RFC 2230 (rfc2230) - Page 1 of 11
Key Exchange Delegation Record for the DNS
Alternative Format: Original Text Document
Network Working Group R. Atkinson
Request for Comments: 2230 NRL
Category: Informational November 1997
Key Exchange Delegation Record for the DNS
Status of this Memo
This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (1997). All Rights Reserved.
ABSTRACT
This note describes a mechanism whereby authorisation for one node to
act as key exchanger for a second node is delegated and made
available via the Secure DNS. This mechanism is intended to be used
only with the Secure DNS. It can be used with several security
services. For example, a system seeking to use IP Security [RFC-
1825, RFC-1826, RFC-1827] to protect IP packets for a given
destination can use this mechanism to determine the set of authorised
remote key exchanger systems for that destination.
1. INTRODUCTION
The Domain Name System (DNS) is the standard way that Internet nodes
locate information about addresses, mail exchangers, and other data
relating to remote Internet nodes. [RFC-1035, RFC-1034] More
recently, Eastlake and Kaufman have defined standards-track security
extensions to the DNS. [RFC-2065] These security extensions can be
used to authenticate signed DNS data records and can also be used to
store signed public keys in the DNS.
The KX record is useful in providing an authenticatible method of
delegating authorisation for one node to provide key exchange
services on behalf of one or more, possibly different, nodes. This
note specifies the syntax and semantics of the KX record, which is
currently in limited deployment in certain IP-based networks. The
Atkinson Informational