Protocol Modifications for the DNS Security Extensions
RFC 4035
Document Type RFC - Proposed Standard (March 2005; Errata)
Authors Scott Rose  , Matt Larson  , Dan Massey  , Rob Austein  , Roy Arends 
Last updated 2020-01-21
Stream IETF
Formats plain text html pdf htmlized with errata bibtex
Stream WG state (None)
Document shepherd No shepherd assigned
IESG IESG state RFC 4035 (Proposed Standard)
Consensus Boilerplate Unknown
Telechat date
Responsible AD Thomas Narten
Send notices to olaf@ripe.net
Email authors Email WG IPR 2 References Referenced by Nits 
Network Working Group                                          R. Arends
Request for Comments: 4035                          Telematica Instituut
Obsoletes: 2535, 3008, 3090, 3445, 3655, 3658,                R. Austein
           3755, 3757, 3845                                          ISC
Updates: 1034, 1035, 2136, 2181, 2308, 3225,                   M. Larson
         3007, 3597, 3226                                       VeriSign
Category: Standards Track                                      D. Massey
                                               Colorado State University
                                                                 S. Rose
                                                                    NIST
                                                              March 2005

         Protocol Modifications for the DNS Security Extensions

Status of This Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2005).

Abstract

   This document is part of a family of documents that describe the DNS
   Security Extensions (DNSSEC).  The DNS Security Extensions are a
   collection of new resource records and protocol modifications that
   add data origin authentication and data integrity to the DNS.  This
   document describes the DNSSEC protocol modifications.  This document
   defines the concept of a signed zone, along with the requirements for
   serving and resolving by using DNSSEC.  These techniques allow a
   security-aware resolver to authenticate both DNS resource records and
   authoritative DNS error indications.

   This document obsoletes RFC 2535 and incorporates changes from all
   updates to RFC 2535.

Arends, et al.              Standards Track                     [Page 1]
RFC 4035             DNSSEC Protocol Modifications            March 2005

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
       1.1.  Background and Related Documents . . . . . . . . . . . .  4
       1.2.  Reserved Words . . . . . . . . . . . . . . . . . . . . .  4
   2.  Zone Signing . . . . . . . . . . . . . . . . . . . . . . . . .  4
       2.1.  Including DNSKEY RRs in a Zone . . . . . . . . . . . . .  5
       2.2.  Including RRSIG RRs in a Zone  . . . . . . . . . . . . .  5
       2.3.  Including NSEC RRs in a Zone . . . . . . . . . . . . . .  6
       2.4.  Including DS RRs in a Zone . . . . . . . . . . . . . . .  7
       2.5.  Changes to the CNAME Resource Record.  . . . . . . . . .  7
       2.6.  DNSSEC RR Types Appearing at Zone Cuts.  . . . . . . . .  8
       2.7.  Example of a Secure Zone . . . . . . . . . . . . . . . .  8
   3.  Serving  . . . . . . . . . . . . . . . . . . . . . . . . . . .  8
       3.1.  Authoritative Name Servers . . . . . . . . . . . . . . .  9
             3.1.1.  Including RRSIG RRs in a Response  . . . . . . . 10
             3.1.2.  Including DNSKEY RRs in a Response . . . . . . . 11
             3.1.3.  Including NSEC RRs in a Response . . . . . . . . 11
             3.1.4.  Including DS RRs in a Response . . . . . . . . . 14
             3.1.5.  Responding to Queries for Type AXFR or IXFR  . . 15
             3.1.6.  The AD and CD Bits in an Authoritative Response. 16
       3.2.  Recursive Name Servers . . . . . . . . . . . . . . . . . 17
             3.2.1.  The DO Bit . . . . . . . . . . . . . . . . . . . 17
             3.2.2.  The CD Bit . . . . . . . . . . . . . . . . . . . 17
             3.2.3.  The AD Bit . . . . . . . . . . . . . . . . . . . 18
       3.3.  Example DNSSEC Responses . . . . . . . . . . . . . . . . 19
   4.  Resolving  . . . . . . . . . . . . . . . . . . . . . . . . . . 19
       4.1.  EDNS Support . . . . . . . . . . . . . . . . . . . . . . 19
       4.2.  Signature Verification Support . . . . . . . . . . . . . 19
       4.3.  Determining Security Status of Data  . . . . . . . . . . 20
       4.4.  Configured Trust Anchors . . . . . . . . . . . . . . . . 21
       4.5.  Response Caching . . . . . . . . . . . . . . . . . . . . 21
       4.6.  Handling of the CD and AD Bits . . . . . . . . . . . . . 22
       4.7.  Caching BAD Data . . . . . . . . . . . . . . . . . . . . 22
       4.8.  Synthesized CNAMEs . . . . . . . . . . . . . . . . . . . 23
       4.9.  Stub Resolvers . . . . . . . . . . . . . . . . . . . . . 23
             4.9.1.  Handling of the DO Bit . . . . . . . . . . . . . 24
             4.9.2.  Handling of the CD Bit . . . . . . . . . . . . . 24
             4.9.3.  Handling of the AD Bit . . . . . . . . . . . . . 24
   5.  Authenticating DNS Responses . . . . . . . . . . . . . . . . . 25
       5.1.  Special Considerations for Islands of Security . . . . . 26
Show full document text
RFC Editor IASA & IETF LLC IETF Trust IRTF IETF IESG IAB IANA Privacy Statement IETF Tools