Network Working Group D. Eastlake 3rd
Request for Comments: 4635 Motorola Laboratories
Category: Standards Track August 2006
HMAC SHA TSIG Algorithm Identifiers
Status of This Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2006).
Abstract
Use of the Domain Name System TSIG resource record requires
specification of a cryptographic message authentication code.
Currently, identifiers have been specified only for HMAC MD5 (Hashed
Message Authentication Code, Message Digest 5) and GSS (Generic
Security Service) TSIG algorithms. This document standardizes
identifiers and implementation requirements for additional HMAC SHA
(Secure Hash Algorithm) TSIG algorithms and standardizes how to
specify and handle the truncation of HMAC values in TSIG.
Table of Contents
1. Introduction ....................................................2
2. Algorithms and Identifiers ......................................2
3. Specifying Truncation ...........................................3
3.1. Truncation Specification ...................................4
4. TSIG Truncation Policy and Error Provisions .....................4
5. IANA Considerations .............................................5
6. Security Considerations .........................................5
7. Normative References ............................................6
8. Informative References ..........................................7
Eastlake 3rd Standards Track [Page 1]
RFC 4635 HMAC SHA TSIG Algorithm Identifiers August 2006
1. Introduction
[RFC2845] specifies a TSIG Resource Record (RR) that can be used to
authenticate DNS (Domain Name System [STD13]) queries and responses.
This RR contains a domain name syntax data item that names the
authentication algorithm used. [RFC2845] defines the
HMAC-MD5.SIG-ALG.REG.INT name for authentication codes using the HMAC
(Hashed Message Authentication Code) [RFC2104] algorithm with the MD5
(Message Digest 5) [RFC1321] hash algorithm. IANA has also
registered "gss-tsig" as an identifier for TSIG authentication where
the cryptographic operations are delegated to the Generic Security
Service (GSS) [RFC3645].
Note that use of TSIG presumes prior agreement, between the resolver
and server involved, as to the algorithm and key to be used.
In Section 2, this document specifies additional names for TSIG
authentication algorithms based on US NIST SHA (United States,
National Institute of Science and Technology, Secure Hash Algorithm)
algorithms and HMAC and specifies the implementation requirements for
those algorithms.
In Section 3, this document specifies the effect of inequality
between the normal output size of the specified hash function and the
length of MAC (Message Authentication Code) data given in the TSIG
RR. In particular, it specifies that a shorter-length field value
specifies truncation and that a longer-length field is an error.
In Section 4, policy restrictions and implications related to
truncation are described and specified, as is a new error code to
indicate truncation shorter than that permitted by policy.
The key words "MUST", "MUST NOT", "SHOULD", "SHOULD NOT", and "MAY" in
this document are to be interpreted as described in [RFC2119].
2. Algorithms and Identifiers
TSIG Resource Records (RRs) [RFC2845] are used to authenticate DNS
queries and responses. They are intended to be efficient symmetric
authentication codes based on a shared secret. (Asymmetric
signatures can be provided using the SIG RR [RFC2931]. In
particular, SIG(0) can be used for transaction signatures.) Used
with a strong hash function, HMAC [RFC2104] provides a way to
calculate such symmetric authentication codes. The only specified
HMAC-based TSIG algorithm identifier has been HMAC-MD5.SIG-
ALG.REG.INT, based on MD5 [RFC1321].
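The following Python sketch is an added example, not text or code from RFC 4635: it ties together the HMAC-based TSIG MAC computation discussed in this section with the length rules summarized in the Introduction (a MAC field shorter than the hash output means truncation, a longer one is an error, and truncation below a local policy floor is a distinct error). The algorithm-name table, the result strings, the sample key and data, and the default policy floor (the larger of 80 bits and half the hash output) are assumptions of the example; the real TSIG RR wire format and the error code assigned by the RFC are not reproduced here.

```python
import hashlib
import hmac

# Hash function behind each TSIG algorithm name.  The MD5 name is the one
# RFC 2845 defines; the SHA names are the HMAC SHA identifiers registered
# by RFC 4635 (assumed here; the excerpt above only reaches SHA-1).
TSIG_HASHES = {
    "hmac-md5.sig-alg.reg.int": hashlib.md5,
    "hmac-sha1": hashlib.sha1,
    "hmac-sha256": hashlib.sha256,
}


def hash_for(algorithm):
    """Resolve a TSIG algorithm name (case-insensitive, optional trailing dot)."""
    name = algorithm.lower().rstrip(".")
    if name not in TSIG_HASHES:
        raise ValueError("unknown TSIG algorithm: " + algorithm)
    return TSIG_HASHES[name]


def compute_mac(algorithm, key, data, out_len=None):
    """HMAC over the TSIG signing data; out_len keeps only a leading prefix
    (that is, a truncated MAC as described in the Introduction)."""
    full = hmac.new(key, data, hash_for(algorithm)).digest()
    return full if out_len is None else full[:out_len]


def verify_mac(algorithm, key, data, received, min_bits=None):
    """Classify a received MAC field against the locally computed HMAC.

    min_bits is the local truncation policy floor.  The default used here,
    max(80 bits, half the hash output), is this example's assumption.
    """
    full_len = hash_for(algorithm)().digest_size
    if min_bits is None:
        min_bits = max(80, full_len * 8 // 2)
    # A MAC field longer than the hash output is an error, never padding.
    if len(received) > full_len:
        return "error-longer-than-hash-output"
    # A shorter field means truncation, which policy may refuse.
    if len(received) * 8 < min_bits:
        return "error-truncated-below-policy"
    # Compare only the prefix the sender kept, in constant time.
    expected = compute_mac(algorithm, key, data, len(received))
    if not hmac.compare_digest(expected, received):
        return "error-mac-mismatch"
    return "ok" if len(received) == full_len else "ok-truncated"


# Constructed sample inputs; a real key would be a shared random secret.
KEY = b"constructed-shared-secret"
DATA = b"constructed TSIG signing data"

if __name__ == "__main__":
    mac = compute_mac("hmac-sha1", KEY, DATA)
    print("full:", verify_mac("hmac-sha1", KEY, DATA, mac))
    print("80-bit:", verify_mac("hmac-sha1", KEY, DATA, mac[:10]))
    print("72-bit:", verify_mac("hmac-sha1", KEY, DATA, mac[:9]))
    print("too long:", verify_mac("hmac-sha1", KEY, DATA, mac + b"\x00"))
```

A receiver implementing the RFC would map these result strings onto the TSIG error field; the important property shown is that the length of the received MAC field, not a separate flag, decides whether the comparison is over the full digest or a prefix, and that the length check happens before any secret-dependent comparison.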
The use of SHA-1 [FIPS180-2, RFC3174], which is a 160-bit hash, as