names in the zone. This information is used to
357	provide authenticated denial of existence for DNS data. To provide
358	protection against zone enumeration, the owner names used in the
359	NSEC3 RR are cryptographic hashes of the original owner name
360	prepended as a single label to the name of the zone. The NSEC3 RR
361	indicates which hash function is used to construct the hash, which
362	salt is used, and how many iterations of the hash function are
363	performed over the original owner name. The hashing technique is
364	described fully in Section 5.
365
366	Hashed owner names of unsigned delegations may be excluded from the
367	chain. An NSEC3 RR whose span covers the hash of an owner name or
368	"next closer" name of an unsigned delegation is referred to as an
369	Opt-Out NSEC3 RR and is indicated by the presence of a flag.
370
371	The owner name for the NSEC3 RR is the base32 encoding of the hashed
372	owner name prepended as a single label to the name of the zone.
373
374	The type value for the NSEC3 RR is NN. [### RFC-editor update
375	required, the examples assume NN=50]
376
377	The NSEC3 RR RDATA format is class independent and is described
378	below.
379
380	The class MUST be the same as the class of the original owner name.
381
382	The NSEC3 RR SHOULD have the same TTL value as the SOA minimum TTL
383	field. This is in the spirit of negative caching [RFC2308].
384
385
386
387
388
389
390
391	Laurie, et al. Expires June 2, 2008 [Page 7]
392
393	Internet-Draft nsec3 November 2007
394
395
396	3.1. RDATA Fields
397
398	3.1.1. Hash Algorithm
399
400	The Hash Algorithm field identifies the cryptographic hash algorithm
401	used to construct the hash-value.
402
403	The values for this field are defined in the NSEC3 hash algorithm
404	registry, described in Section 11.
405
406	3.1.2. Flags
407
408	The Flags field contains 8 one-bit flags that can be used to indicate
409	different processing. All undefined flags must be zero. The only
410	flag defined by this specification is the Opt-Out flag.
411
412	3.1.2.1. Opt-Out Flag
413
414	If the Opt-Out flag is set, the NSEC3 record covers zero or more
415	unsigned delegations.
416
417	If the Opt-Out flag is clear, the NSEC3 record covers zero unsigned
418	delegations.
419
420	The Opt-Out Flag indicates whether this NSEC3 RR may cover unsigned
421	delegations. It is the least significant bit in the Flags field.
422	See Section 6 for details about the use of this flag.
423
424	3.1.3. Iterations
425
426	The Iterations field defines the number of additional times the hash
427	function has been performed. More iterations result in greater
428	resiliency of the hash value against dictionary attacks, but at a
429	higher computational cost for both the server and resolver. See
430	Section 5 for details of the use of this field, and Section 10.3 for
431	limitations on the value.
432
433	3.1.4. Salt Length
434
435	The Salt Length field defines the length of the Salt field in octets,
436	ranging in value from 0 to 255.
437
438	3.1.5. Salt
439
440	The Salt field is appended to the original owner name before hashing
441	in order to defend against pre-calculated dictionary attacks. See
442	Section 5 for details on how the salt is used.
443
444
445
446
447	Laurie, et al. Expires June 2, 2008 [Page 8]
448
449	Internet-Draft nsec3 November 2007
450
451
452	3.1.6. Hash Length
453
454	The Hash Length field defines the length of the Next Hashed Owner
455	Name field, ranging in value from 1 to 255 octets.
456
457	3.1.7. Next Hashed Owner Name
458
459	The Next Hashed Owner Name field contains the next hashed owner name
460	in hash order. This value is in binary format. Given the ordered
461	set of all hashed owner names, the Next Hashed Owner Name field
462	contains the hash of an owner name that immediately follows the owner
463	name of the given NSEC3 RR. The value of the Next Hashed Owner Name
464	field in the last NSEC3 RR in the zone is the same as the hashed
465	owner name of the first NSEC3 RR in the zone in hash order. Note
466	that, unlike the owner name of the NSEC3 RR, the value of this field
467	does not contain the appended zone name.
468
469	3.1.8. Type Bit Maps
470
471	The Type Bit Maps field identifies the RRSet types which exist at the
472	original owner name of the NSEC3 RR.
473
474	3.2. NSEC3 RDATA Wire Format
475
476	The RDATA of the NSEC3 RR is as shown below:
477
478	1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
479	0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
480	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
481	\| Hash Alg. \| Flags \| Iterations \|
482	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
483	\| Salt Length \| Salt /
484	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
485	\| Hash Length \| Next Hashed Owner Name /
486	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
487	/ Type Bit Maps /
488	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
489
490	Hash Algorithm is a single octet.
491
492	Flags field is a single octet, the Opt-Out flag is the least
493	significant bit, as shown below:
494
495	0 1 2 3 4 5 6 7
496	+-+-+-+-+-+-+-+-+
497	\| \|O\|
498	+-+-+-+-+-+-+-+-+
499
500
501
502
503	Laurie, et al. Expires June 2, 2008 [Page 9]
504
505	Internet-Draft nsec3 November 2007
506
507
508	Iterations is represented as a 16-bit unsigned integer, with the most
509	significant bit first.
510
511	Salt Length is represented as an unsigned octet. Salt Length
512	represents the length of the Salt field in octets. If the value is
513	zero, the following Salt field is omitted.
514
515	Salt, if present, is encoded as a sequence of binary octets. The
516	length of this field is determined by the preceding Salt Length
517	field.
518
519	Hash Length is represented as an unsigned octet. Hash Length
520	represents the length of the Next Hashed Owner Name field in octets.
521
522	The next hashed owner name is not base32 encoded, unlike the owner
523	name of the NSEC3 RR. It is the unmodified binary hash value. It
524	does not include the name of the containing zone. The length of this
525	field is determined by the preceding Hash Length field.
526
527	3.2.1. Type Bit Maps Encoding
528
529	The encoding of the Type Bit Maps field is the same as that used by
530	the NSEC RR, described in [RFC4034]. It is explained and clarified
531	here for clarity.
532
533	The RR type space is split into 256 window blocks, each representing
534	the low-order 8 bits of the 16-bit RR type space. Each block that
535	has at least one active RR type is encoded using a single octet
536	window number (from 0 to 255), a single octet bitmap length (from 1
537	to 32) indicating the number of octets used for the bitmap of the
538	window block, and up to 32 octets (256 bits) of bitmap.
539
540	Blocks are present in the NSEC3 RR RDATA in increasing numerical
541	order.
542
543	Type Bit Maps Field = ( Window Block # \| Bitmap Length \| Bitmap )+
544
545	where "\|" denotes concatenation.
546
547	Each bitmap encodes the low-order 8 bits of RR types within the
548	window block, in network bit order. The first bit is bit 0. For
549	window block 0, bit 1 corresponds to RR type 1 (A), bit 2 corresponds
550	to RR type 2 (NS), and so forth. For window block 1, bit 1
551	corresponds to RR type 257, bit 2 to RR type 258. If a bit is set to
552	1, it indicates that an RRSet of that type is present for the
553	original owner name of the NSEC3 RR. If a bit is set to 0, it
554	indicates that no RRSet of that type is present for the original
555	owner name of the NSEC3 RR.
556
557
558
559	Laurie, et al. Expires June 2, 2008 [Page 10]
560
561	Internet-Draft nsec3 November 2007
562
563
564	Since bit 0 in window block 0 refers to the non-existing RR type 0,
565	it MUST be set to 0. After verification, the validator MUST ignore
566	the value of bit 0 in window block 0.
567
568	Bits representing Meta-TYPEs or QTYPEs as specified in [RFC2929]
569	(section 3.1) or within the range reserved for assignment only to
570	QTYPEs and Meta-TYPEs MUST be set to 0, since they do not appear in
571	zone data. If encountered, they must be ignored upon reading.
572
573	Blocks with no types present MUST NOT be included. Trailing zero
574	octets in the bitmap MUST be omitted. The length of the bitmap of
575	each block is determined by the type code with the largest numerical
576	value, within that block, among the set of RR types present at the
577	original owner name of the NSEC3 RR. Trailing octets not specified
578	MUST be interpreted as zero octets.
579
580	3.3. Presentation Format
581
582	The presentation format of the RDATA portion is as follows:
583
584	o The Hash Algorithm field is represented as an unsigned decimal
585	integer. The value has a maximum of 255.
586
587	o The Flags field is represented as an unsigned decimal integer.
588	The value has a maximum of 255.
589
590	o The Iterations field is represented as an unsigned decimal
591	integer. The value is between 0 and 65535, inclusive.
592
593	o The Salt Length field is not represented.
594
595	o The Salt field is represented as a sequence of case-insensitive
596	hexadecimal digits. Whitespace is not allowed within the
597	sequence. The Salt field is represented as "-" (without the
598	quotes) when the Salt Length field has value 0.
599
600	o The Hash Length field is not represented.
601
602	o The Next Hashed Owner Name field is represented as an unpadded
603	sequence of case-insensitive base32 digits, without whitespace.
604
605	o The Type Bit Maps field is represented as a sequence of RR type
606	mnemonics. When the mnemonic is not known, the TYPE
607	representation as described in [RFC3597] (section 5) MUST be used.
608
609
610
611
612
613
614
615	Laurie, et al. Expires June 2, 2008 [Page 11]
616
617	Internet-Draft nsec3 November 2007
618
619
620	4. The NSEC3PARAM Record
621
622	The NSEC3PARAM RR contains the NSEC3 parameters (hash algorithm,
623	flags, iterations and salt) needed by authoritative servers to
624	calculate hashed owner names. The presence of an NSEC3PARAM RR at a
625	zone apex indicates that the specified parameters may be used by
626	authoritative servers to choose an appropriate set of NSEC3 RRs for
627	negative responses. The NSEC3PARAM RR is not used by validators or
628	resolvers.
629
630	If an NSEC3PARAM RR is present at the apex of a zone with a Flags
631	field value of zero, then there MUST be an NSEC3 RR using the same
632	hash algorithm, iterations and salt parameters present at every
633	hashed owner name in the zone. That is, the zone MUST contain a
634	complete set of NSEC3 RRs with the same hash algorithm, iterations
635	and salt parameters.
636
637	The owner name for the NSEC3PARAM RR is the name of the zone apex.
638
639	The type value for the NSEC3PARAM RR is MM. [### RFC-editor update
640	required, the examples assume MM=51]
641
642	The NSEC3PARAM RR RDATA format is class independent and is described
643	below.
644
645	The class MUST be the same as the NSEC3 RRs to which this RR refers.
646
647	4.1. RDATA Fields
648
649	The RDATA for this RR mirrors the first four fields in the NSEC3 RR.
650
651	4.1.1. Hash Algorithm
652
653	The Hash Algorithm field identifies the cryptographic hash algorithm
654	used to construct the hash-value.
655
656	The acceptable values are the same as the corresponding field in the
657	NSEC3 RR.
658
659	4.1.2. Flag Fields
660
661	The Opt-Out flag is not used and is set to zero.
662
663	All other flags are reserved for future use, and must be zero.
664
665	NSEC3PARAM RRs with a Flags field value other than zero MUST be
666	ignored.
667
668
669
670
671	Laurie, et al. Expires June 2, 2008 [Page 12]
672
673	Internet-Draft nsec3 November 2007
674
675
676	4.1.3. Iterations
677
678	The Iterations field defines the number of additional times the hash
679	is performed.
680
681	Its acceptable values are the same as the corresponding field in the
682	NSEC3 RR.
683
684	4.1.4. Salt Length
685
686	The Salt Length field defines the length of the salt in octets,
687	ranging in value from 0 to 255.
688
689	4.1.5. Salt
690
691	The Salt field is appended to the original owner name before hashing.
692
693	4.2. NSEC3PARAM RDATA Wire Format
694
695	The RDATA of the NSEC3PARAM RR is as shown below:
696
697	1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
698	0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
699	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
700	\| Hash Alg. \| Flags \| Iterations \|
701	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
702	\| Salt Length \| Salt /
703	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
704
705	Hash Algorithm is a single octet.
706
707	Flags field is a single octet.
708
709	Iterations is represented as a 16-bit unsigned integer, with the most
710	significant bit first.
711
712	Salt Length is represented as an unsigned octet. Salt Length
713	represents the length of the following Salt field in octets. If the
714	value is zero, the Salt field is omitted.
715
716	Salt, if present, is encoded as a sequence of binary octets. The
717	length of this field is determined by the preceding Salt Length
718	field.
719
720	4.3. Presentation Format
721
722	The presentation format of the RDATA portion is as follows:
723
724
725
726
727	Laurie, et al. Expires June 2, 2008 [Page 13]
728
729	Internet-Draft nsec3 November 2007
730
731
732	o The Hash Algorithm field is represented as an unsigned decimal
733	integer. The value has a maximum of 255.
734
735	o The Flags field is represented as an unsigned decimal integer.
736	The value has a maximum value of 255.
737
738	o The Iterations field is represented as an unsigned decimal
739	integer. The value is between 0 and 65535, inclusive.
740
741	o The Salt Length field is not represented.
742
743	o The Salt field is represented as a sequence of case-insensitive
744	hexadecimal digits. Whitespace is not allowed within the
745	sequence. This field is represented as "-" (without the quotes)
746	when the Salt Length field is zero.
747
748
749	5. Calculation of the Hash
750
751	The hash calculation uses three of the NSEC3 RDATA fields: Hash
752	Algorithm, Salt, and Iterations.
753
754	Define H(x) to be the hash of x using the Hash Algorithm selected by
755	the NSEC3 RR, k to be the number of Iterations, and \|\| to indicate
756	concatenation. Then define:
757
758	IH(salt, x, 0) = H(x \|\| salt), and
759
760	IH(salt, x, k) = H(IH(salt, x, k-1) \|\| salt), if k > 0
761
762	Then the calculated hash of an owner name is
763
764	IH(salt, owner name, iterations),
765
766	where the owner name is in the canonical form, defined as:
767
768	The wire format of the owner name where:
769
770	1. The owner name is fully expanded (no DNS name compression) and
771	fully qualified;
772
773	2. All uppercase US-ASCII letters are replaced by the corresponding
774	lowercase US-ASCII letters;
775
776	3. If the owner name is a wildcard name, the owner name is in its
777	original unexpanded form, including the "*" label (no wildcard
778	substitution);
779
780
781
782
783	Laurie, et al. Expires June 2, 2008 [Page 14]
784
785	Internet-Draft nsec3 November 2007
786
787
788	This form is as defined in section 6.2 of [RFC4034].
789
790	The method to calculate the Hash is based on [RFC2898].
791
792
793	6. Opt-Out
794
795	In this specification, as in [RFC4033], [RFC4034] and [RFC4035], NS
796	RRSets at delegation points are not signed and may be accompanied by
797	a DS RRSet. With the Opt-Out bit clear, the security status of the
798	child zone is determined by the presence or absence of this DS RRSet,
799	cryptographically proven by the signed NSEC3 RR at the hashed owner
800	name of the delegation. Setting the Opt-Out flag modifies this by
801	allowing insecure delegations to exist within the signed zone without
802	a corresponding NSEC3 RR at the hashed owner name of the delegation.
803
804	An Opt-Out NSEC3 RR is said to cover a delegation if the hash of the
805	owner name or "next closer" name of the delegation is between the
806	owner name of the NSEC3 RR and the next hashed owner name.
807
808	An Opt-Out NSEC3 RR does not assert the existence or non-existence of
809	the insecure delegations that it may cover. This allows for the
810	addition or removal of these delegations without recalculating or re-
811	signing RRs in the NSEC3 RR chain. However, Opt-Out NSEC3 RRs do
812	assert the (non)existence of other, authoritative RRSets.
813
814	An Opt-Out NSEC3 RR MAY have the same original owner name as an
815	insecure delegation. In this case, the delegation is proven insecure
816	by the lack of a DS bit in the type map and the signed NSEC3 RR does
817	assert the existence of the delegation.
818
819	Zones using Opt-Out MAY contain a mixture of Opt-Out NSEC3 RRs and
820	non-Opt-Out NSEC3 RRs. If an NSEC3 RR is not Opt-Out, there MUST NOT
821	be any hashed owner names of insecure delegations (nor any other RRs)
822	between it and the name indicated by the next hashed owner name in
823	the NSEC3 RDATA. If it is Opt-Out, it MUST only cover hashed owner
824	names or hashed "next closer" names of insecure delegations.
825
826	The effects of the Opt-Out flag on signing, serving, and validating
827	responses are covered in following sections.
828
829
830	7. Authoritative Server Considerations
831
832	7.1. Zone Signing
833
834	Zones using NSEC3 must satisfy the following properties:
835
836
837
838
839	Laurie, et al. Expires June 2, 2008 [Page 15]
840
841	Internet-Draft nsec3 November 2007
842
843
844	o Each owner name within the zone that owns authoritative RRSets
845	MUST have a corresponding NSEC3 RR. Owner names that correspond
846	to unsigned delegations MAY have a corresponding NSEC3 RR.
847	However, if there is not a corresponding NSEC3 RR, there MUST be
848	an Opt-Out NSEC3 RR that covers the "next closer" name to the
849	delegation. Other non-authoritative RRs are not represented by
850	NSEC3 RRs.
851
852	o Each empty non-terminal MUST have a corresponding NSEC3 RR, unless
853	the empty non-terminal is only derived from an insecure delegation
854	covered by an Opt-Out NSEC3 RR.
855
856	o The TTL value for any NSEC3 RR SHOULD be the same as the minimum
857	TTL value field in the zone SOA RR.
858
859	o The Type Bit Maps field of every NSEC3 RR in a signed zone MUST
860	indicate the presence of all types present at the original owner
861	name, except for the types solely contributed by an NSEC3 RR
862	itself. Note that this means that the NSEC3 type itself will
863	never be present in the Type Bit Maps.
864
865	The following steps describe a method of proper construction of NSEC3
866	RRs. This is not the only such possible method.
867
868	1. Select the hash algorithm and the values for salt and iterations.
869
870	2. For each unique original owner name in the zone add an NSEC3 RR.
871
872	* If Opt-Out is being used, owner names of unsigned delegations
873	MAY be excluded.
874
875	* The owner name of the NSEC3 RR is the hash of the original
876	owner name, prepended as a single label to the zone name.
877
878	* The Next Hashed Owner Name field is left blank for the moment.
879
880	* If Opt-Out is being used, set the Opt-Out bit to one.
881
882	* For collision detection purposes, optionally keep track of the
883	original owner name with the NSEC3 RR.
884
885	* Additionally, for collision detection purposes, optionally
886	create an additional NSEC3 RR corresponding to the original
887	owner name with the asterisk label prepended (i.e., as if a
888	wildcard existed as a child of this owner name) and keep track
889	of this original owner name. Mark this NSEC3 RR as temporary.
890
891
892
893
894
895	Laurie, et al. Expires June 2, 2008 [Page 16]
896
897	Internet-Draft nsec3 November 2007
898
899
900	3. For each RRSet at the original owner name, set the corresponding
901	bit in the Type Bit Maps field.
902
903	4. If the difference in number of labels between the apex and the
904	original owner name is greater than 1, additional NSEC3 RRs need
905	to be added for every empty non-terminal between the apex and the
906	original owner name. This process may generate NSEC3 RRs with
907	duplicate hashed owner names. Optionally, for collision
908	detection, track the original owner names of these NSEC3 RRs and
909	create temporary NSEC3 RRs for wildcard collisions in a similar
910	fashion to step 1.
911
912	5. Sort the set of NSEC3 RRs into hash order.
913
914	6. Combine NSEC3 RRs with identical hashed owner names by replacing
915	them with a single NSEC3 RR with the Type Bit Maps field
916	consisting of the union of the types represented by the set of
917	NSEC3 RRs. If the original owner name was tracked, then
918	collisions may be detected when combining, as all of the matching
919	NSEC3 RRs should have the same original owner name. Discard any
920	possible temporary NSEC3 RRs.
921
922	7. In each NSEC3 RR, insert the next hashed owner name by using the
923	value of the next NSEC3 RR in hash order. The next hashed owner
924	name of the last NSEC3 RR in the zone contains the value of the
925	hashed owner name of the first NSEC3 RR in the hash order.
926
927	8. Finally, add an NSEC3PARAM RR with the same Hash Algorithm,
928	Iterations and Salt fields to the zone apex.
929
930	If a hash collision is detected, then a new salt has to be chosen and
931	the signing process restarted.
932
933	7.2. Zone Serving
934
935	This specification modifies DNSSEC-enabled DNS responses generated by
936	authoritative servers. In particular, it replaces the use of NSEC
937	RRs in such responses with NSEC3 RRs.
938
939	In the following response cases, the NSEC RRs dictated by DNSSEC
940	[RFC4035] are replaced with NSEC3 RRs that prove the same facts.
941	Responses that would not contain NSEC RRs are unchanged by this
942	specification.
943
944	When returning responses containing multiple NSEC3 RRs, all of the
945	NSEC3 RRs MUST use the same hash algorithm, iteration, and salt
946	values. The Flags field value MUST be either zero or one.
947
948
949
950
951	Laurie, et al. Expires June 2, 2008 [Page 17]
952
953	Internet-Draft nsec3 November 2007
954
955
956	7.2.1. Closest Encloser Proof
957
958	For many NSEC3 responses a proof of the closest encloser is required.
959	This is a proof that some ancestor of the QNAME is the closest
960	encloser of QNAME.
961
962	This proof consists of (up to) two different NSEC3 RRs:
963
964	o An NSEC3 RR that matches the closest (provable) encloser.
965
966	o An NSEC3 RR that covers the "next closer" name to the closest
967	encloser.
968
969	The first NSEC3 RR essentially proposes a possible closest encloser,
970	and proves that the particular encloser does, in fact, exist. The
971	second NSEC3 RR proves that the possible closest encloser is the
972	closest, and proves that QNAME (and any ancestors between QNAME and
973	the closest encloser) do not exist.
974
975	These NSEC3 RRs are collectively referred to as the "closest encloser
976	proof" in the subsequent descriptions.
977
978	For example, the closest encloser proof for the nonexistent
979	"alpha.beta.gamma.example." owner name might prove that
980	"gamma.example." is the closest encloser. This response would
981	contain the NSEC3 RR that matches "gamma.example.", and would also
982	contain the NSEC3 RR that covers "beta.gamma.example." (which is the
983	"next closer" name.)
984
985	It is possible, when using Opt-Out (Section 6), to not be able to
986	prove the actual closest encloser because it is, or is part of an
987	insecure delegation covered by an Opt-Out span. In this case,
988	instead of proving the actual closest encloser, the closest provable
989	encloser is used. That is, the closest enclosing authoritative name
990	is used instead. In this case, the set of NSEC3 RRs used for this
991	proof is referred to as the "closest provable encloser proof."
992
993	7.2.2. Name Error Responses
994
995	To prove the nonexistence of QNAME a closest encloser proof and an
996	NSEC3 RR covering the (nonexistent) wildcard RR at the closest
997	encloser MUST be included in the response. This collection of (up
998	to) three NSEC3 RRs proves both that QNAME does not exist and that a
999	wildcard that could have matched QNAME also does not exist.
1000
1001	For example, if "gamma.example." is the closest provable encloser to
1002	QNAME, then a NSEC3 RR covering "*.gamma.example." is included in the
1003	authority section of the response.
1004
1005
1006
1007	Laurie, et al. Expires June 2, 2008 [Page 18]
1008
1009	Internet-Draft nsec3 November 2007
1010
1011
1012	7.2.3. No Data Responses, QTYPE is not DS
1013
1014	The server MUST include the NSEC3 RR that matches QNAME. This NSEC3
1015	RR MUST NOT have the bits corresponding to either the QTYPE or CNAME
1016	set in its Type Bit Maps field.
1017
1018	7.2.4. No Data Responses, QTYPE is DS
1019
1020	If there is an NSEC3 RR that matches QNAME, the server MUST return it
1021	in the response. The bits corresponding with DS and CNAME MUST NOT
1022	be set in the Type Bit Maps field of this NSEC3 RR.
1023
1024	If no NSEC3 RR matches QNAME, the server MUST return a closest
1025	provable encloser proof for QNAME. The NSEC3 RR that covers the
1026	"next closer" name MUST have the Opt-Out bit set (note that this is
1027	true by definition - if the Opt-Out bit is not set, something has
1028	gone wrong).
1029
1030	If a server is authoritative for both sides of a zone cut at QNAME,
1031	the server MUST return the proof from the parent side of the zone
1032	cut.
1033
1034	7.2.5. Wildcard No Data Responses
1035
1036	If there is a wildcard match for QNAME, but QTYPE is not present at
1037	that name, the response MUST include a closest encloser proof for
1038	QNAME and MUST include the NSEC3 RR that matches the wildcard. This
1039	combination proves both that QNAME itself does not exist and that a
1040	wildcard that matches QNAME does exist. Note that the closest
1041	encloser to QNAME MUST be the immediate ancestor of the wildcard RR
1042	(if this is not the case, then something has gone wrong).
1043
1044	7.2.6. Wildcard Answer Responses
1045
1046	If there is a wildcard match for QNAME and QTYPE, then, in addition
1047	to the expanded wildcard RRSet returned in the answer section of the
1048	response, proof that the wildcard match was valid must be returned.
1049
1050	This proof is accomplished by proving that both QNAME does not exist,
1051	and that the closest encloser of the QNAME and the immediate ancestor
1052	of the wildcard are the same (i.e., the correct wildcard matched).
1053
1054	To this end, the NSEC3 RR that covers the "next closer" name of the
1055	immediate ancestor of the wildcard MUST be returned. It is not
1056	necessary to return an NSEC3 RR that matches the closest encloser, as
1057	the existence of this closest encloser is proven by the presence of
1058	the expanded wildcard in the response.
1059
1060
1061
1062
1063	Laurie, et al. Expires June 2, 2008 [Page 19]
1064
1065	Internet-Draft nsec3 November 2007
1066
1067
1068	7.2.7. Referrals to Unsigned Subzones
1069
1070	If there is an NSEC3 RR that matches the delegation name, then that
1071	NSEC3 RR MUST be included in the response. The DS bit in the type
1072	bit maps of the NSEC3 RR MUST NOT be set.
1073
1074	If the zone is Opt-Out, then there may not be an NSEC3 RR
1075	corresponding to the delegation. In this case, the closest provable
1076	encloser proof MUST be included in the response. The included NSEC3
1077	RR that covers the "next closer" name for the delegation MUST have
1078	the Opt-Out flag set to one. (Note that this will be the case unless
1079	something has gone wrong).
1080
1081	7.2.8. Responding to Queries for NSEC3 Owner Names
1082
1083	The owner names of NSEC3 RRs are not represented in the NSEC3 RR
1084	chain like other owner names. As a result, each NSEC3 owner name is
1085	covered by another NSEC3 RR, effectively negating the existence of
1086	the NSEC3 RR. This is a paradox, since the existence of an NSEC3 RR
1087	can be proven by its RRSIG RRSet.
1088
1089	If the following conditions are all true:
1090
1091	o The QNAME equals the owner name of an existing NSEC3 RR, and
1092
1093	o No RR types exist at the QNAME, nor at any descendant of QNAME.
1094
1095	Then the response MUST be constructed as a Name Error response
1096	(Section 7.2.2). Or, in other words, the authoritative name server
1097	will act, as if the owner name of the NSEC3 RR did not exist.
1098
1099	Note that NSEC3 RRs are returned as a result of an AXFR or IXFR
1100	query.
1101
1102	7.2.9. Server Response to a Run-time Collision
1103
1104	If the hash of a non-existing QNAME collides with the owner name of