RFC 4034 - Resource Records for the DNS Security Extensions

Resource Records for the DNS Security Extensions
RFC 4034

Versions
11


Document	Type	RFC - Proposed Standard (March 2005; Errata) Updated by RFC 6840, RFC 6014, RFC 4470, RFC 6944 Obsoletes RFC 2535, RFC 3090, RFC 3658, RFC 3445, RFC 3845, RFC 3008, RFC 3757, RFC 3755, RFC 3655 Updates RFC 3597, RFC 3226, RFC 2136, RFC 1034, RFC 1035, RFC 2181, RFC 2308, RFC 3007, RFC 3225 Was draft-ietf-dnsext-dnssec-records (dnsext WG)
	Last updated	2018-12-20
	Stream	IETF
	Formats	plain text pdf htmlized with errata bibtex
Stream	WG state	(None)
	Document shepherd	No shepherd assigned
IESG	IESG state	RFC 4034 (Proposed Standard)
	Consensus Boilerplate	Unknown
	Telechat date
	Responsible AD	Thomas Narten
	Send notices to	olaf@ripe.net

Email authors Email WG IPR 3 References Referenced by Nits

Network Working Group                                          R. Arends
Request for Comments: 4034                          Telematica Instituut
Obsoletes: 2535, 3008, 3090, 3445, 3655, 3658,                R. Austein
           3755, 3757, 3845                                          ISC
Updates: 1034, 1035, 2136, 2181, 2308, 3225,                   M. Larson
         3007, 3597, 3226                                       VeriSign
Category: Standards Track                                      D. Massey
                                               Colorado State University
                                                                 S. Rose
                                                                    NIST
                                                              March 2005

            Resource Records for the DNS Security Extensions

Status of This Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2005).

Abstract

   This document is part of a family of documents that describe the DNS
   Security Extensions (DNSSEC).  The DNS Security Extensions are a
   collection of resource records and protocol modifications that
   provide source authentication for the DNS.  This document defines the
   public key (DNSKEY), delegation signer (DS), resource record digital
   signature (RRSIG), and authenticated denial of existence (NSEC)
   resource records.  The purpose and format of each resource record is
   described in detail, and an example of each resource record is given.

   This document obsoletes RFC 2535 and incorporates changes from all
   updates to RFC 2535.

Arends, et al.              Standards Track                     [Page 1]
RFC 4034                DNSSEC Resource Records               March 2005

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . .  3
       1.1.  Background and Related Documents . . . . . . . . . . .  3
       1.2.  Reserved Words . . . . . . . . . . . . . . . . . . . .  3
   2.  The DNSKEY Resource Record . . . . . . . . . . . . . . . . .  4
       2.1.  DNSKEY RDATA Wire Format . . . . . . . . . . . . . . .  4
             2.1.1.  The Flags Field. . . . . . . . . . . . . . . .  4
             2.1.2.  The Protocol Field . . . . . . . . . . . . . .  5
             2.1.3.  The Algorithm Field. . . . . . . . . . . . . .  5
             2.1.4.  The Public Key Field . . . . . . . . . . . . .  5
             2.1.5.  Notes on DNSKEY RDATA Design . . . . . . . . .  5
       2.2.  The DNSKEY RR Presentation Format. . . . . . . . . . .  5
       2.3.  DNSKEY RR Example  . . . . . . . . . . . . . . . . . .  6
   3.  The RRSIG Resource Record  . . . . . . . . . . . . . . . . .  6
       3.1.  RRSIG RDATA Wire Format. . . . . . . . . . . . . . . .  7
             3.1.1.  The Type Covered Field . . . . . . . . . . . .  7
             3.1.2.  The Algorithm Number Field . . . . . . . . . .  8
             3.1.3.  The Labels Field . . . . . . . . . . . . . . .  8
             3.1.4.  Original TTL Field . . . . . . . . . . . . . .  8
             3.1.5.  Signature Expiration and Inception Fields. . .  9
             3.1.6.  The Key Tag Field. . . . . . . . . . . . . . .  9
             3.1.7.  The Signer's Name Field. . . . . . . . . . . .  9
             3.1.8.  The Signature Field. . . . . . . . . . . . . .  9
       3.2.  The RRSIG RR Presentation Format . . . . . . . . . . . 10
       3.3.  RRSIG RR Example . . . . . . . . . . . . . . . . . . . 11
   4.  The NSEC Resource Record . . . . . . . . . . . . . . . . . . 12
       4.1.  NSEC RDATA Wire Format . . . . . . . . . . . . . . . . 13
             4.1.1.  The Next Domain Name Field . . . . . . . . . . 13
             4.1.2.  The Type Bit Maps Field. . . . . . . . . . . . 13
             4.1.3.  Inclusion of Wildcard Names in NSEC RDATA. . . 14
       4.2.  The NSEC RR Presentation Format. . . . . . . . . . . . 14
       4.3.  NSEC RR Example. . . . . . . . . . . . . . . . . . . . 15
   5.  The DS Resource Record . . . . . . . . . . . . . . . . . . . 15
       5.1.  DS RDATA Wire Format . . . . . . . . . . . . . . . . . 16
             5.1.1.  The Key Tag Field. . . . . . . . . . . . . . . 16
             5.1.2.  The Algorithm Field. . . . . . . . . . . . . . 16
             5.1.3.  The Digest Type Field. . . . . . . . . . . . . 17
             5.1.4.  The Digest Field . . . . . . . . . . . . . . . 17
       5.2.  Processing of DS RRs When Validating Responses . . . . 17
       5.3.  The DS RR Presentation Format. . . . . . . . . . . . . 17
       5.4.  DS RR Example. . . . . . . . . . . . . . . . . . . . . 18

Show full document text

Resource Records for the DNS Security ExtensionsRFC 4034

Resource Records for the DNS Security Extensions
RFC 4034