Independent submissionM. Richardson
Expires: August 2, 2003February 2003

A method for storing IPsec keying material in DNS.

Status of this Memo

This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at

The list of Internet-Draft Shadow Directories can be accessed at

This Internet-Draft will expire on August 2, 2003.

Copyright Notice

Copyright (C) The Internet Society (2003). All Rights Reserved.


This document describes a new resource record for DNS. This record may be used to store public keys for use in IPsec systems.

This record replaces the functionality of the sub-type #1 of the KEY Resource Record, which has been proposed to be obsoleted by [1].


Table of Contents


1. Introduction

1.1 Overview



2. Storage formats

The IPSECKEY resource record (RR) is used to publish a public key that is to be associated with a Domain Name System (DNS) name. It will be a public key as only public keys are stored in the DNS. This can be the public key of a host, network, or application (in the case of per-port keying).

An IPSECKEY RR is, like any other RR, authenticated by a SIG RR.

It is expected that there will often be multiple resource records of the IPSECKEY type. This will be due to the need to rollover keys, and due to the presence of multiple gateways.

The type number for the IPSECKEY RR is 45 (IANA TBD).



The RDATA for an IPSECKEY RR consists of a precedence value, a public key (and algorithm type), and an optional gateway address.

                        1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   |  algorithm    |  precedence   |         gateway               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                               +
   ~                            gateway                            ~
   |                                                               /
   /                          public key                           
   /                                                               /

3.1 RDATA format - algorithm type

The algorithm type ("algo") field indicates the type of key that is present in the public key field. Valid values are:

No key is present.
A RSA key is present, in the format defined in
A DSA key is present, in the format defined in

3.2 RDATA format - precedence

This is an 8-bit precedence for this record. This is interpreted in a similar way to the PREFERENCE field described in section 3.3.9 of [3].

3.3 RDATA format - RSA public key

If the algorithm type has the value 1, then public key portion contains an RSA public key, encoded as described in secion 2 of [8], and repeated here:

                        1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   | pub exp length|        public key exponent                    /
   |                                                               /
   +-                           modulus                            /
   |                                                               /

RFC2065 limited the exponent and modulus to 2552 bits in length, and RFC3110 to 4096 bits. No such limit is specified here for the purposes of encoding and decoding. The length in octets of the public exponent length is represented as one octet if it is in the range of 1 to 255 and by a zero octet followed by a two octet unsigned length if it is longer than 255 bytes. The public key modulus field is a multiprecision unsigned integer. The length of the modulus can be determined from the RDLENGTH and the preceding RDATA fields including the exponent.

Leading zero bytes are prohibited in the exponent and modulus.

3.4 RDATA format - DSA public key

If the algorithm type has the value 2, then public key portion contains an DSA public key, encoded as described in [7].

3.5 RDATA format - gateway

The gateway field indicates a gateway to which an IPsec tunnel may be created in order to reach the entity holding this resource record. The gateway field is a normal wire-encode domain name (section 3.3 of [3]).

As wire-encoded domain names are self-describing as to length, no length field is necessary. If no gateway is to be represented, then a null domain name is present.

It is most commonly a simple fully qualified domain name (FQDN). IP version 4 and IP version 6 addresses may be represented using the reverse name format, from and

For instance, the IP version 4 address is represented as the domain name


4. Presentation formats

4.1 Representation of IPSECKEY RRs

IPSECKEY RRs may appear as lines in a zone data master file. The precedence field is mandatory. While both the gateway and public key fields are optional, it is illegal for neither to be present.

As the IPv4, IPv6 and FQDN references to the gateway are mutually exclusive, they can share a position. If no gateway is to be indicated, then the root (".") should be used.

IPv4 addresses are to be represented as a dotted decimal quad, with no leading zeroes. IPv6 addresses are to be presented as specified in section 2.2 of [4]. 7200 IN     IPSECKEY ( 10
            RSA: AQOrXJxB56Q28iOO43Va36elIFFKc/QB2orIeL94BdC5X4idFQZjSpsZ
	         fejrfi1H )


5. IANA Considerations

IANA is asked to assign resource record 45 to this resource record.


6. Acknowledgments

People who pushed me to write this.


Normative references

[1] Massey, D. and S. Rose, "Limiting the Scope of the KEY Resource Record (RR)", RFC 3445, December 2002.
[2] Mockapetris, P., "Domain names - concepts and facilities", STD 13, RFC 1034, November 1987.
[3] Mockapetris, P., "Domain names - implementation and specification", STD 13, RFC 1035, November 1987.
[4] Hinden, R. and S. Deering, "IP Version 6 Addressing Architecture", RFC 1884, December 1995.
[5] Thomson, S. and C. Huitema, "DNS Extensions to support IP version 6", RFC 1886, December 1995.
[6] Eastlake, D., "Domain Name System Security Extensions", RFC 2535, March 1999.
[7] Eastlake, D., "DSA KEYs and SIGs in the Domain Name System (DNS)", RFC 2536, March 1999.
[8] Eastlake, D., "RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS)", RFC 3110, May 2001.


Author's Address

  Michael C. Richardson
  Sandelman Software Works
  470 Dawson Avenue
  Ottawa, ON K1Z 5V7


Full Copyright Statement