Limiting the Scope of the KEY Resource Record (RR)
RFC 3445

Document Type RFC - Proposed Standard (December 2002; Errata)
Obsoleted by RFC 4035, RFC 4033, RFC 4034
Updates RFC 2535
Authors Scott Rose  , Dan Massey 
Last updated 2020-01-21
Stream Internent Engineering Task Force (IETF)
Formats plain text html pdf htmlized (tools) htmlized with errata bibtex
Stream WG state (None)
Document shepherd No shepherd assigned
IESG IESG state RFC 3445 (Proposed Standard)
Action Holders
Consensus Boilerplate Unknown
Telechat date
Responsible AD Erik Nordmark
IESG note appears
Send notices to <>
Network Working Group                                          D. Massey
Request for Comments: 3445                                       USC/ISI
Updates: 2535                                                    S. Rose
Category: Standards Track                                           NIST
                                                           December 2002

           Limiting the Scope of the KEY Resource Record (RR)

Status of this Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2002).  All Rights Reserved.


   This document limits the Domain Name System (DNS) KEY Resource Record
   (RR) to only keys used by the Domain Name System Security Extensions
   (DNSSEC).  The original KEY RR used sub-typing to store both DNSSEC
   keys and arbitrary application keys.  Storing both DNSSEC and
   application keys with the same record type is a mistake.  This
   document removes application keys from the KEY record by redefining
   the Protocol Octet field in the KEY RR Data.  As a result of removing
   application keys, all but one of the flags in the KEY record become
   unnecessary and are redefined.  Three existing application key sub-
   types are changed to reserved, but the format of the KEY record is
   not changed.  This document updates RFC 2535.

1. Introduction

   This document limits the scope of the KEY Resource Record (RR).  The
   KEY RR was defined in [3] and used resource record sub-typing to hold
   arbitrary public keys such as Email, IPSEC, DNSSEC, and TLS keys.
   This document eliminates the existing Email, IPSEC, and TLS sub-types
   and prohibits the introduction of new sub-types.  DNSSEC will be the
   only allowable sub-type for the KEY RR (hence sub-typing is
   essentially eliminated) and all but one of the KEY RR flags are also

Massey & Rose               Standards Track                     [Page 1]
RFC 3445         Limiting the KEY Resource Record (RR)     December 2002

   Section 2 presents the motivation for restricting the KEY record and
   Section 3 defines the revised KEY RR.  Sections 4 and 5 summarize the
   changes from RFC 2535 and discuss backwards compatibility.  It is
   important to note that this document restricts the use of the KEY RR
   and simplifies the flags, but does not change the definition or use
   of DNSSEC keys.

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   document are to be interpreted as described in RFC 2119 [1].

2. Motivation for Restricting the KEY RR

   The KEY RR RDATA [3] consists of Flags, a Protocol Octet, an
   Algorithm type, and a Public Key.  The Protocol Octet identifies the
   KEY RR sub-type.  DNSSEC public keys are stored in the KEY RR using a
   Protocol Octet value of 3.  Email, IPSEC, and TLS keys were also
   stored in the KEY RR and used Protocol Octet values of 1,2, and 4
   (respectively).  Protocol Octet values 5-254 were available for
   assignment by IANA and values were requested (but not assigned) for
   applications such as SSH.

   Any use of sub-typing has inherent limitations.  A resolver can not
   specify the desired sub-type in a DNS query and most DNS operations
   apply only to resource records sets.  For example, a resolver can not
   directly request the DNSSEC subtype KEY RRs.  Instead, the resolver
   has to request all KEY RRs associated with a DNS name and then search
   the set for the desired DNSSEC sub-type.  DNSSEC signatures also
   apply to the set of all KEY RRs associated with the DNS name,
   regardless of sub-type.

   In the case of the KEY RR, the inherent sub-type limitations are
   exacerbated since the sub-type is used to distinguish between DNSSEC
   keys and application keys.  DNSSEC keys and application keys differ
   in virtually every respect and Section 2.1 discusses these
   differences in more detail.  Combining these very different types of
   keys into a single sub-typed resource record adds unnecessary
   complexity and increases the potential for implementation and
   deployment errors.  Limited experimental deployment has shown that
   application keys stored in KEY RRs are problematic.

   This document addresses these issues by removing all application keys
   from the KEY RR.  Note that the scope of this document is strictly
   limited to the KEY RR and this document does not endorse or restrict
   the storage of application keys in other, yet undefined, resource

Massey & Rose               Standards Track                     [Page 2]
RFC 3445         Limiting the KEY Resource Record (RR)     December 2002
Show full document text