RFC - 4035
Protocol Modifications for the DNS Security Extensions
| Original: | ftp://ftp.isi.edu/in-notes/rfc4035.txt |
|---|---|
| Authors: | R. Arends [Telematica Instituut], R. Austein [3755, 3757, 3845], M. Larson [3007, 3597, 3226], D. Massey [Colorado State University], S. Rose [NIST] |
| Date: | March 2005 |
| Category: | Proposed Standard |
| Obsoletes: | |
|---|---|
| RFC-3845 | DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format (Obsoleted by RFC-4033prop, RFC-4035prop, RFC-4034prop) |
| RFC-3757 | Domain Name System KEY (DNSKEY) Resource Record (RR) Secure Entry Point (SEP) Flag (Obsoleted by RFC-4033prop, RFC-4035prop, RFC-4034prop) |
| RFC-3755 | Legacy Resolver Compatibility for Delegation Signer (DS) (Obsoleted by RFC-4033prop, RFC-4035prop, RFC-4034prop) (Updated by RFC-3757, RFC-3845) |
| RFC-3658 | Delegation Signer (DS) Resource Record (RR) (Obsoleted by RFC-4033prop, RFC-4035prop, RFC-4034prop) (Updated by RFC-3755) |
| RFC-3655 | Redefinition of DNS Authenticated Data (AD) bit (Obsoleted by RFC-4033prop, RFC-4035prop, RFC-4034prop) |
| RFC-3445 | Limiting the Scope of the KEY Resource Record (RR) (Obsoleted by RFC-4033prop, RFC-4035prop, RFC-4034prop) |
| RFC-3090 | DNS Security Extension Clarification on Zone Status (Obsoleted by RFC-4033prop, RFC-4035prop, RFC-4034prop) (Updated by RFC-3658) |
| RFC-3008 | Domain Name System Security (DNSSEC) Signing Authority (Obsoleted by RFC-4033prop, RFC-4035prop, RFC-4034prop) (Updated by RFC-3658) |
| RFC-2535 | Domain Name System Security Extensions (Obsoleted by RFC-4033prop, RFC-4035prop, RFC-4034prop) (Updated by RFC-3755, RFC-3757, RFC-3226prop, RFC-3658, RFC-3655, RFC-3007prop, RFC-3008, RFC-3845, RFC-3597prop, RFC-3445, RFC-3090, RFC-2931prop) |
| Updates: | |
|---|---|
| RFC-3597prop | Handling of Unknown DNS Resource Record (RR) Types (Updated by RFC-4033prop, RFC-4035prop, RFC-4034prop) |
| RFC-3226prop | DNSSEC and IPv6 A6 aware server/resolver message size requirements (Updated by RFC-4033prop, RFC-4035prop, RFC-4034prop) |
| RFC-3225prop | Indicating Resolver Support of DNSSEC (Updated by RFC-4033prop, RFC-4035prop, RFC-4034prop) |
| RFC-3007prop | Secure Domain Name System (DNS) Dynamic Update (Updated by RFC-4033prop, RFC-4035prop, RFC-4034prop) |
| RFC-2308prop | Negative Caching of DNS Queries (DNS NCACHE) (Updated by RFC-4033prop, RFC-4035prop, RFC-4034prop) |
| RFC-2181prop | Clarifications to the DNS Specification (Updated by RFC-4033prop, RFC-4035prop, RFC-4034prop, RFC-2535, RFC-4343prop) |
| RFC-2136prop | Dynamic Updates in the Domain Name System (DNS UPDATE) (Updated by RFC-4033prop, RFC-4035prop, RFC-4034prop, RFC-3007prop) |
| RFC-1035std13 [STD 13] |
Domain names - implementation and specification (Updated by RFC-1876exp, RFC-1348, RFC-4033prop, RFC-4035prop, RFC-4034prop, RFC-2308prop, RFC-2065, RFC-2845prop, RFC-2181prop, RFC-1995prop, RFC-1996prop, RFC-2535, RFC-4343prop, RFC-3658, RFC-1982prop, RFC-2136prop, RFC-3425prop, RFC-1101, RFC-1183exp, RFC-2137) |
| RFC-1034std13 [STD 13] |
Domain names - concepts and facilities (Updated by RFC-1876exp, RFC-1348, RFC-4033prop, RFC-4035prop, RFC-4034prop, RFC-2308prop, RFC-2065, RFC-2181prop, RFC-2535, RFC-4343prop, RFC-1982prop, RFC-4592prop, RFC-1101, RFC-1183exp) |
| Updated by: | |
|---|---|
| RFC-4470prop | Minimally Covering NSEC Records and DNSSEC On-line Signing |
| Referred by: | 18 RFC |
| Refers to: | 16 RFC |
Status
This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2005).
Abstract
This document is part of a family of documents that describe the DNS Security Extensions (DNSSEC). The DNS Security Extensions are a collection of new resource records and protocol modifications that add data origin authentication and data integrity to the DNS. This document describes the DNSSEC protocol modifications. This document defines the concept of a signed zone, along with the requirements for serving and resolving by using DNSSEC. These techniques allow a security-aware resolver to authenticate both DNS resource records and authoritative DNS error indications.
This document obsoletes RFC 2535 and incorporates changes from all updates to RFC 2535.
-
prepared by Miloslav Nic
- the founder of Zvon.org and Law-Ref.org
- the head of B.Sc. program Informatics and chemistry [in Czech]
- the founder of Lidem.org - Volby 2006 - parliamentary elections in the Czech Republic [in Czech]
- the chief consultant of the publishing house ICT Press
- and Pavel Srb, a student of B.Sc. program Informatics and chemistry