datatracker.ietf.org

A Method for Storing IPsec Keying Material in DNS
RFC 4025

Document type: RFC - Proposed Standard (March 2005)
Document stream: IETF
Last updated: 2013-03-02
Other versions: plain text, pdf, html

IETF State: (None)
Consensus: Unknown
Document shepherd: No shepherd assigned

IESG State: RFC 4025 (Proposed Standard)
Responsible AD: Russ Housley
Send notices to: sra@hactrn.net, weiler@tislabs.com

Network Working Group                                      M. Richardson
Request for Comments: 4025                                           SSW
Category: Standards Track                                   February 2005

           A Method for Storing IPsec Keying Material in DNS

Status of This Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2005).

Abstract

   This document describes a new resource record for the Domain Name
   System (DNS).  This record may be used to store public keys for use
   in IP security (IPsec) systems.  The record also includes provisions
   for indicating what system should be contacted when an IPsec tunnel
   is established with the entity in question.

   This record replaces the functionality of the sub-type #4 of the KEY
   Resource Record, which has been obsoleted by RFC 3445.

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  2
       1.1.  Overview . . . . . . . . . . . . . . . . . . . . . . . .  2
       1.2.  Use of DNS Address-to-Name Maps (IN-ADDR.ARPA and
             IP6.ARPA)  . . . . . . . . . . . . . . . . . . . . . . .  3
       1.3.  Usage Criteria . . . . . . . . . . . . . . . . . . . . .  3
   2.  Storage Formats  . . . . . . . . . . . . . . . . . . . . . . .  3
       2.1.  IPSECKEY RDATA Format  . . . . . . . . . . . . . . . . .  3
       2.2.  RDATA Format - Precedence  . . . . . . . . . . . . . . .  4
       2.3.  RDATA Format - Gateway Type  . . . . . . . . . . . . . .  4
       2.4.  RDATA Format - Algorithm Type  . . . . . . . . . . . . .  4
       2.5.  RDATA Format - Gateway . . . . . . . . . . . . . . . . .  5
       2.6.  RDATA Format - Public Keys . . . . . . . . . . . . . . .  5
   3.  Presentation Formats . . . . . . . . . . . . . . . . . . . . .  6
       3.1.  Representation of IPSECKEY RRs . . . . . . . . . . . . .  6
       3.2.  Examples . . . . . . . . . . . . . . . . . . . . . . . .  6
   4.  Security Considerations  . . . . . . . . . . . . . . . . . . .  7

Richardson                  Standards Track                     [Page 1]
RFC 4025          Storing IPsec Keying Material in DNS     February 2005

       4.1.  Active Attacks Against Unsecured IPSECKEY Resource
             Records  . . . . . . . . . . . . . . . . . . . . . . . .  8
             4.1.1.  Active Attacks Against IPSECKEY Keying
                     Materials. . . . . . . . . . . . . . . . . . . .  8
             4.1.2.  Active Attacks Against IPSECKEY Gateway
                     Material. . . . . . . . . . . . . . . . . . . .   8
   5.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . .  9
   6.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 10
   7.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 10
       7.1.  Normative References . . . . . . . . . . . . . . . . . . 10
       7.2.  Informative References . . . . . . . . . . . . . . . . . 10
   Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 11
   Full Copyright Statement . . . . . . . . . . . . . . . . . . . . . 12

1.  Introduction

   Suppose a host wishes (or is required by policy) to establish an
   IPsec tunnel with some remote entity on the network prior to allowing
   normal communication to take place.  In many cases, this end system
   will be able to determine the DNS name for the remote entity (either
   by having the DNS name given explicitly, by performing a DNS PTR
   query for a particular IP address, or through some other means, e.g.,
   by extracting the DNS portion of a "user@FQDN" name for a remote
   entity).  In these cases, the host will need to obtain a public key
   to authenticate the remote entity, and may also need some guidance
   about whether it should contact the entity directly or use another
   node as a gateway to the target entity.  The IPSECKEY RR provides a
   mechanism for storing such information.

   The type number for the IPSECKEY RR is 45.

   This record replaces the functionality of the sub-type #4 of the KEY
   Resource Record, which has been obsoleted by RFC 3445 [11].

1.1.  Overview

   The IPSECKEY resource record (RR) is used to publish a public key
   that is to be associated with a Domain Name System (DNS) [1] name for
   use with the IPsec protocol suite.  This can be the public key of a
   host, network, or application (in the case of per-port keying).
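The following Python is an added example, not code from RFC 4025 or from any implementation it cites. It walks through the lookup the Introduction describes and the record this section introduces: building the reverse-map owner name for the PTR step, decoding IPSECKEY RDATA into its fields, rendering the presentation form, and choosing one record by precedence. The wire layout it decodes (one-octet precedence, gateway type and algorithm fields, then a gateway that is absent, an IPv4 address, an IPv6 address or an uncompressed wire-format domain name, then the public key bytes) is the one RFC 4025 section 2 defines, which goes beyond the excerpt shown here. The sample records and key bytes are constructed placeholders, and the `dnssec_validated` argument is this example's own device, prompted by the section 4.1 heading in the table of contents ("Active Attacks Against Unsecured IPSECKEY Resource Records").

```python
"""Added example (not RFC 4025's own code): decode IPSECKEY RDATA and pick a record.

Assumed wire layout, per RFC 4025 section 2 (not shown in this excerpt):
  precedence (1 octet) | gateway type (1 octet) | algorithm (1 octet) |
  gateway (none / 4-octet IPv4 / 16-octet IPv6 / wire-format name) | public key
"""
import base64
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

IPSECKEY_TYPE = 45  # RR type number stated in the Introduction

# Gateway type and algorithm code points assumed from RFC 4025 sections 2.3 and 2.4.
GATEWAY_NONE, GATEWAY_IPV4, GATEWAY_IPV6, GATEWAY_NAME = 0, 1, 2, 3
ALG_NONE, ALG_DSA, ALG_RSA = 0, 1, 2


def reverse_name(address: str) -> str:
    """Owner name for the PTR query the Introduction mentions (v4 or v6)."""
    return ipaddress.ip_address(address).reverse_pointer + "."


@dataclass
class IPSECKEY:
    precedence: int
    gateway_type: int
    algorithm: int
    gateway: Optional[str]  # None, an address string, or a domain name
    public_key: bytes


def _read_name(rdata: bytes, offset: int) -> tuple:
    """Decode an uncompressed RFC 1035 label sequence starting at offset."""
    labels = []
    while True:
        length = rdata[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointers are not permitted in RDATA")
        labels.append(rdata[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", offset


def parse_ipseckey(rdata: bytes) -> IPSECKEY:
    """Split IPSECKEY RDATA into fields, rejecting malformed input."""
    if len(rdata) < 3:
        raise ValueError("IPSECKEY RDATA shorter than its fixed header")
    precedence, gw_type, algorithm = struct.unpack("!BBB", rdata[:3])
    offset = 3
    if gw_type == GATEWAY_NONE:
        gateway = None
    elif gw_type == GATEWAY_IPV4:
        if len(rdata) < offset + 4:
            raise ValueError("truncated IPv4 gateway")
        gateway = str(ipaddress.IPv4Address(rdata[offset:offset + 4]))
        offset += 4
    elif gw_type == GATEWAY_IPV6:
        if len(rdata) < offset + 16:
            raise ValueError("truncated IPv6 gateway")
        gateway = str(ipaddress.IPv6Address(rdata[offset:offset + 16]))
        offset += 16
    elif gw_type == GATEWAY_NAME:
        gateway, offset = _read_name(rdata, offset)
    else:
        raise ValueError(f"unknown gateway type {gw_type}")
    if algorithm not in (ALG_NONE, ALG_DSA, ALG_RSA):
        raise ValueError(f"unknown algorithm {algorithm}")
    public_key = rdata[offset:]
    if algorithm == ALG_NONE and public_key:
        raise ValueError("algorithm 0 means no key, but key bytes are present")
    return IPSECKEY(precedence, gw_type, algorithm, gateway, public_key)


def to_presentation(rr: IPSECKEY) -> str:
    """Master-file form: precedence, gateway type, algorithm, gateway, base64 key."""
    gateway = "." if rr.gateway is None else rr.gateway
    key = base64.b64encode(rr.public_key).decode("ascii")
    return f"{rr.precedence} {rr.gateway_type} {rr.algorithm} {gateway} {key}"


def choose_record(records, dnssec_validated: bool) -> Optional[IPSECKEY]:
    """Lowest precedence value wins; unsigned answers are not acted on at all."""
    if not dnssec_validated:
        return None
    usable = [r for r in records if r.algorithm != ALG_NONE or r.gateway is not None]
    return min(usable, key=lambda r: r.precedence) if usable else None


# Constructed sample data: two records for one owner name, placeholder key bytes.
SAMPLE_KEY = bytes(range(1, 17))
SAMPLE_RDATA = [
    bytes([10, GATEWAY_IPV4, ALG_RSA]) + ipaddress.IPv4Address("192.0.2.38").packed + SAMPLE_KEY,
    bytes([20, GATEWAY_NAME, ALG_RSA]) + b"\x07gateway\x07example\x03com\x00" + SAMPLE_KEY,
]


def demo() -> Optional[IPSECKEY]:
    """Parse both constructed records and select the preferred one."""
    return choose_record([parse_ipseckey(rd) for rd in SAMPLE_RDATA], dnssec_validated=True)


if __name__ == "__main__":
    print(reverse_name("192.0.2.38"))
    for rd in SAMPLE_RDATA:
        print(to_presentation(parse_ipseckey(rd)))
    print(demo())
```

The record with precedence 10 is chosen over the one with precedence 20, and the same records passed with `dnssec_validated=False` yield nothing, so a resolver that cannot vouch for the answer never hands a key or gateway to the IPsec layer.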

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
