Domain Name System Security Extensions
RFC 2535

• Status
• IESG evaluation record
• IESG writeups
• Email expansions
• History

• Versions
• 07

Document	Type		RFC - Proposed Standard (March 1999; No errata) Obsoleted by RFC 4033, RFC 4035, RFC 4034 Updated by RFC 3445, RFC 2931, RFC 3008, RFC 3226, RFC 3090, RFC 3597, RFC 3007, RFC 3658, RFC 3757, RFC 3655, RFC 3755, RFC 3845 Obsoletes RFC 2065 Updates RFC 1034, RFC 1035, RFC 2181 Was draft-ietf-dnssec-secext2 (dnssec WG)
	Last updated		2013-03-02
	Stream		IETF
	Formats		plain text pdf html bibtex
Stream	WG state		(None)
	Document shepherd		No shepherd assigned
IESG	IESG state		RFC 2535 (Proposed Standard)
	Consensus Boilerplate		Unknown
	Telechat date
	Responsible AD		(None)
	Send notices to		(None)

Network Working Group                                         D. Eastlake
Request for Comments: 2535                                            IBM
Obsoletes: 2065                                                March 1999
Updates: 2181, 1035, 1034
Category: Standards Track

                 Domain Name System Security Extensions

Status of this Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (1999).  All Rights Reserved.

Abstract

   Extensions to the Domain Name System (DNS) are described that provide
   data integrity and authentication to security aware resolvers and
   applications through the use of cryptographic digital signatures.
   These digital signatures are included in secured zones as resource
   records.  Security can also be provided through non-security aware
   DNS servers in some cases.

   The extensions provide for the storage of authenticated public keys
   in the DNS.  This storage of keys can support general public key
   distribution services as well as DNS security.  The stored keys
   enable security aware resolvers to learn the authenticating key of
   zones in addition to those for which they are initially configured.
   Keys associated with DNS names can be retrieved to support other
   protocols.  Provision is made for a variety of key types and
   algorithms.

   In addition, the security extensions provide for the optional
   authentication of DNS protocol transactions and requests.

   This document incorporates feedback on RFC 2065 from early
   implementers and potential users.

Eastlake                    Standards Track                     [Page 1]
RFC 2535                DNS Security Extensions               March 1999

Acknowledgments

   The significant contributions and suggestions of the following
   persons (in alphabetic order) to DNS security are gratefully
   acknowledged:

      James M. Galvin
      John Gilmore
      Olafur Gudmundsson
      Charlie Kaufman
      Edward Lewis
      Thomas Narten
      Radia J. Perlman
      Jeffrey I. Schiller
      Steven (Xunhua) Wang
      Brian Wellington

Table of Contents

   Abstract...................................................1
   Acknowledgments............................................2
   1. Overview of Contents....................................4
   2. Overview of the DNS Extensions..........................5
   2.1 Services Not Provided..................................5
   2.2 Key Distribution.......................................5
   2.3 Data Origin Authentication and Integrity...............6
   2.3.1 The SIG Resource Record..............................7
   2.3.2 Authenticating Name and Type Non-existence...........7
   2.3.3 Special Considerations With Time-to-Live.............7
   2.3.4 Special Considerations at Delegation Points..........8
   2.3.5 Special Considerations with CNAME....................8
   2.3.6 Signers Other Than The Zone..........................9
   2.4 DNS Transaction and Request Authentication.............9
   3. The KEY Resource Record................................10
   3.1 KEY RDATA format......................................10
   3.1.1 Object Types, DNS Names, and Keys...................11
   3.1.2 The KEY RR Flag Field...............................11
   3.1.3 The Protocol Octet..................................13
   3.2 The KEY Algorithm Number Specification................14
   3.3 Interaction of Flags, Algorithm, and Protocol Bytes...15
   3.4 Determination of Zone Secure/Unsecured Status.........15
   3.5 KEY RRs in the Construction of Responses..............17
   4. The SIG Resource Record................................17
   4.1 SIG RDATA Format......................................17
   4.1.1 Type Covered Field..................................18
   4.1.2 Algorithm Number Field..............................18
   4.1.3 Labels Field........................................18
   4.1.4 Original TTL Field..................................19

Eastlake                    Standards Track                     [Page 2]
RFC 2535                DNS Security Extensions               March 1999

   4.1.5 Signature Expiration and Inception Fields...........19
   4.1.6 Key Tag Field.......................................20
   4.1.7 Signer's Name Field.................................20
   4.1.8 Signature Field.....................................20
   4.1.8.1 Calculating Transaction and Request SIGs..........21

Show full document text