RFC 2535: Domain Name System Security Extensions

1. Overview of Contents

This document standardizes extensions of the Domain Name System (DNS) protocol to support DNS security and public key distribution. It assumes that the reader is familiar with the Domain Name System, particularly as described in RFCs 1033, 1034 and 1035 (STD 13) and later RFCs. An earlier version of these extensions appears in RFC 2065 (obsoleted by RFC 2535, which was itself later obsoleted by RFCs 4033, 4034 and 4035). This replacement for that RFC incorporates early implementation experience and requests from potential users.

Section 2 provides an overview of the extensions and the key distribution, data origin authentication, and transaction and request security they provide.

Section 3 discusses the KEY resource record, its structure, and use in DNS responses. These resource records represent the public keys of entities named in the DNS and are used for key distribution.

Section 4 discusses the SIG digital signature resource record, its structure, and use in DNS responses. These resource records are used to authenticate other resource records in the DNS and optionally to authenticate DNS transactions and requests.

Section 5 discusses the NXT resource record (RR) and its use in DNS responses including full and incremental zone transfers. The NXT RR permits authenticated denial of the existence of a name or of an RR type for an existing name.

Section 6 discusses how a resolver can be configured with a starting key or keys and proceed to securely resolve DNS requests. Interactions between resolvers and servers are discussed for various combinations of security-aware and non-security-aware resolvers and servers. Two additional DNS header bits are defined for signaling between resolvers and servers.

Section 7 describes the ASCII representation of the security resource records for use in master files and elsewhere.

Section 8 defines the canonical form and order of RRs for DNS security purposes.

Section 9 defines levels of conformance for resolvers and servers.

Section 10 provides a few paragraphs on overall security considerations.

Section 11 specifies IANA considerations for allocation of additional values of parameters defined in this document.

Appendix A gives details of base 64 encoding which is used in the file representation of some RRs defined in this document.

Appendix B summarizes changes between this memo and RFC 2065.

Appendix C specifies how to calculate the simple checksum used as a key tag in most SIG RRs.
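As an added illustration (not text from the RFC), the following Python computes the key tag checksum that Appendix C specifies: a 16-bit-word sum over the whole KEY RR RDATA with the carry folded back in. The KEY RDATA layout (flags, protocol, algorithm, public key) follows section 3.1, and the algorithm 1 (RSA/MD5) exception, which instead takes bits of the RSA modulus, follows section 4.1.6 with the RSA key encoding of RFC 2537; the sample keys are constructed and carry no real key material.

```python
# Key tag computation for a DNS KEY RR (RFC 2535 Appendix C).
# Added example; the RDATA values used below are constructed.

def key_tag(rdata: bytes) -> int:
    """Return the 16-bit key tag for a KEY RR with the given RDATA.

    RDATA = 2-octet flags | 1-octet protocol | 1-octet algorithm | public key.
    For every algorithm except 1 the tag is the folded 16-bit word sum of
    the entire RDATA.  For algorithm 1 (RSA/MD5) the tag is the most
    significant 16 bits of the least significant 24 bits of the modulus.
    """
    if len(rdata) < 4:
        raise ValueError("KEY RDATA shorter than the fixed 4-octet header")
    algorithm = rdata[3]
    if algorithm == 1:
        return _rsa_md5_key_tag(rdata[4:])
    ac = 0
    for i, octet in enumerate(rdata):
        # Even offsets are the high octet of a 16-bit word, odd the low octet.
        ac += octet << 8 if i % 2 == 0 else octet
    ac += (ac >> 16) & 0xFFFF   # fold the carry back into the low 16 bits
    return ac & 0xFFFF


def _rsa_md5_key_tag(key: bytes) -> int:
    """Key tag for an RSA/MD5 public key (RFC 2537 encoding, assumed here).

    The key starts with the exponent length: one octet, or, when that
    octet is zero, a two-octet big-endian length.  The modulus follows
    the exponent and runs to the end of the key data.
    """
    if not key:
        raise ValueError("empty RSA/MD5 public key")
    exp_len, pos = key[0], 1
    if exp_len == 0:
        exp_len, pos = int.from_bytes(key[1:3], "big"), 3
    modulus = key[pos + exp_len:]
    if len(modulus) < 3:
        raise ValueError("RSA modulus shorter than 3 octets")
    # Low 24 bits are the last three octets; their top 16 bits are the
    # third-to-last and second-to-last octets.
    return int.from_bytes(modulus[-3:-1], "big")


# Constructed KEY RDATA: flags 0x0100, protocol 3 (DNSSEC), algorithm 3 (DSA).
SAMPLE_DSA_RDATA = bytes([0x01, 0x00, 0x03, 0x03]) + bytes([0x01, 0x02, 0x03, 0x04])
```

Two SIG RRs signed with different keys can still share a tag, so a verifier selects candidate KEY RRs by tag and then tries each one until a signature verifies.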

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC 2119].
