Signaling Trust Anchor Knowledge in DNS Security Extensions (DNSSEC) (RFC8145)
Original Publication Date: 2017-Apr-01
Included in the Prior Art Database: 2017-Apr-12
Internet Society Requests For Comment (RFCs)
D. Wessels: AUTHOR [+3]
The DNS Security Extensions (DNSSEC) [RFC4033] [RFC4034] [RFC4035] were developed to provide origin authentication and integrity protection for DNS data by using digital signatures. DNSSEC uses Key Tags to efficiently match signatures to the keys from which they are generated. The Key Tag is a 16-bit value computed from the RDATA portion of a DNSKEY resource record (RR) using a formula not unlike a ones-complement checksum. RRSIG RRs contain a Key Tag field whose value is equal to the Key Tag of the DNSKEY RR that validates the signature.
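An added example (not part of RFC 8145 or of this database record): the general Key Tag formula from RFC 4034 Appendix B applied to DNSKEY RDATA, then used to pick the candidate keys for an RRSIG Key Tag field. The key material and the helper names dnskey_rdata and candidate_keys are constructed for illustration; algorithm 1 keys, which define the tag differently, are rejected rather than handled.

```python
import struct


def key_tag(rdata: bytes) -> int:
    """Key Tag of a DNSKEY RR, computed over its RDATA (general formula)."""
    if len(rdata) < 4:
        raise ValueError("DNSKEY RDATA needs flags, protocol and algorithm")
    if rdata[3] == 1:
        # Algorithm 1 (RSA/MD5) defines its Key Tag differently; out of scope here.
        raise ValueError("algorithm 1 uses a different Key Tag definition")
    acc = 0
    for i, octet in enumerate(rdata):
        # Even offsets are the high octet of a 16-bit word, odd offsets the low one.
        # A trailing octet at an even offset is therefore counted as a high octet.
        acc += octet << 8 if i % 2 == 0 else octet
    acc += (acc >> 16) & 0xFFFF  # fold the carry back in once
    return acc & 0xFFFF


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """Wire-format DNSKEY RDATA: 16-bit flags, protocol, algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def candidate_keys(rrsig_key_tag: int, dnskeys: list) -> list:
    """DNSKEY RDATAs whose Key Tag equals the RRSIG Key Tag field.

    The tag is a 16-bit checksum, not an identifier: several keys can share
    it, so every candidate still has to pass signature verification.
    """
    return [k for k in dnskeys if key_tag(k) == rrsig_key_tag]


# Constructed sample keys (4-octet "public keys" are far too short to be real).
KSK = dnskey_rdata(257, 3, 8, bytes([1, 2, 3, 4]))
ZSK = dnskey_rdata(256, 3, 8, bytes([9, 9, 9, 9]))
COLLIDING = dnskey_rdata(256, 3, 8, bytes([1, 2, 3, 5]))  # same tag as KSK

if __name__ == "__main__":
    for name, key in (("KSK", KSK), ("ZSK", ZSK), ("COLLIDING", COLLIDING)):
        print(f"{name}: key tag {key_tag(key)} (0x{key_tag(key):04x})")
    print("candidates for tag of KSK:", len(candidate_keys(key_tag(KSK), [KSK, ZSK, COLLIDING])))
```

Because the tag is only a checksum, monitoring built on Key Tag signals should treat a tag as a hint about which key a resolver holds, not as proof of it.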
Internet Engineering Task Force (IETF)
Request for Comments: 8145
Category: Standards Track
ISSN: 2070-1721
Authors: D. Wessels (Verisign), W. Kumari (Google), P. Hoffman (ICANN)
April 2017
Signaling Trust Anchor Knowledge in DNS Security Extensions (DNSSEC)
The DNS Security Extensions (DNSSEC) were developed to provide origin authentication and integrity protection for DNS data by using digital signatures. These digital signatures can be verified by building a chain of trust starting from a trust anchor and proceeding down to a particular node in the DNS. This document specifies two different ways for validating resolvers to signal to a server which keys are referenced in their chain of trust. The data from such signaling allow zone administrators to monitor the progress of rollovers in a DNSSEC-signed zone.
Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841.
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc8145.
RFC 8145 DNSSEC Key Tag Signaling April 2017
Copyright (c) 2017 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Le...