
Generic Security Service Algorithm for Secret Key Transaction Authentication for DNS (GSS-TSIG) (RFC3645)

IP.com Disclosure Number: IPCOM000019904D
Original Publication Date: 2003-Oct-01
Included in the Prior Art Database: 2003-Oct-09
Document File: 27 page(s) / 56K

Publishing Venue

Internet Society Requests For Comment (RFCs)

Related People

S. Kwan: AUTHOR [+6]

Abstract

The Secret Key Transaction Authentication for DNS (TSIG) protocol provides transaction level authentication for DNS. TSIG is extensible through the definition of new algorithms. This document specifies an algorithm based on the Generic Security Service Application Program Interface (GSS-API) (RFC2743). This document updates RFC 2845.

This text was extracted from an ASCII text file.
This is the abbreviated version, containing approximately 7% of the total text.

Network Working Group                                            S. Kwan
Request for Comments: 3645                                       P. Garg
Updates: 2845                                                  J. Gilroy
Category: Standards Track                                      L. Esibov
                                                             J. Westhead
                                                         Microsoft Corp.
                                                                 R. Hall
                                                     Lucent Technologies
                                                            October 2003

Generic Security Service Algorithm for
Secret Key Transaction Authentication for DNS (GSS-TSIG)

Status of this Memo

This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (2003). All Rights Reserved.


Kwan, et al. Standards Track [Page 1]

RFC 3645 GSS-TSIG October 2003

Table of Contents

1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Algorithm Overview . . . . . . . . . . . . . . . . . . . . . . 3
   2.1. GSS Details. . . . . . . . . . . . . . . . . . . . . . . 4
   2.2. Modifications to the TSIG protocol (RFC 2845). . . . . . 4
3. Client Protocol Details. . . . . . . . . . . . . . . . . . . . 5
   3.1. Negotiating Context. . . . . . . . . . . . . . . . . . . 5
        3.1.1. Call GSS_Init_sec_context. . . . . . . . . . . . . 6
        3.1.2. Send TKEY Query to Server. . . . . . . . . . . . . 8
        3.1.3. Receive TKEY Query-Response from Server. . . . . . 8
   3.2. Context Established. . . . . . . . . . . . . . . . . . . 11
        3.2.1. Terminating a Context. . . . . . . . . . . . . . . 11
4. Server Protocol Details. . . . . . . . . . . . . . . . . . . . 12
   4.1. Negotiating Context. . . . . . . . . . . . . . . . . . . 12
        4.1.1. Receive TKEY Query from Client . . . . . . . . . . 12
        4.1.2. Call GSS_Accept_sec_context. . . . . . . . . . . . 12
        4.1.3. Send TKEY Query-Response to Client . . . . . . . . 13
   4.2. Context Established. . . . . . . . . . . . . . . . . . . 15
        4.2.1. Terminating a Context. . . . . . . . . . . . . . . 15
5. Sending and Verifying Signed Messages. . . . . . . . . . . . . 15
   5.1. Sending a Signed Message - Call GSS_GetMIC . . . . . . . 15
   5.2. Verifying a Signed Message - Call GSS_VerifyMIC. . . . . 16
6. Example usage of GSS-TSIG algorithm. . . . . . . . . . . . . . 18
7. Security Considerations. . . . . . . . . . . . . . . . . . . . 22
8. IANA Considerations. . . . . . . . . . . . . . . . . . . . . . 22
9. Conformance. . . . . . . . . . . . . . . . . . . . . . . . . . 22
10. Intellectual Property Statement. . . . . . . . . . . . . . . . 23
11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 23
12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 24
   12.1. N...
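The table of contents above outlines the two phases of GSS-TSIG: a TKEY exchange in which the client's GSS_Init_sec_context and the server's GSS_Accept_sec_context tokens travel inside TKEY query and response records (sections 3.1 and 4.1), followed by ordinary DNS messages signed with GSS_GetMIC and checked with GSS_VerifyMIC (section 5). The following simulation of that flow is an added example written for this page; it is not code from RFC 3645 or from any DNS implementation. The GSS mechanism is a toy stand-in (two nonces mixed with a constructed pre-shared secret under HMAC-SHA256) rather than Kerberos, DNS messages are bytes and dicts rather than wire format, and the TSIG variable encoding is simplified; only the shape of the exchange, the algorithm name "gss-tsig.", TKEY mode 3 and the BADKEY/BADTIME/BADSIG checks follow the RFCs.

```python
"""Simulated GSS-TSIG exchange: TKEY negotiation carrying GSS tokens, then a
message signed with the established context.  Added illustration; the GSS
mechanism, secret and message layouts are constructed stand-ins."""
import hashlib
import hmac
import secrets
import struct
import time

GSS_S_COMPLETE = "GSS_S_COMPLETE"
GSS_S_CONTINUE_NEEDED = "GSS_S_CONTINUE_NEEDED"
TKEY_MODE_GSS = 3              # TKEY mode "GSS-API negotiation" (RFC 2930)
ALGORITHM_NAME = b"gss-tsig."  # TSIG algorithm name defined by RFC 3645
FUDGE = 300                    # seconds of clock skew tolerated (RFC 2845 default)
PRESHARED = b"constructed-credential-standing-in-for-kerberos"  # assumption


class ToyGssContext:
    """Stand-in for a GSS-API security context; real code uses a GSS library."""

    def __init__(self, initiator):
        self.initiator = initiator
        self.nonce = secrets.token_bytes(16)
        self.key = None  # derived once both nonces are known

    def derive(self, peer_nonce):
        if self.initiator:
            client_nonce, server_nonce = self.nonce, peer_nonce
        else:
            client_nonce, server_nonce = peer_nonce, self.nonce
        self.key = hmac.new(PRESHARED, client_nonce + server_nonce, hashlib.sha256).digest()


def gss_init_sec_context(ctx, input_token):
    """Client side: first call emits a token, second call consumes the server's."""
    if input_token is None:
        return GSS_S_CONTINUE_NEEDED, ctx.nonce
    ctx.derive(input_token)
    return GSS_S_COMPLETE, None


def gss_accept_sec_context(ctx, input_token):
    """Server side: the toy mechanism completes after one client token."""
    ctx.derive(input_token)
    return GSS_S_COMPLETE, ctx.nonce


def gss_get_mic(ctx, data):
    return hmac.new(ctx.key, data, hashlib.sha256).digest()


def gss_verify_mic(ctx, data, mic):
    return hmac.compare_digest(gss_get_mic(ctx, data), mic)


# TSIG layer: the MIC covers the message plus the TSIG variables (RFC 2845 shape).
def tsig_variables(key_name, time_signed):
    return key_name + ALGORITHM_NAME + struct.pack(">QH", time_signed, FUDGE)


def sign_message(ctx, key_name, message, now=None):
    now = int(time.time()) if now is None else now
    mac = gss_get_mic(ctx, message + tsig_variables(key_name, now))
    return {"message": message,
            "tsig": {"name": key_name, "alg": ALGORITHM_NAME, "time": now, "mac": mac}}


def verify_message(ctx, key_name, signed, now=None):
    """Return (ok, rcode): key name and algorithm, then time window, then MIC."""
    now = int(time.time()) if now is None else now
    t = signed["tsig"]
    if t["name"] != key_name or t["alg"] != ALGORITHM_NAME:
        return False, "BADKEY"
    if abs(now - t["time"]) > FUDGE:
        return False, "BADTIME"
    covered = signed["message"] + tsig_variables(key_name, t["time"])
    if not gss_verify_mic(ctx, covered, t["mac"]):
        return False, "BADSIG"
    return True, "NOERROR"


def negotiate(key_name):
    """Run the TKEY exchange with client and server in one process."""
    client, server = ToyGssContext(initiator=True), ToyGssContext(initiator=False)
    status, token = gss_init_sec_context(client, None)
    while status == GSS_S_CONTINUE_NEEDED:
        tkey_query = {"name": key_name, "mode": TKEY_MODE_GSS, "key": token}  # first query is unsigned
        s_status, s_token = gss_accept_sec_context(server, tkey_query["key"])
        response = {"name": key_name, "mode": TKEY_MODE_GSS, "key": s_token}
        # Once the server's context is established it signs its TKEY response with it.
        signed = sign_message(server, key_name, response["key"]) if s_status == GSS_S_COMPLETE else None
        status, token = gss_init_sec_context(client, response["key"])
        if status == GSS_S_COMPLETE and signed is not None:
            ok, why = verify_message(client, key_name, signed)
            if not ok:
                raise RuntimeError("server TKEY response failed verification: " + why)
    return client, server


if __name__ == "__main__":
    name = b"1234.sig-ns.example.com."     # constructed TKEY/TSIG key name
    c, s = negotiate(name)
    update = b"<constructed stand-in for a dynamic UPDATE message>"
    print(verify_message(s, name, sign_message(c, name, update)))
```

The point to take from the simulation is the separation of concerns: TSIG itself only needs a key name, an algorithm name and a MIC, so swapping in GSS-TSIG changes where the key comes from (a negotiated security context) and which primitive computes the MAC (GSS_GetMIC), while the BADKEY/BADTIME/BADSIG checks on the verifying side are unchanged.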