Secret Key Establishment for DNS (TKEY RR)
RFC 2930
Document Type RFC - Proposed Standard (September 2000; No errata)
Updated by RFC 6895
Last updated 2013-03-02
Stream IETF
Formats plain text html pdf htmlized bibtex
Stream WG state (None)
Document shepherd No shepherd assigned
IESG IESG state RFC 2930 (Proposed Standard)
Consensus Boilerplate Unknown
Telechat date
Responsible AD (None)
Send notices to (None)
Email authors Email WG IPR References Referenced by Nits 
Network Working Group                                   D. Eastlake, 3rd
Request for Comments: 2930                                      Motorola
Category: Standards Track                                 September 2000

               Secret Key Establishment for DNS (TKEY RR)

Status of this Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2000).  All Rights Reserved.

Abstract

   [RFC 2845] provides a means of authenticating Domain Name System
   (DNS) queries and responses using shared secret keys via the
   Transaction Signature (TSIG) resource record (RR).  However, it
   provides no mechanism for setting up such keys other than manual
   exchange. This document describes a Transaction Key (TKEY) RR that
   can be used in a number of different modes to establish shared secret
   keys between a DNS resolver and server.

Acknowledgments

   The comments and ideas of the following persons (listed in alphabetic
   order) have been incorporated herein and are gratefully acknowledged:

         Olafur Gudmundsson (TIS)

         Stuart Kwan (Microsoft)

         Ed Lewis (TIS)

         Erik Nordmark (SUN)

         Brian Wellington (Nominum)

Eastlake                    Standards Track                     [Page 1]
RFC 2930                    The DNS TKEY RR               September 2000

Table of Contents

   1. Introduction...............................................  2
   1.1 Overview of Contents......................................  3
   2. The TKEY Resource Record...................................  4
   2.1 The Name Field............................................  4
   2.2 The TTL Field.............................................  5
   2.3 The Algorithm Field.......................................  5
   2.4 The Inception and Expiration Fields.......................  5
   2.5 The Mode Field............................................  5
   2.6 The Error Field...........................................  6
   2.7 The Key Size and Data Fields..............................  6
   2.8 The Other Size and Data Fields............................  6
   3. General TKEY Considerations................................  7
   4. Exchange via Resolver Query................................  8
   4.1 Query for Diffie-Hellman Exchanged Keying.................  8
   4.2 Query for TKEY Deletion...................................  9
   4.3 Query for GSS-API Establishment........................... 10
   4.4 Query for Server Assigned Keying.......................... 10
   4.5 Query for Resolver Assigned Keying........................ 11
   5. Spontaneous Server Inclusion............................... 12
   5.1 Spontaneous Server Key Deletion........................... 12
   6. Methods of Encryption...................................... 12
   7. IANA Considerations........................................ 13
   8. Security Considerations.................................... 13
   References.................................................... 14
   Author's Address.............................................. 15
   Full Copyright Statement...................................... 16

1. Introduction

   The Domain Name System (DNS) is a hierarchical, distributed, highly
   available database used for bi-directional mapping between domain
   names and addresses, for email routing, and for other information
   [RFC 1034, 1035].  It has been extended to provide for public key
   security and dynamic update [RFC 2535, RFC 2136].  Familiarity with
   these RFCs is assumed.

   [RFC 2845] provides a means of efficiently authenticating DNS
   messages using shared secret keys via the TSIG resource record (RR)
   but provides no mechanism for setting up such keys other than manual
   exchange. This document specifies a TKEY RR that can be used in a
   number of different modes to establish and delete such shared secret
   keys between a DNS resolver and server.

Eastlake                    Standards Track                     [Page 2]
RFC 2930                    The DNS TKEY RR               September 2000

   Note that TKEY established keying material and TSIGs that use it are
   associated with DNS servers or resolvers.  They are not associated
   with zones.  They may be used to authenticate queries and responses
   but they do not provide zone based DNS data origin or denial
   authentication [RFC 2535].

   Certain modes of TKEY perform encryption which may affect their
   export or import status for some countries.  The affected modes
   specified in this document are the server assigned mode and the
   resolver assigned mode.

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
Show full document text
RFC Editor IASA & IETF LLC IETF Trust IRTF IETF IESG IAB IANA Privacy Statement IETF Tools