idnits 2.17.1 draft-ietf-dnsop-rfc2845bis-03.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- == There are 4 instances of lines with non-RFC2606-compliant FQDNs in the document. -- The draft header indicates that this document obsoletes RFC4635, but the abstract doesn't seem to directly say this. It does mention RFC4635 though, so this could be OK. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == Line 410 has weird spacing: '... Signed in ...' == Line 443 has weird spacing: '...AC Data octe...' == Line 715 has weird spacing: '...ptional gss...' == Line 716 has weird spacing: '...ndatory hmac...' == Line 717 has weird spacing: '...ptional hma...' == (3 more instances...) == The document seems to contain a disclaimer for pre-RFC5378 work, but was first submitted on or after 10 November 2008. The disclaimer is usually necessary only for documents that revise or obsolete older RFCs, and that take significant amounts of text from those RFCs. If you can contact all authors of the source material and they are willing to grant the BCP78 rights to the IETF Trust, you can and should remove the disclaimer. Otherwise, the disclaimer is needed and you can ignore this comment. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (March 7, 2019) is 1877 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Possible downref: Non-RFC (?) normative reference: ref. 'FIPS180-4' ** Obsolete normative reference: RFC 2845 (Obsoleted by RFC 8945) ** Obsolete normative reference: RFC 4635 (Obsoleted by RFC 8945) Summary: 2 errors (**), 0 flaws (~~), 9 warnings (==), 3 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Internet Engineering Task Force F. Dupont 3 Internet-Draft S. Morris 4 Obsoletes: 2845, 4635 (if approved) ISC 5 Intended status: Standards Track P. Vixie 6 Expires: September 8, 2019 Farsight 7 D. Eastlake 3rd 8 Huawei 9 O. Gudmundsson 10 CloudFlare 11 B. Wellington 12 Akamai 13 March 7, 2019 15 Secret Key Transaction Authentication for DNS (TSIG) 16 draft-ietf-dnsop-rfc2845bis-03 18 Abstract 20 This document describes a protocol for transaction level 21 authentication using shared secrets and one way hashing. It can be 22 used to authenticate dynamic updates as coming from an approved 23 client, or to authenticate responses as coming from an approved name 24 server. 26 No recommendation is made here for distributing the shared secrets: 27 it is expected that a network administrator will statically configure 28 name servers and clients using some out of band mechanism. 30 This document obsoletes RFC2845 and RFC4635. 32 Status of This Memo 34 This Internet-Draft is submitted in full conformance with the 35 provisions of BCP 78 and BCP 79. 37 Internet-Drafts are working documents of the Internet Engineering 38 Task Force (IETF). Note that other groups may also distribute 39 working documents as Internet-Drafts. The list of current Internet- 40 Drafts is at https://datatracker.ietf.org/drafts/current/. 42 Internet-Drafts are draft documents valid for a maximum of six months 43 and may be updated, replaced, or obsoleted by other documents at any 44 time. It is inappropriate to use Internet-Drafts as reference 45 material or to cite them other than as "work in progress." 47 This Internet-Draft will expire on September 8, 2019. 49 Copyright Notice 51 Copyright (c) 2019 IETF Trust and the persons identified as the 52 document authors. All rights reserved. 54 This document is subject to BCP 78 and the IETF Trust's Legal 55 Provisions Relating to IETF Documents 56 (https://trustee.ietf.org/license-info) in effect on the date of 57 publication of this document. Please review these documents 58 carefully, as they describe your rights and restrictions with respect 59 to this document. Code Components extracted from this document must 60 include Simplified BSD License text as described in Section 4.e of 61 the Trust Legal Provisions and are provided without warranty as 62 described in the Simplified BSD License. 64 This document may contain material from IETF Documents or IETF 65 Contributions published or made publicly available before November 66 10, 2008. The person(s) controlling the copyright in some of this 67 material may not have granted the IETF Trust the right to allow 68 modifications of such material outside the IETF Standards Process. 69 Without obtaining an adequate license from the person(s) controlling 70 the copyright in such materials, this document may not be modified 71 outside the IETF Standards Process, and derivative works of it may 72 not be created outside the IETF Standards Process, except to format 73 it for publication as an RFC or to translate it into languages other 74 than English. 76 Table of Contents 78 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 79 2. Key Words . . . . . . . . . . . . . . . . . . . . . . . . . . 4 80 3. New Assigned Numbers . . . . . . . . . . . . . . . . . . . . 4 81 4. TSIG RR Format . . . . . . . . . . . . . . . . . . . . . . . 5 82 4.1. TSIG RR Type . . . . . . . . . . . . . . . . . . . . . . 5 83 4.2. TSIG Calculation . . . . . . . . . . . . . . . . . . . . 5 84 4.3. TSIG Record Format . . . . . . . . . . . . . . . . . . . 5 85 4.4. Example . . . . . . . . . . . . . . . . . . . . . . . . . 7 86 5. Protocol Operation . . . . . . . . . . . . . . . . . . . . . 7 87 5.1. Effects of Adding TSIG to Outgoing Messages . . . . . . . 8 88 5.2. TSIG Processing on Incoming Messages . . . . . . . . . . 8 89 5.3. Time Values Used in TSIG Calculations . . . . . . . . . . 8 90 5.4. TSIG Variables and Coverage . . . . . . . . . . . . . . . 9 91 5.4.1. DNS Message . . . . . . . . . . . . . . . . . . . . . 9 92 5.4.2. TSIG Variables . . . . . . . . . . . . . . . . . . . 9 93 5.4.3. Request MAC . . . . . . . . . . . . . . . . . . . . . 10 94 5.5. Component Padding . . . . . . . . . . . . . . . . . . . . 10 95 6. Protocol Details . . . . . . . . . . . . . . . . . . . . . . 10 96 6.1. TSIG Generation on Requests . . . . . . . . . . . . . . . 10 97 6.2. TSIG on Answers . . . . . . . . . . . . . . . . . . . . . 10 98 6.3. TSIG on TSIG Error Returns . . . . . . . . . . . . . . . 11 99 6.4. TSIG on Zone Transfer Over a TCP Connection . . . . . . . 11 100 6.5. Server TSIG checks . . . . . . . . . . . . . . . . . . . 12 101 6.5.1. Key Check and Error Handling . . . . . . . . . . . . 12 102 6.5.2. MAC Check and Error Handling . . . . . . . . . . . . 12 103 6.5.3. Time Check and Error Handling . . . . . . . . . . . . 13 104 6.5.4. Truncation Check and Error Handling . . . . . . . . . 13 105 6.6. Client Processing of Answer . . . . . . . . . . . . . . . 14 106 6.6.1. Key Error Handling . . . . . . . . . . . . . . . . . 14 107 6.6.2. MAC Error Handling . . . . . . . . . . . . . . . . . 14 108 6.6.3. Time Error Handling . . . . . . . . . . . . . . . . . 14 109 6.6.4. Truncation Error Handling . . . . . . . . . . . . . . 14 110 6.7. Special Considerations for Forwarding Servers . . . . . . 15 111 7. Algorithms and Identifiers . . . . . . . . . . . . . . . . . 15 112 8. TSIG Truncation Policy . . . . . . . . . . . . . . . . . . . 16 113 9. Shared Secrets . . . . . . . . . . . . . . . . . . . . . . . 17 114 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 17 115 11. Security Considerations . . . . . . . . . . . . . . . . . . . 18 116 11.1. Issue Fixed in this Document . . . . . . . . . . . . . . 19 117 11.2. Why not DNSSEC? . . . . . . . . . . . . . . . . . . . . 19 118 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 20 119 12.1. Normative References . . . . . . . . . . . . . . . . . . 20 120 12.2. Informative References . . . . . . . . . . . . . . . . . 20 121 Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . 22 122 Appendix B. Change History (to be removed before publication) . 23 123 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 25 125 1. Introduction 127 The Domain Name System (DNS) [RFC1034], [RFC1035] is a replicated 128 hierarchical distributed database system that provides information 129 fundamental to Internet operations, such as name <=> address 130 translation and mail handling information. 132 In 2017, two nameservers strictly following [RFC2845] and [RFC4635] 133 (i.e., TSIG and its HMAC-SHA extension) specifications were 134 discovered to have security problems related to this feature. The 135 implementations were fixed but, to avoid similar problems in the 136 future, the two documents were updated and merged, producing this 137 revised specification for TSIG. 139 This document specifies use of a message authentication code (MAC), 140 generated using certain keyed hash functions, to provide an efficient 141 means of point-to-point authentication and integrity checking for DNS 142 transactions. Such transactions include DNS update requests and 143 responses for which this can provide a lightweight alternative to the 144 protocol described by [RFC3007]. 146 A further use of this mechanism is to protect zone transfers. In 147 this case the data covered would be the whole zone transfer including 148 any glue records sent. The protocol described by DNSSEC does not 149 protect glue records and unsigned records unless SIG(0) (transaction 150 signature) is used. 152 The authentication mechanism proposed in this document uses shared 153 secret keys to establish a trust relationship between two entities. 154 Such keys must be protected in a manner similar to private keys, lest 155 a third party masquerade as one of the intended parties (by forging 156 the MAC). There is an urgent need to provide simple and efficient 157 authentication between clients and local servers and this proposal 158 addresses that need. The proposal is unsuitable for general server 159 to server authentication for servers which speak with many other 160 servers, since key management would become unwieldy with the number 161 of shared keys going up quadratically. But it is suitable for many 162 resolvers on hosts that only talk to a few recursive servers. 164 A server acting as an indirect caching resolver -- a "forwarder" in 165 common usage -- might use transaction-based authentication when 166 communicating with its small number of preconfigured "upstream" 167 servers. Other uses of DNS secret key authentication and possible 168 systems for automatic secret key distribution may be proposed in 169 separate future documents. 171 Note that use of TSIG presumes prior agreement between the two 172 parties involved (e.g., resolver and server) as to any algorithm and 173 key to be used. 175 Since the publication of first version of this document ([RFC2845]) a 176 mechanism based on asymmetric signatures using the SIG RR was 177 specified (SIG(0) [RFC2931]) whereas this document uses symmetric 178 authentication codes calculated by HMAC [RFC2104] using strong hash 179 functions. 181 2. Key Words 183 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 184 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 185 "OPTIONAL" in this document are to be interpreted as described in BCP 186 14 [RFC2119] [RFC8174] when, and only when, they appear in all 187 capitals, as shown here. 189 3. New Assigned Numbers 191 RRTYPE = TSIG (250) 192 ERROR = 0..15 (a DNS RCODE) 193 ERROR = 16 (BADSIG) 194 ERROR = 17 (BADKEY) 195 ERROR = 18 (BADTIME) 196 ERROR = 22 (BADTRUNC) 198 (See [RFC6895] Section 2.3 concerning the assignment of the value 16 199 to BADSIG.) 201 4. TSIG RR Format 203 4.1. TSIG RR Type 205 To provide secret key authentication, we use a new RR type whose 206 mnemonic is TSIG and whose type code is 250. TSIG is a meta-RR and 207 MUST NOT be cached. TSIG RRs are used for authentication between DNS 208 entities that have established a shared secret key. TSIG RRs are 209 dynamically computed to cover a particular DNS transaction and are 210 not DNS RRs in the usual sense. 212 4.2. TSIG Calculation 214 As the TSIG RRs are related to one DNS request/response, there is no 215 value in storing or retransmitting them, thus the TSIG RR is 216 discarded once it has been used to authenticate a DNS message. 217 Recommendations concerning the message digest algorithm can be found 218 in Section 7. All multi-octet integers in the TSIG record are sent 219 in network byte order (see [RFC1035] 2.3.2). 221 4.3. TSIG Record Format 223 NAME The name of the key used in domain name syntax. The name 224 should reflect the names of the hosts and uniquely identify the 225 key among a set of keys these two hosts may share at any given 226 time. If hosts A.site.example and B.example.net share a key, 227 possibilities for the key name include .A.site.example, 228 .B.example.net, and .A.site.example.B.example.net. It 229 should be possible for more than one key to be in simultaneous 230 use among a set of interacting hosts. The name only needs to 231 be meaningful to the communicating hosts but a meaningful 232 mnemonic name as above is strongly recommended. 234 The name may be used as a local index to the key involved and 235 it is recommended that it be globally unique. Where a key is 236 just shared between two hosts, its name actually need only be 237 meaningful to them but it is recommended that the key name be 238 mnemonic and incorporates the names of participating agents or 239 resources. 241 TYPE This MUST be TSIG (250: Transaction SIGnature) 242 CLASS This MUST be ANY 244 TTL This MUST be 0 246 RdLen (variable) 248 RDATA The RDATA for a TSIG RR consists of an octet stream Algorithm 249 Name field, a uint48_t Time Signed field, a uint16_t Fudge 250 field, a uint16_t MAC Size field, a octet stream MAC field, a 251 uint16_t Original ID, a uint16_t Error field, a uint16_t Other 252 Len field and an octet stream of Other Data. 254 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 255 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 256 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 257 / Algorithm Name / 258 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 259 | | 260 | Time Signed +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 261 | | Fudge | 262 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 263 | MAC Size | / 264 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ MAC / 265 / / 266 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 267 | Original ID | Error | 268 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 269 | Other Len | / 270 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Other Data / 271 / / 272 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 274 The contents of the RDATA fields are: 276 * Algorithm Name - identifies the TSIG algorithm name in the 277 domain name syntax. (Allowed names are listed in Table 1.) 278 The name is stored in the DNS name wire format as described 279 in [RFC1034]. As per [RFC3597], this name MUST NOT be 280 compressed. 282 * Time Signed - time signed as seconds since 00:00 on 283 1970-01-01 UTC ignoring leap seconds. 285 * Fudge - specifies the allowed time difference in seconds 286 permitted in the Time Signed field. 288 * MAC Size - the length of MAC field in octets. Truncation is 289 indicated by a MAC size less than the size of the keyed hash 290 produced by the algorithm specified by the Algorithm Name. 292 * MAC - the contents of this field are defined by the TSIG 293 algorithm used, possibly truncated as specified by MAC Size. 295 * Error - contains the expanded RCODE covering TSIG 296 processing. 298 * Other Len - specifies the length of the "Other Data" field 299 in octets. 301 * Other Data - this field will be empty unless the content of 302 the Error field is BADTIME, in which case it will contain 303 the server's current time (see Section 6.5.3). 305 4.4. Example 307 NAME HOST.EXAMPLE. 309 TYPE TSIG 311 CLASS ANY 313 TTL 0 315 RdLen As appropriate 317 RDATA 319 Field Name Contents 320 -------------- ------------------------ 321 Algorithm Name HMAC-MD5.SIG-ALG.REG.INT 322 Time Signed 853804800 323 Fudge 300 324 MAC Size As appropriate 325 MAC As appropriate 326 Original ID As appropriate 327 Error 0 (NOERROR) 328 Other Len 0 329 Other Data Empty 331 5. Protocol Operation 332 5.1. Effects of Adding TSIG to Outgoing Messages 334 Once the outgoing message has been constructed, the HMAC computation 335 can be performed. The resulting MAC will then be stored in a TSIG 336 which is appended to the additional data section (the ARCOUNT is 337 incremented to reflect the extra RR). If the TSIG record cannot be 338 added without causing the message to be truncated, the server MUST 339 alter the response so that a TSIG can be included. This response 340 consists of only the question and a TSIG record, and has the TC bit 341 set and RCODE 0 (NOERROR). The client SHOULD at this point retry the 342 request using TCP (per [RFC1035] 4.2.2). 344 5.2. TSIG Processing on Incoming Messages 346 If an incoming message contains a TSIG record, it MUST be the last 347 record in the additional section. Multiple TSIG records are not 348 allowed. If a TSIG record is present in any other position, the DNS 349 message is dropped and a response with RCODE 1 (FORMERR) MUST be 350 returned. Upon receipt of a message with exactly one correctly 351 placed TSIG RR, the TSIG RR is copied to a safe location, removed 352 from the DNS Message, and decremented out of the DNS message header's 353 ARCOUNT. At this point the keyed hash (HMAC) computation is 354 performed. 356 If the algorithm name or key name is unknown to the recipient, or if 357 the MACs do not match, the whole DNS message MUST be discarded. If 358 the message is a query, a response with RCODE 9 (NOTAUTH) MUST be 359 sent back to the originator with TSIG ERROR 17 (BADKEY) or TSIG ERROR 360 16 (BADSIG). If no key is available to sign this message it MUST be 361 sent unsigned (MAC size == 0 and empty MAC). The algorithm name, 362 time signed, and fudge fields SHOULD be copied to the response to 363 provide off path spoof protection. A message to the system 364 operations log SHOULD be generated, to warn the operations staff of a 365 possible security incident in progress. Care should be taken to 366 ensure that logging of this type of event does not open the system to 367 a denial of service attack. 369 Until these error checks are successfully passed, concluding that the 370 signature is valid, the signature MUST be considered to be invalid. 372 5.3. Time Values Used in TSIG Calculations 374 The data digested includes the two timer values in the TSIG header in 375 order to defend against replay attacks. If this were not done, an 376 attacker could replay old messages but update the "Time Signed" and 377 "Fudge" fields to make the message look new. This data is named 378 "TSIG Timers", and for the purpose of MAC calculation, they are 379 hashed in their "on the wire" format, in the following order: first 380 Time Signed, then Fudge. For example: 382 Field Name Value Wire Format Meaning 383 ----------- --------- ----------------- ------------------------ 384 Time Signed 853804800 00 00 32 e4 07 00 Tue Jan 21 00:00:00 1997 385 Fudge 300 01 2C 5 minutes 387 5.4. TSIG Variables and Coverage 389 When generating or verifying the contents of a TSIG record, the 390 following data are passed as input to MAC computation, in network 391 byte order or wire format, as appropriate: 393 5.4.1. DNS Message 395 A whole and complete DNS message in wire format, before the TSIG RR 396 has been added to the additional data section and before the DNS 397 Message Header's ARCOUNT field has been incremented to contain the 398 TSIG RR. If the message ID differs from the original message ID, the 399 original message ID is substituted for the message ID. This could 400 happen when forwarding a dynamic update request, for example. 402 5.4.2. TSIG Variables 404 Source Field Name Notes 405 ---------- -------------- ----------------------------------------- 406 TSIG RR NAME Key name, in canonical wire format 407 TSIG RR CLASS (Always ANY in the current specification) 408 TSIG RR TTL (Always 0 in the current specification) 409 TSIG RDATA Algorithm Name in canonical wire format 410 TSIG RDATA Time Signed in network byte order 411 TSIG RDATA Fudge in network byte order 412 TSIG RDATA Error in network byte order 413 TSIG RDATA Other Len in network byte order 414 TSIG RDATA Other Data exactly as transmitted 416 The RR RDLEN and RDATA MAC Length are not included in the input to 417 MAC computation since they are not guaranteed to be knowable before 418 the MAC is generated. 420 The Original ID field is not included in this section, as it has 421 already been substituted for the message ID in the DNS header and 422 hashed. 424 For each label type, there must be a defined "Canonical wire format" 425 that specifies how to express a label in an unambiguous way. For 426 label type 00, this is defined in [RFC4034], for label type 01, this 427 is defined in [RFC6891]. The use of label types other than 00 and 01 428 is not defined for this specification. 430 5.4.3. Request MAC 432 When generating the MAC to be included in a response, the validated 433 request MAC MUST be included in the MAC computation. If the request 434 MAC failed to validate, an unsigned error message MUST be returned 435 instead. (Section 6.3). 437 The request's MAC is digested in wire format, including the following 438 fields: 440 Field Type Description 441 ---------- ------------ ---------------------- 442 MAC Length uint16_t in network byte order 443 MAC Data octet stream exactly as transmitted 445 5.5. Component Padding 447 Digested components (i.e., inputs to the keyed hash computation) are 448 fed into the hashing function as a continuous octet stream with no 449 interfield separator or padding. 451 6. Protocol Details 453 6.1. TSIG Generation on Requests 455 The client performs the keyed hash (HMAC) computation and appends a 456 TSIG record to the additional data section and transmits the request 457 to the server. The client MUST store the MAC from the request while 458 awaiting an answer. The digest components for a request are: 460 DNS Message (request) 461 TSIG Variables (request) 463 Note that some older name servers will not accept requests with a 464 nonempty additional data section. Clients SHOULD only attempt signed 465 transactions with servers who are known to support TSIG and share 466 some algorithm and secret key with the client -- so, this is not a 467 problem in practice. 469 6.2. TSIG on Answers 471 When a server has generated a response to a signed request, it signs 472 the response using the same algorithm and key. The server MUST NOT 473 generate a signed response to a request if either the KEY is invalid 474 or the MAC fails validation. It also MUST NOT not generate a signed 475 response to an unsigned request, except in the case of a response to 476 a client's unsigned TKEY request if the secret key is established on 477 the server side after the server processed the client's request. 478 Signing responses to unsigned TKEY requests MUST be explicitly 479 specified in the description of an individual secret key 480 establishment algorithm [RFC3645]. 482 The digest components are: 484 Request MAC 485 DNS Message (response) 486 TSIG Variables (response) 488 6.3. TSIG on TSIG Error Returns 490 When a server detects an error relating to the key or MAC, the server 491 SHOULD send back an unsigned error message (MAC size == 0 and empty 492 MAC). It MUST NOT send back a signed error message. 494 If an error is detected relating to the TSIG validity period or the 495 MAC is too short for the local policy, the server SHOULD send back a 496 signed error message. The digest components are: 498 Request MAC (if the request MAC validated) 499 DNS Message (response) 500 TSIG Variables (response) 502 The reason that the request is not included in this MAC in some cases 503 is to make it possible for the client to verify the error. If the 504 error is not a TSIG error the response MUST be generated as specified 505 in Section 6.2. 507 6.4. TSIG on Zone Transfer Over a TCP Connection 509 A zone transfer over a DNS TCP session can include multiple DNS 510 messages. Using TSIG on such a connection can protect the connection 511 from hijacking and provide data integrity. The TSIG MUST be included 512 on the first and last DNS messages, and SHOULD be placed on all 513 intermediary messages. For backward compatibility, a client which 514 receives DNS messages and verifies TSIG MUST accept up to 99 515 intermediary messages without a TSIG. The first message is processed 516 as a standard answer (see Section 6.2) and subsequent messages have 517 the following digest components: 519 Prior MAC (running) 520 DNS Messages (any unsigned messages since the last TSIG) 521 TSIG Timers (current message) 523 This allows the client to rapidly detect when the session has been 524 altered; at which point it can close the connection and retry. If a 525 client TSIG verification fails, the client MUST close the connection. 526 If the client does not receive TSIG records frequently enough (as 527 specified above) it SHOULD assume the connection has been hijacked 528 and it SHOULD close the connection. The client SHOULD treat this the 529 same way as they would any other interrupted transfer (although the 530 exact behavior is not specified here). 532 6.5. Server TSIG checks 534 Upon receipt of a message, server will check if there is a TSIG RR. 535 If one exists, the server is REQUIRED to return a TSIG RR in the 536 response. The server MUST perform the following checks in the 537 following order, check KEY, check MAC, check TIME values, check 538 Truncation policy. 540 6.5.1. Key Check and Error Handling 542 If a non-forwarding server does not recognize the key used by the 543 client, the server MUST generate an error response with RCODE 9 544 (NOTAUTH) and TSIG ERROR 17 (BADKEY). This response MUST be unsigned 545 as specified in Section 6.3. The server SHOULD log the error. 546 (Special considerations apply to forwarding servers, see 547 Section 6.7.) 549 6.5.2. MAC Check and Error Handling 551 If a TSIG fails to verify, the server MUST generate an error response 552 as specified in Section 6.3 with RCODE 9 (NOTAUTH) and TSIG ERROR 16 553 (BADSIG). This response MUST be unsigned as specified in 554 Section 6.3. The server SHOULD log the error. 556 6.5.2.1. Specifying Truncation 558 When space is at a premium and the strength of the full length of a 559 MAC is not needed, it is reasonable to truncate the keyed hash and 560 use the truncated value for authentication. HMAC SHA-1 truncated to 561 96 bits is an option available in several IETF protocols, including 562 IPsec and TLS. 564 Processing of a truncated MAC follows these rules 566 1. If "MAC size" field is greater than keyed hash output length: 568 This case MUST NOT be generated and, if received, MUST cause the 569 DNS message to be dropped and RCODE 1 (FORMERR) to be returned. 571 2. If "MAC size" field equals keyed hash output length: 573 The entire output keyed hash output is present and used. 575 3. "MAC size" field is less than keyed hash output length but 576 greater than that specified in case 4, below: 578 This is sent when the signer has truncated the keyed hash output 579 to an allowable length, as described in [RFC2104], taking initial 580 octets and discarding trailing octets. TSIG truncation can only 581 be to an integral number of octets. On receipt of a DNS message 582 with truncation thus indicated, the locally calculated MAC is 583 similarly truncated and only the truncated values are compared 584 for authentication. The request MAC used when calculating the 585 TSIG MAC for a reply is the truncated request MAC. 587 4. "MAC size" field is less than the larger of 10 (octets) and half 588 the length of the hash function in use: 590 With the exception of certain TSIG error messages described in 591 Section 6.3, where it is permitted that the MAC size be zero, 592 this case MUST NOT be generated and, if received, MUST cause the 593 DNS message to be dropped and RCODE 1 (FORMERR) to be returned. 595 6.5.3. Time Check and Error Handling 597 If the server time is outside the time interval specified by the 598 request (which is: Time Signed, plus/minus Fudge), the server MUST 599 generate an error response with RCODE 9 (NOTAUTH) and TSIG ERROR 18 600 (BADTIME). The server SHOULD also cache the most recent time signed 601 value in a message generated by a key, and SHOULD return BADTIME if a 602 message received later has an earlier time signed value. A response 603 indicating a BADTIME error MUST be signed by the same key as the 604 request. It MUST include the client's current time in the time 605 signed field, the server's current time (a uint48_t) in the other 606 data field, and 6 in the other data length field. This is done so 607 that the client can verify a message with a BADTIME error without the 608 verification failing due to another BADTIME error. The data signed 609 is specified in Section 6.3. The server SHOULD log the error. 611 6.5.4. Truncation Check and Error Handling 613 If a TSIG is received with truncation that is permitted under 614 Section 6.5.2.1 above but the MAC is too short for the local policy 615 in force, an RCODE 9 (NOTAUTH) and TSIG ERROR 22 (BADTRUNC) MUST be 616 returned. The server SHOULD log the error. 618 6.6. Client Processing of Answer 620 When a client receives a response from a server and expects to see a 621 TSIG, it first checks if the TSIG RR is present in the response. 622 Otherwise, the response is treated as having a format error and 623 discarded. The client then extracts the TSIG, adjusts the ARCOUNT, 624 and calculates the MAC in the same way as the server, applying the 625 same rules to decide if truncated MAC is valid. If the TSIG does not 626 validate, that response MUST be discarded, unless the RCODE is 9 627 (NOTAUTH), in which case the client SHOULD attempt to verify the 628 response as if it were a TSIG Error response, as specified in 629 Section 6.3. A message containing an unsigned TSIG record or a TSIG 630 record which fails verification SHOULD NOT be considered an 631 acceptable response; the client SHOULD log an error and continue to 632 wait for a signed response until the request times out. 634 6.6.1. Key Error Handling 636 If an RCODE on a response is 9 (NOTAUTH), and the response TSIG 637 validates, and the TSIG key is different from the key used on the 638 request, then this is a Key error. The client MAY retry the request 639 using the key specified by the server. This should never occur, as a 640 server MUST NOT sign a response with a different key than signed the 641 request. 643 6.6.2. MAC Error Handling 645 If the response RCODE is 9 (NOTAUTH) and TSIG ERROR is 16 (BADSIG), 646 this is a MAC error, and client MAY retry the request with a new 647 request ID but it would be better to try a different shared key if 648 one is available. Clients SHOULD keep track of how many MAC errors 649 are associated with each key. Clients SHOULD log this event. 651 6.6.3. Time Error Handling 653 If the response RCODE is 9 (NOTAUTH) and the TSIG ERROR is 18 654 (BADTIME), or the current time does not fall in the range specified 655 in the TSIG record, then this is a Time error. This is an indication 656 that the client and server clocks are not synchronized. In this case 657 the client SHOULD log the event. DNS resolvers MUST NOT adjust any 658 clocks in the client based on BADTIME errors, but the server's time 659 in the other data field SHOULD be logged. 661 6.6.4. Truncation Error Handling 663 If the response RCODE is 9 (NOTAUTH) and the TSIG ERROR is 22 664 (BADTRUNC) then this is a Truncation error. The client MAY retry 665 with a lesser truncation up to the full HMAC output (no truncation), 666 using the truncation used in the response as a hint for what the 667 server policy allowed (Section 8). Clients SHOULD log this event. 669 6.7. Special Considerations for Forwarding Servers 671 A server acting as a forwarding server of a DNS message SHOULD check 672 for the existence of a TSIG record. If the name on the TSIG is not 673 of a secret that the server shares with the originator the server 674 MUST forward the message unchanged including the TSIG. If the name 675 of the TSIG is of a key this server shares with the originator, it 676 MUST process the TSIG. If the TSIG passes all checks, the forwarding 677 server MUST, if possible, include a TSIG of its own, to the 678 destination or the next forwarder. If no transaction security is 679 available to the destination and the message is a query then, if the 680 corresponding response has the AD flag (see [RFC4035]) set, the 681 forwarder MUST clear the AD flag before adding the TSIG to the 682 response and returning the result to the system from which it 683 received the query. 685 7. Algorithms and Identifiers 687 The only message digest algorithm specified in the first version of 688 these specifications [RFC2845] was "HMAC-MD5" (see [RFC1321], 689 [RFC2104]). The "HMAC-MD5" algorithm is mandatory to implement for 690 interoperability. 692 The use of SHA-1 [FIPS180-4], [RFC3174], (which is a 160-bit hash as 693 compared to the 128 bits for MD5), and additional hash algorithms in 694 the SHA family [FIPS180-4], [RFC3874], [RFC6234] with 224, 256, 384, 695 and 512 bits may be preferred in some cases. This is because 696 increasingly successful cryptanalytic attacks are being made on the 697 shorter hashes. 699 Use of TSIG between two DNS agents is by mutual agreement. That 700 agreement can include the support of additional algorithms and 701 criteria as to which algorithms and truncations are acceptable, 702 subject to the restriction and guidelines in Section 6.5.2.1 above. 703 Key agreement can be by the TKEY mechanism [RFC2930] or some other 704 mutually agreeable method. 706 The current HMAC-MD5.SIG-ALG.REG.INT and gss-tsig [RFC3645] 707 identifiers are included in the table below for convenience. 708 Implementations that support TSIG MUST also implement HMAC SHA1 and 709 HMAC SHA256 and MAY implement gss-tsig and the other algorithms 710 listed below. 712 Requirement Name 713 ----------- ------------------------ 714 Mandatory HMAC-MD5.SIG-ALG.REG.INT 715 Optional gss-tsig 716 Mandatory hmac-sha1 717 Optional hmac-sha224 718 Mandatory hmac-sha256 719 Optional hmac-sha384 720 Optional hmac-sha512 722 Table 1 724 SHA-1 truncated to 96 bits (12 octets) SHOULD be implemented. 726 8. TSIG Truncation Policy 728 As noted above, two DNS agents (e.g., resolver and server) must 729 mutually agree to use TSIG. Implicit in such an "agreement" are 730 criteria as to acceptable keys and algorithms and, with the 731 extensions in this document, truncations. Note that it is common for 732 implementations to bind the TSIG secret key or keys that may be in 733 place at two parties to particular algorithms. Thus, such 734 implementations only permit the use of an algorithm if there is an 735 associated key in place. Receipt of an unknown, unimplemented, or 736 disabled algorithm typically results in a BADKEY error. 738 Local policies MAY require the rejection of TSIGs, even though they 739 use an algorithm for which implementation is mandatory. 741 When a local policy permits acceptance of a TSIG with a particular 742 algorithm and a particular non-zero amount of truncation, it SHOULD 743 also permit the use of that algorithm with lesser truncation (a 744 longer MAC) up to the full keyed hash output. 746 Regardless of a lower acceptable truncated MAC length specified by 747 local policy, a reply SHOULD be sent with a MAC at least as long as 748 that in the corresponding request. Note if the request specified a 749 MAC length longer than the keyed hash output it will be rejected by 750 processing rules Section 6.5.2.1 case 1. 752 Implementations permitting multiple acceptable algorithms and/or 753 truncations SHOULD permit this list to be ordered by presumed 754 strength and SHOULD allow different truncations for the same 755 algorithm to be treated as separate entities in this list. When so 756 implemented, policies SHOULD accept a presumed stronger algorithm and 757 truncation than the minimum strength required by the policy. 759 9. Shared Secrets 761 Secret keys are very sensitive information and all available steps 762 should be taken to protect them on every host on which they are 763 stored. Generally such hosts need to be physically protected. If 764 they are multi-user machines, great care should be taken that 765 unprivileged users have no access to keying material. Resolvers 766 often run unprivileged, which means all users of a host would be able 767 to see whatever configuration data is used by the resolver. 769 A name server usually runs privileged, which means its configuration 770 data need not be visible to all users of the host. For this reason, 771 a host that implements transaction-based authentication should 772 probably be configured with a "stub resolver" and a local caching and 773 forwarding name server. This presents a special problem for 774 [RFC2136] which otherwise depends on clients to communicate only with 775 a zone's authoritative name servers. 777 Use of strong random shared secrets is essential to the security of 778 TSIG. See [RFC4086] for a discussion of this issue. The secret 779 SHOULD be at least as long as the keyed hash output [RFC2104]. 781 10. IANA Considerations 783 IANA maintains a registry of algorithm names to be used as "Algorithm 784 Names" as defined in Section 4.3. Algorithm names are text strings 785 encoded using the syntax of a domain name. There is no structure 786 required other than names for different algorithms must be unique 787 when compared as DNS names, i.e., comparison is case insensitive. 788 Previous specifications [RFC2845] and [RFC4635] defined values for 789 HMAC MD5 and SHA. IANA has also registered "gss-tsig" as an 790 identifier for TSIG authentication where the cryptographic operations 791 are delegated to the Generic Security Service (GSS) [RFC3645]. 793 New algorithms are assigned using the IETF Consensus policy defined 794 in [RFC8126]. The algorithm name HMAC-MD5.SIG-ALG.REG.INT looks like 795 a fully-qualified domain name for historical reasons; other algorithm 796 names are simple (i.e., single-component) names. 798 IANA maintains a registry of RCODES (error codes), including "TSIG 799 Error values" to be used for "Error" values as defined in 800 Section 4.3. New error codes are assigned and specified as in 801 [RFC6895]. 803 11. Security Considerations 805 The approach specified here is computationally much less expensive 806 than the signatures specified in DNSSEC. As long as the shared 807 secret key is not compromised, strong authentication is provided 808 between two DNS systems, e.g., for the last hop from a local name 809 server to the user resolver, or between primary and secondary 810 nameservers. 812 Recommendations for choosing and maintaining secret keys can be found 813 in [RFC2104]. If the client host has been compromised, the server 814 should suspend the use of all secrets known to that client. If 815 possible, secrets should be stored in encrypted form. Secrets should 816 never be transmitted in the clear over any network. This document 817 does not address the issue on how to distribute secrets except that 818 it mentions the possibilities of manual configuration and the use of 819 TKEY [RFC2930]. Secrets SHOULD NOT be shared by more than two 820 entities. 822 This mechanism does not authenticate source data, only its 823 transmission between two parties who share some secret. The original 824 source data can come from a compromised zone master or can be 825 corrupted during transit from an authentic zone master to some 826 "caching forwarder." However, if the server is faithfully performing 827 the full DNSSEC security checks, then only security checked data will 828 be available to the client. 830 A fudge value that is too large may leave the server open to replay 831 attacks. A fudge value that is too small may cause failures if 832 machines are not time synchronized or there are unexpected network 833 delays. The RECOMMENDED value in most situations is 300 seconds. 835 For all of the message authentication code algorithms listed in this 836 document, those producing longer values are believed to be stronger; 837 however, while there have been some arguments that mild truncation 838 can strengthen a MAC by reducing the information available to an 839 attacker, excessive truncation clearly weakens authentication by 840 reducing the number of bits an attacker has to try to break the 841 authentication by brute force [RFC2104]. 843 Significant progress has been made recently in cryptanalysis of hash 844 functions of the types used here. While the results so far should 845 not affect HMAC, the stronger SHA-1 and SHA-256 algorithms are being 846 made mandatory as a precaution. 848 See also the Security Considerations section of [RFC2104] from which 849 the limits on truncation in this RFC were taken. 851 11.1. Issue Fixed in this Document 853 When signing a DNS reply message using TSIG, the MAC computation uses 854 the request message's MAC as an input to cryptographically relate the 855 reply to the request. The original TSIG specification [RFC2845] 856 required that the TIME values be checked before the request's MAC. 857 If the TIME was invalid, some implementations failed to carry out 858 further checks and could use an invalid request MAC in the signed 859 reply. 861 This document makes it a madatory that the request MAC is considered 862 to be invalid until it has been validated: until then, any answer 863 must be unsigned. For this reason, the request MAC is now checked 864 before the TIME value. 866 11.2. Why not DNSSEC? 868 This section from the original document [RFC2845] analyzes DNSSEC in 869 order to justify the introduction of TSIG. 871 DNS has recently been extended by DNSSEC ([RFC4033], [RFC4034] and 872 [RFC4035]) to provide for data origin authentication, and public key 873 distribution, all based on public key cryptography and public key 874 based digital signatures. To be practical, this form of security 875 generally requires extensive local caching of keys and tracing of 876 authentication through multiple keys and signatures to a pre-trusted 877 locally configured key. 879 One difficulty with the DNSSEC scheme is that common DNS 880 implementations include simple "stub" resolvers which do not have 881 caches. Such resolvers typically rely on a caching DNS server on 882 another host. It is impractical for these stub resolvers to perform 883 general DNSSEC authentication and they would naturally depend on 884 their caching DNS server to perform such services for them. To do so 885 securely requires secure communication of queries and responses. 886 DNSSEC provides public key transaction signatures to support this, 887 but such signatures are very expensive computationally to generate. 888 In general, these require the same complex public key logic that is 889 impractical for stubs. 891 A second area where use of straight DNSSEC public key based 892 mechanisms may be impractical is authenticating dynamic update 893 [RFC2136] requests. DNSSEC provides for request signatures but with 894 DNSSEC they, like transaction signatures, require computationally 895 expensive public key cryptography and complex authentication logic. 896 Secure Domain Name System Dynamic Update ([RFC3007]) describes how 897 different keys are used in dynamically updated zones. 899 12. References 901 12.1. Normative References 903 [FIPS180-4] 904 National Institute of Standards and Technology, "Secure 905 Hash Standard (SHS)", FIPS PUB 180-4, August 2015. 907 [RFC1034] Mockapetris, P., "Domain names - concepts and facilities", 908 STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987, 909 . 911 [RFC1035] Mockapetris, P., "Domain names - implementation and 912 specification", STD 13, RFC 1035, DOI 10.17487/RFC1035, 913 November 1987, . 915 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 916 Requirement Levels", BCP 14, RFC 2119, 917 DOI 10.17487/RFC2119, March 1997, 918 . 920 [RFC2845] Vixie, P., Gudmundsson, O., Eastlake 3rd, D., and B. 921 Wellington, "Secret Key Transaction Authentication for DNS 922 (TSIG)", RFC 2845, DOI 10.17487/RFC2845, May 2000, 923 . 925 [RFC3597] Gustafsson, A., "Handling of Unknown DNS Resource Record 926 (RR) Types", RFC 3597, DOI 10.17487/RFC3597, September 927 2003, . 929 [RFC4635] Eastlake 3rd, D., "HMAC SHA (Hashed Message Authentication 930 Code, Secure Hash Algorithm) TSIG Algorithm Identifiers", 931 RFC 4635, DOI 10.17487/RFC4635, August 2006, 932 . 934 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 935 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 936 May 2017, . 938 12.2. Informative References 940 [RFC1321] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321, 941 DOI 10.17487/RFC1321, April 1992, 942 . 944 [RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed- 945 Hashing for Message Authentication", RFC 2104, 946 DOI 10.17487/RFC2104, February 1997, 947 . 949 [RFC2136] Vixie, P., Ed., Thomson, S., Rekhter, Y., and J. Bound, 950 "Dynamic Updates in the Domain Name System (DNS UPDATE)", 951 RFC 2136, DOI 10.17487/RFC2136, April 1997, 952 . 954 [RFC2930] Eastlake 3rd, D., "Secret Key Establishment for DNS (TKEY 955 RR)", RFC 2930, DOI 10.17487/RFC2930, September 2000, 956 . 958 [RFC2931] Eastlake 3rd, D., "DNS Request and Transaction Signatures 959 ( SIG(0)s )", RFC 2931, DOI 10.17487/RFC2931, September 960 2000, . 962 [RFC3007] Wellington, B., "Secure Domain Name System (DNS) Dynamic 963 Update", RFC 3007, DOI 10.17487/RFC3007, November 2000, 964 . 966 [RFC3174] Eastlake 3rd, D. and P. Jones, "US Secure Hash Algorithm 1 967 (SHA1)", RFC 3174, DOI 10.17487/RFC3174, September 2001, 968 . 970 [RFC3645] Kwan, S., Garg, P., Gilroy, J., Esibov, L., Westhead, J., 971 and R. Hall, "Generic Security Service Algorithm for 972 Secret Key Transaction Authentication for DNS (GSS-TSIG)", 973 RFC 3645, DOI 10.17487/RFC3645, October 2003, 974 . 976 [RFC3874] Housley, R., "A 224-bit One-way Hash Function: SHA-224", 977 RFC 3874, DOI 10.17487/RFC3874, September 2004, 978 . 980 [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. 981 Rose, "DNS Security Introduction and Requirements", 982 RFC 4033, DOI 10.17487/RFC4033, March 2005, 983 . 985 [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. 986 Rose, "Resource Records for the DNS Security Extensions", 987 RFC 4034, DOI 10.17487/RFC4034, March 2005, 988 . 990 [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S. 991 Rose, "Protocol Modifications for the DNS Security 992 Extensions", RFC 4035, DOI 10.17487/RFC4035, March 2005, 993 . 995 [RFC4086] Eastlake 3rd, D., Schiller, J., and S. Crocker, 996 "Randomness Requirements for Security", BCP 106, RFC 4086, 997 DOI 10.17487/RFC4086, June 2005, 998 . 1000 [RFC6234] Eastlake 3rd, D. and T. Hansen, "US Secure Hash Algorithms 1001 (SHA and SHA-based HMAC and HKDF)", RFC 6234, 1002 DOI 10.17487/RFC6234, May 2011, 1003 . 1005 [RFC6891] Damas, J., Graff, M., and P. Vixie, "Extension Mechanisms 1006 for DNS (EDNS(0))", STD 75, RFC 6891, 1007 DOI 10.17487/RFC6891, April 2013, 1008 . 1010 [RFC6895] Eastlake 3rd, D., "Domain Name System (DNS) IANA 1011 Considerations", BCP 42, RFC 6895, DOI 10.17487/RFC6895, 1012 April 2013, . 1014 [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for 1015 Writing an IANA Considerations Section in RFCs", BCP 26, 1016 RFC 8126, DOI 10.17487/RFC8126, June 2017, 1017 . 1019 Appendix A. Acknowledgments 1021 This document consolidates and updates the earlier documents by the 1022 authors of [RFC2845] (Paul Vixie, Olafur Gudmundsson, Donald E. 1023 Eastlake 3rd and Brian Wellington) and [RFC4635] (Donald E. Eastlake 1024 3rd). 1026 The security problem addressed by this document was reported by 1027 Clement Berthaux from Synacktiv. 1029 Note for the RFC Editor (to be removed before publication): the first 1030 'e' in Clement is a fact a small 'e' with acute, unicode code U+00E9. 1031 I do not know if xml2rfc supports non ASCII characters so I prefer to 1032 not experiment with it. BTW I am French too so I can help if you 1033 have questions like correct spelling... 1035 Peter van Dijk, Benno Overeinder, Willem Toroop, Ondrej Sury, Mukund 1036 Sivaraman and Ralph Dolmans participated in the discussions that 1037 prompted this document. 1039 Appendix B. Change History (to be removed before publication) 1041 draft-dupont-dnsop-rfc2845bis-00 1043 [RFC4635] was merged. 1045 Authors of original documents were moved to Acknowledgments 1046 (Appendix A). 1048 Section 2 was updated to [RFC8174] style. 1050 Spit references into normative and informative references and 1051 updated them. 1053 Added a text explaining why this document was written in the 1054 Abstract and at the beginning of the introduction. 1056 Clarified the layout of TSIG RDATA. 1058 Moved the text about using DNSSEC from the Introduction to the end 1059 of Security Considerations. 1061 Added the security clarifications: 1063 1. Emphasized that MAC is invalid until it is successfully 1064 validated. 1066 2. Added requirement that a request MAC that has not been 1067 successfully validated MUST NOT be included into a response. 1069 3. Added requirement that a request that has not been validated 1070 MUST NOT generate a signed response. 1072 4. Added note about MAC too short for the local policy to 1073 Section 6.3. 1075 5. Changed the order of server checks and swapped corresponding 1076 sections. 1078 6. Removed the truncation size limit "also case" as it does not 1079 apply and added confusion. 1081 7. Relocated the error provision for TSIG truncation to the new 1082 Section 6.5.4. Moved from RCODE 22 to RCODE 9 and TSIG ERROR 1083 22, i.e., aligned with other TSIG error cases. 1085 8. Added Section 6.6.4 about truncation error handling by 1086 clients. 1088 9. Removed the limit to HMAC output in replies as a request 1089 which specified a MAC length longer than the HMAC output is 1090 invalid according to the first processing rule in 1091 Section 6.5.2.1. 1093 10. Promoted the requirement that a secret length should be at 1094 least as long as the HMAC output to a SHOULD [RFC2119] key 1095 word. 1097 11. Added a short text to explain the security issue. 1099 draft-dupont-dnsop-rfc2845bis-01 1101 Improved wording (post-publication comments). 1103 Specialized and renamed the "TSIG on TCP connection" (Section 6.4) 1104 to "TSIG on zone transfer over a TCP connection". Added a SHOULD 1105 for a TSIG in each message (was envelope) for new implementations. 1107 draft-ietf-dnsop-rfc2845bis-00 1109 Adopted by the IETF DNSOP working group: title updated and version 1110 counter reset to 00. 1112 draft-ietf-dnsop-rfc2845bis-01 1114 Relationship between protocol change and principle of assuming the 1115 request MAC is invalid until validated clarified. (Jinmei Tatuya) 1117 Cross reference to considerations for forwarding servers added. 1118 (Bob Harold) 1120 Added text from [RFC3645] concerning the signing behavior if a 1121 secret key is added during a multi-message exchange. 1123 Added reference to [RFC6895]. 1125 Many improvements in the wording. 1127 Added RFC 2845 authors as co-authors of this document. 1129 draft-ietf-dnsop-rfc2845bis-02 1131 Added a recommendation to copy time fields in BADKEY errors. 1132 (Mark Andrews) 1134 draft-ietf-dnsop-rfc2845bis-03 1135 Further changes as a result of comments by Mukund Sivaraman. 1137 Miscellaneous changes to wording. 1139 Authors' Addresses 1141 Francis Dupont 1142 Internet Software Consortium 1143 950 Charter Street 1144 Redwood City, CA 94063 1145 United States of America 1147 Email: Francis.Dupont@fdupont.fr 1149 Stephen Morris 1150 Internet Software Consortium 1151 950 Charter Street 1152 Redwood City, CA 94063 1153 United States of America 1155 Email: stephen@isc.org 1157 Paul Vixie 1158 Farsight Security Inc 1159 177 Bovet Road, Suite 180 1160 San Mateo, CA 94402 1161 United States of America 1163 Email: paul@redbarn.org 1165 Donald E. Eastlake 3rd 1166 Huawei Technologies 1167 155 Beaver Street 1168 Milford, MA 01753 1169 United States of America 1171 Email: d3e3e3@gmail.com 1173 Olafur Gudmundsson 1174 CloudFlare 1175 San Francisco, CA 94107 1176 United States of America 1178 Email: olafur+ietf@cloudflare.com 1179 Brian Wellington 1180 Akamai 1181 United States of America 1183 Email: bwelling@akamai.com