This document describes extensions of the Domain Name System (DNS) protocol to support DNS security and public key distribution. It assumes that the reader is familiar with the Domain Name System, particularly as described in RFCs 1033, 1034, and 1035.
Section 2 provides an overview of the extensions and the key distribution, data origin authentication, and transaction and request security they provide.
Section 3 discusses the KEY resource record, its structure, use in DNS responses, and file representation. These resource records represent the public keys of entities named in the DNS and are used for key distribution.
Section 4 discusses the SIG digital signature resource record, its structure, use in DNS responses, and file representation. These resource records are used to authenticate other resource records in the DNS and optionally to authenticate DNS transactions and requests.
Section 5 discusses the NXT resource record and its use in DNS responses. The NXT RR permits authenticated denial in the DNS of the existence of a name or of a particular type for an existing name.
Section 6 discusses how a resolver can be configured with a starting key or keys and proceed to securely resolve DNS requests. Interactions between resolvers and servers are discussed for all combinations of security aware and security non-aware. Two additional query header bits are defined for signaling between resolvers and servers.
Section 7 reviews a variety of operational considerations including key generation, lifetime, and storage.
Section 8 defines levels of conformance for resolvers and servers.
Section 9 provides a few paragraphs on overall security considerations.
An Appendix is provided that gives details of base 64 encoding which is used in the file representation of some RR's defined in this document.