Secret Key Transaction Authentication for DNS (TSIG)Internet Software Consortium950 Charter StreetRedwood CityCA94063United StatesFrancis.Dupont@fdupont.frInternet Software Consortium950 Charter StreetRedwood CityCA94063United Statesstephen@isc.orghttp://www.isc.org
Operations and Management Area
Internet Engineering Task ForceThis protocol allows for transaction level authentication using
shared secrets and one way hashing. It can be used to authenticate
dynamic updates as coming from an approved client, or to authenticate
responses as coming from an approved recursive name server.No provision has been made here for distributing the shared
secrets: it is expected that a network administrator will
statically configure name servers and clients using some out
of band mechanism such as sneaker-net until a secure automated
mechanism for key distribution is available.This document includes revised original TSIG specifications
(RFC2845) and the extension for HMAC-SHA (RFC4635).In 2017, security problems in two nameservers strictly following
and
(i.e., TSIG and HMAC-SHA extension) specifications were
discovered.
The implementations were fixed but, to avoid similar problems
in the future, the two documents were updated and merged,
producing these revised specifications for TSIG.The Domain Name System (DNS) , is a replicated hierarchical distributed
database system that provides information fundamental to Internet
operations, such as name <=> address translation and mail
handling information.This document specifies use of a message authentication code
(MAC), either HMAC-MD5 or HMAC-SHA (keyed hash functions), to
provide an efficient means of point-to-point authentication and
integrity checking for transactions.The second area where the secret key based MACs specified in
this document can be used is to authenticate DNS update requests
as well as transaction responses, providing a lightweight
alternative to the protocol described by .A further use of this mechanism is to protect zone transfers.
In this case the data covered would be the whole zone transfer
including any glue records sent. The protocol described by DNSSEC
does not protect glue records and unsigned
records unless SIG(0) (transaction signature) is used.The authentication mechanism proposed in this document uses
shared secret keys to establish a trust relationship between two
entities. Such keys must be protected in a fashion similar to
private keys, lest a third party masquerade as one of the intended
parties (forge MACs). There is an urgent need to provide simple and
efficient authentication between clients and local servers and this
proposal addresses that need. This proposal is unsuitable for
general server to server authentication for servers which speak with
many other servers, since key management would become unwieldy with
the number of shared keys going up quadratically. But it is suitable
for many resolvers on hosts that only talk to a few recursive
servers.A server acting as an indirect caching resolver -- a "forwarder"
in common usage -- might use transaction-based authentication when
communicating with its small number of preconfigured "upstream"
servers. Other uses of DNS secret key authentication and possible
systems for automatic secret key distribution may be proposed in
separate future documents.Note that use of TSIG presumes prior agreement between the resolver
and server involved as to the algorithm and key to be used.Since the publication of first version of this document
() a mechanism based on
asymmetric signatures using the SIG RR was specified (SIG(0)
) when this document uses
symmetric authentication codes calculated by HMAC using strong hash functions.The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED",
"MAY", and "OPTIONAL" in this document are to be interpreted as
described in BCP 14
when, and only when, they appear in all capitals, as shown here.RRTYPE = TSIG (250)
ERROR = 0..15 (a DNS RCODE)
ERROR = 16 (BADSIG)
ERROR = 17 (BADKEY)
ERROR = 18 (BADTIME)
ERROR = 22 (BADTRUNC)To provide secret key authentication, we use a new RR
type whose mnemonic is TSIG and whose type code is 250.
TSIG is a meta-RR and MUST NOT be cached. TSIG RRs are
used for authentication between DNS entities that have
established a shared secret key. TSIG RRs are dynamically
computed to cover a particular DNS transaction and are not
DNS RRs in the usual sense.As the TSIG RRs are related to one DNS request/response,
there is no value in storing or retransmitting them, thus the
TSIG RR is discarded once it has been used to authenticate a DNS
message. All multi-octet
integers in the TSIG record are sent in network byte order (see
2.3.2).The name of the key used in domain
name syntax. The name should reflect the names of the
hosts and uniquely identify the key among a set of keys
these two hosts may share at any given time. If hosts
A.site.example and B.example.net share a key, possibilities
for the key name include <id>.A.site.example,
<id>.B.example.net, and
<id>.A.site.example.B.example.net. It should be
possible for more than one key to be in simultaneous use
among a set of interacting hosts. The name only needs
to be meaningful to the communicating hosts but a meaningful
mnemonic name as above is strongly recommended.
The name may be used as a local index
to the key involved and it is recommended that it be
globally unique. Where a key is just shared between two
hosts, its name actually only need only be meaningful to
them but it is recommended that the key name be mnemonic
and incorporate the resolver and server host names in
that order.TSIG (250: Transaction SIGnature)ANY0(variable)The RDATA for a TSIG RR consists of an octet stream
Algorithm Name field, a uint48_t Time Signed field, a
uint16_t Fudge field, a uint16_t MAC Size field, a octet
stream MAC field, a uint16_t Original ID, a uint16_t Error
field, a uint16_t Other Len field and an octet stream of
Other Data.The Algorithm Name field identifies the TSIG algorithm
name in the domain name syntax.The Time Signed field specifies seconds since
1970-01-01 UTC.The Fudge field specifies allowed time difference in
seconds permitted in the Time Signed field.The MAC Size field specifies the length of MAC field in
octets. Truncation is indicated by a MAC size less than
the HMAC size.The MAC field contents are defined by the used Algorithm.The Error field contains the Expanded RCODE covering
TSIG processing.The Other Len field specifies the length of Other Data
in octets.The Other Data field is empty unless Error == BADTIME.HOST.EXAMPLE.TSIGANY0As appropriateField NameContentsAlgorithm NameSAMPLE-ALG.EXAMPLE.Time Signed853804800Fudge300MAC SizeAs appropriateMACAs appropriateOriginal IDAs appropriateError0 (NOERROR)Other Len0Other DataEmptyOnce the outgoing message has been constructed, the keyed
message digest operation can be performed. The resulting
message digest will then be stored in a TSIG which is
appended to the additional data section (the ARCOUNT is
incremented to reflect this). If the TSIG record cannot
be added without causing the message to be truncated, the
server MUST alter the response so that a TSIG can be included.
This response consists of only the question and a TSIG
record, and has the TC bit set and RCODE 0 (NOERROR). The
client SHOULD at this point retry the request using TCP
(per 4.2.2).If an incoming message contains a TSIG record, it MUST
be the last record in the additional section. Multiple
TSIG records are not allowed. If a TSIG record is present
in any other position, the packet is dropped and a response
with RCODE 1 (FORMERR) MUST be returned. Upon receipt of
a message with a correctly placed TSIG RR, the TSIG RR is
copied to a safe location, removed from the DNS Message,
and decremented out of the DNS message header's ARCOUNT.
At this point the keyed message digest operation is performed:
until this operation concludes that the signature is valid,
the signature MUST be considered to be invalid.
If the algorithm name or key name is unknown to the recipient,
or if the message digests do not match, the whole DNS message
MUST be discarded. If the message is a query, a response
with RCODE 9 (NOTAUTH) MUST be sent back to the originator
with TSIG ERROR 17 (BADKEY) or TSIG ERROR 16 (BADSIG). If
no key is available to sign this message it MUST be sent
unsigned (MAC size == 0 and empty MAC). A message to the
system operations log SHOULD be generated, to warn the
operations staff of a possible security incident in progress.
Care should be taken to ensure that logging of this type
of event does not open the system to a denial of service
attack.The data digested includes the two timer values in the
TSIG header in order to defend against replay attacks. If
this were not done, an attacker could replay old messages
but update the "Time Signed" and "Fudge" fields to make the
message look new. This data is named "TSIG Timers", and
for the purpose of digest calculation they are invoked in
their "on the wire" format, in the following order: first
Time Signed, then Fudge. For example:Field NameValueWire FormatMeaningTime Signed85380480000 00 32 e4 07 00Tue Jan 21 00:00:00 1997Fudge30001 2C5 minutesWhen generating or verifying the contents of a TSIG
record, the following data are digested, in network byte
order or wire format, as appropriate:A whole and complete DNS message in wire format, before
the TSIG RR has been added to the additional data section
and before the DNS Message Header's ARCOUNT field has
been incremented to contain the TSIG RR. If the message
ID differs from the original message ID, the original
message ID is substituted for the message ID. This could
happen when forwarding a dynamic update request, for
example.SourceField NameNotesTSIG RRNAMEKey name, in canonical wire formatTSIG RRCLASS(Always ANY in the current specification)TSIG RRTTL(Always 0 in the current specification)TSIG RDATAAlgorithm Namein canonical wire formatTSIG RDATATime Signedin network byte orderTSIG RDATAFudgein network byte orderTSIG RDATAErrorin network byte orderTSIG RDATAOther Lenin network byte orderTSIG RDATAOther Dataexactly as transmittedThe RR RDLEN and RDATA MAC Length are not included in the hash
since they are not guaranteed to be knowable before the MAC is
generated.The Original ID field is not included in this section,
as it has already been substituted for the message ID in
the DNS header and hashed.For each label type, there must be a defined "Canonical
wire format" that specifies how to express a label in an
unambiguous way. For label type 00, this is defined in , for label type 01, this is defined in
. The use of label types other than
00 and 01 is not defined for this specification.When generating the MAC to be included in a response, the
validated request MAC MUST be included in the digest. If the
request MAC failed to validate, an unsigned error message MUST
be returned instead. ().The request's MAC is digested in wire format,
including the following fields:FieldTypeDescriptionMAC Lengthuint16_tin network byte orderMAC Dataoctet streamexactly as transmittedDigested components are fed into the hashing function as a
continuous octet stream with no interfield padding.Client performs the message digest operation and appends a TSIG
record to the additional data section and transmits the request to
the server. The client MUST store the message digest from the
request while awaiting an answer. The digest components for a
request are:DNS Message (request)
TSIG Variables (request)Note that some older name servers will not accept requests with
a nonempty additional data section. Clients SHOULD only attempt
signed transactions with servers who are known to support TSIG and
share some secret key with the client -- so, this is not a problem
in practice.When a server has generated a response to a signed request, it
signs the response using the same algorithm and key. The server
MUST NOT generate a signed response to an unsigned request or
a request that fails validation. The digest components are:Request MAC
DNS Message (response)
TSIG Variables (response)When a server detects an error relating to the key or MAC, the
server SHOULD send back an unsigned error message (MAC size == 0
and empty MAC). If an error is detected relating to the TSIG
validity period or the MAC is too short for the local policy,
the server SHOULD send back a signed error message.
The digest components are:Request MAC (if the request MAC validated)
DNS Message (response)
TSIG Variables (response)The reason that the request is not included in this digest in
some cases is to make it possible for the client to verify the
error. If the error is not a TSIG error the response MUST be
generated as specified in .A DNS TCP session can include multiple DNS envelopes. This is,
for example, commonly used by zone transfer. Using TSIG on such a
connection can protect the connection from hijacking and provide
data integrity. The TSIG MUST be included on the first and last
DNS envelopes. It can be optionally placed on any intermediary
envelopes. It is expensive to include it on every envelopes, but
it MUST be placed on at least every 100'th envelope. The first
envelope is processed as a standard answer, and subsequent messages
have the following digest components:Prior Digest (running)
DNS Messages (any unsigned messages since the last TSIG)
TSIG Timers (current message)This allows the client to rapidly detect when the session has
been altered; at which point it can close the connection and retry.
If a client TSIG verification fails, the client MUST close the
connection. If the client does not receive TSIG records frequently
enough (as specified above) it SHOULD assume the connection has
been hijacked and it SHOULD close the connection. The client SHOULD
treat this the same way as they would any other interrupted transfer
(although the exact behavior is not specified).Upon receipt of a message, server will check if there is a TSIG
RR. If one exists, the server is REQUIRED to return a TSIG RR in
the response. The server MUST perform the following checks in the
following order, check Key, check MAC, check Time values,
check Truncation policy.If a non-forwarding server does not recognize the key
used by the client, the server MUST generate an error
response with RCODE 9 (NOTAUTH) and TSIG ERROR 17 (BADKEY).
This response MUST be unsigned as specified in . The server SHOULD log the error.When space is at a premium and the strength of the full
length of an HMAC is not needed, it is reasonable to truncate
the HMAC and use the truncated value for
authentication. HMAC SHA-1 truncated to 96 bits is an option
available in several IETF protocols, including IPsec and TLS.Processing of a truncated MAC follows these rules
If "MAC size" field is greater than HMAC output length:
This case MUST NOT be generated and, if received,
MUST cause the packet to be dropped and RCODE 1
(FORMERR) to be returned.
If "MAC size" field equals HMAC output length:
The entire output HMAC output is present and used.
"MAC size" field is less than HMAC output length but
greater than that specified in case 4, below:
This is sent when the signer has truncated the HMAC
output to an allowable length, as described in
, taking initial octets and
discarding trailing octets. TSIG truncation can only be
to an integral number of octets. On receipt of a packet
with truncation thus indicated, the locally calculated
MAC is similarly truncated and only the truncated values
are compared for authentication. The request MAC used
when calculating the TSIG MAC for a reply is the
truncated request MAC.
"MAC size" field is less than the larger of 10 (octets) and half
the length of the hash function in use:
With the exception of certain TSIG error messages
described in , where it is
permitted that the MAC size be zero, this case MUST NOT
be generated and, if received, MUST cause the packet to
be dropped and RCODE 1 (FORMERR) to be returned.
If a TSIG fails to verify, the server MUST generate
an error response as specified in
with RCODE 9
(NOTAUTH) and TSIG ERROR 16 (BADSIG). This response MUST
be unsigned as specified in .
The server SHOULD log the error.If the server time is outside the time interval specified
by the request (which is: Time Signed, plus/minus Fudge),
the server MUST generate an error response with RCODE 9
(NOTAUTH) and TSIG ERROR 18 (BADTIME). The server SHOULD
also cache the most recent time signed value in a message
generated by a key, and SHOULD return BADTIME if a message
received later has an earlier time signed value. A
response indicating a BADTIME error MUST be signed by the
same key as the request. It MUST include the client's
current time in the time signed field, the server's current
time (a uint48_t) in the other data field, and 6 in the
other data length field. This is done so that the client
can verify a message with a BADTIME error without the
verification failing due to another BADTIME error. The
data signed is specified in .
The server SHOULD log the error.If a TSIG is received with truncation that is permitted
under above but the MAC is too short
for the local policy in force, an RCODE 9 (NOTAUTH) and TSIG
ERROR 22 (BADTRUNC) MUST be returned. The server SHOULD
log the error.When a client receives a response from a server and
expects to see a TSIG, it first checks if the TSIG RR is
present in the response. Otherwise, the response is treated
as having a format error and discarded. The client then
extracts the TSIG, adjusts the ARCOUNT, and calculates the
keyed digest in the same way as the server, applying the
same rules to decide if truncated MAC is valid.
If the TSIG
does not validate, that response MUST be discarded, unless
the RCODE is 9 (NOTAUTH), in which case the client SHOULD
attempt to verify the response as if it were a TSIG Error
response, as specified in .
A message containing an
unsigned TSIG record or a TSIG record which fails verification
SHOULD NOT be considered an acceptable response; the client
SHOULD log an error and continue to wait for a signed
response until the request times out.If an RCODE on a response is 9 (NOTAUTH), and the
response TSIG validates, and the TSIG key is different
from the key used on the request, then this is a Key
error. The client MAY retry the request using the key
specified by the server. This should never occur, as a
server MUST NOT sign a response with a different key than
signed the request.If the response RCODE is 9 (NOTAUTH) and TSIG ERROR
is 16 (BADSIG), this is a MAC error, and client MAY retry
the request with a new request ID but it would be better
to try a different shared key if one is available. Clients
SHOULD keep track of how many MAC errors are associated
with each key. Clients SHOULD log this event.If the response RCODE is 9 (NOTAUTH) and the TSIG ERROR
is 18 (BADTIME), or the current time does not fall in the
range specified in the TSIG record, then this is a Time
error. This is an indication that the client and server
clocks are not synchronized. In this case the client
SHOULD log the event. DNS resolvers MUST NOT adjust any
clocks in the client based on BADTIME errors, but the
server's time in the other data field SHOULD be logged.If the response RCODE is 9 (NOTAUTH) and the TSIG ERROR
is 22 (BADTRUNC) the this is a Truncation error. The client
MAY retry with lesser truncation up to the full HMAC output
(no truncation), using the truncation used in the response
as a hint for what the server policy allowed
(). Clients SHOULD log this event.A server acting as a forwarding server of a DNS message
SHOULD check for the existence of a TSIG record. If the name on
the TSIG is not of a secret that the server shares with the
originator the server MUST forward the message unchanged
including the TSIG. If the name of the TSIG is of a key this
server shares with the originator, it MUST process the TSIG. If
the TSIG passes all checks, the forwarding server MUST, if
possible, include a TSIG of his own, to the destination or the
next forwarder. If no transaction security is available to the
destination and the response has the AD flag (see ), the forwarder MUST unset the AD flag before
adding the TSIG to the answer.The only message digest algorithm specified in the first
version of these specifications was
"HMAC-MD5" (see , ). The "HMAC-MD5" algorithm is mandatory to
implement for interoperability.The use of SHA-1 ,
, (which is a 160-bit hash as compared to
the 128 bits for MD5), and additional hash algorithms in
the SHA family , ,
with 224, 256, 384, and
512 bits may be preferred in some cases. This is because
increasingly successful cryptanalytic attacks are being made on the
shorter hashes.Use of TSIG between a DNS resolver and server is by mutual
agreement. That agreement can include the support of additional
algorithms and criteria as to which algorithms and truncations are
acceptable, subject to the restriction and guidelines in
above.
Key agreement can be by the TKEY mechanism
or some other mutually agreeable method.The current HMAC-MD5.SIG-ALG.REG.INT and gss-tsig identifiers are
included in the table below for convenience. Implementations that
support TSIG MUST also implement HMAC SHA1 and HMAC SHA256 and MAY
implement gss-tsig and the other algorithms listed below.RequirementNameMandatoryHMAC-MD5.SIG-ALG.REG.INTOptionalgss-tsigMandatoryhmac-sha1Optionalhmac-sha224Mandatoryhmac-sha256Optionalhmac-sha384Optionalhmac-sha512SHA-1 truncated to 96 bits (12 octets) SHOULD be implemented.Use of TSIG is by mutual agreement between a resolver and server.
Implicit in such an "agreement" are criteria as to acceptable keys and
algorithms and, with the extensions in this document, truncations.
Note that it is common for implementations to bind the TSIG secret
key or keys that may be in place at a resolver and server to
particular algorithms. Thus, such implementations only permit the
use of an algorithm if there is an associated key in place. Receipt
of an unknown, unimplemented, or disabled algorithm typically results
in a BADKEY error.Local policies MAY require the rejection of TSIGs, even though
they use an algorithm for which implementation is mandatory.When a local policy permits acceptance of a TSIG with a particular
algorithm and a particular non-zero amount of truncation, it SHOULD
also permit the use of that algorithm with lesser truncation (a
longer MAC) up to the full HMAC output.Regardless of a lower acceptable truncated MAC length specified by
local policy, a reply SHOULD be sent with a MAC at least as long as
that in the corresponding request. Note if the request specified a MAC
length longer than the HMAC output it will be rejected by
processing rules case 1.Implementations permitting multiple acceptable algorithms and/or
truncations SHOULD permit this list to be ordered by presumed
strength and SHOULD allow different truncations for the same
algorithm to be treated as separate entities in this list. When so
implemented, policies SHOULD accept a presumed stronger algorithm and
truncation than the minimum strength required by the policy.Secret keys are very sensitive information and all available
steps should be taken to protect them on every host on which they
are stored. Generally such hosts need to be physically protected.
If they are multi-user machines, great care should be taken that
unprivileged users have no access to keying material. Resolvers
often run unprivileged, which means all users of a host would be
able to see whatever configuration data is used by the resolver.A name server usually runs privileged, which means its
configuration data need not be visible to all users of the host.
For this reason, a host that implements transaction-based
authentication should probably be configured with a "stub
resolver" and a local caching and forwarding name server. This
presents a special problem for which
otherwise depends on clients to communicate only with a zone's
authoritative name servers.Use of strong random shared secrets is essential to the
security of TSIG. See for a discussion
of this issue. The secret SHOULD be at least as long as the keyed
message digest, i.e., 16 bytes for HMAC-MD5 or 20 bytes for
HMAC-SHA1.IANA maintains a registry of algorithm names to be used as
"Algorithm Names" as defined in . Algorithm
names are text strings encoded using the syntax of a domain name.
There is no structure required other than names for different
algorithms must be unique when compared as DNS names, i.e.,
comparison is case insensitive. Previous specifications
and defined
values for HMAC MD5 and SHA. IANA has also registered "gss-tsig"
as an identifier for TSIG authentication where the cryptographic
operations are delegated to the Generic Security Service (GSS)
.New algorithms are assigned using
the IETF Consensus policy defined in .
The algorithm name
HMAC-MD5.SIG-ALG.REG.INT looks like a fully-qualified domain
name for historical reasons;
other algorithm names are simple (i.e., single-component) names.IANA maintains a registry of "TSIG Error values" to be used
for "Error" values as defined in .
Initial values should be those defined in .
New TSIG
error codes for the TSIG error field are assigned using the IETF
Consensus policy defined in .The approach specified here is computationally much less
expensive than the signatures specified in DNSSEC. As long as
the shared secret key is not compromised, strong authentication
is provided for the last hop from a local name server to the
user resolver.Secret keys should be changed periodically. If the client host
has been compromised, the server should suspend the use of all
secrets known to that client. If possible, secrets should be stored
in encrypted form. Secrets should never be transmitted in the clear
over any network. This document does not address the issue on how
to distribute secrets. Secrets should never be shared by more than
two entities.This mechanism does not authenticate source data, only its
transmission between two parties who share some secret. The
original source data can come from a compromised zone master or
can be corrupted during transit from an authentic zone master to
some "caching forwarder." However, if the server is faithfully
performing the full DNSSEC security checks, then
only security checked data will be available to the client.A fudge value that is too large may leave the server open
to replay attacks. A fudge value that is too small may cause
failures if machines are not time synchronized or there are unexpected
network delays. The recommended value in most situation is 300
seconds.For all of the message authentication code algorithms listed in
this document,
those producing longer values are believed to be stronger; however,
while there have been some arguments that mild truncation can
strengthen a MAC by reducing the information available to an
attacker, excessive truncation clearly weakens authentication by
reducing the number of bits an attacker has to try to break the
authentication by brute force .Significant progress has been made recently in cryptanalysis of hash
functions of the types used here, all of which ultimately derive
from the design of MD4. While the results so far should not effect
HMAC, the stronger SHA-1 and SHA-256 algorithms are being made
mandatory due to caution. Note that today SHA-3
is available as an alternative to SHA-2
using a very different design.See also the Security Considerations section of from which the limits on truncation in this
RFC were taken.To bind an answer with its corresponding request the MAC
of the answer is computed using the MAC request. Unfortunately
original specifications failed to
clearly require the MAC request to be successfully validated.This document proposes the principle that the MAC must be
considered to be invalid until it was validated. This leads
to the requirement that only a validated request MAC is
included in a signed answer. Or with other words when the
request MAC was not validated the answer must be unsigned
with a BADKEY or BADSIG TSIG error.This section from the original document
analyzes DNSSEC in order to justify the introduction of TSIG.DNS has recently been extended by DNSSEC
(, and
) to provide for data origin
authentication, and public key distribution, all based on
public key cryptography and public key based digital
signatures. To be practical, this form of security
generally requires extensive local caching of keys and
tracing of authentication through multiple keys and
signatures to a pre-trusted locally configured key.One difficulty with the DNSSEC scheme is that common DNS
implementations include simple "stub" resolvers which do not
have caches. Such resolvers typically rely on a caching DNS
server on another host. It is impractical for these stub
resolvers to perform general DNSSEC authentication and they
would naturally depend on their caching DNS server to
perform such services for them. To do so securely requires
secure communication of queries and responses. DNSSEC
provides public key transaction signatures to support this,
but such signatures are very expensive computationally to
generate. In general, these require the same complex public
key logic that is impractical for stubs.A second area where use of straight DNSSEC public key
based mechanisms may be impractical is authenticating
dynamic update requests. DNSSEC
provides for request signatures but with DNSSEC they, like
transaction signatures, require computationally expensive
public key cryptography and complex authentication logic.
Secure Domain Name System Dynamic Update
() describes how different keys are
used in dynamically updated zones.Secure Hash Standard (SHS)National Institute of Standards and
TechnologySHA-3 StandardNational Institute of Standards and
TechnologyThis document just consolidates and updates the earlier documents
by the authors of (Paul Vixie,
Olafur Gudmundsson, Donald E. Eastlake 3rd and Brian Wellington)
and (Donald E. Eastlake 3rd). It would
not be possible without their original work.The security problem addressed by this document was reported
by Clement Berthaux from Synacktiv.Note for the RFC Editor (to be removed before publication):
the first 'e' in Clement is a fact a small 'e' with acute,
unicode code U+00E9. I do not know if xml2rfc supports non ASCII
characters so I prefer to not experiment with it. BTW I am French too
too so I can help if you have questions like correct spelling...Peter van Dijk, Benno Overeinder, Willem Toroop, Ondrej Sury,
Mukund Sivaraman and Ralph Dolmans participated in the discussions
that prompted this document.draft-dupont-dnsop-rfc2845bis-00 was merged.Authors of original documents were moved to
Acknowledgments (). was updated to
style.Spit references into normative and informative references
and updated them.Added a text explaining why this document was written
in the Abstract and at the beginning of the introduction.Clarified the layout of TSIG RDATA.Moved the text about using DNSSEC from the Introduction
to the end of Security Considerations.Added the security clarifications:
Emphasized that MAC is invalid until it is successfully
validated.Added requirement that a request MAC that has not been
successfully validated MUST NOT be included into a
response.Added requirement that a request that has not been
validated to the MUST NOT generate a signed response.Added note about MAC too short for the local policy to the
.Changed the order of server checks and swapped corresponding
sections.Removed the truncation size limit "also case" as it does not
apply and added confusion.Relocated the error provision for TSIG truncation to the new
. Moved from RCODE 22
to RCODE 9 and TSIG ERROR 22, i.e., aligned with other TSIG
error cases.Added about truncation error
handling by clients.Removed the limit to HMAC output in replies as a request
which specified a MAC length longer than the HMAC output
is invalid according the the first processing rule in .Promoted the requirement that a secret length should be at
least as long as the keyed message digest to a
SHOULD key word.Added a short text to explain the security issue.