Domain Name System Security Extensions
RFC 2065

 
Document Type RFC - Proposed Standard (January 1997; No errata)
Obsoleted by RFC 2535
Last updated 2013-03-02
Stream IETF
IESG state RFC 2065 (Proposed Standard)
Network Working Group                                   D. Eastlake, 3rd
Request for Comments: 2065                                     CyberCash
Updates: 1034, 1035                                           C. Kaufman
Category: Standards Track                                           Iris
                                                            January 1997

                 Domain Name System Security Extensions

Status of this Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Abstract

   The Domain Name System (DNS) has become a critical operational part
   of the Internet infrastructure, yet it has no strong security
   mechanisms to assure data integrity or authentication.  Extensions to
   the DNS are described that provide these services to security-aware
   resolvers or applications through the use of cryptographic digital
   signatures.  These digital signatures are included in secured zones
   as resource records.  In many cases security can still be provided
   even when the data passes through non-security-aware DNS servers.

   The extensions also provide for the storage of authenticated public
   keys in the DNS.  This storage of keys can support a general public-
   key distribution service as well as DNS security.  The stored keys
   enable security-aware resolvers to learn the authenticating keys of
   zones in addition to those for which they are initially configured.
   Keys associated with DNS names can be retrieved to support other
   protocols.  Provision is made for a variety of key types and
   algorithms.

   In addition, the security extensions provide for the optional
   authentication of DNS protocol transactions.
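   The abstract's central mechanism is the signature carried as a
   resource record.  The following is an added illustration, not text or
   code from RFC 2065 or from any DNS implementation: it assumes the SIG
   RDATA layout of section 4.1 of the RFC (not reproduced on this page),
   builds a SIG RDATA from constructed sample values, parses it back, and
   applies the validity-window and TTL-capping rules a verifying resolver
   needs.

```python
import struct

# SIG RDATA layout of RFC 2065 section 4.1 (assumed here; that section is
# not reproduced on this page):
#   type covered(2) | algorithm(1) | labels(1) | original TTL(4) |
#   signature expiration(4) | time signed(4) | key footprint(2) |
#   signer's name (uncompressed wire form) | signature (rest of RDATA)
SIG_FIXED = struct.Struct("!HBBIIIH")
TYPE_A = 1          # RR type code for A
ALG_MD5_RSA = 1     # RFC 2065 algorithm number for MD5/RSA

def encode_name(name):
    """Dotted name -> uncompressed, length-prefixed DNS labels."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_name(data, off):
    labels = []
    while data[off]:
        n = data[off]
        labels.append(data[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels) + ".", off + 1

def build_sig_rdata(type_covered, labels, original_ttl, expiration,
                    time_signed, footprint, signer, signature, alg=ALG_MD5_RSA):
    head = SIG_FIXED.pack(type_covered, alg, labels, original_ttl,
                          expiration, time_signed, footprint)
    return head + encode_name(signer) + signature

def parse_sig_rdata(rdata):
    f = SIG_FIXED.unpack_from(rdata, 0)
    signer, off = decode_name(rdata, SIG_FIXED.size)
    return {"type_covered": f[0], "algorithm": f[1], "labels": f[2],
            "original_ttl": f[3], "expiration": f[4], "time_signed": f[5],
            "footprint": f[6], "signer": signer, "signature": rdata[off:]}

def sig_is_current(sig, now):
    """A SIG may be relied on only from its time-signed instant until its
    expiration (both unsigned 32-bit seconds since 1970-01-01 UTC)."""
    return sig["time_signed"] <= now < sig["expiration"]

def effective_ttl(sig, rr_ttl, now):
    """A cached signed RR must not outlive the SIG covering it: the usable
    TTL is capped by the original TTL and by the time left before expiry."""
    return max(0, min(rr_ttl, sig["original_ttl"], sig["expiration"] - now))

# Constructed sample: a SIG over the A RRset of "example.", signed at T,
# valid for one day, with a placeholder 8-byte signature.
T = 1_000_000_000
SAMPLE_SIG = build_sig_rdata(TYPE_A, 1, 3600, T + 86400, T, 0x1234,
                             "example.", b"\x00" * 8)
```

   The signature bytes themselves are a placeholder; checking them
   requires the signer's KEY RR and the MD5/RSA computation of section
   4.1.2, which this example does not perform.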

Eastlake & Kaufman          Standards Track                     [Page 1]
RFC 2065                DNS Security Extensions             January 1997

Acknowledgments

   The significant contributions of the following persons (in alphabetic
   order) to this document are gratefully acknowledged:

           Harald T. Alvestrand
           Madelyn Badger
           Scott Bradner
           Matt Crawford
           James M. Galvin
           Olafur Gudmundsson
           Edie Gunter
           Sandy Murphy
           Masataka Ohta
           Michael A. Patton
           Jeffrey I. Schiller

Table of Contents

   1. Overview of Contents....................................3
   2. Overview of the DNS Extensions..........................4
   2.1 Services Not Provided..................................4
   2.2 Key Distribution.......................................5
   2.3 Data Origin Authentication and Integrity...............5
   2.3.1 The SIG Resource Record..............................6
   2.3.2 Authenticating Name and Type Non-existence...........7
   2.3.3 Special Considerations With Time-to-Live.............7
   2.3.4 Special Considerations at Delegation Points..........7
   2.3.5 Special Considerations with CNAME RRs................8
   2.3.6 Signers Other Than The Zone..........................8
   2.4 DNS Transaction and Request Authentication.............8
   3. The KEY Resource Record.................................9
   3.1 KEY RDATA format......................................10
   3.2 Object Types, DNS Names, and Keys.....................10
   3.3 The KEY RR Flag Field.................................11
   3.4 The Protocol Octet....................................13
   3.5 The KEY Algorithm Number and the MD5/RSA Algorithm....13
   3.6 Interaction of Flags, Algorithm, and Protocol Bytes...14
   3.7 KEY RRs in the Construction of Responses..............15
   3.8 File Representation of KEY RRs........................16
   4. The SIG Resource Record................................16
   4.1 SIG RDATA Format......................................17
   4.1.1 Signature Data......................................19
   4.1.2 MD5/RSA Algorithm Signature Calculation.............20
   4.1.3 Zone Transfer (AXFR) SIG............................21
   4.1.4 Transaction and Request SIGs........................22
   4.2 SIG RRs in the Construction of Responses..............23
   4.3 Processing Responses and SIG RRs......................24
   4.4 Signature Expiration, TTLs, and Validity..............24
   4.5 File Representation of SIG RRs........................25
   5. Non-existent Names and Types...........................26
   5.1 The NXT Resource Record...............................26