Network Working Group                                     D. Eastlake, 3rd
Request for Comments: 2065                                      CyberCash
Updates: 1034, 1035                                            C. Kaufman
Category: Standards Track                                            Iris
                                                             January 1997

                  Domain Name System Security Extensions

Status of this Memo

This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.

Abstract

The Domain Name System (DNS) has become a critical operational part
of the Internet infrastructure yet it has no strong security
mechanisms to assure data integrity or authentication. Extensions to
the DNS are described that provide these services to security aware
resolvers or applications through the use of cryptographic digital
signatures. These digital signatures are included in secured zones
as resource records. Security can still be provided even through
non-security aware DNS servers in many cases.
The extensions also provide for the storage of authenticated public
keys in the DNS. This storage of keys can support general public key
distribution service as well as DNS security. The stored keys enable
security aware resolvers to learn the authenticating key of zones in
addition to those for which they are initially configured. Keys
associated with DNS names can be retrieved to support other
protocols. Provision is made for a variety of key types and
algorithms.
In addition, the security extensions provide for the optional
authentication of DNS protocol transactions.
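The chain of trust the abstract sketches, as an added example that is not part of the RFC: a resolver configured with one zone's key verifies a child zone's KEY record signed by the parent, learns that key, and can then validate records the child signed, rejecting a record whose data was altered. This is a simplified model using Ed25519 and a text canonical form, not the RFC's SIG/KEY wire format; the zone names and the A record are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// RR is a simplified resource record: owner name, type and RDATA.
type RR struct{ Name, Type, Data string }

// canon serialises an RRset so signer and verifier sign identical bytes; RRs
// must be supplied in a fixed order (the RFC's binary canonical form sorts them).
func canon(rrs []RR) (b []byte) {
	for _, r := range rrs {
		b = append(b, r.Name+"|"+r.Type+"|"+r.Data+"\n"...)
	}
	return b
}

// Resolver trusts only its configured zone keys until it learns more from signed KEY RRs.
type Resolver struct{ trusted map[string]ed25519.PublicKey }

// Verify checks a signature (standing in for a SIG RR) against the zone's trusted key.
func (r *Resolver) Verify(zone string, rrs []RR, sig []byte) bool {
	pub, ok := r.trusted[zone]
	return ok && ed25519.Verify(pub, canon(rrs), sig)
}

// LearnKey accepts a child zone's KEY RR only when the parent zone signed it,
// extending the chain of trust from a configured key to a new zone.
func (r *Resolver) LearnKey(parent, child string, key RR, sig []byte) bool {
	pub := ed25519.PublicKey(key.Data) // Data holds raw key bytes in this model
	if len(pub) != ed25519.PublicKeySize || key.Type != "KEY" || key.Name != child || !r.Verify(parent, []RR{key}, sig) {
		return false
	}
	r.trusted[child] = pub
	return true
}

// Demo: "example." signs sub.example.'s KEY; the resolver validates a record in
// sub.example. only after learning that key, and rejects an altered record.
func Demo() (before, learned, after, tampered bool) {
	parentPub, parentPriv, _ := ed25519.GenerateKey(rand.Reader)
	childPub, childPriv, _ := ed25519.GenerateKey(rand.Reader)
	res := &Resolver{trusted: map[string]ed25519.PublicKey{"example.": parentPub}}
	keyRR := RR{"sub.example.", "KEY", string(childPub)}
	aRR := []RR{{"host.sub.example.", "A", "192.0.2.1"}} // constructed sample record
	aSig := ed25519.Sign(childPriv, canon(aRR))
	before = res.Verify("sub.example.", aRR, aSig) // no key for sub.example. yet
	learned = res.LearnKey("example.", "sub.example.", keyRR, ed25519.Sign(parentPriv, canon([]RR{keyRR})))
	after = res.Verify("sub.example.", aRR, aSig)
	tampered = res.Verify("sub.example.", []RR{{"host.sub.example.", "A", "198.51.100.9"}}, aSig)
	return
}
```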
Eastlake & Kaufman Standards Track