DNSSEC Protocol Related RFCs (DNSSEC, DNS Security Extensions)

Internet Systems Consortium (ISC) is excited to announce a new DNSSEC Training.

The ISC DNSSEC Technical Workshop covers DNSSEC Implementation and Deployment.

Complete international training schedule is available here. On-site trainings are also possible.

DNSSEC Protocol RFC (IETF)

Related Reading

Note: Core DNSSEC RFCs are RFC 4033, RFC 4034, and RFC 4035 (old DNSSEC RFC 2535 is now obsolete).

RFC 6014	Cryptographic Algorithm Identifier Allocation for DNSSEC
	Show complete RFC 6014 (Nov 2010) Show all RFCs that refer to RFC 6014 This document specifies how DNSSEC cryptographic algorithm identifiers in the IANA registries are allocated. It changes the requirement from "standard required" to "RFC Required". It does not change the list of algorithms that are recommended or required for DNSSEC implementations.

RFC 5933	Use of GOST Signature Algorithms in DNSKEY and RRSIG Resource Records for DNSSEC
	Show complete RFC 5933 (Jul 2010) Show all RFCs that refer to RFC 5933 This document describes how to produce digital signatures and hash functions using the GOST R 34.10-2001 and GOST R 34.11-94 algorithms for DNSKEY, RRSIG, and DS resource records, for use in the Domain Name System Security Extensions (DNSSEC).

RFC 5910

Domain Name System (DNS) Security Extensions Mapping for the Extensible Provisioning Protocol (EPP)

Show complete RFC 5910 (May 2010)

Show all RFCs that refer to RFC 5910

This document describes an Extensible Provisioning Protocol (EPP) extension mapping for the provisioning and management of Domain Name System security (DNSSEC) extensions for domain names stored in a shared central repository. Specified in XML, this mapping extends the EPP domain name mapping to provide additional features required for the provisioning of DNS security extensions. This document obsoletes RFC 4310.

RFC 5702	Use of SHA-2 Algorithms with RSA in DNSKEY and RRSIG Resource Records for DNSSEC
	Show complete RFC 5702 (Oct 2009) Show all RFCs that refer to RFC 5702 This document describes how to produce RSA/SHA-256 and RSA/SHA-512 DNSKEY and RRSIG resource records for use in the Domain Name System Security Extensions (RFC 4033, RFC 4034, and RFC 4035).

RFC 5155

DNS Security (DNSSEC) Hashed Authenticated Denial of Existence

Show complete RFC 5155 (Mar 2008)

Show all RFCs that refer to RFC 5155

The Domain Name System Security (DNSSEC) Extensions introduced the NSEC resource record (RR) for authenticated denial of existence. This document introduces an alternative resource record, NSEC3, which similarly provides authenticated denial of existence. However, it also provides measures against zone enumeration and permits gradual expansion of delegation-centric zones.

RFC 5074	DNSSEC Lookaside Validation (DLV)
	Show complete RFC 5074 (Nov 2007) Show all RFCs that refer to RFC 5074 DNSSEC Lookaside Validation (DLV) is a mechanism for publishing DNS Security (DNSSEC) trust anchors outside of the DNS delegation chain. It allows validating resolvers to validate DNSSEC-signed data from zones whose ancestors either aren't signed or don't publish Delegation Signer (DS) records for their children.

RFC 5011

Automated Updates of DNS Security (DNSSEC) Trust Anchors

Show complete RFC 5011 (Sep 2007)

Show all RFCs that refer to RFC 5011

This document describes a means for automated, authenticated, and authorized updating of DNSSEC "trust anchors". The method provides protection against N-1 key compromises of N keys in the trust point key set. Based on the trust established by the presence of a current anchor, other anchors may be added at the same place in the hierarchy, and, ultimately, supplant the existing anchor(s).

RFC 4986

Show complete RFC 4986 (Aug 2007)

Show all RFCs that refer to RFC 4986

Every DNS security-aware resolver must have at least one Trust Anchor to use as the basis for validating responses from DNS signed zones. For various reasons, most DNS security-aware resolvers are expected to have several Trust Anchors. For some operations, manual monitoring and updating of Trust Anchors may be feasible, but many operations will require automated methods for updating Trust Anchors in their security-aware resolvers. This document identifies the requirements that must be met by an automated DNS Trust Anchor rollover solution for security-aware DNS resolvers.

RFC 4956

DNS Security (DNSSEC) Opt-In

Show complete RFC 4956 (Jul 2007)

Show all RFCs that refer to RFC 4956

In the DNS security (DNSSEC) extensions, delegations to unsigned subzones are cryptographically secured. Maintaining this cryptography is not always practical or necessary. This document describes an experimental "Opt-In" model that allows administrators to omit this cryptography and manage the cost of adopting DNSSEC with large zones.

RFC 4955	DNS Security (DNSSEC) Experiments
	Show complete RFC 4955 (Jul 2007) Show all RFCs that refer to RFC 4955 This document describes a methodology for deploying alternate, non-backwards-compatible, DNS Security (DNSSEC) methodologies in an experimental fashion without disrupting the deployment of standard DNSSEC.

RFC 4641

DNSSEC Operational Practices

Show complete RFC 4641 (Sep 2006)

Show all RFCs that refer to RFC 4641

This document describes a set of practices for operating the DNS with security extensions (DNSSEC). The target audience is zone administrators deploying DNSSEC. The document discusses operational aspects of using keys and signatures in the DNS. It discusses issues of key generation, key storage, signature generation, key rollover, and related policies. This document obsoletes RFC 2541, as it covers more operational ground and gives more up-to-date requirements with respect to key sizes and the new DNSSEC specification.

RFC 4635

HMAC SHA TSIG Algorithm Identifiers

Show complete RFC 4635 (Aug 2006)

Show all RFCs that refer to RFC 4635

Use of the Domain Name System TSIG resource record requires specification of a cryptographic message authentication code. Currently, identifiers have been specified only for HMAC MD5 (Hashed Message Authentication Code, Message Digest 5) and GSS (Generic Security Service) TSIG algorithms. This document standardizes identifiers and implementation requirements for additional HMAC SHA (Secure Hash Algorithm) TSIG algorithms and standardizes how to specify and handle the truncation of HMAC values in TSIG.

RFC 4509	Use of SHA-256 in DNSSEC Delegation Signer (DS) Resource Records (RRs)
	Show complete RFC 4509 (May 2006) Show all RFCs that refer to RFC 4509 This document specifies how to use the SHA-256 digest type in DNS Delegation Signer (DS) Resource Records (RRs). DS records, when stored in a parent zone, point to DNSKEYs in a child zone.

RFC 4471

Derivation of DNS Name Predecessor and Successor

Show complete RFC 4471 (Sep 2006)

Show all RFCs that refer to RFC 4471

This document describes two methods for deriving the canonically-ordered predecessor and successor of a DNS name. These methods may be used for dynamic NSEC resource record synthesis, enabling security-aware name servers to provide authenticated denial of existence without disclosing other owner names in a DNSSEC secured zone.

RFC 4470

Minimally Covering NSEC Records and DNSSEC On-line Signing

Show complete RFC 4470 (Apr 2006)

Show all RFCs that refer to RFC 4470

This document describes how to construct DNSSEC NSEC resource records that cover a smaller range of names than called for by RFC 4034. By generating and signing these records on demand, authoritative name servers can effectively stop the disclosure of zone contents otherwise made possible by walking the chain of NSEC records in a signed zone.

RFC 4431	The DNSSEC Lookaside Validation (DLV) DNS Resource Record
	Show complete RFC 4431 (Feb 2006) Show all RFCs that refer to RFC 4431 This document defines a new DNS resource record, called the DNSSEC Lookaside Validation (DLV) RR, for publishing DNSSEC trust anchors outside of the DNS delegation chain.

RFC 4398	Storing Certificates in the Domain Name System (DNS)
	Show complete RFC 4398 (Mar 2006) Show all RFCs that refer to RFC 4398 Cryptographic public keys are frequently published, and their authenticity is demonstrated by certificates. A CERT resource record (RR) is defined so that such certificates and related certificate revocation lists can be stored in the Domain Name System (DNS). This document obsoletes RFC 2538.

RFC 4035

Protocol Modifications for the DNS Security Extensions

Show complete RFC 4035 (Mar 2005)

Show all RFCs that refer to RFC 4035

This document is part of a family of documents that describe the DNS Security Extensions (DNSSEC). The DNS Security Extensions are a collection of new resource records and protocol modifications that add data origin authentication and data integrity to the DNS. This document describes the DNSSEC protocol modifications. This document defines the concept of a signed zone, along with the requirements for serving and resolving by using DNSSEC. These techniques allow a security-aware resolver to authenticate both DNS resource records and authoritative DNS error indications. This document obsoletes RFC 2535 and incorporates changes from all updates to RFC 2535.

RFC 4034

Resource Records for the DNS Security Extensions

Show complete RFC 4034 (Mar 2005)

Show all RFCs that refer to RFC 4034

This document is part of a family of documents that describe the DNS Security Extensions (DNSSEC). The DNS Security Extensions are a collection of resource records and protocol modifications that provide source authentication for the DNS. This document defines the public key (DNSKEY), delegation signer (DS), resource record digital signature (RRSIG), and authenticated denial of existence (NSEC) resource records. The purpose and format of each resource record is described in detail, and an example of each resource record is given. This document obsoletes RFC 2535 and incorporates changes from all updates to RFC 2535.

RFC 4033

DNS Security Introduction and Requirements

Show complete RFC 4033 (Mar 2005)

Show all RFCs that refer to RFC 4033

The Domain Name System Security Extensions (DNSSEC) add data origin authentication and data integrity to the Domain Name System. This document introduces these extensions and describes their capabilities and limitations. This document also discusses the services that the DNS security extensions do and do not provide. Last, this document describes the interrelationships between the documents that collectively describe DNSSEC. This document obsoletes RFC 2535 and incorporates changes from all updates to RFC 2535.

RFC 4025

A Method for Storing IPsec Keying Material in DNS

Show complete RFC 4025 (Feb 2005)

Show all RFCs that refer to RFC 4025

This document describes a new resource record for the Domain Name System (DNS). This record may be used to store public keys for use in IP security (IPsec) systems. The record also includes provisions for indicating what system should be contacted when an IPsec tunnel is established with the entity in question. This record replaces the functionality of the sub-type #4 of the KEY Resource Record, which has been obsoleted by RFC 3445.

RFC 3833

Threat Analysis of the Domain Name System (DNS)

Show complete RFC 3833 (Aug 2004)

Show all RFCs that refer to RFC 3833

Although the DNS Security Extensions (DNSSEC) have been under development for most of the last decade, the IETF has never written down the specific set of threats against which DNSSEC is designed to protect. Among other drawbacks, this cart-before-the-horse situation has made it difficult to determine whether DNSSEC meets its design goals, since its design goals are not well specified. This note attempts to document some of the known threats to the DNS, and, in doing so, attempts to measure to what extent (if any) DNSSEC is a useful tool in defending against these threats.

RFC 3645

Generic Security Service Algorithm for Secret Key Transaction Authentication for DNS (GSS-TSIG)

Show complete RFC 3645 (Oct 2003)

Show all RFCs that refer to RFC 3645

The Secret Key Transaction Authentication for DNS (TSIG) protocol provides transaction level authentication for DNS. TSIG is extensible through the definition of new algorithms. This document specifies an algorithm based on the Generic Security Service Application Program Interface (GSS-API) (RFC-2743). This document updates RFC-2845.

RFC 3597	Handling of Unknown DNS Resource Record (RR) Types
	Show complete RFC 3597 (Sep 2003) Show all RFCs that refer to RFC 3597 Extending the Domain Name System (DNS) with new Resource Record (RR) types currently requires changes to name server software. This document specifies the changes necessary to allow future DNS implementations to handle new RR types transparently.

RFC 3226

DNSSEC and IPv6 A6 aware server/resolver message size requirements

Show complete RFC 3226 (Dec 2001)

Show all RFCs that refer to RFC 3226

This document mandates support for EDNS0 (Extension Mechanisms for DNS) in DNS entities claiming to support either DNS Security Extensions or A6 records. This requirement is necessary because these new features increase the size of DNS messages. If EDNS0 is not supported fall back to TCP will happen, having a detrimental impact on query latency and DNS server load. This document updates RFC-2535 and RFC RFC-2874, by adding new requirements.

RFC 3225

Indicating Resolver Support of DNSSEC

Show complete RFC 3225 (Dec 2001)

Show all RFCs that refer to RFC 3225

In order to deploy DNSSEC (Domain Name System Security Extensions) operationally, DNSSEC aware servers should only perform automatic inclusion of DNSSEC RRs when there is an explicit indication that the resolver can understand those RRs. This document proposes the use of a bit in the EDNS0 header to provide that explicit indication and describes the necessary protocol changes to implement that notification.

RFC 3130	Notes from the State-Of-The-Technology: DNSSEC
	Show complete RFC 3130 (Jun 2001) Show all RFCs that refer to RFC 3130 This is a memo of a DNSSEC (Domain Name System Security Extensions) status meeting.

RFC 3110

RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS)

Show complete RFC 3110 (May 2001)

Show all RFCs that refer to RFC 3110

This document describes how to produce RSA/SHA1 SIG resource records (RRs) in Section 3 and, so as to completely replace RFC-2537, describes how to produce RSA KEY RRs in Section 2. Since the adoption of a Proposed Standard for RSA signatures in the DNS (Domain Name Space), advances in hashing have been made. A new DNS signature algorithm is defined to make these advances available in SIG RRs. The use of the previously specified weaker mechanism is deprecated. The algorithm number of the RSA KEY RR is changed to correspond to this new SIG algorithm. No other changes are made to DNS security.

RFC 3008	Domain Name System Security (DNSSEC) Signing Authority
	Show complete RFC 3008 (Nov 2000) Show all RFCs that refer to RFC 3008 This document proposes a revised model of Domain Name System Security (DNSSEC) Signing Authority. The revised model is designed to clarify earlier documents and add additional restrictions to simplify the secure resolution process. Specifically, this affects the authorization of keys to sign sets of records.

RFC 3007

Secure Domain Name System (DNS) Dynamic Update

Show complete RFC 3007 (Nov 2000)

Show all RFCs that refer to RFC 3007

This document proposes a method for performing secure Domain Name System (DNS) dynamic updates. The method described here is intended to be flexible and useful while requiring as few changes to the protocol as possible. The authentication of the dynamic update message is separate from later DNSSEC validation of the data. Secure communication based on authenticated requests and transactions is used to provide authorization.

RFC 2931

DNS Request and Transaction Signatures ( SIG(0)s )

Show complete RFC 2931 (Sep 2000)

Show all RFCs that refer to RFC 2931

Extensions to the Domain Name System (DNS) are described in [RFC-2535] that can provide data origin and transaction integrity and authentication to security aware resolvers and applications through the use of cryptographic digital signatures. Implementation experience has indicated the need for minor but non- interoperable changes in Request and Transaction signature resource records ( SIG(0)s ). These changes are documented herein.

RFC 2930

Secret Key Establishment for DNS (TKEY RR)

Show complete RFC 2930 (Sep 2000)

Show all RFCs that refer to RFC 2930

[RFC-2845] provides a means of authenticating Domain Name System (DNS) queries and responses using shared secret keys via the Transaction Signature (TSIG) resource record (RR). However, it provides no mechanism for setting up such keys other than manual exchange. This document describes a Transaction Key (TKEY) RR that can be used in a number of different modes to establish shared secret keys between a DNS resolver and server.

RFC 2929	Domain Name System (DNS) IANA Considerations
	Show complete RFC 2929 (Sep 2000) Show all RFCs that refer to RFC 2929 Internet Assigned Number Authority (IANA) parameter assignment considerations are given for the allocation of Domain Name System (DNS) classes, Resource Record (RR) types, operation codes, error codes, etc.

RFC 2870

Root Name Server Operational Requirements

Show complete RFC 2870 (Jun 2000)

Show all RFCs that refer to RFC 2870

As the internet becomes increasingly critical to the world's social and economic infrastructure, attention has rightly focused on the correct, safe, reliable, and secure operation of the internet infrastructure itself. The root domain name servers are seen as a crucial part of that technical infrastructure. The primary focus of this document is to provide guidelines for operation of the root name servers. Other major zone server operators (gTLDs, ccTLDs, major zones) may also find it useful. These guidelines are intended to meet the perceived societal needs without overly prescribing technical details.

RFC 2845

Secret Key Transaction Authentication for DNS (TSIG)

Show complete RFC 2845 (May 2000)

Show all RFCs that refer to RFC 2845

This protocol allows for transaction level authentication using shared secrets and one way hashing. It can be used to authenticate dynamic updates as coming from an approved client, or to authenticate responses as coming from an approved recursive name server. No provision has been made here for distributing the shared secrets; it is expected that a network administrator will statically configure name servers and clients using some out of band mechanism such as sneaker-net until a secure automated mechanism for key distribution is available.

RFC 2540	Detached Domain Name System (DNS) Information
	Show complete RFC 2540 (Mar 1999) Show all RFCs that refer to RFC 2540 A standard format is defined for representing detached DNS information. This is anticipated to be of use for storing information retrieved from the Domain Name System (DNS), including security information, in archival contexts or contexts not connected to the Internet.

RFC 2539	Storage of Diffie-Hellman Keys in the Domain Name System (DNS)
	Show complete RFC 2539 (Mar 1999) Show all RFCs that refer to RFC 2539 A standard method for storing Diffie-Hellman keys in the Domain Name System is described which utilizes DNS KEY resource records.

RFC 2536	DSA KEYs and SIGs in the Domain Name System (DNS)
	Show complete RFC 2536 (Mar 1999) Show all RFCs that refer to RFC 2536 A standard method for storing US Government Digital Signature Algorithm keys and signatures in the Domain Name System is described which utilizes DNS KEY and SIG resource records.

RFC 2181

Clarifications to the DNS Specification

Show complete RFC 2181 (Jul 1997)

Show all RFCs that refer to RFC 2181

This document considers some areas that have been identified as problems with the specification of the Domain Name System, and proposes remedies for the defects identified. Eight separate issues are considered: IP packet header address usage from multi-homed servers, TTLs in sets of records with the same name, class, and type, correct handling of zone cuts, three minor issues concerning SOA records and their use, the precise definition of the Time to Live (TTL), Use of the TC (truncated) header bit, the issue of what is an authoritative, or canonical, name, and the issue of what makes a valid DNS label. The first six of these are areas where the correct behaviour has been somewhat unclear, we seek to rectify that. The other two are already adequately specified, however the specifications seem to be sometimes ignored. We seek to reinforce the existing specifications.

DNSSEC.NET

BIND9.NET

BGP4.AS

HONEYPOTS.NET

WARDRIVE.NET

FORENSICS.NL

SECURITYBOOKS

NETWORKINGBOOKS

af183d41d32b8d2060360fbf713dd70a