Domain Name System Security Extensions



RFC 2065                DNS Security Extensions             January 1997


   4.4 Signature Expiration, TTLs, and Validity..............24
   4.5 File Representation of SIG RRs........................25
   5. Non-existent Names and Types...........................26
   5.1 The NXT Resource Record...............................26
   5.2 NXT RDATA Format......................................27
   5.3 Example...............................................28
   5.4 Interaction of NXT RRs and Wildcard RRs...............28
   5.5 Blocking NXT Pseudo-Zone Transfers....................29
   5.6 Special Considerations at Delegation Points...........29
   6. The AD and CD Bits and How to Resolve Securely.........30
   6.1 The AD and CD Header Bits.............................30
   6.2 Boot File Format......................................32
   6.3 Chaining Through Zones................................32
   6.4 Secure Time...........................................33
   7. Operational Considerations.............................33
   7.1 Key Size Considerations...............................34
   7.2 Key Storage...........................................34
   7.3 Key Generation........................................35
   7.4 Key Lifetimes.........................................35
   7.5 Signature Lifetime....................................36
   7.6 Root..................................................36
   8. Conformance............................................36
   8.1 Server Conformance....................................36
   8.2 Resolver Conformance..................................37
   9. Security Considerations................................37
   References................................................38
   Authors' Addresses........................................39
   Appendix: Base 64 Encoding................................40

1. Overview of Contents

   This document describes extensions of the Domain Name System (DNS)
   protocol to support DNS security and public key distribution.  It
   assumes that the reader is familiar with the Domain Name System,
   particularly as described in RFCs 1033, 1034, and 1035.

   Section 2 provides an overview of the extensions and the key
   distribution, data origin authentication, and transaction and request
   security they provide.

   Section 3 discusses the KEY resource record, its structure, use in
   DNS responses, and file representation.  These resource records
   represent the public keys of entities named in the DNS and are used
   for key distribution.

Eastlake & Kaufman          Standards Track