datatracker.ietf.org
Sign in
Version 5.9.0, 2014-12-18
Report a bug

Generic Security Service Algorithm for Secret Key Transaction Authentication for DNS (GSS-TSIG)
RFC 3645

Document type: RFC - Proposed Standard (October 2003; No errata)
Updates RFC 2845
Document stream: IETF
Last updated: 2013-03-02
Other versions: plain text, pdf, html

IETF State: (None)
Consensus: Unknown
Document shepherd: No shepherd assigned

IESG State: RFC 3645 (Proposed Standard)
Responsible AD: Erik Nordmark
IESG Note: published.
Send notices to: <ogud@ogud.com>, <okolkman@ripe.net>

Network Working Group                                            S. Kwan
Request for Comments: 3645                                       P. Garg
Updates: 2845                                                  J. Gilroy
Category: Standards Track                                      L. Esibov
                                                             J. Westhead
                                                         Microsoft Corp.
                                                                 R. Hall
                                                     Lucent Technologies
                                                            October 2003

                 Generic Security Service Algorithm for
        Secret Key Transaction Authentication for DNS (GSS-TSIG)

Status of this Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2003).  All Rights Reserved.

Abstract

   The Secret Key Transaction Authentication for DNS (TSIG) protocol
   provides transaction level authentication for DNS.  TSIG is
   extensible through the definition of new algorithms.  This document
   specifies an algorithm based on the Generic Security Service
   Application Program Interface (GSS-API) (RFC2743).  This document
   updates RFC 2845.

Kwan, et al.                Standards Track                     [Page 1]
RFC 3645                        GSS-TSIG                    October 2003

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  2
   2.  Algorithm Overview . . . . . . . . . . . . . . . . . . . . . .  3
       2.1.  GSS Details. . . . . . . . . . . . . . . . . . . . . . .  4
       2.2.  Modifications to the TSIG protocol (RFC 2845). . . . . .  4
   3.  Client Protocol Details. . . . . . . . . . . . . . . . . . . .  5
       3.1.  Negotiating Context. . . . . . . . . . . . . . . . . . .  5
           3.1.1.  Call GSS_Init_sec_context. . . . . . . . . . . . .  6
           3.1.2.  Send TKEY Query to Server. . . . . . . . . . . . .  8
           3.1.3.  Receive TKEY Query-Response from Server. . . . . .  8
       3.2.  Context Established. . . . . . . . . . . . . . . . . . . 11
           3.2.1.  Terminating a Context. . . . . . . . . . . . . . . 11
   4.  Server Protocol Details. . . . . . . . . . . . . . . . . . . . 12
       4.1.  Negotiating Context. . . . . . . . . . . . . . . . . . . 12
           4.1.1.  Receive TKEY Query from Client . . . . . . . . . . 12
           4.1.2.  Call GSS_Accept_sec_context. . . . . . . . . . . . 12
           4.1.3.  Send TKEY Query-Response to Client . . . . . . . . 13
       4.2.  Context Established. . . . . . . . . . . . . . . . . . . 15
           4.2.1.  Terminating a Context. . . . . . . . . . . . . . . 15
   5.  Sending and Verifying Signed Messages. . . . . . . . . . . . . 15
       5.1.  Sending a Signed Message - Call GSS_GetMIC . . . . . . . 15
       5.2.  Verifying a Signed Message - Call GSS_VerifyMIC. . . . . 16
   6.  Example usage of GSS-TSIG algorithm. . . . . . . . . . . . . . 18
   7.  Security Considerations. . . . . . . . . . . . . . . . . . . . 22
   8.  IANA Considerations. . . . . . . . . . . . . . . . . . . . . . 22
   9.  Conformance. . . . . . . . . . . . . . . . . . . . . . . . . . 22
   10. Intellectual Property Statement. . . . . . . . . . . . . . . . 23
   11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 23
   12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 24
       12.1.  Normative References. . . . . . . . . . . . . . . . . . 24
       12.2.  Informative References. . . . . . . . . . . . . . . . . 24
   13. Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 25
   14. Full Copyright Statement . . . . . . . . . . . . . . . . . . . 26

1.  Introduction

   The Secret Key Transaction Authentication for DNS (TSIG) [RFC2845]
   protocol was developed to provide a lightweight authentication and
   integrity of messages between two DNS entities, such as client and
   server or server and server.  TSIG can be used to protect dynamic
   update messages, authenticate regular message or to off-load
   complicated DNSSEC [RFC2535] processing from a client to a server and
   still allow the client to be assured of the integrity of the answers.

Kwan, et al.                Standards Track                     [Page 2]
RFC 3645                        GSS-TSIG                    October 2003

[include full document text]