Secure Domain Name System Dynamic Update
RFC 2137
| Document | Type |
RFC - Proposed Standard
(April 1997; No errata)
Obsoleted by RFC 3007
Updates RFC 1035
|
|
|---|---|---|---|
| Last updated | 2013-03-02 | ||
| Stream | IETF | ||
| Formats | plain text pdf html bibtex | ||
| Stream | WG state | (None) | |
| Document shepherd | No shepherd assigned | ||
| IESG | IESG state | RFC 2137 (Proposed Standard) | |
| Consensus Boilerplate | Unknown | ||
| Telechat date | |||
| Responsible AD | (None) | ||
| Send notices to | (None) | ||
Network Working Group D. Eastlake 3rd
Request for Comments: 2137 CyberCash, Inc.
Updates: 1035 April 1997
Category: Standards Track
Secure Domain Name System Dynamic Update
Status of this Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Abstract
Domain Name System (DNS) protocol extensions have been defined to
authenticate the data in DNS and provide key distribution services
[RFC2065]. DNS Dynamic Update operations have also been defined
[RFC2136], but without a detailed description of security for the
update operation. This memo describes how to use DNSSEC digital
signatures covering requests and data to secure updates and restrict
updates to those authorized to perform them as indicated by the
updater's possession of cryptographic keys.
Acknowledgements
The contributions of the following persons (who are listed in
alphabetic order) to this memo are gratefully acknowledged:
Olafur Gudmundsson (ogud@tis.com>
Charlie Kaufman <Charlie_Kaufman@iris.com>
Stuart Kwan <skwan@microsoft.com>
Edward Lewis <lewis@tis.com>
Table of Contents
1. Introduction............................................2
1.1 Overview of DNS Dynamic Update.........................2
1.2 Overview of DNS Security...............................2
2. Two Basic Modes.........................................3
3. Keys....................................................5
3.1 Update Keys............................................6
3.1.1 Update Key Name Scope................................6
3.1.2 Update Key Class Scope...............................6
3.1.3 Update Key Signatory Field...........................6
Eastlake Standards Track [Page 1]
RFC 2137 SDNSDU April 1997
3.2 Zone Keys and Update Modes.............................8
3.3 Wildcard Key Punch Through.............................9
4. Update Signatures.......................................9
4.1 Update Request Signatures..............................9
4.2 Update Data Signatures................................10
5. Security Considerations................................10
References................................................10
Author's Address..........................................11
1. Introduction
Dynamic update operations have been defined for the Domain Name
System (DNS) in RFC 2136, but without a detailed description of
security for those updates. Means of securing the DNS and using it
for key distribution have been defined in RFC 2065.
This memo proposes techniques based on the defined DNS security
mechanisms to authenticate DNS updates.
Familiarity with the DNS system [RFC 1034, 1035] is assumed.
Familiarity with the DNS security and dynamic update proposals will
be helpful.
1.1 Overview of DNS Dynamic Update
DNS dynamic update defines a new DNS opcode, new DNS request and
response structure if that opcode is used, and new error codes. An
update can specify complex combinations of deletion and insertion
(with or without pre-existence testing) of resource records (RRs)
with one or more owner names; however, all testing and changes for
any particular DNS update request are restricted to a single zone.
Updates occur at the primary server for a zone.
The primary server for a secure dynamic zone must increment the zone
SOA serial number when an update occurs or the next time the SOA is
retrieved if one or more updates have occurred since the previous SOA
retrieval and the updates themselves did not update the SOA.
1.2 Overview of DNS Security
DNS security authenticates data in the DNS by also storing digital
signatures in the DNS as SIG resource records (RRs). A SIG RR
provides a digital signature on the set of all RRs with the same
owner name and class as the SIG and whose type is the type covered by
the SIG. The SIG RR cryptographically binds the covered RR set to
the signer, time signed, signature expiration date, etc. There are
one or more keys associated with every secure zone and all data in
the secure zone is signed either by a zone key or by a dynamic update
Eastlake Standards Track [Page 2]
RFC 2137 SDNSDU April 1997
key tracing its authority to a zone key.
DNS security also defines transaction SIGs and request SIGs.
Show full document text