RFC 2137 (rfc2137) - Page 2 of 11


Secure Domain Name System Dynamic Update



Alternative Format: Original Text Document



RFC 2137                         SDNSDU                       April 1997


      3.2 Zone Keys and Update Modes.............................8
      3.3 Wildcard Key Punch Through.............................9
      4. Update Signatures.......................................9
      4.1 Update Request Signatures..............................9
      4.2 Update Data Signatures................................10
      5. Security Considerations................................10
      References................................................10
      Author's Address..........................................11

1. Introduction

   Dynamic update operations have been defined for the Domain Name
   System (DNS) in RFC 2136, but without a detailed description of
   security for those updates.  Means of securing the DNS and using it
   for key distribution have been defined in RFC 2065.

   This memo proposes techniques based on the defined DNS security
   mechanisms to authenticate DNS updates.

   Familiarity with the DNS system [RFC 1034, 1035] is assumed.
   Familiarity with the DNS security and dynamic update proposals will
   be helpful.

1.1 Overview of DNS Dynamic Update

   DNS dynamic update defines a new DNS opcode, new DNS request and
   response structure if that opcode is used, and new error codes.  An
   update can specify complex combinations of deletion and insertion
   (with or without pre-existence testing) of resource records (RRs)
   with one or more owner names; however, all testing and changes for
   any particular DNS update request are restricted to a single zone.
   Updates occur at the primary server for a zone.

   The primary server for a secure dynamic zone must increment the zone
   SOA serial number when an update occurs or the next time the SOA is
   retrieved if one or more updates have occurred since the previous SOA
   retrieval and the updates themselves did not update the SOA.

1.2 Overview of DNS Security

   DNS security authenticates data in the DNS by also storing digital
   signatures in the DNS as SIG resource records (RRs).  A SIG RR
   provides a digital signature on the set of all RRs with the same
   owner name and class as the SIG and whose type is the type covered by
   the SIG.  The SIG RR cryptographically binds the covered RR set to
   the signer, time signed, signature expiration date, etc.  There are
   one or more keys associated with every secure zone and all data in
   the secure zone is signed either by a zone key or by a dynamic update



Eastlake                    Standards Track