DNS Request and Transaction Signatures ( SIG(0)s )
RFC 2931

Document type: RFC - Proposed Standard (September 2000)
Updates RFC 2535
Document stream: IETF
Last updated: 2013-03-02

Network Working Group                                    D. Eastlake 3rd
Request for Comments: 2931                                      Motorola
Updates: 2535                                             September 2000
Category: Standards Track

           DNS Request and Transaction Signatures ( SIG(0)s )

Status of this Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2000).  All Rights Reserved.

Abstract

   Extensions to the Domain Name System (DNS) are described in [RFC
   2535] that can provide data origin and transaction integrity and
   authentication to security aware resolvers and applications through
   the use of cryptographic digital signatures.

   Implementation experience has indicated the need for minor but non-
   interoperable changes in Request and Transaction signature resource
   records ( SIG(0)s ).  These changes are documented herein.

Acknowledgments

   The contributions and suggestions of the following persons (in
   alphabetic order) to this memo are gratefully acknowledged:

         Olafur Gudmundsson

         Ed Lewis

         Erik Nordmark

         Brian Wellington

Eastlake                    Standards Track                     [Page 1]
RFC 2931                       DNS SIG(0)                 September 2000

Table of Contents

   1. Introduction.................................................  2
   2. SIG(0) Design Rationale......................................  3
   2.1 Transaction Authentication..................................  3
   2.2 Request Authentication......................................  3
   2.3 Keying......................................................  3
   2.4 Differences Between TSIG and SIG(0).........................  4
   3. The SIG(0) Resource Record...................................  4
   3.1 Calculating Request and Transaction SIGs....................  5
   3.2 Processing Responses and SIG(0) RRs.........................  6
   3.3 SIG(0) Lifetime and Expiration..............................  7
   4. Security Considerations......................................  7
   5. IANA Considerations..........................................  7
   References......................................................  7
   Author's Address................................................  8
   Appendix: SIG(0) Changes from RFC 2535..........................  9
   Full Copyright Statement........................................ 10

1. Introduction

   This document makes minor but non-interoperable changes to part of
   [RFC 2535], familiarity with which is assumed, and includes
   additional explanatory text.  These changes concern SIG Resource
   Records (RRs) that are used to digitally sign DNS requests and
   transactions / responses.  Such a resource record, because it has a
   type covered field of zero, is frequently called a SIG(0). The
   changes are based on implementation and attempted implementation
   experience with TSIG [RFC 2845] and the [RFC 2535] specification for
   SIG(0).

   Sections of [RFC 2535] updated are all of 4.1.8.1 and parts of 4.2
   and 4.3.  No changes are made herein related to the KEY or NXT RRs or
   to the processing involved with data origin and denial authentication
   for DNS data.
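   The introduction identifies a SIG(0) purely by the "type covered" field
   of the SIG RR being zero.  The following parser, added here as an
   illustration and not part of RFC 2931 or any reference implementation,
   decodes the RDATA of a SIG RR using the field layout defined in
   [RFC 2535] (type covered, algorithm, labels, original TTL, signature
   expiration, signature inception, key tag, signer's name, signature) and
   classifies the record as a SIG(0) or a regular data SIG.  The sample
   RDATA bytes, the key tag and the signature value are constructed for the
   example; the signer's name is assumed to be uncompressed.

```python
import struct

# Fixed-size prefix of SIG RDATA per RFC 2535 section 4.1:
#   type covered (2), algorithm (1), labels (1), original TTL (4),
#   signature expiration (4), signature inception (4), key tag (2)
_SIG_FIXED = struct.Struct("!HBBIIIH")


def parse_name(buf, offset):
    """Decode an uncompressed DNS name starting at buf[offset].

    Returns (name_as_text, offset_after_name).  Compression pointers are
    rejected because this example only handles the uncompressed form.
    """
    labels = []
    while True:
        if offset >= len(buf):
            raise ValueError("truncated signer name")
        length = buf[offset]
        offset += 1
        if length == 0:
            break
        if length >= 0xC0:
            raise ValueError("compressed signer name not supported here")
        labels.append(buf[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", offset


def parse_sig_rdata(rdata):
    """Parse SIG RR RDATA into a dict of its fields."""
    if len(rdata) < _SIG_FIXED.size:
        raise ValueError("SIG RDATA too short")
    (type_covered, algorithm, labels, original_ttl,
     expiration, inception, key_tag) = _SIG_FIXED.unpack(rdata[:_SIG_FIXED.size])
    signer, offset = parse_name(rdata, _SIG_FIXED.size)
    return {
        "type_covered": type_covered,
        "algorithm": algorithm,
        "labels": labels,
        "original_ttl": original_ttl,
        "expiration": expiration,
        "inception": inception,
        "key_tag": key_tag,
        "signer": signer,
        "signature": rdata[offset:],   # opaque; verified with the signer's KEY
    }


def is_sig0(rdata):
    """True when the SIG RR covers type 0, i.e. it is a request/transaction SIG."""
    return parse_sig_rdata(rdata)["type_covered"] == 0


def build_sig_rdata(type_covered, signer_name, signature,
                    algorithm=5, labels=0, original_ttl=0,
                    expiration=946685100, inception=946684800, key_tag=12345):
    """Construct sample SIG RDATA (constructed values, for illustration only)."""
    wire_name = b"".join(
        bytes([len(part)]) + part.encode("ascii")
        for part in signer_name.rstrip(".").split(".")
    ) + b"\x00"
    return (_SIG_FIXED.pack(type_covered, algorithm, labels, original_ttl,
                            expiration, inception, key_tag)
            + wire_name + signature)


# Constructed samples: a SIG(0) and a regular SIG covering type A (1).
SAMPLE_SIG0_RDATA = build_sig_rdata(0, "example.com.", b"\x01\x02\x03")
SAMPLE_DATA_SIG_RDATA = build_sig_rdata(1, "example.com.", b"\x04\x05\x06")

if __name__ == "__main__":
    for name, rdata in (("sig0", SAMPLE_SIG0_RDATA), ("data", SAMPLE_DATA_SIG_RDATA)):
        fields = parse_sig_rdata(rdata)
        print(name, "SIG(0)" if is_sig0(rdata) else "data SIG", fields["signer"])
```

   Note that the parser only classifies the record; the signature field
   still has to be verified against the signer's KEY RR, and the
   expiration/inception window checked, before anything in the message
   is trusted.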

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC 2119].


2. SIG(0) Design Rationale

   SIG(0) provides protection for DNS transactions and requests that is
   not provided by the regular SIG, KEY, and NXT RRs specified in [RFC
   2535].  The authenticated data origin services of secure DNS either
   provide protected data resource records (RRs) or authenticatably deny
   their existence.  These services provide no protection for glue
   records or DNS requests, no protection for message headers on requests
   or responses, and no protection of the overall integrity of a
   response.

2.1 Transaction Authentication

   Transaction authentication means that a requester can be sure it is
