
DSA KEYs and SIGs in the Domain Name System (DNS) (RFC2536)

IP.com Disclosure Number: IPCOM000003122D
Original Publication Date: 1999-Mar-01
Included in the Prior Art Database: 2000-Sep-13
Document File: 5 page(s) / 10K

Publishing Venue

Internet Society Requests For Comment (RFCs)

Related People

D. Eastlake: AUTHOR

Abstract

A standard method for storing US Government Digital Signature Algorithm keys and signatures in the Domain Name System is described which utilizes DNS KEY and SIG resource records.

This text was extracted from an ASCII text document.
This is the abbreviated version, containing approximately 29% of the total text.

Network Working Group                                        D. Eastlake
Request for Comments: 2536                                           IBM
Category: Standards Track                                     March 1999

DSA KEYs and SIGs in the Domain Name System (DNS)

Status of this Memo

This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (1999). All Rights Reserved.

Abstract

A standard method for storing US Government Digital Signature
Algorithm keys and signatures in the Domain Name System is described
which utilizes DNS KEY and SIG resource records.

Table of Contents

Abstract
1. Introduction
2. DSA KEY Resource Records
3. DSA SIG Resource Records
4. Performance Considerations
5. Security Considerations
6. IANA Considerations
References
Author's Address
Full Copyright Statement

1. Introduction

The Domain Name System (DNS) is the global hierarchical replicated
distributed database system for Internet addressing, mail proxy, and
other information. The DNS has been extended to include digital
signatures and cryptographic keys as described in [RFC 2535]. Thus
the DNS can now be secured and can be used for secure key
distribution.

This document describes how to store US Government Digital Signature
Algorithm (DSA) keys and signatures in the DNS. Familiarity with the
US Digital Signature Algorithm is assumed [Schneier]. Implementation
of DSA is mandatory for DNS security.

2. DSA KEY Resource Records

DSA public keys are stored in the DNS as KEY RRs using algorithm
number 3 [RFC 2535]. The structure of the algorithm specific portion
of the RDATA part of this RR is as shown below. These fields, from Q
through Y, are the "public key" part of the DSA KEY RR.

The period of key validity is not in the KEY RR but is indicated by
the SIG RR(s) which signs and authenticates the KEY RR(s) at that
domain name.

Field   Size
-----   ----
T       1 octet
Q       20 octets
P       64 + T*8 octets
G       64 + T*8 octets
Y       64 + T*8 octets

As described in [FIPS 186] and [Schneier]: T is a key size parameter
chosen such that 0 <= T <= 8. (The meaning for algorithm 3 if the ...