IPSEC KEYing information resource record (ipseckey)

Last Modified: 2004-11-11


Samuel Weiler <weiler+ietf@watson.org>
Rob Austein <sra@hactrn.net>

Security Area Director(s):

Russell Housley <housley@vigilsec.com>
Sam Hartman <hartmans-ietf@mit.edu>

Security Area Advisor:

Russell Housley <housley@vigilsec.com>

Mailing Lists:

General Discussion: ipseckey@ietf.org
To Subscribe: ipseckey-request@ietf.org
Archive: http://www.ietf.org/mail-archive/web/ipseckey/index.html

Description of Working Group:

This effort has the goal of designing a IPSEC-specific resource
record for the domain name system (DNS) to replace the functionality
of the IPSEC sub-type of the KEY resource record.

The original DNSSEC specification explicitly specified flags on
the KEY resource records for use by IPSEC. Experience has shown that
this has operational problems. The DNSEXT working group is restricting
the use of the KEY record to DNS uses only. Thus, IPSEC keying via
DNS needs a new resource record.

The scope of work is to identify what information is needed in an
IPSEC-specific keying resource record. The content of the resource
record are not limited to only the information that is in the DNS
KEY record but may also contain useful IPSEC information information,
such as that which is required for Opportunistic Encryption. Other
possible uses are out of scope for this working group, since any
reuse will require a careful analysis of the trust model and possible
security interactions with IPsec.

The WG will define the semantics of the record only in terms of
how the data in the record can be used for initializing an IPSEC
session. Questions of when it is appropriate to do so are regarded
as policy issues that are out of scope for this WG.

This effort is specific to providing IPSEC information in DNS.
All other distribution channels are out of scope.

Goals and Milestones:

Done    Solicit various proposals on what information is needed in IPSEC specific KEYing record
Done    Publish first Internet-Draft of consensus DNS Resource Record
Done    Complete WG Last Call on consensus DNS RR proposal document and pass document to IESG for consideration as a Proposed Standard

No Current Internet-Drafts

Request For Comments:

A method for storing IPsec keying material in DNS (RFC 4025) (25408 bytes)