Secret Key Establishment for DNS (TKEY RR)
RFC 2930
| Field | Value |
| --- | --- |
| Type | RFC - Proposed Standard (September 2000; No errata); updated by RFC 6895 |
| Author | Donald Eastlake |
| Last updated | 2013-03-02 |
| Stream | IETF |
| WG state | (None) |
| Document shepherd | No shepherd assigned |
| IESG state | RFC 2930 (Proposed Standard) |
| Consensus Boilerplate | Unknown |
| Responsible AD | (None) |
| Send notices to | (None) |
Network Working Group                                     D. Eastlake, 3rd
Request for Comments: 2930                                        Motorola
Category: Standards Track                                   September 2000

Secret Key Establishment for DNS (TKEY RR)

Status of this Memo

This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (2000). All Rights Reserved.

Abstract

[RFC 2845] provides a means of authenticating Domain Name System (DNS) queries and responses using shared secret keys via the Transaction Signature (TSIG) resource record (RR). However, it provides no mechanism for setting up such keys other than manual exchange. This document describes a Transaction Key (TKEY) RR that can be used in a number of different modes to establish shared secret keys between a DNS resolver and server.

Acknowledgments

The comments and ideas of the following persons (listed in alphabetic order) have been incorporated herein and are gratefully acknowledged:

Olafur Gudmundsson (TIS)
Stuart Kwan (Microsoft)
Ed Lewis (TIS)
Erik Nordmark (SUN)
Brian Wellington (Nominum)

Table of Contents

1. Introduction
1.1 Overview of Contents
2. The TKEY Resource Record
2.1 The Name Field
2.2 The TTL Field
2.3 The Algorithm Field
2.4 The Inception and Expiration Fields
2.5 The Mode Field
2.6 The Error Field
2.7 The Key Size and Data Fields
2.8 The Other Size and Data Fields
3. General TKEY Considerations
4. Exchange via Resolver Query
4.1 Query for Diffie-Hellman Exchanged Keying
4.2 Query for TKEY Deletion
4.3 Query for GSS-API Establishment
4.4 Query for Server Assigned Keying
4.5 Query for Resolver Assigned Keying
5. Spontaneous Server Inclusion
5.1 Spontaneous Server Key Deletion
6. Methods of Encryption
7. IANA Considerations
8. Security Considerations
References
Author's Address
Full Copyright Statement

1. Introduction

The Domain Name System (DNS) is a hierarchical, distributed, highly available database used for bi-directional mapping between domain names and addresses, for email routing, and for other information [RFC 1034, 1035]. It has been extended to provide for public key security and dynamic update [RFC 2535, RFC 2136]. Familiarity with these RFCs is assumed.

[RFC 2845] provides a means of efficiently authenticating DNS messages using shared secret keys via the TSIG resource record (RR) but provides no mechanism for setting up such keys other than manual exchange. This document specifies a TKEY RR that can be used in a number of different modes to establish and delete such shared secret keys between a DNS resolver and server.

Note that TKEY established keying material and TSIGs that use it are associated with DNS servers or resolvers. They are not associated with zones. They may be used to authenticate queries and responses but they do not provide zone based DNS data origin or denial authentication [RFC 2535].

Certain modes of TKEY perform encryption which may affect their export or import status for some countries. The affected modes specified in this document are the server assigned mode and the resolver assigned mode.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",