DNS Request and Transaction Signatures ( SIG(0)s )
RFC 2931
Type: RFC - Proposed Standard (September 2000; no errata)
Updates: RFC 2535
Author: Donald Eastlake
Last updated: 2013-03-02
Stream: IETF
IESG state: RFC 2931 (Proposed Standard)
Network Working Group                                   D. Eastlake 3rd
Request for Comments: 2931                                     Motorola
Updates: 2535                                            September 2000
Category: Standards Track

          DNS Request and Transaction Signatures ( SIG(0)s )

Status of this Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements. Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol. Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2000). All Rights Reserved.

Abstract

   Extensions to the Domain Name System (DNS) are described in [RFC
   2535] that can provide data origin and transaction integrity and
   authentication to security aware resolvers and applications through
   the use of cryptographic digital signatures.

   Implementation experience has indicated the need for minor but
   non-interoperable changes in Request and Transaction signature
   resource records ( SIG(0)s ). These changes are documented herein.

Acknowledgments

   The contributions and suggestions of the following persons (in
   alphabetic order) to this memo are gratefully acknowledged:

      Olafur Gudmundsson
      Ed Lewis
      Erik Nordmark
      Brian Wellington

Eastlake                    Standards Track                     [Page 1]

RFC 2931                       DNS SIG(0)                 September 2000

Table of Contents

   1. Introduction ................................................ 2
   2. SIG(0) Design Rationale ..................................... 3
   2.1 Transaction Authentication ................................. 3
   2.2 Request Authentication ..................................... 3
   2.3 Keying ..................................................... 3
   2.4 Differences Between TSIG and SIG(0) ........................ 4
   3. The SIG(0) Resource Record .................................. 4
   3.1 Calculating Request and Transaction SIGs ................... 5
   3.2 Processing Responses and SIG(0) RRs ........................ 6
   3.3 SIG(0) Lifetime and Expiration ............................. 7
   4. Security Considerations ..................................... 7
   5. IANA Considerations ......................................... 7
   References ..................................................... 7
   Author's Address ............................................... 8
   Appendix: SIG(0) Changes from RFC 2535 ......................... 9
   Full Copyright Statement ....................................... 10

1. Introduction

   This document makes minor but non-interoperable changes to part of
   [RFC 2535], familiarity with which is assumed, and includes
   additional explanatory text. These changes concern SIG Resource
   Records (RRs) that are used to digitally sign DNS requests and
   transactions / responses. Such a resource record, because it has a
   type covered field of zero, is frequently called a SIG(0). The
   changes are based on implementation and attempted implementation
   experience with TSIG [RFC 2845] and the [RFC 2535] specification for
   SIG(0).

   Sections of [RFC 2535] updated are all of 4.1.8.1 and parts of 4.2
   and 4.3. No changes are made herein related to the KEY or NXT RRs or
   to the processing involved with data origin and denial
   authentication for DNS data.

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC 2119].

2. SIG(0) Design Rationale

   SIG(0) provides protection for DNS transactions and requests that is
   not provided by the regular SIG, KEY, and NXT RRs specified in [RFC
   2535]. The authenticated data origin services of secure DNS either
   provide protected data resource records (RRs) or authenticatably deny
   their nonexistence. These services provide no protection for glue
   records, DNS requests, no protection for message headers on requests
   or responses, and no protection of the overall integrity of a
   response.

2.1 Transaction Authentication

   Transaction authentication means that a requester can be sure it is
   at least getting the messages from the server it queried and that the
   received messages are in response to the query it sent. This is
   accomplished by optionally adding either a TSIG RR [RFC 2845] or, as
   described herein, a SIG(0) resource record at the end of the response
   which digitally signs the concatenation of the server's response and
   the corresponding resolver query.
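As an added example (not part of RFC 2931 or of any implementation of it), the following Go code models the transaction signature described in section 2.1: the server signs the concatenation of its response and the resolver's query, and the resolver verifies against the query it actually sent, so a response replayed for a different query or altered in transit fails. Ed25519, the minimal DNS message builder and the function names are this example's assumptions; the real SIG(0) RDATA layout and the RFC 2535 algorithms are not modelled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
)

// BuildMessage is a constructed, minimal DNS message: 12-byte header plus one
// question (name, QTYPE=A, QCLASS=IN). Enough to carry real header fields and a
// body for signing; it is not a full DNS codec.
func BuildMessage(id, flags uint16, labels []string) []byte {
	msg := make([]byte, 12)
	binary.BigEndian.PutUint16(msg[0:], id)
	binary.BigEndian.PutUint16(msg[2:], flags)
	binary.BigEndian.PutUint16(msg[4:], 1) // QDCOUNT = 1
	for _, l := range labels {
		msg = append(msg, byte(len(l)))
		msg = append(msg, l...)
	}
	return append(msg, 0, 0, 1, 0, 1) // root label, QTYPE=A, QCLASS=IN
}
// signedData is what the transaction signature covers, as section 2.1 describes
// it: the server's response concatenated with the resolver's original query.
func signedData(response, query []byte) []byte {
	return append(append([]byte{}, response...), query...)
}

// NewServerKey makes the server's signing key pair. Ed25519 is this example's
// stand-in for the RFC 2535 algorithms; SIG(0) RDATA layout is not modelled.
func NewServerKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignTransaction is the server side: sign response||query.
func SignTransaction(priv ed25519.PrivateKey, response, query []byte) []byte {
	return ed25519.Sign(priv, signedData(response, query))
}

// VerifyTransaction is the resolver side. It verifies against the query it
// itself sent, so a signed response replayed for a different query (even one
// differing only in message ID) fails, as does any modified response.
func VerifyTransaction(pub ed25519.PublicKey, response, query, sig []byte) bool {
	return ed25519.Verify(pub, signedData(response, query), sig)
}
```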