tech-invite   World Map     

IETF     RFCs     Groups     SIP     ABNFs    |    3GPP     Specs     Glossaries     Architecture     IMS     UICC    |    search

RFC 4035

 
 
 

Protocol Modifications for the DNS Security Extensions

Part 3 of 3, p. 34 to 53
Prev RFC Part

 


prevText      Top      Up      ToC       Page 34 
9.  References

9.1.  Normative References

   [RFC1034]  Mockapetris, P., "Domain names - concepts and facilities",
              STD 13, RFC 1034, November 1987.

   [RFC1035]  Mockapetris, P., "Domain names - implementation and
              specification", STD 13, RFC 1035, November 1987.

   [RFC1122]  Braden, R., "Requirements for Internet Hosts -
              Communication Layers", STD 3, RFC 1122, October 1989.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2181]  Elz, R. and R. Bush, "Clarifications to the DNS
              Specification", RFC 2181, July 1997.

Top      Up      ToC       Page 35 
   [RFC2460]  Deering, S. and R. Hinden, "Internet Protocol, Version 6
              (IPv6) Specification", RFC 2460, December 1998.

   [RFC2671]  Vixie, P., "Extension Mechanisms for DNS (EDNS0)", RFC
              2671, August 1999.

   [RFC2672]  Crawford, M., "Non-Terminal DNS Name Redirection", RFC
              2672, August 1999.

   [RFC3225]  Conrad, D., "Indicating Resolver Support of DNSSEC", RFC
              3225, December 2001.

   [RFC3226]  Gudmundsson, O., "DNSSEC and IPv6 A6 aware server/resolver
              message size requirements", RFC 3226, December 2001.

   [RFC4033]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
              Rose, "DNS Security Introduction and Requirements", RFC
              4033, March 2005.

   [RFC4034]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
              Rose, "Resource Records for DNS Security Extensions", RFC
              4034, March 2005.

9.2.  Informative References

   [RFC2308]  Andrews, M., "Negative Caching of DNS Queries (DNS
              NCACHE)", RFC 2308, March 1998.

   [RFC2535]  Eastlake 3rd, D., "Domain Name System Security
              Extensions", RFC 2535, March 1999.

   [RFC3007]  Wellington, B., "Secure Domain Name System (DNS) Dynamic
              Update", RFC 3007, November 2000.

   [RFC3655]  Wellington, B. and O. Gudmundsson, "Redefinition of DNS
              Authenticated Data (AD) bit", RFC 3655, November 2003.

Top      Up      ToC       Page 36 
Appendix A.  Signed Zone Example

   The following example shows a (small) complete signed zone.

   example.       3600 IN SOA ns1.example. bugs.x.w.example. (
                              1081539377
                              3600
                              300
                              3600000
                              3600
                              )
                  3600 RRSIG  SOA 5 1 3600 20040509183619 (
                              20040409183619 38519 example.
                              ONx0k36rcjaxYtcNgq6iQnpNV5+drqYAsC9h
                              7TSJaHCqbhE67Sr6aH2xDUGcqQWu/n0UVzrF
                              vkgO9ebarZ0GWDKcuwlM6eNB5SiX2K74l5LW
                              DA7S/Un/IbtDq4Ay8NMNLQI7Dw7n4p8/rjkB
                              jV7j86HyQgM5e7+miRAz8V01b0I= )
                  3600 NS     ns1.example.
                  3600 NS     ns2.example.
                  3600 RRSIG  NS 5 1 3600 20040509183619 (
                              20040409183619 38519 example.
                              gl13F00f2U0R+SWiXXLHwsMY+qStYy5k6zfd
                              EuivWc+wd1fmbNCyql0Tk7lHTX6UOxc8AgNf
                              4ISFve8XqF4q+o9qlnqIzmppU3LiNeKT4FZ8
                              RO5urFOvoMRTbQxW3U0hXWuggE4g3ZpsHv48
                              0HjMeRaZB/FRPGfJPajngcq6Kwg= )
                  3600 MX     1 xx.example.
                  3600 RRSIG  MX 5 1 3600 20040509183619 (
                              20040409183619 38519 example.
                              HyDHYVT5KHSZ7HtO/vypumPmSZQrcOP3tzWB
                              2qaKkHVPfau/DgLgS/IKENkYOGL95G4N+NzE
                              VyNU8dcTOckT+ChPcGeVjguQ7a3Ao9Z/ZkUO
                              6gmmUW4b89rz1PUxW4jzUxj66PTwoVtUU/iM
                              W6OISukd1EQt7a0kygkg+PEDxdI= )
                  3600 NSEC   a.example. NS SOA MX RRSIG NSEC DNSKEY
                  3600 RRSIG  NSEC 5 1 3600 20040509183619 (
                              20040409183619 38519 example.
                              O0k558jHhyrC97ISHnislm4kLMW48C7U7cBm
                              FTfhke5iVqNRVTB1STLMpgpbDIC9hcryoO0V
                              Z9ME5xPzUEhbvGnHd5sfzgFVeGxr5Nyyq4tW
                              SDBgIBiLQUv1ivy29vhXy7WgR62dPrZ0PWvm
                              jfFJ5arXf4nPxp/kEowGgBRzY/U= )
                  3600 DNSKEY 256 3 5 (
                              AQOy1bZVvpPqhg4j7EJoM9rI3ZmyEx2OzDBV
                              rZy/lvI5CQePxXHZS4i8dANH4DX3tbHol61e
                              k8EFMcsGXxKciJFHyhl94C+NwILQdzsUlSFo
                              vBZsyl/NX6yEbtw/xN9ZNcrbYvgjjZ/UVPZI

Top      Up      ToC       Page 37 
                              ySFNsgEYvh0z2542lzMKR4Dh8uZffQ==
                              )
                  3600 DNSKEY 257 3 5 (
                              AQOeX7+baTmvpVHb2CcLnL1dMRWbuscRvHXl
                              LnXwDzvqp4tZVKp1sZMepFb8MvxhhW3y/0QZ
                              syCjczGJ1qk8vJe52iOhInKROVLRwxGpMfzP
                              RLMlGybr51bOV/1se0ODacj3DomyB4QB5gKT
                              Yot/K9alk5/j8vfd4jWCWD+E1Sze0Q==
                              )
                  3600 RRSIG  DNSKEY 5 1 3600 20040509183619 (
                              20040409183619 9465 example.
                              ZxgauAuIj+k1YoVEOSlZfx41fcmKzTFHoweZ
                              xYnz99JVQZJ33wFS0Q0jcP7VXKkaElXk9nYJ
                              XevO/7nAbo88iWsMkSpSR6jWzYYKwfrBI/L9
                              hjYmyVO9m6FjQ7uwM4dCP/bIuV/DKqOAK9NY
                              NC3AHfvCV1Tp4VKDqxqG7R5tTVM= )
                  3600 RRSIG  DNSKEY 5 1 3600 20040509183619 (
                              20040409183619 38519 example.
                              eGL0s90glUqcOmloo/2y+bSzyEfKVOQViD9Z
                              DNhLz/Yn9CQZlDVRJffACQDAUhXpU/oP34ri
                              bKBpysRXosczFrKqS5Oa0bzMOfXCXup9qHAp
                              eFIku28Vqfr8Nt7cigZLxjK+u0Ws/4lIRjKk
                              7z5OXogYVaFzHKillDt3HRxHIZM= )
   a.example.     3600 IN NS  ns1.a.example.
                  3600 IN NS  ns2.a.example.
                  3600 DS     57855 5 1 (
                              B6DCD485719ADCA18E5F3D48A2331627FDD3
                              636B )
                  3600 RRSIG  DS 5 2 3600 20040509183619 (
                              20040409183619 38519 example.
                              oXIKit/QtdG64J/CB+Gi8dOvnwRvqrto1AdQ
                              oRkAN15FP3iZ7suB7gvTBmXzCjL7XUgQVcoH
                              kdhyCuzp8W9qJHgRUSwKKkczSyuL64nhgjuD
                              EML8l9wlWVsl7PR2VnZduM9bLyBhaaPmRKX/
                              Fm+v6ccF2EGNLRiY08kdkz+XHHo= )
                  3600 NSEC   ai.example. NS DS RRSIG NSEC
                  3600 RRSIG  NSEC 5 2 3600 20040509183619 (
                              20040409183619 38519 example.
                              cOlYgqJLqlRqmBQ3iap2SyIsK4O5aqpKSoba
                              U9fQ5SMApZmHfq3AgLflkrkXRXvgxTQSKkG2
                              039/cRUs6Jk/25+fi7Xr5nOVJsb0lq4zsB3I
                              BBdjyGDAHE0F5ROJj87996vJupdm1fbH481g
                              sdkOW6Zyqtz3Zos8N0BBkEx+2G4= )
   ns1.a.example. 3600 IN A   192.0.2.5
   ns2.a.example. 3600 IN A   192.0.2.6
   ai.example.    3600 IN A   192.0.2.9
                  3600 RRSIG  A 5 2 3600 20040509183619 (
                              20040409183619 38519 example.

Top      Up      ToC       Page 38 
                              pAOtzLP2MU0tDJUwHOKE5FPIIHmdYsCgTb5B
                              ERGgpnJluA9ixOyf6xxVCgrEJW0WNZSsJicd
                              hBHXfDmAGKUajUUlYSAH8tS4ZnrhyymIvk3u
                              ArDu2wfT130e9UHnumaHHMpUTosKe22PblOy
                              6zrTpg9FkS0XGVmYRvOTNYx2HvQ= )
                  3600 HINFO  "KLH-10" "ITS"
                  3600 RRSIG  HINFO 5 2 3600 20040509183619 (
                              20040409183619 38519 example.
                              Iq/RGCbBdKzcYzlGE4ovbr5YcB+ezxbZ9W0l
                              e/7WqyvhOO9J16HxhhL7VY/IKmTUY0GGdcfh
                              ZEOCkf4lEykZF9NPok1/R/fWrtzNp8jobuY7
                              AZEcZadp1WdDF3jc2/ndCa5XZhLKD3JzOsBw
                              FvL8sqlS5QS6FY/ijFEDnI4RkZA= )
                  3600 AAAA   2001:db8::f00:baa9
                  3600 RRSIG  AAAA 5 2 3600 20040509183619 (
                              20040409183619 38519 example.
                              nLcpFuXdT35AcE+EoafOUkl69KB+/e56XmFK
                              kewXG2IadYLKAOBIoR5+VoQV3XgTcofTJNsh
                              1rnF6Eav2zpZB3byI6yo2bwY8MNkr4A7cL9T
                              cMmDwV/hWFKsbGBsj8xSCN/caEL2CWY/5XP2
                              sZM6QjBBLmukH30+w1z3h8PUP2o= )
                  3600 NSEC   b.example. A HINFO AAAA RRSIG NSEC
                  3600 RRSIG  NSEC 5 2 3600 20040509183619 (
                              20040409183619 38519 example.
                              QoshyPevLcJ/xcRpEtMft1uoIrcrieVcc9pG
                              CScIn5Glnib40T6ayVOimXwdSTZ/8ISXGj4p
                              P8Sh0PlA6olZQ84L453/BUqB8BpdOGky4hsN
                              3AGcLEv1Gr0QMvirQaFcjzOECfnGyBm+wpFL
                              AhS+JOVfDI/79QtyTI0SaDWcg8U= )
   b.example.     3600 IN NS  ns1.b.example.
                  3600 IN NS  ns2.b.example.
                  3600 NSEC   ns1.example. NS RRSIG NSEC
                  3600 RRSIG  NSEC 5 2 3600 20040509183619 (
                              20040409183619 38519 example.
                              GNuxHn844wfmUhPzGWKJCPY5ttEX/RfjDoOx
                              9ueK1PtYkOWKOOdiJ/PJKCYB3hYX+858dDWS
                              xb2qnV/LSTCNVBnkm6owOpysY97MVj5VQEWs
                              0lm9tFoqjcptQkmQKYPrwUnCSNwvvclSF1xZ
                              vhRXgWT7OuFXldoCG6TfVFMs9xE= )
   ns1.b.example. 3600 IN A   192.0.2.7
   ns2.b.example. 3600 IN A   192.0.2.8
   ns1.example.   3600 IN A   192.0.2.1
                  3600 RRSIG  A 5 2 3600 20040509183619 (
                              20040409183619 38519 example.
                              F1C9HVhIcs10cZU09G5yIVfKJy5yRQQ3qVet
                              5pGhp82pzhAOMZ3K22JnmK4c+IjUeFp/to06
                              im5FVpHtbFisdjyPq84bhTv8vrXt5AB1wNB+
                              +iAqvIfdgW4sFNC6oADb1hK8QNauw9VePJhK

Top      Up      ToC       Page 39 
                              v/iVXSYC0b7mPSU+EOlknFpVECs= )
                  3600 NSEC   ns2.example. A RRSIG NSEC
                  3600 RRSIG  NSEC 5 2 3600 20040509183619 (
                              20040409183619 38519 example.
                              I4hj+Kt6+8rCcHcUdolks2S+Wzri9h3fHas8
                              1rGN/eILdJHN7JpV6lLGPIh/8fIBkfvdyWnB
                              jjf1q3O7JgYO1UdI7FvBNWqaaEPJK3UkddBq
                              ZIaLi8Qr2XHkjq38BeQsbp8X0+6h4ETWSGT8
                              IZaIGBLryQWGLw6Y6X8dqhlnxJM= )
   ns2.example.   3600 IN A   192.0.2.2
                  3600 RRSIG  A 5 2 3600 20040509183619 (
                              20040409183619 38519 example.
                              V7cQRw1TR+knlaL1z/psxlS1PcD37JJDaCMq
                              Qo6/u1qFQu6x+wuDHRH22Ap9ulJPQjFwMKOu
                              yfPGQPC8KzGdE3vt5snFEAoE1Vn3mQqtu7SO
                              6amIjk13Kj/jyJ4nGmdRIc/3cM3ipXFhNTKq
                              rdhx8SZ0yy4ObIRzIzvBFLiSS8o= )
                  3600 NSEC   *.w.example. A RRSIG NSEC
                  3600 RRSIG  NSEC 5 2 3600 20040509183619 (
                              20040409183619 38519 example.
                              N0QzHvaJf5NRw1rE9uxS1Ltb2LZ73Qb9bKGE
                              VyaISkqzGpP3jYJXZJPVTq4UVEsgT3CgeHvb
                              3QbeJ5Dfb2V9NGCHj/OvF/LBxFFWwhLwzngH
                              l+bQAgAcMsLu/nL3nDi1y/JSQjAcdZNDl4bw
                              Ymx28EtgIpo9A0qmP08rMBqs1Jw= )
   *.w.example.   3600 IN MX  1 ai.example.
                  3600 RRSIG  MX 5 2 3600 20040509183619 (
                              20040409183619 38519 example.
                              OMK8rAZlepfzLWW75Dxd63jy2wswESzxDKG2
                              f9AMN1CytCd10cYISAxfAdvXSZ7xujKAtPbc
                              tvOQ2ofO7AZJ+d01EeeQTVBPq4/6KCWhqe2X
                              TjnkVLNvvhnc0u28aoSsG0+4InvkkOHknKxw
                              4kX18MMR34i8lC36SR5xBni8vHI= )
                  3600 NSEC   x.w.example. MX RRSIG NSEC
                  3600 RRSIG  NSEC 5 2 3600 20040509183619 (
                              20040409183619 38519 example.
                              r/mZnRC3I/VIcrelgIcteSxDhtsdlTDt8ng9
                              HSBlABOlzLxQtfgTnn8f+aOwJIAFe1Ee5RvU
                              5cVhQJNP5XpXMJHfyps8tVvfxSAXfahpYqtx
                              91gsmcV/1V9/bZAG55CefP9cM4Z9Y9NT9XQ8
                              s1InQ2UoIv6tJEaaKkP701j8OLA= )
   x.w.example.   3600 IN MX  1 xx.example.
                  3600 RRSIG  MX 5 3 3600 20040509183619 (
                              20040409183619 38519 example.
                              Il2WTZ+Bkv+OytBx4LItNW5mjB4RCwhOO8y1
                              XzPHZmZUTVYL7LaA63f6T9ysVBzJRI3KRjAP
                              H3U1qaYnDoN1DrWqmi9RJe4FoObkbcdm7P3I
                              kx70ePCoFgRz1Yq+bVVXCvGuAU4xALv3W/Y1

Top      Up      ToC       Page 40 
                              jNSlwZ2mSWKHfxFQxPtLj8s32+k= )
                  3600 NSEC   x.y.w.example. MX RRSIG NSEC
                  3600 RRSIG  NSEC 5 3 3600 20040509183619 (
                              20040409183619 38519 example.
                              aRbpHftxggzgMXdDlym9SsADqMZovZZl2QWK
                              vw8J0tZEUNQByH5Qfnf5N1FqH/pS46UA7A4E
                              mcWBN9PUA1pdPY6RVeaRlZlCr1IkVctvbtaI
                              NJuBba/VHm+pebTbKcAPIvL9tBOoh+to1h6e
                              IjgiM8PXkBQtxPq37wDKALkyn7Q= )
   x.y.w.example. 3600 IN MX  1 xx.example.
                  3600 RRSIG  MX 5 4 3600 20040509183619 (
                              20040409183619 38519 example.
                              k2bJHbwP5LH5qN4is39UiPzjAWYmJA38Hhia
                              t7i9t7nbX/e0FPnvDSQXzcK7UL+zrVA+3MDj
                              q1ub4q3SZgcbLMgexxIW3Va//LVrxkP6Xupq
                              GtOB9prkK54QTl/qZTXfMQpW480YOvVknhvb
                              +gLcMZBnHJ326nb/TOOmrqNmQQE= )
                  3600 NSEC   xx.example. MX RRSIG NSEC
                  3600 RRSIG  NSEC 5 4 3600 20040509183619 (
                              20040409183619 38519 example.
                              OvE6WUzN2ziieJcvKPWbCAyXyP6ef8cr6Csp
                              ArVSTzKSquNwbezZmkU7E34o5lmb6CWSSSpg
                              xw098kNUFnHcQf/LzY2zqRomubrNQhJTiDTX
                              a0ArunJQCzPjOYq5t0SLjm6qp6McJI1AP5Vr
                              QoKqJDCLnoAlcPOPKAm/jJkn3jk= )
   xx.example.    3600 IN A   192.0.2.10
                  3600 RRSIG  A 5 2 3600 20040509183619 (
                              20040409183619 38519 example.
                              kBF4YxMGWF0D8r0cztL+2fWWOvN1U/GYSpYP
                              7SoKoNQ4fZKyk+weWGlKLIUM+uE1zjVTPXoa
                              0Z6WG0oZp46rkl1EzMcdMgoaeUzzAJ2BMq+Y
                              VdxG9IK1yZkYGY9AgbTOGPoAgbJyO9EPULsx
                              kbIDV6GPPSZVusnZU6OMgdgzHV4= )
                  3600 HINFO  "KLH-10" "TOPS-20"
                  3600 RRSIG  HINFO 5 2 3600 20040509183619 (
                              20040409183619 38519 example.
                              GY2PLSXmMHkWHfLdggiox8+chWpeMNJLkML0
                              t+U/SXSUsoUdR91KNdNUkTDWamwcF8oFRjhq
                              BcPZ6EqrF+vl5v5oGuvSF7U52epfVTC+wWF8
                              3yCUeUw8YklhLWlvk8gQ15YKth0ITQy8/wI+
                              RgNvuwbioFSEuv2pNlkq0goYxNY= )
                  3600 AAAA   2001:db8::f00:baaa
                  3600 RRSIG  AAAA 5 2 3600 20040509183619 (
                              20040409183619 38519 example.
                              Zzj0yodDxcBLnnOIwDsuKo5WqiaK24DlKg9C
                              aGaxDFiKgKobUj2jilYQHpGFn2poFRetZd4z
                              ulyQkssz2QHrVrPuTMS22knudCiwP4LWpVTr
                              U4zfeA+rDz9stmSBP/4PekH/x2IoAYnwctd/

Top      Up      ToC       Page 41 
                              xS9cL2QgW7FChw16mzlkH6/vsfs= )
                  3600 NSEC   example. A HINFO AAAA RRSIG NSEC
                  3600 RRSIG  NSEC 5 2 3600 20040509183619 (
                              20040409183619 38519 example.
                              ZFWUln6Avc8bmGl5GFjD3BwT530DUZKHNuoY
                              9A8lgXYyrxu+pqgFiRVbyZRQvVB5pccEOT3k
                              mvHgEa/HzbDB4PIYY79W+VHrgOxzdQGGCZzi
                              asXrpSGOWwSOElghPnMIi8xdF7qtCntr382W
                              GghLahumFIpg4MO3LS/prgzVVWo= )

   The apex DNSKEY set includes two DNSKEY RRs, and the DNSKEY RDATA
   Flags indicate that each of these DNSKEY RRs is a zone key.  One of
   these DNSKEY RRs also has the SEP flag set and has been used to sign
   the apex DNSKEY RRset; this is the key that should be hashed to
   generate a DS record to be inserted into the parent zone.  The other
   DNSKEY is used to sign all the other RRsets in the zone.

   The zone includes a wildcard entry, "*.w.example".  Note that the
   name "*.w.example" is used in constructing NSEC chains, and that the
   RRSIG covering the "*.w.example" MX RRset has a label count of 2.

   The zone also includes two delegations.  The delegation to
   "b.example" includes an NS RRset, glue address records, and an NSEC
   RR; note that only the NSEC RRset is signed.  The delegation to
   "a.example" provides a DS RR; note that only the NSEC and DS RRsets
   are signed.

Appendix B.  Example Responses

   The examples in this section show response messages using the signed
   zone example in Appendix A.

B.1.  Answer

   A successful query to an authoritative server.

   ;; Header: QR AA DO RCODE=0
   ;;
   ;; Question
   x.w.example.        IN MX

   ;; Answer
   x.w.example.   3600 IN MX  1 xx.example.
   x.w.example.   3600 RRSIG  MX 5 3 3600 20040509183619 (
                              20040409183619 38519 example.
                              Il2WTZ+Bkv+OytBx4LItNW5mjB4RCwhOO8y1
                              XzPHZmZUTVYL7LaA63f6T9ysVBzJRI3KRjAP
                              H3U1qaYnDoN1DrWqmi9RJe4FoObkbcdm7P3I

Top      Up      ToC       Page 42 
                              kx70ePCoFgRz1Yq+bVVXCvGuAU4xALv3W/Y1
                              jNSlwZ2mSWKHfxFQxPtLj8s32+k= )

   ;; Authority
   example.       3600 NS     ns1.example.
   example.       3600 NS     ns2.example.
   example.       3600 RRSIG  NS 5 1 3600 20040509183619 (
                              20040409183619 38519 example.
                              gl13F00f2U0R+SWiXXLHwsMY+qStYy5k6zfd
                              EuivWc+wd1fmbNCyql0Tk7lHTX6UOxc8AgNf
                              4ISFve8XqF4q+o9qlnqIzmppU3LiNeKT4FZ8
                              RO5urFOvoMRTbQxW3U0hXWuggE4g3ZpsHv48
                              0HjMeRaZB/FRPGfJPajngcq6Kwg= )

   ;; Additional
   xx.example.    3600 IN A   192.0.2.10
   xx.example.    3600 RRSIG  A 5 2 3600 20040509183619 (
                              20040409183619 38519 example.
                              kBF4YxMGWF0D8r0cztL+2fWWOvN1U/GYSpYP
                              7SoKoNQ4fZKyk+weWGlKLIUM+uE1zjVTPXoa
                              0Z6WG0oZp46rkl1EzMcdMgoaeUzzAJ2BMq+Y
                              VdxG9IK1yZkYGY9AgbTOGPoAgbJyO9EPULsx
                              kbIDV6GPPSZVusnZU6OMgdgzHV4= )
   xx.example.    3600 AAAA   2001:db8::f00:baaa
   xx.example.    3600 RRSIG  AAAA 5 2 3600 20040509183619 (
                              20040409183619 38519 example.
                              Zzj0yodDxcBLnnOIwDsuKo5WqiaK24DlKg9C
                              aGaxDFiKgKobUj2jilYQHpGFn2poFRetZd4z
                              ulyQkssz2QHrVrPuTMS22knudCiwP4LWpVTr
                              U4zfeA+rDz9stmSBP/4PekH/x2IoAYnwctd/
                              xS9cL2QgW7FChw16mzlkH6/vsfs= )
   ns1.example.   3600 IN A   192.0.2.1
   ns1.example.   3600 RRSIG  A 5 2 3600 20040509183619 (
                              20040409183619 38519 example.
                              F1C9HVhIcs10cZU09G5yIVfKJy5yRQQ3qVet
                              5pGhp82pzhAOMZ3K22JnmK4c+IjUeFp/to06
                              im5FVpHtbFisdjyPq84bhTv8vrXt5AB1wNB+
                              +iAqvIfdgW4sFNC6oADb1hK8QNauw9VePJhK
                              v/iVXSYC0b7mPSU+EOlknFpVECs= )
   ns2.example.   3600 IN A   192.0.2.2
   ns2.example.   3600 RRSIG  A 5 2 3600 20040509183619 (
                              20040409183619 38519 example.
                              V7cQRw1TR+knlaL1z/psxlS1PcD37JJDaCMq
                              Qo6/u1qFQu6x+wuDHRH22Ap9ulJPQjFwMKOu
                              yfPGQPC8KzGdE3vt5snFEAoE1Vn3mQqtu7SO
                              6amIjk13Kj/jyJ4nGmdRIc/3cM3ipXFhNTKq
                              rdhx8SZ0yy4ObIRzIzvBFLiSS8o= )

Top      Up      ToC       Page 43 
B.2.  Name Error

   An authoritative name error.  The NSEC RRs prove that the name does
   not exist and that no covering wildcard exists.

   ;; Header: QR AA DO RCODE=3
   ;;
   ;; Question
   ml.example.         IN A

   ;; Answer
   ;; (empty)

   ;; Authority
   example.       3600 IN SOA ns1.example. bugs.x.w.example. (
                              1081539377
                              3600
                              300
                              3600000
                              3600
                              )
   example.       3600 RRSIG  SOA 5 1 3600 20040509183619 (
                              20040409183619 38519 example.
                              ONx0k36rcjaxYtcNgq6iQnpNV5+drqYAsC9h
                              7TSJaHCqbhE67Sr6aH2xDUGcqQWu/n0UVzrF
                              vkgO9ebarZ0GWDKcuwlM6eNB5SiX2K74l5LW
                              DA7S/Un/IbtDq4Ay8NMNLQI7Dw7n4p8/rjkB
                              jV7j86HyQgM5e7+miRAz8V01b0I= )
   b.example.     3600 NSEC   ns1.example. NS RRSIG NSEC
   b.example.     3600 RRSIG  NSEC 5 2 3600 20040509183619 (
                              20040409183619 38519 example.
                              GNuxHn844wfmUhPzGWKJCPY5ttEX/RfjDoOx
                              9ueK1PtYkOWKOOdiJ/PJKCYB3hYX+858dDWS
                              xb2qnV/LSTCNVBnkm6owOpysY97MVj5VQEWs
                              0lm9tFoqjcptQkmQKYPrwUnCSNwvvclSF1xZ
                              vhRXgWT7OuFXldoCG6TfVFMs9xE= )
   example.       3600 NSEC   a.example. NS SOA MX RRSIG NSEC DNSKEY
   example.       3600 RRSIG  NSEC 5 1 3600 20040509183619 (
                              20040409183619 38519 example.
                              O0k558jHhyrC97ISHnislm4kLMW48C7U7cBm
                              FTfhke5iVqNRVTB1STLMpgpbDIC9hcryoO0V
                              Z9ME5xPzUEhbvGnHd5sfzgFVeGxr5Nyyq4tW
                              SDBgIBiLQUv1ivy29vhXy7WgR62dPrZ0PWvm
                              jfFJ5arXf4nPxp/kEowGgBRzY/U= )

   ;; Additional
   ;; (empty)

Top      Up      ToC       Page 44 
B.3.  No Data Error

   A "no data" response.  The NSEC RR proves that the name exists and
   that the requested RR type does not.

   ;; Header: QR AA DO RCODE=0
   ;;
   ;; Question
   ns1.example.        IN MX

   ;; Answer
   ;; (empty)

   ;; Authority
   example.       3600 IN SOA ns1.example. bugs.x.w.example. (
                              1081539377
                              3600
                              300
                              3600000
                              3600
                              )
   example.       3600 RRSIG  SOA 5 1 3600 20040509183619 (
                              20040409183619 38519 example.
                              ONx0k36rcjaxYtcNgq6iQnpNV5+drqYAsC9h
                              7TSJaHCqbhE67Sr6aH2xDUGcqQWu/n0UVzrF
                              vkgO9ebarZ0GWDKcuwlM6eNB5SiX2K74l5LW
                              DA7S/Un/IbtDq4Ay8NMNLQI7Dw7n4p8/rjkB
                              jV7j86HyQgM5e7+miRAz8V01b0I= )
   ns1.example.   3600 NSEC   ns2.example. A RRSIG NSEC
   ns1.example.   3600 RRSIG  NSEC 5 2 3600 20040509183619 (
                              20040409183619 38519 example.
                              I4hj+Kt6+8rCcHcUdolks2S+Wzri9h3fHas8
                              1rGN/eILdJHN7JpV6lLGPIh/8fIBkfvdyWnB
                              jjf1q3O7JgYO1UdI7FvBNWqaaEPJK3UkddBq
                              ZIaLi8Qr2XHkjq38BeQsbp8X0+6h4ETWSGT8
                              IZaIGBLryQWGLw6Y6X8dqhlnxJM= )

   ;; Additional
   ;; (empty)

B.4.  Referral to Signed Zone

   Referral to a signed zone.  The DS RR contains the data which the
   resolver will need to validate the corresponding DNSKEY RR in the
   child zone's apex.

   ;; Header: QR DO RCODE=0
   ;;

Top      Up      ToC       Page 45 
   ;; Question
   mc.a.example.       IN MX

   ;; Answer
   ;; (empty)

   ;; Authority
   a.example.     3600 IN NS  ns1.a.example.
   a.example.     3600 IN NS  ns2.a.example.
   a.example.     3600 DS     57855 5 1 (
                              B6DCD485719ADCA18E5F3D48A2331627FDD3
                              636B )
   a.example.     3600 RRSIG  DS 5 2 3600 20040509183619 (
                              20040409183619 38519 example.
                              oXIKit/QtdG64J/CB+Gi8dOvnwRvqrto1AdQ
                              oRkAN15FP3iZ7suB7gvTBmXzCjL7XUgQVcoH
                              kdhyCuzp8W9qJHgRUSwKKkczSyuL64nhgjuD
                              EML8l9wlWVsl7PR2VnZduM9bLyBhaaPmRKX/
                              Fm+v6ccF2EGNLRiY08kdkz+XHHo= )

   ;; Additional
   ns1.a.example. 3600 IN A   192.0.2.5
   ns2.a.example. 3600 IN A   192.0.2.6

B.5.  Referral to Unsigned Zone

   Referral to an unsigned zone.  The NSEC RR proves that no DS RR for
   this delegation exists in the parent zone.

   ;; Header: QR DO RCODE=0
   ;;
   ;; Question
   mc.b.example.       IN MX

   ;; Answer
   ;; (empty)

   ;; Authority
   b.example.     3600 IN NS  ns1.b.example.
   b.example.     3600 IN NS  ns2.b.example.
   b.example.     3600 NSEC   ns1.example. NS RRSIG NSEC
   b.example.     3600 RRSIG  NSEC 5 2 3600 20040509183619 (
                              20040409183619 38519 example.
                              GNuxHn844wfmUhPzGWKJCPY5ttEX/RfjDoOx
                              9ueK1PtYkOWKOOdiJ/PJKCYB3hYX+858dDWS
                              xb2qnV/LSTCNVBnkm6owOpysY97MVj5VQEWs
                              0lm9tFoqjcptQkmQKYPrwUnCSNwvvclSF1xZ
                              vhRXgWT7OuFXldoCG6TfVFMs9xE= )

Top      Up      ToC       Page 46 
   ;; Additional
   ns1.b.example. 3600 IN A   192.0.2.7
   ns2.b.example. 3600 IN A   192.0.2.8

B.6.  Wildcard Expansion

   A successful query that was answered via wildcard expansion.  The
   label count in the answer's RRSIG RR indicates that a wildcard RRset
   was expanded to produce this response, and the NSEC RR proves that no
   closer match exists in the zone.

   ;; Header: QR AA DO RCODE=0
   ;;
   ;; Question
   a.z.w.example.      IN MX

   ;; Answer
   a.z.w.example. 3600 IN MX  1 ai.example.
   a.z.w.example. 3600 RRSIG  MX 5 2 3600 20040509183619 (
                              20040409183619 38519 example.
                              OMK8rAZlepfzLWW75Dxd63jy2wswESzxDKG2
                              f9AMN1CytCd10cYISAxfAdvXSZ7xujKAtPbc
                              tvOQ2ofO7AZJ+d01EeeQTVBPq4/6KCWhqe2X
                              TjnkVLNvvhnc0u28aoSsG0+4InvkkOHknKxw
                              4kX18MMR34i8lC36SR5xBni8vHI= )

   ;; Authority
   example.       3600 NS     ns1.example.
   example.       3600 NS     ns2.example.
   example.       3600 RRSIG  NS 5 1 3600 20040509183619 (
                              20040409183619 38519 example.
                              gl13F00f2U0R+SWiXXLHwsMY+qStYy5k6zfd
                              EuivWc+wd1fmbNCyql0Tk7lHTX6UOxc8AgNf
                              4ISFve8XqF4q+o9qlnqIzmppU3LiNeKT4FZ8
                              RO5urFOvoMRTbQxW3U0hXWuggE4g3ZpsHv48
                              0HjMeRaZB/FRPGfJPajngcq6Kwg= )
   x.y.w.example. 3600 NSEC   xx.example. MX RRSIG NSEC
   x.y.w.example. 3600 RRSIG  NSEC 5 4 3600 20040509183619 (
                              20040409183619 38519 example.
                              OvE6WUzN2ziieJcvKPWbCAyXyP6ef8cr6Csp
                              ArVSTzKSquNwbezZmkU7E34o5lmb6CWSSSpg
                              xw098kNUFnHcQf/LzY2zqRomubrNQhJTiDTX
                              a0ArunJQCzPjOYq5t0SLjm6qp6McJI1AP5Vr
                              QoKqJDCLnoAlcPOPKAm/jJkn3jk= )

   ;; Additional
   ai.example.    3600 IN A   192.0.2.9
   ai.example.    3600 RRSIG  A 5 2 3600 20040509183619 (

Top      Up      ToC       Page 47 
                              20040409183619 38519 example.
                              pAOtzLP2MU0tDJUwHOKE5FPIIHmdYsCgTb5B
                              ERGgpnJluA9ixOyf6xxVCgrEJW0WNZSsJicd
                              hBHXfDmAGKUajUUlYSAH8tS4ZnrhyymIvk3u
                              ArDu2wfT130e9UHnumaHHMpUTosKe22PblOy
                              6zrTpg9FkS0XGVmYRvOTNYx2HvQ= )
   ai.example.    3600 AAAA   2001:db8::f00:baa9
   ai.example.    3600 RRSIG  AAAA 5 2 3600 20040509183619 (
                              20040409183619 38519 example.
                              nLcpFuXdT35AcE+EoafOUkl69KB+/e56XmFK
                              kewXG2IadYLKAOBIoR5+VoQV3XgTcofTJNsh
                              1rnF6Eav2zpZB3byI6yo2bwY8MNkr4A7cL9T
                              cMmDwV/hWFKsbGBsj8xSCN/caEL2CWY/5XP2
                              sZM6QjBBLmukH30+w1z3h8PUP2o= )

B.7.  Wildcard No Data Error

   A "no data" response for a name covered by a wildcard.  The NSEC RRs
   prove that the matching wildcard name does not have any RRs of the
   requested type and that no closer match exists in the zone.

   ;; Header: QR AA DO RCODE=0
   ;;
   ;; Question
   a.z.w.example.      IN AAAA

   ;; Answer
   ;; (empty)

   ;; Authority
   example.       3600 IN SOA ns1.example. bugs.x.w.example. (
                              1081539377
                              3600
                              300
                              3600000
                              3600
                              )
   example.       3600 RRSIG  SOA 5 1 3600 20040509183619 (
                              20040409183619 38519 example.
                              ONx0k36rcjaxYtcNgq6iQnpNV5+drqYAsC9h
                              7TSJaHCqbhE67Sr6aH2xDUGcqQWu/n0UVzrF
                              vkgO9ebarZ0GWDKcuwlM6eNB5SiX2K74l5LW
                              DA7S/Un/IbtDq4Ay8NMNLQI7Dw7n4p8/rjkB
                              jV7j86HyQgM5e7+miRAz8V01b0I= )
   x.y.w.example. 3600 NSEC   xx.example. MX RRSIG NSEC
   x.y.w.example. 3600 RRSIG  NSEC 5 4 3600 20040509183619 (
                              20040409183619 38519 example.
                              OvE6WUzN2ziieJcvKPWbCAyXyP6ef8cr6Csp

Top      Up      ToC       Page 48 
                              ArVSTzKSquNwbezZmkU7E34o5lmb6CWSSSpg
                              xw098kNUFnHcQf/LzY2zqRomubrNQhJTiDTX
                              a0ArunJQCzPjOYq5t0SLjm6qp6McJI1AP5Vr
                              QoKqJDCLnoAlcPOPKAm/jJkn3jk= )
   *.w.example.   3600 NSEC   x.w.example. MX RRSIG NSEC
   *.w.example.   3600 RRSIG  NSEC 5 2 3600 20040509183619 (
                              20040409183619 38519 example.
                              r/mZnRC3I/VIcrelgIcteSxDhtsdlTDt8ng9
                              HSBlABOlzLxQtfgTnn8f+aOwJIAFe1Ee5RvU
                              5cVhQJNP5XpXMJHfyps8tVvfxSAXfahpYqtx
                              91gsmcV/1V9/bZAG55CefP9cM4Z9Y9NT9XQ8
                              s1InQ2UoIv6tJEaaKkP701j8OLA= )

   ;; Additional
   ;; (empty)

B.8.  DS Child Zone No Data Error

   A "no data" response for a QTYPE=DS query that was mistakenly sent to
   a name server for the child zone.

   ;; Header: QR AA DO RCODE=0
   ;;
   ;; Question
   example.            IN DS

   ;; Answer
   ;; (empty)

   ;; Authority
   example.       3600 IN SOA ns1.example. bugs.x.w.example. (
                              1081539377
                              3600
                              300
                              3600000
                              3600
                              )
   example.       3600 RRSIG  SOA 5 1 3600 20040509183619 (
                              20040409183619 38519 example.
                              ONx0k36rcjaxYtcNgq6iQnpNV5+drqYAsC9h
                              7TSJaHCqbhE67Sr6aH2xDUGcqQWu/n0UVzrF
                              vkgO9ebarZ0GWDKcuwlM6eNB5SiX2K74l5LW
                              DA7S/Un/IbtDq4Ay8NMNLQI7Dw7n4p8/rjkB
                              jV7j86HyQgM5e7+miRAz8V01b0I= )
   example.       3600 NSEC   a.example. NS SOA MX RRSIG NSEC DNSKEY
   example.       3600 RRSIG  NSEC 5 1 3600 20040509183619 (
                              20040409183619 38519 example.
                              O0k558jHhyrC97ISHnislm4kLMW48C7U7cBm

Top      Up      ToC       Page 49 
                              FTfhke5iVqNRVTB1STLMpgpbDIC9hcryoO0V
                              Z9ME5xPzUEhbvGnHd5sfzgFVeGxr5Nyyq4tW
                              SDBgIBiLQUv1ivy29vhXy7WgR62dPrZ0PWvm
                              jfFJ5arXf4nPxp/kEowGgBRzY/U= )

   ;; Additional
   ;; (empty)

Appendix C.  Authentication Examples

   The examples in this section show how the response messages in
   Appendix B are authenticated.

C.1.  Authenticating an Answer

   The query in Appendix B.1 returned an MX RRset for "x.w.example.com".
   The corresponding RRSIG indicates that the MX RRset was signed by an
   "example" DNSKEY with algorithm 5 and key tag 38519.  The resolver
   needs the corresponding DNSKEY RR in order to authenticate this
   answer.  The discussion below describes how a resolver might obtain
   this DNSKEY RR.

   The RRSIG indicates the original TTL of the MX RRset was 3600, and,
   for the purpose of authentication, the current TTL is replaced by
   3600.  The RRSIG labels field value of 3 indicates that the answer
   was not the result of wildcard expansion.  The "x.w.example.com" MX
   RRset is placed in canonical form, and, assuming the current time
   falls between the signature inception and expiration dates, the
   signature is authenticated.

C.1.1.  Authenticating the Example DNSKEY RR

   This example shows the logical authentication process that starts
   from the a configured root DNSKEY (or DS RR) and moves down the tree
   to authenticate the desired "example" DNSKEY RR.  Note that the
   logical order is presented for clarity.  An implementation may choose
   to construct the authentication as referrals are received or to
   construct the authentication chain only after all RRsets have been
   obtained, or in any other combination it sees fit.  The example here
   demonstrates only the logical process and does not dictate any
   implementation rules.

   We assume the resolver starts with a configured DNSKEY RR for the
   root zone (or a configured DS RR for the root zone).  The resolver
   checks whether this configured DNSKEY RR is present in the root
   DNSKEY RRset (or whether the DS RR matches some DNSKEY in the root
   DNSKEY RRset), whether this DNSKEY RR has signed the root DNSKEY
   RRset, and whether the signature lifetime is valid.  If all these

Top      Up      ToC       Page 50 
   conditions are met, all keys in the DNSKEY RRset are considered
   authenticated.  The resolver then uses one (or more) of the root
   DNSKEY RRs to authenticate the "example" DS RRset.  Note that the
   resolver may have to query the root zone to obtain the root DNSKEY
   RRset or "example" DS RRset.

   Once the DS RRset has been authenticated using the root DNSKEY, the
   resolver checks the "example" DNSKEY RRset for some "example" DNSKEY
   RR that matches one of the authenticated "example" DS RRs.  If such a
   matching "example" DNSKEY is found, the resolver checks whether this
   DNSKEY RR has signed the "example" DNSKEY RRset and the signature
   lifetime is valid.  If these conditions are met, all keys in the
   "example" DNSKEY RRset are considered authenticated.

   Finally, the resolver checks that some DNSKEY RR in the "example"
   DNSKEY RRset uses algorithm 5 and has a key tag of 38519.  This
   DNSKEY is used to authenticate the RRSIG included in the response.
   If multiple "example" DNSKEY RRs match this algorithm and key tag,
   then each DNSKEY RR is tried, and the answer is authenticated if any
   of the matching DNSKEY RRs validate the signature as described above.

C.2.  Name Error

   The query in Appendix B.2 returned NSEC RRs that prove that the
   requested data does not exist and no wildcard applies.  The negative
   reply is authenticated by verifying both NSEC RRs.  The NSEC RRs are
   authenticated in a manner identical to that of the MX RRset discussed
   above.

C.3.  No Data Error

   The query in Appendix B.3 returned an NSEC RR that proves that the
   requested name exists, but the requested RR type does not exist.  The
   negative reply is authenticated by verifying the NSEC RR.  The NSEC
   RR is authenticated in a manner identical to that of the MX RRset
   discussed above.

C.4.  Referral to Signed Zone

   The query in Appendix B.4 returned a referral to the signed
   "a.example." zone.  The DS RR is authenticated in a manner identical
   to that of the MX RRset discussed above.  This DS RR is used to
   authenticate the "a.example" DNSKEY RRset.

   Once the "a.example" DS RRset has been authenticated using the
   "example" DNSKEY, the resolver checks the "a.example" DNSKEY RRset
   for some "a.example" DNSKEY RR that matches the DS RR.  If such a
   matching "a.example" DNSKEY is found, the resolver checks whether

Top      Up      ToC       Page 51 
   this DNSKEY RR has signed the "a.example" DNSKEY RRset and whether
   the signature lifetime is valid.  If all these conditions are met,
   all keys in the "a.example" DNSKEY RRset are considered
   authenticated.

C.5.  Referral to Unsigned Zone

   The query in Appendix B.5 returned a referral to an unsigned
   "b.example." zone.  The NSEC proves that no authentication leads from
   "example" to "b.example", and the NSEC RR is authenticated in a
   manner identical to that of the MX RRset discussed above.

C.6.  Wildcard Expansion

   The query in Appendix B.6 returned an answer that was produced as a
   result of wildcard expansion.  The answer section contains a wildcard
   RRset expanded as it would be in a traditional DNS response, and the
   corresponding RRSIG indicates that the expanded wildcard MX RRset was
   signed by an "example" DNSKEY with algorithm 5 and key tag 38519.
   The RRSIG indicates that the original TTL of the MX RRset was 3600,
   and, for the purpose of authentication, the current TTL is replaced
   by 3600.  The RRSIG labels field value of 2 indicates that the answer
   is the result of wildcard expansion, as the "a.z.w.example" name
   contains 4 labels.  The name "a.z.w.w.example" is replaced by
   "*.w.example", the MX RRset is placed in canonical form, and,
   assuming that the current time falls between the signature inception
   and expiration dates, the signature is authenticated.

   The NSEC proves that no closer match (exact or closer wildcard) could
   have been used to answer this query, and the NSEC RR must also be
   authenticated before the answer is considered valid.

C.7.  Wildcard No Data Error

   The query in Appendix B.7 returned NSEC RRs that prove that the
   requested data does not exist and no wildcard applies.  The negative
   reply is authenticated by verifying both NSEC RRs.

C.8.  DS Child Zone No Data Error

   The query in Appendix B.8 returned NSEC RRs that shows the requested
   was answered by a child server ("example" server).  The NSEC RR
   indicates the presence of an SOA RR, showing that the answer is from
   the child .  Queries for the "example" DS RRset should be sent to the
   parent servers ("root" servers).

Top      Up      ToC       Page 52 
Authors' Addresses

   Roy Arends
   Telematica Instituut
   Brouwerijstraat 1
   7523 XC  Enschede
   NL

   EMail: roy.arends@telin.nl


   Rob Austein
   Internet Systems Consortium
   950 Charter Street
   Redwood City, CA  94063
   USA

   EMail: sra@isc.org


   Matt Larson
   VeriSign, Inc.
   21345 Ridgetop Circle
   Dulles, VA  20166-6503
   USA

   EMail: mlarson@verisign.com


   Dan Massey
   Colorado State University
   Department of Computer Science
   Fort Collins, CO 80523-1873

   EMail: massey@cs.colostate.edu


   Scott Rose
   National Institute for Standards and Technology
   100 Bureau Drive
   Gaithersburg, MD  20899-8920
   USA

   EMail: scott.rose@nist.gov

Top      Up      ToC       Page 53 
Full Copyright Statement

   Copyright (C) The Internet Society (2005).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at ietf-
   ipr@ietf.org.

Acknowledgement

   Funding for the RFC Editor function is currently provided by the
   Internet Society.