7 Network Working Group D. Eastlake 3rd
8 Request for Comments: 2931 Motorola
9 Updates: 2535 September 2000
10 Category: Standards Track
13 DNS Request and Transaction Signatures ( SIG(0)s )
17 This document specifies an Internet standards track protocol for the
18 Internet community, and requests discussion and suggestions for
19 improvements. Please refer to the current edition of the "Internet
20 Official Protocol Standards" (STD 1) for the standardization state
21 and status of this protocol. Distribution of this memo is unlimited.
25 Copyright (C) The Internet Society (2000). All Rights Reserved.
29 Extensions to the Domain Name System (DNS) are described in [RFC
30 2535] that can provide data origin and transaction integrity and
31 authentication to security aware resolvers and applications through
32 the use of cryptographic digital signatures.
34 Implementation experience has indicated the need for minor but non-
35 interoperable changes in Request and Transaction signature resource
36 records ( SIG(0)s ). These changes are documented herein.
40 The contributions and suggestions of the following persons (in
41 alphabetic order) to this memo are gratefully acknowledged:
58 Eastlake Standards Track [Page 1]
60 RFC 2931 DNS SIG(0) September 2000
65 1. Introduction................................................. 2
66 2. SIG(0) Design Rationale...................................... 3
67 2.1 Transaction Authentication.................................. 3
68 2.2 Request Authentication...................................... 3
69 2.3 Keying...................................................... 3
70 2.4 Differences Between TSIG and SIG(0)......................... 4
71 3. The SIG(0) Resource Record................................... 4
72 3.1 Calculating Request and Transaction SIGs.................... 5
73 3.2 Processing Responses and SIG(0) RRs......................... 6
74 3.3 SIG(0) Lifetime and Expiration.............................. 7
75 4. Security Considerations...................................... 7
76 5. IANA Considerations.......................................... 7
77 References...................................................... 7
78 Author's Address................................................ 8
79 Appendix: SIG(0) Changes from RFC 2535.......................... 9
80 Full Copyright Statement........................................ 10
84 This document makes minor but non-interoperable changes to part of
85 [RFC 2535], familiarity with which is assumed, and includes
86 additional explanatory text. These changes concern SIG Resource
87 Records (RRs) that are used to digitally sign DNS requests and
88 transactions / responses. Such a resource record, because it has a
89 type covered field of zero, is frequently called a SIG(0). The
90 changes are based on implementation and attempted implementation
91 experience with TSIG [RFC 2845] and the [RFC 2535] specification for
94 Sections of [RFC 2535] updated are all of 4.1.8.1 and parts of 4.2
95 and 4.3. No changes are made herein related to the KEY or NXT RRs or
96 to the processing involved with data origin and denial authentication
99 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
100 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
101 document are to be interpreted as described in [RFC 2119].
114 Eastlake Standards Track [Page 2]
116 RFC 2931 DNS SIG(0) September 2000
119 2. SIG(0) Design Rationale
121 SIG(0) provides protection for DNS transactions and requests that is
122 not provided by the regular SIG, KEY, and NXT RRs specified in [RFC
123 2535]. The authenticated data origin services of secure DNS either
124 provide protected data resource records (RRs) or authenticatably deny
125 their nonexistence. These services provide no protection for glue
126 records, DNS requests, no protection for message headers on requests
127 or responses, and no protection of the overall integrity of a
130 2.1 Transaction Authentication
132 Transaction authentication means that a requester can be sure it is
133 at least getting the messages from the server it queried and that the
134 received messages are in response to the query it sent. This is
135 accomplished by optionally adding either a TSIG RR [RFC 2845] or, as
136 described herein, a SIG(0) resource record at the end of the response
137 which digitally signs the concatenation of the server's response and
138 the corresponding resolver query.
140 2.2 Request Authentication
142 Requests can also be authenticated by including a TSIG or, as
143 described herein, a special SIG(0) RR at the end of the request.
144 Authenticating requests serves no function in DNS servers that
145 predate the specification of dynamic update. Requests with a non-
146 empty additional information section produce error returns or may
147 even be ignored by a few such older DNS servers. However, this syntax
148 for signing requests is defined for authenticating dynamic update
149 requests [RFC 2136], TKEY requests [RFC 2930], or future requests
150 requiring authentication.
154 The private keys used in transaction security belong to the host
155 composing the DNS response message, not to the zone involved.
156 Request authentication may also involve the private key of the host
157 or other entity composing the request or of a zone to be affected by
158 the request or other private keys depending on the request authority
159 it is sought to establish. The corresponding public key(s) are
160 normally stored in and retrieved from the DNS for verification as KEY
161 RRs with a protocol byte of 3 (DNSSEC) or 255 (ANY).
163 Because requests and replies are highly variable, message
164 authentication SIGs can not be pre-calculated. Thus it will be
165 necessary to keep the private key on-line, for example in software or
166 in a directly connected piece of hardware.
170 Eastlake Standards Track [Page 3]
172 RFC 2931 DNS SIG(0) September 2000
175 2.4 Differences Between TSIG and SIG(0)
177 There are significant differences between TSIG and SIG(0).
179 Because TSIG involves secret keys installed at both the requester and
180 server the presence of such a key implies that the other party
181 understands TSIG and very likely has the same key installed.
182 Furthermore, TSIG uses keyed hash authentication codes which are
183 relatively inexpensive to compute. Thus it is common to authenticate
184 requests with TSIG and responses are authenticated with TSIG if the
185 corresponding request is authenticated.
187 SIG(0) on the other hand, uses public key authentication, where the
188 public keys are stored in DNS as KEY RRs and a private key is stored
189 at the signer. Existence of such a KEY RR does not necessarily imply
190 implementation of SIG(0). In addition, SIG(0) involves relatively
191 expensive public key cryptographic operations that should be
192 minimized and the verification of a SIG(0) involves obtaining and
193 verifying the corresponding KEY which can be an expensive and lengthy
194 operation. Indeed, a policy of using SIG(0) on all requests and
195 verifying it before responding would, for some configurations, lead
196 to a deadly embrace with the attempt to obtain and verify the KEY
197 needed to authenticate the request SIG(0) resulting in additional
198 requests accompanied by a SIG(0) leading to further requests
199 accompanied by a SIG(0), etc. Furthermore, omitting SIG(0)s when not
200 required on requests halves the number of public key operations
201 required by the transaction.
203 For these reasons, SIG(0)s SHOULD only be used on requests when
204 necessary to authenticate that the requester has some required
205 privilege or identity. SIG(0)s on replies are defined in such a way
206 as to not require a SIG(0) on the corresponding request and still
207 provide transaction protection. For other replies, whether they are
208 authenticated by the server or required to be authenticated by the
209 requester SHOULD be a local configuration option.
211 3. The SIG(0) Resource Record
213 The structure of and type number of SIG resource records (RRs) is
214 given in [RFC 2535] Section 4.1. However all of Section 4.1.8.1 and
215 the parts of Sections 4.2 and 4.3 related to SIG(0) should be
216 considered replaced by the material below. Any conflict between [RFC
217 2535] and this document concerning SIG(0) RRs should be resolved in
218 favor of this document.
220 For all transaction SIG(0)s, the signer field MUST be a name of the
221 originating host and there MUST be a KEY RR at that name with the
222 public key corresponding to the private key used to calculate the
226 Eastlake Standards Track [Page 4]
228 RFC 2931 DNS SIG(0) September 2000
231 signature. (The host domain name used may be the inverse IP address
232 mapping name for an IP address of the host if the relevant KEY is
235 For all SIG(0) RRs, the owner name, class, TTL, and original TTL, are
236 meaningless. The TTL fields SHOULD be zero and the CLASS field
237 SHOULD be ANY. To conserve space, the owner name SHOULD be root (a
238 single zero octet). When SIG(0) authentication on a response is
239 desired, that SIG RR MUST be considered the highest priority of any
240 additional information for inclusion in the response. If the SIG(0)
241 RR cannot be added without causing the message to be truncated, the
242 server MUST alter the response so that a SIG(0) can be included.
243 This response consists of only the question and a SIG(0) record, and
244 has the TC bit set and RCODE 0 (NOERROR). The client should at this
245 point retry the request using TCP.
247 3.1 Calculating Request and Transaction SIGs
249 A DNS request may be optionally signed by including one SIG(0)s at
250 the end of the query additional information section. Such a SIG is
251 identified by having a "type covered" field of zero. It signs the
252 preceding DNS request message including DNS header but not including
253 the UDP/IP header and before the request RR counts have been adjusted
254 for the inclusions of the request SIG(0).
256 It is calculated by using a "data" (see [RFC 2535], Section 4.1.8) of
257 (1) the SIG's RDATA section entirely omitting (not just zeroing) the
258 signature subfield itself, (2) the DNS query messages, including DNS
259 header, but not the UDP/IP header and before the reply RR counts have
260 been adjusted for the inclusion of the SIG(0). That is
262 data = RDATA | request - SIG(0)
264 where "|" is concatenation and RDATA is the RDATA of the SIG(0) being
265 calculated less the signature itself.
267 Similarly, a SIG(0) can be used to secure a response and the request
268 that produced it. Such transaction signatures are calculated by
269 using a "data" of (1) the SIG's RDATA section omitting the signature
270 itself, (2) the entire DNS query message that produced this response,
271 including the query's DNS header but not its UDP/IP header, and (3)
272 the entire DNS response message, including DNS header but not the
273 UDP/IP header and before the response RR counts have been adjusted
274 for the inclusion of the SIG(0).
282 Eastlake Standards Track [Page 5]
284 RFC 2931 DNS SIG(0) September 2000
289 data = RDATA | full query | response - SIG(0)
291 where "|" is concatenation and RDATA is the RDATA of the SIG(0) being
292 calculated less the signature itself.
294 Verification of a response SIG(0) (which is signed by the server host
295 key, not the zone key) by the requesting resolver shows that the
296 query and response were not tampered with in transit, that the
297 response corresponds to the intended query, and that the response
298 comes from the queried server.
300 In the case of a DNS message via TCP, a SIG(0) on the first data
301 packet is calculated with "data" as above and for each subsequent
302 packet, it is calculated as follows:
304 data = RDATA | DNS payload - SIG(0) | previous packet
306 where "|" is concatenations, RDATA is as above, and previous packet
307 is the previous DNS payload including DNS header and the SIG(0) but
308 not the TCP/IP header. Support of SIG(0) for TCP is OPTIONAL. As an
309 alternative, TSIG may be used after, if necessary, setting up a key
310 with TKEY [RFC 2930].
312 Except where needed to authenticate an update, TKEY, or similar
313 privileged request, servers are not required to check a request
316 Note: requests and responses can either have a single TSIG or one
317 SIG(0) but not both a TSIG and a SIG(0).
319 3.2 Processing Responses and SIG(0) RRs
321 If a SIG RR is at the end of the additional information section of a
322 response and has a type covered of zero, it is a transaction
323 signature covering the response and the query that produced the
324 response. For TKEY responses, it MUST be checked and the message
325 rejected if the checks fail unless otherwise specified for the TKEY
326 mode in use. For all other responses, it MAY be checked and the
327 message rejected if the checks fail.
329 If a response's SIG(0) check succeed, such a transaction
330 authentication SIG does NOT directly authenticate the validity any
331 data-RRs in the message. However, it authenticates that they were
332 sent by the queried server and have not been diddled. (Only a proper
333 SIG(0) RR signed by the zone or a key tracing its authority to the
334 zone or to static resolver configuration can directly authenticate
338 Eastlake Standards Track [Page 6]
340 RFC 2931 DNS SIG(0) September 2000
343 data-RRs, depending on resolver policy.) If a resolver or server does
344 not implement transaction and/or request SIGs, it MUST ignore them
345 without error where they are optional and treat them as failing where
348 3.3 SIG(0) Lifetime and Expiration
350 The inception and expiration times in SIG(0)s are for the purpose of
351 resisting replay attacks. They should be set to form a time bracket
352 such that messages outside that bracket can be ignored. In IP
353 networks, this time bracket should not normally extend further than 5
354 minutes into the past and 5 minutes into the future.
356 4. Security Considerations
358 No additional considerations beyond those in [RFC 2535].
360 The inclusion of the SIG(0) inception and expiration time under the
361 signature improves resistance to replay attacks.
363 5. IANA Considerations
365 No new parameters are created or parameter values assigned by this
370 [RFC 1982] Elz, R. and R. Bush, "Serial Number Arithmetic", RFC 1982,
373 [RFC 2119] Bradner, S., "Key words for use in RFCs to Indicate
374 Requirement Levels", BCP 14, RFC 2119, March 1997.
376 [RFC 2136] Vixie, P., Thomson, S., Rekhter, Y. and J. Bound, "Dynamic
377 Updates in the Domain Name System (DNS UPDATE)", RFC 2136,
380 [RFC 2535] Eastlake, D., "Domain Name System Security Extensions",
381 RFC 2535, March 1999.
383 [RFC 2845] Vixie, P., Gudmundsson, O., Eastlake, D. and B.
384 Wellington, "Secret Key Transaction Signatures for DNS
385 (TSIG)", RFC 2845, May 2000.
387 [RFC 2930] Eastlake, D., "Secret Key Establishment for DNS (RR)", RFC
388 2930, September 2000.
394 Eastlake Standards Track [Page 7]
396 RFC 2931 DNS SIG(0) September 2000
401 Donald E. Eastlake 3rd
406 Phone: +1-978-562-2827(h)
408 Fax: +1 978-567-7941(h)
410 EMail: Donald.Eastlake@motorola.com
450 Eastlake Standards Track [Page 8]
452 RFC 2931 DNS SIG(0) September 2000
455 Appendix: SIG(0) Changes from RFC 2535
457 Add explanatory text concerning the differences between TSIG and
460 Change the data over which SIG(0) is calculated to include the SIG(0)
461 RDATA other than the signature itself so as to secure the signature
462 inception and expiration times and resist replay attacks. Specify
465 Add discussion of appropriate inception and expiration times for
468 Add wording to indicate that either a TSIG or one or more SIG(0)s may
469 be present but not both.
471 Reword some areas for clarity.
506 Eastlake Standards Track [Page 9]
508 RFC 2931 DNS SIG(0) September 2000
511 Full Copyright Statement
513 Copyright (C) The Internet Society (2000). All Rights Reserved.
515 This document and translations of it may be copied and furnished to
516 others, and derivative works that comment on or otherwise explain it
517 or assist in its implementation may be prepared, copied, published
518 and distributed, in whole or in part, without restriction of any
519 kind, provided that the above copyright notice and this paragraph are
520 included on all such copies and derivative works. However, this
521 document itself may not be modified in any way, such as by removing
522 the copyright notice or references to the Internet Society or other
523 Internet organizations, except as needed for the purpose of
524 developing Internet standards in which case the procedures for
525 copyrights defined in the Internet Standards process must be
526 followed, or as required to translate it into languages other than
529 The limited permissions granted above are perpetual and will not be
530 revoked by the Internet Society or its successors or assigns.
532 This document and the information contained herein is provided on an
533 "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
534 TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
535 BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
536 HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
537 MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
541 Funding for the RFC Editor function is currently provided by the
562 Eastlake Standards Track [Page 10]
projects / FreeBSD / releng / 7.2.git / blob