draft-ietf-dnsind-indirect-key-00.txt
DNSIND Working Group                                        D. Eastlake
INTERNET-DRAFT                                                      IBM
Expires October 1999

         Indirect KEY RRs in the Domain Name System (DNS)
         -------- --- --- -- --- ------ ---- ------ -----

                         Donald E. Eastlake 3rd
Status of This Document

   This draft, file name draft-ietf-dnsind-indirect-key-00.txt, is
   intended to become a Proposed Standard RFC. Distribution of this
   document is unlimited. Comments should be sent to the DNSSEC mailing
   list <dns-security@tis.com> or to the author.

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026. Internet-Drafts are working
   documents of the Internet Engineering Task Force (IETF), its areas,
   and its working groups. Note that other groups may also distribute
   working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months. Internet-Drafts may be updated, replaced, or obsoleted by
   other documents at any time. It is not appropriate to use Internet-
   Drafts as reference material or to cite them other than as a
   ``working draft'' or ``work in progress.''

   The list of current Internet-Drafts can be accessed at

   The list of Internet-Draft Shadow Directories can be accessed at

   To view the entire list of current Internet-Drafts, please check the
   "1id-abstracts.txt" listing contained in the Internet-Drafts Shadow
   Directories on ftp.is.co.za (Africa), ftp.nordu.net (Northern
   Europe), ftp.nis.garr.it (Southern Europe), munnari.oz.au (Pacific
   Rim), ftp.ietf.org (US East Coast), or ftp.isi.edu (US West Coast).
Abstract

   [RFC 2535] defines a means for storing cryptographic public keys in
   the Domain Name System. An additional code point is defined for the
   algorithm field of the KEY resource record (RR) to indicate that the
   key is not stored in the KEY RR but is pointed to by the KEY RR.
   Encodings to indicate different types of key and pointer formats are

   [This draft is moved from the DNSSEC WG as part of that WG's merger
   into the DNSIND WG. It would have been draft-ietf-dnssec-indirect-
   key-02.txt in the DNSSEC WG.]
D. Eastlake 3rd                                                 [Page 1]

INTERNET-DRAFT                                         Indirect KEY RRs
Table of Contents

      Status of This Document....................................1
      Abstract...................................................1
      Table of Contents..........................................2

      1. Introduction............................................3
      2. The Indirect KEY RR Algorithm...........................3
      2.1 The Target Type Field..................................4
      2.2 The Target Algorithm Field.............................5
      2.3 The Hash Fields........................................5
      3. Performance Considerations..............................6
      4. IANA Considerations.....................................6
      5. Security Considerations.................................6

      References.................................................7
      Author's Address...........................................7
      Expiration and File Name...................................8
1. Introduction

   The Domain Name System (DNS) security extensions [RFC 2535] provide
   for the general storage of public keys in the domain name system via
   the KEY resource record (RR). These KEY RRs are used in support of
   DNS security and may be used to support other security protocols.
   KEY RRs can be associated with users, zones, and hosts or other end
   entities named in the DNS.

   For reasons given below, it will sometimes be desirable to store a
   key or keys elsewhere and merely point to it from the KEY RR.
   Indirect key storage makes it possible to point to a key service via
   a URL, to have a compact pointer to a larger key or set of keys, to
   point to a certificate either inside DNS [RFC 2538] or outside the
   DNS, and where appropriate, to store a key or key set applicable to
   many DNS entries in one place and point to it from those entries.

   However, to simplify DNSSEC implementation, this technique MUST NOT
   be used for KEY RRs used for verification in DNSSEC, i.e., the
   value of the "protocol" field of an indirect KEY RR MUST NOT be 3.

   The key words "MUST", "MUST NOT", "REQUIRED", "SHOULD",
   "RECOMMENDED", and "MAY" in this document are to be interpreted as
   described in [RFC 2119].
2. The Indirect KEY RR Algorithm

   Domain Name System (DNS) KEY Resource Record (RR) [RFC 2535]
   algorithm number 252 is defined as the indirect key algorithm. This
   algorithm MUST NOT be used for zone keys in support of DNS security.
   All KEYs used in DNSSEC validation MUST be stored directly in the

   When the algorithm byte of a KEY RR has the value 252, the "public
   key" portion of the RR is formatted as follows:

                        1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |          target type          |  target alg.  |   hash type   |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   hash size   |             hash (variable size)              /
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-/
   /                    pointer (variable size)                    /
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-/
2.1 The Target Type Field

   Target type specifies the type of the key-containing data being
   pointed at.

   Target type
   -----------
   0 - reserved, see section 4

   1 - indicates that the pointer is a domain name from which KEY RRs
       [RFC 2535] should be retrieved. Name compression in the pointer
       field is prohibited.

   2 - indicates that the pointer is a null terminated character string
       which is a URL [RFC 1738]. For existing data transfer URL
       schemes, such as ftp, http, shttp, etc., the data is the same as
       the public key portion of a KEY RR. (New URL schemes may be
       defined which return multiple keys.)

   3 - indicates that the pointer is a domain name from which CERT RRs
       [RFC 2538] should be retrieved. Name compression in the pointer
       field is prohibited.

   4 - indicates that the pointer is a null terminated character string
       which is a URL [RFC 1738]. For existing data transfer URL
       schemes, such as ftp, http, shttp, etc., the data is the same as
       the entire RDATA portion of a CERT RR [RFC 2538]. (New URL
       schemes may be defined which return multiple such data blocks.)

   5 - indicates that the pointer is a null terminated character string
       which is a URL [RFC 1738]. For existing data transfer URL
       schemes, such as ftp, http, shttp, etc., the data is a PKCS#1 [RFC
       2437] format key. (New URL schemes may be defined which return
       multiple keys.)

   6 through 255 - available for assignment, see section 4.

   256 through 511 (i.e., 256 + n) - indicate that the pointer is a null
       terminated character string which is a URL [RFC 1738]. For
       existing data transfer URL schemes, such as ftp, http, shttp,
       etc., the data is a certificate of the type indicated by a CERT RR
       [RFC 2538] certificate type of n. That is, target types 257, 258,
       and 259 are PKIX, SPKI, and PGP certificates and target types 509
       and 510 are URL and OID private certificate types. (New URL
       schemes may be defined which return multiple such certificates.)

   512 through 65534 - available for assignment, see section 4.

   65535 - reserved, see section 4.
2.2 The Target Algorithm Field

   The target algorithm field is as defined in [RFC 2535]. If non-zero,
   it specifies the algorithm type of the target key or keys pointed to.
   If zero, it does not specify what algorithm the target key or keys apply
2.3 The Hash Fields

   If the indirecting KEY RRset [RFC 2181, 2535] is retrieved from an
   appropriately secure DNS zone with a resolver implementing DNS
   security, then there would be a high level of confidence in the
   entire value of the KEY RRset including any direct keys. This may or
   may not be true of any indirect key pointed to. If an indirect key
   is embodied in a certificate or retrieved via a secure protocol such
   as SHTTP, it may also be secure. But an indirecting KEY RR could,
   for example, simply have an FTP URL pointing to a binary key stored
   elsewhere, the retrieval of which would not be secure.

   The hash option in algorithm 252 KEY RRs provides a means of
   extending the security of the indirecting KEY RR to the actual key
   material pointed at. By including a hash in a secure indirecting RR,
   this secure hash can be checked against the hash of the actual keying

   Type    Hash Algorithm
   ----    --------------
     0     indicates no hash present
     1     MD5 [RFC 1321]
   4-252   available, see section 4
   253     private, domain name (see below)
   254     private, OID (see below)
   255     reserved

   Codes 253 and 254 indicate that a private, proprietary, local, or
   experimental hash algorithm is used. For code 253, the hash field
   begins with a wire encoded domain name (with compression prohibited)
   that indicates the algorithm to use. For code 254, the hash field
   begins with a one byte unsigned OID length followed by a BER encoded
   OID which indicates the algorithm to use.

   The hash size field is an unsigned octet count of the hash field size
   less the length of any code 253 or 254 prefix. For some hash
   algorithms it may be fixed by the algorithm choice but this will not
   always be the case. For example, hash size is used to distinguish
   between RIPEMD-128 (16 octets) and RIPEMD-160 (20 octets). If the
   hash algorithm field is 0, the hash size MUST be zero and no hash
   octets are present.

   The hash field itself is variable size with its length specified by
   the hash size field and any code 253 or 254 prefix.
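   The following is an added example, not part of this draft, showing
   how the "public key" portion laid out in section 2 and described in
   sections 2.1 through 2.3 is built and parsed: the fixed header (target
   type, target algorithm, hash type, hash size), the code 253/254
   algorithm prefix before the hash octets, and a pointer that is either
   an uncompressed wire-format name or a null terminated URL. It also
   applies the rule from section 1 that a KEY RR with algorithm 252 MUST
   NOT carry protocol 3, using the RFC 2535 RDATA layout (flags,
   protocol, algorithm, public key). The sample name, URLs, key bytes and
   the "sha1.example." private hash name are constructed for illustration.

```python
"""Wire format of the "public key" portion of an algorithm-252 (indirect) KEY RR,
after sections 2 to 2.3 of the draft.  Added example, not the draft's own text;
the sample names, URLs and key bytes are constructed."""
import hashlib
import struct
from dataclasses import dataclass

ALG_INDIRECT = 252        # KEY RR algorithm number for indirect keys
PROTOCOL_DNSSEC = 3       # KEY RR protocol value an indirect key MUST NOT carry
NAME_TARGETS = {1, 3}                           # pointer: uncompressed domain name
URL_TARGETS = {2, 4, 5} | set(range(256, 512))  # pointer: NUL-terminated URL
HASH_NONE, HASH_MD5, HASH_PRIV_NAME, HASH_PRIV_OID = 0, 1, 253, 254

def encode_name(name):
    """Wire-encode a domain name as plain labels (compression is prohibited)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_name(buf, off):
    """Decode an uncompressed name at buf[off:]; return (name, offset after it)."""
    labels = []
    while True:
        n = buf[off]
        if n & 0xC0:
            raise ValueError("compression pointer in indirect KEY RR")
        off += 1
        if n == 0:
            return ".".join(labels) + ".", off
        labels.append(buf[off:off + n].decode("ascii"))
        off += n

@dataclass
class IndirectKey:
    target_type: int
    target_alg: int     # RFC 2535 algorithm of the target key(s); 0 = unspecified
    hash_type: int
    hash_prefix: bytes  # code 253 (name) or 254 (length + OID) identifier, else b""
    digest: bytes       # the 'hash size' octets of hash
    pointer: str        # domain name or URL, depending on target_type

    def to_wire(self):
        if self.hash_type == HASH_NONE and (self.digest or self.hash_prefix):
            raise ValueError("hash type 0 requires hash size 0 and no hash octets")
        if self.target_type in NAME_TARGETS:
            ptr = encode_name(self.pointer)
        elif self.target_type in URL_TARGETS:
            ptr = self.pointer.encode("ascii") + b"\x00"
        else:
            raise ValueError("target type %d not assigned" % self.target_type)
        hdr = struct.pack("!HBBB", self.target_type, self.target_alg,
                          self.hash_type, len(self.digest))
        return hdr + self.hash_prefix + self.digest + ptr

def parse_indirect_key(pk):
    """Parse the 'public key' bytes of an algorithm-252 KEY RR."""
    if len(pk) < 5:
        raise ValueError("truncated indirect key")
    ttype, talg, htype, hsize = struct.unpack("!HBBB", pk[:5])
    off, prefix = 5, b""
    if htype == HASH_PRIV_NAME:        # hash field starts with an algorithm name
        _, end = decode_name(pk, off)
        prefix, off = pk[off:end], end
    elif htype == HASH_PRIV_OID:       # ...or with a one-octet length + BER OID
        end = off + 1 + pk[off]
        prefix, off = pk[off:end], end
    elif htype == HASH_NONE and hsize:
        raise ValueError("hash type 0 with non-zero hash size")
    digest, off = pk[off:off + hsize], off + hsize
    if len(digest) != hsize:
        raise ValueError("truncated hash field")
    if ttype in NAME_TARGETS:
        pointer, off = decode_name(pk, off)
    elif ttype in URL_TARGETS:
        end = pk.index(b"\x00", off)
        pointer, off = pk[off:end].decode("ascii"), end + 1
    else:
        raise ValueError("target type %d not assigned" % ttype)
    if off != len(pk):
        raise ValueError("trailing octets after pointer")
    return IndirectKey(ttype, talg, htype, prefix, digest, pointer)

def parse_key_rdata(rdata):
    """Parse whole KEY RDATA (flags, protocol, algorithm, public key; RFC 2535)
    and enforce the draft's rule that an indirect key MUST NOT have protocol 3."""
    _flags, protocol, alg = struct.unpack("!HBB", rdata[:4])
    if alg != ALG_INDIRECT:
        raise ValueError("algorithm %d is not the indirect key algorithm" % alg)
    if protocol == PROTOCOL_DNSSEC:
        raise ValueError("indirect KEY RR MUST NOT have protocol 3 (DNSSEC)")
    return parse_indirect_key(rdata[4:])

# Constructed samples: target type 2 (URL to a KEY public-key blob) with target
# algorithm 1 (RSA/MD5 in RFC 2535) and an MD5 hash; and a type 4 (CERT RDATA
# URL) pointer whose hash uses a code 253 private algorithm named by a domain.
SAMPLE_MATERIAL = bytes(range(1, 65))
SAMPLE = IndirectKey(2, 1, HASH_MD5, b"", hashlib.md5(SAMPLE_MATERIAL).digest(),
                     "http://keys.example/host.key")
PRIVATE_SAMPLE = IndirectKey(4, 0, HASH_PRIV_NAME, encode_name("sha1.example."),
                             hashlib.sha1(SAMPLE_MATERIAL).digest(),
                             "http://certs.example/host.cert")

if __name__ == "__main__":
    for ik in (SAMPLE, PRIVATE_SAMPLE):
        print(ik.to_wire().hex(), parse_indirect_key(ik.to_wire()) == ik)
```

   The parser rejects a compression pointer in either the pointer field
   or a code 253 prefix, as both are prohibited, and refuses trailing
   octets so that a malformed record cannot smuggle extra data past the
   pointer.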
3. Performance Considerations

   With current public key technology, an indirect key will sometimes be
   shorter than the keying material it points at. In addition, there
   can be cases where a single indirect KEY RR points to multiple keys
   elsewhere. This may improve DNS performance in the retrieval of the
   initial KEY RR. However, an additional retrieval step then needs to
   be done to get the actual keying material, which must be added to
   the overall time to get the public key.
4. IANA Considerations

   IETF consensus, standards action, and similar terms in this section
   are as defined in [RFC 2434].

   KEY RR algorithm number 252 was already reserved for indirect keys in

   An IETF standards action is required to allocate target type codes
   hex x0000, x0006 through x00FF, x0200 through x0FFF, and xFFFF.
   Codes in the range x1000 through x7FFF can be allocated by an IETF
   consensus. Codes x8000 through xFEFF are available on a first-come,
   first-served basis. Codes xFF00 through xFFFE are available for
   experimentation or private local use without allocation. Use of
   codes in this block may result in conflicts outside such experiment
   or locality.

   An IETF consensus is required to allocate an indirect KEY RR hash
   algorithm code in the range 4-252 and a standards action is required
   to allocate hash algorithm code 255. Codes 253 and 254 should cover
   requirements for local, private, or proprietary algorithms.
5. Security Considerations

   The indirecting step of using an indirect KEY RR adds complexity and
   additional steps where security could go wrong. If the indirect key
   RR was retrieved from a zone that was insecure for the resolver, you
   have no security. If the indirect key RR, although secure itself,
   points to a key which can not be securely retrieved and is not
   validated by a secure hash in the indirect key RR, you have no
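   The decision this section and section 2.3 describe, as an added
   example that is not part of the draft: the retrieved material is
   only as good as the indirecting RR, and beyond that it is covered
   either by a secure retrieval path or by a hash in the RR. MD5 (code
   1) is the only hash code the draft defines; codes 253 and 254 are
   resolved through a caller-supplied registry keyed by the prefix
   bytes, which is a local convention assumed here. Treating a hash
   mismatch as a distinct "reject" outcome rather than merely "no
   security" is this example's choice, since a mismatch is positive
   evidence that the pointed-to data was altered. The status strings,
   key bytes and the "sha1.example." private hash name are constructed.

```python
"""Trust decision for keying material reached through an indirect KEY RR,
following sections 2.3 and 5 of the draft.  Added example, not the draft's
text; the status strings and sample inputs are constructed."""
import hashlib
import hmac

HASH_NONE, HASH_MD5, HASH_PRIV_NAME, HASH_PRIV_OID = 0, 1, 253, 254
HASH_FUNCS = {HASH_MD5: hashlib.md5}     # the only hash code the draft defines

def material_hash_ok(hash_type, hash_prefix, digest, material, private_hashes=None):
    """True if 'material' hashes to the digest carried in the indirect RR.
    private_hashes maps a code 253/254 prefix (wire-form name or length+OID
    bytes) to a hash constructor; it is a local registry the caller supplies."""
    func = HASH_FUNCS.get(hash_type)
    if hash_type in (HASH_PRIV_NAME, HASH_PRIV_OID):
        func = (private_hashes or {}).get(hash_prefix)
    if func is None:
        raise ValueError("unsupported hash type %d" % hash_type)
    # compare_digest also returns False when the lengths differ, which covers
    # a hash size that does not match the algorithm's output length.
    return hmac.compare_digest(func(material).digest(), digest)

def trust_indirect_key(rr_secure, retrieval_secure, hash_type, hash_prefix,
                       digest, material, private_hashes=None):
    """Return 'secure', 'insecure' or 'reject' for the retrieved material.
    rr_secure: the indirecting KEY RRset came from a secure zone and was
    validated by a resolver implementing DNS security.
    retrieval_secure: the target was fetched over a secure protocol (e.g.
    SHTTP) or is embodied in a certificate the caller has verified."""
    if not rr_secure:
        return "insecure"            # unauthenticated pointer: nothing to build on
    if hash_type != HASH_NONE:
        ok = material_hash_ok(hash_type, hash_prefix, digest, material,
                              private_hashes)
        return "secure" if ok else "reject"   # RR is good, the material is not
    # No hash: the RR's security does not extend to the target, so only the
    # retrieval path can vouch for it (a plain FTP fetch cannot).
    return "secure" if retrieval_secure else "insecure"

# Constructed sample inputs.
MATERIAL = b"constructed-key-bytes"
MD5_DIGEST = hashlib.md5(MATERIAL).digest()
SHA1_DIGEST = hashlib.sha1(MATERIAL).digest()
PRIVATE_PREFIX = b"\x04sha1\x07example\x00"   # code 253: wire-form algorithm name
PRIVATE_REGISTRY = {PRIVATE_PREFIX: hashlib.sha1}

if __name__ == "__main__":
    print(trust_indirect_key(True, False, HASH_MD5, b"", MD5_DIGEST, MATERIAL))
    print(trust_indirect_key(True, False, HASH_NONE, b"", b"", MATERIAL))
```

   The caller, not this function, establishes rr_secure and
   retrieval_secure; the point of the hash path is that it lets a
   secure indirecting RR vouch for material fetched over a channel that
   is not secure at all.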
References

   RFC 1034 - P. Mockapetris, "Domain Names - Concepts and Facilities",
   STD 13, November 1987.

   RFC 1035 - P. Mockapetris, "Domain Names - Implementation and
   Specifications", STD 13, November 1987.

   RFC 1321 - R. Rivest, "The MD5 Message-Digest Algorithm", April 1992.

   RFC 1738 - T. Berners-Lee, L. Masinter & M. McCahill, "Uniform
   Resource Locators (URL)", December 1994.

   RFC 2119 - S. Bradner, "Key words for use in RFCs to Indicate
   Requirement Levels", March 1997.

   RFC 2181 - R. Elz, R. Bush, "Clarifications to the DNS
   Specification", July 1997.

   RFC 2434 - T. Narten, H. Alvestrand, "Guidelines for Writing an IANA
   Considerations Section in RFCs", October 1998.

   RFC 2437 - B. Kaliski, J. Staddon, "PKCS #1: RSA Cryptography
   Specifications Version 2.0", October 1998.

   RFC 2535 - D. Eastlake, "Domain Name System Security Extensions",
   March 1999.

   RFC 2538 - D. Eastlake, O. Gudmundsson, "Storing Certificates in the
   Domain Name System (DNS)", March 1999.
Author's Address

   Donald E. Eastlake 3rd
   65 Shindegan Hill Road, RR #1
   Carmel, NY 10512 USA

   Telephone:   +1-914-784-7913 (w)
                +1-914-276-2668 (h)
   FAX:         +1-914-784-3833 (w)
   EMail:       dee3@us.ibm.com
Expiration and File Name

   This draft expires October 1999.

   Its file name is draft-ietf-dnsind-indirect-key-00.txt.