Secret Key Establishment for DNS (TKEY RR)
RFC 2930
| Document | Type |
RFC - Proposed Standard
(September 2000; No errata)
Updated by RFC 6895
|
|
|---|---|---|---|
| Last updated | 2013-03-02 | ||
| Stream | IETF | ||
| Formats | plain text pdf html bibtex | ||
| Stream | WG state | (None) | |
| Document shepherd | No shepherd assigned | ||
| IESG | IESG state | RFC 2930 (Proposed Standard) | |
| Consensus Boilerplate | Unknown | ||
| Telechat date | |||
| Responsible AD | (None) | ||
| Send notices to | (None) | ||
Network Working Group D. Eastlake, 3rd
Request for Comments: 2930 Motorola
Category: Standards Track September 2000
Secret Key Establishment for DNS (TKEY RR)
Status of this Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2000). All Rights Reserved.
Abstract
[RFC 2845] provides a means of authenticating Domain Name System
(DNS) queries and responses using shared secret keys via the
Transaction Signature (TSIG) resource record (RR). However, it
provides no mechanism for setting up such keys other than manual
exchange. This document describes a Transaction Key (TKEY) RR that
can be used in a number of different modes to establish shared secret
keys between a DNS resolver and server.
Acknowledgments
The comments and ideas of the following persons (listed in alphabetic
order) have been incorporated herein and are gratefully acknowledged:
Olafur Gudmundsson (TIS)
Stuart Kwan (Microsoft)
Ed Lewis (TIS)
Erik Nordmark (SUN)
Brian Wellington (Nominum)
Eastlake Standards Track [Page 1]
RFC 2930 The DNS TKEY RR September 2000
Table of Contents
1. Introduction............................................... 2
1.1 Overview of Contents...................................... 3
2. The TKEY Resource Record................................... 4
2.1 The Name Field............................................ 4
2.2 The TTL Field............................................. 5
2.3 The Algorithm Field....................................... 5
2.4 The Inception and Expiration Fields....................... 5
2.5 The Mode Field............................................ 5
2.6 The Error Field........................................... 6
2.7 The Key Size and Data Fields.............................. 6
2.8 The Other Size and Data Fields............................ 6
3. General TKEY Considerations................................ 7
4. Exchange via Resolver Query................................ 8
4.1 Query for Diffie-Hellman Exchanged Keying................. 8
4.2 Query for TKEY Deletion................................... 9
4.3 Query for GSS-API Establishment........................... 10
4.4 Query for Server Assigned Keying.......................... 10
4.5 Query for Resolver Assigned Keying........................ 11
5. Spontaneous Server Inclusion............................... 12
5.1 Spontaneous Server Key Deletion........................... 12
6. Methods of Encryption...................................... 12
7. IANA Considerations........................................ 13
8. Security Considerations.................................... 13
References.................................................... 14
Author's Address.............................................. 15
Full Copyright Statement...................................... 16
1. Introduction
The Domain Name System (DNS) is a hierarchical, distributed, highly
available database used for bi-directional mapping between domain
names and addresses, for email routing, and for other information
[RFC 1034, 1035]. It has been extended to provide for public key
security and dynamic update [RFC 2535, RFC 2136]. Familiarity with
these RFCs is assumed.
[RFC 2845] provides a means of efficiently authenticating DNS
messages using shared secret keys via the TSIG resource record (RR)
but provides no mechanism for setting up such keys other than manual
exchange. This document specifies a TKEY RR that can be used in a
number of different modes to establish and delete such shared secret
keys between a DNS resolver and server.
Eastlake Standards Track [Page 2]
RFC 2930 The DNS TKEY RR September 2000
Note that TKEY established keying material and TSIGs that use it are
associated with DNS servers or resolvers. They are not associated
with zones. They may be used to authenticate queries and responses
but they do not provide zone based DNS data origin or denial
authentication [RFC 2535].
Certain modes of TKEY perform encryption which may affect their
export or import status for some countries. The affected modes
specified in this document are the server assigned mode and the
resolver assigned mode.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
Show full document text