DNSOP D. Eastlake
Internet-Draft Independent
Obsoletes: 2930 (if approved) M. Andrews
Intended status: Informational Internet Systems Consortium
Expires: 3 September 2025 2 March 2025
Secret Key Agreement for DNS: The TKEY Resource Record
draft-eastlake-dnsop-rfc2930bis-tkey-02
Abstract
RFC 8945 provides efficient authentication of Domain Name System
(DNS) protocol messages using shared secret keys and the Transaction
Signature (TSIG) resource record (RR). However, it provides no
mechanism for setting up such keys other than by configuration. This
document specifies the Transaction Key (TKEY) RR that can be used in
a variety of modes to establish shared secret keys between a DNS
resolver and server. This document obsoletes RFC 2930.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on 3 September 2025.
Copyright Notice
Copyright (c) 2025 IETF Trust and the persons identified as the
document authors. All rights reserved.
Eastlake & Andrews Expires 3 September 2025 [Page 1]
�
Internet-Draft The DNS TKEY RR March 2025
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components
extracted from this document must include Revised BSD License text as
described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Revised BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4
2. General TKEY Considerations . . . . . . . . . . . . . . . . . 4
3. The TKEY Resource Record . . . . . . . . . . . . . . . . . . 5
3.1. Name Field . . . . . . . . . . . . . . . . . . . . . . . 7
3.2. The TTL Field . . . . . . . . . . . . . . . . . . . . . . 7
3.3. The RDLEN Field . . . . . . . . . . . . . . . . . . . . . 8
3.4. The Algorithm Field . . . . . . . . . . . . . . . . . . . 8
3.5. The Inception and Expiration Fields . . . . . . . . . . . 8
3.6. The Mode Field . . . . . . . . . . . . . . . . . . . . . 8
3.7. The Error Field . . . . . . . . . . . . . . . . . . . . . 8
3.8. The Key Size and Data Fields . . . . . . . . . . . . . . 9
3.9. The Other Size and Data Fields . . . . . . . . . . . . . 9
4. Key Naming and Key Table . . . . . . . . . . . . . . . . . . 10
4.1. Key Name . . . . . . . . . . . . . . . . . . . . . . . . 11
4.1.1. A Resolver Key Name Generation Strategy . . . . . . . 11
4.1.2. A Server Key Name Generation Strategy . . . . . . . . 11
4.2. Remote Address . . . . . . . . . . . . . . . . . . . . . 12
4.3. State . . . . . . . . . . . . . . . . . . . . . . . . . . 12
4.4. Last Used . . . . . . . . . . . . . . . . . . . . . . . . 12
5. TKEY Modes . . . . . . . . . . . . . . . . . . . . . . . . . 12
5.1. Key Agreement Modes . . . . . . . . . . . . . . . . . . . 13
5.1.1. ECDH Exchanged Keying (Mode 6) . . . . . . . . . . . 13
5.1.2. Server Assigned Keying (Mode 1) . . . . . . . . . . . 15
5.1.3. Resolver Assigned Keying (Mode 4) . . . . . . . . . . 16
5.1.4. GSS-API Establishment (Mode 3) . . . . . . . . . . . 16
5.1.5. Diffie-Hellman Exchanged Keying (Mode 2,
Deprecated) . . . . . . . . . . . . . . . . . . . . . 17
5.2. Other Modes . . . . . . . . . . . . . . . . . . . . . . . 17
5.2.1. TKEY Deletion (Mode 5) . . . . . . . . . . . . . . . 17
5.2.2. TKEY Ping (Mode 8) . . . . . . . . . . . . . . . . . 18
5.2.3. Documentation Mode (Mode 7) . . . . . . . . . . . . . 18
5.3. Spontaneous Server Inclusion . . . . . . . . . . . . . . 18
6. TKEY Message Authentication . . . . . . . . . . . . . . . . . 19
6.1. Secret Key Authentication . . . . . . . . . . . . . . . . 19
6.2. Public Key Authentication . . . . . . . . . . . . . . . . 19
7. Key Data Encryption Methods . . . . . . . . . . . . . . . . . 19
Eastlake & Andrews Expires 3 September 2025 [Page 2]
�
Internet-Draft The DNS TKEY RR March 2025
7.1. Secret KEK Based Encryption . . . . . . . . . . . . . . . 20
7.2. Single Public Key Based Encryption . . . . . . . . . . . 20
7.3. Two Public Keys Based Encryption . . . . . . . . . . . . 21
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 21
8.1. Reference Update . . . . . . . . . . . . . . . . . . . . 21
8.2. Existing Assignments . . . . . . . . . . . . . . . . . . 21
8.3. TSIG/TKEY Registry Group . . . . . . . . . . . . . . . . 21
8.3.1. TKEY Modes Registry . . . . . . . . . . . . . . . . . 21
8.3.2. TKEY Key Wrapping Algorithm Registry . . . . . . . . 23
9. Security Considerations . . . . . . . . . . . . . . . . . . . 24
10. Normative References . . . . . . . . . . . . . . . . . . . . 24
11. Informative References . . . . . . . . . . . . . . . . . . . 26
Appendix A. Diffie-Hellman Exchanged Keying Details . . . . . . 28
Appendix B. Changes from RFC2930 . . . . . . . . . . . . . . . . 29
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 29
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 30
1. Introduction
[[[NOTE: Note that this draft contains occasional meta comments
inside triple square brackets like this. These are intended to aid
in the development of the document and would not appear in any
resulting RFC.]]]
The Domain Name System (DNS) is a hierarchical, distributed, highly
available database used for bi-directional mapping between domain
names and IP addresses, for email routing, service access, and for
other information [RFC1034] [RFC1035]. It has been extended to
provide for public key-based data authentication [RFC4034] [RFC4035]
and secure dynamic update [RFC3007]. Familiarity with these RFCs is
assumed.
[RFC8945] provides efficient authentication of DNS messages using
shared secret keys and the Transaction Signature (TSIG) resource
record (RR) but provides no mechanism for setting up such keys other
than by configuration. This document specifies the Transaction Key
(TKEY) RR that can be used in a variety of modes to establish and
delete such shared secret keys between a DNS resolver and server.
This document obsoletes [RFC2930].
TKEY established keying materials and TSIGs that use them are
associated with DNS servers and resolvers. They are not associated
with DNS zones. They may be used to authenticate requests and
transactions but they do not provide zone-based DNS RR data origin or
denial of existence authentication [RFC4034] [RFC4035].
Eastlake & Andrews Expires 3 September 2025 [Page 3]
�
Internet-Draft The DNS TKEY RR March 2025
1.1. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
General familiarity with DNS terminology [RFC9499] is assumed in this
document. In all cases herein, the term "resolver" or "requester"
includes that part of a server which may initiate requests including
full and incremental [RFC1995] zone transfer queries, forwarded
recursive queries, and the like.
For a message to be "silently ignored" means that is has no protocol
effect but it might still be logged or reported.
2. General TKEY Considerations
TKEY is a meta-RR that is not stored or cached and does not appear in
zone master files. It supports a variety of modes for the
establishment and deletion of shared secret keying information
between DNS resolvers and servers. The shared secret keying material
agreed to by using TKEY is an opaque octet sequence.
The establishment of such a shared secret requires that state be
maintained at both ends and the allocation of the resources to
maintain such state generally requires prior mutual agreement. In
the absence of willingness to provide such state, servers MUST return
error NotImp or Refused for an attempt to use TKEY and resolvers are
free to silently ignore any TKEY RRs they receive.
TKEY RRs are sent in the additional information section of DNS
queries for type TKEY and the corresponding returned TKEY appears in
the answer section of responses to such queries. Some TKEY RRs may
also be spontaneously included in other responses (see Section 5.3).
Type TKEY queries SHOULD NOT be flagged as recursive, and servers
MUST ignore the recursion desired header bit (RD) in TKEY queries
they receive. Type TKEY responses SHOULD be flagged as
authoritative, and resolvers MUST ignore the authoritative answer
(AA) bit in TKEY responses they receive. TKEY queries contain 1
question section entry with QTYPE TKEY, QCLASS 255 (ANY), and QNAME
the same as the name of the TKEY RR.
[[[Comment: Although current practice is to have the query QNAME be
the same as the name field of the TKEY RR, this does not appear to be
logically necessary. Some space could be saved by using root as the
QNAME.]]]
Eastlake & Andrews Expires 3 September 2025 [Page 4]
�
Internet-Draft The DNS TKEY RR March 2025
TKEY messages (DNS queries and responses) MUST be authenticated (see
Section 6) for all modes except GSS-API mode, which provides its own
security. In TKEY messages that contain secret keying material in
the Key Data field, that material MUST, be encrypted (see Section 7).
In the absence of required TKEY authentication or encryption, a
NotAuth error MUST be returned for a query and a reply MUST be
silently ignored.
Keys established via TKEY can be treated as soft state and need not
be preserved over crashes or reboots. Since DNS transactions are
originated by the resolver, the resolver can simply toss keys,
although it may have to go through another key exchange if it later
needs one. Similarly, the server can discard keys although that will
result in an error on receiving a query with a TSIG using the
discarded key.
3. The TKEY Resource Record
The TKEY resource record (RR) is a meta-RR that has the structure
shown in Table 1. Its RR type code is 249.
Eastlake & Andrews Expires 3 September 2025 [Page 5]
�
Internet-Draft The DNS TKEY RR March 2025
+================+==============+=============================+
| Field | Format | Comment |
+================+==============+=============================+
| NAME | domain | See description below. |
+----------------+--------------+-----------------------------+
| TTYPE | u_int16_t | TKEY, MUST be 249 (0x00F9). |
+----------------+--------------+-----------------------------+
| CLASS | u_int16_t | MUST be 255 (ANY, 0x00FF). |
+----------------+--------------+-----------------------------+
| TTL | u_int32_t | MUST be zero. |
+----------------+--------------+-----------------------------+
| RDLEN | u_int16_t | Size of RDATA. |
+----------------+--------------+-----------------------------+
| RDATA: | | |
+----------------+--------------+-----------------------------+
| Algorithm: | domain name | |
+----------------+--------------+-----------------------------+
| Inception: | u_int32_t | |
+----------------+--------------+-----------------------------+
| Expiration: | u_int32_t | |
+----------------+--------------+-----------------------------+
| Mode: | u_int16_t | |
+----------------+--------------+-----------------------------+
| Error: | u_int16_t | |
+----------------+--------------+-----------------------------+
| Key Size: | u_int16_t | |
+----------------+--------------+-----------------------------+
| Key Data: | octet-stream | |
+----------------+--------------+-----------------------------+
| Other Size: | u_int16_t | |
+----------------+--------------+-----------------------------+
| Other Data: | octet-stream | |
+----------------+--------------+-----------------------------+
Table 1: TKEY Resource Record
Further information on these fields is provided in the subsections
below.
There MUST NOT be more than one TKEY RR in a DNS message. If more
than one appears in a request, a server implementing TKEY MUST return
FormErr. If more than one appears in a response, they MUST all be
ignored.
Eastlake & Andrews Expires 3 September 2025 [Page 6]
�
Internet-Draft The DNS TKEY RR March 2025
[[[Comment: Actually, it could be meaningful to have multiple TKEY
RRs in a DNS message as long as no pair conflicted. For example, a
reply could contain a key agreement TKEY RR in the answer section
along with one or more key deletion TKEY RRs for other keys in the
additional information section. But it seems simpler to prohibit
such messages.]]]
3.1. Name Field
The Name field is a DNS domain name in wire encoding format. It
relates to naming keys and does not normally appear as a node in the
DNS name hierarchy. It MUST NOT be compressed. Its meaning differs
somewhat with mode and context as explained in Section 4. In some
cases where the Name field has a key name, it would be the same name
as used in a TSIG RR [RFC8945] using that key.
[[[Comment: The only reason the above specifies that Name not be
compressed is that there was a DNS implementation where such
compression would activate a bug. This was not required in [RFC2930]
and can probably be changed to allow compression of the TKEY RR Name
since RR QNAMEs are normally compressible. It is domain names
appearing within the TKEY RDATA, such as the Algorithm field, that
are not generally compressible.]]]
Although the DNS protocol is binary clean so that any octet value
should be usable in a label that is part of a domain name, to avoid
possible implementation bugs and to ease user interface and debugging
issues, it is RECOMMENDED that Name be composed of labels consisting
of letters, digits, underscore, and hyphen and that these labels
begin with a letter or digit. To indicate that no Name is present,
the Name field is set to the wire encoding of the domain name of the
root node, that is, the octet string consisting of a single zero
value octet.
For more information on Key Names, see Section 4.1.
3.2. The TTL Field
The TTL field is not used in TKEY RRs. It MUST be zero to minimize
the chance that a DNS implementation might not recognizing a TKEY RR
as a meta-RR and would erroneously cache it. Receipt of a TKEY RR
with a non-zero TTL field in a query results in a FormErr error
response.
Eastlake & Andrews Expires 3 September 2025 [Page 7]
�
Internet-Draft The DNS TKEY RR March 2025
3.3. The RDLEN Field
The RDLEN field MUST equal the length of the RDATA section through
the end of Other Data or the RR is to be considered malformed and
FormErr returned if a request or the message ignored if a reply.
3.4. The Algorithm Field
The Algorithm name is a domain name with the same values and meaning
as the Algorithm Name field in TSIG RRs (see [RFC8945]). It MUST NOT
be compressed. The algorithm determines how keying material agreed
to by using the TKEY RR is actually used to derive the algorithm
specific secret key or keys. For example, it might need to be
truncated or extended or split into multiple keys or otherwise
processed.
3.5. The Inception and Expiration Fields
The Expiration and Inception field values specify a date and time in
the form of a 32-bit unsigned number of seconds elapsed since 1
January 1970 00:00:00 UTC ignoring leap seconds, in network byte
order, modulo 2**32 using ring arithmetic [RFC1982], similar to the
fields with these names in the RRSIG RR [RFC4034]. In TKEY DNS
messages where these fields are meaningful, their meaning depends on
the mode.
Where the Inception and Expiration fields indicate a time interval,
if the expiration time is before the inception time in a request, the
BADTTIME error is returned in the Error field of the response.
To avoid different interpretations of the inception and expiration
times in TKEY RRs, resolvers and servers exchanging them MUST have
the same idea of what time it is. One way of doing this is with the
Network Time Protocol [RFC5905] but that or other time
synchronization used for this purpose MUST be done securely.
3.6. The Mode Field
The mode field specifies the general purpose of the TKEY RR, such as
a key agreement method. See Section 5.1 for more information on the
modes specified in this document.
3.7. The Error Field
The error code field is an extended RCODE [RFC6895]. In queries, it
MUST be sent as zero and ignored on receipt. The following values,
which may appear in replies, are used and/or specified in this
document or [RFC8945]:
Eastlake & Andrews Expires 3 September 2025 [Page 8]
�
Internet-Draft The DNS TKEY RR March 2025
+=======+=============+=================+
| Value | Description | Reference |
+=======+=============+=================+
| 0 | - no error | |
+-------+-------------+-----------------+
| 1 | FormErr | [RFC1035] |
+-------+-------------+-----------------+
| 4 | NotImp | [RFC1035] |
+-------+-------------+-----------------+
| 5 | Refused | [RFC1035] |
+-------+-------------+-----------------+
| 9 | NotAuth | [RFC1035] |
+-------+-------------+-----------------+
| 16 | BADSIG | [RFC8945] |
+-------+-------------+-----------------+
| 17 | BADKEY | [RFC8945] |
+-------+-------------+-----------------+
| 18 | BADTIME | [RFC8945] |
+-------+-------------+-----------------+
| 19 | BADMODE | [this document] |
+-------+-------------+-----------------+
| 20 | BADNAME | [this document] |
+-------+-------------+-----------------+
Table 2: Error Codes
When the TKEY RR Error Field is non-zero in a response to a TKEY
query, the DNS header RCODE field normally indicates no error.
However, it is possible, if a TKEY RR is spontaneously included in a
response (see Section 5.3), the TKEY RR and DNS header error fields
could have unrelated non-zero error codes.
3.8. The Key Size and Data Fields
The Key Size Field is an unsigned 16-bit integer in network octet
order. It specifies the size of the Key Data Field in octets. The
meaning of the contents of the Key Data field depends on the mode and
context.
3.9. The Other Size and Data Fields
The Other Size field is an unsigned 16-bit integer in network order
which specifies the size of the Other Data field in octets. The
Other Data field is intended for future expansion of the TKEY RR.
Eastlake & Andrews Expires 3 September 2025 [Page 9]
�
Internet-Draft The DNS TKEY RR March 2025
4. Key Naming and Key Table
DNS resolvers and servers that implement TSIG maintain a table of (1)
keying material shared with other DNS servers and resolvers with
which they have either been configured or successfully exchanged TKEY
RRs to establish such keys and (2) information about on going
attempts to establish such shared keys using TKEY. Each local table
entry logically contains the information listed below. The actual
structure and management of this table is a local matter as long as
the behavior is consistent this document. For example, it might be
accessed through one or more hash tables for rapid retrieval or have
additional information such as when a key was established or be
broken up into more than one table that are linked together. Some
fields in this table are further described in the subsections below
the table.
+============+==============+=================================+
| Field | Format | Explanation |
+============+==============+=================================+
| Key Name | domain name | Key name. |
+------------+--------------+---------------------------------+
| Remote | IPv4/IPv6 | Address of remote DNS server/ |
| Address | address | resolver. |
+------------+--------------+---------------------------------+
| Inception | u_int32_t | Keying information inception |
| | | time. |
+------------+--------------+---------------------------------+
| Expiration | u_int32_t | Keying information expiration |
| | | time. |
+------------+--------------+---------------------------------+
| Key | octet-string | The opaque shared secret keying |
| | | information. |
+------------+--------------+---------------------------------+
| State | unspecified | See below. |
+------------+--------------+---------------------------------+
| Algorithm | domain name | Key use algorithm. |
+------------+--------------+---------------------------------+
| Last Used | u_int32_t | The time at which a TSIG using |
| | | this key was most recently sent |
| | | or received and validated. |
+------------+--------------+---------------------------------+
Table 3: Key Table Entry
Eastlake & Andrews Expires 3 September 2025 [Page 10]
�
Internet-Draft The DNS TKEY RR March 2025
4.1. Key Name
At any DNS server or resolver only one octet string of keying
material and TSIG algorithm may be in place for any particular key
name. An attempt to establish agreement for a different set of
keying material for an existing name returns a BADNAME error. Since
a DNS TKEY reply message could be lost, it is a normal case and not
an error for a server to receive a TKEY request message to establish
a key that is the same as a key that the server state indicates is
already established.
To avoid confusion while managing or debugging a network, it is
RECOMMENDED that key names be globally unique. A key name generation
strategy for resolvers and servers is described below.
4.1.1. A Resolver Key Name Generation Strategy
For a TKEY RR with a non-root Name appearing in a query, the TKEY
Name field SHOULD be a domain name locally unique at the resolver,
less than 128 octets long in wire encoding, and meaningful to the
resolver to assist in distinguishing keys and/or key agreement
sessions. This length limit is suggested so that, when a resolver
provided name portion is concatenated with a server provided name
portion, the result will fit within the DNS protocol wire encoding
name length limit of 255 octets.
4.1.2. A Server Key Name Generation Strategy
For a TKEY RR appearing in a response to a query, the TKEY RR Name
field SHOULD be a globally unique server assigned name unless the
response indicates a TKEY error in which case the name from the query
should be copied in the response.
A reasonable server key name generation strategy is as follows:
* If the key is generated by a server as the result of a query with
root as its owner name, then the server SHOULD create a globally
unique domain name to be the key name. A suggested method is
prefixing a domain name of the server with a pseudo-random
[RFC4086] label having at least 128 bits of entropy using the
"file name safe" Base 64 encoding (Section 5 of [RFC4648]). For
example, a8s9ZW_n3mDg-okX072pp3.serv1.example.com. If generation
of a new pseudo-random name in each case is an excessive
computation load or entropy drain, a serial number prefix can be
added to a fixed pseudo-random name generated at DNS server start
time, such as 1234.a8s9ZW_n3mDgokX072pp3_.serv1.example.com, with
a new pseudo-random portion being generated periodically and on
reboot.
Eastlake & Andrews Expires 3 September 2025 [Page 11]
�
Internet-Draft The DNS TKEY RR March 2025
* If the key is generated as the result of a query with a non-root
name, say 789.resolv.example, then use the concatenation of that
name, after deletion of its terminal root label, with a name of
the server. For example, 789.resolv.example.serv1.example.com.
In the unlikely event that the unique TKEY NAME produced by whatever
strategy is in use exceeds the wire encoding size limit of 255
octets, it may be shortened to fit within that limit with only an
insignificant probability of losing uniqueness by replacing an
initial portion of the excessively long name with the shorter
encoding of a strong hash of that initial portion. For example, cut
the excessively long name between labels so that the right part is no
longer than 206 octets in wire encoding. Then take the prefix label
or labels constituting the left part, apply SHA-256 [RFC6234] to them
treated as a name in wire encoding, truncate the resulting hash to 30
octets, base32 [RFC4648] encode the result of that truncation
yielding 48 octets, and add the output of the base32 encoding as a
new single prefix label.
4.2. Remote Address
This is the address of the remote DNS server or resolver with which
the key is shared or is to be shared. It MUST be possible to have
table entries for more than one key for such a remote server or
resolver so that, for example, a new key can be established before a
key in use expires or is disabled.
4.3. State
This field is intended to encode an indication of the mode used in
setting the key, whether the local DNS processor was filling the role
of a resolver or server in the TKEY message exchange, and the status
of any in progress key negotiation. The details of this field's
value are implementation dependent.
4.4. Last Used
This is the time signed from the most recent DNS message TSIG
received and validated or sent using this Key using the same encoding
as the inception and expiration TKEY fields. This field might be
used to discard keys based on the least recently used or the like.
5. TKEY Modes
The following subsections describe the TKEY modes that are specified
in this document and the messages used for each mode.
Eastlake & Andrews Expires 3 September 2025 [Page 12]
�
Internet-Draft The DNS TKEY RR March 2025
Servers and resolvers supporting this specification MUST implement
the ECDH mode (see Section 5.1.1), Key Deletion mode (see
Section 5.2.1), and TKEY Ping (see Section 5.2.2). All other modes
are OPTIONAL.
A server supporting TKEY that receives a TKEY request with a mode it
does not support MUST return the BADMODE error.
5.1. Key Agreement Modes
A resolver and a server can agree on shared secret keying material
for use in TSIG through DNS requests from the resolver which are
syntactically DNS queries for type TKEY and answering responses from
the server. Such queries MUST have a TKEY RR in the additional
information section and the response MUST have a TKEY RR in the
answer section to indicate the mode in use and containing other
information where required by that mode. The query and response MUST
be authenticated (see Section 6) except when GSS-API mode
(Section 5.1.4) is used.
The inception and expiration time in TKEY RRs with a mode intended to
result in key agreement refer to a secret key validity interval,
except in the case of GSS-API mode (see Section 5.1.4). The
inception and expiration times in the query TKEY RR are those
requested for the keying material. The inception and expiration
times in the key agreement response TKEY RRs are the period the
server intends to consider the keying material valid which may be a
sub-interval or overlapping interval of the query specified time
interval. Servers may expire keys early, so this is not a guarantee.
If the expiration time in the resolver query is in the past or if it
is before the inception time, a BADTIME error MUST be returned. If
the inception time in the resolver query is in the future, indicating
an attempt to agree on a future key, a BADTIME error MAY be returned
by the server.
| Both DNS transaction security and DNSSEC data security
| originally used the SIG (type = 24) and KEY (type = 25) RRs
| [RFC2535]. DNSSEC was changed to use the RRSIG (type = 46) and
| DNSKEY (type = 48) RRs [RFC4034]; however, transaction
| security, including TKEY and SIG(0) [rfc2931bis], continue to
| use the SIG and KEY RRs.
5.1.1. ECDH Exchanged Keying (Mode 6)
Elliptic Curve Diffie-Hellman (ECDH) key exchange is a means whereby
two parties can derive shared secret information without requiring
secrecy of the messages they exchange [Schneier] [RFC8418].
Eastlake & Andrews Expires 3 September 2025 [Page 13]
�
Internet-Draft The DNS TKEY RR March 2025
To use this mode, there need to be compatible elliptic curve public
keys for the resolver and server involved [RFC6605]. However, there
could be multiple keys available for each of them. The purpose of
the TKEY message exchange is to select the elliptic key to be used
for the resolver and the elliptic key to be used for the server, to
provide nonce information, and to establish the key name and
associated key value and TSIG algorithm for the resulting shared key.
A resolver sends a query for type TKEY accompanied by a TKEY RR in
the additional information section specifying the ECDH exchange mode
and accompanied by a KEY RR also in the additional information
section specifying a resolver elliptic curve key. The TKEY RR
algorithm field is set to the authentication algorithm the resolver
plans to use in any TSIG RRs using the resulting key. Any "key data"
provided in the TKEY in the query is used as a random [RFC4086] nonce
to avoid always deriving the same keying material for the same pair
of KEY RRs.
The server response contains a TKEY in its answer section with the
ECDH assignment mode and echoes back the algorithm field from the
query. If there is "key data" provided in this server TKEY, it is
used as an additional nonce to avoid always deriving the same keying
material for the same pair of KEY RRs but an anycast group of servers
is only supported if such data is the same for all servers in that
group. If the TKEY error field is non-zero, the query failed for the
reason given. FORMERR is given if the query included no elliptic
curve KEY. BADKEY is given if the query included an incompatible
elliptic curve KEY.
If the response TKEY error field is zero, a server elliptic KEY RR
MUST be present in the answer section of the response. The resolver
supplied elliptic curve KEY RR SHOULD be echoed in the additional
information section. Both parties then calculate the same shared
secret quantity from the pair of elliptic curve KEY RRs used
[Schneier] (provided they are compatible) and the data in the TKEY
RRs, using HKDF [RFC5869] as follows where "|" indicates
concatenation and the string in double quotes indicates the octet
string of the ASCII [RFC0020] for that string without any terminating
zero octet or leading length octet or surrounding quotes:
IKM = shared secret from ECDH with resolver and server keys
salt = resolver-TKEY-data | server-TKEY-data
info = "IETF-TKEY-ECDH"
OKM = HKDF-Expand(HMAC-Hash(salt, IKM), info, L)
Eastlake & Andrews Expires 3 September 2025 [Page 14]
�
Internet-Draft The DNS TKEY RR March 2025
SHA-256 [RFC6234] is used in the HMAC-Hash [RFC2104]. L is the
length of the keying material needed for use in the Algorithm
specified. and OKM is the output keying material to use with TSIG.
5.1.2. Server Assigned Keying (Mode 1)
[[[Comment: The Server Assigned and Resolver Assigned (Section 5.1.3)
modes are more complex than the ECDH (Section 5.1.1) and Diffie-
Hellman (Section 5.1.5) modes, are the only modes that require
encryption, and it is not clear that they have been implemented. I
suggest that the Server Assigned and Resolver Assigned modes should
be deprecated.]]]
Optionally, the server can assign keying to be shared with the
resolver as detailed below.
A resolver sends a query for type TKEY accompanied by a TKEY RR
specifying the Server Assignment mode and a resolver KEY RR to be
used in encrypting the response, both in the additional information
section. This query MUST be authenticated (see Section 6).
Otherwise, an attacker can forge a resolver KEY for which they know
the private key, and thereby the attacker could extract a valid
shared secret key from the server response. The TKEY algorithm field
is ignored and SHOULD be set to root to minimize message size. It is
RECOMMENDED that any "key data" provided in the query TKEY RR by the
resolver be strongly mixed by the server with server generated
randomness [RFC4086] to derive the keying material to be sent which
SHOULD be at least 32 octets long. To avoid confusion, the KEY RR in
such a query SHOULD have a name that corresponds to the resolver but
it is only essential that it be a public key for which the resolver
has the corresponding private key so it can decrypt the response
data.
The server response contains a TKEY RR in its answer section with the
Server Assignment Mode and echoes the KEY RR provided in the query in
its additional information section.
If the response TKEY error field is zero, the key data portion of the
response answer TKEY RR will be the server assigned keying data
encrypted under the public key in the resolver provided KEY RR (see
Section 7). In this case, the owner name of the response answer TKEY
RR will be the server assigned name of the key.
If the error field of the response TKEY is non-zero, the query failed
for the reason given. FORMERR is given if the query specified no
resolver public key. BADKEY is given if the server does not support
the resolver public key specified.
Eastlake & Andrews Expires 3 September 2025 [Page 15]
�
Internet-Draft The DNS TKEY RR March 2025
5.1.3. Resolver Assigned Keying (Mode 4)
[[[Comment: The Resolver Assigned and Server Assigned (Section 5.1.2)
modes are more complex than the ECDH (Section 5.1.1) and Diffie-
Hellman (Section 5.1.5) modes, are the only modes that require
encryption, and it is not clear that they have been implemented. I
suggest that the Resolver Assigned and Server Assigned modes be
deprecated?]]]
Optionally, a server can accept a resolver assigned key. The keying
material MUST be encrypted under a server key for protection in
transmission as described in Section 7.
The resolver sends a TKEY query with a Resolver Assignment Mode TKEY
RR that specifies the encrypted keying material and a KEY RR
specifying the server public key used to encrypt the data, both in
the additional information section. The name of the key and the
keying data are controlled by the sending resolver and a globally
unique key name SHOULD be used. The query MUST be authenticated (see
Section 6). Otherwise, an attacker can forge a resolver assigned
TKEY query, and thereby the attacker could specify a shared secret
key that would be accepted and used by the server. The KEY RR used
MUST be one for which the server has the corresponding private key,
or it will not be able to decrypt the keying material and will return
a BADKEY error. If no resolver public key is present, the server
will return a FORMERR error. It is also important that no untrusted
party (preferably no other party than the server) has the private key
corresponding to the KEY RR because, if they do, they can capture the
messages to the server, learn the shared secret, and spoof valid
TSIGs.
The server response contains a TKEY RR in its answer section with the
Resolver Assignment Mode and SHOULD echo the KEY RR provided in the
query in its additional information section.
If the error field of the response TKEY is zero, the server has
accepted the keying data in the query TKEY.
5.1.4. GSS-API Establishment (Mode 3)
This mode is described in "Generic Security Algorithm for Secret Key
Transaction Authentication for DNS (GSS-TSIG)" [RFC3645] which should
be consulted for the full description. Basically, the resolver and
server can exchange queries and responses for type TKEY with a TKEY
RR specifying the GSS-API mode in the additional information section
and a GSS-API token in the key data portion of the TKEY RR.
Eastlake & Andrews Expires 3 September 2025 [Page 16]
�
Internet-Draft The DNS TKEY RR March 2025
Any issues of possible encryption of parts the GSS-API token data
being transmitted are handled by the GSS-API level. In addition, the
GSS-API level provides its own authentication so that this mode of
TKEY query and response MAY be, but does not need to be,
authenticated with a TSIG RR [RFC8945] or SIG(0) RR [rfc2931bis].
The inception and expiration times in a GSS-API mode TKEY RR are
ignored.
5.1.5. Diffie-Hellman Exchanged Keying (Mode 2, Deprecated)
The use of Diffie-Hellman Exchanged Keying mode is NOT RECOMMENDED
for the reasons given in Appendix A which also contains the
specification for that mode for compatibility with old TKEY
implementations. Use of ECDH Exchanged Keying is RECOMMENDED as an
alternative (see Section 5.1.1).
5.2. Other Modes
The TKEY modes specified in the subsections below do not provide for
agreement on a key but provide other functions.
5.2.1. TKEY Deletion (Mode 5)
To avoid attempted reliance in requests on keys no longer in effect,
servers MUST implement key deletion mode whereby the server
"discards" a key on receipt from a resolver of an authenticated
delete mode TKEY RR with that key's name. To be effective, the TKEY
MUST also have an inception time no later than the inception of the
key to be deleted and an expiration time no earlier than the
expiration time of the key to be deleted. This time restriction is
intended to minimize potential insecurities due to replaying deletion
mode TKEY RRs.
If the server has no record of a key with that name, it returns
BADNAME in the TKEY Error field in the reply. This error condition
may be due to the server having discarded the key. If it has a key
with that name but with a validity period extending outside that in
the deletion request, it returns a BADTIME error.
Key deletion TKEY queries MUST be authenticated (see Section 6).
This authentication MAY be a TSIG RR using the key to be deleted.
For resolver assigned keys and ECDH or Diffie-Hellman keys, the
server SHOULD discard all active state associated with the key name
in its key table. For server assigned keys, the server MAY simply
mark the key as no longer retained by the client and re-send it in
response to a future query for server assigned keying material.
Eastlake & Andrews Expires 3 September 2025 [Page 17]
�
Internet-Draft The DNS TKEY RR March 2025
Keys may also be deleted through spontaneous inclusion of a deletion
mode TKEY in a response as specified in Section 5.3.
5.2.2. TKEY Ping (Mode 8)
The TKEY Ping Mode is intended for use as a test of basic TKEY
plumbing and to check the synchronization of the resolver and server
clocks. It also provides a means for a resolver to determine if TKEY
is implemented at a server without changing the key storage state.
In a TKEY Ping mode query, the Name and Algorithm fields SHOULD be
set to root to save space and are ignored by the server. The
Inception field MUST be set to the time the query is constructed
according to the resolver's clock. The Expiration field MUST be set
to zero and ignored on receipt. A resolver MAY include a sequence
number or identification information or whatever else it might find
useful in the Key field. And the Other Data field SHOULD be sent
empty and ignored by the server.
A server implementing TKEY responds with a Ping Mode TKEY RR in the
answer section of its response copied from the query except that it
MUST set the Expiration field to the value of the server's clock when
the reply is constructed even if the response also indicated an error
such as BADTIME.
5.2.3. Documentation Mode (Mode 7)
This mode is assigned as a TKEY Mode to use in examples or
documentation. A server responds with BADMODE as the TKEY error if
it receives a TKEY RR indicating this mode. Mode 7 will never be
assigned any other use.
5.3. Spontaneous Server Inclusion
A DNS server MAY include a deletion mode (mode 5) TKEY RR
spontaneously in the additional information portion of any DNS query
response. To avoid confusion, this SHOULD NOT be done unless the
server has reason to believe that the resolver supports TKEY and
SHOULD only be done if the server has deleted the corresponding
secret key. This technique may be specified or allowed for modes
other than deletion in the future. A disadvantage of this technique
is that there is no way for the server to get any error or success
indication back and, in the case of UDP transport, no way to even
know if the DNS response reached the resolver.
Such a response MUST be authenticated for the TKEY to be effective.
If it is not authenticated, the resolver should ignore any included
TKEY RR. Failure by a client to receive or properly process such
Eastlake & Andrews Expires 3 September 2025 [Page 18]
�
Internet-Draft The DNS TKEY RR March 2025
additional information in a response would mean that the client might
use a key that the server had discarded in a TSIG and would then get
an error indication.
6. TKEY Message Authentication
Unless otherwise specified, all TKEY queries and responses MUST be
authenticated. A server receiving a TKEY query that is not
authenticated but needs to be authenticated returns a NotAuth error
in the returned TKEY Error field. A resolver receiving a TKEY reply
that needs to be authenticated but is not authenticated silently
ignores the TKEY RR.
To avoid replay attacks, it is necessary that a TKEY response or
query not be valid if replayed on the order of 2**32 second (about
136 years), or a multiple thereof, later. To accomplish this, the
keying material used in any TSIG or SIG(0) RR that authenticates a
TKEY message MUST NOT have a lifetime of more than 2**31 - 1 seconds
(about 68 years). Thus, on attempted replay, the authenticating TSIG
or SIG(0) RR would not be verifiable due to key expiration and a
replay would fail.
There are two methods of authentication as specified below.
6.1. Secret Key Authentication
If a shared secret key is in place between the resolver and server,
then TKEY queries and response can be authenticated with TSIG
[RFC8945]. So, for example, an existing shared secret key could be
used to authenticate a TKEY exchange that sets up a new key before
rolling over to that new key.
6.2. Public Key Authentication
As an alternative to secret key authentication, public key
authentication can be used with the SIG(0) RR as specified in
[rfc2931bis].
7. Key Data Encryption Methods
[[[Comment: If the Server Assigned and Resolver Assigned modes are
eliminated, this section and the proposed IANA wrapping algorithm
registry section would also be deleted. If it is going to remain,
this section needs more work.]]]
For the Server Assigned and Resolver Assigned key agreement modes,
secret keying material is sent within the Key Data field of a TKEY RR
encrypted as described below. The secret keying material being sent
Eastlake & Andrews Expires 3 September 2025 [Page 19]
�
Internet-Draft The DNS TKEY RR March 2025
will generally be fairly short, usually not much more than 32 octets,
because that is adequate for very strong protection with modern keyed
hash or symmetric algorithms. The ECDH and Diffie-Hellman modes do
not require encryption of the Key Data field while for the GSS-API
mode any such encryption needed is handled at the GSS-API level.
The first octet of the Key Data field indicates a key wrapping
algorithm. See Section 8.3.2.
The subsections below specify how to obtain a Key Encrypting Key
(KEK) candidate. If the key wrapping algorithm uses a KEK shorter
than the KEK candidate, the candidate is truncated by dropping
trailing octets until it is the correct length. If the key wrapping
algorithm uses a KEK longer than the KEK candidate, the first octet
of the candidate is appended to the KEK being constructed and then
subsequent octets from the candidate are appended to the KEK being
constructed until it is the required length. If the key wrapping
algorithm imposes a restriction on the KEK length, for example that
it be a multiple of a particular power of two in length, such that
both a KEK shorter than the candidate and one longer than the
candidate would be acceptable, the longer option MUST be chosen.
[[[Comment: Could use something much more complicated like HKDF but
I'm not sure it would be worth it.]]]
7.1. Secret KEK Based Encryption
If the TKEY RR whose Key Data field needs encryption is authenticated
by a TSIG, the TSIG secret key is used as a Key Encrypting Key (KEK)
candidate (see above).
7.2. Single Public Key Based Encryption
This section covers the case when a public key algorithm such as RSA
is used where the public and private keys can be used for encryption
and the corresponding decryption which recovers the originally
encrypted data.
For Resolver Assigned key, the KEY RR in the query additional
information section MUST be a public key for which the server has the
corresponding private key. For Server Assigned keying, the KEY RR in
the response additional information section MUST be a public key for
which the resolver has the corresponding private key. If this
condition is not met on a query, BADKEY is returned as an error.
If the KEY RR specifies the RSA algorithm, then the secret keying
material is encrypted as per the description of RSAES-PKCS1-v1_5
encryption in PKCS#1 [RFC8017]. The secret keying material being
sent is directly RSA encrypted in PKCS#1 format. It is not
Eastlake & Andrews Expires 3 September 2025 [Page 20]
�
Internet-Draft The DNS TKEY RR March 2025
"enveloped" under some other symmetric algorithm. In the unlikely
event that the keying material will not fit within one RSA modulus of
the chosen public key, additional RSA encryption blocks are included.
The length of each block is clear from the public RSA key specified
and the RSAES-PKCS1-v1_5 padding makes it clear what part of the
encrypted data is actually keying material and what part is
formatting or the required at least eight octets of random [RFC4086]
padding.
7.3. Two Public Keys Based Encryption
If two public keys, each possibly ephemeral, one for the resolver and
one for the server, are available, a shared initial secret could be
derived and used as a KEK candidate to protect a second secret within
the Key Data field. However, the initial secret can simply be used,
as in ECDH mode. So, use of this indirect method is not supported by
this document.
8. IANA Considerations
This section is to be interpreted as provided in [RFC8126].
8.1. Reference Update
IANA is requested to update all reference to [RFC2930] in the DNS
Parameters Registry Group to reference [this document].
8.2. Existing Assignments
The following assignments have already been made:
* RR Type 249 for TKEY.
* Extended RCODE Error values of 19, 20, and 21 as listed in
Section 3.7.
8.3. TSIG/TKEY Registry Group
IANA is requested to rename the existing "Secret Key Transaction
Authentication for DNS (TSIG) Algorithm Names" registry to be the
"DNS TSIG and TKEY Parameters"" registry group and include within it
the existing "TSIG Algorithm Names" registry and the two new
registries created below.
8.3.1. TKEY Modes Registry
IANA is requested to create a "TKEY Modes" Registry as follows:
Eastlake & Andrews Expires 3 September 2025 [Page 21]
�
Internet-Draft The DNS TKEY RR March 2025
Name: TKEY Modes
Reference: [this document]
Registration Procedures:
0x0000 - reserved
0x0001-0x0FFF - standards action
0x1000-0xFFEF - specification required
0xFFF0-0xFFFE - experimental use
0xFFFF - reserved
Initial contents as follows:
Eastlake & Andrews Expires 3 September 2025 [Page 22]
�
Internet-Draft The DNS TKEY RR March 2025
+==========+===================+================+=================+
| Value | Description | Implementation | Reference |
+==========+===================+================+=================+
| 0x0000 | - reserved | - | |
+----------+-------------------+----------------+-----------------+
| 0x0001 | Server Assignment | MAY | Section 5.1.2, |
| | | | [this document] |
+----------+-------------------+----------------+-----------------+
| 0x0002 | Diffie-Hellman | SHOULD NOT | Appendix A, |
| | exchange | | [this document] |
+----------+-------------------+----------------+-----------------+
| 0x0003 | GSS-API | MAY | Section 5.1.4, |
| | Negotiation | | [this document] |
+----------+-------------------+----------------+-----------------+
| 0x0004 | Resolver | MUST | Section 5.1.3, |
| | Assignment | | [this document] |
+----------+-------------------+----------------+-----------------+
| 0x0005 | Key Deletion | MUST | Section 5.2.1, |
| | | | [this document] |
+----------+-------------------+----------------+-----------------+
| 0x0006 | ECDH Agreement | SHOULD | Section 5.1.1 |
| | | | [this document] |
+----------+-------------------+----------------+-----------------+
| 0x0007 | Documentation/ | N/A | Section 5.2.3, |
| | example | | [this document] |
+----------+-------------------+----------------+-----------------+
| 0x0008 | TKEY Ping | MUST | Section 5.2.2, |
| | | | [this document] |
+----------+-------------------+----------------+-----------------+
| 0x0009 - | - unassigned | - | |
| 0x0FFF | | | |
+----------+-------------------+----------------+-----------------+
| 0x1000 - | - unassigned | - | |
| 0xFFEF | | | |
+----------+-------------------+----------------+-----------------+
| 0xFFF0 - | - experimental | - | |
| 0xFFFE | use | | |
+----------+-------------------+----------------+-----------------+
| 0xFFFF | - reserved | - | |
+----------+-------------------+----------------+-----------------+
Table 4
8.3.2. TKEY Key Wrapping Algorithm Registry
[[[Comment: If the Server Assigned and Resolver Assigned modes are
dropped, this registry would not be needed.]]]
Eastlake & Andrews Expires 3 September 2025 [Page 23]
�
Internet-Draft The DNS TKEY RR March 2025
IANA is requested to create a Registry as follows:
Name: TKEY Key Wrapping Algorithms
Reference: [this document]
Registration Procedure: IETF Consensus
+===========+==============+===========+
| Value | Description | Reference |
+===========+==============+===========+
| 0x00 | - reserved | |
+-----------+--------------+-----------+
| 0x01 | Triple-DES | [RFC3217] |
+-----------+--------------+-----------+
| 0x02 | AES-pad | [RFC5649] |
+-----------+--------------+-----------+
| 0x04-0xFE | - unassigned | |
+-----------+--------------+-----------+
| 0xFF | - reserved | |
+-----------+--------------+-----------+
Table 5: Key Wrapping Algorithms
9. Security Considerations
This specification is concerned with the secure establishment of
shared secret keys between DNS clients and servers in support of TSIG
[RFC8945].
Secret keys agreed to using TKEY and the private keys corresponding
to the public key belonging to DNS resolvers and servers are very
sensitive information. All practical steps should be taken to
protect them on every host on which they are stored. Generally, such
hosts need to be physically protected. If they are shared machines,
great care should be taken so that unprivileged processes have no
access to keying material. Resolvers sometimes run unprivileged,
which means all users of a host might be able to see whatever
configuration data are used by the resolver.
Protection against denial of service via the use of TKEY is not
provided. DNS servers and resolve should implement appropriate rate
limiting.
More TBD
10. Normative References
Eastlake & Andrews Expires 3 September 2025 [Page 24]
�
Internet-Draft The DNS TKEY RR March 2025
[RFC0020] Cerf, V., "ASCII format for network interchange", STD 80,
RFC 20, DOI 10.17487/RFC0020, October 1969,
<https://www.rfc-editor.org/info/rfc20>.
[RFC1982] Elz, R. and R. Bush, "Serial Number Arithmetic", RFC 1982,
DOI 10.17487/RFC1982, August 1996,
<https://www.rfc-editor.org/info/rfc1982>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
[rfc2931bis]
Eastlake, D. and J. Stenstam, "Domain Name System (DNS)
Public Key Based Request and Transaction Authentication (
SIG(0) )", work in process,
<https://datatracker.ietf.org/doc/draft-eastlake-dnsop-
rfc2931bis-tsigzero/>.
[RFC3217] Housley, R., "Triple-DES and RC2 Key Wrapping", RFC 3217,
DOI 10.17487/RFC3217, December 2001,
<https://www.rfc-editor.org/info/rfc3217>.
[RFC3645] Kwan, S., Garg, P., Gilroy, J., Esibov, L., Westhead, J.,
and R. Hall, "Generic Security Service Algorithm for
Secret Key Transaction Authentication for DNS (GSS-TSIG)",
RFC 3645, DOI 10.17487/RFC3645, October 2003,
<https://www.rfc-editor.org/info/rfc3645>.
[RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "Resource Records for the DNS Security Extensions",
RFC 4034, DOI 10.17487/RFC4034, March 2005,
<https://www.rfc-editor.org/info/rfc4034>.
[RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data
Encodings", RFC 4648, DOI 10.17487/RFC4648, October 2006,
<https://www.rfc-editor.org/info/rfc4648>.
[RFC5649] Housley, R. and M. Dworkin, "Advanced Encryption Standard
(AES) Key Wrap with Padding Algorithm", RFC 5649,
DOI 10.17487/RFC5649, September 2009,
<https://www.rfc-editor.org/info/rfc5649>.
[RFC5869] Krawczyk, H. and P. Eronen, "HMAC-based Extract-and-Expand
Key Derivation Function (HKDF)", RFC 5869,
DOI 10.17487/RFC5869, May 2010,
<https://www.rfc-editor.org/info/rfc5869>.
Eastlake & Andrews Expires 3 September 2025 [Page 25]
�
Internet-Draft The DNS TKEY RR March 2025
[RFC6234] Eastlake 3rd, D. and T. Hansen, "US Secure Hash Algorithms
(SHA and SHA-based HMAC and HKDF)", RFC 6234,
DOI 10.17487/RFC6234, May 2011,
<https://www.rfc-editor.org/info/rfc6234>.
[RFC6605] Hoffman, P. and W.C.A. Wijngaards, "Elliptic Curve Digital
Signature Algorithm (DSA) for DNSSEC", RFC 6605,
DOI 10.17487/RFC6605, April 2012,
<https://www.rfc-editor.org/info/rfc6605>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[RFC8418] Housley, R., "Use of the Elliptic Curve Diffie-Hellman Key
Agreement Algorithm with X25519 and X448 in the
Cryptographic Message Syntax (CMS)", RFC 8418,
DOI 10.17487/RFC8418, August 2018,
<https://www.rfc-editor.org/info/rfc8418>.
11. Informative References
[Schneier] Schneier, B., "Applied Cryptography Second Edition:
protocols, algorithms, and source code in C",
ISBN 0-471-11709-9, 1966.
[RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987,
<https://www.rfc-editor.org/info/rfc1034>.
[RFC1035] Mockapetris, P., "Domain names - implementation and
specification", STD 13, RFC 1035, DOI 10.17487/RFC1035,
November 1987, <https://www.rfc-editor.org/info/rfc1035>.
[RFC1995] Ohta, M., "Incremental Zone Transfer in DNS", RFC 1995,
DOI 10.17487/RFC1995, August 1996,
<https://www.rfc-editor.org/info/rfc1995>.
[RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-
Hashing for Message Authentication", RFC 2104,
DOI 10.17487/RFC2104, February 1997,
<https://www.rfc-editor.org/info/rfc2104>.
[RFC2535] Eastlake 3rd, D., "Domain Name System Security
Extensions", RFC 2535, DOI 10.17487/RFC2535, March 1999,
<https://www.rfc-editor.org/info/rfc2535>.
Eastlake & Andrews Expires 3 September 2025 [Page 26]
�
Internet-Draft The DNS TKEY RR March 2025
[RFC2539] Eastlake 3rd, D., "Storage of Diffie-Hellman Keys in the
Domain Name System (DNS)", RFC 2539, DOI 10.17487/RFC2539,
March 1999, <https://www.rfc-editor.org/info/rfc2539>.
[RFC2930] Eastlake 3rd, D., "Secret Key Establishment for DNS (TKEY
RR)", RFC 2930, DOI 10.17487/RFC2930, September 2000,
<https://www.rfc-editor.org/info/rfc2930>.
[RFC3007] Wellington, B., "Secure Domain Name System (DNS) Dynamic
Update", RFC 3007, DOI 10.17487/RFC3007, November 2000,
<https://www.rfc-editor.org/info/rfc3007>.
[RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "Protocol Modifications for the DNS Security
Extensions", RFC 4035, DOI 10.17487/RFC4035, March 2005,
<https://www.rfc-editor.org/info/rfc4035>.
[RFC4086] Eastlake 3rd, D., Schiller, J., and S. Crocker,
"Randomness Requirements for Security", BCP 106, RFC 4086,
DOI 10.17487/RFC4086, June 2005,
<https://www.rfc-editor.org/info/rfc4086>.
[RFC5905] Mills, D., Martin, J., Ed., Burbank, J., and W. Kasch,
"Network Time Protocol Version 4: Protocol and Algorithms
Specification", RFC 5905, DOI 10.17487/RFC5905, June 2010,
<https://www.rfc-editor.org/info/rfc5905>.
[RFC6151] Turner, S. and L. Chen, "Updated Security Considerations
for the MD5 Message-Digest and the HMAC-MD5 Algorithms",
RFC 6151, DOI 10.17487/RFC6151, March 2011,
<https://www.rfc-editor.org/info/rfc6151>.
[RFC6895] Eastlake 3rd, D., "Domain Name System (DNS) IANA
Considerations", BCP 42, RFC 6895, DOI 10.17487/RFC6895,
April 2013, <https://www.rfc-editor.org/info/rfc6895>.
[RFC8017] Moriarty, K., Ed., Kaliski, B., Jonsson, J., and A. Rusch,
"PKCS #1: RSA Cryptography Specifications Version 2.2",
RFC 8017, DOI 10.17487/RFC8017, November 2016,
<https://www.rfc-editor.org/info/rfc8017>.
[RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for
Writing an IANA Considerations Section in RFCs", BCP 26,
RFC 8126, DOI 10.17487/RFC8126, June 2017,
<https://www.rfc-editor.org/info/rfc8126>.
Eastlake & Andrews Expires 3 September 2025 [Page 27]
�
Internet-Draft The DNS TKEY RR March 2025
[RFC8945] Dupont, F., Morris, S., Vixie, P., Eastlake 3rd, D.,
Gudmundsson, O., and B. Wellington, "Secret Key
Transaction Authentication for DNS (TSIG)", STD 93,
RFC 8945, DOI 10.17487/RFC8945, November 2020,
<https://www.rfc-editor.org/info/rfc8945>.
[RFC9499] Hoffman, P. and K. Fujiwara, "DNS Terminology", BCP 219,
RFC 9499, DOI 10.17487/RFC9499, March 2024,
<https://www.rfc-editor.org/info/rfc9499>.
Appendix A. Diffie-Hellman Exchanged Keying Details
TKEY Mode 2, Diffie-Hellman Exchanged Keying, is deprecated for the
reasons given below. It SHOULD NOT be used unless needed for
compatibility with old TKEY implementations.
1. The mixing function used does not meet current cryptographic
standards because it uses MD5 [RFC6151].
2. The ad hoc method of combining the DH derived shared value with
various nonces is inferior to the HKDF [RFC5869] method used with
the ECDH TKEY mode specified in this document.
Diffie-Hellman (DH) key exchange is means whereby two parties can
derive some shared secret information without requiring any secrecy
of the messages they exchange [Schneier]. When this mode was
originally specified, it was assumed that RSA public/private keys
would be used. Provisions have been made for the storage of "DH"
(RSA) public keys in the DNS [RFC2539].
A resolver sends a query for type TKEY accompanied by a TKEY RR in
the additional information section specifying the Diffie-Hellman mode
and accompanied by a KEY RR also in the additional information
section specifying a resolver public key. The TKEY RR algorithm
field is set to the authentication algorithm the resolver plans to
use. The "key data" provided in the TKEY is used as a random
[RFC4086] nonce to avoid always deriving the same keying material for
the same pair of DH KEYs.
The server response contains a TKEY in its answer section with the
Diffie-Hellman mode. The "key data" provided in this TKEY is used as
an additional nonce to avoid always deriving the same keying material
for the same pair of DH KEYs. If the TKEY error field is non-zero,
the query failed for the reason given. FORMERR is given if the query
included no DH KEY and BADKEY is given if the query included an
incompatible DH KEY.
Eastlake & Andrews Expires 3 September 2025 [Page 28]
�
Internet-Draft The DNS TKEY RR March 2025
If the response TKEY error field is zero, the resolver supplied KEY
RR SHOULD be echoed in the additional information section and a
server Diffie-Hellman KEY RR MUST be present in the answer section of
the response. Both parties can then calculate the same shared secret
quantity from the pair of public keys used [Schneier] (provided these
keys are compatible) and the data in the TKEY RRs. The TKEY RR data
is mixed with the DH result as follows:
keying material =
XOR ( DH value, MD5 ( query data | DH value ) |
MD5 ( server data | DH value ) )
Where XOR is the bitwise exclusive-OR operation and "|" is octet-
string concatenation. The shorter of the two operands to XOR is
octet-wise left justified and padded with zero-valued octets to match
the length of the other operand. "DH value" is the Diffie-Hellman
value derived from the KEY RRs. Query data and server data are the
values sent in the TKEY RR data fields. These "query data" and
"server data" nonces are suffixed by the DH value, digested by MD5,
the results concatenated, and then XORed with the DH value.
The inception and expiration times in the query TKEY RR are those
requested for the keying material. The inception and expiration
times in the response TKEY RR are the maximum period the server will
consider the keying material valid. Servers may pre-expire keys, so
this is not a guarantee.
Appendix B. Changes from [RFC2930]
This document incorporates the following significant changes from
[RFC2930]:
* Addition of the ECDH exchange mode (#6), the example mode (#7),
and the ping mode (#8).
* Deprecation of Diffie-Hellman Exchanged Keying.
* Additional material including that concerned with authentication
of TKEY RRs and encryption of the Key Data field.
* Editorial changes including some re-organization.
Acknowledgements
The comments and suggestions of the following are gratefully
acknowledged:
tbd
Eastlake & Andrews Expires 3 September 2025 [Page 29]
�
Internet-Draft The DNS TKEY RR March 2025
The comments and suggestions of the following persons were
incorporated into RFC 2930, which was the previous version of this
document, and are gratefully acknowledged:
Olafur Gudmundsson, Stuart Kwan, Ed Lewis, Erik Nordmark, and
Brian Wellington.
Authors' Addresses
Donald E. Eastlake 3rd
Independent
2386 Panoramic Circle
Apopka, Florida 32703
United States of America
Phone: +1-508-333-2270
Email: d3e3e3@gmail.com
Mark Andrews
Internet Systems Consortium
Email: marka@isc.org
Eastlake & Andrews Expires 3 September 2025 [Page 30]