| TOC |
|
This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html.
This Internet-Draft will expire on August 2, 2003.
Copyright (C) The Internet Society (2003). All Rights Reserved.
This document describes a new resource record for DNS. This record may be used to store public keys for use in IPsec systems.
This record replaces the functionality of the sub-type #1 of the KEY Resource Record, which has been proposed to be obsoleted by [1].
| TOC |
| TOC |
Overview.
| TOC |
The IPSECKEY resource record (RR) is used to publish a public key that is to be associated with a Domain Name System (DNS) name. It will be a public key as only public keys are stored in the DNS. This can be the public key of a host, network, or application (in the case of per-port keying).
An IPSECKEY RR is, like any other RR, authenticated by a SIG RR.
It is expected that there will often be multiple resource records of the IPSECKEY type. This will be due to the need to rollover keys, and due to the presence of multiple gateways.
The type number for the IPSECKEY RR is 45 (IANA TBD).
| TOC |
The RDATA for an IPSECKEY RR consists of a precedence value, a public key (and algorithm type), and an optional gateway address.
1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| algorithm | precedence | gateway |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +
~ gateway ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| /
/ public key
/ /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-|
The algorithm type ("algo") field indicates the type of key that is present in the public key field. Valid values are:
- 0
- No key is present.
- 1
- A RSA key is present, in the format defined in
- 2
- A DSA key is present, in the format defined in
This is an 8-bit precedence for this record. This is interpreted in a similar way to the PREFERENCE field described in section 3.3.9 of [3].
If the algorithm type has the value 1, then public key portion contains an RSA public key, encoded as described in secion 2 of [8], and repeated here:
1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| pub exp length| public key exponent /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| /
+- modulus /
| /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-/
RFC2065 limited the exponent and modulus to 2552 bits in length, and RFC3110 to 4096 bits. No such limit is specified here for the purposes of encoding and decoding. The length in octets of the public exponent length is represented as one octet if it is in the range of 1 to 255 and by a zero octet followed by a two octet unsigned length if it is longer than 255 bytes. The public key modulus field is a multiprecision unsigned integer. The length of the modulus can be determined from the RDLENGTH and the preceding RDATA fields including the exponent.
Leading zero bytes are prohibited in the exponent and modulus.
If the algorithm type has the value 2, then public key portion contains an DSA public key, encoded as described in [7].
The gateway field indicates a gateway to which an IPsec tunnel may be created in order to reach the entity holding this resource record. The gateway field is a normal wire-encode domain name (section 3.3 of [3]).
As wire-encoded domain names are self-describing as to length, no length field is necessary. If no gateway is to be represented, then a null domain name is present.
It is most commonly a simple fully qualified domain name (FQDN). IP version 4 and IP version 6 addresses may be represented using the reverse name format, from in-addr.arpa. and ip6.arpa.
For instance, the IP version 4 address 192.0.1.2 is represented as the domain name 2.1.0.192.in-addr.arpa.
| TOC |
IPSECKEY RRs may appear as lines in a zone data master file. The precedence field is mandatory. While both the gateway and public key fields are optional, it is illegal for neither to be present.
As the IPv4, IPv6 and FQDN references to the gateway are mutually exclusive, they can share a position. If no gateway is to be indicated, then the root (".") should be used.
IPv4 addresses are to be represented as a dotted decimal quad, with no leading zeroes. IPv6 addresses are to be presented as specified in section 2.2 of [4].
38.46.139.192.in-addr.arpa. 7200 IN IPSECKEY ( 10
38.46.139.192.in-addr.arpa.
RSA: AQOrXJxB56Q28iOO43Va36elIFFKc/QB2orIeL94BdC5X4idFQZjSpsZ
Th48wKVXUE9xjwUkwR4R4/+1vjNN7KFp9fcqa2OxgjsoGqCn+3OPR8La
9uyvZg0OBuSTj3qkbh/2HacAUJ7vqvjQ3W8Wj6sMXtTueR8NNcdSzJh1
49ch3zqfiXrxxna8+8UEDQaRR9KOPiSvXb2KjnuDan6hDKOT4qTZRRRC
MWwnNQ9zPIMNbLBp0rNcZ+ZGFg2ckWtWh5yhv1iXYLV2vmd9DB6d4Dv8
cW7scc3rPmDXpYR6APqPBRHlcbenfHCt+oCkEWse8OQhMM56KODIVQq3
fejrfi1H )
| TOC |
IANA is asked to assign resource record 45 to this resource record.
| TOC |
People who pushed me to write this.
| TOC |
| [1] | Massey, D. and S. Rose, "Limiting the Scope of the KEY Resource Record (RR)", RFC 3445, December 2002. |
| [2] | Mockapetris, P., "Domain names - concepts and facilities", STD 13, RFC 1034, November 1987. |
| [3] | Mockapetris, P., "Domain names - implementation and specification", STD 13, RFC 1035, November 1987. |
| [4] | Hinden, R. and S. Deering, "IP Version 6 Addressing Architecture", RFC 1884, December 1995. |
| [5] | Thomson, S. and C. Huitema, "DNS Extensions to support IP version 6", RFC 1886, December 1995. |
| [6] | Eastlake, D., "Domain Name System Security Extensions", RFC 2535, March 1999. |
| [7] | Eastlake, D., "DSA KEYs and SIGs in the Domain Name System (DNS)", RFC 2536, March 1999. |
| [8] | Eastlake, D., "RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS)", RFC 3110, May 2001. |
| TOC |
| Michael C. Richardson | |
| Sandelman Software Works | |
| 470 Dawson Avenue | |
| Ottawa, ON K1Z 5V7 | |
| CA | |
| EMail: | mcr@sandelman.ottawa.on.ca |
| URI: | http://www.sandelman.ottawa.on.ca/ |
| TOC |
Copyright (C) The Internet Society (2003). All Rights Reserved.
This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.
The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Funding for the RFC Editor function is currently provided by the Internet Society.