Diff of draft-ietf-dnsext-dnssec-records-10.txt (old) against draft-ietf-dnsext-dnssec-records-11.txt (new). Text common to both versions is shown once; where the versions differ, the -10 text is given first and the -11 text second.

DNS Extensions                                               R. Arends
Internet-Draft                                     Telematica Instituut
Expires: March 21, 2005 (-10); April 10, 2005 (-11)          R. Austein
                                                                    ISC
                                                              M. Larson
                                                               VeriSign
                                                              D. Massey
                                                                USC/ISI
                                                                S. Rose
                                                                   NIST
                          September 20, 2004 (-10); October 10, 2004 (-11)

          Resource Records for the DNS Security Extensions
  draft-ietf-dnsext-dnssec-records-10 (old); draft-ietf-dnsext-dnssec-records-11 (new)
Status of this Memo

This document is an Internet-Draft and is subject to all provisions
of section 3 of RFC 3667. By submitting this Internet-Draft, each
author represents that any applicable patent or other IPR claims of
which he or she is aware have been or will be disclosed, and any of
which he or she becomes aware will be disclosed, in accordance with
RFC 3668.

skipping to change at page 1, line 43

and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.

The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.

-10: This Internet-Draft will expire on March 21, 2005.
-11: This Internet-Draft will expire on April 10, 2005.

Copyright Notice

Copyright (C) The Internet Society (2004).

Abstract

This document is part of a family of documents that describes the DNS
Security Extensions (DNSSEC). The DNS Security Extensions are a
collection of resource records and protocol modifications that
provide source authentication for the DNS. This document defines the
skipping to change at page 2, line 41

   3.1   RRSIG RDATA Wire Format . . . . . . . . . . . . . . . . .  8
     3.1.1   The Type Covered Field . . . . . . . . . . . . . . . .  9
     3.1.2   The Algorithm Number Field . . . . . . . . . . . . . .  9
     3.1.3   The Labels Field . . . . . . . . . . . . . . . . . . .  9
     3.1.4   Original TTL Field . . . . . . . . . . . . . . . . . . 10
     3.1.5   Signature Expiration and Inception Fields . . . . . .  10
     3.1.6   The Key Tag Field . . . . . . . . . . . . . . . . . .  10
     3.1.7   The Signer's Name Field . . . . . . . . . . . . . . .  11
     3.1.8   The Signature Field . . . . . . . . . . . . . . . . .  11
   3.2   The RRSIG RR Presentation Format . . . . . . . . . . . . . 12
   3.3   RRSIG RR Example . . . . . . . . . . . . . . . 12 (-10); 13 (-11)
   4.  The NSEC Resource Record . . . . . . . . . . . . . . . . . . 14
   4.1   NSEC RDATA Wire Format . . . . . . . . . . . . . . . . . . 14
     4.1.1   The Next Domain Name Field . . . . . . . . . . . . . . 14
     4.1.2   The Type Bit Maps Field . . . . . . . . . . . . . . .  15
     4.1.3   Inclusion of Wildcard Names in NSEC RDATA . . . . . .  16
   4.2   The NSEC RR Presentation Format . . . . . . . . . . . . .  16
   4.3   NSEC RR Example . . . . . . . . . . . . . . . . . . . . .  16
   5.  The DS Resource Record . . . . . . . . . . . . . . . . . . . 18
   5.1   DS RDATA Wire Format . . . . . . . . . . . . . . . . . . . 18
     5.1.1   The Key Tag Field . . . . . . . . . . . . . . . . . .  19

skipping to change at page 4, line 8

   A.1   DNSSEC Algorithm Types . . . . . . . . . . . . . . . . . . 29
     A.1.1   Private Algorithm Types . . . . . . . . . . . . . . .  29
   A.2   DNSSEC Digest Types . . . . . . . . . . . . . . . . . . .  30
   B.  Key Tag Calculation . . . . . . . . . . . . . . . . . . . .  31
   B.1   Key Tag for Algorithm 1 (RSA/MD5) . . . . . . . . . . . .  32
   Intellectual Property and Copyright Statements . . . . . . . .  33
1. Introduction

-10: The DNS Security Extensions (DNSSEC) introduce four new DNS resource
record types: DNSKEY, RRSIG, NSEC, and DS. This document defines the
purpose of each resource record (RR), the RR's RDATA format, and its
presentation format (ASCII representation).

-11: The DNS Security Extensions (DNSSEC) introduce four new DNS resource
record types: DNS Public Key (DNSKEY), Resource Record Signature
(RRSIG), Next Secure (NSEC), and Delegation Signer (DS). This
document defines the purpose of each resource record (RR), the RR's
RDATA format, and its presentation format (ASCII representation).
1.1 Background and Related Documents

This document is part of a family of documents that define DNSSEC,
which should be read together as a set.

[I-D.ietf-dnsext-dnssec-intro] contains an introduction to DNSSEC and
definition of common terms; the reader is assumed to be familiar with
this document. [I-D.ietf-dnsext-dnssec-intro] also contains a list
of other documents updated by and obsoleted by this document set.

[I-D.ietf-dnsext-dnssec-protocol] defines the DNSSEC protocol
operations.

The reader is also assumed to be familiar with the basic DNS concepts
described in [RFC1034], [RFC1035], and the subsequent documents that
update them, particularly [RFC2181] and [RFC2308].

This document defines the DNSSEC resource records.

-11 only: All numeric DNS type codes given in this document are decimal
integers.

1.2 Reserved Words

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
2. The DNSKEY Resource Record

DNSSEC uses public key cryptography to sign and authenticate DNS
resource record sets (RRsets). The public keys are stored in DNSKEY
resource records and are used in the DNSSEC authentication process
described in [I-D.ietf-dnsext-dnssec-protocol]: A zone signs its
authoritative RRsets using a private key and stores the corresponding
public key in a DNSKEY RR.
-10: A resolver can then use the public key to authenticate signatures
covering the RRsets in the zone.
-11: A resolver can then use the public key to validate signatures
covering the RRsets in the zone, and thus authenticate them.

The DNSKEY RR is not intended as a record for storing arbitrary
public keys and MUST NOT be used to store certificates or public keys
that do not directly relate to the DNS infrastructure.

The Type value for the DNSKEY RR type is 48.

The DNSKEY RR is class independent.

The DNSKEY RR has no special TTL requirements.
skipping to change at page 12, line 30

decimal integer or as an algorithm mnemonic as specified in Appendix
A.1.

The Labels field value MUST be represented as an unsigned decimal
integer.

The Original TTL field value MUST be represented as an unsigned
decimal integer.

-10: The Signature Expiration Time and Inception Time field values MUST be
represented either as seconds since 1 January 1970 00:00:00 UTC or in
the form YYYYMMDDHHmmSS in UTC, where:

-11: The Signature Expiration Time and Inception Time field values MUST be
represented either as an unsigned decimal integer indicating seconds
since 1 January 1970 00:00:00 UTC, or in the form YYYYMMDDHHmmSS in
UTC, where:

   YYYY is the year (0001-9999, but see Section 3.1.5);
   MM is the month number (01-12);
   DD is the day of the month (01-31);
   HH is the hour in 24 hours notation (00-23);
   mm is the minute (00-59); and
   SS is the second (00-59).

-11 only: Note that it is always possible to distinguish between these two
formats, because the YYYYMMDDHHmmSS format will always be exactly 14
digits, while the decimal representation of a 32-bit unsigned integer
can never be longer than 10 digits.

The Key Tag field MUST be represented as an unsigned decimal integer.

The Signer's Name field value MUST be represented as a domain name.

The Signature field is represented as a Base64 encoding of the
signature. Whitespace is allowed within the Base64 text. See
Section 2.2.
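To make the presentation rules above concrete, here is an added example (not part of the draft) that parses RRSIG presentation-format RDATA into its fields, telling the two time representations apart by digit count exactly as the -11 text describes and re-joining whitespace inside the Base64 signature. The algorithm mnemonic table and the sample record are assumptions constructed for this example.

```python
import base64
import calendar
import datetime

# Algorithm mnemonics from Appendix A; this mapping is assumed for the
# example, since the excerpt above only references Appendix A.1.
ALGORITHM_MNEMONICS = {"RSAMD5": 1, "DH": 2, "DSA": 3, "ECC": 4, "RSASHA1": 5}


def parse_sig_time(text):
    """Convert an Expiration/Inception field to unsigned 32-bit epoch seconds.
    Section 3.2 allows decimal seconds since 1970-01-01 00:00:00 UTC or the
    calendar form YYYYMMDDHHmmSS; the calendar form is always 14 digits and
    a 32-bit decimal never exceeds 10, so the length decides."""
    if not text.isdigit():
        raise ValueError("time field must be decimal digits: %r" % text)
    if len(text) == 14:
        year, month, day = int(text[0:4]), int(text[4:6]), int(text[6:8])
        hour, minute, second = int(text[8:10]), int(text[10:12]), int(text[12:14])
        # datetime enforces the Section 3.2 ranges (year 0001-9999, valid
        # month/day/time) and rejects impossible dates such as 30 February.
        moment = datetime.datetime(year, month, day, hour, minute, second)
        seconds = calendar.timegm(moment.timetuple())
    elif len(text) <= 10:
        seconds = int(text)
    else:
        raise ValueError("11-13 digits is neither presentation form: %r" % text)
    if not 0 <= seconds <= 0xFFFFFFFF:
        # The wire field is 32 bits, so a calendar date outside 1970-2106
        # cannot be encoded even though the YYYY range nominally permits it.
        raise ValueError("time does not fit a 32-bit field: %r" % text)
    return seconds


def parse_rrsig_rdata(rdata_text):
    """Parse the RDATA portion of an RRSIG presentation-format record."""
    fields = rdata_text.split()
    if len(fields) < 9:
        raise ValueError("RRSIG RDATA needs eight fields plus a signature")
    type_covered, algorithm, labels, ttl, expiration, inception, key_tag, signer = fields[:8]
    # Section 3.2: the algorithm may be a decimal number or a mnemonic.
    alg_number = int(algorithm) if algorithm.isdigit() else ALGORITHM_MNEMONICS[algorithm.upper()]
    # Section 3.2: whitespace is allowed inside the Base64 text, so rejoin it.
    signature = base64.b64decode("".join(fields[8:]), validate=True)
    return {
        "type_covered": type_covered,
        "algorithm": alg_number,
        "labels": int(labels),
        "original_ttl": int(ttl),
        "expiration": parse_sig_time(expiration),
        "inception": parse_sig_time(inception),
        "key_tag": int(key_tag),
        "signer": signer,
        "signature": signature,
    }


# Constructed sample: the times are the two drafts' own dates, one in each
# presentation form; the signature bytes are placeholder data, not a real signature.
SAMPLE_RRSIG_RDATA = ("A 5 2 86400 20041010000000 1095638400 2642 example.com. "
                      "AQID BAUG")
```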
3.3 RRSIG RR Example
skipping to change at page 14, line 32

See [I-D.ietf-dnsext-dnssec-protocol] for discussion of how a zone
signer determines precisely which NSEC RRs it needs to include in a
zone.

The type value for the NSEC RR is 47.

The NSEC RR is class independent.

-10: The NSEC RR SHOULD have the same TTL value as the SOA minimum TTL
field. This is in the spirit of negative caching [RFC2308].
-11: The NSEC RR SHOULD have the same TTL value as the SOA minimum TTL
field. This is in the spirit of negative caching ([RFC2308]).

4.1 NSEC RDATA Wire Format

The RDATA of the NSEC RR is as shown below:

                        1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   /                      Next Domain Name                         /
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
skipping to change at page 23, line 33

security protocol described in [RFC2931] and the transaction KEY
Resource Record described in [RFC2930].

DNS Security Algorithm Numbers: [RFC2535] created an IANA registry
for DNSSEC Resource Record Algorithm field numbers, and assigned
values 1-4 and 252-255. [RFC3110] assigned value 5. [RFC3755]
altered this registry to include flags for each entry regarding
its use with the DNS security extensions. Each algorithm entry
could refer to an algorithm that can be used for zone signing,
transaction security (see [RFC2931]) or both.
-10: Values 6-251 are available for assignment by IETF standards action
[RFC3755].
-11: Values 6-251 are available for assignment by IETF standards action
([RFC3755]).
See Appendix A for a full listing of the DNS Security Algorithm
Numbers entries at the time of writing and their status of use in
DNSSEC.

[RFC3658] created an IANA registry for DNSSEC DS Digest Types, and
assigned value 0 to reserved and value 1 to SHA-1.

KEY Protocol Values: [RFC2535] created an IANA Registry for KEY
Protocol Values, but [RFC3445] re-assigned all values other than 3
to reserved and closed this IANA registry. The registry remains
closed, and all KEY and DNSKEY records are required to have
Protocol Octet value of 3.

Flag bits in the KEY and DNSKEY RRs: [RFC3755] created an IANA
registry for the DNSSEC KEY and DNSKEY RR flag bits.
-10: Initially, this registry only contains an assignment for bit 7
(the ZONE bit) and a reservation for bit 15 for the Secure Entry
Point flag (SEP bit) [RFC3757]. As also stated in [RFC3755], bits
0-6 and 8-14 are available for assignment by IETF Standards Action.
-11: Initially, this registry only contains assignments for bit 7
(the ZONE bit) and bit 15 (the Secure Entry Point flag (SEP) bit,
see [RFC3757]). As also stated in [RFC3755], bits 0-6 and 8-14 are
available for assignment by IETF Standards Action.
8. Security Considerations

This document describes the format of four DNS resource records used
by the DNS security extensions, and presents an algorithm for
calculating a key tag for a public key. Other than the items
described below, the resource records themselves introduce no
security considerations. Please see [I-D.ietf-dnsext-dnssec-intro]
and [I-D.ietf-dnsext-dnssec-protocol] for additional security
considerations related to the use of these records.

skipping to change at page 24, line 31

algorithm is SHA-1, and the working group believes that constructing
a public key which would match the algorithm, key tag, and SHA-1
digest given in a DS record would be a sufficiently difficult problem
that such an attack is not a serious threat at this time.

The key tag is used to help select DNSKEY resource records
efficiently, but it does not uniquely identify a single DNSKEY
resource record. It is possible for two distinct DNSKEY RRs to have
the same owner name, the same algorithm type, and the same key tag.
An implementation which uses only the key tag to select a DNSKEY RR
might select the wrong public key in some circumstances.
-11 adds: Please see Appendix B for further details.
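As an added example (not part of the draft), the following code computes the key tag as Appendix B defines it, with the separate Appendix B.1 rule for RSA/MD5, and then shows why a validator must treat the (owner name, algorithm, key tag) triple as a filter rather than a unique identifier: two constructed keys whose public-key bytes differ only in word order get the same key tag, so the lookup returns both and the signature has to be tried against each. The DNSKEY model, helper names and sample keys are assumptions of this example.

```python
import struct
from collections import namedtuple

# Minimal DNSKEY model for the example: owner name plus the four RDATA fields.
DNSKEY = namedtuple("DNSKEY", "owner flags protocol algorithm public_key")


def dnskey_rdata(key):
    """Wire-format RDATA: Flags (16 bits), Protocol (8), Algorithm (8), Public Key."""
    return struct.pack("!HBB", key.flags, key.protocol, key.algorithm) + key.public_key


def key_tag(key):
    """Key tag over the DNSKEY RDATA as defined in Appendix B of the draft."""
    rdata = dnskey_rdata(key)
    if key.algorithm == 1:
        # Appendix B.1: RSA/MD5 keys instead use the most significant 16 bits
        # of the least significant 24 bits of the modulus, i.e. the two bytes
        # just before the last byte of the RDATA.
        return struct.unpack("!H", rdata[-3:-1])[0]
    total = 0
    for i, octet in enumerate(rdata):
        # Even offsets are high bytes of 16-bit words, odd offsets low bytes.
        total += octet << 8 if i % 2 == 0 else octet
    total += (total >> 16) & 0xFFFF      # fold the carry back in once
    return total & 0xFFFF


def candidate_keys(keys, owner, algorithm, tag):
    """Every DNSKEY matching (owner, algorithm, key tag); a validator must try
    the signature against each one, because the tag is not unique."""
    owner = owner.lower()
    return [k for k in keys
            if k.owner.lower() == owner and k.algorithm == algorithm and key_tag(k) == tag]


# Constructed sample keys, not real key material: the two ZONE keys (flag
# bit 7 set, value 256; protocol 3 as required) have the same 16-bit words
# in a different order, so their sums, and hence their key tags, coincide.
KEY_A = DNSKEY("example.com.", 256, 3, 5, bytes([1, 2, 3, 4]))
KEY_B = DNSKEY("example.com.", 256, 3, 5, bytes([3, 4, 1, 2]))
KEY_C = DNSKEY("example.com.", 256, 3, 5, bytes([0xFF, 0xFF, 0xFF, 0xFF]))
ZONE_KEYS = [KEY_A, KEY_B, KEY_C]

if __name__ == "__main__":
    tag = key_tag(KEY_A)
    matches = candidate_keys(ZONE_KEYS, "EXAMPLE.com.", 5, tag)
    print("key tag %d matches %d distinct DNSKEY RRs" % (tag, len(matches)))
```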
The table of algorithms in Appendix A and the key tag calculation
algorithms in Appendix B include the RSA/MD5 algorithm for
completeness, but the RSA/MD5 algorithm is NOT RECOMMENDED, as
explained in [RFC3110].
9. Acknowledgments

This document was created from the input and ideas of the members of
the DNS Extensions Working Group and working group mailing list. The
End of changes. 14 change blocks. 19 lines changed or deleted; 30 lines changed or added.

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/