RFC 4035 - Protocol Modifications for the DNS Security Extensions
Published: March 2005
Status: Standards Track
Authors: R. Arends (Telematica Instituut), R. Austein (ISC), M. Larson (VeriSign), D. Massey (Colorado State University), S. Rose (NIST)
Abstract
This document is part of a family of documents that describe the DNS Security Extensions (DNSSEC). The DNS Security Extensions are a collection of new resource records and protocol modifications that add data origin authentication and data integrity to the DNS. This document describes the DNSSEC protocol modifications. This document defines the concept of a signed zone, along with the requirements for serving and resolving by using DNSSEC. These techniques allow a security-aware resolver to authenticate both DNS resource records and authoritative DNS error indications.
This document obsoletes RFC 2535 and incorporates changes from all updates to RFC 2535.
Table of Contents
- 1. Introduction
- 1.1. Background and Related Documents
- 1.2. Reserved Words
- 2. Zone Signing
- 2.1. Including DNSKEY RRs in a Zone
- 2.2. Including RRSIG RRs in a Zone
- 2.3. Including NSEC RRs in a Zone
- 2.4. Including DS RRs in a Zone
- 2.5. Changes to the CNAME Resource Record
- 2.6. DNSSEC RR Types Appearing at Zone Cuts
- 2.7. Example of a Secure Zone
- 3. Serving
- 3.1. Authoritative Name Servers
- 3.1.1. Including RRSIG RRs in a Response
- 3.1.2. Including DNSKEY RRs in a Response
- 3.1.3. Including NSEC RRs in a Response
- 3.1.4. Including DS RRs in a Response
- 3.1.5. Responding to Queries for Type AXFR or IXFR
- 3.1.6. The AD and CD Bits in an Authoritative Response
- 3.2. Recursive Name Servers
- 3.2.1. The DO Bit
- 3.2.2. The CD Bit
- 3.2.3. The AD Bit
- 3.3. Example DNSSEC Responses
- 3.1. Authoritative Name Servers
- 4. Resolving
- 4.1. EDNS Support
- 4.2. Signature Verification Support
- 4.3. Determining Security Status of Data
- 4.4. Configured Trust Anchors
- 4.5. Response Caching
- 4.6. Handling of the CD and AD Bits
- 4.7. Caching BAD Data
- 4.8. Synthesized CNAMEs
- 4.9. Stub Resolvers
- 4.9.1. Handling of the DO Bit
- 4.9.2. Handling of the CD Bit
- 4.9.3. Handling of the AD Bit
- 5. Authenticating DNS Responses
- 5.1. Special Considerations for Islands of Security
- 5.2. Authenticating Referrals
- 5.3. Authenticating an RRset with an RRSIG RR
- 5.3.1. Checking the RRSIG RR Validity
- 5.3.2. Reconstructing the Signed Data
- 5.3.3. Checking the Signature
- 5.3.4. Authenticating a Wildcard Expanded RRset Positive Response
- 5.4. Authenticated Denial of Existence
- 5.5. Resolver Behavior When Signatures Do Not Validate
- 5.6. Authentication Example
- 6. IANA Considerations
- 7. Security Considerations
- 8. Acknowledgements
- 9. References
- 9.1. Normative References
- 9.2. Informative References
Appendices
- Appendix A. Signed Zone Example
- Appendix B. Example Responses
- B.1. Answer
- B.2. Name Error
- B.3. No Data Error
- B.4. Referral to Signed Zone
- B.5. Referral to Unsigned Zone
- B.6. Wildcard Expansion
- B.7. Wildcard No Data Error
- B.8. DS Child Zone No Data Error
- Appendix C. Authentication Examples
- C.1. Authenticating an Answer
- C.1.1. Authenticating the Example DNSKEY RR
- C.2. Name Error
- C.3. No Data Error
- C.4. Referral to Signed Zone
- C.5. Referral to Unsigned Zone
- C.6. Wildcard Expansion
- C.7. Wildcard No Data Error
- C.8. DS Child Zone No Data Error
- C.1. Authenticating an Answer
Related Resources
- Official RFC: RFC 4035
- RFC DataTracker: RFC 4035 Status
- Errata: RFC Editor Errata
Related RFCs
This document is part of the DNSSEC trilogy:
- RFC 4033 - DNS Security Introduction and Requirements
- RFC 4034 - Resource Records for the DNS Security Extensions
- RFC 4035 - Protocol Modifications for the DNS Security Extensions (this document)
See also:
- RFC 5155 - DNS Security (DNSSEC) Hashed Authenticated Denial of Existence
- RFC 6840 - Clarifications and Implementation Notes for DNS Security
- RFC 8624 - Algorithm Implementation Requirements and Usage Guidance for DNSSEC