RFC 2540 (rfc2540) - Page 2 of 6
Detached Domain Name System (DNS) Information
Alternative Format: Original Text Document
RFC 2540 Detached DNS Information March 1999
the DNS and to enable the authentication of information retrieved
from the DNS though digital signatures.
The DNS was not originally designed for storage of information
outside of the active zones and authoritative master files that are
part of the connected DNS. However there may be cases where this is
useful, particularly in connection with archived security
information.
2. General Format
The formats used for detached Domain Name System (DNS) information
are similar to those used for connected DNS information. The primary
difference is that elements of the connected DNS system (unless they
are an authoritative server for the zone containing the information)
are required to count down the Time To Live (TTL) associated with
each DNS Resource Record (RR) and discard them (possibly fetching a
fresh copy) when the TTL reaches zero. In contrast to this, detached
information may be stored in a off-line file, where it can not be
updated, and perhaps used to authenticate historic data or it might
be received via non-DNS protocols long after it was retrieved from
the DNS. Therefore, it is not practical to count down detached DNS
information TTL and it may be necessary to keep the data beyond the
point where the TTL (which is defined as an unsigned field) would
underflow. To preserve information as to the freshness of this
detached data, it is accompanied by its retrieval time.
Whatever retrieves the information from the DNS must associate this
retrieval time with it. The retrieval time remains fixed thereafter.
When the current time minus the retrieval time exceeds the TTL for
any particular detached RR, it is no longer a valid copy within the
normal connected DNS scheme. This may make it invalid in context for
some detached purposes as well. If the RR is a SIG (signature) RR it
also has an expiration time. Regardless of the TTL, it and any RRs
it signs can not be considered authenticated after the signature
expiration time.
Eastlake Experimental