7 Network Working Group D. Eastlake
8 Request for Comments: 2535 IBM
9 Obsoletes: 2065 March 1999
10 Updates: 2181, 1035, 1034
11 Category: Standards Track
13 Domain Name System Security Extensions
17 This document specifies an Internet standards track protocol for the
18 Internet community, and requests discussion and suggestions for
19 improvements. Please refer to the current edition of the "Internet
20 Official Protocol Standards" (STD 1) for the standardization state
21 and status of this protocol. Distribution of this memo is unlimited.
25 Copyright (C) The Internet Society (1999). All Rights Reserved.
29 Extensions to the Domain Name System (DNS) are described that provide
30 data integrity and authentication to security aware resolvers and
31 applications through the use of cryptographic digital signatures.
32 These digital signatures are included in secured zones as resource
33 records. Security can also be provided through non-security aware
34 DNS servers in some cases.
36 The extensions provide for the storage of authenticated public keys
37 in the DNS. This storage of keys can support general public key
38 distribution services as well as DNS security. The stored keys
39 enable security aware resolvers to learn the authenticating key of
40 zones in addition to those for which they are initially configured.
41 Keys associated with DNS names can be retrieved to support other
42 protocols. Provision is made for a variety of key types and
45 In addition, the security extensions provide for the optional
46 authentication of DNS protocol transactions and requests.
48 This document incorporates feedback on RFC 2065 from early
49 implementers and potential users.
58 Eastlake Standards Track [Page 1]
60 RFC 2535 DNS Security Extensions March 1999
65 The significant contributions and suggestions of the following
66 persons (in alphabetic order) to DNS security are gratefully
82 Abstract...................................................1
83 Acknowledgments............................................2
84 1. Overview of Contents....................................4
85 2. Overview of the DNS Extensions..........................5
86 2.1 Services Not Provided..................................5
87 2.2 Key Distribution.......................................5
88 2.3 Data Origin Authentication and Integrity...............6
89 2.3.1 The SIG Resource Record..............................7
90 2.3.2 Authenticating Name and Type Non-existence...........7
91 2.3.3 Special Considerations With Time-to-Live.............7
92 2.3.4 Special Considerations at Delegation Points..........8
93 2.3.5 Special Considerations with CNAME....................8
94 2.3.6 Signers Other Than The Zone..........................9
95 2.4 DNS Transaction and Request Authentication.............9
96 3. The KEY Resource Record................................10
97 3.1 KEY RDATA format......................................10
98 3.1.1 Object Types, DNS Names, and Keys...................11
99 3.1.2 The KEY RR Flag Field...............................11
100 3.1.3 The Protocol Octet..................................13
101 3.2 The KEY Algorithm Number Specification................14
102 3.3 Interaction of Flags, Algorithm, and Protocol Bytes...15
103 3.4 Determination of Zone Secure/Unsecured Status.........15
104 3.5 KEY RRs in the Construction of Responses..............17
105 4. The SIG Resource Record................................17
106 4.1 SIG RDATA Format......................................17
107 4.1.1 Type Covered Field..................................18
108 4.1.2 Algorithm Number Field..............................18
109 4.1.3 Labels Field........................................18
110 4.1.4 Original TTL Field..................................19
114 Eastlake Standards Track [Page 2]
116 RFC 2535 DNS Security Extensions March 1999
119 4.1.5 Signature Expiration and Inception Fields...........19
120 4.1.6 Key Tag Field.......................................20
121 4.1.7 Signer's Name Field.................................20
122 4.1.8 Signature Field.....................................20
123 4.1.8.1 Calculating Transaction and Request SIGs..........21
124 4.2 SIG RRs in the Construction of Responses..............21
125 4.3 Processing Responses and SIG RRs......................22
126 4.4 Signature Lifetime, Expiration, TTLs, and Validity....23
127 5. Non-existent Names and Types...........................24
128 5.1 The NXT Resource Record...............................24
129 5.2 NXT RDATA Format......................................25
130 5.3 Additional Complexity Due to Wildcards................26
131 5.4 Example...............................................26
132 5.5 Special Considerations at Delegation Points...........27
133 5.6 Zone Transfers........................................27
134 5.6.1 Full Zone Transfers.................................28
135 5.6.2 Incremental Zone Transfers..........................28
136 6. How to Resolve Securely and the AD and CD Bits.........29
137 6.1 The AD and CD Header Bits.............................29
138 6.2 Staticly Configured Keys..............................31
139 6.3 Chaining Through The DNS..............................31
140 6.3.1 Chaining Through KEYs...............................31
141 6.3.2 Conflicting Data....................................33
142 6.4 Secure Time...........................................33
143 7. ASCII Representation of Security RRs...................34
144 7.1 Presentation of KEY RRs...............................34
145 7.2 Presentation of SIG RRs...............................35
146 7.3 Presentation of NXT RRs...............................36
147 8. Canonical Form and Order of Resource Records...........36
148 8.1 Canonical RR Form.....................................36
149 8.2 Canonical DNS Name Order..............................37
150 8.3 Canonical RR Ordering Within An RRset.................37
151 8.4 Canonical Ordering of RR Types........................37
152 9. Conformance............................................37
153 9.1 Server Conformance....................................37
154 9.2 Resolver Conformance..................................38
155 10. Security Considerations...............................38
156 11. IANA Considerations...................................39
157 References................................................39
158 Author's Address..........................................41
159 Appendix A: Base 64 Encoding..............................42
160 Appendix B: Changes from RFC 2065.........................44
161 Appendix C: Key Tag Calculation...........................46
162 Full Copyright Statement..................................47
170 Eastlake Standards Track [Page 3]
172 RFC 2535 DNS Security Extensions March 1999
175 1. Overview of Contents
177 This document standardizes extensions of the Domain Name System (DNS)
178 protocol to support DNS security and public key distribution. It
179 assumes that the reader is familiar with the Domain Name System,
180 particularly as described in RFCs 1033, 1034, 1035 and later RFCs. An
181 earlier version of these extensions appears in RFC 2065. This
182 replacement for that RFC incorporates early implementation experience
183 and requests from potential users.
185 Section 2 provides an overview of the extensions and the key
186 distribution, data origin authentication, and transaction and request
187 security they provide.
189 Section 3 discusses the KEY resource record, its structure, and use
190 in DNS responses. These resource records represent the public keys
191 of entities named in the DNS and are used for key distribution.
193 Section 4 discusses the SIG digital signature resource record, its
194 structure, and use in DNS responses. These resource records are used
195 to authenticate other resource records in the DNS and optionally to
196 authenticate DNS transactions and requests.
198 Section 5 discusses the NXT resource record (RR) and its use in DNS
199 responses including full and incremental zone transfers. The NXT RR
200 permits authenticated denial of the existence of a name or of an RR
201 type for an existing name.
203 Section 6 discusses how a resolver can be configured with a starting
204 key or keys and proceed to securely resolve DNS requests.
205 Interactions between resolvers and servers are discussed for various
206 combinations of security aware and security non-aware. Two
207 additional DNS header bits are defined for signaling between
208 resolvers and servers.
210 Section 7 describes the ASCII representation of the security resource
211 records for use in master files and elsewhere.
213 Section 8 defines the canonical form and order of RRs for DNS
216 Section 9 defines levels of conformance for resolvers and servers.
218 Section 10 provides a few paragraphs on overall security
221 Section 11 specified IANA considerations for allocation of additional
222 values of paramters defined in this document.
226 Eastlake Standards Track [Page 4]
228 RFC 2535 DNS Security Extensions March 1999
231 Appendix A gives details of base 64 encoding which is used in the
232 file representation of some RRs defined in this document.
234 Appendix B summarizes changes between this memo and RFC 2065.
236 Appendix C specified how to calculate the simple checksum used as a
237 key tag in most SIG RRs.
239 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
240 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
241 document are to be interpreted as described in [RFC2119].
243 2. Overview of the DNS Extensions
245 The Domain Name System (DNS) protocol security extensions provide
246 three distinct services: key distribution as described in Section 2.2
247 below, data origin authentication as described in Section 2.3 below,
248 and transaction and request authentication, described in Section 2.4
251 Special considerations related to "time to live", CNAMEs, and
252 delegation points are also discussed in Section 2.3.
254 2.1 Services Not Provided
256 It is part of the design philosophy of the DNS that the data in it is
257 public and that the DNS gives the same answers to all inquirers.
258 Following this philosophy, no attempt has been made to include any
259 sort of access control lists or other means to differentiate
262 No effort has been made to provide for any confidentiality for
263 queries or responses. (This service may be available via IPSEC [RFC
264 2401], TLS, or other security protocols.)
266 Protection is not provided against denial of service.
270 A resource record format is defined to associate keys with DNS names.
271 This permits the DNS to be used as a public key distribution
272 mechanism in support of DNS security itself and other protocols.
274 The syntax of a KEY resource record (RR) is described in Section 3.
275 It includes an algorithm identifier, the actual public key
276 parameter(s), and a variety of flags including those indicating the
277 type of entity the key is associated with and/or asserting that there
278 is no key associated with that entity.
282 Eastlake Standards Track [Page 5]
284 RFC 2535 DNS Security Extensions March 1999
287 Under conditions described in Section 3.5, security aware DNS servers
288 will automatically attempt to return KEY resources as additional
289 information, along with those resource records actually requested, to
290 minimize the number of queries needed.
292 2.3 Data Origin Authentication and Integrity
294 Authentication is provided by associating with resource record sets
295 (RRsets [RFC 2181]) in the DNS cryptographically generated digital
296 signatures. Commonly, there will be a single private key that
297 authenticates an entire zone but there might be multiple keys for
298 different algorithms, signers, etc. If a security aware resolver
299 reliably learns a public key of the zone, it can authenticate, for
300 signed data read from that zone, that it is properly authorized. The
301 most secure implementation is for the zone private key(s) to be kept
302 off-line and used to re-sign all of the records in the zone
303 periodically. However, there are cases, for example dynamic update
304 [RFCs 2136, 2137], where DNS private keys need to be on-line [RFC
307 The data origin authentication key(s) are associated with the zone
308 and not with the servers that store copies of the data. That means
309 compromise of a secondary server or, if the key(s) are kept off line,
310 even the primary server for a zone, will not necessarily affect the
311 degree of assurance that a resolver has that it can determine whether
314 A resolver could learn a public key of a zone either by reading it
315 from the DNS or by having it staticly configured. To reliably learn
316 a public key by reading it from the DNS, the key itself must be
317 signed with a key the resolver trusts. The resolver must be
318 configured with at least a public key which authenticates one zone as
319 a starting point. From there, it can securely read public keys of
320 other zones, if the intervening zones in the DNS tree are secure and
321 their signed keys accessible.
323 Adding data origin authentication and integrity requires no change to
324 the "on-the-wire" DNS protocol beyond the addition of the signature
325 resource type and the key resource type needed for key distribution.
326 (Data non-existence authentication also requires the NXT RR as
327 described in 2.3.2.) This service can be supported by existing
328 resolver and caching server implementations so long as they can
329 support the additional resource types (see Section 9). The one
330 exception is that CNAME referrals in a secure zone can not be
331 authenticated if they are from non-security aware servers (see
338 Eastlake Standards Track [Page 6]
340 RFC 2535 DNS Security Extensions March 1999
343 If signatures are separately retrieved and verified when retrieving
344 the information they authenticate, there will be more trips to the
345 server and performance will suffer. Security aware servers mitigate
346 that degradation by attempting to send the signature(s) needed (see
349 2.3.1 The SIG Resource Record
351 The syntax of a SIG resource record (signature) is described in
352 Section 4. It cryptographicly binds the RRset being signed to the
353 signer and a validity interval.
355 Every name in a secured zone will have associated with it at least
356 one SIG resource record for each resource type under that name except
357 for glue address RRs and delegation point NS RRs. A security aware
358 server will attempt to return, with RRs retrieved, the corresponding
359 SIGs. If a server is not security aware, the resolver must retrieve
360 all the SIG records for a name and select the one or ones that sign
361 the resource record set(s) that resolver is interested in.
363 2.3.2 Authenticating Name and Type Non-existence
365 The above security mechanism only provides a way to sign existing
366 RRsets in a zone. "Data origin" authentication is not obviously
367 provided for the non-existence of a domain name in a zone or the
368 non-existence of a type for an existing name. This gap is filled by
369 the NXT RR which authenticatably asserts a range of non-existent
370 names in a zone and the non-existence of types for the existing name
371 just before that range.
373 Section 5 below covers the NXT RR.
375 2.3.3 Special Considerations With Time-to-Live
377 A digital signature will fail to verify if any change has occurred to
378 the data between the time it was originally signed and the time the
379 signature is verified. This conflicts with our desire to have the
380 time-to-live (TTL) field of resource records tick down while they are
383 This could be avoided by leaving the time-to-live out of the digital
384 signature, but that would allow unscrupulous servers to set
385 arbitrarily long TTL values undetected. Instead, we include the
386 "original" TTL in the signature and communicate that data along with
387 the current TTL. Unscrupulous servers under this scheme can
388 manipulate the TTL but a security aware resolver will bound the TTL
389 value it uses at the original signed value. Separately, signatures
390 include a signature inception time and a signature expiration time. A
394 Eastlake Standards Track [Page 7]
396 RFC 2535 DNS Security Extensions March 1999
399 resolver that knows the absolute time can determine securely whether
400 a signature is in effect. It is not possible to rely solely on the
401 signature expiration as a substitute for the TTL, however, since the
402 TTL is primarily a database consistency mechanism and non-security
403 aware servers that depend on TTL must still be supported.
405 2.3.4 Special Considerations at Delegation Points
407 DNS security would like to view each zone as a unit of data
408 completely under the control of the zone owner with each entry
409 (RRset) signed by a special private key held by the zone manager.
410 But the DNS protocol views the leaf nodes in a zone, which are also
411 the apex nodes of a subzone (i.e., delegation points), as "really"
412 belonging to the subzone. These nodes occur in two master files and
413 might have RRs signed by both the upper and lower zone's keys. A
414 retrieval could get a mixture of these RRs and SIGs, especially since
415 one server could be serving both the zone above and below a
416 delegation point. [RFC 2181]
418 There MUST be a zone KEY RR, signed by its superzone, for every
419 subzone if the superzone is secure. This will normally appear in the
420 subzone and may also be included in the superzone. But, in the case
421 of an unsecured subzone which can not or will not be modified to add
422 any security RRs, a KEY declaring the subzone to be unsecured MUST
423 appear with the superzone signature in the superzone, if the
424 superzone is secure. For all but one other RR type the data from the
425 subzone is more authoritative so only the subzone KEY RR should be
426 signed in the superzone if it appears there. The NS and any glue
427 address RRs SHOULD only be signed in the subzone. The SOA and any
428 other RRs that have the zone name as owner should appear only in the
429 subzone and thus are signed only there. The NXT RR type is the
430 exceptional case that will always appear differently and
431 authoritatively in both the superzone and subzone, if both are
432 secure, as described in Section 5.
434 2.3.5 Special Considerations with CNAME
436 There is a problem when security related RRs with the same owner name
437 as a CNAME RR are retrieved from a non-security-aware server. In
438 particular, an initial retrieval for the CNAME or any other type may
439 not retrieve any associated SIG, KEY, or NXT RR. For retrieved types
440 other than CNAME, it will retrieve that type at the target name of
441 the CNAME (or chain of CNAMEs) and will also return the CNAME. In
442 particular, a specific retrieval for type SIG will not get the SIG,
443 if any, at the original CNAME domain name but rather a SIG at the
450 Eastlake Standards Track [Page 8]
452 RFC 2535 DNS Security Extensions March 1999
455 Security aware servers must be used to securely CNAME in DNS.
456 Security aware servers MUST (1) allow KEY, SIG, and NXT RRs along
457 with CNAME RRs, (2) suppress CNAME processing on retrieval of these
458 types as well as on retrieval of the type CNAME, and (3)
459 automatically return SIG RRs authenticating the CNAME or CNAMEs
460 encountered in resolving a query. This is a change from the previous
461 DNS standard [RFCs 1034/1035] which prohibited any other RR type at a
462 node where a CNAME RR was present.
464 2.3.6 Signers Other Than The Zone
466 There are cases where the signer in a SIG resource record is other
467 than one of the private key(s) used to authenticate a zone.
469 One is for support of dynamic update [RFC 2136] (or future requests
470 which require secure authentication) where an entity is permitted to
471 authenticate/update its records [RFC 2137] and the zone is operating
472 in a mode where the zone key is not on line. The public key of the
473 entity must be present in the DNS and be signed by a zone level key
474 but the other RR(s) may be signed with the entity's key.
476 A second case is support of transaction and request authentication as
477 described in Section 2.4.
479 In additions, signatures can be included on resource records within
480 the DNS for use by applications other than DNS. DNS related
481 signatures authenticate that data originated with the authority of a
482 zone owner or that a request or transaction originated with the
483 relevant entity. Other signatures can provide other types of
486 2.4 DNS Transaction and Request Authentication
488 The data origin authentication service described above protects
489 retrieved resource records and the non-existence of resource records
490 but provides no protection for DNS requests or for message headers.
492 If header bits are falsely set by a bad server, there is little that
493 can be done. However, it is possible to add transaction
494 authentication. Such authentication means that a resolver can be
495 sure it is at least getting messages from the server it thinks it
496 queried and that the response is from the query it sent (i.e., that
497 these messages have not been diddled in transit). This is
498 accomplished by optionally adding a special SIG resource record at
499 the end of the reply which digitally signs the concatenation of the
500 server's response and the resolver's query.
506 Eastlake Standards Track [Page 9]
508 RFC 2535 DNS Security Extensions March 1999
511 Requests can also be authenticated by including a special SIG RR at
512 the end of the request. Authenticating requests serves no function
513 in older DNS servers and requests with a non-empty additional
514 information section produce error returns or may even be ignored by
515 many of them. However, this syntax for signing requests is defined as
516 a way of authenticating secure dynamic update requests [RFC 2137] or
517 future requests requiring authentication.
519 The private keys used in transaction security belong to the entity
520 composing the reply, not to the zone involved. Request
521 authentication may also involve the private key of the host or other
522 entity composing the request or other private keys depending on the
523 request authority it is sought to establish. The corresponding public
524 key(s) are normally stored in and retrieved from the DNS for
527 Because requests and replies are highly variable, message
528 authentication SIGs can not be pre-calculated. Thus it will be
529 necessary to keep the private key on-line, for example in software or
530 in a directly connected piece of hardware.
532 3. The KEY Resource Record
534 The KEY resource record (RR) is used to store a public key that is
535 associated with a Domain Name System (DNS) name. This can be the
536 public key of a zone, a user, or a host or other end entity. Security
537 aware DNS implementations MUST be designed to handle at least two
538 simultaneously valid keys of the same type associated with the same
541 The type number for the KEY RR is 25.
543 A KEY RR is, like any other RR, authenticated by a SIG RR. KEY RRs
544 must be signed by a zone level key.
548 The RDATA for a KEY RR consists of flags, a protocol octet, the
549 algorithm number octet, and the public key itself. The format is as
562 Eastlake Standards Track [Page 10]
564 RFC 2535 DNS Security Extensions March 1999
567 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
568 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
569 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
570 | flags | protocol | algorithm |
571 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
575 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-|
577 The KEY RR is not intended for storage of certificates and a separate
578 certificate RR has been developed for that purpose, defined in [RFC
581 The meaning of the KEY RR owner name, flags, and protocol octet are
582 described in Sections 3.1.1 through 3.1.5 below. The flags and
583 algorithm must be examined before any data following the algorithm
584 octet as they control the existence and format of any following data.
585 The algorithm and public key fields are described in Section 3.2.
586 The format of the public key is algorithm dependent.
588 KEY RRs do not specify their validity period but their authenticating
589 SIG RR(s) do as described in Section 4 below.
591 3.1.1 Object Types, DNS Names, and Keys
593 The public key in a KEY RR is for the object named in the owner name.
595 A DNS name may refer to three different categories of things. For
596 example, foo.host.example could be (1) a zone, (2) a host or other
597 end entity , or (3) the mapping into a DNS name of the user or
598 account foo@host.example. Thus, there are flag bits, as described
599 below, in the KEY RR to indicate with which of these roles the owner
600 name and public key are associated. Note that an appropriate zone
601 KEY RR MUST occur at the apex node of a secure zone and zone KEY RRs
602 occur only at delegation points.
604 3.1.2 The KEY RR Flag Field
606 In the "flags" field:
608 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
609 +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
610 | A/C | Z | XT| Z | Z | NAMTYP| Z | Z | Z | Z | SIG |
611 +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
613 Bit 0 and 1 are the key "type" bits whose values have the following
618 Eastlake Standards Track [Page 11]
620 RFC 2535 DNS Security Extensions March 1999
623 10: Use of the key is prohibited for authentication.
624 01: Use of the key is prohibited for confidentiality.
625 00: Use of the key for authentication and/or confidentiality
626 is permitted. Note that DNS security makes use of keys
627 for authentication only. Confidentiality use flagging is
628 provided for use of keys in other protocols.
629 Implementations not intended to support key distribution
630 for confidentiality MAY require that the confidentiality
631 use prohibited bit be on for keys they serve.
632 11: If both bits are one, the "no key" value, there is no key
633 information and the RR stops after the algorithm octet.
634 By the use of this "no key" value, a signed KEY RR can
635 authenticatably assert that, for example, a zone is not
636 secured. See section 3.4 below.
638 Bits 2 is reserved and must be zero.
640 Bits 3 is reserved as a flag extension bit. If it is a one, a second
641 16 bit flag field is added after the algorithm octet and
642 before the key data. This bit MUST NOT be set unless one or
643 more such additional bits have been defined and are non-zero.
645 Bits 4-5 are reserved and must be zero.
647 Bits 6 and 7 form a field that encodes the name type. Field values
648 have the following meanings:
650 00: indicates that this is a key associated with a "user" or
651 "account" at an end entity, usually a host. The coding
652 of the owner name is that used for the responsible
653 individual mailbox in the SOA and RP RRs: The owner name
654 is the user name as the name of a node under the entity
655 name. For example, "j_random_user" on
656 host.subdomain.example could have a public key associated
657 through a KEY RR with name
658 j_random_user.host.subdomain.example. It could be used
659 in a security protocol where authentication of a user was
660 desired. This key might be useful in IP or other
661 security for a user level service such a telnet, ftp,
663 01: indicates that this is a zone key for the zone whose name
664 is the KEY RR owner name. This is the public key used
665 for the primary DNS security feature of data origin
666 authentication. Zone KEY RRs occur only at delegation
668 10: indicates that this is a key associated with the non-zone
669 "entity" whose name is the RR owner name. This will
670 commonly be a host but could, in some parts of the DNS
674 Eastlake Standards Track [Page 12]
676 RFC 2535 DNS Security Extensions March 1999
679 tree, be some other type of entity such as a telephone
680 number [RFC 1530] or numeric IP address. This is the
681 public key used in connection with DNS request and
682 transaction authentication services. It could also be
683 used in an IP-security protocol where authentication at
684 the host, rather than user, level was desired, such as
688 Bits 8-11 are reserved and must be zero.
690 Bits 12-15 are the "signatory" field. If non-zero, they indicate
691 that the key can validly sign things as specified in DNS
692 dynamic update [RFC 2137]. Note that zone keys (see bits
693 6 and 7 above) always have authority to sign any RRs in
694 the zone regardless of the value of the signatory field.
696 3.1.3 The Protocol Octet
698 It is anticipated that keys stored in DNS will be used in conjunction
699 with a variety of Internet protocols. It is intended that the
700 protocol octet and possibly some of the currently unused (must be
701 zero) bits in the KEY RR flags as specified in the future will be
702 used to indicate a key's validity for different protocols.
704 The following values of the Protocol Octet are reserved as indicated:
713 5-254 - available for assignment by IANA
717 1 is reserved for use in connection with TLS.
718 2 is reserved for use in connection with email.
719 3 is used for DNS security. The protocol field SHOULD be set to
720 this value for zone keys and other keys used in DNS security.
721 Implementations that can determine that a key is a DNS
722 security key by the fact that flags label it a zone key or the
723 signatory flag field is non-zero are NOT REQUIRED to check the
725 4 is reserved to refer to the Oakley/IPSEC [RFC 2401] protocol
726 and indicates that this key is valid for use in conjunction
730 Eastlake Standards Track [Page 13]
732 RFC 2535 DNS Security Extensions March 1999
735 with that security standard. This key could be used in
736 connection with secured communication on behalf of an end
737 entity or user whose name is the owner name of the KEY RR if
738 the entity or user flag bits are set. The presence of a KEY
739 resource with this protocol value is an assertion that the
740 host speaks Oakley/IPSEC.
741 255 indicates that the key can be used in connection with any
742 protocol for which KEY RR protocol octet values have been
743 defined. The use of this value is discouraged and the use of
744 different keys for different protocols is encouraged.
746 3.2 The KEY Algorithm Number Specification
748 This octet is the key algorithm parallel to the same field for the
749 SIG resource as described in Section 4.1. The following values are
754 0 - reserved, see Section 11
755 1 RSA/MD5 [RFC 2537] - recommended
756 2 Diffie-Hellman [RFC 2539] - optional, key only
757 3 DSA [RFC 2536] - MANDATORY
758 4 reserved for elliptic curve crypto
759 5-251 - available, see Section 11
760 252 reserved for indirect keys
761 253 private - domain name (see below)
762 254 private - OID (see below)
763 255 - reserved, see Section 11
765 Algorithm specific formats and procedures are given in separate
766 documents. The mandatory to implement for interoperability algorithm
767 is number 3, DSA. It is recommended that the RSA/MD5 algorithm,
768 number 1, also be implemented. Algorithm 2 is used to indicate
769 Diffie-Hellman keys and algorithm 4 is reserved for elliptic curve.
771 Algorithm number 252 indicates an indirect key format where the
772 actual key material is elsewhere. This format is to be defined in a
775 Algorithm numbers 253 and 254 are reserved for private use and will
776 never be assigned a specific algorithm. For number 253, the public
777 key area and the signature begin with a wire encoded domain name.
778 Only local domain name compression is permitted. The domain name
779 indicates the private algorithm to use and the remainder of the
780 public key area is whatever is required by that algorithm. For
781 number 254, the public key area for the KEY RR and the signature
782 begin with an unsigned length byte followed by a BER encoded Object
786 Eastlake Standards Track [Page 14]
788 RFC 2535 DNS Security Extensions March 1999
791 Identifier (ISO OID) of that length. The OID indicates the private
792 algorithm in use and the remainder of the area is whatever is
793 required by that algorithm. Entities should only use domain names
794 and OIDs they control to designate their private algorithms.
796 Values 0 and 255 are reserved but the value 0 is used in the
797 algorithm field when that field is not used. An example is in a KEY
798 RR with the top two flag bits on, the "no-key" value, where no key is
801 3.3 Interaction of Flags, Algorithm, and Protocol Bytes
803 Various combinations of the no-key type flags, algorithm byte,
804 protocol byte, and any future assigned protocol indicating flags are
805 possible. The meaning of these combinations is indicated below:
807 NK = no key type (flags bits 0 and 1 on)
809 PR = protocols indicated by protocol byte or future assigned flags
811 x represents any valid non-zero value(s).
814 0 0 0 Illegal, claims key but has bad algorithm field.
815 0 0 1 Specifies total lack of security for owner zone.
816 0 x 0 Illegal, claims key but has bad algorithm field.
817 0 x 1 Specified protocols unsecured, others may be secure.
818 x 0 0 Gives key but no protocols to use it.
819 x 0 1 Denies key for specific algorithm.
820 x x 0 Specifies key for protocols.
821 x x 1 Algorithm not understood for protocol.
823 3.4 Determination of Zone Secure/Unsecured Status
825 A zone KEY RR with the "no-key" type field value (both key type flag
826 bits 0 and 1 on) indicates that the zone named is unsecured while a
827 zone KEY RR with a key present indicates that the zone named is
828 secure. The secured versus unsecured status of a zone may vary with
829 different cryptographic algorithms. Even for the same algorithm,
830 conflicting zone KEY RRs may be present.
832 Zone KEY RRs, like all RRs, are only trusted if they are
833 authenticated by a SIG RR whose signer field is a signer for which
834 the resolver has a public key they trust and where resolver policy
835 permits that signer to sign for the KEY owner name. Untrusted zone
836 KEY RRs MUST be ignored in determining the security status of the
837 zone. However, there can be multiple sets of trusted zone KEY RRs
838 for a zone with different algorithms, signers, etc.
842 Eastlake Standards Track [Page 15]
844 RFC 2535 DNS Security Extensions March 1999
847 For any particular algorithm, zones can be (1) secure, indicating
848 that any retrieved RR must be authenticated by a SIG RR or it will be
849 discarded as bogus, (2) unsecured, indicating that SIG RRs are not
850 expected or required for RRs retrieved from the zone, or (3)
851 experimentally secure, which indicates that SIG RRs might or might
852 not be present but must be checked if found. The status of a zone is
853 determined as follows:
855 1. If, for a zone and algorithm, every trusted zone KEY RR for the
856 zone says there is no key for that zone, it is unsecured for that
859 2. If, there is at least one trusted no-key zone KEY RR and one
860 trusted key specifying zone KEY RR, then that zone is only
861 experimentally secure for the algorithm. Both authenticated and
862 non-authenticated RRs for it should be accepted by the resolver.
864 3. If every trusted zone KEY RR that the zone and algorithm has is
865 key specifying, then it is secure for that algorithm and only
866 authenticated RRs from it will be accepted.
870 (1) A resolver initially trusts only signatures by the superzone of
871 zone Z within the DNS hierarchy. Thus it will look only at the KEY
872 RRs that are signed by the superzone. If it finds only no-key KEY
873 RRs, it will assume the zone is not secure. If it finds only key
874 specifying KEY RRs, it will assume the zone is secure and reject any
875 unsigned responses. If it finds both, it will assume the zone is
876 experimentally secure
878 (2) A resolver trusts the superzone of zone Z (to which it got
879 securely from its local zone) and a third party, cert-auth.example.
880 When considering data from zone Z, it may be signed by the superzone
881 of Z, by cert-auth.example, by both, or by neither. The following
882 table indicates whether zone Z will be considered secure,
883 experimentally secure, or unsecured, depending on the signed zone KEY
886 c e r t - a u t h . e x a m p l e
888 KEY RRs| None | NoKeys | Mixed | Keys |
889 S --+-----------+-----------+----------+----------+
890 u None | illegal | unsecured | experim. | secure |
891 p --+-----------+-----------+----------+----------+
892 e NoKeys | unsecured | unsecured | experim. | secure |
893 r --+-----------+-----------+----------+----------+
894 Z Mixed | experim. | experim. | experim. | secure |
898 Eastlake Standards Track [Page 16]
900 RFC 2535 DNS Security Extensions March 1999
903 o --+-----------+-----------+----------+----------+
904 n Keys | secure | secure | secure | secure |
905 e +-----------+-----------+----------+----------+
907 3.5 KEY RRs in the Construction of Responses
909 An explicit request for KEY RRs does not cause any special additional
910 information processing except, of course, for the corresponding SIG
911 RR from a security aware server (see Section 4.2).
913 Security aware DNS servers include KEY RRs as additional information
914 in responses, where a KEY is available, in the following cases:
916 (1) On the retrieval of SOA or NS RRs, the KEY RRset with the same
917 name (perhaps just a zone key) SHOULD be included as additional
918 information if space is available. If not all additional information
919 will fit, type A and AAAA glue RRs have higher priority than KEY
922 (2) On retrieval of type A or AAAA RRs, the KEY RRset with the same
923 name (usually just a host RR and NOT the zone key (which usually
924 would have a different name)) SHOULD be included if space is
925 available. On inclusion of A or AAAA RRs as additional information,
926 the KEY RRset with the same name should also be included but with
927 lower priority than the A or AAAA RRs.
929 4. The SIG Resource Record
931 The SIG or "signature" resource record (RR) is the fundamental way
932 that data is authenticated in the secure Domain Name System (DNS). As
933 such it is the heart of the security provided.
935 The SIG RR unforgably authenticates an RRset [RFC 2181] of a
936 particular type, class, and name and binds it to a time interval and
937 the signer's domain name. This is done using cryptographic
938 techniques and the signer's private key. The signer is frequently
939 the owner of the zone from which the RR originated.
941 The type number for the SIG RR type is 24.
945 The RDATA portion of a SIG RR is as shown below. The integrity of
946 the RDATA information is protected by the signature field.
954 Eastlake Standards Track [Page 17]
956 RFC 2535 DNS Security Extensions March 1999
959 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
960 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
961 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
962 | type covered | algorithm | labels |
963 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
965 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
966 | signature expiration |
967 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
968 | signature inception |
969 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
971 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ signer's name +
973 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-/
977 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
979 4.1.1 Type Covered Field
981 The "type covered" is the type of the other RRs covered by this SIG.
983 4.1.2 Algorithm Number Field
985 This octet is as described in section 3.2.
989 The "labels" octet is an unsigned count of how many labels there are
990 in the original SIG RR owner name not counting the null label for
991 root and not counting any initial "*" for a wildcard. If a secured
992 retrieval is the result of wild card substitution, it is necessary
993 for the resolver to use the original form of the name in verifying
994 the digital signature. This field makes it easy to determine the
997 If, on retrieval, the RR appears to have a longer name than indicated
998 by "labels", the resolver can tell it is the result of wildcard
999 substitution. If the RR owner name appears to be shorter than the
1000 labels count, the SIG RR must be considered corrupt and ignored. The
1001 maximum number of labels allowed in the current DNS is 127 but the
1002 entire octet is reserved and would be required should DNS names ever
1003 be expanded to 255 labels. The following table gives some examples.
1004 The value of "labels" is at the top, the retrieved owner name on the
1005 left, and the table entry is the name to use in signature
1006 verification except that "bad" means the RR is corrupt.
1010 Eastlake Standards Track [Page 18]
1012 RFC 2535 DNS Security Extensions March 1999
1015 labels= | 0 | 1 | 2 | 3 | 4 |
1016 --------+-----+------+--------+----------+----------+
1017 .| . | bad | bad | bad | bad |
1018 d.| *. | d. | bad | bad | bad |
1019 c.d.| *. | *.d. | c.d. | bad | bad |
1020 b.c.d.| *. | *.d. | *.c.d. | b.c.d. | bad |
1021 a.b.c.d.| *. | *.d. | *.c.d. | *.b.c.d. | a.b.c.d. |
1023 4.1.4 Original TTL Field
1025 The "original TTL" field is included in the RDATA portion to avoid
1026 (1) authentication problems that caching servers would otherwise
1027 cause by decrementing the real TTL field and (2) security problems
1028 that unscrupulous servers could otherwise cause by manipulating the
1029 real TTL field. This original TTL is protected by the signature
1030 while the current TTL field is not.
1032 NOTE: The "original TTL" must be restored into the covered RRs when
1033 the signature is verified (see Section 8). This generaly implies
1034 that all RRs for a particular type, name, and class, that is, all the
1035 RRs in any particular RRset, must have the same TTL to start with.
1037 4.1.5 Signature Expiration and Inception Fields
1039 The SIG is valid from the "signature inception" time until the
1040 "signature expiration" time. Both are unsigned numbers of seconds
1041 since the start of 1 January 1970, GMT, ignoring leap seconds. (See
1042 also Section 4.4.) Ring arithmetic is used as for DNS SOA serial
1043 numbers [RFC 1982] which means that these times can never be more
1044 than about 68 years in the past or the future. This means that these
1045 times are ambiguous modulo ~136.09 years. However there is no
1046 security flaw because keys are required to be changed to new random
1047 keys by [RFC 2541] at least every five years. This means that the
1048 probability that the same key is in use N*136.09 years later should
1049 be the same as the probability that a random guess will work.
1051 A SIG RR may have an expiration time numerically less than the
1052 inception time if the expiration time is near the 32 bit wrap around
1053 point and/or the signature is long lived.
1055 (To prevent misordering of network requests to update a zone
1056 dynamically, monotonically increasing "signature inception" times may
1059 A secure zone must be considered changed for SOA serial number
1060 purposes not only when its data is updated but also when new SIG RRs
1061 are inserted (ie, the zone or any part of it is re-signed).
1066 Eastlake Standards Track [Page 19]
1068 RFC 2535 DNS Security Extensions March 1999
1073 The "key Tag" is a two octet quantity that is used to efficiently
1074 select between multiple keys which may be applicable and thus check
1075 that a public key about to be used for the computationally expensive
1076 effort to check the signature is possibly valid. For algorithm 1
1077 (MD5/RSA) as defined in [RFC 2537], it is the next to the bottom two
1078 octets of the public key modulus needed to decode the signature
1079 field. That is to say, the most significant 16 of the least
1080 significant 24 bits of the modulus in network (big endian) order. For
1081 all other algorithms, including private algorithms, it is calculated
1082 as a simple checksum of the KEY RR as described in Appendix C.
1084 4.1.7 Signer's Name Field
1086 The "signer's name" field is the domain name of the signer generating
1087 the SIG RR. This is the owner name of the public KEY RR that can be
1088 used to verify the signature. It is frequently the zone which
1089 contained the RRset being authenticated. Which signers should be
1090 authorized to sign what is a significant resolver policy question as
1091 discussed in Section 6. The signer's name may be compressed with
1092 standard DNS name compression when being transmitted over the
1095 4.1.8 Signature Field
1097 The actual signature portion of the SIG RR binds the other RDATA
1098 fields to the RRset of the "type covered" RRs with that owner name
1099 and class. This covered RRset is thereby authenticated. To
1100 accomplish this, a data sequence is constructed as follows:
1102 data = RDATA | RR(s)...
1104 where "|" is concatenation,
1106 RDATA is the wire format of all the RDATA fields in the SIG RR itself
1107 (including the canonical form of the signer's name) before but not
1108 including the signature, and
1110 RR(s) is the RRset of the RR(s) of the type covered with the same
1111 owner name and class as the SIG RR in canonical form and order as
1112 defined in Section 8.
1114 How this data sequence is processed into the signature is algorithm
1115 dependent. These algorithm dependent formats and procedures are
1116 described in separate documents (Section 3.2).
1122 Eastlake Standards Track [Page 20]
1124 RFC 2535 DNS Security Extensions March 1999
1127 SIGs SHOULD NOT be included in a zone for any "meta-type" such as
1128 ANY, AXFR, etc. (but see section 5.6.2 with regard to IXFR).
1130 4.1.8.1 Calculating Transaction and Request SIGs
1132 A response message from a security aware server may optionally
1133 contain a special SIG at the end of the additional information
1134 section to authenticate the transaction.
1136 This SIG has a "type covered" field of zero, which is not a valid RR
1137 type. It is calculated by using a "data" (see Section 4.1.8) of the
1138 entire preceding DNS reply message, including DNS header but not the
1139 IP header and before the reply RR counts have been adjusted for the
1140 inclusion of any transaction SIG, concatenated with the entire DNS
1141 query message that produced this response, including the query's DNS
1142 header and any request SIGs but not its IP header. That is
1144 data = full response (less transaction SIG) | full query
1146 Verification of the transaction SIG (which is signed by the server
1147 host key, not the zone key) by the requesting resolver shows that the
1148 query and response were not tampered with in transit, that the
1149 response corresponds to the intended query, and that the response
1150 comes from the queried server.
1152 A DNS request may be optionally signed by including one or more SIGs
1153 at the end of the query. Such SIGs are identified by having a "type
1154 covered" field of zero. They sign the preceding DNS request message
1155 including DNS header but not including the IP header or any request
1156 SIGs at the end and before the request RR counts have been adjusted
1157 for the inclusions of any request SIG(s).
1159 WARNING: Request SIGs are unnecessary for any currently defined
1160 request other than update [RFC 2136, 2137] and will cause some old
1161 DNS servers to give an error return or ignore a query. However, such
1162 SIGs may in the future be needed for other requests.
1164 Except where needed to authenticate an update or similar privileged
1165 request, servers are not required to check request SIGs.
1167 4.2 SIG RRs in the Construction of Responses
1169 Security aware DNS servers SHOULD, for every authenticated RRset the
1170 query will return, attempt to send the available SIG RRs which
1171 authenticate the requested RRset. The following rules apply to the
1172 inclusion of SIG RRs in responses:
1178 Eastlake Standards Track [Page 21]
1180 RFC 2535 DNS Security Extensions March 1999
1183 1. when an RRset is placed in a response, its SIG RR has a higher
1184 priority for inclusion than additional RRs that may need to be
1185 included. If space does not permit its inclusion, the response
1186 MUST be considered truncated except as provided in 2 below.
1188 2. When a SIG RR is present in the zone for an additional
1189 information section RR, the response MUST NOT be considered
1190 truncated merely because space does not permit the inclusion of
1191 the SIG RR with the additional information.
1193 3. SIGs to authenticate glue records and NS RRs for subzones at a
1194 delegation point are unnecessary and MUST NOT be sent.
1196 4. If a SIG covers any RR that would be in the answer section of
1197 the response, its automatic inclusion MUST be in the answer
1198 section. If it covers an RR that would appear in the authority
1199 section, its automatic inclusion MUST be in the authority
1200 section. If it covers an RR that would appear in the additional
1201 information section it MUST appear in the additional information
1202 section. This is a change in the existing standard [RFCs 1034,
1203 1035] which contemplates only NS and SOA RRs in the authority
1206 5. Optionally, DNS transactions may be authenticated by a SIG RR at
1207 the end of the response in the additional information section
1208 (Section 4.1.8.1). Such SIG RRs are signed by the DNS server
1209 originating the response. Although the signer field MUST be a
1210 name of the originating server host, the owner name, class, TTL,
1211 and original TTL, are meaningless. The class and TTL fields
1212 SHOULD be zero. To conserve space, the owner name SHOULD be
1213 root (a single zero octet). If transaction authentication is
1214 desired, that SIG RR must be considered the highest priority for
1217 4.3 Processing Responses and SIG RRs
1219 The following rules apply to the processing of SIG RRs included in a
1222 1. A security aware resolver that receives a response from a
1223 security aware server via a secure communication with the AD bit
1224 (see Section 6.1) set, MAY choose to accept the RRs as received
1225 without verifying the zone SIG RRs.
1227 2. In other cases, a security aware resolver SHOULD verify the SIG
1228 RRs for the RRs of interest. This may involve initiating
1229 additional queries for SIG or KEY RRs, especially in the case of
1234 Eastlake Standards Track [Page 22]
1236 RFC 2535 DNS Security Extensions March 1999
1239 getting a response from a server that does not implement
1240 security. (As explained in 2.3.5 above, it will not be possible
1241 to secure CNAMEs being served up by non-secure resolvers.)
1243 NOTE: Implementers might expect the above SHOULD to be a MUST.
1244 However, local policy or the calling application may not require
1245 the security services.
1247 3. If SIG RRs are received in response to a user query explicitly
1248 specifying the SIG type, no special processing is required.
1250 If the message does not pass integrity checks or the SIG does not
1251 check against the signed RRs, the SIG RR is invalid and should be
1252 ignored. If all of the SIG RR(s) purporting to authenticate an RRset
1253 are invalid, then the RRset is not authenticated.
1255 If the SIG RR is the last RR in a response in the additional
1256 information section and has a type covered of zero, it is a
1257 transaction signature of the response and the query that produced the
1258 response. It MAY be optionally checked and the message rejected if
1259 the checks fail. But even if the checks succeed, such a transaction
1260 authentication SIG does NOT directly authenticate any RRs in the
1261 message. Only a proper SIG RR signed by the zone or a key tracing
1262 its authority to the zone or to static resolver configuration can
1263 directly authenticate RRs, depending on resolver policy (see Section
1264 6). If a resolver does not implement transaction and/or request
1265 SIGs, it MUST ignore them without error.
1267 If all checks indicate that the SIG RR is valid then RRs verified by
1268 it should be considered authenticated.
1270 4.4 Signature Lifetime, Expiration, TTLs, and Validity
1272 Security aware servers MUST NOT consider SIG RRs to authenticate
1273 anything before their signature inception or after its expiration
1274 time (see also Section 6). Security aware servers MUST NOT consider
1275 any RR to be authenticated after all its signatures have expired.
1276 When a secure server caches authenticated data, if the TTL would
1277 expire at a time further in the future than the authentication
1278 expiration time, the server SHOULD trim the TTL in the cache entry
1279 not to extent beyond the authentication expiration time. Within
1280 these constraints, servers should continue to follow DNS TTL aging.
1281 Thus authoritative servers should continue to follow the zone refresh
1282 and expire parameters and a non-authoritative server should count
1283 down the TTL and discard RRs when the TTL is zero (even for a SIG
1284 that has not yet reached its authentication expiration time). In
1285 addition, when RRs are transmitted in a query response, the TTL
1290 Eastlake Standards Track [Page 23]
1292 RFC 2535 DNS Security Extensions March 1999
1295 should be trimmed so that current time plus the TTL does not extend
1296 beyond the authentication expiration time. Thus, in general, the TTL
1297 on a transmitted RR would be
1299 min(authExpTim,max(zoneMinTTL,min(originalTTL,currentTTL)))
1301 When signatures are generated, signature expiration times should be
1302 set far enough in the future that it is quite certain that new
1303 signatures can be generated before the old ones expire. However,
1304 setting expiration too far into the future could mean a long time to
1305 flush any bad data or signatures that may have been generated.
1307 It is recommended that signature lifetime be a small multiple of the
1308 TTL (ie, 4 to 16 times the TTL) but not less than a reasonable
1309 maximum re-signing interval and not less than the zone expiry time.
1311 5. Non-existent Names and Types
1313 The SIG RR mechanism described in Section 4 above provides strong
1314 authentication of RRs that exist in a zone. But it is not clear
1315 above how to verifiably deny the existence of a name in a zone or a
1316 type for an existent name.
1318 The nonexistence of a name in a zone is indicated by the NXT ("next")
1319 RR for a name interval containing the nonexistent name. An NXT RR or
1320 RRs and its or their SIG(s) are returned in the authority section,
1321 along with the error, if the server is security aware. The same is
1322 true for a non-existent type under an existing name except that there
1323 is no error indication other than an empty answer section
1324 accompanying the NXT(s). This is a change in the existing standard
1325 [RFCs 1034/1035] which contemplates only NS and SOA RRs in the
1326 authority section. NXT RRs will also be returned if an explicit query
1327 is made for the NXT type.
1329 The existence of a complete set of NXT records in a zone means that
1330 any query for any name and any type to a security aware server
1331 serving the zone will result in an reply containing at least one
1332 signed RR unless it is a query for delegation point NS or glue A or
1335 5.1 The NXT Resource Record
1337 The NXT resource record is used to securely indicate that RRs with an
1338 owner name in a certain name interval do not exist in a zone and to
1339 indicate what RR types are present for an existing name.
1346 Eastlake Standards Track [Page 24]
1348 RFC 2535 DNS Security Extensions March 1999
1351 The owner name of the NXT RR is an existing name in the zone. It's
1352 RDATA is a "next" name and a type bit map. Thus the NXT RRs in a zone
1353 create a chain of all of the literal owner names in that zone,
1354 including unexpanded wildcards but omitting the owner name of glue
1355 address records unless they would otherwise be included. This implies
1356 a canonical ordering of all domain names in a zone as described in
1357 Section 8. The presence of the NXT RR means that no name between its
1358 owner name and the name in its RDATA area exists and that no other
1359 types exist under its owner name.
1361 There is a potential problem with the last NXT in a zone as it wants
1362 to have an owner name which is the last existing name in canonical
1363 order, which is easy, but it is not obvious what name to put in its
1364 RDATA to indicate the entire remainder of the name space. This is
1365 handled by treating the name space as circular and putting the zone
1366 name in the RDATA of the last NXT in a zone.
1368 The NXT RRs for a zone SHOULD be automatically calculated and added
1369 to the zone when SIGs are added. The NXT RR's TTL SHOULD NOT exceed
1370 the zone minimum TTL.
1372 The type number for the NXT RR is 30.
1374 NXT RRs are only signed by zone level keys.
1376 5.2 NXT RDATA Format
1378 The RDATA for an NXT RR consists simply of a domain name followed by
1379 a bit map, as shown below.
1381 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
1382 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1383 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1384 | next domain name /
1385 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1387 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1389 The NXT RR type bit map format currently defined is one bit per RR
1390 type present for the owner name. A one bit indicates that at least
1391 one RR of that type is present for the owner name. A zero indicates
1392 that no such RR is present. All bits not specified because they are
1393 beyond the end of the bit map are assumed to be zero. Note that bit
1394 30, for NXT, will always be on so the minimum bit map length is
1395 actually four octets. Trailing zero octets are prohibited in this
1396 format. The first bit represents RR type zero (an illegal type which
1397 can not be present) and so will be zero in this format. This format
1398 is not used if there exists an RR with a type number greater than
1402 Eastlake Standards Track [Page 25]
1404 RFC 2535 DNS Security Extensions March 1999
1407 127. If the zero bit of the type bit map is a one, it indicates that
1408 a different format is being used which will always be the case if a
1409 type number greater than 127 is present.
1411 The domain name may be compressed with standard DNS name compression
1412 when being transmitted over the network. The size of the bit map can
1413 be inferred from the RDLENGTH and the length of the next domain name.
1415 5.3 Additional Complexity Due to Wildcards
1417 Proving that a non-existent name response is correct or that a
1418 wildcard expansion response is correct makes things a little more
1421 In particular, when a non-existent name response is returned, an NXT
1422 must be returned showing that the exact name queried did not exist
1423 and, in general, one or more additional NXT's need to be returned to
1424 also prove that there wasn't a wildcard whose expansion should have
1425 been returned. (There is no need to return multiple copies of the
1426 same NXT.) These NXTs, if any, are returned in the authority section
1429 Furthermore, if a wildcard expansion is returned in a response, in
1430 general one or more NXTs needs to also be returned in the authority
1431 section to prove that no more specific name (including possibly more
1432 specific wildcards in the zone) existed on which the response should
1437 Assume zone foo.nil has entries for
1444 Then a query to a security aware server for huge.foo.nil would
1445 produce an error reply with an RCODE of NXDOMAIN and the authority
1446 section data including something like the following:
1458 Eastlake Standards Track [Page 26]
1460 RFC 2535 DNS Security Extensions March 1999
1463 foo.nil. NXT big.foo.nil NS KEY SOA NXT ;prove no *.foo.nil
1464 foo.nil. SIG NXT 1 2 ( ;type-cov=NXT, alg=1, labels=2
1465 19970102030405 ;signature expiration
1466 19961211100908 ;signature inception
1467 2143 ;key identifier
1469 AIYADP8d3zYNyQwW2EM4wXVFdslEJcUx/fxkfBeH1El4ixPFhpfHFElxbvKoWmvjDTCm
1470 fiYy2X+8XpFjwICHc398kzWsTMKlxovpz2FnCTM= ;signature (640 bits)
1472 big.foo.nil. NXT medium.foo.nil. A MX SIG NXT ;prove no huge.foo.nil
1473 big.foo.nil. SIG NXT 1 3 ( ;type-cov=NXT, alg=1, labels=3
1474 19970102030405 ;signature expiration
1475 19961211100908 ;signature inception
1476 2143 ;key identifier
1478 MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45IkskceFGgiWCn/GxHhai6VAuHAoNUz4YoU
1479 1tVfSCSqQYn6//11U6Nld80jEeC8aTrO+KKmCaY= ;signature (640 bits)
1481 Note that this response implies that big.foo.nil is an existing name
1482 in the zone and thus has other RR types associated with it than NXT.
1483 However, only the NXT (and its SIG) RR appear in the response to this
1484 query for huge.foo.nil, which is a non-existent name.
1486 5.5 Special Considerations at Delegation Points
1488 A name (other than root) which is the head of a zone also appears as
1489 the leaf in a superzone. If both are secure, there will always be
1490 two different NXT RRs with the same name. They can be easily
1491 distinguished by their signers, the next domain name fields, the
1492 presence of the SOA type bit, etc. Security aware servers should
1493 return the correct NXT automatically when required to authenticate
1494 the non-existence of a name and both NXTs, if available, on explicit
1497 Non-security aware servers will never automatically return an NXT and
1498 some old implementations may only return the NXT from the subzone on
1503 The subsections below describe how full and incremental zone
1504 transfers are secured.
1506 SIG RRs secure all authoritative RRs transferred for both full and
1507 incremental [RFC 1995] zone transfers. NXT RRs are an essential
1508 element in secure zone transfers and assure that every authoritative
1509 name and type will be present; however, if there are multiple SIGs
1510 with the same name and type covered, a subset of the SIGs could be
1514 Eastlake Standards Track [Page 27]
1516 RFC 2535 DNS Security Extensions March 1999
1519 sent as long as at least one is present and, in the case of unsigned
1520 delegation point NS or glue A or AAAA RRs a subset of these RRs or
1521 simply a modified set could be sent as long as at least one of each
1524 When an incremental or full zone transfer request is received with
1525 the same or newer version number than that of the server's copy of
1526 the zone, it is replied to with just the SOA RR of the server's
1527 current version and the SIG RRset verifying that SOA RR.
1529 The complete NXT chains specified in this document enable a resolver
1530 to obtain, by successive queries chaining through NXTs, all of the
1531 names in a zone even if zone transfers are prohibited. Different
1532 format NXTs may be specified in the future to avoid this.
1534 5.6.1 Full Zone Transfers
1536 To provide server authentication that a complete transfer has
1537 occurred, transaction authentication SHOULD be used on full zone
1538 transfers. This provides strong server based protection for the
1539 entire zone in transit.
1541 5.6.2 Incremental Zone Transfers
1543 Individual RRs in an incremental (IXFR) transfer [RFC 1995] can be
1544 verified in the same way as for a full zone transfer and the
1545 integrity of the NXT name chain and correctness of the NXT type bits
1546 for the zone after the incremental RR deletes and adds can check each
1547 disjoint area of the zone updated. But the completeness of an
1548 incremental transfer can not be confirmed because usually neither the
1549 deleted RR section nor the added RR section has a compete zone NXT
1550 chain. As a result, a server which securely supports IXFR must
1551 handle IXFR SIG RRs for each incremental transfer set that it
1554 The IXFR SIG is calculated over the incremental zone update
1555 collection of RRs in the order in which it is transmitted: old SOA,
1556 then deleted RRs, then new SOA and added RRs. Within each section,
1557 RRs must be ordered as specified in Section 8. If condensation of
1558 adjacent incremental update sets is done by the zone owner, the
1559 original IXFR SIG for each set included in the condensation must be
1560 discarded and a new on IXFR SIG calculated to cover the resulting
1563 The IXFR SIG really belongs to the zone as a whole, not to the zone
1564 name. Although it SHOULD be correct for the zone name, the labels
1565 field of an IXFR SIG is otherwise meaningless. The IXFR SIG is only
1566 sent as part of an incremental zone transfer. After validation of
1570 Eastlake Standards Track [Page 28]
1572 RFC 2535 DNS Security Extensions March 1999
1575 the IXFR SIG, the transferred RRs MAY be considered valid without
1576 verification of the internal SIGs if such trust in the server
1577 conforms to local policy.
1579 6. How to Resolve Securely and the AD and CD Bits
1581 Retrieving or resolving secure data from the Domain Name System (DNS)
1582 involves starting with one or more trusted public keys that have been
1583 staticly configured at the resolver. With starting trusted keys, a
1584 resolver willing to perform cryptography can progress securely
1585 through the secure DNS structure to the zone of interest as described
1586 in Section 6.3. Such trusted public keys would normally be configured
1587 in a manner similar to that described in Section 6.2. However, as a
1588 practical matter, a security aware resolver would still gain some
1589 confidence in the results it returns even if it was not configured
1590 with any keys but trusted what it got from a local well known server
1591 as if it were staticly configured.
1593 Data stored at a security aware server needs to be internally
1594 categorized as Authenticated, Pending, or Insecure. There is also a
1595 fourth transient state of Bad which indicates that all SIG checks
1596 have explicitly failed on the data. Such Bad data is not retained at
1597 a security aware server. Authenticated means that the data has a
1598 valid SIG under a KEY traceable via a chain of zero or more SIG and
1599 KEY RRs allowed by the resolvers policies to a KEY staticly
1600 configured at the resolver. Pending data has no authenticated SIGs
1601 and at least one additional SIG the resolver is still trying to
1602 authenticate. Insecure data is data which it is known can never be
1603 either Authenticated or found Bad in the zone where it was found
1604 because it is in or has been reached via a unsecured zone or because
1605 it is unsigned glue address or delegation point NS data. Behavior in
1606 terms of control of and flagging based on such data labels is
1607 described in Section 6.1.
1609 The proper validation of signatures requires a reasonably secure
1610 shared opinion of the absolute time between resolvers and servers as
1611 described in Section 6.4.
1613 6.1 The AD and CD Header Bits
1615 Two previously unused bits are allocated out of the DNS
1616 query/response format header. The AD (authentic data) bit indicates
1617 in a response that all the data included in the answer and authority
1618 portion of the response has been authenticated by the server
1619 according to the policies of that server. The CD (checking disabled)
1620 bit indicates in a query that Pending (non-authenticated) data is
1621 acceptable to the resolver sending the query.
1626 Eastlake Standards Track [Page 29]
1628 RFC 2535 DNS Security Extensions March 1999
1631 These bits are allocated from the previously must-be-zero Z field as
1635 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
1636 +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
1638 +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
1639 |QR| Opcode |AA|TC|RD|RA| Z|AD|CD| RCODE |
1640 +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
1642 +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
1644 +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
1646 +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
1648 +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
1650 These bits are zero in old servers and resolvers. Thus the responses
1651 of old servers are not flagged as authenticated to security aware
1652 resolvers and queries from non-security aware resolvers do not assert
1653 the checking disabled bit and thus will be answered by security aware
1654 servers only with Authenticated or Insecure data. Security aware
1655 resolvers MUST NOT trust the AD bit unless they trust the server they
1656 are talking to and either have a secure path to it or use DNS
1657 transaction security.
1659 Any security aware resolver willing to do cryptography SHOULD assert
1660 the CD bit on all queries to permit it to impose its own policies and
1661 to reduce DNS latency time by allowing security aware servers to
1662 answer with Pending data.
1664 Security aware servers MUST NOT return Bad data. For non-security
1665 aware resolvers or security aware resolvers requesting service by
1666 having the CD bit clear, security aware servers MUST return only
1667 Authenticated or Insecure data in the answer and authority sections
1668 with the AD bit set in the response. Security aware servers SHOULD
1669 return Pending data, with the AD bit clear in the response, to
1670 security aware resolvers requesting this service by asserting the CD
1671 bit in their request. The AD bit MUST NOT be set on a response
1672 unless all of the RRs in the answer and authority sections of the
1673 response are either Authenticated or Insecure. The AD bit does not
1674 cover the additional information section.
1682 Eastlake Standards Track [Page 30]
1684 RFC 2535 DNS Security Extensions March 1999
1687 6.2 Staticly Configured Keys
1689 The public key to authenticate a zone SHOULD be defined in local
1690 configuration files before that zone is loaded at the primary server
1691 so the zone can be authenticated.
1693 While it might seem logical for everyone to start with a public key
1694 associated with the root zone and staticly configure this in every
1695 resolver, this has problems. The logistics of updating every DNS
1696 resolver in the world should this key ever change would be severe.
1697 Furthermore, many organizations will explicitly wish their "interior"
1698 DNS implementations to completely trust only their own DNS servers.
1699 Interior resolvers of such organizations can then go through the
1700 organization's zone servers to access data outside the organization's
1701 domain and need not be configured with keys above the organization's
1704 Host resolvers that are not part of a larger organization may be
1705 configured with a key for the domain of their local ISP whose
1706 recursive secure DNS caching server they use.
1708 6.3 Chaining Through The DNS
1710 Starting with one or more trusted keys for any zone, it should be
1711 possible to retrieve signed keys for that zone's subzones which have
1712 a key. A secure sub-zone is indicated by a KEY RR with non-null key
1713 information appearing with the NS RRs in the sub-zone and which may
1714 also be present in the parent. These make it possible to descend
1715 within the tree of zones.
1717 6.3.1 Chaining Through KEYs
1719 In general, some RRset that you wish to validate in the secure DNS
1720 will be signed by one or more SIG RRs. Each of these SIG RRs has a
1721 signer under whose name is stored the public KEY to use in
1722 authenticating the SIG. Each of those KEYs will, generally, also be
1723 signed with a SIG. And those SIGs will have signer names also
1724 referring to KEYs. And so on. As a result, authentication leads to
1725 chains of alternating SIG and KEY RRs with the first SIG signing the
1726 original data whose authenticity is to be shown and the final KEY
1727 being some trusted key staticly configured at the resolver performing
1730 In testing such a chain, the validity periods of the SIGs encountered
1731 must be intersected to determine the validity period of the
1732 authentication of the data, a purely algorithmic process. In
1733 addition, the validation of each SIG over the data with reference to
1734 a KEY must meet the objective cryptographic test implied by the
1738 Eastlake Standards Track [Page 31]
1740 RFC 2535 DNS Security Extensions March 1999
1743 cryptographic algorithm used (although even here the resolver may
1744 have policies as to trusted algorithms and key lengths). Finally,
1745 the judgement that a SIG with a particular signer name can
1746 authenticate data (possibly a KEY RRset) with a particular owner
1747 name, is primarily a policy question. Ultimately, this is a policy
1748 local to the resolver and any clients that depend on that resolver's
1749 decisions. It is, however, recommended, that the policy below be
1752 Let A < B mean that A is a shorter domain name than B formed by
1753 dropping one or more whole labels from the left end of B, i.e.,
1754 A is a direct or indirect superdomain of B. Let A = B mean that
1755 A and B are the same domain name (i.e., are identical after
1756 letter case canonicalization). Let A > B mean that A is a
1757 longer domain name than B formed by adding one or more whole
1758 labels on the left end of B, i.e., A is a direct or indirect
1761 Let Static be the owner names of the set of staticly configured
1762 trusted keys at a resolver.
1764 Then Signer is a valid signer name for a SIG authenticating an
1765 RRset (possibly a KEY RRset) with owner name Owner at the
1766 resolver if any of the following three rules apply:
1768 (1) Owner > or = Signer (except that if Signer is root, Owner
1769 must be root or a top level domain name). That is, Owner is the
1770 same as or a subdomain of Signer.
1772 (2) ( Owner < Signer ) and ( Signer > or = some Static ). That
1773 is, Owner is a superdomain of Signer and Signer is staticly
1774 configured or a subdomain of a staticly configured key.
1776 (3) Signer = some Static. That is, the signer is exactly some
1777 staticly configured key.
1779 Rule 1 is the rule for descending the DNS tree and includes a special
1780 prohibition on the root zone key due to the restriction that the root
1781 zone be only one label deep. This is the most fundamental rule.
1783 Rule 2 is the rule for ascending the DNS tree from one or more
1784 staticly configured keys. Rule 2 has no effect if only root zone
1785 keys are staticly configured.
1787 Rule 3 is a rule permitting direct cross certification. Rule 3 has
1788 no effect if only root zone keys are staticly configured.
1794 Eastlake Standards Track [Page 32]
1796 RFC 2535 DNS Security Extensions March 1999
1799 Great care should be taken that the consequences have been fully
1800 considered before making any local policy adjustments to these rules
1801 (other than dispensing with rules 2 and 3 if only root zone keys are
1802 staticly configured).
1804 6.3.2 Conflicting Data
1806 It is possible that there will be multiple SIG-KEY chains that appear
1807 to authenticate conflicting RRset answers to the same query. A
1808 resolver should choose only the most reliable answer to return and
1809 discard other data. This choice of most reliable is a matter of
1810 local policy which could take into account differing trust in
1811 algorithms, key sizes, staticly configured keys, zones traversed,
1812 etc. The technique given below is recommended for taking into
1813 account SIG-KEY chain length.
1815 A resolver should keep track of the number of successive secure zones
1816 traversed from a staticly configured key starting point to any secure
1817 zone it can reach. In general, the lower such a distance number is,
1818 the greater the confidence in the data. Staticly configured data
1819 should be given a distance number of zero. If a query encounters
1820 different Authenticated data for the same query with different
1821 distance values, that with a larger value should be ignored unless
1822 some other local policy covers the case.
1824 A security conscious resolver should completely refuse to step from a
1825 secure zone into a unsecured zone unless the unsecured zone is
1826 certified to be non-secure by the presence of an authenticated KEY RR
1827 for the unsecured zone with the no-key type value. Otherwise the
1828 resolver is getting bogus or spoofed data.
1830 If legitimate unsecured zones are encountered in traversing the DNS
1831 tree, then no zone can be trusted as secure that can be reached only
1832 via information from such non-secure zones. Since the unsecured zone
1833 data could have been spoofed, the "secure" zone reached via it could
1834 be counterfeit. The "distance" to data in such zones or zones
1835 reached via such zones could be set to 256 or more as this exceeds
1836 the largest possible distance through secure zones in the DNS.
1840 Coordinated interpretation of the time fields in SIG RRs requires
1841 that reasonably consistent time be available to the hosts
1842 implementing the DNS security extensions.
1844 A variety of time synchronization protocols exist including the
1845 Network Time Protocol (NTP [RFC 1305, 2030]). If such protocols are
1846 used, they MUST be used securely so that time can not be spoofed.
1850 Eastlake Standards Track [Page 33]
1852 RFC 2535 DNS Security Extensions March 1999
1855 Otherwise, for example, a host could get its clock turned back and
1856 might then believe old SIG RRs, and the data they authenticate, which
1857 were valid but are no longer.
1859 7. ASCII Representation of Security RRs
1861 This section discusses the format for master file and other ASCII
1862 presentation of the three DNS security resource records.
1864 The algorithm field in KEY and SIG RRs can be represented as either
1865 an unsigned integer or symbolicly. The following initial symbols are
1866 defined as indicated:
1878 7.1 Presentation of KEY RRs
1880 KEY RRs may appear as single logical lines in a zone data master file
1883 The flag field is represented as an unsigned integer or a sequence of
1884 mnemonics as follows separated by instances of the verticle bar ("|")
1887 BIT Mnemonic Explanation
1889 NOCONF =1 confidentiality use prohibited
1890 NOAUTH =2 authentication use prohibited
1891 NOKEY =3 no key present
1893 3 EXTEND flags extension
1897 USER =0 (default, may be omitted)
1899 HOST =2 (host or other end entity)
1906 Eastlake Standards Track [Page 34]
1908 RFC 2535 DNS Security Extensions March 1999
1911 10 FLAG10 - reserved
1912 11 FLAG11 - reserved
1913 12-15 signatory field, values 0 to 15
1914 can be represented by SIG0, SIG1, ... SIG15
1916 No flag mnemonic need be present if the bit or field it represents is
1919 The protocol octet can be represented as either an unsigned integer
1920 or symbolicly. The following initial symbols are defined:
1929 Note that if the type flags field has the NOKEY value, nothing
1930 appears after the algorithm octet.
1932 The remaining public key portion is represented in base 64 (see
1933 Appendix A) and may be divided up into any number of white space
1934 separated substrings, down to single base 64 digits, which are
1935 concatenated to obtain the full signature. These substrings can span
1936 lines using the standard parenthesis.
1938 Note that the public key may have internal sub-fields but these do
1939 not appear in the master file representation. For example, with
1940 algorithm 1 there is a public exponent size, then a public exponent,
1941 and then a modulus. With algorithm 254, there will be an OID size,
1942 an OID, and algorithm dependent information. But in both cases only a
1943 single logical base 64 string will appear in the master file.
1945 7.2 Presentation of SIG RRs
1947 A data SIG RR may be represented as a single logical line in a zone
1948 data file [RFC 1033] but there are some special considerations as
1949 described below. (It does not make sense to include a transaction or
1950 request authenticating SIG RR in a file as they are a transient
1951 authentication that covers data including an ephemeral transaction
1952 number and so must be calculated in real time.)
1954 There is no particular problem with the signer, covered type, and
1955 times. The time fields appears in the form YYYYMMDDHHMMSS where YYYY
1956 is the year, the first MM is the month number (01-12), DD is the day
1957 of the month (01-31), HH is the hour in 24 hours notation (00-23),
1958 the second MM is the minute (00-59), and SS is the second (00-59).
1962 Eastlake Standards Track [Page 35]
1964 RFC 2535 DNS Security Extensions March 1999
1967 The original TTL field appears as an unsigned integer.
1969 If the original TTL, which applies to the type signed, is the same as
1970 the TTL of the SIG RR itself, it may be omitted. The date field
1971 which follows it is larger than the maximum possible TTL so there is
1974 The "labels" field appears as an unsigned integer.
1976 The key tag appears as an unsigned number.
1978 However, the signature itself can be very long. It is the last data
1979 field and is represented in base 64 (see Appendix A) and may be
1980 divided up into any number of white space separated substrings, down
1981 to single base 64 digits, which are concatenated to obtain the full
1982 signature. These substrings can be split between lines using the
1983 standard parenthesis.
1985 7.3 Presentation of NXT RRs
1987 NXT RRs do not appear in original unsigned zone master files since
1988 they should be derived from the zone as it is being signed. If a
1989 signed file with NXTs added is printed or NXTs are printed by
1990 debugging code, they appear as the next domain name followed by the
1991 RR type present bits as an unsigned interger or sequence of RR
1994 8. Canonical Form and Order of Resource Records
1996 This section specifies, for purposes of domain name system (DNS)
1997 security, the canonical form of resource records (RRs), their name
1998 order, and their overall order. A canonical name order is necessary
1999 to construct the NXT name chain. A canonical form and ordering
2000 within an RRset is necessary in consistently constructing and
2001 verifying SIG RRs. A canonical ordering of types within a name is
2002 required in connection with incremental transfer (Section 5.6.2).
2004 8.1 Canonical RR Form
2006 For purposes of DNS security, the canonical form for an RR is the
2007 wire format of the RR with domain names (1) fully expanded (no name
2008 compression via pointers), (2) all domain name letters set to lower
2009 case, (3) owner name wild cards in master file form (no substitution
2010 made for *), and (4) the original TTL substituted for the current
2018 Eastlake Standards Track [Page 36]
2020 RFC 2535 DNS Security Extensions March 1999
2023 8.2 Canonical DNS Name Order
2025 For purposes of DNS security, the canonical ordering of owner names
2026 is to sort individual labels as unsigned left justified octet strings
2027 where the absence of a octet sorts before a zero value octet and
2028 upper case letters are treated as lower case letters. Names in a
2029 zone are sorted by sorting on the highest level label and then,
2030 within those names with the same highest level label by the next
2031 lower label, etc. down to leaf node labels. Within a zone, the zone
2032 name itself always exists and all other names are the zone name with
2033 some prefix of lower level labels. Thus the zone name itself always
2039 yljkjljk.a.foo.example
2046 8.3 Canonical RR Ordering Within An RRset
2048 Within any particular owner name and type, RRs are sorted by RDATA as
2049 a left justified unsigned octet sequence where the absence of an
2050 octet sorts before the zero octet.
2052 8.4 Canonical Ordering of RR Types
2054 When RRs of the same name but different types must be ordered, they
2055 are ordered by type, considering the type to be an unsigned integer,
2056 except that SIG RRs are placed immediately after the type they cover.
2057 Thus, for example, an A record would be put before an MX record
2058 because A is type 1 and MX is type 15 but if both were signed, the
2059 order would be A < SIG(A) < MX < SIG(MX).
2063 Levels of server and resolver conformance are defined below.
2065 9.1 Server Conformance
2067 Two levels of server conformance for DNS security are defined as
2074 Eastlake Standards Track [Page 37]
2076 RFC 2535 DNS Security Extensions March 1999
2079 BASIC: Basic server compliance is the ability to store and retrieve
2080 (including zone transfer) SIG, KEY, and NXT RRs. Any secondary or
2081 caching server for a secure zone MUST have at least basic compliance
2082 and even then some things, such as secure CNAMEs, will not work
2083 without full compliance.
2085 FULL: Full server compliance adds the following to basic compliance:
2086 (1) ability to read SIG, KEY, and NXT RRs in zone files and (2)
2087 ability, given a zone file and private key, to add appropriate SIG
2088 and NXT RRs, possibly via a separate application, (3) proper
2089 automatic inclusion of SIG, KEY, and NXT RRs in responses, (4)
2090 suppression of CNAME following on retrieval of the security type RRs,
2091 (5) recognize the CD query header bit and set the AD query header
2092 bit, as appropriate, and (6) proper handling of the two NXT RRs at
2093 delegation points. Primary servers for secure zones MUST be fully
2094 compliant and for complete secure operation, all secondary, caching,
2095 and other servers handling the zone SHOULD be fully compliant as
2098 9.2 Resolver Conformance
2100 Two levels of resolver compliance (including the resolver portion of
2101 a server) are defined for DNS Security:
2103 BASIC: A basic compliance resolver can handle SIG, KEY, and NXT RRs
2104 when they are explicitly requested.
2106 FULL: A fully compliant resolver (1) understands KEY, SIG, and NXT
2107 RRs including verification of SIGs at least for the mandatory
2108 algorithm, (2) maintains appropriate information in its local caches
2109 and database to indicate which RRs have been authenticated and to
2110 what extent they have been authenticated, (3) performs additional
2111 queries as necessary to attempt to obtain KEY, SIG, or NXT RRs when
2112 needed, (4) normally sets the CD query header bit on its queries.
2114 10. Security Considerations
2116 This document specifies extensions to the Domain Name System (DNS)
2117 protocol to provide data integrity and data origin authentication,
2118 public key distribution, and optional transaction and request
2121 It should be noted that, at most, these extensions guarantee the
2122 validity of resource records, including KEY resource records,
2123 retrieved from the DNS. They do not magically solve other security
2124 problems. For example, using secure DNS you can have high confidence
2125 in the IP address you retrieve for a host name; however, this does
2126 not stop someone for substituting an unauthorized host at that
2130 Eastlake Standards Track [Page 38]
2132 RFC 2535 DNS Security Extensions March 1999
2135 address or capturing packets sent to that address and falsely
2136 responding with packets apparently from that address. Any reasonably
2137 complete security system will require the protection of many
2138 additional facets of the Internet beyond DNS.
2140 The implementation of NXT RRs as described herein enables a resolver
2141 to determine all the names in a zone even if zone transfers are
2142 prohibited (section 5.6). This is an active area of work and may
2145 A number of precautions in DNS implementation have evolved over the
2146 years to harden the insecure DNS against spoofing. These precautions
2147 should not be abandoned but should be considered to provide
2148 additional protection in case of key compromise in secure DNS.
2150 11. IANA Considerations
2152 KEY RR flag bits 2 and 8-11 and all flag extension field bits can be
2153 assigned by IETF consensus as defined in RFC 2434. The remaining
2154 values of the NAMTYP flag field and flag bits 4 and 5 (which could
2155 conceivably become an extension of the NAMTYP field) can only be
2156 assigned by an IETF Standards Action [RFC 2434].
2158 Algorithm numbers 5 through 251 are available for assignment should
2159 sufficient reason arise. However, the designation of a new algorithm
2160 could have a major impact on interoperability and requires an IETF
2161 Standards Action [RFC 2434]. The existence of the private algorithm
2162 types 253 and 254 should satify most needs for private or proprietary
2165 Additional values of the Protocol Octet (5-254) can be assigned by
2166 IETF Consensus [RFC 2434].
2168 The meaning of the first bit of the NXT RR "type bit map" being a one
2169 can only be assigned by a standards action.
2173 [RFC 1033] Lottor, M., "Domain Administrators Operations Guide", RFC
2174 1033, November 1987.
2176 [RFC 1034] Mockapetris, P., "Domain Names - Concepts and
2177 Facilities", STD 13, RFC 1034, November 1987.
2179 [RFC 1035] Mockapetris, P., "Domain Names - Implementation and
2180 Specifications", STD 13, RFC 1035, November 1987.
2186 Eastlake Standards Track [Page 39]
2188 RFC 2535 DNS Security Extensions March 1999
2191 [RFC 1305] Mills, D., "Network Time Protocol (v3)", RFC 1305, March
2194 [RFC 1530] Malamud, C. and M. Rose, "Principles of Operation for the
2195 TPC.INT Subdomain: General Principles and Policy", RFC
2198 [RFC 2401] Kent, S. and R. Atkinson, "Security Architecture for the
2199 Internet Protocol", RFC 2401, November 1998.
2201 [RFC 1982] Elz, R. and R. Bush, "Serial Number Arithmetic", RFC
2202 1982, September 1996.
2204 [RFC 1995] Ohta, M., "Incremental Zone Transfer in DNS", RFC 1995,
2207 [RFC 2030] Mills, D., "Simple Network Time Protocol (SNTP) Version 4
2208 for IPv4, IPv6 and OSI", RFC 2030, October 1996.
2210 [RFC 2045] Freed, N. and N. Borenstein, "Multipurpose Internet Mail
2211 Extensions (MIME) Part One: Format of Internet Message
2212 Bodies", RFC 2045, November 1996.
2214 [RFC 2065] Eastlake, D. and C. Kaufman, "Domain Name System Security
2215 Extensions", RFC 2065, January 1997.
2217 [RFC 2119] Bradner, S., "Key words for use in RFCs to Indicate
2218 Requirement Levels", BCP 14, RFC 2119, March 1997.
2220 [RFC 2136] Vixie, P., Thomson, S., Rekhter, Y. and J. Bound,
2221 "Dynamic Updates in the Domain Name System (DNS UPDATE)",
2222 RFC 2136, April 1997.
2224 [RFC 2137] Eastlake, D., "Secure Domain Name System Dynamic Update",
2225 RFC 2137, April 1997.
2227 [RFC 2181] Elz, R. and R. Bush, "Clarifications to the DNS
2228 Specification", RFC 2181, July 1997.
2230 [RFC 2434] Narten, T. and H. Alvestrand, "Guidelines for Writing an
2231 IANA Considerations Section in RFCs", BCP 26, RFC 2434,
2234 [RFC 2537] Eastlake, D., "RSA/MD5 KEYs and SIGs in the Domain Name
2235 System (DNS)", RFC 2537, March 1999.
2237 [RFC 2539] Eastlake, D., "Storage of Diffie-Hellman Keys in the
2238 Domain Name System (DNS)", RFC 2539, March 1999.
2242 Eastlake Standards Track [Page 40]
2244 RFC 2535 DNS Security Extensions March 1999
2247 [RFC 2536] Eastlake, D., "DSA KEYs and SIGs in the Domain Name
2248 System (DNS)", RFC 2536, March 1999.
2250 [RFC 2538] Eastlake, D. and O. Gudmundsson, "Storing Certificates in
2251 the Domain Name System", RFC 2538, March 1999.
2253 [RFC 2541] Eastlake, D., "DNS Operational Security Considerations",
2254 RFC 2541, March 1999.
2256 [RSA FAQ] - RSADSI Frequently Asked Questions periodic posting.
2260 Donald E. Eastlake 3rd
2262 65 Shindegan Hill Road
2266 Phone: +1-914-784-7913 (w)
2268 Fax: +1-914-784-3833 (w-fax)
2269 EMail: dee3@us.ibm.com
2298 Eastlake Standards Track [Page 41]
2300 RFC 2535 DNS Security Extensions March 1999
2303 Appendix A: Base 64 Encoding
2305 The following encoding technique is taken from [RFC 2045] by N.
2306 Borenstein and N. Freed. It is reproduced here in an edited form for
2309 A 65-character subset of US-ASCII is used, enabling 6 bits to be
2310 represented per printable character. (The extra 65th character, "=",
2311 is used to signify a special processing function.)
2313 The encoding process represents 24-bit groups of input bits as output
2314 strings of 4 encoded characters. Proceeding from left to right, a
2315 24-bit input group is formed by concatenating 3 8-bit input groups.
2316 These 24 bits are then treated as 4 concatenated 6-bit groups, each
2317 of which is translated into a single digit in the base 64 alphabet.
2319 Each 6-bit group is used as an index into an array of 64 printable
2320 characters. The character referenced by the index is placed in the
2323 Table 1: The Base 64 Alphabet
2325 Value Encoding Value Encoding Value Encoding Value Encoding
2340 14 O 31 f 48 w (pad) =
2344 Special processing is performed if fewer than 24 bits are available
2345 at the end of the data being encoded. A full encoding quantum is
2346 always completed at the end of a quantity. When fewer than 24 input
2347 bits are available in an input group, zero bits are added (on the
2348 right) to form an integral number of 6-bit groups. Padding at the
2349 end of the data is performed using the '=' character. Since all base
2350 64 input is an integral number of octets, only the following cases
2354 Eastlake Standards Track [Page 42]
2356 RFC 2535 DNS Security Extensions March 1999
2359 can arise: (1) the final quantum of encoding input is an integral
2360 multiple of 24 bits; here, the final unit of encoded output will be
2361 an integral multiple of 4 characters with no "=" padding, (2) the
2362 final quantum of encoding input is exactly 8 bits; here, the final
2363 unit of encoded output will be two characters followed by two "="
2364 padding characters, or (3) the final quantum of encoding input is
2365 exactly 16 bits; here, the final unit of encoded output will be three
2366 characters followed by one "=" padding character.
2410 Eastlake Standards Track [Page 43]
2412 RFC 2535 DNS Security Extensions March 1999
2415 Appendix B: Changes from RFC 2065
2417 This section summarizes the most important changes that have been
2418 made since RFC 2065.
2420 1. Most of Section 7 of [RFC 2065] called "Operational
2421 Considerations", has been removed and may be made into a separate
2422 document [RFC 2541].
2424 2. The KEY RR has been changed by (2a) eliminating the "experimental"
2425 flag as unnecessary, (2b) reserving a flag bit for flags
2426 expansion, (2c) more compactly encoding a number of bit fields in
2427 such a way as to leave unchanged bits actually used by the limited
2428 code currently deployed, (2d) eliminating the IPSEC and email flag
2429 bits which are replaced by values of the protocol field and adding
2430 a protocol field value for DNS security itself, (2e) adding
2431 material to indicate that zone KEY RRs occur only at delegation
2432 points, and (2f) removing the description of the RSA/MD5 algorithm
2433 to a separate document [RFC 2537]. Section 3.4 describing the
2434 meaning of various combinations of "no-key" and key present KEY
2435 RRs has been added and the secure / unsecure status of a zone has
2436 been clarified as being per algorithm.
2438 3. The SIG RR has been changed by (3a) renaming the "time signed"
2439 field to be the "signature inception" field, (3b) clarifying that
2440 signature expiration and inception use serial number ring
2441 arithmetic, (3c) changing the definition of the key footprint/tag
2442 for algorithms other than 1 and adding Appendix C to specify its
2443 calculation. In addition, the SIG covering type AXFR has been
2444 eliminated while one covering IXFR [RFC 1995] has been added (see
2447 4. Algorithm 3, the DSA algorithm, is now designated as the mandatory
2448 to implement algorithm. Algorithm 1, the RSA/MD5 algorithm, is
2449 now a recommended option. Algorithm 2 and 4 are designated as the
2450 Diffie-Hellman key and elliptic cryptography algorithms
2451 respectively, all to be defined in separate documents. Algorithm
2452 code point 252 is designated to indicate "indirect" keys, to be
2453 defined in a separate document, where the actual key is elsewhere.
2454 Both the KEY and SIG RR definitions have been simplified by
2455 eliminating the "null" algorithm 253 as defined in [RFC 2065].
2456 That algorithm had been included because at the time it was
2457 thought it might be useful in DNS dynamic update [RFC 2136]. It
2458 was in fact not so used and it is dropped to simplify DNS
2459 security. Howver, that algorithm number has been re-used to
2460 indicate private algorithms where a domain name specifies the
2466 Eastlake Standards Track [Page 44]
2468 RFC 2535 DNS Security Extensions March 1999
2471 5. The NXT RR has been changed so that (5a) the NXT RRs in a zone
2472 cover all names, including wildcards as literal names without
2473 expansion, except for glue address records whose names would not
2474 otherwise appear, (5b) all NXT bit map areas whose first octet has
2475 bit zero set have been reserved for future definition, (5c) the
2476 number of and circumstances under which an NXT must be returned in
2477 connection with wildcard names has been extended, and (5d) in
2478 connection with the bit map, references to the WKS RR have been
2479 removed and verticle bars ("|") have been added between the RR
2480 type mnemonics in the ASCII representation.
2482 6. Information on the canonical form and ordering of RRs has been
2483 moved into a separate Section 8.
2485 7. A subsection covering incremental and full zone transfer has been
2488 8. Concerning DNS chaining: Further specification and policy
2489 recommendations on secure resolution have been added, primarily in
2490 Section 6.3.1. It is now clearly stated that authenticated data
2491 has a validity period of the intersection of the validity periods
2492 of the SIG RRs in its authentication chain. The requirement to
2493 staticly configure a superzone's key signed by a zone in all of
2494 the zone's authoritative servers has been removed. The
2495 recommendation to continue DNS security checks in a secure island
2496 of DNS data that is separated from other parts of the DNS tree by
2497 insecure zones and does not contain a zone for which a key has
2498 been staticly configured was dropped.
2500 9. It was clarified that the presence of the AD bit in a response
2501 does not apply to the additional information section or to glue
2502 address or delegation point NS RRs. The AD bit only indicates
2503 that the answer and authority sections of the response are
2506 10. It is now required that KEY RRs and NXT RRs be signed only with
2509 11. Add IANA Considerations section and references to RFC 2434.
2522 Eastlake Standards Track [Page 45]
2524 RFC 2535 DNS Security Extensions March 1999
2527 Appendix C: Key Tag Calculation
2529 The key tag field in the SIG RR is just a means of more efficiently
2530 selecting the correct KEY RR to use when there is more than one KEY
2531 RR candidate available, for example, in verifying a signature. It is
2532 possible for more than one candidate key to have the same tag, in
2533 which case each must be tried until one works or all fail. The
2534 following reference implementation of how to calculate the Key Tag,
2535 for all algorithms other than algorithm 1, is in ANSI C. It is coded
2536 for clarity, not efficiency. (See section 4.1.6 for how to determine
2537 the Key Tag of an algorithm 1 key.)
2539 /* assumes int is at least 16 bits
2540 first byte of the key tag is the most significant byte of return
2542 second byte of the key tag is the least significant byte of
2548 unsigned char key[], /* the RDATA part of the KEY RR */
2549 unsigned int keysize, /* the RDLENGTH */
2552 long int ac; /* assumed to be 32 bits or larger */
2554 for ( ac = 0, i = 0; i < keysize; ++i )
2555 ac += (i&1) ? key[i] : key[i]<<8;
2556 ac += (ac>>16) & 0xFFFF;
2578 Eastlake Standards Track [Page 46]
2580 RFC 2535 DNS Security Extensions March 1999
2583 Full Copyright Statement
2585 Copyright (C) The Internet Society (1999). All Rights Reserved.
2587 This document and translations of it may be copied and furnished to
2588 others, and derivative works that comment on or otherwise explain it
2589 or assist in its implementation may be prepared, copied, published
2590 and distributed, in whole or in part, without restriction of any
2591 kind, provided that the above copyright notice and this paragraph are
2592 included on all such copies and derivative works. However, this
2593 document itself may not be modified in any way, such as by removing
2594 the copyright notice or references to the Internet Society or other
2595 Internet organizations, except as needed for the purpose of
2596 developing Internet standards in which case the procedures for
2597 copyrights defined in the Internet Standards process must be
2598 followed, or as required to translate it into languages other than
2601 The limited permissions granted above are perpetual and will not be
2602 revoked by the Internet Society or its successors or assigns.
2604 This document and the information contained herein is provided on an
2605 "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
2606 TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
2607 BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
2608 HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
2609 MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
2634 Eastlake Standards Track [Page 47]
projects / FreeBSD / releng / 7.2.git / blob