RFC 2540 (rfc2540) - Page 2 of 6


Detached Domain Name System (DNS) Information



Alternative Format: Original Text Document



RFC 2540                Detached DNS Information              March 1999


   the DNS and to enable the authentication of information retrieved
   from the DNS though digital signatures.

   The DNS was not originally designed for storage of information
   outside of the active zones and authoritative master files that are
   part of the connected DNS.  However there may be cases where this is
   useful, particularly in connection with archived security
   information.

2. General Format

   The formats used for detached Domain Name System (DNS) information
   are similar to those used for connected DNS information. The primary
   difference is that elements of the connected DNS system (unless they
   are an authoritative server for the zone containing the information)
   are required to count down the Time To Live (TTL) associated with
   each DNS Resource Record (RR) and discard them (possibly fetching a
   fresh copy) when the TTL reaches zero.  In contrast to this, detached
   information may be stored in a off-line file, where it can not be
   updated, and perhaps used to authenticate historic data or it might
   be received via non-DNS protocols long after it was retrieved from
   the DNS.  Therefore, it is not practical to count down detached DNS
   information TTL and it may be necessary to keep the data beyond the
   point where the TTL (which is defined as an unsigned field) would
   underflow.  To preserve information as to the freshness of this
   detached data, it is accompanied by its retrieval time.

   Whatever retrieves the information from the DNS must associate this
   retrieval time with it.  The retrieval time remains fixed thereafter.
   When the current time minus the retrieval time exceeds the TTL for
   any particular detached RR, it is no longer a valid copy within the
   normal connected DNS scheme.  This may make it invalid in context for
   some detached purposes as well.  If the RR is a SIG (signature) RR it
   also has an expiration time.  Regardless of the TTL, it and any RRs
   it signs can not be considered authenticated after the signature
   expiration time.















Eastlake                      Experimental