
DSA KEYs and SIGs in the Domain Name System (DNS) (RFC2536)

IP.com Disclosure Number: IPCOM000003122D
Original Publication Date: 1999-Mar-01
Included in the Prior Art Database: 2019-Feb-11
Document File: 6 page(s) / 8K

Publishing Venue

Internet Society Requests For Comment (RFCs)

Related People

D. Eastlake 3rd: AUTHOR

Related Documents

10.17487/RFC2536: DOI

Abstract

A standard method for storing US Government Digital Signature Algorithm keys and signatures in the Domain Name System is described which utilizes DNS KEY and SIG resource records. [STANDARDS-TRACK]

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 32% of the total text.

Network Working Group                                        D. Eastlake
Request for Comments: 2536                                           IBM
Category: Standards Track                                     March 1999

DSA KEYs and SIGs in the Domain Name System (DNS)

Status of this Memo

This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (1999). All Rights Reserved.

Abstract

A standard method for storing US Government Digital Signature Algorithm keys and signatures in the Domain Name System is described which utilizes DNS KEY and SIG resource records.

Table of Contents

   Abstract...................................................1
   1. Introduction............................................1
   2. DSA KEY Resource Records................................2
   3. DSA SIG Resource Records................................3
   4. Performance Considerations..............................3
   5. Security Considerations.................................4
   6. IANA Considerations.....................................4
   References.................................................5
   Author's Address...........................................5
   Full Copyright Statement...................................6

1. Introduction

The Domain Name System (DNS) is the global hierarchical replicated distributed database system for Internet addressing, mail proxy, and other information. The DNS has been extended to include digital signatures and cryptographic keys as described in [RFC 2535]. Thus the DNS can now be secured and can be used for secure key distribution.

Eastlake Standards Track [Page 1]

RFC 2536 DSA in the DNS March 1999

This document describes how to store US Government Digital Signature Algorithm (DSA) keys and signatures in the DNS. Familiarity with the US Digital Signature Algorithm is assumed [Schneier]. Implementation of DSA is mandatory for DNS security.

2. DSA KEY Resource Records

DSA public keys are stored in the DNS as KEY RRs using algorithm number 3 [RFC 2535]. The structure of the algorithm specific portion of the RDATA part of this RR is as shown below. These fields, from Q through Y, are the "public key" part of the DSA KEY RR.

The period of key validity is not in the KEY RR but is indicated by the SIG RR(s) which signs and authenticates the KEY RR(s) at that domain name.

   Field   Size
   -----   ----
   T       1 octet
   Q       20 octets
   P       64 + T*8 octets
   G       64 + T*8 octets
   Y       64 + T*8 octets

As described in [FIPS 186] and [Schneier]: T is a key size parameter chosen such that 0 <= T <= 8. (The meaning for algorithm 3 if the T octet is greater than 8 is reserved and the remainder of the RDATA portion may have a different format in that case.) Q is a prime number selected at key generation time such that 2**159 < Q < 2**160 so Q is always 20 octets long and, as with all other...
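As an added example (not part of the RFC), a Python parser and serializer for the algorithm-3 public key layout above: it enforces the 64 + T*8 octet rule for P, G and Y, rejects the reserved T > 8 case instead of guessing at the format, and checks the 160-bit range of Q. The sample values are constructed filler, not real DSA parameters.

```python
from dataclasses import dataclass


@dataclass
class DsaPublicKey:
    t: int  # key size parameter, 0 <= T <= 8
    q: int  # 160-bit prime, always 20 octets
    p: int  # modulus, 64 + T*8 octets
    g: int  # generator, 64 + T*8 octets
    y: int  # public value, 64 + T*8 octets


def dsa_field_len(t: int) -> int:
    """Octet length of each of P, G and Y for key size parameter T."""
    return 64 + t * 8


def parse_dsa_key_rdata(pub: bytes) -> DsaPublicKey:
    """Parse the algorithm-3 public key portion of a KEY RR, i.e. the
    bytes following the KEY RR's flags, protocol and algorithm octets."""
    if not pub:
        raise ValueError("empty DSA public key")
    t = pub[0]
    if t > 8:
        # Reserved: the remainder of the RDATA may have a different format.
        raise ValueError(f"reserved DSA key size parameter T={t}")
    n = dsa_field_len(t)
    expected = 1 + 20 + 3 * n
    if len(pub) != expected:  # reject truncated or padded keys outright
        raise ValueError(f"T={t} requires {expected} octets, got {len(pub)}")
    q = int.from_bytes(pub[1:21], "big")
    if not (2 ** 159 < q < 2 ** 160):
        raise ValueError("Q must satisfy 2**159 < Q < 2**160")
    p, g, y = (int.from_bytes(pub[21 + i * n:21 + (i + 1) * n], "big") for i in range(3))
    return DsaPublicKey(t, q, p, g, y)


def build_dsa_key_rdata(t: int, q: int, p: int, g: int, y: int) -> bytes:
    """Inverse of parse_dsa_key_rdata: fixed-width big-endian fields."""
    n = dsa_field_len(t)
    return bytes([t]) + q.to_bytes(20, "big") + b"".join(v.to_bytes(n, "big") for v in (p, g, y))


def is_valid_dsa_key_rdata(pub: bytes) -> bool:
    """True if the public key portion parses under the rules above."""
    try:
        parse_dsa_key_rdata(pub)
        return True
    except ValueError:
        return False


# Constructed sample (not real DSA parameters): T=0, so P, G and Y are 64 octets each.
SAMPLE_Q = (1 << 159) + 1
SAMPLE = build_dsa_key_rdata(0, SAMPLE_Q, (1 << 511) + 3, 5, 7)
```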
