Network Working Group D. Massey
Request for Comments: 3445 USC/ISI
Updates: 2535 S. Rose
Category: Standards Track NIST
Limiting the Scope of the KEY Resource Record (RR)
Status of this Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright (C) The Internet Society (2002). All Rights Reserved.
This document limits the Domain Name System (DNS) KEY Resource Record
(RR) to only keys used by the Domain Name System Security Extensions
(DNSSEC). The original KEY RR used sub-typing to store both DNSSEC
keys and arbitrary application keys. Storing both DNSSEC and
application keys with the same record type is a mistake. This
document removes application keys from the KEY record by redefining
the Protocol Octet field in the KEY RR Data. As a result of removing
application keys, all but one of the flags in the KEY record become
unnecessary and are redefined. Three existing application key sub-
types are changed to reserved, but the format of the KEY record is
not changed. This document updates RFC 2535.
This document limits the scope of the KEY Resource Record (RR). The
KEY RR was defined in  and used resource record sub-typing to hold
arbitrary public keys such as Email, IPSEC, DNSSEC, and TLS keys.
This document eliminates the existing Email, IPSEC, and TLS sub-types
and prohibits the introduction of new sub-types. DNSSEC will be the
only allowable sub-type for the KEY RR (hence sub-typing is
essentially eliminated) and all but one of the KEY RR flags are also
Massey & Rose Standards Track [Page 1]RFC 3445 Limiting the KEY Resource Record (RR) December 2002
Section 2 presents the motivation for restricting the KEY record and
Section 3 defines the revised KEY RR. Sections 4 and 5 summarize the
changes from RFC 2535 and discuss backwards compatibility. It is
important to note that this document restricts the use of the KEY RR
and simplifies the flags, but does not change the definition or use
of DNSSEC keys.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 .
2. Motivation for Restricting the KEY RR
The KEY RR RDATA  consists of Flags, a Protocol Octet, an
Algorithm type, and a Public Key. The Protocol Octet identifies the
KEY RR sub-type. DNSSEC public keys are stored in the KEY RR using a
Protocol Octet value of 3. Email, IPSEC, and TLS keys were also
stored in the KEY RR and used Protocol Octet values of 1,2, and 4
(respectively). Protocol Octet values 5-254 were available for
assignment by IANA and values were requested (but not assigned) for
applications such as SSH.
Any use of sub-typing has inherent limitations. A resolver can not
specify the desired sub-type in a DNS query and most DNS operations
apply only to resource records sets. For example, a resolver can not
directly request the DNSSEC subtype KEY RRs. Instead, the resolver
has to request all KEY RRs associated with a DNS name and then search
the set for the desired DNSSEC sub-type. DNSSEC signatures also
apply to the set of all KEY RRs associated with the DNS name,
regardless of sub-type.
In the case of the KEY RR, the inherent sub-type limitations are
exacerbated since the sub-type is used to distinguish between DNSSEC
keys and application keys. DNSSEC keys and application keys differ
in virtually every respect and Section 2.1 discusses these
differences in more detail. Combining these very different types of
keys into a single sub-typed resource record adds unnecessary
complexity and increases the potential for implementation and
deployment errors. Limited experimental deployment has shown that
application keys stored in KEY RRs are problematic.
This document addresses these issues by removing all application keys
from the KEY RR. Note that the scope of this document is strictly