
Domain Name System Security (DNSSEC) Signing Authority





RFC 3008                DNSSEC Signing Authority           November 2000


2 - The SIG Record

   A SIG record is normally associated with an RRset, and "covers" (that
   is, demonstrates the authenticity and integrity of) the RRset.  This
   is referred to as a "data SIG".  Note that there can be multiple SIG
   records covering an RRset, and the same validation process should be
   repeated for each of them.  Some data SIGs are considered "material",
   that is, relevant to a DNSSEC capable resolver, and some are
   "immaterial" or "extra-DNSSEC", as they are not relevant to DNSSEC
   validation.  Immaterial SIGs may have application defined roles.  SIG
   records may exist which are not bound to any RRset; these are also
   considered immaterial.  The validation process determines which SIGs
   are material; once a SIG is shown to be immaterial, no other
   validation is necessary.

   SIGs may also be used for transaction security.  In this case, a SIG
   record with a type covered field of 0 is attached to a message, and
   is used to protect message integrity.  This is referred to as a
   SIG(0) [RFC 2535, RFC 2931].

   The following sections define requirements for all of the fields of a
   SIG record.  These requirements MUST be met in order for a DNSSEC
   capable resolver to process this signature.  If any of these
   requirements are not met, the SIG cannot be further processed.
   Additionally, once a KEY has been identified as having generated this
   SIG, there are requirements that it MUST meet.

2.1 - Type Covered

   For a data SIG, the type covered MUST be the same as the type of data
   in the associated RRset.  For a SIG(0), the type covered MUST be 0.

2.2 - Algorithm Number

   The algorithm specified in a SIG MUST be recognized by the client,
   and it MUST be an algorithm that has a defined SIG rdata format.

2.3 - Labels

   The labels count MUST be less than or equal to the number of labels
   in the SIG owner name, as specified in [RFC 2535, section 4.1.3].

2.4 - Original TTL

   The original TTL MUST be greater than or equal to the TTL of the SIG
   record itself, since the TTL cannot be increased by intermediate
   servers.  This field can be ignored for SIG(0) records.
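   A checker for the field requirements of sections 2.1 through 2.4, added
   here as an example and not text or code from the RFC; the SigRecord
   structure, the sample records, and the set of algorithms the resolver is
   assumed to recognize are assumptions of this example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Assumed for this example: algorithm numbers the resolver recognizes AND
# that have a defined SIG rdata format (RFC 2535: 1 = RSA/MD5, 3 = DSA).
# Algorithm 2 (Diffie-Hellman) is a key-agreement algorithm with no
# signature format, so it is deliberately absent.
RECOGNIZED_ALGORITHMS = {1, 3}


@dataclass
class SigRecord:           # hypothetical in-memory view of a SIG RR
    owner: str             # SIG owner name, e.g. "www.example.com."
    ttl: int               # TTL of the SIG RR itself
    type_covered: int      # 0 for SIG(0), else the covered RRset's type code
    algorithm: int
    labels: int
    original_ttl: int


def count_labels(name: str) -> int:
    """Number of labels in a domain name, not counting the root label."""
    return len([label for label in name.rstrip(".").split(".") if label])


def check_sig_fields(sig: SigRecord, rrset_type: Optional[int] = None) -> List[str]:
    """Return the violated requirements; an empty list means the SIG may be
    processed further.  rrset_type is the type of the associated RRset for a
    data SIG and None for a SIG(0) attached to a message."""
    problems = []
    is_sig0 = sig.type_covered == 0
    # 2.1: a data SIG must cover exactly the type of its RRset.
    if not is_sig0 and sig.type_covered != rrset_type:
        problems.append("2.1: type covered does not match the RRset type")
    # 2.2: the algorithm must be recognized and have a SIG rdata format.
    if sig.algorithm not in RECOGNIZED_ALGORITHMS:
        problems.append("2.2: algorithm not recognized / no SIG rdata format")
    # 2.3: labels count may not exceed the labels in the owner name.
    if sig.labels > count_labels(sig.owner):
        problems.append("2.3: labels count exceeds labels in owner name")
    # 2.4: original TTL >= SIG TTL, because TTLs only shrink in transit;
    #      the field is ignored for SIG(0).
    if not is_sig0 and sig.original_ttl < sig.ttl:
        problems.append("2.4: original TTL is less than the SIG TTL")
    return problems


# Constructed sample: a SIG covering an A RRset (type 1) at a 3-label name.
GOOD_DATA_SIG = SigRecord("www.example.com.", 3600, 1, 1, 3, 3600)
```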




Wellington                  Standards Track