RFC 3445 (rfc3445) - Page 2 of 10

Limiting the Scope of the KEY Resource Record (RR)

RFC 3445         Limiting the KEY Resource Record (RR)     December 2002


   Section 2 presents the motivation for restricting the KEY record and
   Section 3 defines the revised KEY RR.  Sections 4 and 5 summarize the
   changes from RFC 2535 and discuss backwards compatibility.  It is
   important to note that this document restricts the use of the KEY RR
   and simplifies the flags, but does not change the definition or use
   of DNSSEC keys.

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [1].

2. Motivation for Restricting the KEY RR

   The KEY RR RDATA [3] consists of Flags, a Protocol Octet, an
   Algorithm type, and a Public Key.  The Protocol Octet identifies the
   KEY RR sub-type.  DNSSEC public keys are stored in the KEY RR using a
   Protocol Octet value of 3.  Email, IPSEC, and TLS keys were also
   stored in the KEY RR and used Protocol Octet values of 1,2, and 4
   (respectively).  Protocol Octet values 5-254 were available for
   assignment by IANA and values were requested (but not assigned) for
   applications such as SSH.

   Any use of sub-typing has inherent limitations.  A resolver can not
   specify the desired sub-type in a DNS query and most DNS operations
   apply only to resource records sets.  For example, a resolver can not
   directly request the DNSSEC subtype KEY RRs.  Instead, the resolver
   has to request all KEY RRs associated with a DNS name and then search
   the set for the desired DNSSEC sub-type.  DNSSEC signatures also
   apply to the set of all KEY RRs associated with the DNS name,
   regardless of sub-type.

   In the case of the KEY RR, the inherent sub-type limitations are
   exacerbated since the sub-type is used to distinguish between DNSSEC
   keys and application keys.  DNSSEC keys and application keys differ
   in virtually every respect and Section 2.1 discusses these
   differences in more detail.  Combining these very different types of
   keys into a single sub-typed resource record adds unnecessary
   complexity and increases the potential for implementation and
   deployment errors.  Limited experimental deployment has shown that
   application keys stored in KEY RRs are problematic.

   This document addresses these issues by removing all application keys
   from the KEY RR.  Note that the scope of this document is strictly
   limited to the KEY RR and this document does not endorse or restrict
   the storage of application keys in other, yet undefined, resource
   records.





Massey & Rose               Standards Track