RFC 4034 - Resource Records for the DNS Security Extensions

Document Information

• RFC Number: 4034
• Published: March 2005
• Authors: R. Arends, R. Austein, M. Larson, D. Massey, S. Rose
• Obsoletes: RFC 2535, 3008, 3090, 3445, 3655, 3658, 3755, 3757, 3845
• Updates: RFC 1034, 1035, 2136, 2181, 2308, 3225, 3007, 3597, 3226
• Category: Standards Track

Status of This Memo

This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (2005).

Abstract

This document is part of a family of documents that describe the DNS Security Extensions (DNSSEC). The DNS Security Extensions are a collection of resource records and protocol modifications that provide source authentication for the DNS. This document defines the public key (DNSKEY), delegation signer (DS), resource record digital signature (RRSIG), and authenticated denial of existence (NSEC) resource records. The purpose and format of each resource record is described in detail, and an example of each resource record is given.

This document obsoletes RFC 2535 and incorporates changes from all updates to RFC 2535.

---

Table of Contents

1. Introduction

• 1.1. Background and Related Documents
• 1.2. Reserved Words

2. The DNSKEY Resource Record

• 2.1. DNSKEY RDATA Wire Format
  • 2.1.1. The Flags Field
  • 2.1.2. The Protocol Field
  • 2.1.3. The Algorithm Field
  • 2.1.4. The Public Key Field
  • 2.1.5. Notes on DNSKEY RDATA Design
• 2.2. The DNSKEY RR Presentation Format
• 2.3. DNSKEY RR Example

3. The RRSIG Resource Record

• 3.1. RRSIG RDATA Wire Format
  • 3.1.1. The Type Covered Field
  • 3.1.2. The Algorithm Number Field
  • 3.1.3. The Labels Field
  • 3.1.4. Original TTL Field
  • 3.1.5. Signature Expiration and Inception Fields
  • 3.1.6. The Key Tag Field
  • 3.1.7. The Signer's Name Field
  • 3.1.8. The Signature Field
• 3.2. The RRSIG RR Presentation Format
• 3.3. RRSIG RR Example

4. The NSEC Resource Record

• 4.1. NSEC RDATA Wire Format
  • 4.1.1. The Next Domain Name Field
  • 4.1.2. The Type Bit Maps Field
  • 4.1.3. Inclusion of Wildcard Names in NSEC RDATA
• 4.2. The NSEC RR Presentation Format
• 4.3. NSEC RR Example

5. The DS Resource Record

• 5.1. DS RDATA Wire Format
  • 5.1.1. The Key Tag Field
  • 5.1.2. The Algorithm Field
  • 5.1.3. The Digest Type Field
  • 5.1.4. The Digest Field
• 5.2. Processing of DS RRs When Validating Responses
• 5.3. The DS RR Presentation Format
• 5.4. DS RR Example

6. Canonical Form and Order of Resource Records

• 6.1. Canonical DNS Name Order
• 6.2. Canonical RR Form
• 6.3. Canonical RR Ordering Within an RRset

7. IANA Considerations

8. Security Considerations

9. Acknowledgements

10. References

• 10.1. Normative References
• 10.2. Informative References

Appendix A. DNSSEC Algorithm and Digest Types

• A.1. DNSSEC Algorithm Types
  • A.1.1. Private Algorithm Types
• A.2. DNSSEC Digest Types

Appendix B. Key Tag Calculation

• B.1. Key Tag for Algorithm 1 (RSA/MD5)

---

Related RFC Documents

• RFC 4033 - DNSSEC Introduction and Requirements
• RFC 4035 - Protocol Modifications for the DNS Security Extensions
• RFC 5155 - NSEC3 (Enhanced Version of NSEC)
• RFC 8624 - Algorithm Implementation Requirements for DNSSEC