<?xmlversion="1.0"?> <!-- This template is for creating an Internet Draft using xml2rfc, which is available here: http://xml.resource.org. -->version="1.0" encoding="UTF-8"?> <!DOCTYPE rfc SYSTEM"rfc2629.dtd"> <?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?> <!-- used by XSLT processors --> <!-- For a complete list and description of processing instructions (PIs), please see http://xml.resource.org/authoring/README.html. --> <!-- Below are generally applicable Processing Instructions (PIs) that most I-Ds might want to use. (Here they are set differently than their defaults in xml2rfc v1.32) --> <?rfc strict="yes" ?> <!-- give errors regarding ID-nits and DTD validation --> <!-- control the table of contents (ToC) --> <?rfc toc="yes"?> <?rfc tocappendix="yes"?> <!-- generate a ToC --> <?rfc tocdepth="3"?> <!-- the number of levels of subsections in ToC. default: 3 --> <!-- control references --> <?rfc symrefs="yes"?> <!-- use symbolic references tags, i.e, [RFC2119] instead of [1] --> <?rfc sortrefs="yes" ?> <!-- sort the reference entries alphabetically --> <!-- control vertical white space (using these PIs as follows is recommended by the RFC Editor) --> <?rfc compact="yes" ?> <!-- do not start each main section on a new page --> <?rfc subcompact="no" ?> <!-- keep one blank line between list items --> <!-- end of list of popular I-D processing instructions --> <?rfc comments="no" ?> <?rfc inline="yes" ?> <!-- includes pre RFC 5378 (2008) material -->"rfc2629-xhtml.ent"> <rfc xmlns:xi="http://www.w3.org/2001/XInclude" submissionType="IETF" category="std" consensus="true" docName="draft-ietf-dnsop-rfc2845bis-09" number="8945" ipr="pre5378Trust200902" obsoletes="2845, 4635">updates="" xml:lang="en" tocInclude="true" tocDepth="3" symRefs="true" sortRefs="true" version="3"> <!-- xml2rfc v2v3 conversion 2.46.0 --> <front> <title abbrev="DNS TSIG">Secret Key Transaction Authentication for DNS (TSIG)</title> <seriesInfo name="RFC" value="8945"/> <seriesInfo name="STD" value="93"/> <author fullname="Francis Dupont" initials="F" surname="Dupont"> <organization abbrev="ISC">Internet Systems Consortium, Inc.</organization> <address> <postal> <street>PO Box 360</street> <city>Newmarket</city> <region>NH</region> <code>03857</code> <country>United States of America</country> </postal> <email>Francis.Dupont@fdupont.fr</email> </address> </author> <author fullname="Stephen Morris" initials="S" surname="Morris"> <organizationabbrev="ISC">Internet Systems Consortium, Inc.</organization>abbrev="Unaffiliated">Unaffiliated</organization> <address> <postal><street>PO Box 360</street> <city>Newmarket</city> <region>NH</region> <code>03857</code><country>UnitedStates of America</country>Kingdom</country> </postal> <email>sa.morris8@gmail.com</email> </address> </author> <author fullname="Paul Vixie" initials="P" surname="Vixie"> <organization abbrev="Farsight">Farsight Security Inc</organization> <address> <postal> <street>177 BovetRoad, Suite 180</street>Road</street> <extaddr>Suite 180</extaddr> <city>San Mateo</city> <region>CA</region> <code>94402</code> <country>United States of America</country> </postal> <email>paul@redbarn.org</email> </address> </author> <author fullname="Donald E. Eastlake 3rd" initials="D" surname="Eastlake 3rd"> <organization abbrev="Futurewei">Futurewei Technologies</organization> <address> <postal> <street>2386 Panoramic Circle</street> <city>Apopka</city> <region>FL</region> <code>32703</code> <country>United States of America</country> </postal> <email>d3e3e3@gmail.com</email> </address> </author> <author fullname="Olafur Gudmundsson" initials="O" surname="Gudmundsson"> <organization abbrev="Cloudflare">Cloudflare</organization> <address> <postal> <street/><city>San Francisco</city> <region>CA</region> <code>94107</code><city></city> <region></region> <code></code> <country>United States of America</country> </postal> <email>olafur+ietf@cloudflare.com</email> </address> </author> <author fullname="Brian Wellington" initials="B" surname="Wellington"> <organization abbrev="Akamai">Akamai</organization> <address> <postal> <street/> <country>United States of America</country> </postal> <email>bwelling@akamai.com</email> </address> </author><date/><date year="2020" month="November" /> <area>Operations and Management Area</area> <workgroup>Internet Engineering Task Force</workgroup> <abstract> <t>This document describes a protocol fortransaction leveltransaction-level authentication using shared secrets andone wayone-way hashing. It can be used to authenticate dynamic updates to a DNS zone as coming from an approvedclient,client or to authenticate responses as coming from an approved name server.</t> <t>No recommendation is made here for distributing the sharedsecrets:secrets; it is expected that a network administrator will statically configure name servers and clients using someout of bandout-of-band mechanism.</t> <t>This document obsoletesRFC2845RFCs 2845 andRFC4635.</t>4635.</t> </abstract> </front> <middle> <sectiontitle="Introduction">numbered="true" toc="default"> <name>Introduction</name> <sectiontitle="Background">numbered="true" toc="default"> <name>Background</name> <t>The Domain Name System(DNS, <xref target="RFC1034"/>,(DNS) (<xref target="RFC1034" format="default"/> <xreftarget="RFC1035"/>)target="RFC1035" format="default"/>) is a replicated hierarchical distributed database system that provides information fundamental to Internet operations, such asname to addressname-to-address translation andmail handlingmail-handling information.</t> <t>This document specifies use of a message authentication code (MAC), generated using certain keyed hash functions, to provide an efficient means of point-to-point authentication and integrity checking for DNS transactions. Such transactions include DNS update requests and responses for which this can provide a lightweight alternative to the secure DNS dynamic update protocol described by <xreftarget="RFC3007"/>.</t>target="RFC3007" format="default"/>.</t> <t>A further use of this mechanism is to protect zone transfers. In thiscasecase, the data covered would be the whole zone transfer including any glue records sent. The protocol described by DNSSEC (<xreftarget="RFC4033"/>,target="RFC4033" format="default"/>, <xreftarget="RFC4034"/>,target="RFC4034" format="default"/>, <xreftarget="RFC4035"/>)target="RFC4035" format="default"/>) does not protect glue records and unsigned records.</t> <t>The authentication mechanism proposed here provides a simple and efficient authentication between clients and servers, by using shared secret keys to establish a trust relationship between two entities. Such keys must be protected in a manner similar to private keys, lest a third party masquerade as one of the intended parties (by forging the MAC). The proposal is unsuitable for generalserver to serverserver-to-server authentication and for serverswhichthat speak with many other servers, since key management would become unwieldy with the number of shared keys going up quadratically. But it is suitable for many resolvers on hosts that only talk to a few recursive servers.</t> </section> <sectiontitle="Protocol Overview">numbered="true" toc="default"> <name>Protocol Overview</name> <t>Secret Key Transaction Authentication makes use of signatures on messages sent between the parties involved(e.g.(e.g., resolver and server). These are known as "transaction signatures", or TSIG. For historical reasons, in thisdocumentdocument, they are referred to as message authentication codes(MAC).</t>(MACs).</t> <t>Use of TSIG presumes prior agreement between the two parties involved (e.g., resolver and server) as to any algorithm and key to be used. The way that this agreement is reached is outside the scope of the document.</t> <t>A DNS message exchange involves the sending of a query and the receipt of one of more DNS messages in response. For the query, the MAC is calculated based on the hash of the contents and the agreed TSIG key. The MAC for the response issimilar,similar but also includes the MAC of the query as part of the calculation. Where a response comprises multiple packets, the calculation of the MAC associated with the second and subsequent packets includes in its inputs the MAC for the preceding packet. In thiswayway, it is possible to detect any interruption in the packet sequence, although not its premature termination.</t> <t>The MAC is contained in a TSIG resource record included in theAdditional Sectionadditional section of the DNS message.</t> </section> <sectiontitle="Document History">numbered="true" toc="default"> <name>Document History</name> <t>TSIG was originally specified by <xreftarget="RFC2845"/>.target="RFC2845" format="default"/>. In 2017, twonameservername server implementations strictly following that document (and the related <xreftarget="RFC4635"/>)target="RFC4635" format="default"/>) were discovered to have security problems related to this feature (<xreftarget="CVE-2017-3142"/>,target="CVE-2017-3142" format="default"/>, <xreftarget="CVE-2017-3143"/>,target="CVE-2017-3143" format="default"/>, <xreftarget="CVE-2017-11104"/>).target="CVE-2017-11104" format="default"/>). The implementations werefixed but,fixed, but to avoid similar problems in the future, the two documents were updated and merged, producing this revised specification for TSIG.</t> <t>While TSIG implemented according to this RFC provides for enhanced security, there are no changes in interoperability. TSIGison the wire is still the same mechanism described in <xreftarget="RFC2845"/>;target="RFC2845" format="default"/>; only the checking semantics have been changed. See <xreftarget="issuesfixed"/>target="issuesfixed" format="default"/> for further details.</t> </section> </section> <sectiontitle="Key Words" anchor="keywords"> <t>Theanchor="keywords" numbered="true" toc="default"> <name>Key Words</name> <t> The key words"MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY","<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>", "<bcp14>MAY</bcp14>", and"OPTIONAL""<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as described inBCP 14BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they appear in all capitals, as shownhere.</t>here. </t> </section> <sectiontitle="Assigned Numbers" anchor="numbers">anchor="numbers" numbered="true" toc="default"> <name>Assigned Numbers</name> <t>This document defines the followingRRResource Record (RR) type and associated value:</t><t><list style="hanging" hangIndent="6"> <t>TSIG (250)</t> </list></t><ul empty="true"> <li>TSIG (250)</li> </ul> <t>In addition, the document also defines the following DNS RCODEs and associated names:</t><t><list style="hanging" hangIndent="6"> <t>16 (BADSIG)<vspace/> 17 (BADKEY)<vspace/> 18 (BADTIME)<vspace/> 22 (BADTRUNC)</t> </list></t><ul empty="true" spacing="compact"> <li>16 (BADSIG)</li> <li>17 (BADKEY)</li> <li>18 (BADTIME)</li> <li>22 (BADTRUNC)</li> </ul> <t>(See <xreftarget="RFC6895"/> Section 2.3target="RFC6895" sectionFormat="of" section="2.3"/> concerning the assignment of the value 16 to BADSIG.)</t> <t>These RCODES may appear within the "Error" field of a TSIG RR.</t> </section> <sectiontitle="TSIGnumbered="true" toc="default"> <name>TSIG RRFormat">Format</name> <sectiontitle="TSIGnumbered="true" toc="default"> <name>TSIG RRType">Type</name> <t>To provide secret key authentication, we use an RR type whose mnemonic is TSIG and whose type code is 250. TSIG is a meta-RR andMUST NOT<bcp14>MUST NOT</bcp14> be cached. TSIG RRs are used for authentication between DNS entities that have established a shared secret key. TSIG RRs are dynamically computed to cover a particular DNS transaction and are not DNS RRs in the usual sense.</t> <t>As the TSIG RRs are related to one DNS request/response, there is no value in storing or retransmittingthem, thusthem; thus, the TSIG RR is discarded once it has been used to authenticate a DNS message.</t> </section> <sectiontitle="TSIGanchor="format" numbered="true" toc="default"> <name>TSIG RecordFormat" anchor="format">Format</name> <t>The fields of the TSIG RR are described below.As is usual, allAll multi-octet integers in the record are sent in network byte order (see <xreftarget="RFC1035"/> 2.3.2).</t> <t><list style="hanging" hangIndent="6"> <t hangText="NAME">Thetarget="RFC1035" sectionFormat="of" section="2.3.2"/>).</t> <dl newline="false" spacing="normal"> <dt>NAME:</dt> <dd><t>The name of the key used, in domain name syntax. The name should reflect the names of the hosts and uniquely identify the key among a set of keys these two hosts may share at any given time. For example, if hosts A.site.example and B.example.net share a key, possibilities for the key name include <id>.A.site.example, <id>.B.example.net, and <id>.A.site.example.B.example.net. It should be possible for more than one key to be in simultaneous use among a set of interacting hosts. This allows for periodic key rotation as per best operational practices, as well as algorithm agility as indicated by <xreftarget="BCP201"/>.</t>target="RFC7696" format="default"/>.</t> <t>The name may be used as a local index to the keyinvolvedinvolved, but it is recommended that it be globally unique. Where a key is just shared between two hosts, its name actually need only be meaningful tothemthem, but it is recommended that the key name be mnemonic andincorporatesincorporate the names of participating agents or resources as suggestedabove.</t> <t hangText="TYPE">This MUSTabove.</t></dd> <dt>TYPE:</dt> <dd>This <bcp14>MUST</bcp14> be TSIG (250: TransactionSIGnature)</t> <t hangText="CLASS">This MUST be ANY</t> <t hangText="TTL">This MUST be 0</t> <t hangText="RdLen">(variable)</t> <t hangText="RDATA">TheSIGnature).</dd> <dt>CLASS:</dt> <dd>This <bcp14>MUST</bcp14> be ANY.</dd> <dt>TTL:</dt> <dd>This <bcp14>MUST</bcp14> be 0.</dd> <dt>RDLENGTH:</dt> <dd>(variable)</dd> <dt>RDATA:</dt> <dd>The RDATA for a TSIG RR consists of a number of fields, describedbelow:</t> </list></t> <figure><artwork>below:</dd> </dl> <artwork name="" type="" align="left" alt=""><![CDATA[ 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ / Algorithm Name / +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | Time Signed +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | Fudge | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | MAC Size | / +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ MAC / / / +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Original ID | Error | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Other Len | / +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Other Data / / / +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+</artwork></figure> <t><list style="hanging" hangIndent="6">]]></artwork> <t>The contents of the RDATA fieldsare: <list style="symbols"> <t>Algorithm Name - aare:</t> <dl newline="true" spacing="normal"> <dt>Algorithm Name:</dt> <dd>an octet sequence identifying the TSIG algorithmnamein the domain name syntax. (Allowed names are listed in <xreftarget="allowed-algorithms"/>.)target="allowed-algorithms" format="default"/>.) The name is stored in the DNS name wire format as described in <xreftarget="RFC1034"/>.target="RFC1034" format="default"/>. As per <xreftarget="RFC3597"/>,target="RFC3597" format="default"/>, this nameMUST NOT<bcp14>MUST NOT</bcp14> becompressed.</t> <t>Time Signed - ancompressed.</dd> <dt>Time Signed:</dt> <dd>an unsigned 48-bit integer containing the time the message was signed as seconds since 00:00 on 1970-01-01 UTC, ignoring leapseconds.</t> <t>Fudge - anseconds.</dd> <dt>Fudge:</dt> <dd>an unsigned 16-bit integer specifying the allowed time difference in seconds permitted in the Time Signedfield.</t> <t>MAC Size - anfield.</dd> <dt>MAC Size:</dt> <dd>an unsigned 16-bit integer giving the length of the MAC field in octets. Truncation is indicated by a MACsizeSize less than the size of the keyed hash produced by the algorithm specified by the AlgorithmName.</t> <t>MAC - aName.</dd> <dt>MAC:</dt> <dd>a sequence of octets whose contents are defined by the TSIG algorithm used, possibly truncated as specified by the MAC Size. The length of this field is given by theMacMAC Size. Calculation of the MAC is detailed in <xreftarget="mac_computation"/>.</t> <t>Original ID - Antarget="mac_computation" format="default"/>.</dd> <dt>Original ID:</dt> <dd>an unsigned 16-bit integer holding the message ID of the original request message. For a TSIG RR on a request, it is set equal to the DNS message ID. In a TSIG attached to a response--- or in cases such as the forwarding of a dynamic update request--- the field contains the ID of the original DNSrequest.</t> <t>Error - inrequest.</dd> <dt>Error:</dt> <dd>in responses, an unsigned 16-bit integer containing the extended RCODE covering TSIG processing. In requests, thisMUST<bcp14>MUST</bcp14> bezero.</t> <t>Other Len - anzero.</dd> <dt>Other Len:</dt> <dd>an unsigned 16-bit integer specifying the length of the"Other Data"Other Data field inoctets.</t> <t>Other Data - additionaloctets.</dd> <dt>Other Data:</dt> <dd>additional data relevant to the TSIG record. In responses, this will be empty(i.e. "Other Len"(i.e., Other Len will be zero) unless the content of the Error field is BADTIME, in which case it will be a 48-bit unsigned integer containing the server's current time as the number of seconds since 00:00 on 1970-01-01 UTC, ignoring leap seconds (see <xreftarget="time_check"/>).target="time_check" format="default"/>). This document assigns no meaning to its contents inrequests.</t> </list> </t> </list></t>requests.</dd> </dl> </section> <sectiontitle="MAC Computation" anchor="mac_computation">anchor="mac_computation" numbered="true" toc="default"> <name>MAC Computation</name> <t>When generating or verifying the contents of a TSIG record, the data listed in the rest of this section are passed, in the order listed below, as input to MAC computation. The data are passed in network byte order or wire format, asappropriate,appropriate and are fed into the hashing function as a continuous octet sequence with nointer-fieldinterfield separator or padding.</t> <sectiontitle="Request MAC">numbered="true" toc="default"> <name>Request MAC</name> <t>Only included in the computation of a MAC for a response message (or the first message in a multi-message response), the validated request MACMUST<bcp14>MUST</bcp14> be included in the MAC computation. If the request MAC failed to validate, an unsigned error messageMUST<bcp14>MUST</bcp14> be returnedinstead.instead (<xreftarget="on_error"/>).</t>target="on_error" format="default"/>).</t> <t>The request's MAC, comprising the following fields, is digested in wire format:</t><texttable style="headers"> <ttcol>Field</ttcol> <ttcol>Type</ttcol> <ttcol>Description</ttcol> <c>MAC Length</c> <c>Unsigned<table anchor="mac-field" align="center"> <name>Request's MAC</name> <thead> <tr> <th align="left">Field</th> <th align="left">Type</th> <th align="left">Description</th> </tr> </thead> <tbody> <tr> <td align="left">MAC Size</td> <td align="left">Unsigned 16-bitinteger</c> <c>ininteger</td> <td align="left">in network byteorder</c> <c>MAC Data</c> <c>octet sequence</c> <c>exactly as transmitted</c> </texttable>order</td> </tr> <tr> <td align="left">MAC Data</td> <td align="left">octet sequence</td> <td align="left">exactly as transmitted</td> </tr> </tbody> </table> <t>Special considerations apply to the TSIG calculation for the second and subsequent messages in a response that consists of multiple DNS messages(e.g.(e.g., a zone transfer). These are described in <xreftarget="tcp"/>.</t>target="tcp" format="default"/>.</t> </section> <sectiontitle="DNS Message"> <t>The DNS message used innumbered="true" toc="default"> <name>DNS Message</name> <t>In the MACcomputation is a whole and completecomputation, the whole/complete DNS message in wireformat.</t>format is used.</t> <t>When creatinga TSIG, itan outgoing message, the TSIG is based on the message content before the TSIG RR has been added to the additionaldatasection and before the DNS Message Header's ARCOUNTfieldhas been incremented tocontaininclude the TSIG RR.</t> <t>When verifying an incoming message,itthe TSIG is checked against the message after the TSIG RR has beenremoved andremoved, the ARCOUNTfield decremented. Ifdecremented, and the message IDdiffers from the original message ID,replaced by the original message IDis substituted forfrom themessage ID.TSIG if those IDs differ. (This could happen, for example, when forwarding a dynamic update request.)</t> </section> <sectiontitle="TSIG Variables">numbered="true" toc="default"> <name>TSIG Variables</name> <t>Also included in the digest is certain information present in the TSIG RR. Adding this data provides further protection against an attempt to interfere with the message.</t><texttable style="headers" anchor="tisg-field-names"> <ttcol>Source</ttcol> <ttcol>Field Name</ttcol> <ttcol>Notes</ttcol> <c>TSIG RR</c> <c>NAME</c> <c>Key<table anchor="tisg-field-names" align="center"> <name>TSIG Variables</name> <thead> <tr> <th align="left">Source</th> <th align="left">Field Name</th> <th align="left">Notes</th> </tr> </thead> <tbody> <tr> <td align="left">TSIG RR</td> <td align="left">NAME</td> <td align="left">Key name, in canonical wireformat</c> <c>TSIG RR</c> <c>CLASS</c> <c>(Always ANY in the current specification)</c> <c>TSIG RR</c> <c>TTL</c> <c>(Always 0 in the current specification)</c> <c>TSIG RDATA</c> <c>Algorithm Name</c> <c>informat</td> </tr> <tr> <td align="left">TSIG RR</td> <td align="left">CLASS</td> <td align="left"><bcp14>MUST</bcp14> be ANY</td> </tr> <tr> <td align="left">TSIG RR</td> <td align="left">TTL</td> <td align="left"><bcp14>MUST</bcp14> be 0</td> </tr> <tr> <td align="left">TSIG RDATA</td> <td align="left">Algorithm Name</td> <td align="left">in canonical wireformat</c> <c>TSIG RDATA</c> <c>Time Signed</c> <c>informat</td> </tr> <tr> <td align="left">TSIG RDATA</td> <td align="left">Time Signed</td> <td align="left">in network byteorder</c> <c>TSIG RDATA</c> <c>Fudge</c> <c>inorder</td> </tr> <tr> <td align="left">TSIG RDATA</td> <td align="left">Fudge</td> <td align="left">in network byteorder</c> <c>TSIG RDATA</c> <c>Error</c> <c>inorder</td> </tr> <tr> <td align="left">TSIG RDATA</td> <td align="left">Error</td> <td align="left">in network byteorder</c> <c>TSIG RDATA</c> <c>Other Len</c> <c>inorder</td> </tr> <tr> <td align="left">TSIG RDATA</td> <td align="left">Other Len</td> <td align="left">in network byteorder</c> <c>TSIG RDATA</c> <c>Other Data</c> <c>exactly as transmitted</c> </texttable>order</td> </tr> <tr> <td align="left">TSIG RDATA</td> <td align="left">Other Data</td> <td align="left">exactly as transmitted</td> </tr> </tbody> </table> <t>The RRRDLENRDLENGTH and RDATA MACLengthSize are not included in the input to MACcomputationcomputation, since they are not guaranteed to be knowable before the MAC is generated.</t> <t>The Original ID field is not included in this section, as it has already been substituted for the message ID in the DNS header and hashed.</t> <t>For each label type, there must be a defined "Canonical wire format" that specifies how to express a label in an unambiguous way. For label type 00, this is defined in <xreftarget="RFC4034"/> Section 6.2.target="RFC4034" sectionFormat="of" section="6.2"/>. The use of label types other than 00 is not defined for this specification.</t> <sectiontitle="Timenumbered="true" toc="default"> <name>Time Values Used in TSIGCalculations">Calculations</name> <t>The data digested includes the two timer values in the TSIG header in order to defend against replay attacks. If this were not done, an attacker could replay old messages but update the"Time Signed"Time Signed and"Fudge"Fudge fields to make the message look new.This data isThe two fields are collectively named "TSIG Timers", and for the purpose of MAC calculation, they are hashed in their"on the wire"wire format, in the following order: first Time Signed, then Fudge.</t> </section> </section> </section> </section> <sectiontitle="Protocol Details" anchor="details">anchor="details" numbered="true" toc="default"> <name>Protocol Details</name> <sectiontitle="Generationnumbered="true" toc="default"> <name>Generation of TSIG onRequests">Requests</name> <t>Once the outgoing record has been constructed, the client performs the keyed hash(HMAC)(Hashed Message Authentication Code (HMAC)) computation, appends a TSIG record with the calculated MAC to theAdditional Dataadditional section (incrementing the ARCOUNT to reflect the additional RR), and transmits the request to the server. This TSIG recordMUST<bcp14>MUST</bcp14> be the only TSIG RR in the message andMUST<bcp14>MUST</bcp14> be the last record in theAdditional Dataadditional data section. The clientMUST<bcp14>MUST</bcp14> store the MAC and the key name from the request while awaiting an answer.</t> <t>The digest components for a request are:</t><t><list style="empty"> <t>DNS<ul empty="true" spacing="compact"> <li>DNS Message(request)<vspace/> TSIG(request)</li> <li>TSIG Variables(request)</t> </list></t>(request)</li> </ul> </section> <sectiontitle="Serveranchor="request_processing" numbered="true" toc="default"> <name>Server Processing ofRequest" anchor="request_processing">Request</name> <t>If an incoming message contains a TSIG record, itMUST<bcp14>MUST</bcp14> be the last record in the additional section. Multiple TSIG records are not allowed. If multiple TSIG records are detected or a TSIG record is present in any other position, the DNS message is dropped and a response with RCODE 1 (FORMERR)MUST<bcp14>MUST</bcp14> be returned. Upon receipt of a message with exactly one correctly placed TSIG RR, a copy of the TSIG RR isstored,stored and the TSIG RR is removed from the DNSMessage,message and decremented out of the DNS message header's ARCOUNT.</t> <t>If the TSIG RR cannot be interpreted, the serverMUST<bcp14>MUST</bcp14> regard the message as corrupt and return a FORMERR to the server.OtherwiseOtherwise, the server isREQUIRED<bcp14>REQUIRED</bcp14> to return a TSIG RR in the response.</t> <t>To validate the received TSIG RR, the serverMUST<bcp14>MUST</bcp14> perform the following checks in the following order:</t><t><list style="hanging"> <t>1. Check KEY<vspace/> 2. Check MAC<vspace/> 3. Check TIME values<vspace/> 4. Check Truncation policy</t> </list></t><ol type="1" spacing="normal"> <li>Check key</li> <li>Check MAC</li> <li>Check time values</li> <li>Check truncation policy</li> </ol> <sectiontitle="Keynumbered="true" toc="default"> <name>Key Check and ErrorHandling">Handling</name> <t>If a non-forwarding server does not recognize the key or algorithm used by the client (or recognizes the algorithm but does not implement it), the serverMUST<bcp14>MUST</bcp14> generate an error response with RCODE 9 (NOTAUTH) and TSIG ERROR 17 (BADKEY). This responseMUST<bcp14>MUST</bcp14> be unsigned as specified in <xreftarget= "on_error"/>.target="on_error" format="default"/>. The serverSHOULD<bcp14>SHOULD</bcp14> log the error. (Special considerations apply to forwardingservers,servers; see <xreftarget="forwarding"/>.)</t>target="forwarding" format="default"/>.)</t> </section> <sectiontitle="MACnumbered="true" toc="default"> <name>MAC Check and ErrorHandling">Handling</name> <t>Using the information in the TSIG, the serverMUST<bcp14>MUST</bcp14> verify the MAC by doing its own calculation and comparing the result with the MAC received. If the MAC fails to verify, the serverMUST<bcp14>MUST</bcp14> generate an error response as specified in <xreftarget="on_error"/>target="on_error" format="default"/> with RCODE 9 (NOTAUTH) and TSIG ERROR 16 (BADSIG). This responseMUST<bcp14>MUST</bcp14> beunsignedunsigned, as specified in <xreftarget="on_error"/>.target="on_error" format="default"/>. The serverSHOULD<bcp14>SHOULD</bcp14> log the error.</t> <sectiontitle="MAC Truncation" anchor="trunc">anchor="trunc" numbered="true" toc="default"> <name>MAC Truncation</name> <t>When space is at a premium and the strength of the full length of a MAC is not needed, it is reasonable to truncate the keyed hash and use the truncated value for authentication. HMAC SHA-1 truncated to 96 bits is an option available in several IETF protocols, including IPsec and TLS. However, while this option is kept for backwards compatibility, it may not provide a security level appropriate for all cases in the modern environment. In these cases, it is preferable to use a hashing algorithm such as SHA-256-128,SHA-384-192SHA-384-192, or SHA-512-256 <xreftarget="RFC4868"/>.target="RFC4868" format="default"/>. </t> <t>Processing of a truncated MAC follows these rules:</t><t><list style="numbers"> <t>If "MAC size"<dl spacing="normal"> <dt>If the MAC Size field is greater than the keyed hash outputlength: <vspace/><vspace/> Thislength:</dt><dd>This caseMUST NOT<bcp14>MUST NOT</bcp14> be generated and, if received,MUST<bcp14>MUST</bcp14> cause the DNS message to be dropped and RCODE 1 (FORMERR) to bereturned. </t> <t>If "MAC size"returned.</dd> <dt>If the MAC Size field equals the keyed hash outputlength: <vspace/><vspace/> Thelength:</dt><dd>The entireoutputkeyed hash output is present andused. </t> <t>"MAC size"used.</dd> <dt>If the MAC Size field is less than the larger of 10 (octets) and half the length of the hash function inuse: <vspace/><vspace/> Withuse:</dt><dd>With the exception of certain TSIG error messages described in <xreftarget="on_error"/>,target="on_error" format="default"/>, where it is permitted that the MACsizeSize be zero, this caseMUST NOT<bcp14>MUST NOT</bcp14> be generated and, if received,MUST<bcp14>MUST</bcp14> cause the DNS message to be dropped and RCODE 1 (FORMERR) to bereturned. </t> <t>Otherwise: <vspace/><vspace/> Thisreturned.</dd> <dt>Otherwise:</dt><dd>This is sent when the signer has truncated the keyed hash output to an allowable length, as described in <xreftarget="RFC2104"/>,target="RFC2104" format="default"/>, taking initial octets and discarding trailing octets. TSIG truncation can only be to an integral number of octets. On receipt of a DNS message with truncation thus indicated, the locally calculated MAC is similarlytruncatedtruncated, and only the truncated values are compared for authentication. The request MAC used when calculating the TSIG MAC for a reply is the truncated requestMAC. </t> </list></t>MAC.</dd> </dl> </section> </section> <sectiontitle="Timeanchor="time_check" numbered="true" toc="default"> <name>Time Check and ErrorHandling" anchor="time_check">Handling</name> <t>If the server time is outside the time interval specified by the request (whichis:is the TimeSigned,Signed value plus/minusFudge),the Fudge value), the serverMUST<bcp14>MUST</bcp14> generate an error response with RCODE 9 (NOTAUTH) and TSIG ERROR 18 (BADTIME). The serverSHOULD<bcp14>SHOULD</bcp14> also cache the most recent Time Signed value in a message generated by akey,key andSHOULD<bcp14>SHOULD</bcp14> return BADTIME if a message received later has an earlier Time Signed value. A response indicating a BADTIME errorMUST<bcp14>MUST</bcp14> be signed by the same key as the request. ItMUST<bcp14>MUST</bcp14> include the client's current time in the Time Signed field, the server's current time (an unsigned 48-bit integer) in the Other Data field, and 6 in the Other Len field. This is done so that the client can verify a message with a BADTIME error without the verification failing due to another BADTIME error. In addition, the Fudge fieldMUST<bcp14>MUST</bcp14> be set to the fudge value received from the client. The data signed is specified in <xreftarget="on_error"/>.target="on_error" format="default"/>. The serverSHOULD<bcp14>SHOULD</bcp14> log the error.</t> <t>Caching the most recent Time Signed value and rejecting requests with an earlier one could lead to valid messages being rejected if transit through the network led to UDP packets arriving in a different order to the one in which they were sent. Implementations should be aware of this possibility and be prepared to deal with it,e.g.e.g., by retransmitting the rejected request with a new TSIG once outstanding requests have completed or the time given by their Time Signed value plusfudgethe Fudge value has passed. If implementations do retry requests in these cases, a limitSHOULD<bcp14>SHOULD</bcp14> be placed on the maximum number of retries.</t> </section> <sectiontitle="Truncationanchor="trunc_check" numbered="true" toc="default"> <name>Truncation Check and ErrorHandling" anchor="trunc_check">Handling</name> <t>If a TSIG is received with truncation that is permittedunderper <xreftarget="trunc"/> abovetarget="trunc" format="default"/> but the MAC is too short for the local policy in force, an RCODE 9 (NOTAUTH) and TSIG ERROR 22 (BADTRUNC)MUST<bcp14>MUST</bcp14> be returned. The serverSHOULD<bcp14>SHOULD</bcp14> log the error.</t> </section> </section> <sectiontitle="Generationanchor="answers" numbered="true" toc="default"> <name>Generation of TSIG onAnswers" anchor="answers">Answers</name> <t>When a server has generated a response to a signed request, it signs the response using the same algorithm and key. The serverMUST NOT<bcp14>MUST NOT</bcp14> generate a signed response to a request if either theKEYkey is invalid(e.g.(e.g., key name or algorithm name areunknown),unknown) or the MAC failsvalidation:validation; see <xreftarget="on_error"/>target="on_error" format="default"/> for details of responding in these cases.</t> <t>It alsoMUST NOT not<bcp14>MUST NOT</bcp14> generate a signed response to an unsigned request, except in the case of a response to a client's unsigned TKEY request if the secret key is established on the server side after the server processed the client's request. Signing responses to unsigned TKEY requestsMUST<bcp14>MUST</bcp14> be explicitly specified in the description of an individual secret key establishment algorithm <xreftarget="RFC3645"/>.</t>target="RFC3645" format="default"/>.</t> <t>The digest components used to generate a TSIG on a response are:</t><t><list style="empty"> <t>Request MAC<vspace/> DNS<ul empty="true" spacing="compact"> <li>Request MAC</li> <li>DNS Message(response)<vspace/> TSIG(response)</li> <li>TSIG Variables(response)</t> </list></t>(response)</li> </ul> <t>(This calculation is different for the second and subsequent message in a multi-messageanswer,answer; see below.)</t> <t>If addition of the TSIG record will cause the message to be truncated, the serverMUST<bcp14>MUST</bcp14> alter the response so that a TSIG can be included. This responseconsists ofcontains only the question and a TSIG record,andhas the TC bitsetset, and has an RCODE of 0 (NOERROR).The client SHOULD atAt thispointpoint, the client <bcp14>SHOULD</bcp14> retry the request using TCP (as per <xreftarget="RFC1035"/> 4.2.2).</t>target="RFC1035" sectionFormat="of" section="4.2.2"/>).</t> <sectiontitle="TSIGanchor="tcp" numbered="true" toc="default"> <name>TSIG on TCPConnections" anchor="tcp">Connections</name> <t>A DNS TCPsessionsession, such as a zonetransfertransfer, can include multiple DNS messages. Using TSIG on such a connection can protect the connection from an attack and provide data integrity. The TSIGMUST<bcp14>MUST</bcp14> be included on all DNS messages in the response. For backward compatibility, a clientwhichthat receives DNS messages and verifies TSIGMUST<bcp14>MUST</bcp14> accept up to 99 intermediary messages without a TSIG andMUST<bcp14>MUST</bcp14> verify that both the first and last message contain a TSIG.</t> <t>The first message is processed as a standard answer (see <xreftarget="answers"/>)target="answers" format="default"/>), but subsequent messages have the following digest components:</t><t><list style="empty"> <t>Prior<ul empty="true" spacing="compact"> <li>Prior MAC(running)<vspace/> DNS(running)</li> <li>DNS Messages (any unsigned messages since the lastTSIG)<vspace/> TSIGTSIG)</li> <li>TSIG Timers (currentmessage)</t> </list></t>message)</li> </ul> <t>The "Prior MAC" is the MAC from the TSIG attached to the last message containing a TSIG. "DNS Messages" comprises the concatenation (in message order) of all messages after the last message that included a TSIG and includes the current message. "TSIGtimers"Timers" comprises the"Time Signed"Time Signed and"Fudge"Fudge fields (in that order) pertaining to the message for which the TSIGis being created:was created; this means that the successive TSIG records in the stream will have non-decreasing"Time Signed" fields.Time Signed values. Note that only the timers are included in the second and subsequent messages, not all the TSIG variables.</t> <t>This allows the client to rapidly detect when the session has been altered; at whichpointpoint, it can close the connection and retry. If a client TSIG verification fails, the clientMUST<bcp14>MUST</bcp14> close the connection. If the client does not receive TSIG records frequently enough (as specifiedabove)above), itSHOULD<bcp14>SHOULD</bcp14> assume the connection has beenhijackedhijacked, and itSHOULD<bcp14>SHOULD</bcp14> close the connection. The clientSHOULD<bcp14>SHOULD</bcp14> treat this the same way as they would any other interrupted transfer (although the exact behavior is not specified).</t> </section> <sectiontitle="Generationanchor="on_error" numbered="true" toc="default"> <name>Generation of TSIG on ErrorReturns" anchor="on_error">Returns</name> <t>When a server detects an error relating to the key or MAC in the incoming request, the serverSHOULD<bcp14>SHOULD</bcp14> send back an unsigned error message (MACsizeSize == 0 and empty MAC). ItMUST NOT<bcp14>MUST NOT</bcp14> send back a signed error message.</t> <t>If an error is detected relating to the TSIG validity period or the MAC is too short for the local policy, the serverSHOULD<bcp14>SHOULD</bcp14> send back a signed error message. The digest components are:</t><t><list style="empty"> <t>Request<ul empty="true" spacing="compact"> <li>Request MAC (if the request MACvalidated)<vspace/> DNSvalidated)</li> <li>DNS Message(response)<vspace/> TSIG(response)</li> <li>TSIG Variables(response)</t> </list></t>(response)</li> </ul> <t>The reason that the request MAC is not included in this MAC in some cases is to make it possible for the client to verify the error. If the error is not a TSIGerrorerror, the responseMUST<bcp14>MUST</bcp14> be generated as specified in <xreftarget="answers"/>.</t>target="answers" format="default"/>.</t> </section> </section> <sectiontitle="Clientanchor="client_proc_answer" numbered="true" toc="default"> <name>Client Processing ofAnswer" anchor="client_proc_answer">Answer</name> <t>When a client receives a response from a server and expects to see a TSIG, it first checks if the TSIG RR is present in the response. If not, the response is treated as having a format error and is discarded.</t> <t>If the TSIG RR is present, the client performs the same checks as described in <xreftarget="request_processing"/>.target="request_processing" format="default"/>. If the TSIG RR is unsigned as specified in <xreftarget="on_error"/>target="on_error" format="default"/> or does not validate, the messageMUST<bcp14>MUST</bcp14> be discarded unless the RCODE is 9 (NOAUTH). In this case, the clientSHOULD<bcp14>SHOULD</bcp14> attempt to verify the response as if it were a TSIG error, as described in the following subsections.</t> <t>Regardless of the RCODE, a message containing a TSIG RR that is unsigned as specified in <xreftarget="on_error"/>target="on_error" format="default"/> orwhichthat fails verificationSHOULD NOT<bcp14>SHOULD NOT</bcp14> be considered an acceptableresponseresponse, as it may have been spoofed or manipulated. Instead, the clientSHOULD<bcp14>SHOULD</bcp14> log an error and continue to wait for a signed response until the request times out.</t> <sectiontitle="Keynumbered="true" toc="default"> <name>Key ErrorHandling">Handling</name> <t>If an RCODE on a response is 9 (NOTAUTH), but the response TSIG validates and the TSIG key is recognized by the client but is different from that used on the request, then this is aKey Error.key-related error. The clientMAY<bcp14>MAY</bcp14> retry the request using the key specified by the server. However, this should never occur, as a serverMUST NOT<bcp14>MUST NOT</bcp14> sign a response with a different key to that used to sign the request.</t> </section> <sectiontitle="MACnumbered="true" toc="default"> <name>MAC ErrorHandling">Handling</name> <t>If the response RCODE is 9 (NOTAUTH) and TSIG ERROR is 16 (BADSIG), this is aMACMAC-related error, andclient MAYclients <bcp14>MAY</bcp14> retry the request with a new requestIDID, but it would be better to try a different shared key if one is available. ClientsSHOULD<bcp14>SHOULD</bcp14> keep track of how many MAC errors are associated with each key. ClientsSHOULD<bcp14>SHOULD</bcp14> log this event.</t> </section> <sectiontitle="Timenumbered="true" toc="default"> <name>Time ErrorHandling">Handling</name> <t>If the response RCODE is 9 (NOTAUTH) and the TSIG ERROR is 18(BADTIME),(BADTIME) or the current time does not fall in the range specified in the TSIG record, then this is aTimetime-related error. This is an indication that the client and server clocks are not synchronized. In thiscasecase, the clientSHOULD<bcp14>SHOULD</bcp14> log the event. DNS resolversMUST NOT<bcp14>MUST NOT</bcp14> adjust any clocks in the client based on BADTIME errors, but the server's time in the Other Data fieldSHOULD<bcp14>SHOULD</bcp14> be logged.</t> </section> <sectiontitle="Truncationanchor="trunc_err" numbered="true" toc="default"> <name>Truncation ErrorHandling" anchor="trunc_err">Handling</name> <t>If the response RCODE is 9 (NOTAUTH) and the TSIG ERROR is 22(BADTRUNC)(BADTRUNC), then this is aTruncationtruncation-related error. The clientMAY<bcp14>MAY</bcp14> retry with a lesser truncation up to the full HMAC output (no truncation), using the truncation used in the response as a hint for what the server policy allowed (<xreftarget="trunc_pol"/>).target="trunc_pol" format="default"/>). ClientsSHOULD<bcp14>SHOULD</bcp14> log this event.</t> </section> </section> <sectiontitle="Specialanchor="forwarding" numbered="true" toc="default"> <name>Special Considerations for ForwardingServers" anchor="forwarding">Servers</name> <t>A server acting as a forwarding server of a DNS messageSHOULD<bcp14>SHOULD</bcp14> check for the existence of a TSIG record. If the name on the TSIG is not of a secret that the server shares with theoriginatororiginator, the serverMUST<bcp14>MUST</bcp14> forward the message unchanged including the TSIG. If the name of the TSIG is of a key this server shares with the originator, itMUST<bcp14>MUST</bcp14> process the TSIG. If the TSIG passes all checks, the forwarding serverMUST,<bcp14>MUST</bcp14>, if possible, include a TSIG of itsown,own to the destination or the next forwarder. If no transaction security is available to the destination and the message is aquery then,query, and if the corresponding response has the AD flag (see <xreftarget="RFC4035"/>)target="RFC4035" format="default"/>) set, the forwarderMUST<bcp14>MUST</bcp14> clear the AD flag before adding the TSIG to the response and returning the result to the system from which it received the query.</t> </section> </section> <sectiontitle="Algorithmsanchor="algorithm_id" numbered="true" toc="default"> <name>Algorithms andIdentifiers" anchor="algorithm_id">Identifiers</name> <t>The only message digest algorithm specified in the first version of these specifications <xreftarget="RFC2845"/>target="RFC2845" format="default"/> was "HMAC-MD5" (see <xreftarget="RFC1321"/>,target="RFC1321" format="default"/> and <xreftarget="RFC2104"/>).target="RFC2104" format="default"/>). Although a review of its security some years ago <xreftarget="RFC6151"/>target="RFC6151" format="default"/> concluded that "it may not be urgent to remove HMAC-MD5 from the existing protocols", with the availability of more securealternativesalternatives, the opportunity has been taken to make the implementation of this algorithm optional. </t> <t><xreftarget="RFC4635"/>target="RFC4635" format="default"/> added mandatory support in TSIG for SHA-1 <xreftarget="FIPS180-4"/>,target="FIPS180-4" format="default"/> <xreftarget="RFC3174"/>.target="RFC3174" format="default"/>. SHA-1 collisions have been demonstrated <xreftarget="SHA1SHAMBLES"/>target="SHA1SHAMBLES" format="default"/>, so the MD5 security considerations described insection 2 of<xreftarget="RFC6151"/>target="RFC6151" sectionFormat="of" section="2"/> apply to SHA-1 in a similar manner. Although support for hmac-sha1 in TSIG is still mandatory for compatibility reasons, existing usesSHOULD<bcp14>SHOULD</bcp14> be replaced with hmac-sha256 or other SHA-2 digest algorithms (<xref target="FIPS180-4" format="default"/>, <xreftarget="FIPS180-4"/>, <xref target="RFC3874"/>,target="RFC3874" format="default"/>, <xreftarget="RFC6234"/>.</t>target="RFC6234" format="default"/>).</t> <t>Use of TSIG between two DNS agents is by mutual agreement. That agreement can include the support of additional algorithms and criteria as to which algorithms and truncations are acceptable, subject to the restriction and guidelines in <xreftarget="trunc"/> above.target="trunc" format="default"/>. Key agreement can be by the TKEY mechanism <xreftarget="RFC2930"/>target="RFC2930" format="default"/> or some other mutually agreeable method.</t> <t>Implementations that support TSIGMUST<bcp14>MUST</bcp14> also implement HMAC SHA1 and HMAC SHA256 andMAY<bcp14>MAY</bcp14> implement gss-tsig and the other algorithms listed below. SHA-1 truncated to 96 bits (12 octets)SHOULD<bcp14>SHOULD</bcp14> be implemented.</t><!-- <texttable style="headers" anchor="allowed_algs"> <ttcol>Requirement</ttcol> <ttcol>Name</ttcol> <c>Optional</c> <c>HMAC-MD5.SIG-ALG.REG.INT</c> <c>Optional</c> <c>gss-tsig</c> <c>Mandatory</c> <c>hmac-sha1</c> <c>Optional</c> <c>hmac-sha224</c> <c>Optional</c> <c>hmac-sha256-128</c> <c>Mandatory</c> <c>hmac-sha256</c> <c>Optional</c> <c>hmac-sha384-192</c> <c>Optional</c> <c>hmac-sha384</c> <c>Optional</c> <c>hmac-sha512-256</c> <c>Optional</c> <c>hmac-sha512</c> </texttable> --> <texttable style="headers" anchor="allowed-algorithms"> <ttcol>Name</ttcol> <ttcol>Implementation</ttcol> <ttcol>Use</ttcol> <c>HMAC-MD5.SIG-ALG.REG.INT</c> <c>MAY</c> <c>MUST NOT</c> <c>gss-tsig</c> <c>MAY</c> <c>MAY</c> <c>hmac-sha1</c> <c>MUST</c> <c>NOT RECOMMENDED</c> <c>hmac-sha224</c> <c>MAY</c> <c>MAY</c> <c>hmac-sha256</c> <c>MUST</c> <c>RECOMMENDED</c> <c>hmac-sha256-128</c> <c>MAY</c> <c>MAY</c> <c>hmac-sha384</c> <c>MAY</c> <c>MAY</c> <c>hmac-sha384-192</c> <c>MAY</c> <c>MAY</c> <c>hmac-sha512</c> <c>MAY</c> <c>MAY</c> <c>hmac-sha512-256</c> <c>MAY</c> <c>MAY</c> </texttable><table anchor="allowed-algorithms" align="center"> <name>Algorithms for Implementations Supporting TSIG</name> <thead> <tr> <th align="left">Algorithm Name</th> <th align="left">Implementation</th> <th align="left">Use</th> </tr> </thead> <tbody> <tr> <td align="left">HMAC-MD5.SIG-ALG.REG.INT</td> <td align="left"><bcp14>MAY</bcp14></td> <td align="left"><bcp14>MUST NOT</bcp14></td> </tr> <tr> <td align="left">gss-tsig</td> <td align="left"><bcp14>MAY</bcp14></td> <td align="left"><bcp14>MAY</bcp14></td> </tr> <tr> <td align="left">hmac-sha1</td> <td align="left"><bcp14>MUST</bcp14></td> <td align="left"><bcp14>NOT RECOMMENDED</bcp14></td> </tr> <tr> <td align="left">hmac-sha224</td> <td align="left"><bcp14>MAY</bcp14></td> <td align="left"><bcp14>MAY</bcp14></td> </tr> <tr> <td align="left">hmac-sha256</td> <td align="left"><bcp14>MUST</bcp14></td> <td align="left"><bcp14>RECOMMENDED</bcp14></td> </tr> <tr> <td align="left">hmac-sha256-128</td> <td align="left"><bcp14>MAY</bcp14></td> <td align="left"><bcp14>MAY</bcp14></td> </tr> <tr> <td align="left">hmac-sha384</td> <td align="left"><bcp14>MAY</bcp14></td> <td align="left"><bcp14>MAY</bcp14></td> </tr> <tr> <td align="left">hmac-sha384-192</td> <td align="left"><bcp14>MAY</bcp14></td> <td align="left"><bcp14>MAY</bcp14></td> </tr> <tr> <td align="left">hmac-sha512</td> <td align="left"><bcp14>MAY</bcp14></td> <td align="left"><bcp14>MAY</bcp14></td> </tr> <tr> <td align="left">hmac-sha512-256</td> <td align="left"><bcp14>MAY</bcp14></td> <td align="left"><bcp14>MAY</bcp14></td> </tr> </tbody> </table> </section> <sectiontitle="TSIGanchor="trunc_pol" numbered="true" toc="default"> <name>TSIG TruncationPolicy" anchor="trunc_pol">Policy</name> <t>As noted above, two DNS agents (e.g., resolver and server) must mutually agree to use TSIG. Implicit in such an "agreement" are criteria as to acceptablekeyskeys, algorithms, andalgorithms and, with(with the extensions in thisdocument,document) truncations. Local policiesMAY<bcp14>MAY</bcp14> require the rejection of TSIGs, even though they use an algorithm for which implementation is mandatory.</t> <t>When a local policy permits acceptance of a TSIG with a particular algorithm and a particular non-zero amount of truncation, itSHOULD<bcp14>SHOULD</bcp14> also permit the use of that algorithm with lesser truncation (a longer MAC) up to the full keyed hash output.</t> <t>Regardless of a lower acceptable truncated MAC length specified by local policy, a replySHOULD<bcp14>SHOULD</bcp14> be sent with a MAC at least as long as that in the corresponding request.NoteNote, if the request specified a MAC length longer than the keyed hashoutputoutput, it will be rejected by processing rules<xref target="trunc"/>(<xref target="trunc" format="default"/>, case1.</t>1).</t> <t>Implementations permitting multiple acceptable algorithms and/or truncationsSHOULD<bcp14>SHOULD</bcp14> permit this list to be ordered by presumed strength andSHOULD<bcp14>SHOULD</bcp14> allow different truncations for the same algorithm to be treated as separate entities in this list. When so implemented, policiesSHOULD<bcp14>SHOULD</bcp14> accept a presumed stronger algorithm and truncation than the minimum strength required by the policy.</t> </section> <sectiontitle="Shared Secrets">numbered="true" toc="default"> <name>Shared Secrets</name> <t>Secret keys are very sensitive information and all available steps should be taken to protect them on every host on which they are stored.GenerallyGenerally, such hosts need to be physically protected. If they are multi-user machines, great care should be taken so that unprivileged users have no access to keying material. Resolvers often run unprivileged, which means all users of a host would be able to see whatever configuration dataisare used by the resolver.</t> <t>A name server usually runs privileged, which means its configuration data need not be visible to all users of the host. For this reason, a host that implements transaction-based authentication should probably be configured with a "stub resolver" and a local caching and forwarding name server. This presents a special problem for <xreftarget="RFC2136"/>target="RFC2136" format="default"/>, which otherwise depends on clients to communicate only with a zone's authoritative name servers.</t> <t>Use ofstrongstrong, random shared secrets is essential to the security of TSIG. See <xreftarget="RFC4086"/>target="RFC4086" format="default"/> for a discussion of this issue. The secretSHOULD<bcp14>SHOULD</bcp14> be at least as long as the keyed hash output <xreftarget="RFC2104"/>.</t>target="RFC2104" format="default"/>.</t> </section> <sectiontitle="IANA Considerations">numbered="true" toc="default"> <name>IANA Considerations</name> <t>IANA maintains a registry of algorithm names to be used as "AlgorithmNames"Names", as defined in <xreftarget="format"/>.target="format" format="default"/> <xref target="IANA-TSIG"/>. Algorithm names are text strings encoded using the syntax of a domain name. There is no structure to the names, and algorithm names are compared as if they were DNS names, i.e., comparison is case insensitive. Previous specifications<xref target="RFC2845"/>(<xref target="RFC2845" format="default"/> and <xreftarget="RFC4635"/>target="RFC4635" format="default"/>) defined values for the HMAC-MD5 and some HMAC-SHA algorithms. IANA has also registered "gss-tsig" as an identifier for TSIG authentication where the cryptographic operations are delegated to the Generic Security Service (GSS) <xreftarget="RFC3645"/>.target="RFC3645" format="default"/>. This document adds to the allowed algorithms, and the registryshould behas been updated with the names listed in <xreftarget="allowed-algorithms"/>.</t>target="allowed-algorithms" format="default"/>.</t> <t>New algorithms are assigned using the IETF Review policy defined in <xreftarget="RFC8126"/>.target="RFC8126" format="default"/>. The algorithm name HMAC-MD5.SIG-ALG.REG.INT looks like afully-qualifiedfully qualified domain name for historical reasons; other algorithm names are simple, single-component names.</t> <t>IANA maintains a registry ofRCODESRCODEs (errorcodes),codes) (see <xref target="IANA-RCODEs"/>, including "TSIG Error values" to be used for "Error"valuesvalues, as defined in <xreftarget="format"/>.target="format" format="default"/>. This document defines the RCODEs as described in <xref target="numbers"/>. New error codes are assigned and specified as in <xreftarget="RFC6895"/>.</t>target="RFC6895" format="default"/>.</t> </section> <sectiontitle="Security Considerations">numbered="true" toc="default"> <name>Security Considerations</name> <t>The approach specified here is computationally much less expensive than the signatures specified in DNSSEC. As long as the shared secret key is not compromised, strong authentication is provided between two DNS systems, e.g., for the last hop from a local name server to the userresolver,resolver or between primary and secondarynameservers.</t>name servers.</t> <t>Recommendations for choosing and maintaining secret keys can be found in <xreftarget="RFC2104"/>.target="RFC2104" format="default"/>. If the client host has been compromised, the server should suspend the use of all secrets known to that client. If possible, secrets should be stored in an encrypted form. Secrets should never be transmitted in the clear over any network. This document does not address the issue on how to distribute secrets except that it mentions the possibilities of manual configuration and the use of TKEY <xreftarget="RFC2930"/>.target="RFC2930" format="default"/>. SecretsSHOULD NOT<bcp14>SHOULD NOT</bcp14> be shared by more than two entities; any such additional sharing would allow any party knowing the key to impersonate any other such party to members of the group.</t> <t>This mechanism does not authenticate source data, only its transmission between two parties who share some secret. The original source data can come from a compromised zone master or can be corrupted during transit from an authentic zone master to some "cachingforwarder."forwarder". However, if the server is faithfully performing the full DNSSEC security checks, then onlysecurity checkedsecurity-checked data will be available to the client.</t> <t>AfudgeFudge value that is too large may leave the server open to replay attacks. AfudgeFudge value that is too small may cause failures if machines are not time synchronized or there are unexpected network delays. TheRECOMMENDED<bcp14>RECOMMENDED</bcp14> value in most situations is 300 seconds.</t> <t>To prevent cross-algorithm attacks, thereSHOULD<bcp14>SHOULD</bcp14> only be one algorithm associated with any given key name.</t> <t>In several cases where errors are detected, an unsigned error message must be returned. This can allow for an attacker to spoof or manipulate these responses. <xreftarget="client_proc_answer"/>target="client_proc_answer" format="default"/> recommends logging these as errors and continuing to wait for a signed response until the request times out.</t> <t>Although the strength of an algorithm determines its security, there have been some arguments that mild truncation can strengthen a MAC by reducing the information available to an attacker. However, excessive truncation clearly weakens authentication by reducing the number of bits an attacker has to try to break the authentication by brute force <xreftarget="RFC2104"/>.</t>target="RFC2104" format="default"/>.</t> <t>Significant progress has been made recently in cryptanalysis of hash functions of the types used here. While the results so far should not affect HMAC, the stronger SHA-256 algorithm is being made mandatory as a precaution.</t> <t>See also the Security Considerations section of <xreftarget="RFC2104"/>target="RFC2104" format="default"/> from which the limits on truncation in this RFC were taken.</t> <sectiontitle="Issueanchor="issuesfixed" numbered="true" toc="default"> <name>Issue Fixed inthis Document" anchor="issuesfixed">This Document</name> <t>When signing a DNS reply message using TSIG, the MAC computation uses the request message's MAC as an input to cryptographically relate the reply to the request. The original TSIG specification <xreftarget="RFC2845"/>target="RFC2845" format="default"/> required that theTIMEtime values be checked before the request's MAC. If theTIMEtime was invalid, some implementations failed to carry out further checks and could use an invalid request MAC in the signed reply.</t> <t>This document makes itamandatory that the request MAC is considered to be invalid until it has beenvalidated:validated; until then, any answer must be unsigned. For this reason, the request MAC is now checked before theTIME value.</t>time values.</t> </section> <sectiontitle="Why not DNSSEC?"> <t>These extracts from the original document <xref target="RFC2845"/> (updated to reference current standards) analyze DNSSEC in order to justify the introduction of TSIG.</t> <t><list style="empty" hangIndent="10">numbered="true" toc="default"> <name>Why Not DNSSEC?</name> <t>DNS hasrecentlybeen extended by DNSSEC (<xreftarget="RFC4033"/>,target="RFC4033" format="default"/>, <xreftarget="RFC4034"/>target="RFC4034" format="default"/>, and <xreftarget="RFC4035"/>)target="RFC4035" format="default"/>) to provide for data origin authentication, and public key distribution, all based on public key cryptography and public key based digital signatures. To be practical, this form of security generally requires extensive local caching of keys and tracing of authentication through multiple keys and signatures to a pre-trusted locally configured key.</t> <t>One difficulty with the DNSSEC scheme is that common DNS implementations include simple "stub" resolvers which do not have caches. Such resolvers typically rely on a caching DNS server on another host. It is impractical for these stub resolvers to perform general DNSSEC authentication and they would naturally depend on their caching DNS server to perform such services for them. To do so securely requires secure communication of queries and responses. DNSSEC provides public key transaction signatures to support this, but such signatures are very expensive computationally to generate. In general, these require the same complex public key logic that is impractical for stubs.</t></list></t> <t>and</t> <t><list style="empty" hangIndent="10"><t>A second area where use of straight DNSSEC public key based mechanisms may be impractical is authenticating dynamic update <xreftarget="RFC2136"/>target="RFC2136" format="default"/> requests. DNSSEC provides for request signatures but with DNSSEC they, like transaction signatures, require computationally expensive public key cryptography and complex authentication logic. Secure Domain Name System Dynamic Update (<xreftarget="RFC3007"/>)target="RFC3007" format="default"/>) describes how different keys are used in dynamically updated zones.</t></list></t></section> </section> </middle> <back><references title="Normative References"><references> <name>References</name> <references> <name>Normative References</name> <reference anchor="FIPS180-4" target=""> <front> <title>Secure Hash Standard (SHS)</title> <seriesInfo name="FIPS" value="PUB 180-4"/> <author> <organization>National Institute of Standards and Technology</organization> </author> <date month="August" year="2015"/> </front> <seriesInfoname="FIPS" value="PUB 180-4"/>name="DOI" value="10.6028/NIST.FIPS.180-4"/> </reference><?rfc include="reference.RFC.1034.xml"?> <?rfc include="reference.RFC.1035.xml"?> <?rfc include="reference.RFC.2119.xml"?> <?rfc include="reference.RFC.2845.xml"?> <?rfc include="reference.RFC.3597.xml"?> <?rfc include="reference.RFC.4635.xml"?> <?rfc include="reference.RFC.8174.xml"?><xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.1034.xml"/> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.1035.xml"/> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"/> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.2845.xml"/> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.3597.xml"/> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.4635.xml"/> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"/> </references><references title="Informative References"> <!--<references> <name>Informative References</name> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.7696.xml"/> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.1321.xml"/> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.2104.xml"/> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.2136.xml"/> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.2930.xml"/> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.3007.xml"/> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.3174.xml"/> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.3645.xml"/> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.3874.xml"/> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.4033.xml"/> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.4034.xml"/> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.4035.xml"/> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.4086.xml"/> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.4868.xml"/> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.6151.xml"/> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.6234.xml"/> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.6895.xml"/> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8126.xml"/> <referenceanchor="FIPS202" target=""> <front> <title>SHA-3 Standard</title> <author> <organization>National Institute of Standards and Technology</organization> </author> <date month="August" year="2015"/> </front> <seriesInfo name="FIPS" value="PUB 202"/> </reference> --> <reference anchor="BCP201" target="https://www.rfc-editor.org/info/bcp201"> <front> <title>Guidelines for Cryptographic Algorithm Agility and Selecting Mandatory-to-Implement Algorithms</title> <author initials="R." surname="Housley" fullname="R. Housley"> <organization/> </author> <date year="2015" month="November"/> </front> <seriesInfo name="BCP" value="201"/> <seriesInfo name="RFC" value="7696"/> <seriesInfo name="DOI" value="10.17487/RFC7696"/> </reference> <?rfc include="reference.RFC.1321.xml"?> <?rfc include="reference.RFC.2104.xml"?> <?rfc include="reference.RFC.2136.xml"?> <?rfc include="reference.RFC.2930.xml"?> <?rfc include="reference.RFC.3007.xml"?> <?rfc include="reference.RFC.3174.xml"?> <?rfc include="reference.RFC.3645.xml"?> <?rfc include="reference.RFC.3874.xml"?> <?rfc include="reference.RFC.4033.xml"?> <?rfc include="reference.RFC.4034.xml"?> <?rfc include="reference.RFC.4035.xml"?> <?rfc include="reference.RFC.4086.xml"?> <?rfc include="reference.RFC.4868.xml"?> <?rfc include="reference.RFC.6151.xml"?> <?rfc include="reference.RFC.6234.xml"?> <?rfc include="reference.RFC.6895.xml"?> <?rfc include="reference.RFC.8126.xml"?> <reference anchor="CVE-2017-3142" target="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3142">anchor="CVE-2017-3142" target="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3142"> <front> <title>CVE-2017-3142: An error in TSIG authentication can permit unauthorized zone transfers</title> <author> <organization>Common Vulnerabilities and Exposures</organization> </author> <date month="June" year="2017"/> </front> </reference> <reference anchor="CVE-2017-3143" target="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3143"> <front> <title>CVE-2017-3143: An error in TSIG authentication can permit unauthorized dynamic updates</title> <author> <organization>Common Vulnerabilities and Exposures</organization> </author> <date month="June" year="2017"/> </front> </reference> <reference anchor="CVE-2017-11104" target="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11104"> <front> <title>CVE-2017-11104: Improper TSIG validity period check can allow TSIG forgery</title> <author> <organization>Common Vulnerabilities and Exposures</organization> </author> <date month="June" year="2017"/> </front> </reference> <reference anchor="SHA1SHAMBLES" target="https://eprint.iacr.org/2020/014.pdf"> <front> <title>SHA-1 is a Shambles</title> <author surname="Leurent"initials="G"/>initials="G" fullname="Gaetan Leurent"/> <author surname="Peyrin"initials="T"/>initials="T" fullname="Thomas Peyrin"/> <date month="January" year="2020"/> </front> </reference><!--<referenceanchor="TRANCOLL" target="https://eprint.iacr.org/2020/014.pdf">anchor="IANA-TSIG" target="https://www.iana.org/assignments/tsig-algorithm-names/"> <front><title>SHA-1 is a Shambles</title> <author surname="Leurent" initials="G"/> <author surname="Peyrin" initials="T"/> <date month="January" year="2016"/><title>TSIG Algorithm Names</title> <author><organization>IANA</organization></author> </front> </reference>--><reference anchor="IANA-RCODEs" target="https://www.iana.org/assignments/dns-parameters/"> <front> <title>DNS RCODEs</title> <author><organization>IANA</organization></author> </front> </reference> </references> </references> <sectiontitle="Acknowledgments" anchor="acks"> <t>This document consolidates and updates the earlier documents by the authors of <xref target="RFC2845"/> (Paul Vixie, Olafur Gudmundsson, Donald E. Eastlake 3rd and Brian Wellington) and <xref target="RFC4635"/> (Donald E. Eastlake 3rd).</t>anchor="acks" numbered="false" toc="default"> <name>Acknowledgements</name> <t>The security problem addressed by this document was reported byClement Berthaux<contact fullname="Clément Berthaux"/> from Synacktiv.</t><t>Note for the RFC Editor (to be removed before publication): the first 'e' in Clement is a fact a small 'e' with acute, unicode code U+00E9. I do not know if xml2rfc supports non ASCII characters so I prefer to not experiment with it. BTW I am French too so I can help if you have questions like correct spelling...</t> <t>Peter<t><contact fullname="Peter vanDijk, Benno Overeinder, Willem Toroop, Ondrej Sury, Mukund Sivaraman and Ralph DolmansDijk"/>, <contact fullname="Benno Overeinder"/>, <contact fullname="Willem Toroop"/>, <contact fullname="Ondrej Sury"/>, <contact fullname="Mukund Sivaraman"/>, and <contact fullname="Ralph Dolmans"/> participated in the discussions that prompted this document.Mukund Sivaraman, Martin Hoffman and Tony Finch<contact fullname="Mukund Sivaraman"/>, <contact fullname="Martin Hoffman"/>, and <contact fullname="Tony Finch"/> made extremely helpful suggestions concerning the structure and wording of the updated document.</t><!-- If we get the reporter correctly spelled we can try<t>Stephen Morris would like tofix some others here: I can't believe unicode is not requiredthank Internet Systems Consortium forat least another name! --> </section> <section title="Change History (to be removed before publication)"> <t>RFC EDITOR: Please remove this appendix before publication.</t> <t>draft-dupont-dnsop-rfc2845bis-00</t> <t><list> <t><xref target="RFC4635"/> was merged.</t> <t>Authorsits support oforiginal documents were moved to Acknowledgments (<xref target="acks"/>).</t> <t><xref target="keywords"/> was updated to <xref target="RFC8174"/> style.</t> <t>Spit references into normative and informative references and updated them.</t> <t>Added a text explaining why this document was writtenhis participation in theAbstract and at the beginning of the introduction.</t> <t>Clarified the layout of TSIG RDATA.</t> <t>Moved the text about using DNSSEC from the Introduction to the end of Security Considerations.</t> <t>Added the security clarifications: <list style="numbers"> <t>Emphasized that MAC is invalid until it is successfully validated.</t> <t>Added requirement that a request MAC that has not been successfully validated MUST NOT be included into a response.</t> <t>Added requirement that a request that has not been validated MUST NOT generate a signed response.</t> <t>Added note about MAC too short for the local policy to <xref target="on_error"/>.</t> <t>Changed the order of server checks and swapped corresponding sections.</t> <t>Removed the truncation size limit "also case" as it does not apply and added confusion.</t> <t>Relocated the error provision for TSIG truncation to the new <xref target="trunc_check"/>. Moved from RCODE 22 to RCODE 9 and TSIG ERROR 22, i.e., aligned with other TSIG error cases.</t> <t>Added <xref target="trunc_err"/> about truncation error handling by clients.</t> <t>Removed the limit to HMAC output in replies as a request which specified a MAC length longer than the HMAC output is invalid according to the first processing rule in <xref target="trunc"/>.</t> <t>Promoted the requirement that a secret length should be at least as long as the HMAC output to a SHOULD <xref target="RFC2119"/> key word.</t> <t>Added a short text to explain the security issue.</t> </list></t> </list></t> <t>draft-dupont-dnsop-rfc2845bis-01</t> <t><list> <t>Improved wording (post-publication comments).</t> <t>Specialized and renamed the "TSIG on TCP connection" (<xref target="tcp"/>) to "TSIG on zone transfer over a TCP connection". Added a SHOULD for a TSIG in each message (was envelope) for new implementations.</t> <!-- No other usage than zone transfer --> <!-- Is a current implementation not adding a TSIG to each message --> </list></t> <t>draft-ietf-dnsop-rfc2845bis-00</t> <t><list> <t>Adopted by the IETF DNSOP working group: title updated and version counter reset to 00.</t> </list></t> <t>draft-ietf-dnsop-rfc2845bis-01</t> <t><list> <t>Relationship between protocol change and principle of assuming the request MAC is invalid until validated clarified. (Jinmei Tatuya)</t> <t>Cross reference to considerations for forwarding servers added. (Bob Harold)</t> <t>Added text from <xref target="RFC3645"/> concerning the signing behavior if a secret key is added during a multi-message exchange.</t> <t>Added reference to <xref target="RFC6895"/>.</t> <t>Many improvements in the wording.</t> <t>Added RFC 2845 authors as co-authorscreation of this document.</t></list></t> <t>draft-ietf-dnsop-rfc2845bis-02</t> <t><list> <t>Added a recommendation to copy time fields in BADKEY errors. (Mark Andrews)</t> </list></t> <t>draft-ietf-dnsop-rfc2845bis-03</t> <t><list> <t>Further changes as a result of comments by Mukund Sivaraman.</t> <t>Miscellaneous changes to wording.</t> </list></t> <t>draft-ietf-dnsop-rfc2845bis-04</t> <t><list> <t>Major restructuring as a result of comprehensive review by Martin Hoffman. Amongst the more significant changes: <list style="symbols"> <t>More comprehensive introduction.</t> <t>Merged "Protocol Description" and "Protocol Details" sections.</t> <t>Reordered sections so as to follow message exchange through "client "sending", "server receipt", "server sending", "client receipt".</t> <t>Added miscellaneous clarifications.</t> </list></t> </list></t> <t>draft-ietf-dnsop-rfc2845bis-05</t> <t><list> <t>Make implementation of HMAC-MD5 optional.</t> <t>Require that the Fudge field in BADTIME response be equal to the Fudge field received from the client.</t> <t>Added comment concerning the handling of BADTIME messages due to out of order packet reception.</t> </list></t> <t>draft-ietf-dnsop-rfc2845bis-06</t> <t><list> <t>Wording changes and minor corrections after feedback.</t> </list></t> <t>draft-ietf-dnsop-rfc2845bis-07</t> <t><list> <t>Updated text about use of hmac-sha1 using suggestion from Tony Finch.</t> <t>Corrected name of review policy used for new algorithms.</t> </list></t> <t>draft-ietf-dnsop-rfc2845bis-08</t> <t><list> <t>Addressed comments from IESG review. These can be found at https://datatracker.ietf.org/doc/draft-ietf-dnsop-rfc2845bis/ballot. Significant changes are: <list style="symbols"> <t>Added references to CVEs that initiated this draft.</t> <t>Added reference to paper describing SHA1 collisions.</t> <t>Modified some paragraphs to remove language that has not "aged well".</t> <t>Mentioned that multiple keys allows for periodic key rotation.</t> <t>Noted that TSIG detects interruption of packet sequence but not premature termination.</t> <t>Added new algorithms to the algorithm list.</t> <t>Marked hmac-sha224 as NOT RECOMMENDED.</t> <t>Added recommendation that there should only be one algorithm for each key.</t> <t>Added some paragraphs to the security recommendations section.</t> </list></t> <t>Other changes: <list style="symbols"> <t>Explicitly define contents Error field in requests. State that "Other Data" currently has no meaning in requests.</t> <t>Reworked the section on client processing of response to remove ambiguity.</t> <t>Section on TSIG over TCP now mentions zone transfer as an example, rather than the entire section being about zone transfers.</t> <t>Note that quote from RFC2845 in "What is DNSSEC?" section has been edited to refer to the latest standards.</t> </list></t> </list></t> <t>draft-ietf-dnsop-rfc2845bis-09</t> <t><list> <t>Change use of hmac-224 from NOT RECOMMENDED to MAY.</t> </list></t></section> </back> </rfc>