INTERNET-DRAFT                                       Indirect KEY RRs
                                                       November 1997
                                                    Expires May 1998



                 Indirect KEY RRs in the Domain Name System
                 -------- --- --- -- --- ------ ---- ------

                                              Donald E. Eastlake 3rd


Status of This Document

   This draft, file name draft-ietf-dnssec-indirect-key-01.txt, is
   intended to become a Proposed Standard RFC.  Distribution of this
   document is unlimited.  Comments should be sent to the DNSSEC mailing
   list <dns-security@tis.com> or to the author.

   This document is an Internet-Draft.  Internet-Drafts are working
   documents of the Internet Engineering Task Force (IETF), its areas,
   and its working groups.  Note that other groups may also distribute
   working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months.  Internet-Drafts may be updated, replaced, or obsoleted by
   other documents at any time.  It is not appropriate to use Internet-
   Drafts as reference material or to cite them other than as a
   ``working draft'' or ``work in progress.''

   To learn the current status of any Internet-Draft, please check the
   1id-abstracts.txt listing contained in the Internet-Drafts Shadow
   Directories on ds.internic.net (East USA), ftp.isi.edu (West USA),
   nic.nordu.net (North Europe), ftp.nis.garr.it (South Europe),
   munnari.oz.au (Pacific Rim), or ftp.is.co.za (Africa).



Abstract

   RFC 2065 defines a means for storing cryptographic public keys in the
   Domain Name System.  An additional code point is defined for the KEY
   resource record (RR) algorithm field to indicate that the key itself
   is not stored in the KEY RR but is pointed to by the KEY RR.
   Encodings to indicate different types of key and pointer formats are
   specified.



Donald E. Eastlake 3rd                                          [Page 1]



Table of Contents

   Status of This Document
   Abstract
   Table of Contents

   1. Introduction

   2. The Indirect KEY RR Algorithm
   2.1 The Target Type Field
   2.2 The Target Algorithm Field
   2.3 The Hash Fields

   3. Performance Considerations
   4. Security Considerations

   References
   Author's Address
   Expiration and File Name



1. Introduction

   The Domain Name System (DNS) security extensions [RFC 2065] provide
   for the general storage of public keys in the domain name system via
   the KEY resource record (RR).  These KEY RRs are used in support of
   DNS security and may be used to support other security protocols.
   KEY RRs can be associated with users, zones, and hosts or other end
   entities named in the DNS.

   For reasons given below, in many cases it will be desirable to store
   a key or keys elsewhere and merely point to it from the KEY RR.
   Indirect key storage makes it possible to point to a key service via
   a URL, to have a compact pointer to a larger key or set of keys, to
   point to a certificate either inside DNS [see draft-ietf-dnssec-
   certs-*.txt] or outside the DNS, and, where appropriate, to store a
   key or key set applicable to many DNS entries in one place and point
   to it from those entries.

   However, to simplify DNSSEC implementation, this technique MUST NOT
   be used for KEY RRs used for verification in DNSSEC.



2. The Indirect KEY RR Algorithm

   Domain Name System (DNS) KEY Resource Record (RR) [RFC 2065]
   algorithm number 252 is defined as the indirect key algorithm.  This
   algorithm MAY NOT be used for zone keys in support of DNS security.
   All KEYs used in DNSSEC validation must be stored directly in the
   DNS.

   When the algorithm byte of a KEY RR has the value 252, the "public
   key" portion of the RR is formatted as follows:

                           1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |          target type          |  target alg.  |   hash type   |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |   hash size   |                hash (variable size)           /
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-/
      |                                                               /
      /                   pointer (variable size)                     /
      /                                                               /
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+



2.1 The Target Type Field

   The target type field specifies the type of the key-containing data
   being pointed at.

   Target types 0 and 65535 are reserved.

   Target type 1 indicates that the pointer is a domain name from which
   KEY RRs [RFC 2065] should be retrieved.  Name compression in the
   pointer field is prohibited.

   Target type 2 indicates that the pointer is a null terminated
   character string which is a URL [RFC 1738].  For existing data
   transfer URL schemes, such as ftp, http, shttp, etc., the data is the
   same as the public key portion of a KEY RR.  (New URL schemes may be
   defined which return multiple keys.)

   Target type 2 indicates that the pointer is a domain name from which
   CERT RRs [draft-ietf-dnssec-certs-*.txt] should be retrieved.  Name
   compression in the pointer field is prohibited.

   Target type 3 indicates that the pointer is a null terminated
   character string which is a URL [RFC 1738].  For existing data
   transfer URL schemes, such as ftp, http, shttp, etc., the data is the
   same as the entire RDATA portion of a CERT RR [draft-ietf-dnssec-
   certs-*.txt].  (New URL schemes may be defined which return multiple
   such data blocks.)

   Target type 4 indicates that the pointer is a null terminated
   character string which is a URL [RFC 1738].  For existing data
   transfer URL schemes, such as ftp, http, shttp, etc., the data is a
   PKCS#1 format key.  (New URL schemes may be defined which return
   multiple keys.)

   The target types 5 through 255 are available for assignment by IANA.

   Target types 256 through 511 (i.e., 256 + n) indicate that the
   pointer is a null terminated character string which is a URL [RFC
   1738].  For existing data transfer URL schemes, such as ftp, http,
   shttp, etc., the data is a certificate of the type indicated by a
   CERT RR [draft-ietf-dnssec-certs-*.txt] certificate type of n.  That
   is, target types 257, 258, and 259 are PKIX, SPKI, and PGP
   certificates and target types 509 and 510 are URL and OID private
   certificate types.  (New URL schemes may be defined which return
   multiple such certificates.)

   Target types 512 through 65534 are available for assignment by IANA.



2.2 The Target Algorithm Field

   The target algorithm field is as defined in RFC 2065.  If non-zero,
   it specifies the algorithm type of the target key or keys pointed to.
   If zero, it does not specify what algorithm the target key or keys
   apply to.



2.3 The Hash Fields

   If the indirecting KEY RR is retrieved from an appropriately secure
   DNS zone with a resolver implementing DNS security, then there would
   be a high level of confidence in the entire value of the KEY RR,
   including any direct keys.  This may or may not be true of any
   indirect key pointed to.  If that key is embodied in a certificate or
   retrieved via a secure protocol such as SHTTP, it may also be secure.
   But an indirecting KEY RR could, for example, simply have an FTP URL
   pointing to a binary key stored elsewhere, the retrieval of which
   would not be secure.

   The hash option in algorithm 252 KEY RRs provides a means of
   extending the security of the indirecting KEY RR to the actual key
   material pointed at.  By including a hash in a secure indirecting RR,
   this secure hash can be checked against the hash of the actual keying
   material.  The hash type field takes the following values:

      Type   Hash Algorithm
      ----   --------------
        0    indicates no hash present
        1    MD5 [RFC 1321]
        2    SHA-1
        3    RIPEMD
      4-254  available for assignment
      255    reserved

   The hash size field is an unsigned octet count of the hash size.  For
   some hash algorithms it may be fixed by the algorithm choice, but this
   will not always be the case.  For example, hash size is used to
   distinguish between RIPEMD-128 (16 octets) and RIPEMD-160 (20
   octets).  If the hash algorithm is 0, the hash size MUST be zero and
   no hash octets are present.

   The hash field itself is variable size, with its length specified by
   the hash size field.



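   Added example, not part of this draft: a parser and encoder for the
   algorithm 252 "public key" portion laid out in section 2, with the
   section 2.3 hash check applied to material fetched through the
   pointer.  It assumes that only target type 1 carries a domain name and
   that the other documented target types carry a URL, and takes the
   zone-key name-type flag encoding from RFC 2065; the sample RR and key
   blob are constructed here.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

INDIRECT_KEY_ALG = 252                                    # section 2
HASH_NONE, HASH_MD5, HASH_SHA1, HASH_RIPEMD = 0, 1, 2, 3   # section 2.3 table
HASH_NAMES = {HASH_MD5: "md5", HASH_SHA1: "sha1", HASH_RIPEMD: "ripemd160"}
# Assumption of this example: only target type 1 carries a wire-format
# domain name; the other documented target types carry a NUL-terminated URL.
NAME_POINTER_TYPES = {1}

@dataclass
class IndirectKey:
    target_type: int
    target_alg: int
    hash_type: int
    hash: bytes          # empty when hash_type is 0
    pointer: bytes       # wire-format name, or URL bytes without the NUL

def _decode_name(buf: bytes) -> bytes:
    """Leading uncompressed wire-format name; compression is prohibited (2.1)."""
    pos = 0
    while pos < len(buf):
        n = buf[pos]
        if n & 0xC0:
            raise ValueError("compression pointer in indirect KEY pointer field")
        pos += 1 + n
        if n == 0:
            return buf[:pos]
    raise ValueError("truncated or unterminated domain name")

def parse_public_key(pk: bytes) -> IndirectKey:
    """Decode the 'public key' portion of an algorithm 252 KEY RR (section 2)."""
    if len(pk) < 5:
        raise ValueError("too short for an indirect KEY header")
    ttype, talg, htype, hsize = struct.unpack("!HBBB", pk[:5])
    if ttype in (0, 65535) or htype == 255:
        raise ValueError("reserved target type or hash type")
    if htype == HASH_NONE and hsize != 0:
        raise ValueError("hash size MUST be zero when no hash is present")
    digest, rest = pk[5:5 + hsize], pk[5 + hsize:]
    if len(digest) != hsize:
        raise ValueError("truncated hash field")
    if ttype in NAME_POINTER_TYPES:
        pointer = _decode_name(rest)
        trailing = rest[len(pointer):]
    else:
        end = rest.find(b"\x00")
        if end < 0:
            raise ValueError("URL pointer is not NUL terminated")
        pointer, trailing = rest[:end], rest[end + 1:]
    if trailing:
        raise ValueError("unexpected bytes after the pointer field")
    return IndirectKey(ttype, talg, htype, digest, pointer)

def parse_key_rdata(rdata: bytes) -> IndirectKey:
    """Strip the RFC 2065 flags/protocol/algorithm prefix and require alg 252.
    The zone-key name type (flag bits 6-7 == 01) is taken from RFC 2065."""
    flags, _protocol, alg = struct.unpack("!HBB", rdata[:4])
    if alg != INDIRECT_KEY_ALG:
        raise ValueError(f"algorithm {alg} is not the indirect key algorithm")
    if (flags >> 8) & 0x03 == 0x01:
        raise ValueError("indirect keys may not be zone keys (section 2)")
    return parse_public_key(rdata[4:])

def encode_public_key(key: IndirectKey) -> bytes:
    """Inverse of parse_public_key; the NUL is appended here for URL pointers."""
    head = struct.pack("!HBBB", key.target_type, key.target_alg,
                       key.hash_type, len(key.hash))
    nul = b"" if key.target_type in NAME_POINTER_TYPES else b"\x00"
    return head + key.hash + key.pointer + nul

def material_is_bound(key: IndirectKey, material: bytes) -> bool:
    """True only if a hash carried in the (DNSSEC-validated) indirect KEY RR
    matches what the pointer returned; with hash type 0 the RR vouches for
    nothing about the fetched material (sections 2.3 and 4)."""
    if key.hash_type == HASH_NONE:
        return False
    name = HASH_NAMES.get(key.hash_type)
    if name is None:
        raise ValueError(f"hash type {key.hash_type} is not supported here")
    digest = hashlib.new(name, material).digest()
    # Hash size separates variants such as RIPEMD-128 and RIPEMD-160; a size
    # that differs from the computed digest is a mismatch, never a prefix test.
    return len(digest) == len(key.hash) and hmac.compare_digest(digest, key.hash)

# Constructed sample: a user key (flags 0, protocol 2) whose KEY RR points
# over plain ftp to a key blob, bound to the RR by a SHA-1 hash.
SAMPLE_MATERIAL = b"\x01\x00\x01" + bytes(range(64))              # constructed
SAMPLE_KEY = IndirectKey(target_type=2, target_alg=1, hash_type=HASH_SHA1,
                         hash=hashlib.sha1(SAMPLE_MATERIAL).digest(),
                         pointer=b"ftp://keys.example/alice.key")
SAMPLE_RDATA = struct.pack("!HBB", 0, 2, INDIRECT_KEY_ALG) + encode_public_key(SAMPLE_KEY)
```

   A resolver would call material_is_bound only after the indirecting
   KEY RR itself passed DNSSEC validation; a False result means the
   fetched material has no more authority than the transport it came
   over.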
3. Performance Considerations

   With current public key technology, an indirect key will sometimes be
   shorter than the keying material it points at.  This may improve DNS
   performance in the retrieval of the initial KEY RR.  However, an
   additional retrieval step then needs to be done to get the actual
   keying material, which must be added to the overall time to get the
   public key.



4. Security Considerations

   The indirecting step of using an indirect KEY RR adds complexity and
   additional steps where security could go wrong.  If the indirect key
   RR was retrieved from a zone that was insecure for the resolver, you
   have no security.  If the indirect key RR, although secure itself,
   points to a key which cannot be securely retrieved and is not
   validated by a secure hash in the indirect key RR, you have no
   security.



References

   PKCS#1 - RSA Laboratories, "PKCS #1: RSA Encryption Standard".

   RFC 1034 - P. Mockapetris, "Domain Names - Concepts and Facilities",
   STD 13, November 1987.

   RFC 1035 - P. Mockapetris, "Domain Names - Implementation and
   Specification", STD 13, November 1987.

   RFC 1321 - R. Rivest, "The MD5 Message-Digest Algorithm", April 1992.

   RFC 1738 - T. Berners-Lee, L. Masinter & M. McCahill, "Uniform
   Resource Locators (URL)", December 1994.

   RFC 2065 - D. Eastlake, C. Kaufman, "Domain Name System Security
   Extensions", January 1997.

   draft-ietf-dnssec-certs-*.txt - D. Eastlake, O. Gudmundsson, "Storing
   Certificates in the Domain Name System", work in progress.



Author's Address

   Donald E. Eastlake 3rd
   CyberCash, Inc.
   318 Acton Street
   Carlisle, MA 01741 USA

   Telephone:   +1 978 287 4877
                +1 703 620-4200 (main office, Reston, VA)
   FAX:         +1 978 371 7148
   EMail:       dee@cybercash.com



Expiration and File Name

   This draft expires May 1998.

   Its file name is draft-ietf-dnssec-indirect-key-01.txt.