
Key Exchange Delegation Record for the DNS (RFC2230)

IP.com Disclosure Number: IPCOM000002789D
Original Publication Date: 1997-Nov-01
Included in the Prior Art Database: 2000-Sep-13
Document File: 9 page(s) / 24K

Publishing Venue

Internet Society Requests For Comment (RFCs)

Related People

R. Atkinson: AUTHOR

Abstract

This note describes a mechanism whereby authorisation for one node to act as key exchanger for a second node is delegated and made available via the Secure DNS. This mechanism is intended to be used only with the Secure DNS. It can be used with several security services. For example, a system seeking to use IP Security [RFC- 1825, RFC-1826, RFC-1827] to protect IP packets for a given destination can use this mechanism to determine the set of authorised remote key exchanger systems for that destination.


Network Working Group                                        R. Atkinson
Request for Comments: 2230                                           NRL
Category: Informational                                    November 1997

Key Exchange Delegation Record for the DNS

Status of this Memo

This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (1997). All Rights Reserved.


1. INTRODUCTION

The Domain Name System (DNS) is the standard way that Internet nodes locate information about addresses, mail exchangers, and other data relating to remote Internet nodes. [RFC-1035, RFC-1034] More recently, Eastlake and Kaufman have defined standards-track security extensions to the DNS. [RFC-2065] These security extensions can be used to authenticate signed DNS data records and can also be used to store signed public keys in the DNS.

The KX record is useful in providing an authenticatable method of delegating authorisation for one node to provide key exchange services on behalf of one or more, possibly different, nodes. This note specifies the syntax and semantics of the KX record, which is currently in limited deployment in certain IP-based networks. The reader is assumed to be familiar with the basics of DNS, including familiarity with [RFC-1035, RFC-1034]. This document is not on the IETF standards-track and does not specify any level of standard. This document merely provides information for the Internet community.
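The introduction makes the security-relevant point that KX data is only meaningful when it comes from the Secure DNS: an unsigned or unvalidated KX RRset tells a host nothing trustworthy about who may perform key exchange on a destination's behalf. The following is an added example (not code from RFC 2230 or from any implementation) of a consumer that parses KX RDATA and selects exchangers by preference while refusing any RRset that did not validate. The RDATA layout it assumes, a 16-bit preference followed by a domain name, is the one RFC 2230 defines; the `KXAnswer` container, its `dnssec_validated` flag standing in for a validating resolver's result, the decision to reject compressed names, and the sample records are all constructed for this example.

```python
"""Select authorised key exchangers from a DNSSEC-validated KX RRset.

Added example, not part of RFC 2230. The KX RDATA layout (16-bit preference,
then an exchanger domain name) follows RFC 2230; everything else here is an
assumption made for the example.
"""
import struct
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class KXRecord:
    preference: int   # lower value is preferred, as with MX
    exchanger: str    # FQDN of the node authorised to perform key exchange


def parse_kx_rdata(rdata: bytes) -> KXRecord:
    """Parse KX RDATA: 2-byte big-endian preference followed by an
    uncompressed wire-format domain name (length-prefixed labels, 0x00 end).
    Compression pointers are rejected here; this is a choice of the example."""
    if len(rdata) < 3:
        raise ValueError("KX RDATA too short")
    (pref,) = struct.unpack("!H", rdata[:2])
    labels = []
    pos = 2
    while True:
        if pos >= len(rdata):
            raise ValueError("unterminated domain name")
        n = rdata[pos]
        pos += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer not accepted by this parser")
        if pos + n > len(rdata):
            raise ValueError("label runs past end of RDATA")
        labels.append(rdata[pos:pos + n].decode("ascii").lower())
        pos += n
    if pos != len(rdata):
        raise ValueError("trailing bytes after domain name")
    return KXRecord(pref, ".".join(labels) + ".")


@dataclass(frozen=True)
class KXAnswer:
    """Constructed stand-in for a resolver answer: raw RDATA per RR plus
    whether the whole RRset passed DNSSEC validation."""
    owner: str
    records: Tuple[bytes, ...]
    dnssec_validated: bool


def authorised_key_exchangers(answer: KXAnswer) -> List[KXRecord]:
    """Return the exchangers a host may use, most preferred first.

    RFC 2230 intends KX for use only with the Secure DNS, so an RRset that
    did not validate is refused outright rather than used best-effort."""
    if not answer.dnssec_validated:
        raise PermissionError(
            f"KX RRset for {answer.owner} was not DNSSEC-validated; refusing it")
    parsed = [parse_kx_rdata(r) for r in answer.records]
    return sorted(parsed, key=lambda r: (r.preference, r.exchanger))


def _wire_name(name: str) -> bytes:
    """Encode an FQDN as uncompressed wire-format labels (test data helper)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"


# Constructed sample data: two KX RRs for host.example.com, out of preference order.
SAMPLE_RRSET = KXAnswer(
    owner="host.example.com.",
    records=(
        struct.pack("!H", 20) + _wire_name("kx2.example.com."),
        struct.pack("!H", 10) + _wire_name("kx1.example.com."),
    ),
    dnssec_validated=True,
)

# Same data as it would arrive from an unsigned zone or a non-validating path.
UNSIGNED_RRSET = KXAnswer(SAMPLE_RRSET.owner, SAMPLE_RRSET.records, dnssec_validated=False)


if __name__ == "__main__":
    for rr in authorised_key_exchangers(SAMPLE_RRSET):
        print(f"{rr.preference:5d}  {rr.exchanger}")
    try:
        authorised_key_exchangers(UNSIGNED_RRSET)
    except PermissionError as exc:
        print("refused:", exc)
```

The hard failure on an unvalidated RRset is the point: a client that falls back to plain DNS here lets anyone who can spoof a KX answer nominate themselves as the key exchanger for the destination.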

1.1 Identity Terminology

This document relies upon the concept of "identity domination". This concept might be new to the reader and so is explained in this section. The subject of endpoint naming for security associations has historically been somewhat contentious. This document takes no position on what forms of identity should be used. In a network, there are several forms of identity that are possible.

For example, IP Security has defined notions of identity that include: IP Address, IP Address Range, Connection ID, Fully-Qualified Domain Name (FQDN), and User with Fully Qualified Domain Name (USER FQDN).

A USER FQDN identity dominates a FQDN identity. A FQDN identity in turn dominates an IP Address identity. Similarly, a Connection ID dominates an IP Address identity. An IP Address Range do...
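The domination relations stated above form a strict partial order, and two consequences matter when comparing identities: domination is transitive (a USER FQDN dominates an IP Address through the FQDN), and some identity kinds are simply incomparable (a Connection ID and a FQDN neither dominates the other). The following is an added example, not text or code from RFC 2230, that encodes only the relations the section states and computes the closure; the identity-kind names are this example's own, and the IP Address Range relation is not included because the section's statement of it is not reproduced above.

```python
"""Identity domination (RFC 2230 section 1.1) as a strict partial order.

Added example, not part of the RFC. DIRECT holds only the relations the text
states: USER FQDN > FQDN > IP Address, and Connection ID > IP Address.
"""
from typing import Dict, FrozenSet, Set

# Direct domination: each key dominates every identity kind in its value.
DIRECT: Dict[str, FrozenSet[str]] = {
    "USER_FQDN": frozenset({"FQDN"}),
    "FQDN": frozenset({"IP_ADDRESS"}),
    "CONNECTION_ID": frozenset({"IP_ADDRESS"}),
    "IP_ADDRESS": frozenset(),
}


def dominated_by(kind: str) -> Set[str]:
    """Transitive closure: every identity kind that `kind` dominates,
    directly or through intermediate kinds."""
    seen: Set[str] = set()
    stack = [kind]
    while stack:
        current = stack.pop()
        for nxt in DIRECT[current]:
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def dominates(a: str, b: str) -> bool:
    """True when identity kind `a` strictly dominates identity kind `b`."""
    return b in dominated_by(a)


def comparable(a: str, b: str) -> bool:
    """Two kinds are comparable when equal or when one dominates the other;
    otherwise neither can stand in for the other under this ordering."""
    return a == b or dominates(a, b) or dominates(b, a)


if __name__ == "__main__":
    for kind in DIRECT:
        print(f"{kind:14s} dominates {sorted(dominated_by(kind))}")
    print("CONNECTION_ID vs FQDN comparable:", comparable("CONNECTION_ID", "FQDN"))
```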