| < draft-ietf-dnsext-dnssec-records-10.txt | draft-ietf-dnsext-dnssec-records-11.txt > |
|---|---|
| DNS Extensions R. Arends | DNS Extensions R. Arends |
| Internet-Draft Telematica Instituut | Internet-Draft Telematica Instituut |
| Expires: March 21, 2005 R. Austein | Expires: April 10, 2005 R. Austein |
| ISC | ISC |
| M. Larson | M. Larson |
| VeriSign | VeriSign |
| D. Massey | D. Massey |
| USC/ISI | USC/ISI |
| S. Rose | S. Rose |
| NIST | NIST |
| September 20, 2004 | October 10, 2004 |
| Resource Records for the DNS Security Extensions | Resource Records for the DNS Security Extensions |
| draft-ietf-dnsext-dnssec-records-10 | draft-ietf-dnsext-dnssec-records-11 |
| Status of this Memo | Status of this Memo |
| This document is an Internet-Draft and is subject to all provisions | This document is an Internet-Draft and is subject to all provisions |
| of section 3 of RFC 3667. By submitting this Internet-Draft, each | of section 3 of RFC 3667. By submitting this Internet-Draft, each |
| author represents that any applicable patent or other IPR claims of | author represents that any applicable patent or other IPR claims of |
| which he or she is aware have been or will be disclosed, and any of | which he or she is aware have been or will be disclosed, and any of |
| which he or she become aware will be disclosed, in accordance with | which he or she become aware will be disclosed, in accordance with |
| RFC 3668. | RFC 3668. |
| skipping to change at page 1, line 43 | skipping to change at page 1, line 43 |
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any |
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference |
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." |
| The list of current Internet-Drafts can be accessed at | The list of current Internet-Drafts can be accessed at |
| http://www.ietf.org/ietf/1id-abstracts.txt. | http://www.ietf.org/ietf/1id-abstracts.txt. |
| The list of Internet-Draft Shadow Directories can be accessed at | The list of Internet-Draft Shadow Directories can be accessed at |
| http://www.ietf.org/shadow.html. | http://www.ietf.org/shadow.html. |
| This Internet-Draft will expire on March 21, 2005. | This Internet-Draft will expire on April 10, 2005. |
| Copyright Notice | Copyright Notice |
| Copyright (C) The Internet Society (2004). | Copyright (C) The Internet Society (2004). |
| Abstract | Abstract |
| This document is part of a family of documents that describes the DNS | This document is part of a family of documents that describes the DNS |
| Security Extensions (DNSSEC). The DNS Security Extensions are a | Security Extensions (DNSSEC). The DNS Security Extensions are a |
| collection of resource records and protocol modifications that | collection of resource records and protocol modifications that |
| provide source authentication for the DNS. This document defines the | provide source authentication for the DNS. This document defines the |
| skipping to change at page 2, line 41 | skipping to change at page 2, line 41 |
| 3.1 RRSIG RDATA Wire Format . . . . . . . . . . . . . . . . . 8 | 3.1 RRSIG RDATA Wire Format . . . . . . . . . . . . . . . . . 8 |
| 3.1.1 The Type Covered Field . . . . . . . . . . . . . . . . 9 | 3.1.1 The Type Covered Field . . . . . . . . . . . . . . . . 9 |
| 3.1.2 The Algorithm Number Field . . . . . . . . . . . . . . 9 | 3.1.2 The Algorithm Number Field . . . . . . . . . . . . . . 9 |
| 3.1.3 The Labels Field . . . . . . . . . . . . . . . . . . . 9 | 3.1.3 The Labels Field . . . . . . . . . . . . . . . . . . . 9 |
| 3.1.4 Original TTL Field . . . . . . . . . . . . . . . . . . 10 | 3.1.4 Original TTL Field . . . . . . . . . . . . . . . . . . 10 |
| 3.1.5 Signature Expiration and Inception Fields . . . . . . 10 | 3.1.5 Signature Expiration and Inception Fields . . . . . . 10 |
| 3.1.6 The Key Tag Field . . . . . . . . . . . . . . . . . . 10 | 3.1.6 The Key Tag Field . . . . . . . . . . . . . . . . . . 10 |
| 3.1.7 The Signer's Name Field . . . . . . . . . . . . . . . 11 | 3.1.7 The Signer's Name Field . . . . . . . . . . . . . . . 11 |
| 3.1.8 The Signature Field . . . . . . . . . . . . . . . . . 11 | 3.1.8 The Signature Field . . . . . . . . . . . . . . . . . 11 |
| 3.2 The RRSIG RR Presentation Format . . . . . . . . . . . . . 12 | 3.2 The RRSIG RR Presentation Format . . . . . . . . . . . . . 12 |
| 3.3 RRSIG RR Example . . . . . . . . . . . . . . . . . . . . . 12 | 3.3 RRSIG RR Example . . . . . . . . . . . . . . . . . . . . . 13 |
| 4. The NSEC Resource Record . . . . . . . . . . . . . . . . . . . 14 | 4. The NSEC Resource Record . . . . . . . . . . . . . . . . . . . 14 |
| 4.1 NSEC RDATA Wire Format . . . . . . . . . . . . . . . . . . 14 | 4.1 NSEC RDATA Wire Format . . . . . . . . . . . . . . . . . . 14 |
| 4.1.1 The Next Domain Name Field . . . . . . . . . . . . . . 14 | 4.1.1 The Next Domain Name Field . . . . . . . . . . . . . . 14 |
| 4.1.2 The Type Bit Maps Field . . . . . . . . . . . . . . . 15 | 4.1.2 The Type Bit Maps Field . . . . . . . . . . . . . . . 15 |
| 4.1.3 Inclusion of Wildcard Names in NSEC RDATA . . . . . . 16 | 4.1.3 Inclusion of Wildcard Names in NSEC RDATA . . . . . . 16 |
| 4.2 The NSEC RR Presentation Format . . . . . . . . . . . . . 16 | 4.2 The NSEC RR Presentation Format . . . . . . . . . . . . . 16 |
| 4.3 NSEC RR Example . . . . . . . . . . . . . . . . . . . . . 16 | 4.3 NSEC RR Example . . . . . . . . . . . . . . . . . . . . . 16 |
| 5. The DS Resource Record . . . . . . . . . . . . . . . . . . . . 18 | 5. The DS Resource Record . . . . . . . . . . . . . . . . . . . . 18 |
| 5.1 DS RDATA Wire Format . . . . . . . . . . . . . . . . . . . 18 | 5.1 DS RDATA Wire Format . . . . . . . . . . . . . . . . . . . 18 |
| 5.1.1 The Key Tag Field . . . . . . . . . . . . . . . . . . 19 | 5.1.1 The Key Tag Field . . . . . . . . . . . . . . . . . . 19 |
| skipping to change at page 4, line 8 | skipping to change at page 4, line 8 |
| A.1 DNSSEC Algorithm Types . . . . . . . . . . . . . . . . . . 29 | A.1 DNSSEC Algorithm Types . . . . . . . . . . . . . . . . . . 29 |
| A.1.1 Private Algorithm Types . . . . . . . . . . . . . . . 29 | A.1.1 Private Algorithm Types . . . . . . . . . . . . . . . 29 |
| A.2 DNSSEC Digest Types . . . . . . . . . . . . . . . . . . . 30 | A.2 DNSSEC Digest Types . . . . . . . . . . . . . . . . . . . 30 |
| B. Key Tag Calculation . . . . . . . . . . . . . . . . . . . . . 31 | B. Key Tag Calculation . . . . . . . . . . . . . . . . . . . . . 31 |
| B.1 Key Tag for Algorithm 1 (RSA/MD5) . . . . . . . . . . . . 32 | B.1 Key Tag for Algorithm 1 (RSA/MD5) . . . . . . . . . . . . 32 |
| Intellectual Property and Copyright Statements . . . . . . . . 33 | Intellectual Property and Copyright Statements . . . . . . . . 33 |
| 1. Introduction | 1. Introduction |
| The DNS Security Extensions (DNSSEC) introduce four new DNS resource | The DNS Security Extensions (DNSSEC) introduce four new DNS resource |
| record types: DNSKEY, RRSIG, NSEC, and DS. This document defines the | record types: DNS Public Key (DNSKEY), Resource Record Signature |
| purpose of each resource record (RR), the RR's RDATA format, and its | (RRSIG), Next Secure (NSEC), and Delegation Signer (DS). This |
| presentation format (ASCII representation). | document defines the purpose of each resource record (RR), the RR's |
| | RDATA format, and its presentation format (ASCII representation). |
| 1.1 Background and Related Documents | 1.1 Background and Related Documents |
| This document is part of a family of documents that define DNSSEC, | This document is part of a family of documents that define DNSSEC, |
| which should be read together as a set. | which should be read together as a set. |
| [I-D.ietf-dnsext-dnssec-intro] contains an introduction to DNSSEC and | [I-D.ietf-dnsext-dnssec-intro] contains an introduction to DNSSEC and |
| definition of common terms; the reader is assumed to be familiar with | definition of common terms; the reader is assumed to be familiar with |
| this document. [I-D.ietf-dnsext-dnssec-intro] also contains a list | this document. [I-D.ietf-dnsext-dnssec-intro] also contains a list |
| of other documents updated by and obsoleted by this document set. | of other documents updated by and obsoleted by this document set. |
| [I-D.ietf-dnsext-dnssec-protocol] defines the DNSSEC protocol | [I-D.ietf-dnsext-dnssec-protocol] defines the DNSSEC protocol |
| operations. | operations. |
| The reader is also assumed to be familiar with the basic DNS concepts | The reader is also assumed to be familiar with the basic DNS concepts |
| described in [RFC1034], [RFC1035], and the subsequent documents that | described in [RFC1034], [RFC1035], and the subsequent documents that |
| update them, particularly [RFC2181] and [RFC2308]. | update them, particularly [RFC2181] and [RFC2308]. |
| This document defines the DNSSEC resource records. | This document defines the DNSSEC resource records. |
| | All numeric DNS type codes given in this document are decimal |
| | integers. |
| 1.2 Reserved Words | 1.2 Reserved Words |
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", |
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this |
| document are to be interpreted as described in [RFC2119]. | document are to be interpreted as described in [RFC2119]. |
| 2. The DNSKEY Resource Record | 2. The DNSKEY Resource Record |
| DNSSEC uses public key cryptography to sign and authenticate DNS | DNSSEC uses public key cryptography to sign and authenticate DNS |
| resource record sets (RRsets). The public keys are stored in DNSKEY | resource record sets (RRsets). The public keys are stored in DNSKEY |
| resource records and are used in the DNSSEC authentication process | resource records and are used in the DNSSEC authentication process |
| described in [I-D.ietf-dnsext-dnssec-protocol]: A zone signs its | described in [I-D.ietf-dnsext-dnssec-protocol]: A zone signs its |
| authoritative RRsets using a private key and stores the corresponding | authoritative RRsets using a private key and stores the corresponding |
| public key in a DNSKEY RR. A resolver can then use the public key to | public key in a DNSKEY RR. A resolver can then use the public key to |
| authenticate signatures covering the RRsets in the zone. | validate signatures covering the RRsets in the zone, and thus |
| | authenticate them. |
| The DNSKEY RR is not intended as a record for storing arbitrary | The DNSKEY RR is not intended as a record for storing arbitrary |
| public keys and MUST NOT be used to store certificates or public keys | public keys and MUST NOT be used to store certificates or public keys |
| that do not directly relate to the DNS infrastructure. | that do not directly relate to the DNS infrastructure. |
| The Type value for the DNSKEY RR type is 48. | The Type value for the DNSKEY RR type is 48. |
| The DNSKEY RR is class independent. | The DNSKEY RR is class independent. |
| The DNSKEY RR has no special TTL requirements. | The DNSKEY RR has no special TTL requirements. |
| skipping to change at page 12, line 30 | skipping to change at page 12, line 30 |
| decimal integer or as an algorithm mnemonic as specified in Appendix | decimal integer or as an algorithm mnemonic as specified in Appendix |
| A.1. | A.1. |
| The Labels field value MUST be represented as an unsigned decimal | The Labels field value MUST be represented as an unsigned decimal |
| integer. | integer. |
| The Original TTL field value MUST be represented as an unsigned | The Original TTL field value MUST be represented as an unsigned |
| decimal integer. | decimal integer. |
| The Signature Expiration Time and Inception Time field values MUST be | The Signature Expiration Time and Inception Time field values MUST be |
| represented either as seconds since 1 January 1970 00:00:00 UTC or in | represented either as an unsigned decimal integer indicating seconds |
| the form YYYYMMDDHHmmSS in UTC, where: | since 1 January 1970 00:00:00 UTC, or in the form YYYYMMDDHHmmSS in |
| | UTC, where: |
| YYYY is the year (0001-9999, but see Section 3.1.5); | YYYY is the year (0001-9999, but see Section 3.1.5); |
| MM is the month number (01-12); | MM is the month number (01-12); |
| DD is the day of the month (01-31); | DD is the day of the month (01-31); |
| HH is the hour in 24 hours notation (00-23); | HH is the hour in 24 hours notation (00-23); |
| mm is the minute (00-59); and | mm is the minute (00-59); and |
| SS is the second (00-59). | SS is the second (00-59). |
| | Note that it is always be possible to distinguish between these two |
| | formats, because the YYYYMMDDHHmmSS format will always be exactly 14 |
| | digits, while the decimal representation of a 32-bit unsigned integer |
| | can never be longer than 10 digits. |
| The Key Tag field MUST be represented as an unsigned decimal integer. | The Key Tag field MUST be represented as an unsigned decimal integer. |
| The Signer's Name field value MUST be represented as a domain name. | The Signer's Name field value MUST be represented as a domain name. |
| The Signature field is represented as a Base64 encoding of the | The Signature field is represented as a Base64 encoding of the |
| signature. Whitespace is allowed within the Base64 text. See | signature. Whitespace is allowed within the Base64 text. See |
| Section 2.2. | Section 2.2. |
| 3.3 RRSIG RR Example | 3.3 RRSIG RR Example |
| skipping to change at page 14, line 32 | skipping to change at page 14, line 32 |
| See [I-D.ietf-dnsext-dnssec-protocol] for discussion of how a zone | See [I-D.ietf-dnsext-dnssec-protocol] for discussion of how a zone |
| signer determines precisely which NSEC RRs it needs to include in a | signer determines precisely which NSEC RRs it needs to include in a |
| zone. | zone. |
| The type value for the NSEC RR is 47. | The type value for the NSEC RR is 47. |
| The NSEC RR is class independent. | The NSEC RR is class independent. |
| The NSEC RR SHOULD have the same TTL value as the SOA minimum TTL | The NSEC RR SHOULD have the same TTL value as the SOA minimum TTL |
| field. This is in the spirit of negative caching [RFC2308]. | field. This is in the spirit of negative caching ([RFC2308]). |
| 4.1 NSEC RDATA Wire Format | 4.1 NSEC RDATA Wire Format |
| The RDATA of the NSEC RR is as shown below: | The RDATA of the NSEC RR is as shown below: |
| 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 | 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 |
| 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 |
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| / Next Domain Name / | / Next Domain Name / |
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| skipping to change at page 23, line 33 | skipping to change at page 23, line 33 |
| security protocol described in [RFC2931] and the transaction KEY | security protocol described in [RFC2931] and the transaction KEY |
| Resource Record described in [RFC2930]. | Resource Record described in [RFC2930]. |
| DNS Security Algorithm Numbers: [RFC2535] created an IANA registry | DNS Security Algorithm Numbers: [RFC2535] created an IANA registry |
| for DNSSEC Resource Record Algorithm field numbers, and assigned | for DNSSEC Resource Record Algorithm field numbers, and assigned |
| values 1-4 and 252-255. [RFC3110] assigned value 5. [RFC3755] | values 1-4 and 252-255. [RFC3110] assigned value 5. [RFC3755] |
| altered this registry to include flags for each entry regarding | altered this registry to include flags for each entry regarding |
| its use with the DNS security extensions. Each algorithm entry | its use with the DNS security extensions. Each algorithm entry |
| could refer to an algorithm that can be used for zone signing, | could refer to an algorithm that can be used for zone signing, |
| transaction security (see [RFC2931]) or both. Values 6-251 are | transaction security (see [RFC2931]) or both. Values 6-251 are |
| available for assignment by IETF standards action [RFC3755]. See | available for assignment by IETF standards action ([RFC3755]). |
| Appendix A for a full listing of the DNS Security Algorithm | See Appendix A for a full listing of the DNS Security Algorithm |
| Numbers entries at the time of writing and their status of use in | Numbers entries at the time of writing and their status of use in |
| DNSSEC. | DNSSEC. |
| [RFC3658] created an IANA registry for DNSSEC DS Digest Types, and | [RFC3658] created an IANA registry for DNSSEC DS Digest Types, and |
| assigned value 0 to reserved and value 1 to SHA-1. | assigned value 0 to reserved and value 1 to SHA-1. |
| KEY Protocol Values: [RFC2535] created an IANA Registry for KEY | KEY Protocol Values: [RFC2535] created an IANA Registry for KEY |
| Protocol Values, but [RFC3445] re-assigned all values other than 3 | Protocol Values, but [RFC3445] re-assigned all values other than 3 |
| to reserved and closed this IANA registry. The registry remains | to reserved and closed this IANA registry. The registry remains |
| closed, and all KEY and DNSKEY records are required to have | closed, and all KEY and DNSKEY records are required to have |
| Protocol Octet value of 3. | Protocol Octet value of 3. |
| Flag bits in the KEY and DNSKEY RRs: [RFC3755] created an IANA | Flag bits in the KEY and DNSKEY RRs: [RFC3755] created an IANA |
| registry for the DNSSEC KEY and DNSKEY RR flag bits. Initially, | registry for the DNSSEC KEY and DNSKEY RR flag bits. Initially, |
| this registry only contains an assignment for bit 7 (the ZONE bit) | this registry only contains assignments for bit 7 (the ZONE bit) |
| and a reservation for bit 15 for the Secure Entry Point flag (SEP | and bit 15 (the Secure Entry Point flag (SEP) bit, see [RFC3757]). |
| bit) [RFC3757]. As also stated in [RFC3755], bits 0-6 and 8-14 | As also stated in [RFC3755], bits 0-6 and 8-14 are available for |
| are available for assignment by IETF Standards Action. | assignment by IETF Standards Action. |
| 8. Security Considerations | 8. Security Considerations |
| This document describes the format of four DNS resource records used | This document describes the format of four DNS resource records used |
| by the DNS security extensions, and presents an algorithm for | by the DNS security extensions, and presents an algorithm for |
| calculating a key tag for a public key. Other than the items | calculating a key tag for a public key. Other than the items |
| described below, the resource records themselves introduce no | described below, the resource records themselves introduce no |
| security considerations. Please see [I-D.ietf-dnsext-dnssec-intro] | security considerations. Please see [I-D.ietf-dnsext-dnssec-intro] |
| and [I-D.ietf-dnsext-dnssec-protocol] for additional security | and [I-D.ietf-dnsext-dnssec-protocol] for additional security |
| considerations related to the use of these records. | considerations related to the use of these records. |
| skipping to change at page 24, line 31 | skipping to change at page 24, line 31 |
| algorithm is SHA-1, and the working group believes that constructing | algorithm is SHA-1, and the working group believes that constructing |
| a public key which would match the algorithm, key tag, and SHA-1 | a public key which would match the algorithm, key tag, and SHA-1 |
| digest given in a DS record would be a sufficiently difficult problem | digest given in a DS record would be a sufficiently difficult problem |
| that such an attack is not a serious threat at this time. | that such an attack is not a serious threat at this time. |
| The key tag is used to help select DNSKEY resource records | The key tag is used to help select DNSKEY resource records |
| efficiently, but it does not uniquely identify a single DNSKEY | efficiently, but it does not uniquely identify a single DNSKEY |
| resource record. It is possible for two distinct DNSKEY RRs to have | resource record. It is possible for two distinct DNSKEY RRs to have |
| the same owner name, the same algorithm type, and the same key tag. | the same owner name, the same algorithm type, and the same key tag. |
| An implementation which uses only the key tag to select a DNSKEY RR | An implementation which uses only the key tag to select a DNSKEY RR |
| might select the wrong public key in some circumstances. | might select the wrong public key in some circumstances. Please see |
| | Appendix B for further details. |
| The table of algorithms in Appendix A and the key tag calculation | The table of algorithms in Appendix A and the key tag calculation |
| algorithms in Appendix B include the RSA/MD5 algorithm for | algorithms in Appendix B include the RSA/MD5 algorithm for |
| completeness, but the RSA/MD5 algorithm is NOT RECOMMENDED, as | completeness, but the RSA/MD5 algorithm is NOT RECOMMENDED, as |
| explained in [RFC3110]. | explained in [RFC3110]. |
| 9. Acknowledgments | 9. Acknowledgments |
| This document was created from the input and ideas of the members of | This document was created from the input and ideas of the members of |
| the DNS Extensions Working Group and working group mailing list. The | the DNS Extensions Working Group and working group mailing list. The |
| End of changes. 14 change blocks. | |
| 19 lines changed or deleted | 30 lines changed or added |

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/
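The Section 3.2 rule shown in the right-hand column (an Expiration or Inception field is either a decimal count of seconds or a 14-digit YYYYMMDDHHmmSS value, and the two are told apart by length) as a worked parser. This is an added example, not text or code from the draft; the sample field values are constructed, and reducing out-of-range calendar dates modulo 2**32 is this example's reading of the 32-bit wire field described in Section 3.1.5.

```python
"""RRSIG Expiration/Inception presentation-format parsing.

Added example, not from the draft. Implements the Section 3.2 rule: the
field is either an unsigned decimal count of seconds since
1 January 1970 00:00:00 UTC or a 14-digit YYYYMMDDHHmmSS value in UTC.
The forms are distinguished by length alone: a 32-bit unsigned integer
never needs more than 10 decimal digits, the calendar form is always 14.
"""
import re
from datetime import datetime, timedelta, timezone

SECONDS_FORM = re.compile(r"[0-9]{1,10}")
CALENDAR_FORM = re.compile(r"[0-9]{14}")
UINT32_MAX = 0xFFFFFFFF
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def parse_rrsig_time(field: str) -> int:
    """Return the 32-bit wire value for one Expiration or Inception field.

    Raises ValueError when the text is neither form, when a decimal value
    does not fit in 32 bits, or when a calendar value is not a real UTC
    date (the draft lists DD as 01-31, but 20040230000000 is still not a
    date, and datetime rejects it).
    """
    if CALENDAR_FORM.fullmatch(field):
        year = int(field[:4])                                    # YYYY, 0001-9999
        parts = [int(field[i:i + 2]) for i in range(4, 14, 2)]  # MM DD HH mm SS
        # datetime enforces the listed ranges: month 01-12, a day valid for
        # that month, hour 00-23, minute 00-59, second 00-59 (no leap second).
        moment = datetime(year, *parts, tzinfo=timezone.utc)
        seconds = (moment - EPOCH) // timedelta(seconds=1)
        # Section 3.1.5 makes the wire field a 32-bit unsigned count under
        # serial-number arithmetic; years outside 1970-2106 are therefore
        # reduced modulo 2**32 here (this example's interpretation).
        return seconds % (UINT32_MAX + 1)
    if SECONDS_FORM.fullmatch(field):
        seconds = int(field)
        if seconds > UINT32_MAX:
            raise ValueError(f"{field!r} does not fit in 32 bits")
        return seconds
    raise ValueError(f"{field!r} is neither a 1-10 digit count nor YYYYMMDDHHmmSS")


def to_presentation(wire_value: int) -> str:
    """Render a 32-bit wire value in the YYYYMMDDHHmmSS form for display."""
    if not 0 <= wire_value <= UINT32_MAX:
        raise ValueError("wire value must be an unsigned 32-bit integer")
    return (EPOCH + timedelta(seconds=wire_value)).strftime("%Y%m%d%H%M%S")


if __name__ == "__main__":
    # Constructed sample values: the same instant in both forms, then the
    # largest count that still fits the 32-bit field.
    for sample in ("20040915120000", "1095249600", "4294967295"):
        wire = parse_rrsig_time(sample)
        print(f"{sample:>14} -> {wire} -> {to_presentation(wire)}")
```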
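The key tag caveat from the Security Considerations (two distinct DNSKEY RRs can share owner name, algorithm and key tag, so selecting by key tag alone can pick the wrong key), as an added example that is not from the draft. key_tag() follows the draft's Appendix B algorithm, which this diff references but does not reproduce; the DNSKEY records are constructed sample data, not real key material.

```python
"""Key tag selection and its non-uniqueness (Security Considerations).

Added example, not code from the draft. key_tag() is the Appendix B
algorithm for every algorithm other than 1 (RSA/MD5), computed over the
whole DNSKEY RDATA: 2-octet Flags, 1-octet Protocol (always 3, per the
IANA Considerations above), 1-octet Algorithm, then the public key.
"""
from dataclasses import dataclass


def key_tag(rdata: bytes) -> int:
    """Sum the RDATA as big-endian 16-bit words (a trailing odd octet is the
    high half of a word), fold the carry back in once, keep the low 16 bits."""
    if len(rdata) < 4:
        raise ValueError("DNSKEY RDATA is at least 4 octets")
    if rdata[3] == 1:
        # Algorithm 1 (RSA/MD5) has a legacy rule in Appendix B.1 that this
        # example deliberately leaves out; the draft marks it NOT RECOMMENDED.
        raise ValueError("algorithm 1 uses the Appendix B.1 key tag rule")
    ac = 0
    for i, octet in enumerate(rdata):
        ac += octet if i & 1 else octet << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


@dataclass(frozen=True)
class DNSKEY:
    owner: str          # owner name, matched against the RRSIG Signer's Name
    flags: int          # 256 = bit 7 (ZONE) set; 257 = ZONE plus bit 15 (SEP)
    algorithm: int      # 5 = the value assigned by [RFC3110]
    public_key: bytes

    @property
    def rdata(self) -> bytes:
        return self.flags.to_bytes(2, "big") + bytes([3, self.algorithm]) + self.public_key

    @property
    def tag(self) -> int:
        return key_tag(self.rdata)


def candidate_keys(keys, signer_name: str, algorithm: int, tag: int) -> list:
    """Every DNSKEY an RRSIG's (Signer's Name, Algorithm, Key Tag) points at.

    The draft's caveat in code: the key tag only narrows the search, so a
    validator keeps all matches and attempts the signature with each one;
    taking the first match can select the wrong public key.
    """
    name = signer_name.rstrip(".").lower()
    return [k for k in keys
            if k.owner.rstrip(".").lower() == name
            and k.algorithm == algorithm and k.tag == tag]


# Constructed collision: KEY_B's public key is KEY_A's with its two 16-bit
# words swapped. The sum in key_tag() is order-independent, so the RDATA
# differ but the key tags are equal.
KEY_A = DNSKEY("example.", 256, 5, bytes.fromhex("01020304"))
KEY_B = DNSKEY("example.", 256, 5, bytes.fromhex("03040102"))
KEY_C = DNSKEY("example.", 257, 5, bytes.fromhex("0a0b0c0d"))
ZONE_KEYS = [KEY_A, KEY_B, KEY_C]

if __name__ == "__main__":
    for k in ZONE_KEYS:
        print(k.owner, k.flags, 3, k.algorithm, k.public_key.hex(), "-> key tag", k.tag)
    hits = candidate_keys(ZONE_KEYS, "EXAMPLE.", 5, KEY_A.tag)
    print(f"key tag {KEY_A.tag} selects {len(hits)} DNSKEY RRs; verify against each")
```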