RFC 2536                  DSA in the DNS                    March 1999

This document describes how to store US Government Digital Signature Algorithm (DSA) keys and signatures in the DNS. Familiarity with the US Digital Signature Algorithm is assumed [Schneier]. Implementation of DSA is mandatory for DNS security.

2. DSA KEY Resource Records

DSA public keys are stored in the DNS as KEY RRs using algorithm number 3 [RFC 2535]. The structure of the algorithm-specific portion of the RDATA part of this RR is as shown below. These fields, from Q through Y, are the "public key" part of the DSA KEY RR. The period of key validity is not in the KEY RR but is indicated by the SIG RR(s) which sign and authenticate the KEY RR(s) at that domain name.

              Field     Size
              -----     ----
              T         1  octet
              Q         20  octets
              P         64 + T*8  octets
              G         64 + T*8  octets
              Y         64 + T*8  octets

As described in [FIPS 186] and [Schneier]: T is a key size parameter chosen such that 0
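The following is an added worked example, not text or code from RFC 2536 or from any DNS implementation: a parser and serializer for the algorithm-specific (public key) portion of a DSA KEY RR laid out above. It assumes the bound 0 <= T <= 8 from FIPS 186 / RFC 2536, which the excerpt above cuts off, and it adds the standard DSA public-key validation checks (P of 512 + 64*T bits, Q of 160 bits, G and Y inside the order-Q subgroup) that the RFC text above does not spell out. The sample key is constructed by a seeded toy parameter generator and is test data only, not a key anyone should publish; DSA/SHA-1 (algorithm 3) was later deprecated for DNSSEC by RFC 8624, so this is format handling for legacy records.

```python
"""Parse, validate and build the public-key part of a DSA KEY RR (RFC 2536,
DNS algorithm 3): T (1) | Q (20) | P | G | Y, with P, G, Y each 64 + T*8 octets."""
import random
from dataclasses import dataclass

Q_LEN = 20
T_MAX = 8   # bound 0 <= T <= 8 is from FIPS 186 / RFC 2536; the excerpt above cuts it off


@dataclass(frozen=True)
class DsaPublicKey:
    t: int
    q: int
    p: int
    g: int
    y: int


def field_len(t: int) -> int:
    """Octet length of P, G and Y for a given T; rejects T outside 0..8."""
    if not 0 <= t <= T_MAX:
        raise ValueError(f"T={t} outside 0..{T_MAX}")
    return 64 + t * 8


def build_dsa_key_rdata(key: DsaPublicKey) -> bytes:
    """Serialize the public key exactly as the RFC 2536 table lays it out."""
    n = field_len(key.t)
    return (bytes([key.t]) + key.q.to_bytes(Q_LEN, "big") + key.p.to_bytes(n, "big")
            + key.g.to_bytes(n, "big") + key.y.to_bytes(n, "big"))


def parse_dsa_key_rdata(rdata: bytes) -> DsaPublicKey:
    """Parse and validate; ValueError on anything malformed. The total length is
    fixed by T, so truncated or padded RDATA is rejected before any field is read.
    The arithmetic checks are standard DSA key validation added here (FIPS 186 sizes,
    subgroup membership); the RFC text above does not spell them out."""
    t = rdata[0] if rdata else -1            # empty input fails the T range check
    n = field_len(t)
    expected = 1 + Q_LEN + 3 * n
    if len(rdata) != expected:
        raise ValueError(f"T={t} implies {expected} octets, got {len(rdata)}")
    q = int.from_bytes(rdata[1:1 + Q_LEN], "big")
    p = int.from_bytes(rdata[1 + Q_LEN:1 + Q_LEN + n], "big")
    g = int.from_bytes(rdata[1 + Q_LEN + n:1 + Q_LEN + 2 * n], "big")
    y = int.from_bytes(rdata[1 + Q_LEN + 2 * n:], "big")
    if q.bit_length() != 160 or p.bit_length() != 512 + 64 * t:
        raise ValueError("P or Q is not the size FIPS 186 requires for this T")
    if not (1 < g < p and 1 < y < p):
        raise ValueError("G and Y must lie strictly between 1 and P")
    if pow(g, q, p) != 1 or pow(y, q, p) != 1:
        raise ValueError("G or Y is outside the order-Q subgroup")
    return DsaPublicKey(t, q, p, g, y)


def rdata_is_valid(rdata: bytes) -> bool:
    try:
        parse_dsa_key_rdata(rdata)
        return True
    except ValueError:
        return False


# Constructed sample input: a toy key from seeded randomness, usable as test data only.
def _is_probable_prime(n: int, rng: random.Random, rounds: int = 32) -> bool:
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    r = ((n - 1) & (1 - n)).bit_length() - 1     # n - 1 = d * 2^r with d odd
    d = (n - 1) >> r
    for _ in range(rounds):                       # Miller-Rabin
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def toy_dsa_public_key(t: int, seed: int = 1) -> DsaPublicKey:
    """Deterministic FIPS-186-shaped parameters for the given T (not for real use)."""
    rng = random.Random(seed)
    bits = 512 + 64 * t
    while True:
        q = rng.getrandbits(160) | (1 << 159) | 1
        if _is_probable_prime(q, rng):
            break
    while True:                                   # P = Q*k + 1 with k even, so P is odd
        k = (rng.getrandbits(bits - 160) | (1 << (bits - 161))) & -2
        p = q * k + 1
        if p.bit_length() == bits and _is_probable_prime(p, rng):
            break
    while True:
        g = pow(rng.randrange(2, p - 1), (p - 1) // q, p)
        if g != 1:
            break
    x = rng.randrange(1, q)                       # private value, never stored in DNS
    return DsaPublicKey(t, q, p, g, pow(g, x, p))
```

Two practitioner notes. First, the bytes produced here are only the public-key tail of the KEY RDATA; in the RFC 2535 wire format they follow the flags, protocol and algorithm octets, and in presentation format they appear base64-encoded. Second, a record passing every check above is still only a well-formed key: as the text says, whether it is currently valid is decided by the SIG RR(s) covering the KEY RRset at that name, not by anything inside the KEY RR itself.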