RFC 3445 (rfc3445) - Page 2 of 10
Limiting the Scope of the KEY Resource Record (RR)
Alternative Format: Original Text Document
RFC 3445 Limiting the KEY Resource Record (RR) December 2002
Section 2 presents the motivation for restricting the KEY record and
Section 3 defines the revised KEY RR. Sections 4 and 5 summarize the
changes from RFC 2535 and discuss backwards compatibility. It is
important to note that this document restricts the use of the KEY RR
and simplifies the flags, but does not change the definition or use
of DNSSEC keys.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [1].
2. Motivation for Restricting the KEY RR
The KEY RR RDATA [3] consists of Flags, a Protocol Octet, an
Algorithm type, and a Public Key. The Protocol Octet identifies the
KEY RR sub-type. DNSSEC public keys are stored in the KEY RR using a
Protocol Octet value of 3. Email, IPSEC, and TLS keys were also
stored in the KEY RR and used Protocol Octet values of 1,2, and 4
(respectively). Protocol Octet values 5-254 were available for
assignment by IANA and values were requested (but not assigned) for
applications such as SSH.
Any use of sub-typing has inherent limitations. A resolver can not
specify the desired sub-type in a DNS query and most DNS operations
apply only to resource records sets. For example, a resolver can not
directly request the DNSSEC subtype KEY RRs. Instead, the resolver
has to request all KEY RRs associated with a DNS name and then search
the set for the desired DNSSEC sub-type. DNSSEC signatures also
apply to the set of all KEY RRs associated with the DNS name,
regardless of sub-type.
In the case of the KEY RR, the inherent sub-type limitations are
exacerbated since the sub-type is used to distinguish between DNSSEC
keys and application keys. DNSSEC keys and application keys differ
in virtually every respect and Section 2.1 discusses these
differences in more detail. Combining these very different types of
keys into a single sub-typed resource record adds unnecessary
complexity and increases the potential for implementation and
deployment errors. Limited experimental deployment has shown that
application keys stored in KEY RRs are problematic.
This document addresses these issues by removing all application keys
from the KEY RR. Note that the scope of this document is strictly
limited to the KEY RR and this document does not endorse or restrict
the storage of application keys in other, yet undefined, resource
records.
Massey & Rose Standards Track