RFC 2538 (rfc2538) - Page 2 of 10


Storing Certificates in the Domain Name System (DNS)



Alternative Format: Original Text Document



RFC 2538            Storing Certificates in the DNS           March 1999


1. Introduction

   Public keys are frequently published in the form of a certificate and
   their authenticity is commonly demonstrated by certificates and
   related certificate revocation lists (CRLs).  A certificate is a
   binding, through a cryptographic digital signature, of a public key,
   a validity interval and/or conditions, and identity, authorization,
   or other information. A certificate revocation list is a list of
   certificates that are revoked, and incidental information, all signed
   by the signer (issuer) of the revoked certificates. Examples are
   X.509 certificates/CRLs in the X.500 directory system or PGP
   certificates/revocations used by PGP software.

   Section 2 below specifies a CERT resource record (RR) for the storage
   of certificates in the Domain Name System.

   Section 3 discusses appropriate owner names for CERT RRs.

   Sections 4, 5, and 6 below cover performance, IANA, and security
   considerations, respectively.

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC 2119].

2. The CERT Resource Record

   The CERT resource record (RR) has the structure given below.  Its RR
   type code is 37.

                         1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |             type              |             key tag           |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |   algorithm   |                                               /
    +---------------+            certificate or CRL                 /
    /                                                               /
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-|

   The type field is the certificate type as define in section 2.1
   below.

   The algorithm field has the same meaning as the algorithm field in
   KEY and SIG RRs [RFC 2535] except that a zero algorithm field
   indicates the algorithm is unknown to a secure DNS, which may simply
   be the result of the algorithm not having been standardized for
   secure DNS.



Eastlake & Gudmundsson      Standards Track