Domain Name System Security Extensions

Extensions to the Domain Name System (DNS) are described that provide data integrity and authentication to security aware resolvers or applications through the use of cryptographic digital signatures. These digital signatures are included in secured zones as resource records. Security can still be provided even through non-security aware DNS servers in many cases. The extensions also provide for the storage of authenticated public keys in the DNS. This storage of keys can support general public key distribution services as well as DNS security. The stored keys enable security aware resolvers to learn the authenticating key of zones in addition to those for which they are initially configured. Keys associated with DNS names can be retrieved to support other protocols. Provision is made for a variety of key types and algorithms. In addition, the security extensions provide for the optional authentication of DNS protocol transactions and requests. This document incorporates feedback from implementors and potential users to the existing Proposed Standard in RFC 2065. Acknowledgments The significant contributions of the following persons (in alphabetic order) to DNS security are gratefully acknowledged: Jim Galvin John Gilmore Olafur Gudmundsson Charlie Kaufman Edward Lewis Jeffrey I. Schiller Donald E. Eastlake 3rd [Page 2] INTERNET-DRAFT DNS Protocol Security Extensions July 1997 Table of