RFC 3645 (rfc3645) - Page 2 of 26

Generic Security Service Algorithm for Secret Key Transaction Authentication for DNS (GSS-TSIG)

Alternative Format: Original Text Document
< Previous
Next >
RFC 3645                        GSS-TSIG                    October 2003


Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  2
   2.  Algorithm Overview . . . . . . . . . . . . . . . . . . . . . .  3
       2.1.  GSS Details. . . . . . . . . . . . . . . . . . . . . . .  4
       2.2.  Modifications to the TSIG protocol (RFC 2845). . . . . .  4
   3.  Client Protocol Details. . . . . . . . . . . . . . . . . . . .  5
       3.1.  Negotiating Context. . . . . . . . . . . . . . . . . . .  5
           3.1.1.  Call GSS_Init_sec_context. . . . . . . . . . . . .  6
           3.1.2.  Send TKEY Query to Server. . . . . . . . . . . . .  8
           3.1.3.  Receive TKEY Query-Response from Server. . . . . .  8
       3.2.  Context Established. . . . . . . . . . . . . . . . . . . 11
           3.2.1.  Terminating a Context. . . . . . . . . . . . . . . 11
   4.  Server Protocol Details. . . . . . . . . . . . . . . . . . . . 12
       4.1.  Negotiating Context. . . . . . . . . . . . . . . . . . . 12
           4.1.1.  Receive TKEY Query from Client . . . . . . . . . . 12
           4.1.2.  Call GSS_Accept_sec_context. . . . . . . . . . . . 12
           4.1.3.  Send TKEY Query-Response to Client . . . . . . . . 13
       4.2.  Context Established. . . . . . . . . . . . . . . . . . . 15
           4.2.1.  Terminating a Context. . . . . . . . . . . . . . . 15
   5.  Sending and Verifying Signed Messages. . . . . . . . . . . . . 15
       5.1.  Sending a Signed Message - Call GSS_GetMIC . . . . . . . 15
       5.2.  Verifying a Signed Message - Call GSS_VerifyMIC. . . . . 16
   6.  Example usage of GSS-TSIG algorithm. . . . . . . . . . . . . . 18
   7.  Security Considerations. . . . . . . . . . . . . . . . . . . . 22
   8.  IANA Considerations. . . . . . . . . . . . . . . . . . . . . . 22
   9.  Conformance. . . . . . . . . . . . . . . . . . . . . . . . . . 22
   10. Intellectual Property Statement. . . . . . . . . . . . . . . . 23
   11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 23
   12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 24
       12.1.  Normative References. . . . . . . . . . . . . . . . . . 24
       12.2.  Informative References. . . . . . . . . . . . . . . . . 24
   13. Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 25
   14. Full Copyright Statement . . . . . . . . . . . . . . . . . . . 26

1.  Introduction

   The Secret Key Transaction Authentication for DNS (TSIG) [RFC 2845]
   protocol was developed to provide a lightweight authentication and
   integrity of messages between two DNS entities, such as client and
   server or server and server.  TSIG can be used to protect dynamic
   update messages, authenticate regular message or to off-load
   complicated DNSSEC [RFC 2535] processing from a client to a server and
   still allow the client to be assured of the integrity of the answers.







Kwan, et al.                Standards Track
< Previous
Next >