1.1 Scope of the System
As envisaged, the signing system sits between a private master nameserver and a public master. The system receives data from the private master, signs it, and sends the signed data to the public master.
The scope of this document covers the first phase of development, a system that will be able to sign whole zones. It does not cover the intended subsequent phase that will allow for incremental zone updates.
2. Requirements for 1.0.0
2.1 Basic Requirements
- The system MUST be able to deal with configurations containing zero or more zones.
- The system MUST be able to handle zone sizes ranging from a few RRs to millions of RRs.
- The system MUST accept zone data in the form of a zone file in standard presentation format.
- The system MUST output signed zone data as a zone file in standard presentation format.
- The system SHOULD be able to send a notify command to the local nameserver upon changed output signed zones.
- The system MUST be able to accept input zone data via an AXFR:
  - The system MUST be able to request an AXFR from an authoritative server.
  - The system MUST be able to process NOTIFY messages received from an authoritative server.
- In the case of AXFR transfers, the system MUST support TSIG authentication with the upstream authoritative server.
- The system MUST NOT depend on the BIND tools for signing.
2.2 Normal Operations
- A start-up script SHOULD be supplied that allows the software to be started when the system starts up.
- The system MUST be able to drop privileges upon start up.
- It MUST be possible to shutdown all long-running software cleanly.
- If the software is not cleanly shut down, it MUST be possible to restart it with no loss of data.
Note: if this proves difficult or impossible to implement automatically, it is allowable for written instructions to be supplied describing how to recover manually from a failure.
- It MUST be possible to specify a list of zones to be signed.
- It MUST be possible to specify a policy for each zone that specifies how the zone should be signed.
- Sensible default values MUST be provided for all configuration parameters.
Note: This is likely to be in the form of a default policy.
- For each zone, at intervals specified by the policy, the system MUST retrieve the zone data, sign it, and output the signed zone.
- It MUST be possible for an operator to manually sign a zone.
Note: this may be done for various reasons, e.g. a zone has changed and the change must be propagated as soon as possible.
- It MUST be possible to update the policies and zone data without taking the system down.
- syslog() MUST be used as the logging mechanism.
- The choice of which operations to log SHOULD be configurable.
- The syslog() facility under which messages are logged SHOULD be configurable.
- Components of the system should use the following log levels:
  - Info - for informational messages. (System has worked, this is possibly useful information.)
  - Warning - for warning messages. (System has worked, but this condition was sufficiently unusual to remark upon.)
  - Error - for error messages. (System has encountered a problem.)
  - Alert - for messages where the operator needs to be notified immediately.
Note: if something goes wrong, the system might log multiple error messages as a result. However, only one alert message is required.
- All errors MUST be logged.
2.3 Signing Process
2.3.1 Signing Policy
- The system MUST sign each zone according to a pre-defined policy. (This determines parameters such as signing interval, key length, signature lifetime etc.)
- It MUST be possible for each zone to have its own policy.
- The policy for the zone MUST allow values for the following signing parameters to be set:
  - Inception offset. (This is the time before the present at which the signatures first become valid. It allows for clock skew, a difference in times between two systems on a network.)
  - The signature re-sign interval. (This is the interval at which the Signer runs.)
  - The signature refresh interval. The Signer will reuse a signature until it has this amount of time remaining in its validity period; after that, a new signature is generated.
  - The default signature validity period of RRSIGs. (Note: this is the time from signing for which the records are valid.)
  - Jitter. (Note: This is a value, uniformly distributed between zero and some maximum, added to the signature validity period to prevent all the records' signatures expiring at once.)
  - The TTL for DNSKEY records. (Note: this is the TTL for the DNSKEY records generated by the system. It also overrides the TTL associated with any DNSKEY records in the input file, as all DNSKEY records in an RRset should have the same TTL.)
  - Signature scheme:
    - RSA/SHA1 MUST be supported for signatures.
    - RSA/SHA-256 MUST be supported for signatures.
    - RSA/SHA-512 MUST be supported for signatures.
- The policy MUST allow a choice of authenticated denial scheme:
  - NSEC MUST be supported.
  - NSEC3 without opt-out MUST be supported.
  - NSEC3 with opt-out MUST be supported.
- The policy for the zone SHOULD allow values for the following to be set:
  - The signature lifetime of the RRSIG for NSEC/NSEC3 records.
Note: If not specified, the signature lifetime of NSEC/NSEC3 records should be that of other RRSIG records in the zone.
  - The parameters for the NSEC3PARAM record: hash algorithm, flags, iterations and salt.
  - The parameters for the SOA record: serial, minimum, ttl.
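The following is an added worked example of how the timing parameters above (inception offset, re-sign interval, refresh interval, validity period and jitter) interact; it is not code from the Signer project specified here. The field names, the sample policy values and the simulation are assumptions chosen for the illustration.

```python
"""Worked example of the RRSIG timing parameters set by a signing policy.

Added illustration; not the Signer's own code. Field names and sample
policy values are assumptions for the example. Times are integer seconds.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SigningPolicy:
    inception_offset: int  # inception is set this far before signing time (clock-skew allowance)
    resign_interval: int   # period at which the signer runs
    refresh: int           # re-sign once less than this much validity remains
    validity: int          # default RRSIG validity period, counted from signing time
    jitter: int            # upper bound of a uniform random extension of the validity period


@dataclass(frozen=True)
class Rrsig:
    inception: int
    expiration: int

    def valid_at(self, t: int) -> bool:
        return self.inception <= t <= self.expiration


def sign(policy: SigningPolicy, now: int, rng: random.Random) -> Rrsig:
    """Derive one signature's validity window from the policy."""
    extra = rng.randint(0, policy.jitter) if policy.jitter > 0 else 0
    return Rrsig(inception=now - policy.inception_offset,
                 expiration=now + policy.validity + extra)


def needs_refresh(policy: SigningPolicy, sig: Rrsig, now: int) -> bool:
    """The signer reuses a signature until less than `refresh` seconds of validity remain."""
    return sig.expiration - now < policy.refresh


def simulate(policy: SigningPolicy, start: int, runs: int, seed: int = 0):
    """Run the signer `runs` times over one RRset.

    Returns (signatures produced, index of the first run at which the current
    signature had already expired, or None). An expiry between runs means the
    policy lets a served signature lapse, which validators would treat as bogus.
    """
    rng = random.Random(seed)
    sig = sign(policy, start, rng)
    produced = [sig]
    for run in range(1, runs + 1):
        now = start + run * policy.resign_interval
        if not sig.valid_at(now):
            return produced, run
        if needs_refresh(policy, sig, now):
            sig = sign(policy, now, rng)
            produced.append(sig)
    return produced, None


# Constructed sample policy: sign every 2 hours, 14-day signatures refreshed
# 3 days before expiry, up to 12 hours of jitter, 1 hour of clock-skew allowance.
SAMPLE = SigningPolicy(inception_offset=3600, resign_interval=2 * 3600,
                       refresh=3 * 86400, validity=14 * 86400, jitter=12 * 3600)

if __name__ == "__main__":
    sigs, expired = simulate(SAMPLE, start=0, runs=30 * 12)  # 30 days of runs
    for s in sigs:
        print(f"inception={s.inception:>8} expiration={s.expiration:>8} "
              f"lifetime={(s.expiration - s.inception) / 86400:.2f} days")
    print("expired between runs:", expired)
```

With the sample policy, a 30-day simulation produces the initial signature plus two refreshes, each generated roughly eleven days after the previous one (validity minus refresh, stretched by the jitter), and no signature ever lapses between runs. Shrinking the refresh interval below the re-sign interval is the classic misconfiguration: the simulation then reports the run at which the zone would have served an expired signature.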
2.3.2 Signing Process
- The signer MUST discard all DNSSEC RRs (except DNSKEY RRs) from the input data.
Note: DNSKEY RRs may be in the input zone file if the zone is in the process of moving between DNS operators.
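As an added example for the authenticated-denial choices in the signing policy (NSEC3 with and without opt-out) and the NSEC3PARAM parameters, the block below hashes owner names as RFC 5155 section 5 specifies, builds the NSEC3 chain both ways, and shows what a validator can conclude from each chain. It is not the Signer's own code; the zone contents are constructed, and the salt and iteration count are the ones used in the RFC 5155 Appendix A example zone.

```python
"""NSEC3 hashing and chain construction, with and without opt-out (RFC 5155).

Added illustration; not the Signer's own code. The zone below is constructed
and has no empty non-terminals, which a real signer must also hash.
"""
import hashlib

_B32HEX = "0123456789abcdefghijklmnopqrstuv"


def base32hex(data: bytes) -> str:
    """Base32 with the Extended Hex alphabet (RFC 4648 section 7), lower case, unpadded."""
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % 5)
    return "".join(_B32HEX[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5))


def wire_name(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-case, length-prefixed labels, root terminator."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """H(name): SHA-1 over (name || salt), then `iterations` more rounds over (digest || salt)."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)


def nsec3_chain(names, unsigned_delegations, salt, iterations, opt_out):
    """Build the chain as a sorted list of (hashed owner, next hashed owner, flags).

    Without opt-out every name is hashed and linked. With opt-out, delegations
    that have no DS record are left out and every NSEC3 carries the Opt-Out flag
    (bit value 1), telling validators that unsigned delegations may exist in the
    span it covers.
    """
    covered = [n for n in names if not (opt_out and n in unsigned_delegations)]
    hashed = sorted(nsec3_hash(n, salt, iterations) for n in covered)
    flags = 1 if opt_out else 0
    return [(h, hashed[(i + 1) % len(hashed)], flags) for i, h in enumerate(hashed)]


def classify(chain, name, salt, iterations):
    """What the chain proves about a name: 'exists', 'nxdomain' or 'opt-out'.

    'opt-out' means the covering span carries the Opt-Out flag, so the name may
    be an unsigned delegation: the chain proves nothing secure about it.
    """
    h = nsec3_hash(name, salt, iterations)
    for owner, nxt, flags in chain:
        if h == owner:
            return "exists"
        wraps = nxt <= owner  # the last record points back to the first
        if (owner < h < nxt) or (wraps and (h > owner or h < nxt)):
            return "opt-out" if flags & 1 else "nxdomain"
    raise ValueError("chain is not closed")


# Constructed zone: apex, two signed names and one delegation without a DS record.
ZONE_NAMES = ["example.", "a.example.", "ns1.example.", "unsigned.example."]
UNSIGNED_DELEGATIONS = {"unsigned.example."}
SALT = bytes.fromhex("aabbccdd")
ITERATIONS = 12

if __name__ == "__main__":
    for opt_out in (False, True):
        chain = nsec3_chain(ZONE_NAMES, UNSIGNED_DELEGATIONS, SALT, ITERATIONS, opt_out)
        print(f"opt-out={opt_out}: {len(chain)} NSEC3 records")
        for owner, nxt, flags in chain:
            print(f"  {owner} -> {nxt} flags={flags}")
        for q in ("a.example.", "unsigned.example.", "nonexistent.example."):
            print(f"  {q}: {classify(chain, q, SALT, ITERATIONS)}")
```

The opt-out chain is one record shorter, and a query for the unsigned delegation (or for any name that does not exist) lands in a span whose Opt-Out flag is set, so a validator gets an insecure answer rather than a proven NXDOMAIN. That is the trade-off the policy choice encodes: fewer records to sign and serve, at the price of weaker denial for everything in opted-out spans.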
2.4 Key Management
2.4.1 Key Generation
- The system MUST generate keys as required according to the policy for the zone.
- The system MUST allow additional keys to be manually generated by the operator.
- The policy for the zone MUST allow the following key parameters to be set:
  - The key algorithm:
    - RSA MUST be supported as a key algorithm.
    - RSA key lengths between 1024 and 4096 bits MUST be supported.
- The system MUST have an option that will not allow keys to be used until they have been backed up.
Note: this means that there must be some way of notifying the system that the backup has been done.
2.4.2 Key Storage
- All access to key material MUST be via the PKCS#11 API.
Note: This requirement is to allow use of any compliant HSM.
- The system MUST be capable of working with multiple PKCS#11 providers simultaneously.
Note: this is to allow migration to new HSMs as the old ones reach the end of their life.
- If multiple PKCS#11 providers are in use:
  - It MUST be possible to select which provider to use for new KSKs.
  - It MUST be possible to select which provider to use for new ZSKs.
  - The system MUST be able to access all existing keys, regardless of which connected provider they are stored in.
2.4.3 Key Rollovers
- The system MUST be able to roll ZSKs automatically with no operator intervention.
- The rolling of the keys MUST be done according to the algorithm in draft-morris-dnsop-dnssec-key-timing (or its successor documents). In particular, it MUST be possible to roll a ZSK without requiring multiple signatures per RRset.
- It MUST be possible to manually roll the ZSK for a zone.
- It MUST be possible to manually roll the KSK for a zone.
- The system MUST be able to supply a DS record or a DNSKEY RR for every KSK.
- Where the KSK rolling process removes a key from the zone, the system SHOULD cause the generation of a notification that the corresponding DS record be removed from the parent zone.
- The system MUST be able to supply the operator with an advance warning of the production of a new KSK for a zone if such notifications are enabled.
Note: this requirement aids installations where the generation of a KSK is a manual operation.
- The production of a new KSK for a zone SHOULD be notified to the operator if such notifications are enabled.
Note: this requirement aids installations where the passing of trust anchor information to an external organisation is a manual operation.
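The following added example works through the pre-publication ZSK rollover, the method from draft-morris-dnsop-dnssec-key-timing (later published as RFC 7583) that lets a ZSK roll with a single signature per RRset, as the requirement above demands. It is not the Signer's own code; the field names and the sample TTL and delay values are assumptions, and the interval formulas follow RFC 7583 section 3.2.1.

```python
"""Pre-publication ZSK rollover timeline (RFC 7583 section 3.2.1).

Added illustration; not the Signer's own code. Field names and sample values
are assumptions. Times are integer seconds.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ZoneTiming:
    dnskey_ttl: int   # TTLkey: TTL of the DNSKEY RRset
    max_sig_ttl: int  # TTLsig: largest TTL of any RRset the ZSK signs
    propagation: int  # Dprp: time for a new zone version to reach every secondary
    signing: int      # Dsgn: time the signer needs to re-sign the whole zone


@dataclass(frozen=True)
class Rollover:
    publish: int   # Tpub: new DNSKEY is added to the zone but does not sign yet
    activate: int  # Tact: new ZSK starts signing; the old ZSK retires at the same instant
    remove: int    # Trem: old DNSKEY is removed from the zone


def pre_publish_rollover(t: ZoneTiming, activate_at: int) -> Rollover:
    """Earliest safe timeline around the chosen activation time."""
    ipub = t.propagation + t.dnskey_ttl               # every cache can hold the new DNSKEY
    iret = t.signing + t.propagation + t.max_sig_ttl  # every cached old-key RRSIG has aged out
    return Rollover(publish=activate_at - ipub, activate=activate_at, remove=activate_at + iret)


def zone_state(r: Rollover, now: int, old_key: str, new_key: str):
    """(DNSKEYs published, key whose signatures are in the zone) at time `now`.

    Exactly one key signs at any moment, so no RRset ever carries two signatures."""
    published = []
    if now < r.remove:
        published.append(old_key)
    if now >= r.publish:
        published.append(new_key)
    signer = old_key if now < r.activate else new_key
    return published, signer


def check_rollover(r: Rollover, t: ZoneTiming) -> list:
    """Validator's-eye checks on a timeline.

    A resolver may hold a DNSKEY RRset fetched up to dnskey_ttl ago from a
    secondary lagging by `propagation`, and an RRSIG up to max_sig_ttl ago;
    both cached views must still verify against a published key."""
    problems = []
    oldest_dnskey_view = r.activate - t.dnskey_ttl - t.propagation
    if oldest_dnskey_view < r.publish:
        problems.append("new ZSK may sign before all caches hold its DNSKEY")
    last_old_sig_in_cache = r.activate + t.signing + t.propagation + t.max_sig_ttl
    if r.remove < last_old_sig_in_cache:
        problems.append("old DNSKEY removed while its RRSIGs can still be cached")
    return problems


# Constructed sample: 1-hour DNSKEY TTL, 1-day maximum signed TTL, 30-minute
# propagation, 10-minute signing run; activate the new key at t = 1 week.
SAMPLE_TIMING = ZoneTiming(dnskey_ttl=3600, max_sig_ttl=86400, propagation=1800, signing=600)
SAMPLE_ROLLOVER = pre_publish_rollover(SAMPLE_TIMING, activate_at=7 * 86400)

if __name__ == "__main__":
    r = SAMPLE_ROLLOVER
    for label, when in (("before publish", r.publish - 1), ("published", r.publish),
                        ("active", r.activate), ("removed", r.remove)):
        print(f"{label:>14} t={when:>7}: {zone_state(r, when, 'ZSK-old', 'ZSK-new')}")
    print("problems:", check_rollover(r, SAMPLE_TIMING) or "none")
```

With the sample values the new key is published 90 minutes before it starts signing and the old key stays in the DNSKEY RRset for a further 24 hours and 40 minutes, which is why the DNSKEY TTL and the largest signed TTL are the parameters that dominate rollover duration. The check function flags a timeline whose publish or remove times are rushed, the situation in which validators would see signatures they cannot verify.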
2.5 Integrity Requirements
Since the loading of incorrect DNSSEC data into a zone could have serious consequences, e.g. a zone being perceived as bogus, the system must take steps to verify that the data it is outputting is correct.
- The system SHOULD have an independent check that the output zone data is correct.
Note: This is handled by the KASP Auditor, which has its own set of requirements.
2.6 Performance Requirements
For large zones, or for large numbers of small zones, it is important that the signing is completed in a reasonable time. The figures given here are an estimate of acceptable performance, and need to be refined.
- With appropriate hardware, it SHOULD be possible to sign a one-million name zone in one hour.
Note: Verification is not included in this time period.
2.7 Standards Conformance
- The signatures created by the system and operation of the system MUST conform to the following standards:
  - RFC 4033
  - RFC 4034
  - RFC 4035
  - RFC 5155
  - RFC 5702
2. Requirements for 1.1.0
- The Signer SHOULD be able to sign RRs with multiple threads.
- With appropriate hardware (8GB RAM), it MUST be possible to sign a zone of 5M names, 10M NS records and 25000 glue records, using NSEC3 with opt-out, in 30 minutes.
- The system MUST handle 50,000 zones. (Please add more information)
- A newly added zone MUST be signed as soon as possible.
Note: A newly added zone must be prioritized.
2.2 Hooks and commands
- It MUST be possible to select an auditor program that will be used by the Signer.
- It MUST be possible to configure a command that will accept the zone name and the current set of keys that should be at the parent. This is used for sending the DS and/or DNSKEY RR to the parent.
- There MUST be a way of notifying the system that the current set of KSKs has been sent to the parent.
- There MUST be a way of notifying the system that a particular DS RR has been seen at the parent.
- It MUST be possible to configure the auditing level.
- The system MUST only save the private key object, in order to save space in the provider (and to improve performance).
- The system SHOULD have a per-provider flag, indicating whether the security module needs to be activated before starting the system.
3. Requirements for 2.0.0
3.1 Basic Requirements
- The system SHOULD be able to output signed zone data via an AXFR:
  - The system SHOULD be able to send the data as an AXFR in response to a request from a slave server.
  - The system SHOULD be able to send NOTIFY messages to all configured slave servers when new zone data is available.
- In the case of AXFR transfers, the system MUST support TSIG authentication with the downstream authoritative server.
3.2 Normal Operations
- A utility to check the policy for consistency SHOULD be provided:
  - It MUST be possible to run the utility independently of the rest of the system.
  - The utility (or a variant) MUST be run automatically before the policy is loaded into the database.
  - The utility SHOULD compare parameter values against the limits for that parameter and warn when the value lies outside the allowable range.
  - The utility SHOULD check the values of all the parameters and warn if the combination is inconsistent.
  - The utility SHOULD check the values of all the parameters and check that they form a policy that conforms to accepted practice.
Note: In practice, this means checking that the policy is not obviously absurd.
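As an added example of the three kinds of check the policy utility above is asked to make (range limits, inconsistent combinations, and conformance to accepted practice), the block below validates a small policy record. It is not the Signer's own code; the policy fields, the sample policies and the consistency rules are assumptions chosen for the example, except that the key-size range comes from the key generation requirements in this document and the NSEC3 iteration limits from RFC 5155 section 10.3.

```python
"""Policy consistency checks of the kind the 2.0.0 requirements describe.

Added illustration; not the Signer's own code. Fields, sample values and the
rules are assumptions, apart from the cited key-size range and RFC 5155 limits.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    resign_interval: int   # seconds between signer runs
    refresh: int           # re-sign when less validity than this remains
    validity: int          # RRSIG validity period from signing time
    jitter: int            # maximum random extension of the validity period
    inception_offset: int  # inception set this far before signing time
    key_bits: int          # RSA key length
    denial: str            # "NSEC", "NSEC3" or "NSEC3-OPTOUT"
    nsec3_iterations: int
    nsec3_salt_len: int


# RFC 5155 section 10.3: largest iteration count a validator must accept, by key size.
MAX_NSEC3_ITERATIONS = {1024: 150, 2048: 500, 4096: 2500}
DENIAL_SCHEMES = {"NSEC", "NSEC3", "NSEC3-OPTOUT"}


def max_iterations_for(key_bits: int) -> int:
    """Rule used here (an assumption): apply the limit of the smallest listed
    key size that is not smaller than the key."""
    for bits in sorted(MAX_NSEC3_ITERATIONS):
        if key_bits <= bits:
            return MAX_NSEC3_ITERATIONS[bits]
    return MAX_NSEC3_ITERATIONS[max(MAX_NSEC3_ITERATIONS)]


def check_policy(p: Policy) -> list:
    """Return (severity, message) findings; an empty list means the policy passed."""
    findings = []
    # Individual parameters against their allowed ranges.
    if not 1024 <= p.key_bits <= 4096:
        findings.append(("error", f"key length {p.key_bits} outside 1024..4096 bits"))
    if p.denial not in DENIAL_SCHEMES:
        findings.append(("error", f"unknown denial scheme {p.denial!r}"))
    if p.nsec3_salt_len > 255:
        findings.append(("error", "NSEC3 salt longer than 255 octets cannot be encoded"))
    for name in ("resign_interval", "refresh", "validity"):
        if getattr(p, name) <= 0:
            findings.append(("error", f"{name} must be positive"))
    # Combinations of parameters.
    if p.refresh <= p.resign_interval:
        findings.append(("error", "refresh interval not larger than re-sign interval: "
                                  "a signature can expire between two signer runs"))
    if p.validity <= p.refresh:
        findings.append(("error", "validity not larger than refresh: every run re-signs everything"))
    if p.jitter >= p.validity:
        findings.append(("warning", "jitter as large as the validity period makes lifetimes unpredictable"))
    if p.inception_offset > 86400:
        findings.append(("warning", "inception offset over one day is far beyond normal clock skew"))
    # Accepted practice: NSEC3 iteration count must stay verifiable for this key size.
    if p.denial.startswith("NSEC3") and p.nsec3_iterations > max_iterations_for(p.key_bits):
        findings.append(("warning", f"{p.nsec3_iterations} NSEC3 iterations exceed the RFC 5155 limit "
                                    f"of {max_iterations_for(p.key_bits)} for {p.key_bits}-bit keys"))
    return findings


# Constructed sample policies: one reasonable, one obviously absurd.
SANE = Policy(resign_interval=7200, refresh=3 * 86400, validity=14 * 86400, jitter=12 * 3600,
              inception_offset=3600, key_bits=2048, denial="NSEC3-OPTOUT",
              nsec3_iterations=5, nsec3_salt_len=4)
ABSURD = Policy(resign_interval=86400, refresh=3600, validity=3000, jitter=0,
                inception_offset=0, key_bits=512, denial="NSEC3",
                nsec3_iterations=1000, nsec3_salt_len=4)

if __name__ == "__main__":
    for label, pol in (("sane", SANE), ("absurd", ABSURD)):
        print(label, check_policy(pol) or "ok")
```

The absurd policy trips three errors (a 512-bit key, a refresh interval shorter than the re-sign interval, and a validity period shorter than the refresh interval) and one accepted-practice warning for an NSEC3 iteration count no validator is required to honour. Running a check like this before a policy reaches the database is what keeps a typo in one number from producing a zone that validators reject.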
- The system SHOULD have a GUI that simplifies the configuration process.
Note: the GUI will be specified in a separate document.
- The system SHOULD have an alternative method (e.g. email) of notifying the operator of urgent conditions.
- The signer MUST channel all traffic to providers through a session proxy, which keeps open a single session.
- The signer MUST support PKCS#11 standard external authentication pads, to replace a filesystem-stored PIN.
- The Signer MUST be able to sign RRs with multiple threads.
3.7 Standards Conformance
- The signatures created by the system and operation of the system MUST conform to the following standards:
  - RFC 5011