RFC 2535
Domain Name System Security Extensions
| Original: | ftp://ftp.isi.edu/in-notes/rfc2535.txt |
|---|---|
| Authors: | D. Eastlake [IBM] |
| Date: | March 1999 |
| Category: | Proposed Standard (standards track; see Status below) |
| This specification has been obsoleted. | |
| Obsoleted by: | |
| RFC-4035prop | Protocol Modifications for the DNS Security Extensions (Updated by RFC-4470prop) |
| RFC-4034prop | Resource Records for the DNS Security Extensions (Updated by RFC-4470prop) |
| RFC-4033prop | DNS Security Introduction and Requirements |
| Obsoletes: | |
| RFC-2065 | Domain Name System Security Extensions (Obsoleted by RFC-2535 -> RFC-4033prop; -> RFC-4035prop; -> RFC-4034prop) |
| Updates: | |
| RFC-2181prop | Clarifications to the DNS Specification (Updated by RFC-4033prop, RFC-4035prop, RFC-4034prop, RFC-2535, RFC-4343prop) |
| RFC-1035std13 [STD 13] | Domain names - implementation and specification (Updated by RFC-1876exp, RFC-1348, RFC-4033prop, RFC-4035prop, RFC-4034prop, RFC-2308prop, RFC-2065, RFC-2845prop, RFC-2181prop, RFC-1995prop, RFC-1996prop, RFC-2535, RFC-4343prop, RFC-3658, RFC-1982prop, RFC-2136prop, RFC-3425prop, RFC-1101, RFC-1183exp, RFC-2137) |
| RFC-1034std13 [STD 13] | Domain names - concepts and facilities (Updated by RFC-1876exp, RFC-1348, RFC-4033prop, RFC-4035prop, RFC-4034prop, RFC-2308prop, RFC-2065, RFC-2181prop, RFC-2535, RFC-4343prop, RFC-1982prop, RFC-4592prop, RFC-1101, RFC-1183exp) |
| Updated by: | |
| RFC-3845 | DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format (Obsoleted by RFC-4033prop, RFC-4035prop, RFC-4034prop) |
| RFC-3757 | Domain Name System KEY (DNSKEY) Resource Record (RR) Secure Entry Point (SEP) Flag (Obsoleted by RFC-4033prop, RFC-4035prop, RFC-4034prop) |
| RFC-3755 | Legacy Resolver Compatibility for Delegation Signer (DS) (Obsoleted by RFC-4033prop, RFC-4035prop, RFC-4034prop) (Updated by RFC-3757, RFC-3845) |
| RFC-3658 | Delegation Signer (DS) Resource Record (RR) (Obsoleted by RFC-4033prop, RFC-4035prop, RFC-4034prop) (Updated by RFC-3755) |
| RFC-3655 | Redefinition of DNS Authenticated Data (AD) bit (Obsoleted by RFC-4033prop, RFC-4035prop, RFC-4034prop) |
| RFC-3597prop | Handling of Unknown DNS Resource Record (RR) Types (Updated by RFC-4033prop, RFC-4035prop, RFC-4034prop) |
| RFC-3445 | Limiting the Scope of the KEY Resource Record (RR) (Obsoleted by RFC-4033prop, RFC-4035prop, RFC-4034prop) |
| RFC-3226prop | DNSSEC and IPv6 A6 aware server/resolver message size requirements (Updated by RFC-4033prop, RFC-4035prop, RFC-4034prop) |
| RFC-3090 | DNS Security Extension Clarification on Zone Status (Obsoleted by RFC-4033prop, RFC-4035prop, RFC-4034prop) (Updated by RFC-3658) |
| RFC-3008 | Domain Name System Security (DNSSEC) Signing Authority (Obsoleted by RFC-4033prop, RFC-4035prop, RFC-4034prop) (Updated by RFC-3658) |
| RFC-3007prop | Secure Domain Name System (DNS) Dynamic Update (Updated by RFC-4033prop, RFC-4035prop, RFC-4034prop) |
| RFC-2931prop | DNS Request and Transaction Signatures ( SIG(0)s ) |
| Referred by: | 67 RFCs |
| Refers to: | 21 RFCs |
Status
This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (1999). All Rights Reserved.
Abstract
Extensions to the Domain Name System (DNS) are described that provide data integrity and authentication to security aware resolvers and applications through the use of cryptographic digital signatures. These digital signatures are included in secured zones as resource records. Security can also be provided through non-security aware DNS servers in some cases.
The extensions provide for the storage of authenticated public keys in the DNS. This storage of keys can support general public key distribution services as well as DNS security. The stored keys enable security aware resolvers to learn the authenticating key of zones in addition to those for which they are initially configured. Keys associated with DNS names can be retrieved to support other protocols. Provision is made for a variety of key types and algorithms.
In addition, the security extensions provide for the optional authentication of DNS protocol transactions and requests.
This document incorporates feedback on RFC 2065 (-> RFC-2535 -> RFC-4033prop | RFC-4034prop | RFC-4035prop) from early implementers and potential users.
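The following is an added example, not text or code from RFC 2535 or from the Zvon page, that models the mechanism the abstract describes: RRsets carrying signatures as resource records (the RFC 2535 SIG RR), a child zone's public key stored as a KEY RR in the parent and signed with the parent's key, and a security-aware resolver that is configured with a single key and learns the child's key only after validating that KEY RRset. Ed25519 from Go's standard library stands in for the RFC 2535 algorithms (RSA/MD5, DSA) purely for the demonstration; the zone names, the address 192.0.2.1, the keys and the canonical encoding are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// RRset is the unit DNSSEC signs: every record at one owner name with one type.
type RRset struct {
	Owner string
	Type  string
	Data  []string
}

// SIG stands in for the RFC 2535 SIG RR: a signature over an RRset's canonical form
// plus the name of the zone whose key produced it.
type SIG struct {
	Signer string
	Sig    []byte
}

// Zone holds signed RRsets. A child zone's KEY RRset is stored here, in the parent,
// and signed with the parent key; that is how a resolver learns keys it was not configured with.
type Zone struct {
	Name   string
	RRsets map[string]RRset
	SIGs   map[string]SIG
}

func rrKey(owner, typ string) string { return strings.ToLower(owner) + "/" + typ }

// canonical serialises an RRset so the signature is independent of record order and name case
// (a constructed encoding, not the RFC 2535 wire format).
func canonical(rr RRset) []byte {
	data := append([]string(nil), rr.Data...)
	sort.Strings(data)
	return []byte(strings.ToLower(rr.Owner) + "|" + rr.Type + "|" + strings.Join(data, ","))
}

func NewZone(name string) *Zone {
	return &Zone{Name: name, RRsets: map[string]RRset{}, SIGs: map[string]SIG{}}
}

// Sign stores an RRset in the zone together with a SIG made by the zone's private key.
func (z *Zone) Sign(priv ed25519.PrivateKey, rr RRset) {
	k := rrKey(rr.Owner, rr.Type)
	z.RRsets[k] = rr
	z.SIGs[k] = SIG{Signer: z.Name, Sig: ed25519.Sign(priv, canonical(rr))}
}

// Resolver is security aware: Trusted starts as the configured trust anchors and grows
// only as KEY RRsets are validated under an already trusted key.
type Resolver struct {
	Trusted map[string]ed25519.PublicKey
}

// Validate returns the RRset only if its SIG verifies under a key the resolver already trusts.
func (r *Resolver) Validate(z *Zone, owner, typ string) (RRset, error) {
	k := rrKey(owner, typ)
	rr, haveRR := z.RRsets[k]
	sig, haveSIG := z.SIGs[k]
	if !haveRR || !haveSIG {
		return RRset{}, errors.New("no signed RRset for " + k)
	}
	pub, ok := r.Trusted[sig.Signer]
	if !ok {
		return RRset{}, errors.New("no trusted key for signer " + sig.Signer)
	}
	if !ed25519.Verify(pub, canonical(rr), sig.Sig) {
		return RRset{}, errors.New("signature does not verify for " + k)
	}
	return rr, nil
}

// LearnKey validates the child's KEY RRset held in the parent zone and, on success, adds the
// child's public key to the trusted set. Nothing is trusted on the child's own say-so.
func (r *Resolver) LearnKey(parent *Zone, child string) error {
	rr, err := r.Validate(parent, child, "KEY")
	if err != nil {
		return err
	}
	pub, err := hex.DecodeString(rr.Data[0])
	if err != nil || len(pub) != ed25519.PublicKeySize {
		return errors.New("malformed KEY RR for " + child)
	}
	r.Trusted[child] = ed25519.PublicKey(pub)
	return nil
}

// BuildExample constructs a root zone, a child zone "example." and a resolver whose only
// trust anchor is the root key. Names, address and keys are constructed sample data.
func BuildExample() (*Zone, *Zone, *Resolver, error) {
	rootPub, rootPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	exPub, exPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	root := NewZone(".")
	root.Sign(rootPriv, RRset{Owner: "example.", Type: "KEY", Data: []string{hex.EncodeToString(exPub)}})
	example := NewZone("example.")
	example.Sign(exPriv, RRset{Owner: "www.example.", Type: "A", Data: []string{"192.0.2.1"}})
	return root, example, &Resolver{Trusted: map[string]ed25519.PublicKey{".": rootPub}}, nil
}

func main() {
	root, example, r, err := BuildExample()
	if err != nil {
		panic(err)
	}
	_, err = r.Validate(example, "www.example.", "A")
	fmt.Println("before learning the example. key:", err)
	if err := r.LearnKey(root, "example."); err != nil {
		panic(err)
	}
	rr, err := r.Validate(example, "www.example.", "A")
	fmt.Println("after learning the example. key:", rr.Data, err)
	// A spoofed answer: the record changes, but the SIG was made over the original data.
	example.RRsets[rrKey("www.example.", "A")] = RRset{Owner: "www.example.", Type: "A", Data: []string{"203.0.113.9"}}
	_, err = r.Validate(example, "www.example.", "A")
	fmt.Println("tampered A RRset:", err)
}
```

The order of operations is the point: the A RRset of `www.example.` fails validation until the resolver has validated `example.`'s KEY RRset under the root key it was configured with, and a substituted A record fails even though the stale SIG is still present. This mirrors the abstract's "security can also be provided through non-security aware DNS servers": the server that hands back these records need not understand them, since the resolver does all the checking.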
Prepared by Miloslav Nic, the founder of Zvon.org, and Pavel Srb.