Domain Name System Security Extensions
RFC 2535
| Section | Field | Value |
|---|---|---|
| Document | Type | RFC - Proposed Standard (March 1999; No errata) |
| | | Updated by RFC 3090, RFC 3597, RFC 2931, RFC 3445, RFC 3226, RFC 3845, RFC 3755, RFC 3658, RFC 3008, RFC 3757, RFC 3007, RFC 3655 |
| | | Obsoletes RFC 2065 |
| | Last updated | 2013-03-02 |
| | Stream | IETF |
| | Formats | plain text, pdf, htmlized, bibtex |
| Stream | WG state | (None) |
| | Document shepherd | No shepherd assigned |
| IESG | IESG state | RFC 2535 (Proposed Standard) |
| | Consensus Boilerplate | Unknown |
| | Telechat date | |
| | Responsible AD | (None) |
| | Send notices to | (None) |
Network Working Group                                        D. Eastlake
Request for Comments: 2535                                           IBM
Obsoletes: 2065                                               March 1999
Updates: 2181, 1035, 1034
Category: Standards Track

                Domain Name System Security Extensions

Status of this Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements. Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol. Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (1999). All Rights Reserved.

Abstract

   Extensions to the Domain Name System (DNS) are described that provide
   data integrity and authentication to security aware resolvers and
   applications through the use of cryptographic digital signatures.
   These digital signatures are included in secured zones as resource
   records. Security can also be provided through non-security aware
   DNS servers in some cases.

   The extensions provide for the storage of authenticated public keys
   in the DNS. This storage of keys can support general public key
   distribution services as well as DNS security. The stored keys enable
   security aware resolvers to learn the authenticating key of zones in
   addition to those for which they are initially configured. Keys
   associated with DNS names can be retrieved to support other
   protocols. Provision is made for a variety of key types and
   algorithms.

   In addition, the security extensions provide for the optional
   authentication of DNS protocol transactions and requests.

   This document incorporates feedback on RFC 2065 from early
   implementers and potential users.

Eastlake                    Standards Track                     [Page 1]

RFC 2535                  DNS Security Extensions             March 1999

Acknowledgments

   The significant contributions and suggestions of the following
   persons (in alphabetic order) to DNS security are gratefully
   acknowledged:

         James M. Galvin
         John Gilmore
         Olafur Gudmundsson
         Charlie Kaufman
         Edward Lewis
         Thomas Narten
         Radia J. Perlman
         Jeffrey I. Schiller
         Steven (Xunhua) Wang
         Brian Wellington

Table of Contents

   Abstract...................................................1
   Acknowledgments............................................2
   1. Overview of Contents....................................4
   2. Overview of the DNS Extensions..........................5
   2.1 Services Not Provided..................................5
   2.2 Key Distribution.......................................5
   2.3 Data Origin Authentication and Integrity...............6
   2.3.1 The SIG Resource Record..............................7
   2.3.2 Authenticating Name and Type Non-existence...........7
   2.3.3 Special Considerations With Time-to-Live.............7
   2.3.4 Special Considerations at Delegation Points..........8
   2.3.5 Special Considerations with CNAME....................8
   2.3.6 Signers Other Than The Zone..........................9
   2.4 DNS Transaction and Request Authentication.............9
   3. The KEY Resource Record................................10
   3.1 KEY RDATA format......................................10
   3.1.1 Object Types, DNS Names, and Keys...................11
   3.1.2 The KEY RR Flag Field...............................11
   3.1.3 The Protocol Octet..................................13
   3.2 The KEY Algorithm Number Specification................14
   3.3 Interaction of Flags, Algorithm, and Protocol Bytes...15
   3.4 Determination of Zone Secure/Unsecured Status.........15
   3.5 KEY RRs in the Construction of Responses..............17
   4. The SIG Resource Record................................17
   4.1 SIG RDATA Format......................................17
   4.1.1 Type Covered Field..................................18
   4.1.2 Algorithm Number Field..............................18
   4.1.3 Labels Field........................................18
   4.1.4 Original TTL Field..................................19
   4.1.5 Signature Expiration and Inception Fields...........19
   4.1.6 Key Tag Field.......................................20
   4.1.7 Signer's Name Field.................................20
   4.1.8 Signature Field.....................................20
   4.1.8.1 Calculating Transaction and Request SIGs..........21
   4.2 SIG RRs in the Construction of Responses..............21
   4.3 Processing Responses and SIG RRs......................22
   4.4 Signature Lifetime, Expiration, TTLs, and Validity....23