Secure Domain Name System Dynamic Update
RFC 2137 SDNSDU April 1997
key tracing its authority to a zone key.
DNS security also defines transaction SIGs and request SIGs.
Transaction SIGs appear at the end of a response. Transaction SIGs
authenticate the response and bind it to the corresponding request
with the key of the host where the responding DNS server is. Request
SIGs appear at the end of a request and authenticate the request with
the key of the submitting entity.
Request SIGs are the primary means of authenticating update requests.
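The two signature kinds described above, modelled as an added example that is not part of RFC 2137 or any DNS implementation. Real DNS security uses public-key SIG RRs; here an HMAC over the covered data stands in for the signature so the example runs with only the Python standard library, and the keys and messages are constructed. One assumption beyond the text is the exact data a transaction SIG covers: the example signs the response followed by the request it answers (request SIG included), which is what binds the response to that one request.

```python
"""Toy model of request SIGs and transaction SIGs (added example, not RFC text).

An HMAC-SHA256 stands in for the RFC's public-key SIG RR; the structure of
what is signed, and with whose key, is the point being shown."""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed keys. The request SIG is made with the key of the submitting
# entity; the transaction SIG with the key of the host running the responding
# server. They are distinct keys held by distinct parties.
SUBMITTER_KEY = b"constructed-submitter-entity-key"
SERVER_HOST_KEY = b"constructed-responding-host-key"


def make_sig(key: bytes, covered: bytes) -> bytes:
    """Stand-in for a SIG RR over `covered` (HMAC instead of a public-key signature)."""
    return hmac.new(key, covered, hashlib.sha256).digest()


@dataclass(frozen=True)
class SignedMessage:
    body: bytes   # the DNS message (request or response) without its trailing SIG
    sig: bytes    # the SIG that appears at the end of the message


def sign_request(request: bytes, submitter_key: bytes = SUBMITTER_KEY) -> SignedMessage:
    """Request SIG: appended to the request, authenticates it with the submitter's key."""
    return SignedMessage(request, make_sig(submitter_key, request))


def verify_request(msg: SignedMessage, submitter_key: bytes = SUBMITTER_KEY) -> bool:
    """Server-side check of a request SIG against the submitter's key."""
    return hmac.compare_digest(make_sig(submitter_key, msg.body), msg.sig)


def sign_response(response: bytes, request: SignedMessage,
                  host_key: bytes = SERVER_HOST_KEY) -> SignedMessage:
    """Transaction SIG: appended to the response, made with the responding host's key.

    Assumption of this example: the covered data is the response followed by the
    request (body and request SIG), so the signature is tied to that request."""
    covered = response + request.body + request.sig
    return SignedMessage(response, make_sig(host_key, covered))


def verify_response(msg: SignedMessage, request: SignedMessage,
                    host_key: bytes = SERVER_HOST_KEY) -> bool:
    """A resolver checks the transaction SIG against the request it actually sent."""
    covered = msg.body + request.body + request.sig
    return hmac.compare_digest(make_sig(host_key, covered), msg.sig)


def demo() -> dict:
    """Run the exchange on constructed messages and report each check's outcome."""
    req = sign_request(b"UPDATE example.test ADD host1 A 192.0.2.10")
    other_req = sign_request(b"UPDATE example.test ADD host2 A 192.0.2.11")
    resp = sign_response(b"NOERROR", req)
    # A request signed with some other key, and a response whose body was altered.
    bad_key_req = SignedMessage(req.body, make_sig(b"constructed-wrong-key", req.body))
    altered_resp = SignedMessage(b"NXDOMAIN", resp.sig)
    return {
        "request_ok": verify_request(req),
        "wrong_key_request_rejected": not verify_request(bad_key_req),
        "response_ok": verify_response(resp, req),
        "response_bound_to_its_request": not verify_response(resp, other_req),
        "altered_response_rejected": not verify_response(altered_resp, req),
    }


if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check}: {passed}")
```

The check that fails when the response is verified against `other_req` is the binding the text refers to: a valid response to one request cannot be replayed as the answer to a different one.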
DNS security also permits the storage of public keys in the DNS via
KEY RRs. These KEY RRs are also, of course, authenticated by SIG
RRs. KEY RRs for zones are stored in their superzone and subzone
servers, if any, so that the secure DNS tree of zones can be
traversed by a security aware resolver.
2. Two Basic Modes
A dynamic secure zone is any secure DNS zone containing one or more
KEY RRs that can authorize dynamic updates, i.e., entity or user KEY
RRs with the signatory field non-zero, and whose zone KEY RR
signatory field indicates that updates are implemented. There are two
basic modes of dynamic secure zone which relate to the update
strategy, mode A and mode B. A summary comparison table is given
below and then each mode is described.
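The definition of a dynamic secure zone just given, as an added example that is not part of RFC 2137. It applies the two conditions from the text to a constructed set of KEY RRs: the zone's own KEY RR must have a non-zero signatory field (updates implemented), and at least one user or entity KEY RR must also have a non-zero signatory field (a key that can authorize updates). The layout of the 16-bit KEY RR flags field is this example's reading of RFC 2065 (bits 6-7 name type, bits 12-15 signatory, with bit 0 the most significant), which this page does not itself state.

```python
"""Decide whether a zone is a dynamic secure zone (added example, not RFC text)."""
from dataclasses import dataclass
from typing import Iterable, List

# KEY RR name-type values as this example reads RFC 2065 (bits 6-7 of the flags):
NAME_TYPE_USER = 0   # user/account key
NAME_TYPE_ZONE = 1   # zone key
NAME_TYPE_HOST = 2   # host or other entity key


@dataclass(frozen=True)
class KeyRR:
    owner: str   # owner name of the KEY RR
    flags: int   # 16-bit KEY RR flags field

    @property
    def name_type(self) -> int:
        # bits 6-7 of a 16-bit field numbered from the most significant bit
        return (self.flags >> 8) & 0x3

    @property
    def signatory(self) -> int:
        # bits 12-15: the four-bit signatory field
        return self.flags & 0xF


def zone_implements_updates(zone: str, keys: Iterable[KeyRR]) -> bool:
    """True if a zone KEY RR for `zone` has a non-zero signatory field."""
    return any(k.owner == zone and k.name_type == NAME_TYPE_ZONE and k.signatory != 0
               for k in keys)


def update_authorizing_keys(keys: Iterable[KeyRR]) -> List[KeyRR]:
    """User or entity KEY RRs whose signatory field is non-zero."""
    return [k for k in keys
            if k.name_type in (NAME_TYPE_USER, NAME_TYPE_HOST) and k.signatory != 0]


def is_dynamic_secure_zone(zone: str, keys: Iterable[KeyRR]) -> bool:
    """Both conditions from section 2 must hold."""
    keys = list(keys)
    return zone_implements_updates(zone, keys) and bool(update_authorizing_keys(keys))


# Constructed KEY RRs. Flags: name type in bits 6-7 (0x0100 = zone, 0x0200 = host),
# signatory nibble in the low four bits.
DYNAMIC_ZONE = [
    KeyRR("example.test", 0x0101),        # zone key, signatory non-zero
    KeyRR("host1.example.test", 0x0201),  # entity key, signatory non-zero
]
STATIC_ZONE = [
    KeyRR("example.test", 0x0100),        # zone key, signatory zero: no updates
    KeyRR("host1.example.test", 0x0201),  # entity key alone is not enough
]
NO_AUTHORIZING_KEYS = [
    KeyRR("example.test", 0x0101),
    KeyRR("host1.example.test", 0x0200),  # entity key with signatory zero
]

if __name__ == "__main__":
    for label, rrs in (("dynamic", DYNAMIC_ZONE), ("static", STATIC_ZONE),
                       ("no authorizing keys", NO_AUTHORIZING_KEYS)):
        print(f"{label}: {is_dynamic_secure_zone('example.test', rrs)}")
```

The second and third constructed sets show that neither condition alone suffices: a zone key that implements updates with no key able to authorize them, or an authorizing key in a zone whose key says updates are not implemented, is not a dynamic secure zone.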
Eastlake Standards Track