Network Working Group R. Arends Internet-Draft Expires: April 29, 2003 M. Larson VeriSign D. Massey USC/ISI S. Rose NIST October 29, 2002 Resource Records for the DNS Security Extensions draft-ietf-dnsext-dnssec-records-02 Status of this Memo This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http:// www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on April 29, 2003. Copyright Notice Copyright (C) The Internet Society (2002). All Rights Reserved. Abstract This document is part of a family of documents that describe the DNS Security Extensions (DNSSEC). The DNS Security Extensions are a collection of resource records and protocol modifications that provide source authentication for the DNS. This document defines the KEY, DS, SIG, and NXT resource records. The purpose and format of each resource record is descibed in detail and an example of each Arends, et al. Expires April 29, 2003 [Page 1] Internet-Draft DNSSEC Resource Records October 2002 resource record is given. This document obsoletes RFC 2535 and incorporates changes from all updates to RFC 2535. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . 4 1.1 Background and Related Documents . . . . . . . . . . . . . 4 1.2 Reserved Words . . . . . . . . . . . . . . . . . . . . . . 4 1.3 Editors Notes . . . . . . . . . . . . . . . . . . . . . . 4 1.3.1 Open Technical Issues . . . . . . . . . . . . . . . . . . 4 1.3.2 Technical Changes or Corrections . . . . . . . . . . . . . 4 1.3.3 Typos and Minor Corrections . . . . . . . . . . . . . . . 5 2. The KEY Resource Record . . . . . . . . . . . . . . . . . 6 2.1 KEY RDATA Wire Format . . . . . . . . . . . . . . . . . . 6 2.1.1 The Flags Field . . . . . . . . . . . . . . . . . . . . . 6 2.1.2 The Protocol Octet Field . . . . . . . . . . . . . . . . . 7 2.1.3 The Algorithm and Public Key Fields . . . . . . . . . . . 7 2.1.4 Notes on KEY RDATA Design . . . . . . . . . . . . . . . . 7 2.2 The KEY RR Presentation Format . . . . . . . . . . . . . . 7 2.3 KEY RR Example . . . . . . . . . . . . . . . . . . . . . . 7 3. The SIG Resource Record . . . . . . . . . . . . . . . . . 9 3.1 The SIG RDATA . . . . . . . . . . . . . . . . . . . . . . 9 3.1.1 The Type Covered Field . . . . . . . . . . . . . . . . . . 10 3.1.2 The Algorithm Number Field . . . . . . . . . . . . . . . . 10 3.1.3 The Labels Field . . . . . . . . . . . . . . . . . . . . . 10 3.1.4 Original TTL Field . . . . . . . . . . . . . . . . . . . . 10 3.1.5 Signature Expiration and Inception Fields . . . . . . . . 11 3.1.6 The Key Tag Field . . . . . . . . . . . . . . . . . . . . 11 3.1.7 The Signer's Name Field . . . . . . . . . . . . . . . . . 11 3.1.8 The Signature Field . . . . . . . . . . . . . . . . . . . 11 3.2 Calculating A Signature . . . . . . . . . . . . . . . . . 12 3.2.1 Calculating An RRset Signature . . . . . . . . . . . . . . 12 3.2.2 Calculating An Transaction Signature . . . . . . . . . . . 12 3.3 The SIG RR Presentation Format . . . . . . . . . . . . . . 13 3.4 Example of a SIG RR . . . . . . . . . . . . . . . . . . . 13 4. The NXT Resource Record . . . . . . . . . . . . . . . . . 15 4.1 NXT RDATA Wire Format . . . . . . . . . . . . . . . . . . 15 4.1.1 The Next Domain Name Field . . . . . . . . . . . . . . . . 15 4.1.2 The Type Bit Map Field . . . . . . . . . . . . . . . . . . 16 4.1.2.1 Alternate Formats for the Type Bit Map Field . . . . . . . 16 4.1.3 Inclusion of Wildcard Names in NXT RDATA . . . . . . . . . 16 4.2 The NXT RR Presentation Format . . . . . . . . . . . . . . 16 4.3 NXT RR Example . . . . . . . . . . . . . . . . . . . . . . 17 5. The DS Resource Record . . . . . . . . . . . . . . . . . . 18 5.1 DS RDATA Wire Format . . . . . . . . . . . . . . . . . . . 18 5.1.1 The Key Tag Field . . . . . . . . . . . . . . . . . . . . 18 Arends, et al. Expires April 29, 2003 [Page 2] Internet-Draft DNSSEC Resource Records October 2002 5.1.2 The Algorithm Field . . . . . . . . . . . . . . . . . . . 19 5.1.3 The Digest Type Field . . . . . . . . . . . . . . . . . . 19 5.1.4 The Digest Field . . . . . . . . . . . . . . . . . . . . . 19 5.2 The DS RR Presentation Format . . . . . . . . . . . . . . 19 5.3 DS Record Example . . . . . . . . . . . . . . . . . . . . 20 6. IANA Considerations . . . . . . . . . . . . . . . . . . . 21 7. Security Considerations . . . . . . . . . . . . . . . . . 22 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . 23 References . . . . . . . . . . . . . . . . . . . . . . . . 24 Authors' Addresses . . . . . . . . . . . . . . . . . . . . 25 A. DNSSEC Algorithm and Digest Types . . . . . . . . . . . . 26 A.1 DNSSEC Algorithm Types . . . . . . . . . . . . . . . . . . 26 A.1.1 Indiret and Private Algorithm Types . . . . . . . . . . . 26 A.2 DNSSEC Digest Types . . . . . . . . . . . . . . . . . . . 27 B. Key Tag Calculation . . . . . . . . . . . . . . . . . . . 28 B.1 Key Tag for Algorithm 1 - RSA/MD5 . . . . . . . . . . . . 29 C. Canonical Form and Order of Resource Records . . . . . . 30 C.1 Canonical DNS Name Order . . . . . . . . . . . . . . . . . 30 C.2 Canonical RR Form . . . . . . . . . . . . . . . . . . . . 30 C.3 Canonical RR Ordering Within An RRset . . . . . . . . . . 31 C.4 Canonical Ordering of RR Types . . . . . . . . . . . . . . 31 Full Copyright Statement . . . . . . . . . . . . . . . . . 32 Arends, et al. Expires April 29, 2003 [Page 3] Internet-Draft DNSSEC Resource Records October 2002 1. Introduction The DNS Security Extensions (DNSSEC) introduce four resource records: the KEY, SIG, NXT, and DS resource records. This document defines the purpose of each resource record (RR), the RR's RDATA format, and its ASCII representation. An example of each RR type is also given. 1.1 Background and Related Documents This document is part of a family of documents that define the DNS security extensions. The DNS security extensions (DNSSEC) are a collection of resource records and DNS protocol modifications that add source authentication the Domain Name System (DNS). An introduction to DNSSEC and definition of common terms can be found in [13]. A description of DNS protocol modifications can be found in [14]. This document defines the DNSSEC resource records. The reader to assumed to be familiar with the basic DNS concepts described in RFC1034 [1] and RFC1035 [2] and should also be familiar with common DNSSEC terminology as defined in [13]. 1.2 Reserved Words The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [4]. 1.3 Editors Notes 1.3.1 Open Technical Issues The NXT section (Section 4) requires input from the working group. Since the opt-in issue is not resolved, this text describes the NXT record as it was defined in RFC 2535. This section may need to be updated, depending on the outcome of the opt-in discussion. The cryptographic algorithm types (Appendix A) requires input from the working group. The DSA algorithm was moved to OPTIONAL. This had strong consensus in workshops and various discussions and a seperate internet draft solely to move DSA from MANDATORY to OPTIONAL seemed excessive. This draft solicts input on that proposed change. The indirect and private algorithms types (Appendix A) are also worth noting. See the text in that section. 1.3.2 Technical Changes or Corrections Please report technical corrections to dnssec-editors@east.isi.edu. Arends, et al. Expires April 29, 2003 [Page 4] Internet-Draft DNSSEC Resource Records October 2002 To assist the editors, please indicate the text in error and point out the RFC that defines the correct behavior. For a technical change where there is no RFC that defines the correct behavior (or RFCs provide conflicting answers), please post the issue to namedroppers. An example correction to dnssec-editors might be: Page X says "DNSSEC RRs SHOULD be automatically returned in responses." This was true in RFC 2535, but RFC 3225 (Section 3, 3rd paragraph) says the DNSSEC RR types MUST NOT be included in responses unless the resolver indicated support for DNSSEC. 1.3.3 Typos and Minor Corrections Please report any typos corrections to dnssec-editors@east.isi.edu. To assist the editors, please provide enough context for us to quickly find the incorrect text. An example message to dnssec-editors might be: page X says "the DNSSEC standard has been in development for over 1 years". It should read "over 10 years". Arends, et al. Expires April 29, 2003 [Page 5] Internet-Draft DNSSEC Resource Records October 2002 2. The KEY Resource Record DNSSEC uses public key cryptogrpahy to sign and authenticate DNS resource record sets (RRsets). The public keys are stored in KEY resource records and are used in the DNSSEC authentication process described in [14]. In a typical example, a zone signs its authorititave RRsets using a private key and stores the corresponding public key in a KEY RR. A resolver can then use these signatures to authenticate RRsets from the zone. The KEY RR is also used to store public keys associated with other DNS operations, such as SIG(0) [14] and TKEY [9]. In all cases, the KEY RR plays a special role in secure DNS resolution and DNS message processing. The KEY RR is not intended as a record for storing arbitrary public keys. The KEY RR MUST NOT be used to store certificates or public keys that do not directly relate to the DNS infrastructure. Examples of certificates and public keys that MUST NOT be stored in the KEY RR include X.509 certificates, IPSEC public keys, and SSH public keys. The type number for the KEY RR is 25. The KEY RR is class independent. There are no special TTL requirements on the KEY record. DNSSEC best practices documents are encouraged to provide TTL recommendations. 2.1 KEY RDATA Wire Format The RDATA for a KEY RR consists of a 2 octet Flags Fields, a Protocol Octet, a one octet Algorithm Number, and the Public Key. 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Flags | Protocol | Algorithm | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | / / Public Key / / / +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-| 2.1.1 The Flags Field Bit 7 of the Flags field is the Zone Key flag. If bit 7 is 1, then the KEY record holds a DNS zone key and the KEY's owner name MUST be the name of a zone. If bit 7 is 0, then the KEY record holds some Arends, et al. Expires April 29, 2003 [Page 6] Internet-Draft DNSSEC Resource Records October 2002 other type of DNS public key, such as a public key used by SIG(0) or TKEY. Bits 0-6 and 8-15 are reserved for future use and MUST be zero. 2.1.2 The Protocol Octet Field The Protocol Octet field MUST be 3. 2.1.3 The Algorithm and Public Key Fields The Algorithm field identifies the public key's cryptographic algorithm and determines the format of the Public Key field. A list of DNSSEC algorithm types can be found in Appendix A.1 2.1.4 Notes on KEY RDATA Design Although the Protocol Octet field is always 3, it is retained for backwards compatibility with an earlier version of the KEY record. The use of bit 7 as the Zone Key Flag is also due to backwards compatiblity issues. 2.2 The KEY RR Presentation Format A KEY RR may appear as a single line or multiple lines separated with newline characters if those lines are contained with parantheses. The presentation format of the RDATA portion is as follows: The Flag field is represented as an unsigned integer. The Protocol Octet field is represented as the unsigned integer 3. The Algorithm field is represented as an unsigned integer or as an algorithm mnemonic specified in Appendix A.1. The Public Key field is a Base 64 encoding of the Public Key Field. 2.3 KEY RR Example The following KEY RR stores a DNS zone key for isi.edu. isi.edu. 86400 IN KEY 256 3 5 ( AQPT0sh3WjVeRY3WqpBjtf xxDw==) The first four fields specify the owner name, TTL, Class, and RR type (KEY). 256 indicates the Flags field has the zone key bit is set. 3 is the fixed Protocol Octet value. 5 indicates the public key Arends, et al. Expires April 29, 2003 [Page 7] Internet-Draft DNSSEC Resource Records October 2002 algorithm. Appendix A.1 identifies algorithm type 5 as RSA/SHA1 and indicates that the format of the RSA/SHA1 public key field is defined in [12]. The remaining text is a base 64 encoding of the public key. Arends, et al. Expires April 29, 2003 [Page 8] Internet-Draft DNSSEC Resource Records October 2002 3. The SIG Resource Record DNSSEC uses public key cryptogrpahy to sign and authenticate DNS resource record sets (RRsets). The signatures are stored in SIG resource records and are used in the DNSSEC authentication process described in [14]. In a typical example, a zone signs its authorititave RRsets using a private key and stores the corresponding signatures in SIG RRs. A resolver can then use these signatures to authenticate RRsets from the zone. A SIG record contains the signature for an RRset with a particular name, class, and type. The SIG RR is said to "cover" this RRset. The SIG RR also specifies a validity interval for the signature and uses an algorithm signer's name, and key tag to identify the public key (KEY record) that can be used to verify the signature. The signature in SIG RR may also cover a transaction rather than an RRset [14]. In this case, the "Type Covered" field is set to 0 and the SIG RR is refered to as SIG(0) resource record. The type number for the SIG RR type is 24. The SIG RR is class independent, but MUST have the same class as the RRset it covers. The SIG RR TTL SHOULD match the TTL of the RRset it covers. 3.1 The SIG RDATA The RDATA portion of a SIG RR is shown below: 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | type covered | algorithm | labels | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | original TTL | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | signature expiration | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | signature inception | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | key tag | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ signer's name + | / +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-/ / / / signature / Arends, et al. Expires April 29, 2003 [Page 9] Internet-Draft DNSSEC Resource Records October 2002 / / +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 3.1.1 The Type Covered Field The Type Covered field identifies the RRset type covered by the SIG record. If Type Covered field is set to 0, the record is referred to as a SIG(0) RR and its signature covers a transaction rather than a specific RRset. [14] descirbes how to sign transactions using SIG(0) resource records. 3.1.2 The Algorithm Number Field The Algorithm Number field identies the cryptographic algorithm used to create the signature. A list of DNSSEC algorithm types can be found in Appendix A.1 3.1.3 The Labels Field The Labels field specifies the number of labels in the original SIG RR owner name. It is included to handle signatures associated with wildcard owner names. To validate the signature, a resolver requires the original owner name that was used when the signature was created. In most cases, the owner name used when the signature was created is identical to the owner name sent in any response. However, a wildcard owner name will be expanded during the query/response process and [14] describes how the label count is used to reconstruct the original (unexpanded) owner name. The Labels field does not count null labels for root and does not count any initial "*" in a wildcard name. The Labels field MUST be less than or equal to the number of labels in the SIG owner name. For example, "www.example.com." has a label count of 3 and "*.example.com." has a label count of 2. 3.1.4 Original TTL Field The Original TTL field specifies the original TTL of the covered RRset. To validate the signature, a resolver requires the original TTL used when the signature was created. However, caching servers will decrement the TTL and [14] describes how the Original TTL field count Arends, et al. Expires April 29, 2003 [Page 10] Internet-Draft DNSSEC Resource Records October 2002 is used to reconstruct the original (undecremented) TTL. If the Type Covered field is non-zero, the Original TTL value MUST be greater than or equal to the TTL of the SIG record itself. If the Type Covered field is 0 (i.e. a SIG(0) RR), the Original TTL field SHOULD be zero. 3.1.5 Signature Expiration and Inception Fields The Signature Inception and Signature Expiration fields specify a validity period for the signature. The SIG record MUST NOT be used for authentication prior to the inception date and MUST NOT be used for authentication after the expiratiation date. Inception and expiration dates are given as 32-bit unsigned numbers of seconds since the start of 1 January 1970 GMT, ignoring leap seconds. Ring arithmetic [3] to handle 32-bit wrap around. As result, these times can never be more than 68 years in the past or the future and the times are ambiguous modulo ~136 years. A SIG RR can have an expiration time numerically smaller than the inception time if the expiration time is near the 32-bit wrap around point and/ or the signature is long lived. 3.1.6 The Key Tag Field The Key Tag field contains the key tag of the public key (KEY RR) used to authenticate this signature. The process of calculating a key tag is given in Appendix B. 3.1.7 The Signer's Name Field The Signer's Name field identifies the name of the KEY RR used to authenticate this signature. If the Type Covered field is non-zero, the Signer's Name MUST contain the name of the zone containing the covered RRset and the SIG. The signer's name MAY be compressed with standard DNS name compression when being transmitted over the network. If the Type Covered field is 0 (i.e. a SIG(0) RR), the signer's name MUST be the name of the host originating the DNS message as described in [10]. 3.1.8 The Signature Field The Signature field contains the cryptographic signature. If the Type Covered field is non-zero, the signature covers the SIG RDATA (excluding the Signature field) and the RRset specified by the SIG owner name, SIG class, and SIG Type Covered field. Arends, et al. Expires April 29, 2003 [Page 11] Internet-Draft DNSSEC Resource Records October 2002 3.2 Calculating A Signature A signature covers either an RRset or a transaction. RRset signatures and transaction signatures are distinguished by the Type Covered field. RRset signatures have a non-zero Type Covered field. SIG RRs SHOULD NOT be generated for any "meta-type" such as ANY or AXFR. 3.2.1 Calculating An RRset Signature A signature covers the SIG RDATA (excluding the Signature Field itself) and covers the RRset specified by the SIG owner name, SIG class, and SIG Type Covered field. The RRset is in cannonical form (see Appendix C) and the set RR(1),...RR(n) is signed as follows: signature = sign(SIG_RDATA | RR(1) | RR(2)... ) where "|" denotes append SIG_RDATA is the wire format of the SIG RDATA fields with the Signer's Name field in cannonical form. the Signature field excluded. RR(i) = fqdn | class | type | TTL | RDATA length | RDATA fqdn is the Fully Qualified Domain Name in canonical form. All RR(i) MUST have the same fqdn as the SIG RR. All RR(i) MUST have the same class as the SIG RR. All RR(i) MUST have the RR type listed in SIG RR's Type Covered field. All RR(i) MUST have the TTL listed in the SIG Original TTL Field All names in the RDATA field are in canonical form The set of all RR(i) is sorted into cannonical order. 3.2.2 Calculating An Transaction Signature Arends, et al. Expires April 29, 2003 [Page 12] Internet-Draft DNSSEC Resource Records October 2002 3.3 The SIG RR Presentation Format A SIG RR may appear as a single logical line. The presentation format of the RDATA portion is as follows: The Type Covered field is represented by either an unsigned integer or the mnemonic for the RR type. The Algorithm field is represented as an unsigned integer or as an algorithm mnemonic specified in Appendix A.1. The Labels field is represented as an unsigned integer. The Original TTL field is represented as an unsigned integer. It MAY be omitted if it is equal the TTL of the SIG RR. The Signature Inception Time and Expiration Time fields are represented in the form YYYYMMDDHHmmSS, where: YYYY is the year MM is the month number (01-12) DD is the day of the month (01-31) HH is the hour in 24 hours notation (00-23) mm is the minute (00-59) SS is the second (00-59) The Key Tag field is represented as an unsigned integer. The Signer's Name field is represented as a domain name. The Signature field is a Base 64 encoding of the signature. 3.4 Example of a SIG RR The following a SIG RR stores the signature for the the A RRset of host.example.com: host.example.com. 30 IN SIG A 3 3 30 20011231120000 ( 20011108100000 65531 example.com CGr0uS55C4l/2RRc2NrMJbRt4oP+xVxwgMkC rJFXXDsybfEDdwoajAY= ) The first four fields specify the owner name, TTL, Class, and RR type Arends, et al. Expires April 29, 2003 [Page 13] Internet-Draft DNSSEC Resource Records October 2002 (SIG). The "A" represents the Type Covered field. is the algorithm used to create this signature. The first 3 identifies the Algorithm used to create the signature. The second 3 is the number of Labels in the original owner name and the 30 is the Original TTL for this SIG RR and the covered A RRset. The two dates are the expiration and inception dates. 65531 is the Key Tag and example.com. is the Signer's Name. The remaining text is a base 64 encoding of the signature. Note that combination of SIG RR owner name, class, and and Type Covered indicate this SIG covers the "host.example.com" A RRset. The Label value of 3 indicates no wildcard expansion was used. The Algorithm, Signer's Name, and Key Tag indicate this signature can be authenticated using an example.com zone KEY RR whose algorithm is 3 and key tag is 65531. Arends, et al. Expires April 29, 2003 [Page 14] Internet-Draft DNSSEC Resource Records October 2002 4. The NXT Resource Record The NXT resource record lists the RR types present at the NXT's owner name and lists the next canonical name in the zone. The collection of NXT or "next" resource records indicate what RRsets exist in a zone and provide a chain of all authoritative owner names in that zone. This information can be used for authenticated denial of existence, as desribed in [14]. Note that although a zone may contain non-authoritiative glue address records, these non-authoritative glue records MUST NOT be used when contructing the NXT resource record chain. The type number for the NXT RR is 30. The NXT RR is class independent. The NXT RR TTL SHOULD NOT exceed the minimum TTL in the zone's SOA RR. 4.1 NXT RDATA Wire Format The RDATA of the NXT RR is as shown below: 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ / next domain name / +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ / type bit map / +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 4.1.1 The Next Domain Name Field The Next Domain Name field contains the next authoritive owner name in canonical order, where canonical order is defined in Appendix C.1. For the last owner name in the zone, the Next Domain Name field contains the zone apex name. The Next Domain Name field allows message compression. Note that non-authoritative glue address record names may exist in a zone, but these non-authoritative glue records MUST NOT be listed in the Next Domain Name. Any non-authoritative glue records are ignored (treated as though they were never present) when constructing an NXT. Arends, et al. Expires April 29, 2003 [Page 15] Internet-Draft DNSSEC Resource Records October 2002 4.1.2 The Type Bit Map Field The Type Bit Map field identifies the RRset types that exist at the NXT's owner name. Each bit in the Type Bit Map field corresponds to an RR type. Bit one corresponds to RR type 1 (A), bit 2 corresponds to RR type 2 (NS), and so forth. If a bit is set to 1, it indicates that an RRset of that type exists for the NXT's owner name. If a bit is set to zero, it indicates that no RRset of that type exists for the NXT's owner name. Trailing zero octets MUST be omitted. Thus the length of the Type Bit Map field varies and is dependent on the largest RR type present for the NXT's owner name. Trailing zero octets not specified MUST be interpreted as zero octets. Non-authoritative glue address record types MUST NOT be used when constructing the type bit map field. The OPT RR [8] type (41) also MUST NOT be used when constructing the type bit map field since it is not part of the zone data. In other words, the OPT RR type bit (bit 41) MUST be zero. 4.1.2.1 Alternate Formats for the Type Bit Map Field The above Type Bit Map format MUST NOT be used when an RR type number greater than 127 is in use. Bit 0 in the Type Bit Map Field is used to indicate an alternate format for the Type Bit Map field. If bit 0 is set to 1, it indicates some other format is being used for this field. No alternate formats are defined as of this writing. 4.1.3 Inclusion of Wildcard Names in NXT RDATA If a wildcard owner name appears in a zone, the wildcard is treated as a literal symbol and is treated the same as any other owner name. Wildcard owner names appear (unexpanded) in the Next Domain Name field without any wildcard expansion. [14] describes the impact of wildcards on authetnicated denial of existence. 4.2 The NXT RR Presentation Format A NXT RR may appear as a single line. The presentation format of the RDATA portion is as follows: The Next Domain Name field is represented as a domain name. Arends, et al. Expires April 29, 2003 [Page 16] Internet-Draft DNSSEC Resource Records October 2002 The Type Bit Map field is represented as a sequence of RR type mnemonics or as a sequence of unsigned integers denoting the RR types. 4.3 NXT RR Example The following NXT RR identifies the RRsets associated with a.example.com and identifies the next authoritative name after a.example.com. a.example.com. 86400 IN NXT c.example.com. A MX NXT The first four fields specify the name, TTL, Class, and RR type (NXT). The entry c.example.com is the next authoritative name after a.example.com (in cannonical order). The A MX and NXT nnemonics indicate there are A, MX, and NXT RRsets associated with the name a.example.com. Note the NXT record can be used for authenticted denial of existence. If the example NXT record were authenticed, it could be used to prove that b.example.com does not exist or could be used to prove there is no AAAA record assoicated with a.example.com. Authenticated denial of existence is discussed in [14] Arends, et al. Expires April 29, 2003 [Page 17] Internet-Draft DNSSEC Resource Records October 2002 5. The DS Resource Record The DS Resource Record points to a KEY RR and is used in the DNS KEY authentication process. A DS RR points to a KEY RR by storing the key tag, algorithm number, and a digest of KEY RR. Note that while the digest should be sufficient to identify key, storing the key tag and key algorithm helps make the identification process more efficient and more secure. By authenticating the DS record, a resolver can authenticate the KEY RR pointed to by the DS record. The key authentication proces is described in [14]. The DS RR and its corresponding KEY RR both have the same owner name, but they are stored in different locations. The DS RR is the first resource record that appears only on the upper side of a delegation. In other words, the DS RR for "example.com" is stored in "com" (the upper side of the delegation). The corresponding KEY RR is stored in the "example.com" zone (the lower side of the delegation). This simplifies DNS zone management and zone signing, but introduces special response processing requirements that are described in [14]. The type number for the DS record is 43. The DS resource record is class independent. There are no special TTL requirements on the DS resource record. DNSSEC best practices documents are encouraged to provide TTL recommendations. 5.1 DS RDATA Wire Format The RDATA for a DS RR consists of 2 octet Key Tag, a one octet Algorithm Number, a one octet Digest Type, and a Digest. 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | key tag | algorithm | Digest type | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Digest / / / / / +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 5.1.1 The Key Tag Field The Key Tag field lists the key tag of the KEY RR pointed to by the DS record. The KEY RR MUST be a a zone key. In other words, the KEY Arends, et al. Expires April 29, 2003 [Page 18] Internet-Draft DNSSEC Resource Records October 2002 RR Flags must have Flags bit 7 set to 1. The key tag used by the DS RR is identical to the key tag used by the SIG RR and Appendix B describes how to compute a key tag. 5.1.2 The Algorithm Field The Algorithm field lists the algorithm number of the KEY RR pointed to by the DS record. The algorithm number used by the DS RR is identical to the algorithm number used by the SIG RR and KEY RR. Appendix A.1 lists the algorithm number types. 5.1.3 The Digest Type Field The DS RR points to a KEY RR by including a digest of that KEY RR. The Digest Type field identifes the algorithm used to construct the digest and Appendix A.2 lists the possible digest algorithm types. 5.1.4 The Digest Field The DS record points to a KEY RR by including a digest of that KEY RR. The Digest field hold the digest. For a given KEY RR, the digest is calculated by appending the KEY RR's cannonical fully qualified owner name with the KEY RDATA and then applying the digest algorithm. digest = digest_algorithm( cannonical FQDN of KEY RR | KEY_RR_rdata) "|" denotes append KEY_RR_rdata = Flags | Protocol | Algorithm | Public Key The size of the digest can vary depending on the digest algorithm and KEY RR size. However, the only currently defined digest algorithm is SHA-1 and it always produces a 24 byte digest regardless of KEY RR size. 5.2 The DS RR Presentation Format A DS RR may appear as a single line or multiple lines separated with newline characters if those lines are contained within parantheses. The presentation format of the RDATA portion is as follows: The Key Tag field is represented as an unsigned integer. Arends, et al. Expires April 29, 2003 [Page 19] Internet-Draft DNSSEC Resource Records October 2002 The Algorithm field is represented as an unsigned integer or as an algorithm mnemonic specified in Appendix A.1. The Digest Type field is represented as an unsigned integer. The Digest is presented in hexadecimal. 5.3 DS Record Example The following example shows a KEY RR and its corresponding DS RR. dskey.example. 86400 IN KEY 256 3 1 ( AQPwHb4UL1U9RHaU8qP+Ts5bVOU 1s7fYbj2b3CCbzNdj4+/ECd18yKiy UQqKqQFWW5T3iVc8SJOKnueJHt/Jb /wt) ; key tag = 28668 dskey.example. 3600 IN DS 28668 1 1 49FD46E6C4B45C55D4AC69CBD3CD34AC1AFE51DE The first four fields specify the name, TTL, Class, and RR type (DS). 28668 is the key tag for the corresponding "dskey.example." KEY RR and 1 algorithm used by this "dskey.example." KEY RR. The second 1 is the algorithm used to construct the digest and the final string is the digest in hex. Arends, et al. Expires April 29, 2003 [Page 20] Internet-Draft DNSSEC Resource Records October 2002 6. IANA Considerations This document introduces no new IANA considerations. This document only clarifies the use of existing DNS resource records. However for completeness, the IANA considerations from these previous documents are summarized below. No IANA changes are made by this document. RFC 2535 updated the IANA registry for DNS Resource Record Types and assigned types 24,25, and 30 to the SIG, KEY, and NXT (respectively). [DS RFC] assigned DNS Resource Record Type 43 to DS. RFC 2535 created an IANA registry for DNSSEC Resource Record Algorithm Numbers. Values to 1-4, and 252-255 were assigned by RFC 2535. Value 5 was assigned by RFC 3110. [DS RFC] created an IANA registry for DNSSEC DS Digest Types and assigned value 0 to reserved and value 1 to RSA/SHA-1. RFC 2535 created an IANA Registry to KEY Protocol Octet Values, but [KeyRestrict RFC] set all assigned values other than 3 to reserved and closed this IANA registry. The registry remains closed and all KEY records are required to have Protocol Octet value of 3. The Flag bits in the KEY RR are not assigned by IANA and there is no IANA registry for these flags. All changes to the meaning of the KEY RR Flag bits require a standards action. Arends, et al. Expires April 29, 2003 [Page 21] Internet-Draft DNSSEC Resource Records October 2002 7. Security Considerations This document describes the format of four DNS resource records used by the DNS security extensions and presents an algorithm for calculating a key tag for a public key. Other than the items desribed below, the resource records themselves introduce no security considerations. The use of these records is specified in a seperate document and security considerations related to the use these resource records are discussed in that document. The DS record points to a KEY RR using a cryptographic digest, the key algorithm type and a key tag. The DS record is intended to identify an existing KEY RR, but it is theoretically possibile for an attacker to generate a KEY that matches all the DS fields. The probability of constructing such a matching KEY depends on the type of digest algorithm in use and the only currently defined digest algorithm is SHA1. It is considered very difficult to constuct a public key that matches the algorithm, key tag, and SHA1 digest given in a DS record. The key tag is used to help efficiently select KEY resource records, but it does not uniquely identify a KEY resource record. It is possible that two distinct KEY RRs could have the same owner name, same algorithm type and same key tag. An implementation that used only the key tag to select a KEY RR may select the wrong public key for a given scenario. Implementations MUST NOT assume the key tag is unique public key identifier and this is clearly stated in the text. Arends, et al. Expires April 29, 2003 [Page 22] Internet-Draft DNSSEC Resource Records October 2002 8. Acknowledgements This document was created from the input and ideas of several members of the DNS Extensions Working Group and working group mailing list. The co-authors of this draft would like to express their thanks for the comments and suggestions received during the revision of these security extension specifications. Arends, et al. Expires April 29, 2003 [Page 23] Internet-Draft DNSSEC Resource Records October 2002 References [1] Mockapetris, P., "Domain names - concepts and facilities", STD 13, RFC 1034, November 1987. [2] Mockapetris, P., "Domain names - implementation and specification", STD 13, RFC 1035, November 1987. [3] Elz, R. and R. Bush, "Serial Number Arithmetic", RFC 1982, August 1996. [4] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [5] Elz, R. and R. Bush, "Clarifications to the DNS Specification", RFC 2181, July 1997. [6] Eastlake, D., "Domain Name System Security Extensions", RFC 2535, March 1999. [7] Eastlake, D., "DSA KEYs and SIGs in the Domain Name System (DNS)", RFC 2536, March 1999. [8] Vixie, P., "Extension Mechanisms for DNS (EDNS0)", RFC 2671, August 1999. [9] Eastlake, D., "Secret Key Establishment for DNS (TKEY RR)", RFC 2930, September 2000. [10] Eastlake, D., "DNS Request and Transaction Signatures ( SIG(0)s)", RFC 2931, September 2000. [11] Wellington, B., "Secure Domain Name System (DNS) Dynamic Update", RFC 3007, November 2000. [12] Eastlake, D., "RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS)", RFC 3110, May 2001. [13] Arends, R., Larson, M., Massey, D. and S. Rose, "DNSSEC Intro", October 2002. [14] Arends, R., Larson, M., Massey, D. and S. Rose, "DNSSEC Protocol", October 2002. [15] Massey, D. and S. Rose, "Limiting the Scope of the KEY Resource Record", draft-ietf-dnsext-restrict-key-for-dnssec-02 (work in progress), March 2002. Arends, et al. Expires April 29, 2003 [Page 24] Internet-Draft DNSSEC Resource Records October 2002 Authors' Addresses Roy Arends Bankastraat 41-E 1094 EB Amsterdam NL EMail: roy@logmess.com Matt Larson VeriSign, Inc. 21345 Ridgetop Circle Dulles, VA 20166-6503 USA EMail: mlarson@verisign.com Dan Massey USC Information Sciences Institute 3811 N. Fairfax Drive Arlington, VA 22203 USA EMail: masseyd@isi.edu Scott Rose National Institute for Standards and Technology 100 Bureau Drive Gaithersburg, MD 20899-8920 USA EMail: scott.rose@nist.gov Arends, et al. Expires April 29, 2003 [Page 25] Internet-Draft DNSSEC Resource Records October 2002 Appendix A. DNSSEC Algorithm and Digest Types The DNS security exstentions are designed to be independent of the underlying cryptographic algorithms. The KEY, SIG, and DS resource records all use a DNSSEC Algorithm Number to identify the crytographic algorithm in use by the resource record. The DS resource record also specifies a Digest Algorithm Number to identify the digest algorithm used to construct the DS record. The currently defined Algorithm and Digest Types are listed below. Additional Algorithm or Digest Types could be added as advances in cryptography warrant. A DNSSEC aware resolver or name server MUST implement all MANDATORY algorithms. A.1 DNSSEC Algorithm Types An "Algorithm Number" field in the KEY, SIG, and DS resource record types identifies the cryptographic algorithm used by the resource record. Algorithm specific formats are described in separate documents. The following table lists the currently defined algorithm types and provides references to their supporting documents: VALUE Algorithm RFC STATUS 0 Reserved - - 1 RSA/MD5 RFC 2537 NOT RECOMMENDED 2 Diffie-Hellman RFC 2539 OPTIONAL 3 DSA RFC 2536 OPTIONAL 4 elliptic curve TBA OPTIONAL 5 RSA/SHA1 RFC 3110 MANDATORY 6-251 available for assignment - 252 indirect see below OPTIONAL 253 private see below OPTIONAL 254 private see below OPTIONAL 255 reserved - - A.1.1 Indiret and Private Algorithm Types RFC 2535 describes Algorithm number 252 as an indirect key format where the actual key material is elsewhere. This format was to be defined in a separate document. In the years between RFC 2535 and this document, no indirect key document has been prodcued. Algorithm number 253 is reserved for private use and will never be assigned to a specific algorithm. The public key area in the KEY RR and the signature area in the SIG RR begin with a wire encoded domain name. Only local domain name compression is permitted. The domain Arends, et al. Expires April 29, 2003 [Page 26] Internet-Draft DNSSEC Resource Records October 2002 name indicates the private algorithm to use and the remainder of the public key area is determined by that algorithm. Entities should only use domain names they control to designate their private algorithms. Algorithm number 254 is reserved for private use and will never be assigned to a specific algorithm. The public key area in the KEY RR and the signature area in the SIG RR begin with an unsigned length byte followed by a BER encoded Object Identifier (ISO OID) of that length. The OID indicates the private algorithm in use and the remainder of the area is whatever is required by that algorithm. Entities should only use OIDs they control to designate their private algorithms. Editors Note: There is currently no use of or operational experience with these algorithms. The editors (at least Dan!) recommend that these algorithm types be eliminated. We don't need this in the base spec and every other algorithm type requires a seperate document to describe it in detail. Note eliminating these from the base spec would not elminate any future functionality since there are 200+ available algorithm numbers. Anyone who feels they need this type of algorithm (or a similar algorithm) can write the document clearly describing it. A.2 DNSSEC Digest Types A "Digest Type" field in the DS resource record types identifies the cryptographic digest algorithm used by the resource record. The following table lists the currently defined digest algorithm types. VALUE Algorithm STATUS 0 Reserved - 1 RSA/SHA-1 MANDATORY 2-255 Unassigned - Arends, et al. Expires April 29, 2003 [Page 27] Internet-Draft DNSSEC Resource Records October 2002 Appendix B. Key Tag Calculation The key tag field provides a mechanism for efficiently selecting a public key. In most cases, a combination of owner name, algorithm, and key tag can efficiently identify a KEY record. For example, both the SIG and DS resource records have corresponding KEY records. A Key Tag field in the SIG and DS records can be used to help efficiently select the corresponding KEY RR when there is more than one candidate KEY RR available. However, it is essential to note that the key tag is not a unique identifier. It is theoretically possible for two distinct KEY RRs to have the same owner name, same algorithm, and same key tag. The key tag is used to efficiently limit the possible candidate keys but it does not uniquely identify a KEY record. Implementations MUST NOT assume the key tag uniquely idenifies a KEY RR. The following ANSI C reference implementation is provided for calculating a Key Tag. This reference implementation applies to all algorithm types except algorithm 1 (see Appendix B.1). The input is the public key material in base 64, not the entire RDATA of the KEY record that contains the public key. The code is written for clarity, not efficiency. /* assumes int is at least 16 bits first byte of the key tag is the most significant byte of return value second byte of the key tag is the least significant byte of return value */ int keytag ( unsigned char key[], /* the RDATA part of the KEY RR */ unsigned int keysize, /* the RDLENGTH */ ) { long int ac; /* assumed to be 32 bits or larger */ for ( ac = 0, i = 0; i < keysize; ++i ) ac += (i&1) ? key[i] : key[i]<<8; ac += (ac>>16) & 0xFFFF; return ac & 0xFFFF; } Arends, et al. Expires April 29, 2003 [Page 28] Internet-Draft DNSSEC Resource Records October 2002 B.1 Key Tag for Algorithm 1 - RSA/MD5 Algorithm 1 - RSA/MD5 key tag is the only algoritm that does not use the key tag defined above. For a KEY RR with algorithm 1, the key tag is the most signifigant 16 bits of the least signifigant 24 bits in the public key modulus. In others, the 4th to last and 3rd to last octets in the key modulus. Note that Algorithm 1 is NOT RECOMMENDED. Arends, et al. Expires April 29, 2003 [Page 29] Internet-Draft DNSSEC Resource Records October 2002 Appendix C. Canonical Form and Order of Resource Records This section defines a canonical form for resource records (RRs) and defines a name order and overall order. A canonical name order is required to construct the NXT name chain. A canonical RR form and ordering within an RRset is required to construct and verify SIG RRs. C.1 Canonical DNS Name Order For purposes of DNS security, owner names are sorted by treating individual labels as unsigned left justified octet strings. The absence of a octet sorts before a zero value octet and upper case letters are treated as lower case letters. To sort names in a zone, first sort all names based on only the highest level label. Next if multiple names appear within a level, sort based on the next highest level label. Repeat until all names have been sorted down to leaf node labels. For example, the following names are sorted in canonical DNS name order. The highest label is label level is foo.example. At this level, foo.example sorts first, followed by all names ending in a.foo.example and then all names ending z.foo.example. The names withing the a.foo.example level and z.foo.example level are sorted. foo.example a.foo.example yljkjljk.a.foo.example Z.a.foo.example zABC.a.FOO.EXAMPLE z.foo.example *.z.foo.example \200.z.foo.example C.2 Canonical RR Form For purposes of DNS security, the canonical form for an RR is the wire format of the RR with (1) all domain names fully expanded (no name compression via pointers) (2) all domain name letters set to lower case (3) any owner name wild cards in master file form (no substitution made for *) (4) the original TTL substituted for the current TTL. Arends, et al. Expires April 29, 2003 [Page 30] Internet-Draft DNSSEC Resource Records October 2002 C.3 Canonical RR Ordering Within An RRset For purposes of DNS security, RRs with same owner name and same type are sorted by treating the RDATA as a left justified unsigned octet sequence. The absence of an octet sorts before the zero octet. C.4 Canonical Ordering of RR Types RRs with the same owner name but different types are sorted based on the RR type number. The exception to this rule are SIG RRs, which are placed immediately after the type they cover. For example, an A record would be put before an MX record because type 1 (A) and is lower than type 15 (MX). If the A and MX records were both signed, the order would be A < SIG(A) < MX < SIG(MX). Arends, et al. Expires April 29, 2003 [Page 31] Internet-Draft DNSSEC Resource Records October 2002 Full Copyright Statement Copyright (C) The Internet Society (2002). All Rights Reserved. This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English. The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns. This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Acknowledgement Funding for the RFC Editor function is currently provided by the Internet Society. Arends, et al. Expires April 29, 2003 [Page 32]