Domain Name System Security Extensions (RFC2535)

IP.com Disclosure Number: IPCOM000003121D
Original Publication Date: 1999-Mar-01
Included in the Prior Art Database: 2000-Sep-13

Publishing Venue

Internet Society Requests For Comment (RFCs)

Related People

D. Eastlake: AUTHOR

Abstract

Extensions to the Domain Name System (DNS) are described that provide data integrity and authentication to security aware resolvers and applications through the use of cryptographic digital signatures. These digital signatures are included in secured zones as resource records. Security can also be provided through non-security aware DNS servers in some cases.

This text was extracted from an ASCII text document.
This is the abbreviated version, containing approximately 3% of the total text.

Network Working Group                                       D. Eastlake
Request for Comments: 2535                                          IBM
Obsoletes: 2065                                              March 1999
Updates: 2181, 1035, 1034
Category: Standards Track

Domain Name System Security Extensions

Status of this Memo

This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (1999). All Rights Reserved.

Abstract

Extensions to the Domain Name System (DNS) are described that provide data integrity and authentication to security aware resolvers and applications through the use of cryptographic digital signatures. These digital signatures are included in secured zones as resource records. Security can also be provided through non-security aware DNS servers in some cases.

The extensions provide for the storage of authenticated public keys in the DNS. This storage of keys can support general public key distribution services as well as DNS security. The stored keys enable security aware resolvers to learn the authenticating key of zones in addition to those for which they are initially configured. Keys associated with DNS names can be retrieved to support other protocols. Provision is made for a variety of key types and algorithms.

In addition, the security extensions provide for the optional authentication of DNS protocol transactions and requests.

This document incorporates feedback on RFC 2065 from early implementers and potential users.

Acknowledgments

The significant contributions and suggestions of the following persons (in alphabetic order) to DNS security are gratefully acknowledged:

   James M. Galvin
   John Gilmore
   Olafur Gudmundsson
   Charlie Kaufman
   Edward Lewis
   Thomas Narten
   Radia J. Perlman
   Jeffrey I. Schiller
   Steven (Xunhua) Wang
   Brian Wellington

Table of Contents

   Abstract
   Acknowledgments
   1. Overview of Contents
   2. Overview of the DNS Extensions
   2.1 Services Not Provided
   2.2 Key Distribution
   2.3 Data Origin Authentication and Integrity
   2.3.1 The SIG Resource Record
   2.3.2 Authenticating Name and Type Non-existence
   2.3.3 Special Considerations With Time-to-Live
   2.3.4 Special Considerations at Delegation Points
   2.3.5 Special Considerations with CNAME