Domain Name System Security Extensions
RFC 2535
| Document | Type |
RFC - Proposed Standard
(March 1999; No errata)
Updated by RFC 3090, RFC 3658, RFC 3757, RFC 2931, RFC 3445, RFC 3226, RFC 3597, RFC 3845, RFC 3008, RFC 3007, RFC 3755, RFC 3655
Obsoletes RFC 2065
|
|
|---|---|---|---|
| Last updated | 2013-03-02 | ||
| Stream | IETF | ||
| Formats | plain text html pdf htmlized bibtex | ||
| Stream | WG state | (None) | |
| Document shepherd | No shepherd assigned | ||
| IESG | IESG state | RFC 2535 (Proposed Standard) | |
| Consensus Boilerplate | Unknown | ||
| Telechat date | |||
| Responsible AD | (None) | ||
| Send notices to | (None) | ||
Network Working Group D. Eastlake
Request for Comments: 2535 IBM
Obsoletes: 2065 March 1999
Updates: 2181, 1035, 1034
Category: Standards Track
Domain Name System Security Extensions
Status of this Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (1999). All Rights Reserved.
Abstract
Extensions to the Domain Name System (DNS) are described that provide
data integrity and authentication to security aware resolvers and
applications through the use of cryptographic digital signatures.
These digital signatures are included in secured zones as resource
records. Security can also be provided through non-security aware
DNS servers in some cases.
The extensions provide for the storage of authenticated public keys
in the DNS. This storage of keys can support general public key
distribution services as well as DNS security. The stored keys
enable security aware resolvers to learn the authenticating key of
zones in addition to those for which they are initially configured.
Keys associated with DNS names can be retrieved to support other
protocols. Provision is made for a variety of key types and
algorithms.
In addition, the security extensions provide for the optional
authentication of DNS protocol transactions and requests.
This document incorporates feedback on RFC 2065 from early
implementers and potential users.
Eastlake Standards Track [Page 1]
RFC 2535 DNS Security Extensions March 1999
Acknowledgments
The significant contributions and suggestions of the following
persons (in alphabetic order) to DNS security are gratefully
acknowledged:
James M. Galvin
John Gilmore
Olafur Gudmundsson
Charlie Kaufman
Edward Lewis
Thomas Narten
Radia J. Perlman
Jeffrey I. Schiller
Steven (Xunhua) Wang
Brian Wellington
Table of Contents
Abstract...................................................1
Acknowledgments............................................2
1. Overview of Contents....................................4
2. Overview of the DNS Extensions..........................5
2.1 Services Not Provided..................................5
2.2 Key Distribution.......................................5
2.3 Data Origin Authentication and Integrity...............6
2.3.1 The SIG Resource Record..............................7
2.3.2 Authenticating Name and Type Non-existence...........7
2.3.3 Special Considerations With Time-to-Live.............7
2.3.4 Special Considerations at Delegation Points..........8
2.3.5 Special Considerations with CNAME....................8
2.3.6 Signers Other Than The Zone..........................9
2.4 DNS Transaction and Request Authentication.............9
3. The KEY Resource Record................................10
3.1 KEY RDATA format......................................10
3.1.1 Object Types, DNS Names, and Keys...................11
3.1.2 The KEY RR Flag Field...............................11
3.1.3 The Protocol Octet..................................13
3.2 The KEY Algorithm Number Specification................14
3.3 Interaction of Flags, Algorithm, and Protocol Bytes...15
3.4 Determination of Zone Secure/Unsecured Status.........15
3.5 KEY RRs in the Construction of Responses..............17
4. The SIG Resource Record................................17
4.1 SIG RDATA Format......................................17
4.1.1 Type Covered Field..................................18
4.1.2 Algorithm Number Field..............................18
4.1.3 Labels Field........................................18
4.1.4 Original TTL Field..................................19
Eastlake Standards Track [Page 2]
RFC 2535 DNS Security Extensions March 1999
4.1.5 Signature Expiration and Inception Fields...........19
4.1.6 Key Tag Field.......................................20
4.1.7 Signer's Name Field.................................20
4.1.8 Signature Field.....................................20
4.1.8.1 Calculating Transaction and Request SIGs..........21
4.2 SIG RRs in the Construction of Responses..............21
4.3 Processing Responses and SIG RRs......................22
4.4 Signature Lifetime, Expiration, TTLs, and Validity....23
Show full document text