Internet
Independent submission
A method for storing IPsec keying material in DNS.
Sandelman Software Works
470 Dawson Avenue
Ottawa
ON
K1Z 5V7
CA
mcr@sandelman.ottawa.on.ca
http://www.sandelman.ottawa.on.ca/
This document describes a new resource record for DNS. This record may be
used to store public keys for use in IPsec systems.
This record replaces the functionality of the sub-type #1 of the KEY Resource
Record, which has been proposed to be obsoleted by
.
The IPSECKEY resource record (RR) is used to publish a public key that is
to be associated with a Domain Name System (DNS) name. It will be a public
key as only public keys are stored in the DNS. This can be the
public key of a host, network, or application (in the case of per-port
keying).
An IPSECKEY RR is, like any other RR, authenticated by a SIG RR.
It is expected that there will often be multiple resource records of the
IPSECKEY type. This will be due to the need to rollover keys, and due to
the presence of multiple gateways.
The type number for the IPSECKEY RR is 45 (IANA TBD).
The RDATA for an IPSECKEY RR consists of a precedence value, a public key
(and algorithm type), and an optional gateway address.
The algorithm type ("algo") field indicates the type of key that is
present in the public key field. Valid values are:
No key is present.
An RSA key is present, in the format defined in
A DSA key is present, in the format defined in
This is an 8-bit precedence for this record. This is interpreted in a similar
way to the PREFERENCE field described in section 3.3.9 of .
If the algorithm type has the value 1, then the public key portion contains an
RSA public key, encoded as described in section 2 of , and repeated here:
RFC2065 limited the exponent and modulus to 2552 bits in length, and
RFC3110 to 4096 bits. No such limit is specified here for the purposes of
encoding and decoding.
The length in octets of the public exponent is represented as one octet if
it is in the range of 1 to 255, and as a zero octet followed by a two-octet
unsigned length if the exponent is longer than 255 octets.
The public key modulus field is a multiprecision unsigned integer. The
length of the modulus can be determined from the RDLENGTH and the preceding
RDATA fields including the exponent.
Leading zero bytes are prohibited in the exponent and modulus.
If the algorithm type has the value 2, then the public key portion contains a
DSA public key, encoded as described in .
The gateway field indicates a gateway to which an IPsec tunnel may be
created in order to reach the entity holding this resource record.
The gateway field is a normal wire-encoded domain name (section 3.3 of
).
As wire-encoded domain names are
self-describing as to length, no length field is necessary.
If no gateway is to be represented, then a null domain name is present.
It is most commonly a simple fully qualified domain name (FQDN).
IP version 4 and IP version 6 addresses may be represented using the reverse
name format, from in-addr.arpa. and ip6.arpa.
For instance, the IP version 4 address 192.0.1.2 is represented as the
domain name 2.1.0.192.in-addr.arpa.
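As an added illustration, not part of this draft, of the two passages above: an encoder and decoder for the RSA public key field (exponent length octet(s), exponent, modulus, no leading zeros) and a helper that turns a gateway into the reverse-name form and wire-encodes it. The RDATA field order used in encode_rdata (precedence, algorithm, gateway name, key) and the sample key values are assumptions.

```python
import ipaddress

def encode_rsa_key(exponent: int, modulus: int) -> bytes:
    # Exponent length (one octet, or a zero octet plus two octets), exponent, modulus.
    exp = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")  # no leading zeros
    mod = modulus.to_bytes((modulus.bit_length() + 7) // 8, "big")
    if not exp or not mod:
        raise ValueError("exponent and modulus must be non-zero")
    hdr = bytes([len(exp)]) if len(exp) <= 255 else b"\x00" + len(exp).to_bytes(2, "big")
    return hdr + exp + mod

def decode_rsa_key(data: bytes) -> tuple[int, int]:
    # Reverse of encode_rsa_key: the modulus is whatever follows the exponent.
    if not data:
        raise ValueError("empty public key field")
    if data[0] != 0:
        elen, off = data[0], 1
    elif len(data) >= 3:
        elen, off = int.from_bytes(data[1:3], "big"), 3
    else:
        raise ValueError("truncated exponent length")
    exp, mod = data[off:off + elen], data[off + elen:]
    if len(exp) != elen or not mod:
        raise ValueError("truncated exponent or missing modulus")
    if exp[0] == 0 or mod[0] == 0:
        raise ValueError("leading zero octet in exponent or modulus")  # prohibited
    return int.from_bytes(exp, "big"), int.from_bytes(mod, "big")

def gateway_name(gateway: str) -> str:
    # Gateway as a domain name: addresses in reverse-name form, "." for no gateway.
    if gateway in ("", "."):
        return "."
    try:
        return ipaddress.ip_address(gateway).reverse_pointer + "."
    except ValueError:
        return gateway if gateway.endswith(".") else gateway + "."

def wire_name(name: str) -> bytes:
    # Wire-encoded domain name: length-prefixed labels ending in a zero octet.
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
    if any(len(lbl) > 63 for lbl in labels):
        raise ValueError("label longer than 63 octets")
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"

def encode_rdata(precedence: int, algo: int, gateway: str, key: bytes) -> bytes:
    # Assumed field order: precedence, algorithm, gateway name, public key.
    if not key and gateway_name(gateway) == ".":
        raise ValueError("either a gateway or a public key must be present")
    return bytes([precedence, algo]) + wire_name(gateway_name(gateway)) + key
```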
IPSECKEY RRs may appear as lines in a zone data master file.
The precedence field is mandatory. While both the gateway and public key
fields are optional, it is illegal for neither to be present.
As the IPv4, IPv6 and FQDN references to the gateway are mutually
exclusive, they can share a position. If no gateway is to be indicated,
then the root (".") should be used.
IPv4 addresses are to be represented as a dotted decimal quad, with no
leading zeroes. IPv6 addresses are to be presented as specified in
section 2.2 of .
IANA is asked to assign resource record 45 to this resource record.
People who pushed me to write this.