Storage of Diffie-Hellman Keys in the Domain Name System (DNS)
RFC 2539
Document | Type |
RFC - Proposed Standard
(March 1999; No errata)
Updated by RFC 6944
|
|
---|---|---|---|
Last updated | 2013-03-02 | ||
Stream | IETF | ||
Formats | plain text html pdf htmlized bibtex | ||
Stream | WG state | (None) | |
Document shepherd | No shepherd assigned | ||
IESG | IESG state | RFC 2539 (Proposed Standard) | |
Consensus Boilerplate | Unknown | ||
Telechat date | |||
Responsible AD | (None) | ||
Send notices to | (None) |
Network Working Group D. Eastlake Request for Comments: 2539 IBM Category: Standards Track March 1999 Storage of Diffie-Hellman Keys in the Domain Name System (DNS) Status of this Memo This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited. Copyright Notice Copyright (C) The Internet Society (1999). All Rights Reserved. Abstract A standard method for storing Diffie-Hellman keys in the Domain Name System is described which utilizes DNS KEY resource records. Acknowledgements Part of the format for Diffie-Hellman keys and the description thereof was taken from a work in progress by: Ashar Aziz <ashar.aziz@eng.sun.com> Tom Markson <markson@incog.com> Hemma Prafullchandra <hemma@eng.sun.com> In addition, the following person provided useful comments that have been incorporated: Ran Atkinson <rja@inet.org> Thomas Narten <narten@raleigh.ibm.com> Eastlake Standards Track [Page 1] RFC 2539 Diffie-Hellman Keys in the DNS March 1999 Table of Contents Abstract...................................................1 Acknowledgements...........................................1 1. Introduction............................................2 1.1 About This Document....................................2 1.2 About Diffie-Hellman...................................2 2. Diffie-Hellman KEY Resource Records.....................3 3. Performance Considerations..............................4 4. IANA Considerations.....................................4 5. Security Considerations.................................4 References.................................................5 Author's Address...........................................5 Appendix A: Well known prime/generator pairs...............6 A.1. Well-Known Group 1: A 768 bit prime..................6 A.2. Well-Known Group 2: A 1024 bit prime.................6 Full Copyright Notice......................................7 1. Introduction The Domain Name System (DNS) is the current global hierarchical replicated distributed database system for Internet addressing, mail proxy, and similar information. The DNS has been extended to include digital signatures and cryptographic keys as described in [RFC 2535]. Thus the DNS can now be used for secure key distribution. 1.1 About This Document This document describes how to store Diffie-Hellman keys in the DNS. Familiarity with the Diffie-Hellman key exchange algorithm is assumed [Schneier]. 1.2 About Diffie-Hellman Diffie-Hellman requires two parties to interact to derive keying information which can then be used for authentication. Since DNS SIG RRs are primarily used as stored authenticators of zone information for many different resolvers, no Diffie-Hellman algorithm SIG RR is defined. For example, assume that two parties have local secrets "i" and "j". Assume they each respectively calculate X and Y as follows: X = g**i ( mod p ) Y = g**j ( mod p ) They exchange these quantities and then each calculates a Z as follows: Zi = Y**i ( mod p ) Zj = X**j ( mod p ) Eastlake Standards Track [Page 2] RFC 2539 Diffie-Hellman Keys in the DNS March 1999 shared secret between the two parties that an adversary who does not know i or j will not be able to learn from the exchanged messages (unless the adversary can derive i or j by performing a discrete logarithm mod p which is hard for strong p and g). The private key for each party is their secret i (or j). The public key is the pair p and g, which must be the same for the parties, and their individual X (or Y). 2. Diffie-Hellman KEY Resource Records Diffie-Hellman keys are stored in the DNS as KEY RRs using algorithm number 2. The structure of the RDATA portion of this RR is as shown below. The first 4 octets, including the flags, protocol, and algorithm fields are common to all KEY RRs as described in [RFC 2535]. The remainder, from prime length through public value is the "public key" part of the KEY RR. The period of key validity is not in the KEY RR but is indicated by the SIG RR(s) which signs and authenticates the KEY RR(s) at that domain name. 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+Show full document text