draft-ietf-dnsop-rfc2845bis-03.txt   draft-ietf-dnsop-rfc2845bis-04.txt 
Internet Engineering Task Force F. Dupont Internet Engineering Task Force F. Dupont
Internet-Draft S. Morris Internet-Draft S. Morris
Obsoletes: 2845, 4635 (if approved) ISC Obsoletes: 2845, 4635 (if approved) ISC
Intended status: Standards Track P. Vixie Intended status: Standards Track P. Vixie
Expires: September 8, 2019 Farsight Expires: December 27, 2019 Farsight
D. Eastlake 3rd D. Eastlake 3rd
Huawei Huawei
O. Gudmundsson O. Gudmundsson
CloudFlare CloudFlare
B. Wellington B. Wellington
Akamai Akamai
March 7, 2019 June 25, 2019
Secret Key Transaction Authentication for DNS (TSIG) Secret Key Transaction Authentication for DNS (TSIG)
draft-ietf-dnsop-rfc2845bis-03 draft-ietf-dnsop-rfc2845bis-04
Abstract Abstract
This document describes a protocol for transaction level This document describes a protocol for transaction level
authentication using shared secrets and one way hashing. It can be authentication using shared secrets and one way hashing. It can be
used to authenticate dynamic updates as coming from an approved used to authenticate dynamic updates as coming from an approved
client, or to authenticate responses as coming from an approved name client, or to authenticate responses as coming from an approved name
server. server.
No recommendation is made here for distributing the shared secrets: No recommendation is made here for distributing the shared secrets:
skipping to change at page 1, line 48 skipping to change at page 1, line 48
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 8, 2019. This Internet-Draft will expire on December 27, 2019.
Copyright Notice Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 35 skipping to change at page 2, line 35
Without obtaining an adequate license from the person(s) controlling Without obtaining an adequate license from the person(s) controlling
the copyright in such materials, this document may not be modified the copyright in such materials, this document may not be modified
outside the IETF Standards Process, and derivative works of it may outside the IETF Standards Process, and derivative works of it may
not be created outside the IETF Standards Process, except to format not be created outside the IETF Standards Process, except to format
it for publication as an RFC or to translate it into languages other it for publication as an RFC or to translate it into languages other
than English. than English.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Key Words . . . . . . . . . . . . . . . . . . . . . . . . . . 4 1.1. Background . . . . . . . . . . . . . . . . . . . . . . . 3
3. New Assigned Numbers . . . . . . . . . . . . . . . . . . . . 4 1.2. Protocol Overview . . . . . . . . . . . . . . . . . . . . 4
1.3. Document History . . . . . . . . . . . . . . . . . . . . 4
2. Key Words . . . . . . . . . . . . . . . . . . . . . . . . . . 5
3. Assigned Numbers . . . . . . . . . . . . . . . . . . . . . . 5
4. TSIG RR Format . . . . . . . . . . . . . . . . . . . . . . . 5 4. TSIG RR Format . . . . . . . . . . . . . . . . . . . . . . . 5
4.1. TSIG RR Type . . . . . . . . . . . . . . . . . . . . . . 5 4.1. TSIG RR Type . . . . . . . . . . . . . . . . . . . . . . 5
4.2. TSIG Calculation . . . . . . . . . . . . . . . . . . . . 5 4.2. TSIG Record Format . . . . . . . . . . . . . . . . . . . 5
4.3. TSIG Record Format . . . . . . . . . . . . . . . . . . . 5 4.3. MAC Computation . . . . . . . . . . . . . . . . . . . . . 8
4.4. Example . . . . . . . . . . . . . . . . . . . . . . . . . 7 4.3.1. Request MAC . . . . . . . . . . . . . . . . . . . . . 8
5. Protocol Operation . . . . . . . . . . . . . . . . . . . . . 7 4.3.2. DNS Message . . . . . . . . . . . . . . . . . . . . . 8
5.1. Effects of Adding TSIG to Outgoing Messages . . . . . . . 8 4.3.3. TSIG Variables . . . . . . . . . . . . . . . . . . . 8
5.2. TSIG Processing on Incoming Messages . . . . . . . . . . 8 5. Protocol Details . . . . . . . . . . . . . . . . . . . . . . 9
5.3. Time Values Used in TSIG Calculations . . . . . . . . . . 8 5.1. Generation of TSIG on Requests . . . . . . . . . . . . . 9
5.4. TSIG Variables and Coverage . . . . . . . . . . . . . . . 9 5.2. Server Processing of Request . . . . . . . . . . . . . . 10
5.4.1. DNS Message . . . . . . . . . . . . . . . . . . . . . 9 5.2.1. Key Check and Error Handling . . . . . . . . . . . . 10
5.4.2. TSIG Variables . . . . . . . . . . . . . . . . . . . 9 5.2.2. MAC Check and Error Handling . . . . . . . . . . . . 11
5.4.3. Request MAC . . . . . . . . . . . . . . . . . . . . . 10 5.2.3. Time Check and Error Handling . . . . . . . . . . . . 12
5.5. Component Padding . . . . . . . . . . . . . . . . . . . . 10 5.2.4. Truncation Check and Error Handling . . . . . . . . . 12
6. Protocol Details . . . . . . . . . . . . . . . . . . . . . . 10 5.3. Generation of TSIG on Answers . . . . . . . . . . . . . . 12
6.1. TSIG Generation on Requests . . . . . . . . . . . . . . . 10 5.3.1. TSIG on Zone Transfer Over a TCP Connection . . . . . 13
6.2. TSIG on Answers . . . . . . . . . . . . . . . . . . . . . 10 5.3.2. Generation of TSIG on Error Returns . . . . . . . . . 13
6.3. TSIG on TSIG Error Returns . . . . . . . . . . . . . . . 11 5.4. Client Processing of Answer . . . . . . . . . . . . . . . 14
6.4. TSIG on Zone Transfer Over a TCP Connection . . . . . . . 11 5.4.1. Key Error Handling . . . . . . . . . . . . . . . . . 14
6.5. Server TSIG checks . . . . . . . . . . . . . . . . . . . 12 5.4.2. MAC Error Handling . . . . . . . . . . . . . . . . . 14
6.5.1. Key Check and Error Handling . . . . . . . . . . . . 12 5.4.3. Time Error Handling . . . . . . . . . . . . . . . . . 15
6.5.2. MAC Check and Error Handling . . . . . . . . . . . . 12 5.4.4. Truncation Error Handling . . . . . . . . . . . . . . 15
6.5.3. Time Check and Error Handling . . . . . . . . . . . . 13 5.5. Special Considerations for Forwarding Servers . . . . . . 15
6.5.4. Truncation Check and Error Handling . . . . . . . . . 13 6. Algorithms and Identifiers . . . . . . . . . . . . . . . . . 15
6.6. Client Processing of Answer . . . . . . . . . . . . . . . 14 7. TSIG Truncation Policy . . . . . . . . . . . . . . . . . . . 16
6.6.1. Key Error Handling . . . . . . . . . . . . . . . . . 14 8. Shared Secrets . . . . . . . . . . . . . . . . . . . . . . . 17
6.6.2. MAC Error Handling . . . . . . . . . . . . . . . . . 14 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 17
6.6.3. Time Error Handling . . . . . . . . . . . . . . . . . 14 10. Security Considerations . . . . . . . . . . . . . . . . . . . 18
6.6.4. Truncation Error Handling . . . . . . . . . . . . . . 14 10.1. Issue Fixed in this Document . . . . . . . . . . . . . . 19
6.7. Special Considerations for Forwarding Servers . . . . . . 15 10.2. Why not DNSSEC? . . . . . . . . . . . . . . . . . . . . 19
7. Algorithms and Identifiers . . . . . . . . . . . . . . . . . 15 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 20
8. TSIG Truncation Policy . . . . . . . . . . . . . . . . . . . 16 11.1. Normative References . . . . . . . . . . . . . . . . . . 20
9. Shared Secrets . . . . . . . . . . . . . . . . . . . . . . . 17 11.2. Informative References . . . . . . . . . . . . . . . . . 20
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 17
11. Security Considerations . . . . . . . . . . . . . . . . . . . 18
11.1. Issue Fixed in this Document . . . . . . . . . . . . . . 19
11.2. Why not DNSSEC? . . . . . . . . . . . . . . . . . . . . 19
12. References . . . . . . . . . . . . . . . . . . . . . . . . . 20
12.1. Normative References . . . . . . . . . . . . . . . . . . 20
12.2. Informative References . . . . . . . . . . . . . . . . . 20
Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . 22 Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . 22
Appendix B. Change History (to be removed before publication) . 23 Appendix B. Change History (to be removed before publication) . 22
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 25 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 25
1. Introduction 1. Introduction
The Domain Name System (DNS) [RFC1034], [RFC1035] is a replicated 1.1. Background
The Domain Name System (DNS, [RFC1034], [RFC1035]) is a replicated
hierarchical distributed database system that provides information hierarchical distributed database system that provides information
fundamental to Internet operations, such as name <=> address fundamental to Internet operations, such as name to address
translation and mail handling information. translation and mail handling information.
In 2017, two nameservers strictly following [RFC2845] and [RFC4635]
(i.e., TSIG and its HMAC-SHA extension) specifications were
discovered to have security problems related to this feature. The
implementations were fixed but, to avoid similar problems in the
future, the two documents were updated and merged, producing this
revised specification for TSIG.
This document specifies use of a message authentication code (MAC), This document specifies use of a message authentication code (MAC),
generated using certain keyed hash functions, to provide an efficient generated using certain keyed hash functions, to provide an efficient
means of point-to-point authentication and integrity checking for DNS means of point-to-point authentication and integrity checking for DNS
transactions. Such transactions include DNS update requests and transactions. Such transactions include DNS update requests and
responses for which this can provide a lightweight alternative to the responses for which this can provide a lightweight alternative to the
protocol described by [RFC3007]. secure DNS dynamic update protocol described by [RFC3007].
A further use of this mechanism is to protect zone transfers. In A further use of this mechanism is to protect zone transfers. In
this case the data covered would be the whole zone transfer including this case the data covered would be the whole zone transfer including
any glue records sent. The protocol described by DNSSEC does not any glue records sent. The protocol described by DNSSEC ([RFC4033],
protect glue records and unsigned records unless SIG(0) (transaction [RFC4034], [RFC4035]) does not protect glue records and unsigned
signature) is used. records unless SIG(0) (transaction signature) is used.
The authentication mechanism proposed in this document uses shared The authentication mechanism proposed in this document uses shared
secret keys to establish a trust relationship between two entities. secret keys to establish a trust relationship between two entities.
Such keys must be protected in a manner similar to private keys, lest Such keys must be protected in a manner similar to private keys, lest
a third party masquerade as one of the intended parties (by forging a third party masquerade as one of the intended parties (by forging
the MAC). There is an urgent need to provide simple and efficient the MAC). There is an urgent need to provide simple and efficient
authentication between clients and local servers and this proposal authentication between clients and local servers and this proposal
addresses that need. The proposal is unsuitable for general server addresses that need. The proposal is unsuitable for general server
to server authentication for servers which speak with many other to server authentication for servers which speak with many other
servers, since key management would become unwieldy with the number servers, since key management would become unwieldy with the number
of shared keys going up quadratically. But it is suitable for many of shared keys going up quadratically. But it is suitable for many
resolvers on hosts that only talk to a few recursive servers. resolvers on hosts that only talk to a few recursive servers.
skipping to change at page 4, line 23 skipping to change at page 4, line 15
Such keys must be protected in a manner similar to private keys, lest Such keys must be protected in a manner similar to private keys, lest
a third party masquerade as one of the intended parties (by forging a third party masquerade as one of the intended parties (by forging
the MAC). There is an urgent need to provide simple and efficient the MAC). There is an urgent need to provide simple and efficient
authentication between clients and local servers and this proposal authentication between clients and local servers and this proposal
addresses that need. The proposal is unsuitable for general server addresses that need. The proposal is unsuitable for general server
to server authentication for servers which speak with many other to server authentication for servers which speak with many other
servers, since key management would become unwieldy with the number servers, since key management would become unwieldy with the number
of shared keys going up quadratically. But it is suitable for many of shared keys going up quadratically. But it is suitable for many
resolvers on hosts that only talk to a few recursive servers. resolvers on hosts that only talk to a few recursive servers.
A server acting as an indirect caching resolver -- a "forwarder" in 1.2. Protocol Overview
common usage -- might use transaction-based authentication when
communicating with its small number of preconfigured "upstream"
servers. Other uses of DNS secret key authentication and possible
systems for automatic secret key distribution may be proposed in
separate future documents.
Note that use of TSIG presumes prior agreement between the two Secret Key Transaction Authentication makes use of signatures on
parties involved (e.g., resolver and server) as to any algorithm and messages sent between the parties involved (e.g. resolver and
key to be used. server). These are known as "transaction signatures", or TSIG. For
historical reasons, in this document they are referred to as message
authentication codes (MAC).
Since the publication of first version of this document ([RFC2845]) a Use of TSIG presumes prior agreement between the two parties involved
mechanism based on asymmetric signatures using the SIG RR was (e.g., resolver and server) as to any algorithm and key to be used.
specified (SIG(0) [RFC2931]) whereas this document uses symmetric The way that this agreement is reached is outside the scope of the
authentication codes calculated by HMAC [RFC2104] using strong hash document.
functions.
A DNS message exchange involves the sending of a query and the
receipt of one of more DNS messages in response. For the query, the
MAC is calculated based on the hash of the contents and the agreed
TSIG key. The MAC for the response is similar, but also includes the
MAC of the query as part of the calculation. Where a response
comprises multiple packets, the calculation of the MAC associated
with the second and subsequent packets includes in its inputs the MAC
for the the preceding packet. In this way it is possible to detect
any interruption in the packet sequence.
The MAC is contained in a TSIG resource record included in the
Additional Section of the DNS message.
1.3. Document History
TSIG was originally specified by [RFC2845]. In 2017, two nameservers
strictly following that document (and the related [RFC4635]) were
discovered to have security problems related to this feature. The
implementations were fixed but, to avoid similar problems in the
future, the two documents were updated and merged, producing this
revised specification for TSIG.
2. Key Words 2. Key Words
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP "OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119] [RFC8174] when, and only when, they appear in all 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here. capitals, as shown here.
3. New Assigned Numbers 3. Assigned Numbers
RRTYPE = TSIG (250) This document defines the following RR type and associated value:
ERROR = 0..15 (a DNS RCODE)
ERROR = 16 (BADSIG) TSIG (250)
ERROR = 17 (BADKEY)
ERROR = 18 (BADTIME) In addition, the document also defines the following DNS RCODEs and
ERROR = 22 (BADTRUNC) associated names:
16 (BADSIG)
17 (BADKEY)
18 (BADTIME)
22 (BADTRUNC)
(See [RFC6895] Section 2.3 concerning the assignment of the value 16 (See [RFC6895] Section 2.3 concerning the assignment of the value 16
to BADSIG.) to BADSIG.)
These RCODES may appear within the "Error" field of a TSIG RR.
4. TSIG RR Format 4. TSIG RR Format
4.1. TSIG RR Type 4.1. TSIG RR Type
To provide secret key authentication, we use a new RR type whose To provide secret key authentication, we use an RR type whose
mnemonic is TSIG and whose type code is 250. TSIG is a meta-RR and mnemonic is TSIG and whose type code is 250. TSIG is a meta-RR and
MUST NOT be cached. TSIG RRs are used for authentication between DNS MUST NOT be cached. TSIG RRs are used for authentication between DNS
entities that have established a shared secret key. TSIG RRs are entities that have established a shared secret key. TSIG RRs are
dynamically computed to cover a particular DNS transaction and are dynamically computed to cover a particular DNS transaction and are
not DNS RRs in the usual sense. not DNS RRs in the usual sense.
4.2. TSIG Calculation
As the TSIG RRs are related to one DNS request/response, there is no As the TSIG RRs are related to one DNS request/response, there is no
value in storing or retransmitting them, thus the TSIG RR is value in storing or retransmitting them, thus the TSIG RR is
discarded once it has been used to authenticate a DNS message. discarded once it has been used to authenticate a DNS message.
Recommendations concerning the message digest algorithm can be found
in Section 7. All multi-octet integers in the TSIG record are sent
in network byte order (see [RFC1035] 2.3.2).
4.3. TSIG Record Format 4.2. TSIG Record Format
The fields of the TSIG RR are described below. As is usual, all
multi-octet integers in the record are sent in network byte order
(see [RFC1035] 2.3.2).
NAME The name of the key used in domain name syntax. The name NAME The name of the key used in domain name syntax. The name
should reflect the names of the hosts and uniquely identify the should reflect the names of the hosts and uniquely identify the
key among a set of keys these two hosts may share at any given key among a set of keys these two hosts may share at any given
time. If hosts A.site.example and B.example.net share a key, time. If hosts A.site.example and B.example.net share a key,
possibilities for the key name include <id>.A.site.example, possibilities for the key name include <id>.A.site.example,
<id>.B.example.net, and <id>.A.site.example.B.example.net. It <id>.B.example.net, and <id>.A.site.example.B.example.net. It
should be possible for more than one key to be in simultaneous should be possible for more than one key to be in simultaneous
use among a set of interacting hosts. The name only needs to use among a set of interacting hosts. The name only needs to
be meaningful to the communicating hosts but a meaningful be meaningful to the communicating hosts but a meaningful
mnemonic name as above is strongly recommended. mnemonic name as suggested above is strongly recommended.
The name may be used as a local index to the key involved and The name may be used as a local index to the key involved and
it is recommended that it be globally unique. Where a key is it is recommended that it be globally unique. Where a key is
just shared between two hosts, its name actually need only be just shared between two hosts, its name actually need only be
meaningful to them but it is recommended that the key name be meaningful to them but it is recommended that the key name be
mnemonic and incorporates the names of participating agents or mnemonic and incorporates the names of participating agents or
resources. resources.
TYPE This MUST be TSIG (250: Transaction SIGnature) TYPE This MUST be TSIG (250: Transaction SIGnature)
CLASS This MUST be ANY CLASS This MUST be ANY
TTL This MUST be 0 TTL This MUST be 0
RdLen (variable) RdLen (variable)
RDATA The RDATA for a TSIG RR consists of an octet stream Algorithm RDATA The RDATA for a TSIG RR consists of a number of fields,
Name field, a uint48_t Time Signed field, a uint16_t Fudge described below:
field, a uint16_t MAC Size field, a octet stream MAC field, a
uint16_t Original ID, a uint16_t Error field, a uint16_t Other
Len field and an octet stream of Other Data.
1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
/ Algorithm Name / / Algorithm Name /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | |
| Time Signed +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Time Signed +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | Fudge | | | Fudge |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
skipping to change at page 6, line 35 skipping to change at page 7, line 4
| MAC Size | / | MAC Size | /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ MAC / +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ MAC /
/ / / /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Original ID | Error | | Original ID | Error |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Other Len | / | Other Len | /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Other Data / +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Other Data /
/ / / /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The contents of the RDATA fields are: The contents of the RDATA fields are:
* Algorithm Name - identifies the TSIG algorithm name in the * Algorithm Name - a octet sequence identifying the TSIG
domain name syntax. (Allowed names are listed in Table 1.) algorithm name in the domain name syntax. (Allowed names
The name is stored in the DNS name wire format as described are listed in Table 1.) The name is stored in the DNS name
in [RFC1034]. As per [RFC3597], this name MUST NOT be wire format as described in [RFC1034]. As per [RFC3597],
compressed. this name MUST NOT be compressed.
* Time Signed - time signed as seconds since 00:00 on
1970-01-01 UTC ignoring leap seconds.
* Fudge - specifies the allowed time difference in seconds
permitted in the Time Signed field.
* MAC Size - the length of MAC field in octets. Truncation is
indicated by a MAC size less than the size of the keyed hash
produced by the algorithm specified by the Algorithm Name.
* MAC - the contents of this field are defined by the TSIG
algorithm used, possibly truncated as specified by MAC Size.
* Error - contains the expanded RCODE covering TSIG
processing.
* Other Len - specifies the length of the "Other Data" field
in octets.
* Other Data - this field will be empty unless the content of
the Error field is BADTIME, in which case it will contain
the server's current time (see Section 6.5.3).
4.4. Example
NAME HOST.EXAMPLE.
TYPE TSIG * Time Signed - an unsigned 48-bit integer containing the time
signed as seconds since 00:00 on 1970-01-01 UTC, ignoring
leap seconds.
CLASS ANY * Fudge - an unsigned 16-bit integer specifying the allowed
time difference in seconds permitted in the Time Signed
field.
TTL 0 * MAC Size - an unsigned 16-bit integer giving the length of
MAC field in octets. Truncation is indicated by a MAC size
less than the size of the keyed hash produced by the
algorithm specified by the Algorithm Name.
RdLen As appropriate * MAC - a sequence of octets whose contents are defined by the
TSIG algorithm used, possibly truncated as specified by MAC
Size. The length of this field is given by the Mac Size.
Calculation of the MAC is detailed in Section 4.3.
RDATA * Original ID - An unsigned 16-bit integer holding the message
ID of the original request message. For a TSIG RR on a
request, it is set equal to the DNS message ID. In a TSIG
attached to a response - or in cases such as the forwarding
of a dynamic update request - the field contains the ID of
the original DNS request.
Field Name Contents * Error - an unsigned 16-bit integer containing the extended
-------------- ------------------------ RCODE covering TSIG processing.
Algorithm Name HMAC-MD5.SIG-ALG.REG.INT
Time Signed 853804800
Fudge 300
MAC Size As appropriate
MAC As appropriate
Original ID As appropriate
Error 0 (NOERROR)
Other Len 0
Other Data Empty
5. Protocol Operation * Other Len - an unsigned 16-bit integer specifying the length
5.1. Effects of Adding TSIG to Outgoing Messages of the "Other Data" field in octets.
Once the outgoing message has been constructed, the HMAC computation * Other Data - this unsigned 48-bit integer field will be
can be performed. The resulting MAC will then be stored in a TSIG empty unless the content of the Error field is BADTIME, in
which is appended to the additional data section (the ARCOUNT is which case it will contain the server's current time as the
incremented to reflect the extra RR). If the TSIG record cannot be number of seconds since 00:00 on 1970-01-01 UTC, ignoring
added without causing the message to be truncated, the server MUST leap seconds (see Section 5.2.3).
alter the response so that a TSIG can be included. This response
consists of only the question and a TSIG record, and has the TC bit
set and RCODE 0 (NOERROR). The client SHOULD at this point retry the
request using TCP (per [RFC1035] 4.2.2).
5.2. TSIG Processing on Incoming Messages 4.3. MAC Computation
If an incoming message contains a TSIG record, it MUST be the last When generating or verifying the contents of a TSIG record, the the
record in the additional section. Multiple TSIG records are not data listed in the rest of this section are passed, in the order
allowed. If a TSIG record is present in any other position, the DNS listed below, as input to MAC computation. The data are passed in
message is dropped and a response with RCODE 1 (FORMERR) MUST be network byte order or wire format, as appropriate, and are fed into
returned. Upon receipt of a message with exactly one correctly the hashing function as a continuous octet sequence with no
placed TSIG RR, the TSIG RR is copied to a safe location, removed interfield separator or padding.
from the DNS Message, and decremented out of the DNS message header's
ARCOUNT. At this point the keyed hash (HMAC) computation is
performed.
If the algorithm name or key name is unknown to the recipient, or if 4.3.1. Request MAC
the MACs do not match, the whole DNS message MUST be discarded. If
the message is a query, a response with RCODE 9 (NOTAUTH) MUST be
sent back to the originator with TSIG ERROR 17 (BADKEY) or TSIG ERROR
16 (BADSIG). If no key is available to sign this message it MUST be
sent unsigned (MAC size == 0 and empty MAC). The algorithm name,
time signed, and fudge fields SHOULD be copied to the response to
provide off path spoof protection. A message to the system
operations log SHOULD be generated, to warn the operations staff of a
possible security incident in progress. Care should be taken to
ensure that logging of this type of event does not open the system to
a denial of service attack.
Until these error checks are successfully passed, concluding that the Only included in the computation of a MAC for a response message (or
signature is valid, the signature MUST be considered to be invalid. the first message in a multi-message response), the validated request
MAC MUST be included in the MAC computation. If the request MAC
failed to validate, an unsigned error message MUST be returned
instead. (Section 5.3.2).
5.3. Time Values Used in TSIG Calculations The request's MAC, comprising the following fields, is digested in
wire format:
The data digested includes the two timer values in the TSIG header in Field Type Description
order to defend against replay attacks. If this were not done, an ---------- ----------------------- ----------------------
attacker could replay old messages but update the "Time Signed" and MAC Length Unsigned 16-bit integer in network byte order
"Fudge" fields to make the message look new. This data is named MAC Data octet sequence exactly as transmitted
"TSIG Timers", and for the purpose of MAC calculation, they are
hashed in their "on the wire" format, in the following order: first
Time Signed, then Fudge. For example:
Field Name Value Wire Format Meaning Special considerations apply to the TSIG calculation for the second
----------- --------- ----------------- ------------------------ and subsequent messages a response that consists of multiple DNS
Time Signed 853804800 00 00 32 e4 07 00 Tue Jan 21 00:00:00 1997 messages (e.g. a zone transfer). These are described in
Fudge 300 01 2C 5 minutes Section 5.3.1.
5.4. TSIG Variables and Coverage 4.3.2. DNS Message
When generating or verifying the contents of a TSIG record, the A whole and complete DNS message in wire format. When creating a
following data are passed as input to MAC computation, in network TSIG, this is the message before the TSIG RR has been added to the
byte order or wire format, as appropriate: additional data section and before the DNS Message Header's ARCOUNT
field has been incremented to contain the TSIG RR.
5.4.1. DNS Message When verifying an incoming message, this is the message after the
TSIG RR and been removed and the ARCOUNT field has been decremented.
If the message ID differs from the original message ID, the original
message ID is substituted for the message ID. (This could happen,
for example, when forwarding a dynamic update request.)
A whole and complete DNS message in wire format, before the TSIG RR 4.3.3. TSIG Variables
has been added to the additional data section and before the DNS
Message Header's ARCOUNT field has been incremented to contain the
TSIG RR. If the message ID differs from the original message ID, the
original message ID is substituted for the message ID. This could
happen when forwarding a dynamic update request, for example.
5.4.2. TSIG Variables Also included in the digest is certain information present in the
TSIG RR. Adding this data provides further protection against an
attempt to interfere with the message.
Source Field Name Notes Source Field Name Notes
---------- -------------- ----------------------------------------- ---------- -------------- -----------------------------------------
TSIG RR NAME Key name, in canonical wire format TSIG RR NAME Key name, in canonical wire format
TSIG RR CLASS (Always ANY in the current specification) TSIG RR CLASS (Always ANY in the current specification)
TSIG RR TTL (Always 0 in the current specification) TSIG RR TTL (Always 0 in the current specification)
TSIG RDATA Algorithm Name in canonical wire format TSIG RDATA Algorithm Name in canonical wire format
TSIG RDATA Time Signed in network byte order TSIG RDATA Time Signed in network byte order
TSIG RDATA Fudge in network byte order TSIG RDATA Fudge in network byte order
TSIG RDATA Error in network byte order TSIG RDATA Error in network byte order
skipping to change at page 9, line 51 skipping to change at page 9, line 27
The RR RDLEN and RDATA MAC Length are not included in the input to The RR RDLEN and RDATA MAC Length are not included in the input to
MAC computation since they are not guaranteed to be knowable before MAC computation since they are not guaranteed to be knowable before
the MAC is generated. the MAC is generated.
The Original ID field is not included in this section, as it has The Original ID field is not included in this section, as it has
already been substituted for the message ID in the DNS header and already been substituted for the message ID in the DNS header and
hashed. hashed.
For each label type, there must be a defined "Canonical wire format" For each label type, there must be a defined "Canonical wire format"
that specifies how to express a label in an unambiguous way. For that specifies how to express a label in an unambiguous way. For
label type 00, this is defined in [RFC4034], for label type 01, this label type 00, this is defined in [RFC4034] Section 6.1. The use of
is defined in [RFC6891]. The use of label types other than 00 and 01 label types other than 00 is not defined for this specification.
is not defined for this specification.
5.4.3. Request MAC
When generating the MAC to be included in a response, the validated
request MAC MUST be included in the MAC computation. If the request
MAC failed to validate, an unsigned error message MUST be returned
instead. (Section 6.3).
The request's MAC is digested in wire format, including the following
fields:
Field Type Description 4.3.3.1. Time Values Used in TSIG Calculations
---------- ------------ ----------------------
MAC Length uint16_t in network byte order
MAC Data octet stream exactly as transmitted
5.5. Component Padding The data digested includes the two timer values in the TSIG header in
order to defend against replay attacks. If this were not done, an
attacker could replay old messages but update the "Time Signed" and
"Fudge" fields to make the message look new. This data is named
"TSIG Timers", and for the purpose of MAC calculation, they are
hashed in their "on the wire" format, in the following order: first
Time Signed, then Fudge.
Digested components (i.e., inputs to the keyed hash computation) are 5. Protocol Details
fed into the hashing function as a continuous octet stream with no
interfield separator or padding.
6. Protocol Details 5.1. Generation of TSIG on Requests
6.1. TSIG Generation on Requests Once the outgoing record has been constructed, the client performs
the keyed hash (HMAC) computation, appends a TSIG record with the
calculated MAC to the Additional Data section (incrementing the
ARCOUNT to reflect the additional RR), and transmits the request to
the server. This TSIG record MUST be the only TSIG RR in the message
and MUST be last record in the Additional Data section. The client
MUST store the MAC and the key name from the request while awaiting
an answer.
The client performs the keyed hash (HMAC) computation and appends a The digest components for a request are:
TSIG record to the additional data section and transmits the request
to the server. The client MUST store the MAC from the request while
awaiting an answer. The digest components for a request are:
DNS Message (request) DNS Message (request)
TSIG Variables (request) TSIG Variables (request)
Note that some older name servers will not accept requests with a Note that some older name servers will not accept requests with a
nonempty additional data section. Clients SHOULD only attempt signed nonempty additional data section. Clients SHOULD only attempt signed
transactions with servers who are known to support TSIG and share transactions with servers who are known to support TSIG and share
some algorithm and secret key with the client -- so, this is not a some algorithm and secret key with the client -- so, this is not a
problem in practice. problem in practice.
6.2. TSIG on Answers 5.2. Server Processing of Request
When a server has generated a response to a signed request, it signs
the response using the same algorithm and key. The server MUST NOT
generate a signed response to a request if either the KEY is invalid
or the MAC fails validation. It also MUST NOT not generate a signed
response to an unsigned request, except in the case of a response to
a client's unsigned TKEY request if the secret key is established on
the server side after the server processed the client's request.
Signing responses to unsigned TKEY requests MUST be explicitly
specified in the description of an individual secret key
establishment algorithm [RFC3645].
The digest components are:
Request MAC
DNS Message (response)
TSIG Variables (response)
6.3. TSIG on TSIG Error Returns
When a server detects an error relating to the key or MAC, the server
SHOULD send back an unsigned error message (MAC size == 0 and empty
MAC). It MUST NOT send back a signed error message.
If an error is detected relating to the TSIG validity period or the
MAC is too short for the local policy, the server SHOULD send back a
signed error message. The digest components are:
Request MAC (if the request MAC validated)
DNS Message (response)
TSIG Variables (response)
The reason that the request is not included in this MAC in some cases
is to make it possible for the client to verify the error. If the
error is not a TSIG error the response MUST be generated as specified
in Section 6.2.
6.4. TSIG on Zone Transfer Over a TCP Connection
A zone transfer over a DNS TCP session can include multiple DNS
messages. Using TSIG on such a connection can protect the connection
from hijacking and provide data integrity. The TSIG MUST be included
on the first and last DNS messages, and SHOULD be placed on all
intermediary messages. For backward compatibility, a client which
receives DNS messages and verifies TSIG MUST accept up to 99
intermediary messages without a TSIG. The first message is processed
as a standard answer (see Section 6.2) and subsequent messages have
the following digest components:
Prior MAC (running) If an incoming message contains a TSIG record, it MUST be the last
DNS Messages (any unsigned messages since the last TSIG) record in the additional section. Multiple TSIG records are not
TSIG Timers (current message) allowed. If multiple TSIG records are detected or a TSIG record is
present in any other position, the DNS message is dropped and a
response with RCODE 1 (FORMERR) MUST be returned. Upon receipt of a
message with exactly one correctly placed TSIG RR, the TSIG RR is
copied to a safe location, removed from the DNS Message, and
decremented out of the DNS message header's ARCOUNT.
This allows the client to rapidly detect when the session has been If the TSIG RR cannot be understood, the server MUST regard the
altered; at which point it can close the connection and retry. If a message as corrupt and return a FORMERR to the server. Otherwise the
client TSIG verification fails, the client MUST close the connection. the server is REQUIRED to return a TSIG RR in the response.
If the client does not receive TSIG records frequently enough (as
specified above) it SHOULD assume the connection has been hijacked
and it SHOULD close the connection. The client SHOULD treat this the
same way as they would any other interrupted transfer (although the
exact behavior is not specified here).
6.5. Server TSIG checks To validate the received TSIG RR, the server MUST perform the
following checks in the following order:
Upon receipt of a message, server will check if there is a TSIG RR. 1. Check KEY
If one exists, the server is REQUIRED to return a TSIG RR in the 2. Check MAC
response. The server MUST perform the following checks in the 3. Check TIME values
following order, check KEY, check MAC, check TIME values, check 4. Check Truncation policy
Truncation policy.
6.5.1. Key Check and Error Handling 5.2.1. Key Check and Error Handling
If a non-forwarding server does not recognize the key used by the If a non-forwarding server does not recognize the key or algorithm
client, the server MUST generate an error response with RCODE 9 used by the client (or recognises the algorithm but does not
(NOTAUTH) and TSIG ERROR 17 (BADKEY). This response MUST be unsigned implement it), the server MUST generate an error response with RCODE
as specified in Section 6.3. The server SHOULD log the error. 9 (NOTAUTH) and TSIG ERROR 17 (BADKEY). This response MUST be
(Special considerations apply to forwarding servers, see unsigned as specified in Section 5.3.2. The server SHOULD log the
Section 6.7.) error. (Special considerations apply to forwarding servers, see
Section 5.5.)
6.5.2. MAC Check and Error Handling 5.2.2. MAC Check and Error Handling
If a TSIG fails to verify, the server MUST generate an error response Using the information in the TSIG, the server should verify the MAC
as specified in Section 6.3 with RCODE 9 (NOTAUTH) and TSIG ERROR 16 by doing its own calculation and comparing the result with the MAC
(BADSIG). This response MUST be unsigned as specified in received. If the MAC fails to verify, the server MUST generate an
Section 6.3. The server SHOULD log the error. error response as specified in Section 5.3.2 with RCODE 9 (NOTAUTH)
and TSIG ERROR 16 (BADSIG). This response MUST be unsigned as
specified in Section 5.3.2. The server SHOULD log the error.
6.5.2.1. Specifying Truncation 5.2.2.1. MAC Truncation
When space is at a premium and the strength of the full length of a When space is at a premium and the strength of the full length of a
MAC is not needed, it is reasonable to truncate the keyed hash and MAC is not needed, it is reasonable to truncate the keyed hash and
use the truncated value for authentication. HMAC SHA-1 truncated to use the truncated value for authentication. HMAC SHA-1 truncated to
96 bits is an option available in several IETF protocols, including 96 bits is an option available in several IETF protocols, including
IPsec and TLS. IPsec and TLS.
Processing of a truncated MAC follows these rules Processing of a truncated MAC follows these rules:
1. If "MAC size" field is greater than keyed hash output length: 1. If "MAC size" field is greater than keyed hash output length:
This case MUST NOT be generated and, if received, MUST cause the This case MUST NOT be generated and, if received, MUST cause the
DNS message to be dropped and RCODE 1 (FORMERR) to be returned. DNS message to be dropped and RCODE 1 (FORMERR) to be returned.
2. If "MAC size" field equals keyed hash output length: 2. If "MAC size" field equals keyed hash output length:
The entire output keyed hash output is present and used. The entire output keyed hash output is present and used.
3. "MAC size" field is less than keyed hash output length but 3. "MAC size" field is less than the larger of 10 (octets) and half
greater than that specified in case 4, below: the length of the hash function in use:
With the exception of certain TSIG error messages described in
Section 5.3.2, where it is permitted that the MAC size be zero,
this case MUST NOT be generated and, if received, MUST cause the
DNS message to be dropped and RCODE 1 (FORMERR) to be returned.
4. Otherwise:
This is sent when the signer has truncated the keyed hash output This is sent when the signer has truncated the keyed hash output
to an allowable length, as described in [RFC2104], taking initial to an allowable length, as described in [RFC2104], taking initial
octets and discarding trailing octets. TSIG truncation can only octets and discarding trailing octets. TSIG truncation can only
be to an integral number of octets. On receipt of a DNS message be to an integral number of octets. On receipt of a DNS message
with truncation thus indicated, the locally calculated MAC is with truncation thus indicated, the locally calculated MAC is
similarly truncated and only the truncated values are compared similarly truncated and only the truncated values are compared
for authentication. The request MAC used when calculating the for authentication. The request MAC used when calculating the
TSIG MAC for a reply is the truncated request MAC. TSIG MAC for a reply is the truncated request MAC.
4. "MAC size" field is less than the larger of 10 (octets) and half 5.2.3. Time Check and Error Handling
the length of the hash function in use:
With the exception of certain TSIG error messages described in
Section 6.3, where it is permitted that the MAC size be zero,
this case MUST NOT be generated and, if received, MUST cause the
DNS message to be dropped and RCODE 1 (FORMERR) to be returned.
6.5.3. Time Check and Error Handling
If the server time is outside the time interval specified by the If the server time is outside the time interval specified by the
request (which is: Time Signed, plus/minus Fudge), the server MUST request (which is: Time Signed, plus/minus Fudge), the server MUST
generate an error response with RCODE 9 (NOTAUTH) and TSIG ERROR 18 generate an error response with RCODE 9 (NOTAUTH) and TSIG ERROR 18
(BADTIME). The server SHOULD also cache the most recent time signed (BADTIME). The server SHOULD also cache the most recent time signed
value in a message generated by a key, and SHOULD return BADTIME if a value in a message generated by a key, and SHOULD return BADTIME if a
message received later has an earlier time signed value. A response message received later has an earlier time signed value. A response
indicating a BADTIME error MUST be signed by the same key as the indicating a BADTIME error MUST be signed by the same key as the
request. It MUST include the client's current time in the time request. It MUST include the client's current time in the time
signed field, the server's current time (a uint48_t) in the other signed field, the server's current time (an unsigned 48-bit integer)
data field, and 6 in the other data length field. This is done so in the other data field, and 6 in the other data length field. This
that the client can verify a message with a BADTIME error without the is done so that the client can verify a message with a BADTIME error
verification failing due to another BADTIME error. The data signed without the verification failing due to another BADTIME error. The
is specified in Section 6.3. The server SHOULD log the error. data signed is specified in Section 5.3.2. The server SHOULD log the
error.
6.5.4. Truncation Check and Error Handling 5.2.4. Truncation Check and Error Handling
If a TSIG is received with truncation that is permitted under If a TSIG is received with truncation that is permitted under
Section 6.5.2.1 above but the MAC is too short for the local policy Section 5.2.2.1 above but the MAC is too short for the local policy
in force, an RCODE 9 (NOTAUTH) and TSIG ERROR 22 (BADTRUNC) MUST be in force, an RCODE 9 (NOTAUTH) and TSIG ERROR 22 (BADTRUNC) MUST be
returned. The server SHOULD log the error. returned. The server SHOULD log the error.
6.6. Client Processing of Answer 5.3. Generation of TSIG on Answers
When a server has generated a response to a signed request, it signs
the response using the same algorithm and key. The server MUST NOT
generate a signed response to a request if either the KEY is invalid
(e.g. key name or algorithm name are unknown), or the MAC fails
validation: see Section 5.3.2 for details of responding in these
cases.
It also MUST NOT not generate a signed response to an unsigned
request, except in the case of a response to a client's unsigned TKEY
request if the secret key is established on the server side after the
server processed the client's request. Signing responses to unsigned
TKEY requests MUST be explicitly specified in the description of an
individual secret key establishment algorithm [RFC3645].
The digest components used to generate a TSIG on a response are:
Request MAC
DNS Message (response)
TSIG Variables (response)
(This calculation is different for the second and subsequent message
in a multi-message answer, see below.)
If addition of the TSIG record will cause the message to be
truncated, the server MUST alter the response so that a TSIG can be
included. This response consists of only the question and a TSIG
record, and has the TC bit set and an RCODE of 0 (NOERROR). The
client SHOULD at this point retry the request using TCP (as per
[RFC1035] 4.2.2).
5.3.1. TSIG on Zone Transfer Over a TCP Connection
A zone transfer over a DNS TCP session can include multiple DNS
messages. Using TSIG on such a connection can protect the connection
from hijacking and provide data integrity. The TSIG MUST be included
on all DNS messages in the response. For backward compatibility, a
client which receives DNS messages and verifies TSIG MUST accept up
to 99 intermediary messages without a TSIG. The first message is
processed as a standard answer (see Section 5.3) but subsequent
messages have the following digest components:
Prior MAC (running)
DNS Messages (any unsigned messages since the last TSIG)
TSIG Timers (current message)
The "Prior MAC" is the MAC from the TSIG attached to the last message
containing a TSIG. "DNS Messages" comprises the concatenation (in
message order) of all messages after the last message that included a
TSIG and includes the current message. "TSIG timers" comprises the
"Time Signed" and "Fudge" fields (in that order) pertaining to the
message for which the TSIG is being created: this means that the
successive TSIG records in the stream will have monotonically
increasing "Time Signed" fields. Note that only the timers are
included in the second and subsequent messages, not all the TSIG
variables.
This allows the client to rapidly detect when the session has been
altered; at which point it can close the connection and retry. If a
client TSIG verification fails, the client MUST close the connection.
If the client does not receive TSIG records frequently enough (as
specified above) it SHOULD assume the connection has been hijacked
and it SHOULD close the connection. The client SHOULD treat this the
same way as they would any other interrupted transfer (although the
exact behavior is not specified here).
5.3.2. Generation of TSIG on Error Returns
When a server detects an error relating to the key or MAC in the
incoming request, the server SHOULD send back an unsigned error
message (MAC size == 0 and empty MAC). It MUST NOT send back a
signed error message.
If an error is detected relating to the TSIG validity period or the
MAC is too short for the local policy, the server SHOULD send back a
signed error message. The digest components are:
Request MAC (if the request MAC validated)
DNS Message (response)
TSIG Variables (response)
The reason that the request is not included in this MAC in some cases
is to make it possible for the client to verify the error. If the
error is not a TSIG error the response MUST be generated as specified
in Section 5.3.
5.4. Client Processing of Answer
When a client receives a response from a server and expects to see a When a client receives a response from a server and expects to see a
TSIG, it first checks if the TSIG RR is present in the response. TSIG, it performs the same checks as described in Section 5.2, with
Otherwise, the response is treated as having a format error and the following modifications:
discarded. The client then extracts the TSIG, adjusts the ARCOUNT,
and calculates the MAC in the same way as the server, applying the
same rules to decide if truncated MAC is valid. If the TSIG does not
validate, that response MUST be discarded, unless the RCODE is 9
(NOTAUTH), in which case the client SHOULD attempt to verify the
response as if it were a TSIG Error response, as specified in
Section 6.3. A message containing an unsigned TSIG record or a TSIG
record which fails verification SHOULD NOT be considered an
acceptable response; the client SHOULD log an error and continue to
wait for a signed response until the request times out.
6.6.1. Key Error Handling o If the TSIG RR does not validate, that response MUST be discarded,
unless the RCODE is 9 (NOTAUTH), in which case the client SHOULD
proceed as described in the following subsections.
If an RCODE on a response is 9 (NOTAUTH), and the response TSIG A message containing an unsigned TSIG record or a TSIG record which
validates, and the TSIG key is different from the key used on the fails verification SHOULD NOT be considered an acceptable response;
request, then this is a Key error. The client MAY retry the request the client SHOULD log an error and continue to wait for a signed
using the key specified by the server. This should never occur, as a response until the request times out.
server MUST NOT sign a response with a different key than signed the
request.
6.6.2. MAC Error Handling 5.4.1. Key Error Handling
If an RCODE on a response is 9 (NOTAUTH), but the response TSIG
validates and the TSIG key recognised by the client but different
from that used on the request, then this is a Key Error. The client
MAY retry the request using the key specified by the server.
However, this should never occur, as a server MUST NOT sign a
response with a different key to that used to sign the request.
5.4.2. MAC Error Handling
If the response RCODE is 9 (NOTAUTH) and TSIG ERROR is 16 (BADSIG), If the response RCODE is 9 (NOTAUTH) and TSIG ERROR is 16 (BADSIG),
this is a MAC error, and client MAY retry the request with a new this is a MAC error, and client MAY retry the request with a new
request ID but it would be better to try a different shared key if request ID but it would be better to try a different shared key if
one is available. Clients SHOULD keep track of how many MAC errors one is available. Clients SHOULD keep track of how many MAC errors
are associated with each key. Clients SHOULD log this event. are associated with each key. Clients SHOULD log this event.
6.6.3. Time Error Handling 5.4.3. Time Error Handling
If the response RCODE is 9 (NOTAUTH) and the TSIG ERROR is 18 If the response RCODE is 9 (NOTAUTH) and the TSIG ERROR is 18
(BADTIME), or the current time does not fall in the range specified (BADTIME), or the current time does not fall in the range specified
in the TSIG record, then this is a Time error. This is an indication in the TSIG record, then this is a Time error. This is an indication
that the client and server clocks are not synchronized. In this case that the client and server clocks are not synchronized. In this case
the client SHOULD log the event. DNS resolvers MUST NOT adjust any the client SHOULD log the event. DNS resolvers MUST NOT adjust any
clocks in the client based on BADTIME errors, but the server's time clocks in the client based on BADTIME errors, but the server's time
in the other data field SHOULD be logged. in the other data field SHOULD be logged.
6.6.4. Truncation Error Handling 5.4.4. Truncation Error Handling
If the response RCODE is 9 (NOTAUTH) and the TSIG ERROR is 22 If the response RCODE is 9 (NOTAUTH) and the TSIG ERROR is 22
(BADTRUNC) then this is a Truncation error. The client MAY retry (BADTRUNC) then this is a Truncation error. The client MAY retry
with a lesser truncation up to the full HMAC output (no truncation), with a lesser truncation up to the full HMAC output (no truncation),
using the truncation used in the response as a hint for what the using the truncation used in the response as a hint for what the
server policy allowed (Section 8). Clients SHOULD log this event. server policy allowed (Section 7). Clients SHOULD log this event.
6.7. Special Considerations for Forwarding Servers 5.5. Special Considerations for Forwarding Servers
A server acting as a forwarding server of a DNS message SHOULD check A server acting as a forwarding server of a DNS message SHOULD check
for the existence of a TSIG record. If the name on the TSIG is not for the existence of a TSIG record. If the name on the TSIG is not
of a secret that the server shares with the originator the server of a secret that the server shares with the originator the server
MUST forward the message unchanged including the TSIG. If the name MUST forward the message unchanged including the TSIG. If the name
of the TSIG is of a key this server shares with the originator, it of the TSIG is of a key this server shares with the originator, it
MUST process the TSIG. If the TSIG passes all checks, the forwarding MUST process the TSIG. If the TSIG passes all checks, the forwarding
server MUST, if possible, include a TSIG of its own, to the server MUST, if possible, include a TSIG of its own, to the
destination or the next forwarder. If no transaction security is destination or the next forwarder. If no transaction security is
available to the destination and the message is a query then, if the available to the destination and the message is a query then, if the
corresponding response has the AD flag (see [RFC4035]) set, the corresponding response has the AD flag (see [RFC4035]) set, the
forwarder MUST clear the AD flag before adding the TSIG to the forwarder MUST clear the AD flag before adding the TSIG to the
response and returning the result to the system from which it response and returning the result to the system from which it
received the query. received the query.
7. Algorithms and Identifiers 6. Algorithms and Identifiers
The only message digest algorithm specified in the first version of The only message digest algorithm specified in the first version of
these specifications [RFC2845] was "HMAC-MD5" (see [RFC1321], these specifications [RFC2845] was "HMAC-MD5" (see [RFC1321],
[RFC2104]). The "HMAC-MD5" algorithm is mandatory to implement for [RFC2104]). The "HMAC-MD5" algorithm is mandatory to implement for
interoperability. interoperability.
The use of SHA-1 [FIPS180-4], [RFC3174], (which is a 160-bit hash as The use of SHA-1 [FIPS180-4], [RFC3174], (which is a 160-bit hash as
compared to the 128 bits for MD5), and additional hash algorithms in compared to the 128 bits for MD5), and additional hash algorithms in
the SHA family [FIPS180-4], [RFC3874], [RFC6234] with 224, 256, 384, the SHA family [FIPS180-4], [RFC3874], [RFC6234] with 224, 256, 384,
and 512 bits may be preferred in some cases. This is because and 512 bits may be preferred in some cases. This is because
increasingly successful cryptanalytic attacks are being made on the increasingly successful cryptanalytic attacks are being made on the
shorter hashes. shorter hashes.
Use of TSIG between two DNS agents is by mutual agreement. That Use of TSIG between two DNS agents is by mutual agreement. That
agreement can include the support of additional algorithms and agreement can include the support of additional algorithms and
criteria as to which algorithms and truncations are acceptable, criteria as to which algorithms and truncations are acceptable,
subject to the restriction and guidelines in Section 6.5.2.1 above. subject to the restriction and guidelines in Section 5.2.2.1 above.
Key agreement can be by the TKEY mechanism [RFC2930] or some other Key agreement can be by the TKEY mechanism [RFC2930] or some other
mutually agreeable method. mutually agreeable method.
The current HMAC-MD5.SIG-ALG.REG.INT and gss-tsig [RFC3645]
identifiers are included in the table below for convenience.
Implementations that support TSIG MUST also implement HMAC SHA1 and Implementations that support TSIG MUST also implement HMAC SHA1 and
HMAC SHA256 and MAY implement gss-tsig and the other algorithms HMAC SHA256 and MAY implement gss-tsig and the other algorithms
listed below. listed below. SHA-1 truncated to 96 bits (12 octets) SHOULD be
implemented.
Requirement Name Requirement Name
----------- ------------------------ ----------- ------------------------
Mandatory HMAC-MD5.SIG-ALG.REG.INT Mandatory HMAC-MD5.SIG-ALG.REG.INT
Optional gss-tsig Optional gss-tsig
Mandatory hmac-sha1 Mandatory hmac-sha1
Optional hmac-sha224 Optional hmac-sha224
Mandatory hmac-sha256 Mandatory hmac-sha256
Optional hmac-sha384 Optional hmac-sha384
Optional hmac-sha512 Optional hmac-sha512
Table 1 Table 1
SHA-1 truncated to 96 bits (12 octets) SHOULD be implemented. 7. TSIG Truncation Policy
8. TSIG Truncation Policy
As noted above, two DNS agents (e.g., resolver and server) must As noted above, two DNS agents (e.g., resolver and server) must
mutually agree to use TSIG. Implicit in such an "agreement" are mutually agree to use TSIG. Implicit in such an "agreement" are
criteria as to acceptable keys and algorithms and, with the criteria as to acceptable keys and algorithms and, with the
extensions in this document, truncations. Note that it is common for extensions in this document, truncations. Local policies MAY require
implementations to bind the TSIG secret key or keys that may be in the rejection of TSIGs, even though they use an algorithm for which
place at two parties to particular algorithms. Thus, such implementation is mandatory.
implementations only permit the use of an algorithm if there is an
associated key in place. Receipt of an unknown, unimplemented, or
disabled algorithm typically results in a BADKEY error.
Local policies MAY require the rejection of TSIGs, even though they
use an algorithm for which implementation is mandatory.
When a local policy permits acceptance of a TSIG with a particular When a local policy permits acceptance of a TSIG with a particular
algorithm and a particular non-zero amount of truncation, it SHOULD algorithm and a particular non-zero amount of truncation, it SHOULD
also permit the use of that algorithm with lesser truncation (a also permit the use of that algorithm with lesser truncation (a
longer MAC) up to the full keyed hash output. longer MAC) up to the full keyed hash output.
Regardless of a lower acceptable truncated MAC length specified by Regardless of a lower acceptable truncated MAC length specified by
local policy, a reply SHOULD be sent with a MAC at least as long as local policy, a reply SHOULD be sent with a MAC at least as long as
that in the corresponding request. Note if the request specified a that in the corresponding request. Note if the request specified a
MAC length longer than the keyed hash output it will be rejected by MAC length longer than the keyed hash output it will be rejected by
processing rules Section 6.5.2.1 case 1. processing rules Section 5.2.2.1 case 1.
Implementations permitting multiple acceptable algorithms and/or Implementations permitting multiple acceptable algorithms and/or
truncations SHOULD permit this list to be ordered by presumed truncations SHOULD permit this list to be ordered by presumed
strength and SHOULD allow different truncations for the same strength and SHOULD allow different truncations for the same
algorithm to be treated as separate entities in this list. When so algorithm to be treated as separate entities in this list. When so
implemented, policies SHOULD accept a presumed stronger algorithm and implemented, policies SHOULD accept a presumed stronger algorithm and
truncation than the minimum strength required by the policy. truncation than the minimum strength required by the policy.
9. Shared Secrets 8. Shared Secrets
Secret keys are very sensitive information and all available steps Secret keys are very sensitive information and all available steps
should be taken to protect them on every host on which they are should be taken to protect them on every host on which they are
stored. Generally such hosts need to be physically protected. If stored. Generally such hosts need to be physically protected. If
they are multi-user machines, great care should be taken that they are multi-user machines, great care should be taken that
unprivileged users have no access to keying material. Resolvers unprivileged users have no access to keying material. Resolvers
often run unprivileged, which means all users of a host would be able often run unprivileged, which means all users of a host would be able
to see whatever configuration data is used by the resolver. to see whatever configuration data is used by the resolver.
A name server usually runs privileged, which means its configuration A name server usually runs privileged, which means its configuration
skipping to change at page 17, line 27 skipping to change at page 17, line 29
a host that implements transaction-based authentication should a host that implements transaction-based authentication should
probably be configured with a "stub resolver" and a local caching and probably be configured with a "stub resolver" and a local caching and
forwarding name server. This presents a special problem for forwarding name server. This presents a special problem for
[RFC2136] which otherwise depends on clients to communicate only with [RFC2136] which otherwise depends on clients to communicate only with
a zone's authoritative name servers. a zone's authoritative name servers.
Use of strong random shared secrets is essential to the security of Use of strong random shared secrets is essential to the security of
TSIG. See [RFC4086] for a discussion of this issue. The secret TSIG. See [RFC4086] for a discussion of this issue. The secret
SHOULD be at least as long as the keyed hash output [RFC2104]. SHOULD be at least as long as the keyed hash output [RFC2104].
10. IANA Considerations 9. IANA Considerations
IANA maintains a registry of algorithm names to be used as "Algorithm IANA maintains a registry of algorithm names to be used as "Algorithm
Names" as defined in Section 4.3. Algorithm names are text strings Names" as defined in Section 4.2. Algorithm names are text strings
encoded using the syntax of a domain name. There is no structure encoded using the syntax of a domain name. There is no structure
required other than names for different algorithms must be unique required other than names for different algorithms must be unique
when compared as DNS names, i.e., comparison is case insensitive. when compared as DNS names, i.e., comparison is case insensitive.
Previous specifications [RFC2845] and [RFC4635] defined values for Previous specifications [RFC2845] and [RFC4635] defined values for
HMAC MD5 and SHA. IANA has also registered "gss-tsig" as an HMAC MD5 and SHA. IANA has also registered "gss-tsig" as an
identifier for TSIG authentication where the cryptographic operations identifier for TSIG authentication where the cryptographic operations
are delegated to the Generic Security Service (GSS) [RFC3645]. are delegated to the Generic Security Service (GSS) [RFC3645].
New algorithms are assigned using the IETF Consensus policy defined New algorithms are assigned using the IETF Consensus policy defined
in [RFC8126]. The algorithm name HMAC-MD5.SIG-ALG.REG.INT looks like in [RFC8126]. The algorithm name HMAC-MD5.SIG-ALG.REG.INT looks like
a fully-qualified domain name for historical reasons; other algorithm a fully-qualified domain name for historical reasons; other algorithm
names are simple (i.e., single-component) names. names are simple (i.e., single-component) names.
IANA maintains a registry of RCODES (error codes), including "TSIG IANA maintains a registry of RCODES (error codes), including "TSIG
Error values" to be used for "Error" values as defined in Error values" to be used for "Error" values as defined in
Section 4.3. New error codes are assigned and specified as in Section 4.2. New error codes are assigned and specified as in
[RFC6895]. [RFC6895].
11. Security Considerations 10. Security Considerations
The approach specified here is computationally much less expensive The approach specified here is computationally much less expensive
than the signatures specified in DNSSEC. As long as the shared than the signatures specified in DNSSEC. As long as the shared
secret key is not compromised, strong authentication is provided secret key is not compromised, strong authentication is provided
between two DNS systems, e.g., for the last hop from a local name between two DNS systems, e.g., for the last hop from a local name
server to the user resolver, or between primary and secondary server to the user resolver, or between primary and secondary
nameservers. nameservers.
Recommendations for choosing and maintaining secret keys can be found Recommendations for choosing and maintaining secret keys can be found
in [RFC2104]. If the client host has been compromised, the server in [RFC2104]. If the client host has been compromised, the server
skipping to change at page 19, line 5 skipping to change at page 19, line 5
authentication by brute force [RFC2104]. authentication by brute force [RFC2104].
Significant progress has been made recently in cryptanalysis of hash Significant progress has been made recently in cryptanalysis of hash
functions of the types used here. While the results so far should functions of the types used here. While the results so far should
not affect HMAC, the stronger SHA-1 and SHA-256 algorithms are being not affect HMAC, the stronger SHA-1 and SHA-256 algorithms are being
made mandatory as a precaution. made mandatory as a precaution.
See also the Security Considerations section of [RFC2104] from which See also the Security Considerations section of [RFC2104] from which
the limits on truncation in this RFC were taken. the limits on truncation in this RFC were taken.
11.1. Issue Fixed in this Document 10.1. Issue Fixed in this Document
When signing a DNS reply message using TSIG, the MAC computation uses When signing a DNS reply message using TSIG, the MAC computation uses
the request message's MAC as an input to cryptographically relate the the request message's MAC as an input to cryptographically relate the
reply to the request. The original TSIG specification [RFC2845] reply to the request. The original TSIG specification [RFC2845]
required that the TIME values be checked before the request's MAC. required that the TIME values be checked before the request's MAC.
If the TIME was invalid, some implementations failed to carry out If the TIME was invalid, some implementations failed to carry out
further checks and could use an invalid request MAC in the signed further checks and could use an invalid request MAC in the signed
reply. reply.
This document makes it a madatory that the request MAC is considered This document makes it a madatory that the request MAC is considered
to be invalid until it has been validated: until then, any answer to be invalid until it has been validated: until then, any answer
must be unsigned. For this reason, the request MAC is now checked must be unsigned. For this reason, the request MAC is now checked
before the TIME value. before the TIME value.
11.2. Why not DNSSEC? 10.2. Why not DNSSEC?
This section from the original document [RFC2845] analyzes DNSSEC in This section from the original document [RFC2845] analyzes DNSSEC in
order to justify the introduction of TSIG. order to justify the introduction of TSIG.
DNS has recently been extended by DNSSEC ([RFC4033], [RFC4034] and "DNS has recently been extended by DNSSEC ([RFC4033], [RFC4034] and
[RFC4035]) to provide for data origin authentication, and public key [RFC4035]) to provide for data origin authentication, and public key
distribution, all based on public key cryptography and public key distribution, all based on public key cryptography and public key
based digital signatures. To be practical, this form of security based digital signatures. To be practical, this form of security
generally requires extensive local caching of keys and tracing of generally requires extensive local caching of keys and tracing of
authentication through multiple keys and signatures to a pre-trusted authentication through multiple keys and signatures to a pre-trusted
locally configured key. locally configured key.
One difficulty with the DNSSEC scheme is that common DNS One difficulty with the DNSSEC scheme is that common DNS
implementations include simple "stub" resolvers which do not have implementations include simple "stub" resolvers which do not have
caches. Such resolvers typically rely on a caching DNS server on caches. Such resolvers typically rely on a caching DNS server on
skipping to change at page 19, line 51 skipping to change at page 19, line 51
but such signatures are very expensive computationally to generate. but such signatures are very expensive computationally to generate.
In general, these require the same complex public key logic that is In general, these require the same complex public key logic that is
impractical for stubs. impractical for stubs.
A second area where use of straight DNSSEC public key based A second area where use of straight DNSSEC public key based
mechanisms may be impractical is authenticating dynamic update mechanisms may be impractical is authenticating dynamic update
[RFC2136] requests. DNSSEC provides for request signatures but with [RFC2136] requests. DNSSEC provides for request signatures but with
DNSSEC they, like transaction signatures, require computationally DNSSEC they, like transaction signatures, require computationally
expensive public key cryptography and complex authentication logic. expensive public key cryptography and complex authentication logic.
Secure Domain Name System Dynamic Update ([RFC3007]) describes how Secure Domain Name System Dynamic Update ([RFC3007]) describes how
different keys are used in dynamically updated zones. different keys are used in dynamically updated zones."
12. References 11. References
12.1. Normative References 11.1. Normative References
[FIPS180-4] [FIPS180-4]
National Institute of Standards and Technology, "Secure National Institute of Standards and Technology, "Secure
Hash Standard (SHS)", FIPS PUB 180-4, August 2015. Hash Standard (SHS)", FIPS PUB 180-4, August 2015.
[RFC1034] Mockapetris, P., "Domain names - concepts and facilities", [RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987, STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987,
<https://www.rfc-editor.org/info/rfc1034>. <https://www.rfc-editor.org/info/rfc1034>.
[RFC1035] Mockapetris, P., "Domain names - implementation and [RFC1035] Mockapetris, P., "Domain names - implementation and
skipping to change at page 20, line 44 skipping to change at page 20, line 44
[RFC4635] Eastlake 3rd, D., "HMAC SHA (Hashed Message Authentication [RFC4635] Eastlake 3rd, D., "HMAC SHA (Hashed Message Authentication
Code, Secure Hash Algorithm) TSIG Algorithm Identifiers", Code, Secure Hash Algorithm) TSIG Algorithm Identifiers",
RFC 4635, DOI 10.17487/RFC4635, August 2006, RFC 4635, DOI 10.17487/RFC4635, August 2006,
<https://www.rfc-editor.org/info/rfc4635>. <https://www.rfc-editor.org/info/rfc4635>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>. May 2017, <https://www.rfc-editor.org/info/rfc8174>.
12.2. Informative References 11.2. Informative References
[RFC1321] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321, [RFC1321] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321,
DOI 10.17487/RFC1321, April 1992, DOI 10.17487/RFC1321, April 1992,
<https://www.rfc-editor.org/info/rfc1321>. <https://www.rfc-editor.org/info/rfc1321>.
[RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed- [RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-
Hashing for Message Authentication", RFC 2104, Hashing for Message Authentication", RFC 2104,
DOI 10.17487/RFC2104, February 1997, DOI 10.17487/RFC2104, February 1997,
<https://www.rfc-editor.org/info/rfc2104>. <https://www.rfc-editor.org/info/rfc2104>.
[RFC2136] Vixie, P., Ed., Thomson, S., Rekhter, Y., and J. Bound, [RFC2136] Vixie, P., Ed., Thomson, S., Rekhter, Y., and J. Bound,
"Dynamic Updates in the Domain Name System (DNS UPDATE)", "Dynamic Updates in the Domain Name System (DNS UPDATE)",
RFC 2136, DOI 10.17487/RFC2136, April 1997, RFC 2136, DOI 10.17487/RFC2136, April 1997,
<https://www.rfc-editor.org/info/rfc2136>. <https://www.rfc-editor.org/info/rfc2136>.
[RFC2930] Eastlake 3rd, D., "Secret Key Establishment for DNS (TKEY [RFC2930] Eastlake 3rd, D., "Secret Key Establishment for DNS (TKEY
RR)", RFC 2930, DOI 10.17487/RFC2930, September 2000, RR)", RFC 2930, DOI 10.17487/RFC2930, September 2000,
<https://www.rfc-editor.org/info/rfc2930>. <https://www.rfc-editor.org/info/rfc2930>.
[RFC2931] Eastlake 3rd, D., "DNS Request and Transaction Signatures
( SIG(0)s )", RFC 2931, DOI 10.17487/RFC2931, September
2000, <https://www.rfc-editor.org/info/rfc2931>.
[RFC3007] Wellington, B., "Secure Domain Name System (DNS) Dynamic [RFC3007] Wellington, B., "Secure Domain Name System (DNS) Dynamic
Update", RFC 3007, DOI 10.17487/RFC3007, November 2000, Update", RFC 3007, DOI 10.17487/RFC3007, November 2000,
<https://www.rfc-editor.org/info/rfc3007>. <https://www.rfc-editor.org/info/rfc3007>.
[RFC3174] Eastlake 3rd, D. and P. Jones, "US Secure Hash Algorithm 1 [RFC3174] Eastlake 3rd, D. and P. Jones, "US Secure Hash Algorithm 1
(SHA1)", RFC 3174, DOI 10.17487/RFC3174, September 2001, (SHA1)", RFC 3174, DOI 10.17487/RFC3174, September 2001,
<https://www.rfc-editor.org/info/rfc3174>. <https://www.rfc-editor.org/info/rfc3174>.
[RFC3645] Kwan, S., Garg, P., Gilroy, J., Esibov, L., Westhead, J., [RFC3645] Kwan, S., Garg, P., Gilroy, J., Esibov, L., Westhead, J.,
and R. Hall, "Generic Security Service Algorithm for and R. Hall, "Generic Security Service Algorithm for
skipping to change at page 22, line 20 skipping to change at page 22, line 15
[RFC4086] Eastlake 3rd, D., Schiller, J., and S. Crocker, [RFC4086] Eastlake 3rd, D., Schiller, J., and S. Crocker,
"Randomness Requirements for Security", BCP 106, RFC 4086, "Randomness Requirements for Security", BCP 106, RFC 4086,
DOI 10.17487/RFC4086, June 2005, DOI 10.17487/RFC4086, June 2005,
<https://www.rfc-editor.org/info/rfc4086>. <https://www.rfc-editor.org/info/rfc4086>.
[RFC6234] Eastlake 3rd, D. and T. Hansen, "US Secure Hash Algorithms [RFC6234] Eastlake 3rd, D. and T. Hansen, "US Secure Hash Algorithms
(SHA and SHA-based HMAC and HKDF)", RFC 6234, (SHA and SHA-based HMAC and HKDF)", RFC 6234,
DOI 10.17487/RFC6234, May 2011, DOI 10.17487/RFC6234, May 2011,
<https://www.rfc-editor.org/info/rfc6234>. <https://www.rfc-editor.org/info/rfc6234>.
[RFC6891] Damas, J., Graff, M., and P. Vixie, "Extension Mechanisms
for DNS (EDNS(0))", STD 75, RFC 6891,
DOI 10.17487/RFC6891, April 2013,
<https://www.rfc-editor.org/info/rfc6891>.
[RFC6895] Eastlake 3rd, D., "Domain Name System (DNS) IANA [RFC6895] Eastlake 3rd, D., "Domain Name System (DNS) IANA
Considerations", BCP 42, RFC 6895, DOI 10.17487/RFC6895, Considerations", BCP 42, RFC 6895, DOI 10.17487/RFC6895,
April 2013, <https://www.rfc-editor.org/info/rfc6895>. April 2013, <https://www.rfc-editor.org/info/rfc6895>.
[RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for
Writing an IANA Considerations Section in RFCs", BCP 26, Writing an IANA Considerations Section in RFCs", BCP 26,
RFC 8126, DOI 10.17487/RFC8126, June 2017, RFC 8126, DOI 10.17487/RFC8126, June 2017,
<https://www.rfc-editor.org/info/rfc8126>. <https://www.rfc-editor.org/info/rfc8126>.
Appendix A. Acknowledgments Appendix A. Acknowledgments
skipping to change at page 22, line 52 skipping to change at page 22, line 42
Clement Berthaux from Synacktiv. Clement Berthaux from Synacktiv.
Note for the RFC Editor (to be removed before publication): the first Note for the RFC Editor (to be removed before publication): the first
'e' in Clement is a fact a small 'e' with acute, unicode code U+00E9. 'e' in Clement is a fact a small 'e' with acute, unicode code U+00E9.
I do not know if xml2rfc supports non ASCII characters so I prefer to I do not know if xml2rfc supports non ASCII characters so I prefer to
not experiment with it. BTW I am French too so I can help if you not experiment with it. BTW I am French too so I can help if you
have questions like correct spelling... have questions like correct spelling...
Peter van Dijk, Benno Overeinder, Willem Toroop, Ondrej Sury, Mukund Peter van Dijk, Benno Overeinder, Willem Toroop, Ondrej Sury, Mukund
Sivaraman and Ralph Dolmans participated in the discussions that Sivaraman and Ralph Dolmans participated in the discussions that
prompted this document. prompted this document. Mukund Sivaraman and Martin Hoffman made
extermely helpful suggestions concerning the structure and wording of
the updated document.
Appendix B. Change History (to be removed before publication) Appendix B. Change History (to be removed before publication)
draft-dupont-dnsop-rfc2845bis-00 draft-dupont-dnsop-rfc2845bis-00
[RFC4635] was merged. [RFC4635] was merged.
Authors of original documents were moved to Acknowledgments Authors of original documents were moved to Acknowledgments
(Appendix A). (Appendix A).
skipping to change at page 23, line 39 skipping to change at page 23, line 33
1. Emphasized that MAC is invalid until it is successfully 1. Emphasized that MAC is invalid until it is successfully
validated. validated.
2. Added requirement that a request MAC that has not been 2. Added requirement that a request MAC that has not been
successfully validated MUST NOT be included into a response. successfully validated MUST NOT be included into a response.
3. Added requirement that a request that has not been validated 3. Added requirement that a request that has not been validated
MUST NOT generate a signed response. MUST NOT generate a signed response.
4. Added note about MAC too short for the local policy to 4. Added note about MAC too short for the local policy to
Section 6.3. Section 5.3.2.
5. Changed the order of server checks and swapped corresponding 5. Changed the order of server checks and swapped corresponding
sections. sections.
6. Removed the truncation size limit "also case" as it does not 6. Removed the truncation size limit "also case" as it does not
apply and added confusion. apply and added confusion.
7. Relocated the error provision for TSIG truncation to the new 7. Relocated the error provision for TSIG truncation to the new
Section 6.5.4. Moved from RCODE 22 to RCODE 9 and TSIG ERROR Section 5.2.4. Moved from RCODE 22 to RCODE 9 and TSIG ERROR
22, i.e., aligned with other TSIG error cases. 22, i.e., aligned with other TSIG error cases.
8. Added Section 6.6.4 about truncation error handling by 8. Added Section 5.4.4 about truncation error handling by
clients. clients.
9. Removed the limit to HMAC output in replies as a request 9. Removed the limit to HMAC output in replies as a request
which specified a MAC length longer than the HMAC output is which specified a MAC length longer than the HMAC output is
invalid according to the first processing rule in invalid according to the first processing rule in
Section 6.5.2.1. Section 5.2.2.1.
10. Promoted the requirement that a secret length should be at 10. Promoted the requirement that a secret length should be at
least as long as the HMAC output to a SHOULD [RFC2119] key least as long as the HMAC output to a SHOULD [RFC2119] key
word. word.
11. Added a short text to explain the security issue. 11. Added a short text to explain the security issue.
draft-dupont-dnsop-rfc2845bis-01 draft-dupont-dnsop-rfc2845bis-01
Improved wording (post-publication comments). Improved wording (post-publication comments).
Specialized and renamed the "TSIG on TCP connection" (Section 6.4) Specialized and renamed the "TSIG on TCP connection"
to "TSIG on zone transfer over a TCP connection". Added a SHOULD (Section 5.3.1) to "TSIG on zone transfer over a TCP connection".
for a TSIG in each message (was envelope) for new implementations. Added a SHOULD for a TSIG in each message (was envelope) for new
implementations.
draft-ietf-dnsop-rfc2845bis-00 draft-ietf-dnsop-rfc2845bis-00
Adopted by the IETF DNSOP working group: title updated and version Adopted by the IETF DNSOP working group: title updated and version
counter reset to 00. counter reset to 00.
draft-ietf-dnsop-rfc2845bis-01 draft-ietf-dnsop-rfc2845bis-01
Relationship between protocol change and principle of assuming the Relationship between protocol change and principle of assuming the
request MAC is invalid until validated clarified. (Jinmei Tatuya) request MAC is invalid until validated clarified. (Jinmei Tatuya)
skipping to change at page 25, line 4 skipping to change at page 24, line 48
Many improvements in the wording. Many improvements in the wording.
Added RFC 2845 authors as co-authors of this document. Added RFC 2845 authors as co-authors of this document.
draft-ietf-dnsop-rfc2845bis-02 draft-ietf-dnsop-rfc2845bis-02
Added a recommendation to copy time fields in BADKEY errors. Added a recommendation to copy time fields in BADKEY errors.
(Mark Andrews) (Mark Andrews)
draft-ietf-dnsop-rfc2845bis-03 draft-ietf-dnsop-rfc2845bis-03
Further changes as a result of comments by Mukund Sivaraman. Further changes as a result of comments by Mukund Sivaraman.
Miscellaneous changes to wording. Miscellaneous changes to wording.
Major restructing as a result of comprehensive review by Martin
Hoffman. Amongst the more significant changes:
* More comprehensive introduction.
* Merged "Protocol Description" and "Protocol Details" sections.
* Reordered sections so as to follow message exchange through
"client "sending", "server receipt", "server sending", "client
receipt".
* Added miscellaneous clarifications.
Authors' Addresses Authors' Addresses
Francis Dupont Francis Dupont
Internet Software Consortium Internet Software Consortium
950 Charter Street 950 Charter Street
Redwood City, CA 94063 Redwood City, CA 94063
United States of America United States of America
Email: Francis.Dupont@fdupont.fr Email: Francis.Dupont@fdupont.fr
 End of changes. 109 change blocks. 
397 lines changed or deleted 407 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/