Secure Domain Name System Dynamic Update
RFC 2137                         SDNSDU                       April 1997


   key tracing its authority to a zone key.

   DNS security also defines transaction SIGs and request SIGs.
   Transaction SIGs appear at the end of a response.  Transaction SIGs
   authenticate the response and bind it to the corresponding request
   with the key of the host where the responding DNS server is.  Request
   SIGs appear at the end of a request and authenticate the request with
   the key of the submitting entity.

   Request SIGs are the primary means of authenticating update requests.

   DNS security also permits the storage of public keys in the DNS via
   KEY RRs.  These KEY RRs are also, of course, authenticated by SIG
   RRs.  KEY RRs for zones are stored in their superzone and subzone
   servers, if any, so that the secure DNS tree of zones can be
   traversed by a security aware resolver.

2. Two Basic Modes

   A dynamic secure zone is any secure DNS zone containing one or more
   KEY RRs that can authorize dynamic updates, i.e., entity or user KEY
   RRs with the signatory field non-zero, and whose zone KEY RR
   signatory field indicates that updates are implemented. There are two
   basic modes of dynamic secure zone which relate to the update
   strategy, mode A and mode B.  A summary comparison table is given
   below and then each mode is described.

Eastlake                    Standards Track