KEY Resource Record

from Wikipedia, the free encyclopedia

KEY resource records are used to propagate public keys through DNS. KEY records were used in the context of DNSSEC (DNS Security), but were replaced in 2004 by the almost identical DNSKEY resource records.

Background

Today, public key systems are considered powerful and versatile cryptographic methods. The owner of a key signs a message, for example, with the private key known only to them. A recipient can verify this signature with the corresponding public key and thus be sure that the message really comes from the sender and has not been altered.

A basic problem of public key systems is the distribution of public keys: how does a user make their public key known to the world? The procedure described here uses DNS. The key's owner stores it as a KEY RR on a publicly accessible DNS server. Anyone who needs this user's public key sends a corresponding DNS query and receives the public key in the response. The procedure thus corresponds to the propagation of IP addresses.

Structure

A KEY RR consists of the following fields:

Label: name of the key's owner
Class: only IN is permitted
Type: KEY
Flags: additional information, such as whether this is a host, zone or user key
Protocol: 1 = TLS, 2 = email, 3 = DNSSEC, 4 = IPsec, 255 = all
Encryption method: 1 = MD5, 2 = Diffie-Hellman, 3 = DSA
Key: the public key

Example

child.example IN KEY (
                       256                ; zone key
                       3                  ; DNSSEC
                       3                  ; DSA encryption
                       BOPdJjdc/ZQWCVA/ONz6LjvugMnB2KKL3F1D2i9Gdrpi
                       rcWRKS2DfRn5KiMM2HQXBHv0ZdkFs/tmjg7rYxrN+bzB
                       NrlwfU5RMjioi67PthD07EHbZjwoZ5sKC2BZ/M596hyg
                       fx5JAvbIWBQVF+ztiuCnWCkbGvVXwsmE+odINCur+o+E
                       jA9hF06LqTviUJKqTxisQO5OHM/0ufNenzIbijJPTXbU
                       cF3vW+CMlX+AUPLSag7YnhWaEu7BLCKfg3vJVw9mtaN2
                       W3oWPRdebGUf/QfyVKXoWD6zDLByCZh4wKvpcwgAsel4
                       bO5LVe7s8qstSxqrwzmvaZ5XYOMZFbN7CXtutiswAkb0
                       pkehIYime6IRkDwWDG+14H5yriRuCDK3m7GvwxMo+ggV
                       0k3Po9LD5wWSIi1N ) ; key id = 22004
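The following parser is an added example and not part of the Wikipedia article. It reads the record above in its multi-line zone-file form, drops the ";" comments and parentheses, decodes the flag bits (name type and usage, as laid out in RFC 2535), maps the protocol and algorithm numbers with the tables from the "Structure" section, Base64-decodes the key, and checks that the decoded DSA key has the T | Q | P | G | Y layout of RFC 2536. It also computes the standard key tag over the wire-format RDATA (RFC 2535 section 4.1.6, the same carry-folding sum as RFC 4034 Appendix B); the article does not state how its "key id = 22004" comment was derived, so the computed tag is returned for comparison rather than assumed to match. The record text embedded below is a copy of the page's example.

```python
import base64

# Field value tables as listed in the "Structure" section (KEY RR, RFC 2535).
PROTOCOLS = {1: "TLS", 2: "email", 3: "DNSSEC", 4: "IPsec", 255: "all"}
ALGORITHMS = {1: "MD5", 2: "Diffie-Hellman", 3: "DSA"}
# Flag bits 6-7 (RFC 2535 numbering, bit 0 = most significant) give the name type,
# bits 0-1 the permitted use of the key.
NAME_TYPES = {0: "user key", 1: "zone key", 2: "host/entity key", 3: "reserved"}
USAGE = {0: "authentication and confidentiality", 1: "confidentiality prohibited",
         2: "authentication prohibited", 3: "no key"}

# Constructed input: the article's example record as it would sit in a zone file.
EXAMPLE_KEY_RR = """\
child.example IN KEY (
    256   ; zone key
    3     ; DNSSEC
    3     ; DSA
    BOPdJjdc/ZQWCVA/ONz6LjvugMnB2KKL3F1D2i9Gdrpi
    rcWRKS2DfRn5KiMM2HQXBHv0ZdkFs/tmjg7rYxrN+bzB
    NrlwfU5RMjioi67PthD07EHbZjwoZ5sKC2BZ/M596hyg
    fx5JAvbIWBQVF+ztiuCnWCkbGvVXwsmE+odINCur+o+E
    jA9hF06LqTviUJKqTxisQO5OHM/0ufNenzIbijJPTXbU
    cF3vW+CMlX+AUPLSag7YnhWaEu7BLCKfg3vJVw9mtaN2
    W3oWPRdebGUf/QfyVKXoWD6zDLByCZh4wKvpcwgAsel4
    bO5LVe7s8qstSxqrwzmvaZ5XYOMZFbN7CXtutiswAkb0
    pkehIYime6IRkDwWDG+14H5yriRuCDK3m7GvwxMo+ggV
    0k3Po9LD5wWSIi1N ) ; key id = 22004
"""


def tokenize_rr(text):
    """Split zone-file text into tokens, dropping ';' comments and the
    parentheses that let a record span several lines."""
    tokens = []
    for line in text.splitlines():
        line = line.split(";", 1)[0]
        tokens.extend(line.replace("(", " ").replace(")", " ").split())
    return tokens


def key_tag(rdata):
    """Key tag over wire-format RDATA (RFC 2535 4.1.6 / RFC 4034 App. B):
    sum of big-endian 16-bit words, carry folded back into the low 16 bits."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_key_rr(text):
    """Parse one KEY RR in presentation format into its fields."""
    tokens = tokenize_rr(text)
    if len(tokens) < 7:
        raise ValueError("incomplete KEY record")
    owner, rrclass, rrtype = tokens[:3]
    if rrclass != "IN":
        raise ValueError(f"class {rrclass} is not permitted for KEY")
    if rrtype != "KEY":
        raise ValueError(f"expected type KEY, got {rrtype}")
    flags, protocol, algorithm = (int(t) for t in tokens[3:6])
    if not 0 <= flags <= 0xFFFF:
        raise ValueError("flags must fit in 16 bits")
    key = base64.b64decode("".join(tokens[6:]), validate=True)
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + key
    return {
        "owner": owner,
        "flags": flags,
        "usage": USAGE[(flags >> 14) & 0x3],
        "name_type": NAME_TYPES[(flags >> 8) & 0x3],
        "protocol": protocol,
        "protocol_name": PROTOCOLS.get(protocol, "unassigned"),
        "algorithm": algorithm,
        "algorithm_name": ALGORITHMS.get(algorithm, "unassigned"),
        "key": key,
        "key_tag": key_tag(rdata),
    }


def dsa_key_layout(key):
    """Check a DSA public key against the RFC 2536 layout T | Q (20 octets) |
    P | G | Y, where P, G and Y are each 64 + 8*T octets, 0 <= T <= 8."""
    if not key:
        raise ValueError("empty key")
    t = key[0]
    if t > 8:
        raise ValueError(f"DSA size parameter T={t} is out of range 0..8")
    expected = 1 + 20 + 3 * (64 + 8 * t)
    if len(key) != expected:
        raise ValueError(f"DSA key is {len(key)} octets, expected {expected} for T={t}")
    return {"T": t, "p_bits": (64 + 8 * t) * 8}


if __name__ == "__main__":
    rec = parse_key_rr(EXAMPLE_KEY_RR)
    for name in ("owner", "usage", "name_type", "protocol_name", "algorithm_name", "key_tag"):
        print(f"{name:15} {rec[name]}")
    print(f"{'key octets':15} {len(rec['key'])}")
    print(f"{'DSA layout':15} {dsa_key_layout(rec['key'])}")
```

For the record above the parser reports a zone key (flags 256 sets bit 7, so the name-type bits 6-7 read 01), protocol DNSSEC, algorithm DSA, and a 309-octet key whose first octet T = 4 matches the RFC 2536 length formula exactly (a 768-bit P). A length or T mismatch, or a key tag that differs from the one recorded beside the key, is the kind of discrepancy that signals a corrupted or tampered record before it is ever trusted.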

Security of the procedure

Propagating a public key via DNS is only sufficiently secure if the corresponding KEY RR is digitally signed by a SIG resource record and the DNS query is secured by DNSSEC. Propagation through an X.509 certificate is even more secure, but much more complex and expensive.
