Storing Certificates in the Domain Name System (DNS)
RFC 2538
| Document | Type |
RFC - Proposed Standard
(March 1999; No errata)
Obsoleted by RFC 4398
|
|
|---|---|---|---|
| Last updated | 2013-03-02 | ||
| Stream | IETF | ||
| Formats | plain text html pdf htmlized bibtex | ||
| Stream | WG state | (None) | |
| Document shepherd | No shepherd assigned | ||
| IESG | IESG state | RFC 2538 (Proposed Standard) | |
| Consensus Boilerplate | Unknown | ||
| Telechat date | |||
| Responsible AD | (None) | ||
| Send notices to | (None) | ||
Network Working Group D. Eastlake
Request for Comments: 2538 IBM
Category: Standards Track O. Gudmundsson
TIS Labs
March 1999
Storing Certificates in the Domain Name System (DNS)
Status of this Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (1999). All Rights Reserved.
Abstract
Cryptographic public key are frequently published and their
authenticity demonstrated by certificates. A CERT resource record
(RR) is defined so that such certificates and related certificate
revocation lists can be stored in the Domain Name System (DNS).
Table of Contents
Abstract...................................................1
1. Introduction............................................2
2. The CERT Resource Record................................2
2.1 Certificate Type Values................................3
2.2 Text Representation of CERT RRs........................4
2.3 X.509 OIDs.............................................4
3. Appropriate Owner Names for CERT RRs....................5
3.1 X.509 CERT RR Names....................................5
3.2 PGP CERT RR Names......................................6
4. Performance Considerations..............................6
5. IANA Considerations.....................................7
6. Security Considerations.................................7
References.................................................8
Authors' Addresses.........................................9
Full Copyright Notice.....................................10
Eastlake & Gudmundsson Standards Track [Page 1]
RFC 2538 Storing Certificates in the DNS March 1999
1. Introduction
Public keys are frequently published in the form of a certificate and
their authenticity is commonly demonstrated by certificates and
related certificate revocation lists (CRLs). A certificate is a
binding, through a cryptographic digital signature, of a public key,
a validity interval and/or conditions, and identity, authorization,
or other information. A certificate revocation list is a list of
certificates that are revoked, and incidental information, all signed
by the signer (issuer) of the revoked certificates. Examples are
X.509 certificates/CRLs in the X.500 directory system or PGP
certificates/revocations used by PGP software.
Section 2 below specifies a CERT resource record (RR) for the storage
of certificates in the Domain Name System.
Section 3 discusses appropriate owner names for CERT RRs.
Sections 4, 5, and 6 below cover performance, IANA, and security
considerations, respectively.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
2. The CERT Resource Record
The CERT resource record (RR) has the structure given below. Its RR
type code is 37.
1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| type | key tag |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| algorithm | /
+---------------+ certificate or CRL /
/ /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-|
The type field is the certificate type as define in section 2.1
below.
The algorithm field has the same meaning as the algorithm field in
KEY and SIG RRs [RFC 2535] except that a zero algorithm field
indicates the algorithm is unknown to a secure DNS, which may simply
be the result of the algorithm not having been standardized for
secure DNS.
Eastlake & Gudmundsson Standards Track [Page 2]
RFC 2538 Storing Certificates in the DNS March 1999
The key tag field is the 16 bit value computed for the key embedded
in the certificate as specified in the DNSSEC Standard [RFC 2535].
This field is used as an efficiency measure to pick which CERT RRs
may be applicable to a particular key. The key tag can be calculated
Show full document text