Network Working Group                                        D. Eastlake
Request for Comments: 2535                                           IBM
Obsoletes: 2065                                               March 1999
Updates: 2181, 1035, 1034
Category: Standards Track
Domain Name System Security Extensions
Status of this Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (1999). All Rights Reserved.
Abstract
Extensions to the Domain Name System (DNS) are described that provide
data integrity and authentication to security aware resolvers and
applications through the use of cryptographic digital signatures.
These digital signatures are included in secured zones as resource
records. Security can also be provided through non-security aware
DNS servers in some cases.
The extensions provide for the storage of authenticated public keys
in the DNS. This storage of keys can support general public key
distribution services as well as DNS security. The stored keys
enable security aware resolvers to learn the authenticating key of
zones in addition to those for which they are initially configured.
Keys associated with DNS names can be retrieved to support other
protocols. Provision is made for a variety of key types and
algorithms.
In addition, the security extensions provide for the optional
authentication of DNS protocol transactions and requests.
This document incorporates feedback on RFC 2065 from early
implementers and potential users.
Eastlake Standards Track