
DNS Security Operational Considerations (RFC2541)

IP.com Disclosure Number: IPCOM000003127D
Original Publication Date: 1999-Mar-01
Included in the Prior Art Database: 2000-Sep-13
Document File: 8 page(s) / 13K

Publishing Venue

Internet Society Requests For Comment (RFCs)

Related People

D. Eastlake: AUTHOR

Abstract

Secure DNS is based on cryptographic techniques. A necessary part of the strength of these techniques is careful attention to the operational aspects of key and signature generation, lifetime, size, and storage. In addition, special attention must be paid to the security of the high level zones, particularly the root zone. This document discusses these operational aspects for keys and signatures used in connection with the KEY and SIG DNS resource records.

This text was extracted from an ASCII Text document.
This is the abbreviated version, containing approximately 22% of the total text.

Network Working Group                                        D. Eastlake
Request for Comments: 2541                                           IBM
Category: Informational                                       March 1999

DNS Security Operational Considerations

Status of this Memo

This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (1999). All Rights Reserved.

Abstract

Secure DNS is based on cryptographic techniques. A necessary part of the strength of these techniques is careful attention to the operational aspects of key and signature generation, lifetime, size, and storage. In addition, special attention must be paid to the security of the high level zones, particularly the root zone. This document discusses these operational aspects for keys and signatures used in connection with the KEY and SIG DNS resource records.

Acknowledgments

The contributions and suggestions of the following persons (in alphabetic order) are gratefully acknowledged:

John Gilmore
Olafur Gudmundsson
Charlie Kaufman

Table of Contents

Abstract
Acknowledgments
1. Introduction
2. Public/Private Key Generation
3. Public/Private Key Lifetimes
4. Public/Private Key Size Considerations
4.1 RSA Key Sizes
4.2 DSS Key Sizes
5. Private Key Storage
6. High Level Zones, The Root Zone, and The Meta-Root Key
7. Security Considerations
References
Author's Address
Full Copyright Statement

1. Introduction

This document describes operational considerations for the generation, lifetime, size, and storage of DNS cryptographic keys and signatures for use in the KEY and SIG resource records [RFC 2535]. Particular attention is paid to high level zones and the root zone.

2. Public/Private Key Generation

Careful generation of all keys is a sometimes overlooked but absolutely essential element in any cryptographically secure system. The strongest algorithms used with the longest keys are still of no use if an adversary can guess enough to lower the size of the likely key space so that it can be exhaustively searched. Technical suggestions for the generation of random keys will be found in [RFC 1750].
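As an added illustration of the point above (example code, not part of RFC 2541), the following Python makes the "reduced key space" argument concrete: however long the nominal key, a key derived from a guessable seed is no harder to find than the seed, and a byte-entropy sanity check on the output cannot reveal that. The function names, the constructed 32-bit-clock scenario and the 6.5 bits/byte threshold are assumptions of this example.

```python
import math
import secrets
from collections import Counter

def seed_space_bits(distinct_seed_values: int) -> float:
    """Entropy of a seed drawn uniformly from a set of this many values.
    Example: a PRNG seeded from a 32-bit clock has at most 2**32 seeds."""
    return math.log2(distinct_seed_values)

def effective_key_space_bits(key_bits: int, seed_entropy_bits: float) -> float:
    """Upper bound (in bits) on the space an adversary must search.
    A key derived deterministically from a seed is never harder to
    find than the seed, whatever the nominal key length."""
    return min(key_bits, seed_entropy_bits)

def shannon_bits_per_byte(data: bytes) -> float:
    """Empirical Shannon entropy of a byte string, 0.0 to 8.0 bits/byte.
    Catches gross failures (stuck or zeroed source); it cannot detect a
    well-mixed PRNG started from a guessable seed, which is exactly the
    failure the RFC warns about, so it is a sanity check, not a proof."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def generate_key_material(nbytes: int, min_bits_per_byte: float = 6.5) -> bytes:
    """Draw raw secret bytes for a DNS key from the OS CSPRNG and refuse
    output that fails the gross-failure check. The 6.5 threshold is an
    assumption chosen so that genuinely random input of 256+ bytes passes."""
    material = secrets.token_bytes(nbytes)
    if shannon_bits_per_byte(material) < min_bits_per_byte:
        raise RuntimeError("entropy source looks degenerate; refusing to issue key")
    return material

def worked_example() -> dict:
    """Two nominal 2048-bit keys (constructed scenario): one derived from a
    PRNG seeded with a 32-bit clock value, one from 2048 CSPRNG bits."""
    clock_seeded = effective_key_space_bits(2048, seed_space_bits(2**32))
    csprng = effective_key_space_bits(2048, 2048)
    return {"clock_seeded_bits": clock_seeded, "csprng_bits": csprng}

if __name__ == "__main__":
    print(worked_example())
    print(len(generate_key_material(256)), "bytes of key material drawn")
```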

Long term keys are particularly sensitive as they will represent a more valuable target and be subject to attack for a longer time than

...