7
Network Working Group P. Nikander
8
Request for Comments: 5205 Ericsson Research NomadicLab
9
Category: Experimental J. Laganier
14
Host Identity Protocol (HIP) Domain Name System (DNS) Extension
18
This memo defines an Experimental Protocol for the Internet
19
community. It does not specify an Internet standard of any kind.
20
Discussion and suggestions for improvement are requested.
21
Distribution of this memo is unlimited.
25
This document specifies a new resource record (RR) for the Domain
26
Name System (DNS), and how to use it with the Host Identity Protocol
27
(HIP). This RR allows a HIP node to store in the DNS its Host
28
Identity (HI, the public component of the node public-private key
29
pair), Host Identity Tag (HIT, a truncated hash of its public key),
30
and the Domain Names of its rendezvous servers (RVSs).
58
Nikander & Laganier Experimental [Page 1]
60
RFC 5205 HIP DNS Extension April 2008
65
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
66
2. Conventions Used in This Document . . . . . . . . . . . . . . 3
67
3. Usage Scenarios . . . . . . . . . . . . . . . . . . . . . . . 4
68
3.1. Simple Static Singly Homed End-Host . . . . . . . . . . . 5
69
3.2. Mobile end-host . . . . . . . . . . . . . . . . . . . . . 6
70
4. Overview of Using the DNS with HIP . . . . . . . . . . . . . . 8
71
4.1. Storing HI, HIT, and RVS in the DNS . . . . . . . . . . . 8
72
4.2. Initiating Connections Based on DNS Names . . . . . . . . 8
73
5. HIP RR Storage Format . . . . . . . . . . . . . . . . . . . . 9
74
5.1. HIT Length Format . . . . . . . . . . . . . . . . . . . . 9
75
5.2. PK Algorithm Format . . . . . . . . . . . . . . . . . . . 9
76
5.3. PK Length Format . . . . . . . . . . . . . . . . . . . . . 10
77
5.4. HIT Format . . . . . . . . . . . . . . . . . . . . . . . . 10
78
5.5. Public Key Format . . . . . . . . . . . . . . . . . . . . 10
79
5.6. Rendezvous Servers Format . . . . . . . . . . . . . . . . 10
80
6. HIP RR Presentation Format . . . . . . . . . . . . . . . . . . 10
81
7. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
82
8. Security Considerations . . . . . . . . . . . . . . . . . . . 12
83
8.1. Attacker Tampering with an Insecure HIP RR . . . . . . . . 12
84
8.2. Hash and HITs Collisions . . . . . . . . . . . . . . . . . 13
85
8.3. DNSSEC . . . . . . . . . . . . . . . . . . . . . . . . . . 13
86
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13
87
10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 14
88
11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 14
89
11.1. Normative references . . . . . . . . . . . . . . . . . . . 14
90
11.2. Informative references . . . . . . . . . . . . . . . . . . 15
114
Nikander & Laganier Experimental [Page 2]
116
RFC 5205 HIP DNS Extension April 2008
121
This document specifies a new resource record (RR) for the Domain
122
Name System (DNS) [RFC1034], and how to use it with the Host Identity
123
Protocol (HIP) [RFC5201]. This RR allows a HIP node to store in the
124
DNS its Host Identity (HI, the public component of the node public-
125
private key pair), Host Identity Tag (HIT, a truncated hash of its
126
HI), and the Domain Names of its rendezvous servers (RVSs) [RFC5204].
128
Currently, most of the Internet applications that need to communicate
129
with a remote host first translate a domain name (often obtained via
130
user input) into one or more IP address(es). This step occurs prior
131
to communication with the remote host, and relies on a DNS lookup.
133
With HIP, IP addresses are intended to be used mostly for on-the-wire
134
communication between end hosts, while most Upper Layer Protocols
135
(ULP) and applications use HIs or HITs instead (ICMP might be an
136
example of an ULP not using them). Consequently, we need a means to
137
translate a domain name into an HI. Using the DNS for this
138
translation is pretty straightforward: We define a new HIP resource
139
record. Upon query by an application or ULP for a name to IP address
140
lookup, the resolver would then additionally perform a name to HI
141
lookup, and use it to construct the resulting HI to IP address
142
mapping (which is internal to the HIP layer). The HIP layer uses the
143
HI to IP address mapping to translate HIs and HITs into IP addresses
146
The HIP Rendezvous Extension [RFC5204] allows a HIP node to be
147
reached via the IP address(es) of a third party, the node's
148
rendezvous server (RVS). An Initiator willing to establish a HIP
149
association with a Responder served by an RVS would typically
150
initiate a HIP exchange by sending an I1 towards the RVS IP address
151
rather than towards the Responder IP address. Consequently, we need
152
a means to find the name of a rendezvous server for a given host
155
This document introduces the new HIP DNS resource record to store the
156
Rendezvous Server (RVS), Host Identity (HI), and Host Identity Tag
159
2. Conventions Used in This Document
161
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
162
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
163
document are to be interpreted as described in RFC 2119 [RFC2119].
170
Nikander & Laganier Experimental [Page 3]
172
RFC 5205 HIP DNS Extension April 2008
177
In this section, we briefly introduce a number of usage scenarios
178
where the DNS is useful with the Host Identity Protocol.
180
With HIP, most applications and ULPs are unaware of the IP addresses
181
used to carry packets on the wire. Consequently, a HIP node could
182
take advantage of having multiple IP addresses for fail-over,
183
redundancy, mobility, or renumbering, in a manner that is transparent
184
to most ULPs and applications (because they are bound to HIs; hence,
185
they are agnostic to these IP address changes).
187
In these situations, for a node to be reachable by reference to its
188
Fully Qualified Domain Name (FQDN), the following information should
189
be stored in the DNS:
191
o A set of IP address(es) via A [RFC1035] and AAAA [RFC3596] RR sets
194
o A Host Identity (HI), Host Identity Tag (HIT), and possibly a set
195
of rendezvous servers (RVS) through HIP RRs.
197
When a HIP node wants to initiate communication with another HIP
198
node, it first needs to perform a HIP base exchange to set up a HIP
199
association towards its peer. Although such an exchange can be
200
initiated opportunistically, i.e., without prior knowledge of the
201
Responder's HI, by doing so both nodes knowingly risk man-in-the-
202
middle attacks on the HIP exchange. To prevent these attacks, it is
203
recommended that the Initiator first obtain the HI of the Responder,
204
and then initiate the exchange. This can be done, for example,
205
through manual configuration or DNS lookups. Hence, a new HIP RR is
208
When a HIP node is frequently changing its IP address(es), the
209
natural DNS latency for propagating changes may prevent it from
210
publishing its new IP address(es) in the DNS. For solving this
211
problem, the HIP Architecture [RFC4423] introduces rendezvous servers
212
(RVSs) [RFC5204]. A HIP host uses a rendezvous server as a
213
rendezvous point to maintain reachability with possible HIP
214
initiators while moving [RFC5206]. Such a HIP node would publish in
215
the DNS its RVS domain name(s) in a HIP RR, while keeping its RVS up-
216
to-date with its current set of IP addresses.
218
When a HIP node wants to initiate a HIP exchange with a Responder, it
219
will perform a number of DNS lookups. Depending on the type of
220
implementation, the order in which those lookups will be issued may
221
vary. For instance, implementations using HIT in APIs may typically
222
first query for HIP resource records at the Responder FQDN, while
226
Nikander & Laganier Experimental [Page 4]
228
RFC 5205 HIP DNS Extension April 2008
231
those using an IP address in APIs may typically first query for A
232
and/or AAAA resource records.
234
In the following, we assume that the Initiator first queries for HIP
235
resource records at the Responder FQDN.
237
If the query for the HIP type was responded to with a DNS answer with
238
RCODE=3 (Name Error), then the Responder's information is not present
239
in the DNS and further queries for the same owner name SHOULD NOT be
242
In case the query for the HIP records returned a DNS answer with
243
RCODE=0 (No Error) and an empty answer section, it means that no HIP
244
information is available at the responder name. In such a case, if
245
the Initiator has been configured with a policy to fallback to
246
opportunistic HIP (initiating without knowing the Responder's HI) or
247
plain IP, it would send out more queries for A and AAAA types at the
250
Depending on the combinations of answers, the situations described in
251
Section 3.1 and Section 3.2 can occur.
253
Note that storing HIP RR information in the DNS at an FQDN that is
254
assigned to a non-HIP node might have ill effects on its reachability
257
3.1. Simple Static Singly Homed End-Host
259
A HIP node (R) with a single static network attachment, wishing to be
260
reachable by reference to its FQDN (www.example.com), would store in
261
the DNS, in addition to its IP address(es) (IP-R), its Host Identity
262
(HI-R) and Host Identity Tag (HIT-R) in a HIP resource record.
264
An Initiator willing to associate with a node would typically issue
265
the following queries:
267
o QNAME=www.example.com, QTYPE=HIP
269
o (QCLASS=IN is assumed and omitted from the examples)
271
Which returns a DNS packet with RCODE=0 and one or more HIP RRs with
272
the HIT and HI (e.g., HIT-R and HI-R) of the Responder in the answer
282
Nikander & Laganier Experimental [Page 5]
284
RFC 5205 HIP DNS Extension April 2008
287
o QNAME=www.example.com, QTYPE=A QNAME=www.example.com, QTYPE=AAAA
289
Which returns DNS packets with RCODE=0 and one or more A or AAAA RRs
290
containing IP address(es) of the Responder (e.g., IP-R) in the answer
293
Caption: In the remainder of this document, for the sake of keeping
294
diagrams simple and concise, several DNS queries and answers
295
are represented as one single transaction, while in fact
296
there are several queries and answers flowing back and
297
forth, as described in the textual examples.
300
[www.example.com] +-----+
301
+-------------------------------->| |
303
| +-------------------------------| |
304
| | [HIP? A? ] +-----+
305
| | [www.example.com]
306
| | [HIP HIT-R HI-R ]
310
| |--------------I1------------->| |
311
| I |<-------------R1--------------| R |
312
| |--------------I2------------->| |
313
| |<-------------R2--------------| |
316
Static Singly Homed Host
318
The Initiator would then send an I1 to the Responder's IP addresses
323
A mobile HIP node (R) wishing to be reachable by reference to its
324
FQDN (www.example.com) would store in the DNS, possibly in addition
325
to its IP address(es) (IP-R), its HI (HI-R), HIT (HIT-R), and the
326
domain name(s) of its rendezvous server(s) (e.g., rvs.example.com) in
327
HIP resource record(s). The mobile HIP node also needs to notify its
328
rendezvous servers of any change in its set of IP address(es).
330
An Initiator willing to associate with such a mobile node would
331
typically issue the following queries:
333
o QNAME=www.example.com, QTYPE=HIP
338
Nikander & Laganier Experimental [Page 6]
340
RFC 5205 HIP DNS Extension April 2008
343
Which returns a DNS packet with RCODE=0 and one or more HIP RRs with
344
the HIT, HI, and RVS domain name(s) (e.g., HIT-R, HI-R, and
345
rvs.example.com) of the Responder in the answer section.
347
o QNAME=rvs.example.com, QTYPE=A QNAME=www.example.com, QTYPE=AAAA
349
Which returns DNS packets with RCODE=0 and one or more A or AAAA RRs
350
containing IP address(es) of the Responder's RVS (e.g., IP-RVS) in
357
[rvs.example.com] +-----+
358
+----------------------------------------->| |
360
| +----------------------------------------| |
362
| | [www.example.com ]
363
| | [HIP HIT-R HI-R rvs.example.com]
366
| | [rvs.example.com]
370
| | +------I1----->| RVS |-----I1------+
376
| |<---------------R1------------| |
377
| I |----------------I2----------->| R |
378
| |<---------------R2------------| |
383
The Initiator would then send an I1 to the RVS IP address (IP-RVS).
384
Following, the RVS will relay the I1 up to the mobile node's IP
385
address (IP-R), which will complete the HIP exchange.
394
Nikander & Laganier Experimental [Page 7]
396
RFC 5205 HIP DNS Extension April 2008
399
4. Overview of Using the DNS with HIP
401
4.1. Storing HI, HIT, and RVS in the DNS
403
For any HIP node, its Host Identity (HI), the associated Host
404
Identity Tag (HIT), and the FQDN of its possible RVSs can be stored
405
in a DNS HIP RR. Any conforming implementation may store a Host
406
Identity (HI) and its associated Host Identity Tag (HIT) in a DNS HIP
407
RDATA format. HI and HIT are defined in Section 3 of the HIP
408
specification [RFC5201].
410
Upon return of a HIP RR, a host MUST always calculate the HI-
411
derivative HIT to be used in the HIP exchange, as specified in
412
Section 3 of the HIP specification [RFC5201], while the HIT possibly
413
embedded along SHOULD only be used as an optimization (e.g., table
416
The HIP resource record may also contain one or more domain name(s)
417
of rendezvous server(s) towards which HIP I1 packets might be sent to
418
trigger the establishment of an association with the entity named by
419
this resource record [RFC5204].
421
The rendezvous server field of the HIP resource record stored at a
422
given owner name MAY include the owner name itself. A semantically
423
equivalent situation occurs if no rendezvous server is present in the
424
HIP resource record stored at that owner name. Such situations occur
427
o The host is mobile, and the A and/or AAAA resource record(s)
428
stored at its host name contain the IP address(es) of its
429
rendezvous server rather than its own one.
431
o The host is stationary, and can be reached directly at the IP
432
address(es) contained in the A and/or AAAA resource record(s)
433
stored at its host name. This is a degenerated case of rendezvous
434
service where the host somewhat acts as a rendezvous server for
437
An RVS receiving such an I1 would then relay it to the appropriate
438
Responder (the owner of the I1 receiver HIT). The Responder will
439
then complete the exchange with the Initiator, typically without
440
ongoing help from the RVS.
442
4.2. Initiating Connections Based on DNS Names
444
On a HIP node, a Host Identity Protocol exchange SHOULD be initiated
445
whenever a ULP attempts to communicate with an entity and the DNS
446
lookup returns HIP resource records.
450
Nikander & Laganier Experimental [Page 8]
452
RFC 5205 HIP DNS Extension April 2008
455
5. HIP RR Storage Format
457
The RDATA for a HIP RR consists of a public key algorithm type, the
458
HIT length, a HIT, a public key, and optionally one or more
459
rendezvous server(s).
462
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
463
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
464
| HIT length | PK algorithm | PK length |
465
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
469
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
471
+-+-+-+-+-+-+-+-+-+-+-+ +
475
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
477
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +
479
~ Rendezvous Servers ~
481
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
485
The HIT length, PK algorithm, PK length, HIT, and Public Key fields
486
are REQUIRED. The Rendezvous Servers field is OPTIONAL.
488
5.1. HIT Length Format
490
The HIT length indicates the length in bytes of the HIT field. This
491
is an 8-bit unsigned integer.
493
5.2. PK Algorithm Format
495
The PK algorithm field indicates the public key cryptographic
496
algorithm and the implied public key field format. This is an 8-bit
497
unsigned integer. This document reuses the values defined for the
498
'algorithm type' of the IPSECKEY RR [RFC4025].
500
Presently defined values are listed in Section 9 for reference.
506
Nikander & Laganier Experimental [Page 9]
508
RFC 5205 HIP DNS Extension April 2008
511
5.3. PK Length Format
513
The PK length indicates the length in bytes of the Public key field.
514
This is a 16-bit unsigned integer in network byte order.
518
The HIT is stored as a binary value in network byte order.
520
5.5. Public Key Format
522
Both of the public key types defined in this document (RSA and DSA)
523
reuse the public key formats defined for the IPSECKEY RR [RFC4025].
525
The DSA key format is defined in RFC 2536 [RFC2536].
527
The RSA key format is defined in RFC 3110 [RFC3110] and the RSA key
528
size limit (4096 bits) is relaxed in the IPSECKEY RR [RFC4025]
531
5.6. Rendezvous Servers Format
533
The Rendezvous Servers field indicates one or more variable length
534
wire-encoded domain names of rendezvous server(s), as described in
535
Section 3.3 of RFC 1035 [RFC1035]. The wire-encoded format is self-
536
describing, so the length is implicit. The domain names MUST NOT be
537
compressed. The rendezvous server(s) are listed in order of
538
preference (i.e., first rendezvous server(s) are preferred), defining
539
an implicit order amongst rendezvous servers of a single RR. When
540
multiple HIP RRs are present at the same owner name, this implicit
541
order of rendezvous servers within an RR MUST NOT be used to infer a
542
preference order between rendezvous servers stored in different RRs.
544
6. HIP RR Presentation Format
546
This section specifies the representation of the HIP RR in a zone
549
The HIT length field is not represented, as it is implicitly known
550
thanks to the HIT field representation.
552
The PK algorithm field is represented as unsigned integers.
554
The HIT field is represented as the Base16 encoding [RFC4648] (a.k.a.
555
hex or hexadecimal) of the HIT. The encoding MUST NOT contain
556
whitespaces to distinguish it from the public key field.
562
Nikander & Laganier Experimental [Page 10]
564
RFC 5205 HIP DNS Extension April 2008
567
The Public Key field is represented as the Base64 encoding [RFC4648]
568
of the public key. The encoding MUST NOT contain whitespace(s) to
569
distinguish it from the Rendezvous Servers field.
571
The PK length field is not represented, as it is implicitly known
572
thanks to the Public key field representation containing no
575
The Rendezvous Servers field is represented by one or more domain
576
name(s) separated by whitespace(s).
578
The complete representation of the HPIHI record is:
580
IN HIP ( pk-algorithm
582
base64-encoded-public-key
585
rendezvous-server[n] )
587
When no RVSs are present, the representation of the HPIHI record is:
589
IN HIP ( pk-algorithm
591
base64-encoded-public-key )
595
In the examples below, the public key field containing no whitespace
596
is wrapped since it does not fit in a single line of this document.
598
Example of a node with HI and HIT but no RVS:
600
www.example.com. IN HIP ( 2 200100107B1A74DF365639CC39F1D578
601
AwEAAbdxyhNuSutc5EMzxTs9LBPCIkOFH8cIvM4p
602
9+LrV4e19WzK00+CI6zBCQTdtWsuxKbWIy87UOoJTwkUs7lBu+Upr1gsNrut79ryra+bSRGQ
603
b1slImA8YVJyuIDsj7kwzG7jnERNqnWxZ48AWkskmdHaVDP4BcelrTI3rMXdXF5D )
605
Example of a node with a HI, HIT, and one RVS:
607
www.example.com. IN HIP ( 2 200100107B1A74DF365639CC39F1D578
608
AwEAAbdxyhNuSutc5EMzxTs9LBPCIkOFH8cIvM4p
609
9+LrV4e19WzK00+CI6zBCQTdtWsuxKbWIy87UOoJTwkUs7lBu+Upr1gsNrut79ryra+bSRGQ
610
b1slImA8YVJyuIDsj7kwzG7jnERNqnWxZ48AWkskmdHaVDP4BcelrTI3rMXdXF5D
618
Nikander & Laganier Experimental [Page 11]
620
RFC 5205 HIP DNS Extension April 2008
623
Example of a node with a HI, HIT, and two RVSs:
625
www.example.com. IN HIP ( 2 200100107B1A74DF365639CC39F1D578
626
AwEAAbdxyhNuSutc5EMzxTs9LBPCIkOFH8cIvM4p
627
9+LrV4e19WzK00+CI6zBCQTdtWsuxKbWIy87UOoJTwkUs7lBu+Upr1gsNrut79ryra+bSRGQ
628
b1slImA8YVJyuIDsj7kwzG7jnERNqnWxZ48AWkskmdHaVDP4BcelrTI3rMXdXF5D
632
8. Security Considerations
634
This section contains a description of the known threats involved
635
with the usage of the HIP DNS Extension.
637
In a manner similar to the IPSECKEY RR [RFC4025], the HIP DNS
638
Extension allows for the provision of two HIP nodes with the public
639
keying material (HI) of their peer. These HIs will be subsequently
640
used in a key exchange between the peers. Hence, the HIP DNS
641
Extension introduces the same kind of threats that IPSECKEY does,
642
plus threats caused by the possibility given to a HIP node to
643
initiate or accept a HIP exchange using "opportunistic" or
644
"unpublished Initiator HI" modes.
646
A HIP node SHOULD obtain HIP RRs from a trusted party trough a secure
647
channel ensuring data integrity and authenticity of the RRs. DNSSEC
648
[RFC4033] [RFC4034] [RFC4035] provides such a secure channel.
649
However, it should be emphasized that DNSSEC only offers data
650
integrity and authenticity guarantees to the channel between the DNS
651
server publishing a zone and the HIP node. DNSSEC does not ensure
652
that the entity publishing the zone is trusted. Therefore, the RRSIG
653
signature of the HIP RRSet MUST NOT be misinterpreted as a
654
certificate binding the HI and/or the HIT to the owner name.
656
In the absence of a proper secure channel, both parties are
657
vulnerable to MitM and DoS attacks, and unrelated parties might be
658
subject to DoS attacks as well. These threats are described in the
661
8.1. Attacker Tampering with an Insecure HIP RR
663
The HIP RR contains public keying material in the form of the named
664
peer's public key (the HI) and its secure hash (the HIT). Both of
665
these are not sensitive to attacks where an adversary gains knowledge
666
of them. However, an attacker that is able to mount an active attack
667
on the DNS, i.e., tampers with this HIP RR (e.g., using DNS
668
spoofing), is able to mount Man-in-the-Middle attacks on the
669
cryptographic core of the eventual HIP exchange (Responder's HIP RR
670
rewritten by the attacker).
674
Nikander & Laganier Experimental [Page 12]
676
RFC 5205 HIP DNS Extension April 2008
679
The HIP RR may contain a rendezvous server domain name resolved into
680
a destination IP address where the named peer is reachable by an I1,
681
as per the HIP Rendezvous Extension [RFC5204]. Thus, an attacker
682
able to tamper with this RR is able to redirect I1 packets sent to
683
the named peer to a chosen IP address for DoS or MitM attacks. Note
684
that this kind of attack is not specific to HIP and exists
685
independently of whether or not HIP and the HIP RR are used. Such an
686
attacker might tamper with A and AAAA RRs as well.
688
An attacker might obviously use these two attacks in conjunction: It
689
will replace the Responder's HI and RVS IP address by its own in a
690
spoofed DNS packet sent to the Initiator HI, then redirect all
691
exchanged packets to him and mount a MitM on HIP. In this case, HIP
692
won't provide confidentiality nor Initiator HI protection from
695
8.2. Hash and HITs Collisions
697
As with many cryptographic algorithms, some secure hashes (e.g.,
698
SHA1, used by HIP to generate a HIT from an HI) eventually become
699
insecure, because an exploit has been found in which an attacker with
700
reasonable computation power breaks one of the security features of
701
the hash (e.g., its supposed collision resistance). This is why a
702
HIP end-node implementation SHOULD NOT authenticate its HIP peers
703
based solely on a HIT retrieved from the DNS, but SHOULD rather use
704
HI-based authentication.
708
In the absence of DNSSEC, the HIP RR is subject to the threats
709
described in RFC 3833 [RFC3833].
711
9. IANA Considerations
713
IANA has allocated one new RR type code (55) for the HIP RR from the
714
standard RR type space.
716
IANA does not need to open a new registry for public key algorithms
717
of the HIP RR because the HIP RR reuses "algorithms types" defined
718
for the IPSECKEY RR [RFC4025]. Presently defined values are shown
719
here for reference only:
730
Nikander & Laganier Experimental [Page 13]
732
RFC 5205 HIP DNS Extension April 2008
735
In the future, if a new algorithm is to be used for the HIP RR, a new
736
algorithm type and corresponding public key encoding should be
737
defined for the IPSECKEY RR. The HIP RR should reuse both the same
738
algorithm type and the same corresponding public key format as the
743
As usual in the IETF, this document is the result of a collaboration
744
between many people. The authors would like to thank the author
745
(Michael Richardson), contributors, and reviewers of the IPSECKEY RR
746
[RFC4025] specification, after which this document was framed. The
747
authors would also like to thank the following people, who have
748
provided thoughtful and helpful discussions and/or suggestions, that
749
have helped improve this document: Jeff Ahrenholz, Rob Austein, Hannu
750
Flinck, Olafur Gudmundsson, Tom Henderson, Peter Koch, Olaf Kolkman,
751
Miika Komu, Andrew McGregor, Erik Nordmark, and Gabriel Montenegro.
752
Some parts of this document stem from the HIP specification
757
11.1. Normative references
759
[RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
760
STD 13, RFC 1034, November 1987.
762
[RFC1035] Mockapetris, P., "Domain names - implementation and
763
specification", STD 13, RFC 1035, November 1987.
765
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
766
Requirement Levels", BCP 14, RFC 2119, March 1997.
768
[RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS
769
Specification", RFC 2181, July 1997.
771
[RFC3596] Thomson, S., Huitema, C., Ksinant, V., and M. Souissi,
772
"DNS Extensions to Support IP Version 6", RFC 3596,
775
[RFC4025] Richardson, M., "A Method for Storing IPsec Keying
776
Material in DNS", RFC 4025, March 2005.
778
[RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S.
779
Rose, "DNS Security Introduction and Requirements",
780
RFC 4033, March 2005.
786
Nikander & Laganier Experimental [Page 14]
788
RFC 5205 HIP DNS Extension April 2008
791
[RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S.
792
Rose, "Resource Records for the DNS Security Extensions",
793
RFC 4034, March 2005.
795
[RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S.
796
Rose, "Protocol Modifications for the DNS Security
797
Extensions", RFC 4035, March 2005.
799
[RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data
800
Encodings", RFC 4648, October 2006.
802
[RFC5201] Moskowitz, R., Nikander, P., Jokela, P., Ed., and T.
803
Henderson, "Host Identity Protocol", RFC 5201, April 2008.
805
[RFC5204] Laganier, J. and L. Eggert, "Host Identity Protocol (HIP)
806
Rendezvous Extension", RFC 5204, April 2008.
808
11.2. Informative references
810
[RFC2536] Eastlake, D., "DSA KEYs and SIGs in the Domain Name System
811
(DNS)", RFC 2536, March 1999.
813
[RFC3110] Eastlake, D., "RSA/SHA-1 SIGs and RSA KEYs in the Domain
814
Name System (DNS)", RFC 3110, May 2001.
816
[RFC3833] Atkins, D. and R. Austein, "Threat Analysis of the Domain
817
Name System (DNS)", RFC 3833, August 2004.
819
[RFC4423] Moskowitz, R. and P. Nikander, "Host Identity Protocol
820
(HIP) Architecture", RFC 4423, May 2006.
822
[RFC5206] Henderson, T., Ed., "End-Host Mobility and Multihoming
823
with the Host Identity Protocol", RFC 5206, April 2008.
842
Nikander & Laganier Experimental [Page 15]
844
RFC 5205 HIP DNS Extension April 2008
850
Ericsson Research NomadicLab
855
EMail: pekka.nikander@nomadiclab.com
859
DoCoMo Communications Laboratories Europe GmbH
860
Landsberger Strasse 312
864
Phone: +49 89 56824 231
865
EMail: julien.ietf@laposte.net
866
URI: http://www.docomolab-euro.com/
898
Nikander & Laganier Experimental [Page 16]
900
RFC 5205 HIP DNS Extension April 2008
903
Full Copyright Statement
905
Copyright (C) The IETF Trust (2008).
907
This document is subject to the rights, licenses and restrictions
908
contained in BCP 78, and except as set forth therein, the authors
909
retain all their rights.
911
This document and the information contained herein are provided on an
912
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
913
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
914
THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
915
OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
916
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
917
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
919
Intellectual Property
921
The IETF takes no position regarding the validity or scope of any
922
Intellectual Property Rights or other rights that might be claimed to
923
pertain to the implementation or use of the technology described in
924
this document or the extent to which any license under such rights
925
might or might not be available; nor does it represent that it has
926
made any independent effort to identify any such rights. Information
927
on the procedures with respect to rights in RFC documents can be
928
found in BCP 78 and BCP 79.
930
Copies of IPR disclosures made to the IETF Secretariat and any
931
assurances of licenses to be made available, or the result of an
932
attempt made to obtain a general license or permission for the use of
933
such proprietary rights by implementers or users of this
934
specification can be obtained from the IETF on-line IPR repository at
935
http://www.ietf.org/ipr.
937
The IETF invites any interested party to bring to its attention any
938
copyrights, patents or patent applications, or other proprietary
939
rights that may cover technology that may be required to implement
940
this standard. Please address the information to the IETF at
954
Nikander & Laganier Experimental [Page 17]