KEY Resource Record
KEY Resource Records are used to distribute public keys through DNS. KEY records were used in the context of DNSSEC (DNS Security) but were replaced in 2004 by the almost identical DNSKEY resource records.
Background
Today, public key systems are considered powerful and versatile cryptographic methods. The owner of a key, for example, signs a message with the private key known only to him. A recipient can verify this signature with the corresponding public key and thus make sure that the message really originates from the sender and has not been altered.
A basic problem of public key systems is the distribution of public keys: how does a user make his public key known to the world? The method described here uses DNS. The owner of the key stores it as a KEY RR on a publicly accessible DNS server. Anyone who needs this user's public key sends a corresponding DNS query and receives the public key in the response. The procedure is thus the same as the one used to distribute IP addresses.
Construction
A KEY RR consists of the following fields:
- Label: name of the owner of the key
- Class: only IN is permitted
- Type: KEY
- Flags: additional information, such as whether this is a host, zone or user key
- Protocol: 1 = TLS, 2 = email, 3 = DNSSEC, 4 = IPsec, 255 = all
- Encryption method: 1 = MD5, 2 = Diffie-Hellman, 3 = DSA
- Key: the public key itself
Example
A KEY RR in zone-file notation (text after ";" is a comment):
child.example IN KEY ( 256    ; zone key
                       3      ; DNSSEC
                       3      ; DSA encryption
                       BOPdJjdc/ZQWCVA/ONz6LjvugMnB2KKL3F1D2i9Gdrpi
                       rcWRKS2DfRn5KiMM2HQXBHv0ZdkFs/tmjg7rYxrN+bzB
                       NrlwfU5RMjioi67PthD07EHbZjwoZ5sKC2BZ/M596hyg
                       fx5JAvbIWBQVF+ztiuCnWCkbGvVXwsmE+odINCur+o+E
                       jA9hF06LqTviUJKqTxisQO5OHM/0ufNenzIbijJPTXbU
                       cF3vW+CMlX+AUPLSag7YnhWaEu7BLCKfg3vJVw9mtaN2
                       W3oWPRdebGUf/QfyVKXoWD6zDLByCZh4wKvpcwgAsel4
                       bO5LVe7s8qstSxqrwzmvaZ5XYOMZFbN7CXtutiswAkb0
                       pkehIYime6IRkDwWDG+14H5yriRuCDK3m7GvwxMo+ggV
                       0k3Po9LD5wWSIi1N ) ; key id = 22004
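To make the field layout concrete, here is an added Python example (not code from the article or from any DNS implementation). It parses the record above from its zone-file presentation form, splits the flags field into the sub-fields defined in RFC 2535 section 3.1.2 (key use, name type, signatory field), computes the key tag that a SIG RR uses to refer to the key (RFC 2535 Appendix C, the same computation as RFC 4034 Appendix B), and checks the RFC 2536 layout of the DSA public key (algorithm 3). The function names, the descriptive strings and the use of the article's record (with translated comments) as sample input are this example's own choices.

```python
"""Decode a KEY resource record given in zone-file presentation format.

Added example, not part of the original article.
"""
import base64
import struct

# Names from the article's field table (RFC 2535 itself calls algorithm 1 RSA/MD5).
PROTOCOLS = {1: "TLS", 2: "email", 3: "DNSSEC", 4: "IPsec", 255: "all"}
ALGORITHMS = {1: "MD5", 2: "Diffie-Hellman", 3: "DSA"}

# RFC 2535 section 3.1.2, bits numbered from the most significant bit:
# bits 0-1 A/C (permitted use), bit 3 XT (extension), bits 6-7 NAMTYP,
# bits 12-15 SIG (signatory field); the remaining bits are reserved.
KEY_USE = {
    0b00: "authentication and confidentiality",
    0b01: "confidentiality only (authentication prohibited)",
    0b10: "authentication only (confidentiality prohibited)",
    0b11: "no key (NOKEY)",
}
NAME_TYPES = {0b00: "user key", 0b01: "zone key", 0b10: "host key", 0b11: "reserved"}

# The article's example record (comments translated), used as sample input.
SAMPLE_KEY_RR = """\
child.example IN KEY ( 256    ; zone key
                       3      ; DNSSEC
                       3      ; DSA encryption
                       BOPdJjdc/ZQWCVA/ONz6LjvugMnB2KKL3F1D2i9Gdrpi
                       rcWRKS2DfRn5KiMM2HQXBHv0ZdkFs/tmjg7rYxrN+bzB
                       NrlwfU5RMjioi67PthD07EHbZjwoZ5sKC2BZ/M596hyg
                       fx5JAvbIWBQVF+ztiuCnWCkbGvVXwsmE+odINCur+o+E
                       jA9hF06LqTviUJKqTxisQO5OHM/0ufNenzIbijJPTXbU
                       cF3vW+CMlX+AUPLSag7YnhWaEu7BLCKfg3vJVw9mtaN2
                       W3oWPRdebGUf/QfyVKXoWD6zDLByCZh4wKvpcwgAsel4
                       bO5LVe7s8qstSxqrwzmvaZ5XYOMZFbN7CXtutiswAkb0
                       pkehIYime6IRkDwWDG+14H5yriRuCDK3m7GvwxMo+ggV
                       0k3Po9LD5wWSIi1N ) ; key id = 22004
"""


def decode_flags(flags):
    """Split the 16-bit flags field into its RFC 2535 sub-fields."""
    if not 0 <= flags <= 0xFFFF:
        raise ValueError("flags must fit in 16 bits")
    return {
        "key_use": KEY_USE[(flags >> 14) & 0b11],
        "extension": bool((flags >> 12) & 1),
        "name_type": NAME_TYPES[(flags >> 8) & 0b11],
        "signatory": flags & 0xF,
    }


def parse_key_rr(text):
    """Parse 'owner [ttl] IN KEY ( flags protocol algorithm base64... )'."""
    # Zone-file syntax: ';' starts a comment, parentheses join several lines.
    joined = " ".join(line.split(";", 1)[0] for line in text.splitlines())
    tokens = joined.replace("(", " ").replace(")", " ").split()
    if "KEY" not in tokens:
        raise ValueError("not a KEY record")
    i = tokens.index("KEY")
    if i < 2 or tokens[i - 1] != "IN":      # only class IN is permitted
        raise ValueError("KEY records must be class IN")
    flags, protocol, algorithm = (int(t) for t in tokens[i + 1:i + 4])
    public_key = base64.b64decode("".join(tokens[i + 4:]), validate=True)
    record = {
        "owner": tokens[0],
        "flags": flags,
        "protocol": protocol,
        "protocol_name": PROTOCOLS.get(protocol, "unassigned"),
        "algorithm": algorithm,
        "algorithm_name": ALGORITHMS.get(algorithm, "unassigned"),
        "public_key": public_key,
    }
    record.update(decode_flags(flags))
    return record


def key_rdata(flags, protocol, algorithm, public_key):
    """Wire-format RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata):
    """Key tag over the RDATA (RFC 2535 Appendix C / RFC 4034 Appendix B)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def dsa_key_layout(public_key):
    """Field sizes of an RFC 2536 DSA key: T, Q (20 bytes), P, G, Y (64+8T each)."""
    t = public_key[0]
    if t > 8:
        raise ValueError("T must be in the range 0..8")
    size = 64 + 8 * t
    expected = 1 + 20 + 3 * size
    if len(public_key) != expected:
        raise ValueError(f"DSA key with T={t} must be {expected} bytes, got {len(public_key)}")
    return {"t": t, "q_bytes": 20, "p_bytes": size, "p_bits": size * 8}


if __name__ == "__main__":
    rec = parse_key_rr(SAMPLE_KEY_RR)
    rdata = key_rdata(rec["flags"], rec["protocol"], rec["algorithm"], rec["public_key"])
    print(rec["owner"], rec["name_type"], rec["protocol_name"], rec["algorithm_name"])
    print("key tag:", key_tag(rdata), "DSA layout:", dsa_key_layout(rec["public_key"]))
```

Running the script shows that flags 256 (0x0100) set only the NAMTYP bits to 01, i.e. a zone key that may be used for both authentication and confidentiality, and that the 309-byte key matches the RFC 2536 DSA layout with T = 4, i.e. a 768-bit prime P. The computed key tag is the value a SIG RR would carry to identify this key; it can be compared with the key id given in the record's trailing comment.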
Security of the procedure
Distributing a public key via DNS is only sufficiently secure if the corresponding KEY RR is digitally signed by a SIG resource record and the DNS query is protected by DNSSEC. Distribution by means of an X.509 certificate is even more secure, but considerably more complex and expensive.
Web links
- RFC 2535 - DNS Security Extension