1 Internet Engineering Task Force (IETF)                         F. Dupont   
    2 Request for Comments: 8945                                           ISC   
    3 STD: 93                                                        S. Morris   
    4 Obsoletes: 2845, 4635                                       Unaffiliated   
    5 Category: Standards Track                                       P. Vixie   
    6 ISSN: 2070-1721                                                 Farsight   
    7                                                          D. Eastlake 3rd   
    8                                                                Futurewei   
    9                                                           O. Gudmundsson   
   10                                                               Cloudflare   
   11                                                            B. Wellington   
   12                                                                   Akamai   
   13                                                            November 2020   
   16           Secret Key Transaction Authentication for DNS (TSIG)             
   18 Abstract                                                                   
   20    This document describes a protocol for transaction-level                
   21    authentication using shared secrets and one-way hashing.  It can be     
   22    used to authenticate dynamic updates to a DNS zone as coming from an    
   23    approved client or to authenticate responses as coming from an          
   24    approved name server.                                                   
   26    No recommendation is made here for distributing the shared secrets;     
   27    it is expected that a network administrator will statically configure   
   28    name servers and clients using some out-of-band mechanism.              
   30    This document obsoletes RFCs 2845 and 4635.                             
   32 Status of This Memo                                                        
   34    This is an Internet Standards Track document.                           
   36    This document is a product of the Internet Engineering Task Force       
   37    (IETF).  It represents the consensus of the IETF community.  It has     
   38    received public review and has been approved for publication by the     
   39    Internet Engineering Steering Group (IESG).  Further information on     
   40    Internet Standards is available in Section 2 of RFC 7841.               
   42    Information about the current status of this document, any errata,      
   43    and how to provide feedback on it may be obtained at                    
   44    https://www.rfc-editor.org/info/rfc8945.                                
   46 Copyright Notice                                                           
   48    Copyright (c) 2020 IETF Trust and the persons identified as the         
   49    document authors.  All rights reserved.                                 
   51    This document is subject to BCP 78 and the IETF Trust's Legal           
   52    Provisions Relating to IETF Documents                                   
   53    (https://trustee.ietf.org/license-info) in effect on the date of        
   54    publication of this document.  Please review these documents            
   55    carefully, as they describe your rights and restrictions with respect   
   56    to this document.  Code Components extracted from this document must    
   57    include Simplified BSD License text as described in Section 4.e of      
   58    the Trust Legal Provisions and are provided without warranty as         
   59    described in the Simplified BSD License.                                
   61    This document may contain material from IETF Documents or IETF          
   62    Contributions published or made publicly available before November      
   63    10, 2008.  The person(s) controlling the copyright in some of this      
   64    material may not have granted the IETF Trust the right to allow         
   65    modifications of such material outside the IETF Standards Process.      
   66    Without obtaining an adequate license from the person(s) controlling    
   67    the copyright in such materials, this document may not be modified      
   68    outside the IETF Standards Process, and derivative works of it may      
   69    not be created outside the IETF Standards Process, except to format     
   70    it for publication as an RFC or to translate it into languages other    
   71    than English.                                                           
   73 Table of Contents                                                          
   75    1.  Introduction                                                        
   76      1.1.  Background                                                      
   77      1.2.  Protocol Overview                                               
   78      1.3.  Document History                                                
   79    2.  Key Words                                                           
   80    3.  Assigned Numbers                                                    
   81    4.  TSIG RR Format                                                      
   82      4.1.  TSIG RR Type                                                    
   83      4.2.  TSIG Record Format                                              
   84      4.3.  MAC Computation                                                 
   85        4.3.1.  Request MAC                                                 
   86        4.3.2.  DNS Message                                                 
   87        4.3.3.  TSIG Variables                                              
   88    5.  Protocol Details                                                    
   89      5.1.  Generation of TSIG on Requests                                  
   90      5.2.  Server Processing of Request                                    
   91        5.2.1.  Key Check and Error Handling                                
   92        5.2.2.  MAC Check and Error Handling                                
   93        5.2.3.  Time Check and Error Handling                               
   94        5.2.4.  Truncation Check and Error Handling                         
   95      5.3.  Generation of TSIG on Answers                                   
   96        5.3.1.  TSIG on TCP Connections                                     
   97        5.3.2.  Generation of TSIG on Error Returns                         
   98      5.4.  Client Processing of Answer                                     
   99        5.4.1.  Key Error Handling                                          
  100        5.4.2.  MAC Error Handling                                          
  101        5.4.3.  Time Error Handling                                         
  102        5.4.4.  Truncation Error Handling                                   
  103      5.5.  Special Considerations for Forwarding Servers                   
  104    6.  Algorithms and Identifiers                                          
  105    7.  TSIG Truncation Policy                                              
  106    8.  Shared Secrets                                                      
  107    9.  IANA Considerations                                                 
  108    10. Security Considerations                                             
  109      10.1.  Issue Fixed in This Document                                   
  110      10.2.  Why Not DNSSEC?                                                
  111    11. References                                                          
  112      11.1.  Normative References                                           
  113      11.2.  Informative References                                         
  114    Acknowledgements                                                        
  115    Authors' Addresses                                                      
  117 1.  Introduction                                                           
  119 1.1.  Background                                                           
  121    The Domain Name System (DNS) ([RFC1034] [RFC1035]) is a replicated      
  122    hierarchical distributed database system that provides information      
  123    fundamental to Internet operations, such as name-to-address             
  124    translation and mail-handling information.                              
  126    This document specifies use of a message authentication code (MAC),     
  127    generated using certain keyed hash functions, to provide an efficient   
  128    means of point-to-point authentication and integrity checking for DNS   
  129    transactions.  Such transactions include DNS update requests and        
  130    responses for which this can provide a lightweight alternative to the   
  131    secure DNS dynamic update protocol described by [RFC3007].              
  133    A further use of this mechanism is to protect zone transfers.  In       
  134    this case, the data covered would be the whole zone transfer            
  135    including any glue records sent.  The protocol described by DNSSEC      
  136    ([RFC4033], [RFC4034], [RFC4035]) does not protect glue records and     
  137    unsigned records.                                                       
  139    The authentication mechanism proposed here provides a simple and        
  140    efficient authentication between clients and servers, by using shared   
  141    secret keys to establish a trust relationship between two entities.     
  142    Such keys must be protected in a manner similar to private keys, lest   
  143    a third party masquerade as one of the intended parties (by forging     
  144    the MAC).  The proposal is unsuitable for general server-to-server      
  145    authentication and for servers that speak with many other servers,      
  146    since key management would become unwieldy with the number of shared    
  147    keys going up quadratically.  But it is suitable for many resolvers     
  148    on hosts that only talk to a few recursive servers.                     
  150 1.2.  Protocol Overview                                                    
  152    Secret Key Transaction Authentication makes use of signatures on        
  153    messages sent between the parties involved (e.g., resolver and          
  154    server).  These are known as "transaction signatures", or TSIG.  For    
  155    historical reasons, in this document, they are referred to as message   
  156    authentication codes (MACs).                                            
  158    Use of TSIG presumes prior agreement between the two parties involved   
  159    (e.g., resolver and server) as to any algorithm and key to be used.     
  160    The way that this agreement is reached is outside the scope of the      
  161    document.                                                               
  163    A DNS message exchange involves the sending of a query and the          
  164    receipt of one of more DNS messages in response.  For the query, the    
  165    MAC is calculated based on the hash of the contents and the agreed      
  166    TSIG key.  The MAC for the response is similar but also includes the    
  167    MAC of the query as part of the calculation.  Where a response          
  168    comprises multiple packets, the calculation of the MAC associated       
  169    with the second and subsequent packets includes in its inputs the MAC   
  170    for the preceding packet.  In this way, it is possible to detect any    
  171    interruption in the packet sequence, although not its premature         
  172    termination.                                                            
  174    The MAC is contained in a TSIG resource record included in the          
  175    additional section of the DNS message.                                  
  177 1.3.  Document History                                                     
  179    TSIG was originally specified by [RFC2845].  In 2017, two name server   
  180    implementations strictly following that document (and the related       
  181    [RFC4635]) were discovered to have security problems related to this    
  182    feature ([CVE-2017-3142], [CVE-2017-3143], [CVE-2017-11104]).  The      
  183    implementations were fixed, but to avoid similar problems in the        
  184    future, the two documents were updated and merged, producing this       
  185    revised specification for TSIG.                                         
  187    While TSIG implemented according to this RFC provides for enhanced      
  188    security, there are no changes in interoperability.  TSIG on the wire   
  189    is still the same mechanism described in [RFC2845]; only the checking   
  190    semantics have been changed.  See Section 10.1 for further details.     
  192 2.  Key Words                                                              
  194    The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",     
  196    "OPTIONAL" in this document are to be interpreted as described in       
  197    BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all      
  198    capitals, as shown here.                                                
  200 3.  Assigned Numbers                                                       
  202    This document defines the following Resource Record (RR) type and       
  203    associated value:                                                       
  205       TSIG (250)                                                           
  207    In addition, the document also defines the following DNS RCODEs and     
  208    associated names:                                                       
  210       16 (BADSIG)                                                          
  211       17 (BADKEY)                                                          
  212       18 (BADTIME)                                                         
  213       22 (BADTRUNC)                                                        
  215    (See Section 2.3 of [RFC6895] concerning the assignment of the value    
  216    16 to BADSIG.)                                                          
  218    These RCODES may appear within the "Error" field of a TSIG RR.          
  220 4.  TSIG RR Format                                                         
  222 4.1.  TSIG RR Type                                                         
  224    To provide secret key authentication, we use an RR type whose           
  225    mnemonic is TSIG and whose type code is 250.  TSIG is a meta-RR and     
  226    MUST NOT be cached.  TSIG RRs are used for authentication between DNS   
  227    entities that have established a shared secret key.  TSIG RRs are       
  228    dynamically computed to cover a particular DNS transaction and are      
  229    not DNS RRs in the usual sense.                                         
  231    As the TSIG RRs are related to one DNS request/response, there is no    
  232    value in storing or retransmitting them; thus, the TSIG RR is           
  233    discarded once it has been used to authenticate a DNS message.          
  235 4.2.  TSIG Record Format                                                   
  237    The fields of the TSIG RR are described below.  All multi-octet         
  238    integers in the record are sent in network byte order (see              
  239    Section 2.3.2 of [RFC1035]).                                            
  241    NAME:  The name of the key used, in domain name syntax.  The name       
  242       should reflect the names of the hosts and uniquely identify the      
  243       key among a set of keys these two hosts may share at any given       
  244       time.  For example, if hosts A.site.example and B.example.net        
  245       share a key, possibilities for the key name include                  
  246       <id>.A.site.example, <id>.B.example.net, and                         
  247       <id>.A.site.example.B.example.net.  It should be possible for more   
  248       than one key to be in simultaneous use among a set of interacting    
  249       hosts.  This allows for periodic key rotation as per best            
  250       operational practices, as well as algorithm agility as indicated     
  251       by [RFC7696].                                                        
  253       The name may be used as a local index to the key involved, but it    
  254       is recommended that it be globally unique.  Where a key is just      
  255       shared between two hosts, its name actually need only be             
  256       meaningful to them, but it is recommended that the key name be       
  257       mnemonic and incorporate the names of participating agents or        
  258       resources as suggested above.                                        
  260    TYPE:  This MUST be TSIG (250: Transaction SIGnature).                  
  262    CLASS:  This MUST be ANY.                                               
  264    TTL:  This MUST be 0.                                                   
  266    RDLENGTH:  (variable)                                                   
  268    RDATA:  The RDATA for a TSIG RR consists of a number of fields,         
  269       described below:                                                     
  271                             1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3    
  272         0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1    
  273        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+   
  274        /                         Algorithm Name                        /   
  275        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+   
  276        |                                                               |   
  277        |          Time Signed          +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+   
  278        |                               |            Fudge              |   
  279        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+   
  280        |          MAC Size             |                               /   
  281        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+             MAC               /   
  282        /                                                               /   
  283        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+   
  284        |          Original ID          |            Error              |   
  285        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+   
  286        |          Other Len            |                               /   
  287        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+           Other Data          /   
  288        /                                                               /   
  289        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+   
  291    The contents of the RDATA fields are:                                   
  293    Algorithm Name:                                                         
  294       an octet sequence identifying the TSIG algorithm in the domain       
  295       name syntax.  (Allowed names are listed in Table 3.)  The name is    
  296       stored in the DNS name wire format as described in [RFC1034].  As    
  297       per [RFC3597], this name MUST NOT be compressed.                     
  299    Time Signed:                                                            
  300       an unsigned 48-bit integer containing the time the message was       
  301       signed as seconds since 00:00 on 1970-01-01 UTC, ignoring leap       
  302       seconds.                                                             
  304    Fudge:                                                                  
  305       an unsigned 16-bit integer specifying the allowed time difference    
  306       in seconds permitted in the Time Signed field.                       
  308    MAC Size:                                                               
  309       an unsigned 16-bit integer giving the length of the MAC field in     
  310       octets.  Truncation is indicated by a MAC Size less than the size    
  311       of the keyed hash produced by the algorithm specified by the         
  312       Algorithm Name.                                                      
  314    MAC:                                                                    
  315       a sequence of octets whose contents are defined by the TSIG          
  316       algorithm used, possibly truncated as specified by the MAC Size.     
  317       The length of this field is given by the MAC Size.  Calculation of   
  318       the MAC is detailed in Section 4.3.                                  
  320    Original ID:                                                            
  321       an unsigned 16-bit integer holding the message ID of the original    
  322       request message.  For a TSIG RR on a request, it is set equal to     
  323       the DNS message ID.  In a TSIG attached to a response -- or in       
  324       cases such as the forwarding of a dynamic update request -- the      
  325       field contains the ID of the original DNS request.                   
  327    Error:                                                                  
  328       in responses, an unsigned 16-bit integer containing the extended     
  329       RCODE covering TSIG processing.  In requests, this MUST be zero.     
  331    Other Len:                                                              
  332       an unsigned 16-bit integer specifying the length of the Other Data   
  333       field in octets.                                                     
  335    Other Data:                                                             
  336       additional data relevant to the TSIG record.  In responses, this     
  337       will be empty (i.e., Other Len will be zero) unless the content of   
  338       the Error field is BADTIME, in which case it will be a 48-bit        
  339       unsigned integer containing the server's current time as the         
  340       number of seconds since 00:00 on 1970-01-01 UTC, ignoring leap       
  341       seconds (see Section 5.2.3).  This document assigns no meaning to    
  342       its contents in requests.                                            
  344 4.3.  MAC Computation                                                      
  346    When generating or verifying the contents of a TSIG record, the data    
  347    listed in the rest of this section are passed, in the order listed      
  348    below, as input to MAC computation.  The data are passed in network     
  349    byte order or wire format, as appropriate and are fed into the          
  350    hashing function as a continuous octet sequence with no interfield      
  351    separator or padding.                                                   
  353 4.3.1.  Request MAC                                                        
  355    Only included in the computation of a MAC for a response message (or    
  356    the first message in a multi-message response), the validated request   
  357    MAC MUST be included in the MAC computation.  If the request MAC        
  358    failed to validate, an unsigned error message MUST be returned          
  359    instead (Section 5.3.2).                                                
  361    The request's MAC, comprising the following fields, is digested in      
  362    wire format:                                                            
  364       +==========+=========================+========================+      
  365       | Field    | Type                    | Description            |      
  366       +==========+=========================+========================+      
  367       | MAC Size | Unsigned 16-bit integer | in network byte order  |      
  368       +----------+-------------------------+------------------------+      
  369       | MAC Data | octet sequence          | exactly as transmitted |      
  370       +----------+-------------------------+------------------------+      
  372                            Table 1: Request's MAC                          
  374    Special considerations apply to the TSIG calculation for the second     
  375    and subsequent messages in a response that consists of multiple DNS     
  376    messages (e.g., a zone transfer).  These are described in               
  377    Section 5.3.1.                                                          
  379 4.3.2.  DNS Message                                                        
  381    In the MAC computation, the whole/complete DNS message in wire format   
  382    is used.                                                                
  384    When creating an outgoing message, the TSIG is based on the message     
  385    content before the TSIG RR has been added to the additional section     
  386    and before the DNS Message Header's ARCOUNT has been incremented to     
  387    include the TSIG RR.                                                    
  389    When verifying an incoming message, the TSIG is checked against the     
  390    message after the TSIG RR has been removed, the ARCOUNT decremented,    
  391    and the message ID replaced by the original message ID from the TSIG    
  392    if those IDs differ.  (This could happen, for example, when             
  393    forwarding a dynamic update request.)                                   
  395 4.3.3.  TSIG Variables                                                     
  397    Also included in the digest is certain information present in the       
  398    TSIG RR.  Adding this data provides further protection against an       
  399    attempt to interfere with the message.                                  
  401    +============+================+====================================+    
  402    | Source     | Field Name     | Notes                              |    
  403    +============+================+====================================+    
  404    | TSIG RR    | NAME           | Key name, in canonical wire format |    
  405    +------------+----------------+------------------------------------+    
  406    | TSIG RR    | CLASS          | MUST be ANY                        |    
  407    +------------+----------------+------------------------------------+    
  408    | TSIG RR    | TTL            | MUST be 0                          |    
  409    +------------+----------------+------------------------------------+    
  410    | TSIG RDATA | Algorithm Name | in canonical wire format           |    
  411    +------------+----------------+------------------------------------+    
  412    | TSIG RDATA | Time Signed    | in network byte order              |    
  413    +------------+----------------+------------------------------------+    
  414    | TSIG RDATA | Fudge          | in network byte order              |    
  415    +------------+----------------+------------------------------------+    
  416    | TSIG RDATA | Error          | in network byte order              |    
  417    +------------+----------------+------------------------------------+    
  418    | TSIG RDATA | Other Len      | in network byte order              |    
  419    +------------+----------------+------------------------------------+    
  420    | TSIG RDATA | Other Data     | exactly as transmitted             |    
  421    +------------+----------------+------------------------------------+    
  423                          Table 2: TSIG Variables                           
  425    The RR RDLENGTH and RDATA MAC Size are not included in the input to     
  426    MAC computation, since they are not guaranteed to be knowable before    
  427    the MAC is generated.                                                   
  429    The Original ID field is not included in this section, as it has        
  430    already been substituted for the message ID in the DNS header and       
  431    hashed.                                                                 
  433    For each label type, there must be a defined "Canonical wire format"    
  434    that specifies how to express a label in an unambiguous way.  For       
  435    label type 00, this is defined in Section 6.2 of [RFC4034].  The use    
  436    of label types other than 00 is not defined for this specification.     
  438  Time Values Used in TSIG Calculations                            
  440    The data digested includes the two timer values in the TSIG header in   
  441    order to defend against replay attacks.  If this were not done, an      
  442    attacker could replay old messages but update the Time Signed and       
  443    Fudge fields to make the message look new.  The two fields are          
  444    collectively named "TSIG Timers", and for the purpose of MAC            
  445    calculation, they are hashed in their wire format, in the following     
  446    order: first Time Signed, then Fudge.                                   
  448 5.  Protocol Details                                                       
  450 5.1.  Generation of TSIG on Requests                                       
  452    Once the outgoing record has been constructed, the client performs      
  453    the keyed hash (Hashed Message Authentication Code (HMAC))              
  454    computation, appends a TSIG record with the calculated MAC to the       
  455    additional section (incrementing the ARCOUNT to reflect the             
  456    additional RR), and transmits the request to the server.  This TSIG     
  457    record MUST be the only TSIG RR in the message and MUST be the last     
  458    record in the additional data section.  The client MUST store the MAC   
  459    and the key name from the request while awaiting an answer.             
  461    The digest components for a request are:                                
  463       DNS Message (request)                                                
  464       TSIG Variables (request)                                             
  466 5.2.  Server Processing of Request                                         
  468    If an incoming message contains a TSIG record, it MUST be the last      
  469    record in the additional section.  Multiple TSIG records are not        
  470    allowed.  If multiple TSIG records are detected or a TSIG record is     
  471    present in any other position, the DNS message is dropped and a         
  472    response with RCODE 1 (FORMERR) MUST be returned.  Upon receipt of a    
  473    message with exactly one correctly placed TSIG RR, a copy of the TSIG   
  474    RR is stored and the TSIG RR is removed from the DNS message and        
  475    decremented out of the DNS message header's ARCOUNT.                    
  477    If the TSIG RR cannot be interpreted, the server MUST regard the        
  478    message as corrupt and return a FORMERR to the server.  Otherwise,      
  479    the server is REQUIRED to return a TSIG RR in the response.             
  481    To validate the received TSIG RR, the server MUST perform the           
  482    following checks in the following order:                                
  484    1.  Check key                                                           
  486    2.  Check MAC                                                           
  488    3.  Check time values                                                   
  490    4.  Check truncation policy                                             
  492 5.2.1.  Key Check and Error Handling                                       
  494    If a non-forwarding server does not recognize the key or algorithm      
  495    used by the client (or recognizes the algorithm but does not            
  496    implement it), the server MUST generate an error response with RCODE    
  497    9 (NOTAUTH) and TSIG ERROR 17 (BADKEY).  This response MUST be          
  498    unsigned as specified in Section 5.3.2.  The server SHOULD log the      
  499    error.  (Special considerations apply to forwarding servers; see        
  500    Section 5.5.)                                                           
  502 5.2.2.  MAC Check and Error Handling                                       
  504    Using the information in the TSIG, the server MUST verify the MAC by    
  505    doing its own calculation and comparing the result with the MAC         
  506    received.  If the MAC fails to verify, the server MUST generate an      
  507    error response as specified in Section 5.3.2 with RCODE 9 (NOTAUTH)     
  508    and TSIG ERROR 16 (BADSIG).  This response MUST be unsigned, as         
  509    specified in Section 5.3.2.  The server SHOULD log the error.           
  511  MAC Truncation                                                   
  513    When space is at a premium and the strength of the full length of a     
  514    MAC is not needed, it is reasonable to truncate the keyed hash and      
  515    use the truncated value for authentication.  HMAC SHA-1 truncated to    
  516    96 bits is an option available in several IETF protocols, including     
  517    IPsec and TLS.  However, while this option is kept for backwards        
  518    compatibility, it may not provide a security level appropriate for      
  519    all cases in the modern environment.  In these cases, it is             
  520    preferable to use a hashing algorithm such as SHA-256-128, SHA-         
  521    384-192, or SHA-512-256 [RFC4868].                                      
  523    Processing of a truncated MAC follows these rules:                      
  525    If the MAC Size field is greater than the keyed hash output             
  526    length:  This case MUST NOT be generated and, if received, MUST cause   
  527       the DNS message to be dropped and RCODE 1 (FORMERR) to be            
  528       returned.                                                            
  530    If the MAC Size field equals the keyed hash output length:  The         
  531       entire keyed hash output is present and used.                        
  533    If the MAC Size field is less than the larger of 10 (octets) and        
  534    half the length of the hash function in use:  With the exception of     
  535       certain TSIG error messages described in Section 5.3.2, where it     
  536       is permitted that the MAC Size be zero, this case MUST NOT be        
  537       generated and, if received, MUST cause the DNS message to be         
  538       dropped and RCODE 1 (FORMERR) to be returned.                        
  540    Otherwise:  This is sent when the signer has truncated the keyed hash   
  541       output to an allowable length, as described in [RFC2104], taking     
  542       initial octets and discarding trailing octets.  TSIG truncation      
  543       can only be to an integral number of octets.  On receipt of a DNS    
  544       message with truncation thus indicated, the locally calculated MAC   
  545       is similarly truncated, and only the truncated values are compared   
  546       for authentication.  The request MAC used when calculating the       
  547       TSIG MAC for a reply is the truncated request MAC.                   
  549 5.2.3.  Time Check and Error Handling                                      
  551    If the server time is outside the time interval specified by the        
  552    request (which is the Time Signed value plus/minus the Fudge value),    
  553    the server MUST generate an error response with RCODE 9 (NOTAUTH) and   
  554    TSIG ERROR 18 (BADTIME).  The server SHOULD also cache the most         
  555    recent Time Signed value in a message generated by a key and SHOULD     
  556    return BADTIME if a message received later has an earlier Time Signed   
  557    value.  A response indicating a BADTIME error MUST be signed by the     
  558    same key as the request.  It MUST include the client's current time     
  559    in the Time Signed field, the server's current time (an unsigned        
  560    48-bit integer) in the Other Data field, and 6 in the Other Len         
  561    field.  This is done so that the client can verify a message with a     
  562    BADTIME error without the verification failing due to another BADTIME   
  563    error.  In addition, the Fudge field MUST be set to the fudge value     
  564    received from the client.  The data signed is specified in              
  565    Section 5.3.2.  The server SHOULD log the error.                        
  567    Caching the most recent Time Signed value and rejecting requests with   
  568    an earlier one could lead to valid messages being rejected if transit   
  569    through the network led to UDP packets arriving in a different order    
  570    to the one in which they were sent.  Implementations should be aware    
  571    of this possibility and be prepared to deal with it, e.g., by           
  572    retransmitting the rejected request with a new TSIG once outstanding    
  573    requests have completed or the time given by their Time Signed value    
  574    plus the Fudge value has passed.  If implementations do retry           
  575    requests in these cases, a limit SHOULD be placed on the maximum        
  576    number of retries.                                                      
  578 5.2.4.  Truncation Check and Error Handling                                
  580    If a TSIG is received with truncation that is permitted per             
  581    Section but the MAC is too short for the local policy in        
  582    force, an RCODE 9 (NOTAUTH) and TSIG ERROR 22 (BADTRUNC) MUST be        
  583    returned.  The server SHOULD log the error.                             
  585 5.3.  Generation of TSIG on Answers                                        
  587    When a server has generated a response to a signed request, it signs    
  588    the response using the same algorithm and key.  The server MUST NOT     
  589    generate a signed response to a request if either the key is invalid    
  590    (e.g., key name or algorithm name are unknown) or the MAC fails         
  591    validation; see Section 5.3.2 for details of responding in these        
  592    cases.                                                                  
  594    It also MUST NOT generate a signed response to an unsigned request,     
  595    except in the case of a response to a client's unsigned TKEY request    
  596    if the secret key is established on the server side after the server    
  597    processed the client's request.  Signing responses to unsigned TKEY     
  598    requests MUST be explicitly specified in the description of an          
  599    individual secret key establishment algorithm [RFC3645].                
  601    The digest components used to generate a TSIG on a response are:        
  603       Request MAC                                                          
  604       DNS Message (response)                                               
  605       TSIG Variables (response)                                            
  607    (This calculation is different for the second and subsequent message    
  608    in a multi-message answer; see below.)                                  
  610    If addition of the TSIG record will cause the message to be             
  611    truncated, the server MUST alter the response so that a TSIG can be     
  612    included.  This response contains only the question and a TSIG          
  613    record, has the TC bit set, and has an RCODE of 0 (NOERROR).  At this   
  614    point, the client SHOULD retry the request using TCP (as per            
  615    Section 4.2.2 of [RFC1035]).                                            
  617 5.3.1.  TSIG on TCP Connections                                            
  619    A DNS TCP session, such as a zone transfer, can include multiple DNS    
  620    messages.  Using TSIG on such a connection can protect the connection   
  621    from an attack and provide data integrity.  The TSIG MUST be included   
  622    on all DNS messages in the response.  For backward compatibility, a     
  623    client that receives DNS messages and verifies TSIG MUST accept up to   
  624    99 intermediary messages without a TSIG and MUST verify that both the   
  625    first and last message contain a TSIG.                                  
  627    The first message is processed as a standard answer (see                
  628    Section 5.3), but subsequent messages have the following digest         
  629    components:                                                             
  631       Prior MAC (running)                                                  
  632       DNS Messages (any unsigned messages since the last TSIG)             
  633       TSIG Timers (current message)                                        
  635    The "Prior MAC" is the MAC from the TSIG attached to the last message   
  636    containing a TSIG.  "DNS Messages" comprises the concatenation (in      
  637    message order) of all messages after the last message that included a   
  638    TSIG and includes the current message.  "TSIG Timers" comprises the     
  639    Time Signed and Fudge fields (in that order) pertaining to the          
  640    message for which the TSIG was created; this means that the             
  641    successive TSIG records in the stream will have non-decreasing Time     
  642    Signed values.  Note that only the timers are included in the second    
  643    and subsequent messages, not all the TSIG variables.                    
  645    This allows the client to rapidly detect when the session has been      
  646    altered; at which point, it can close the connection and retry.  If a   
  647    client TSIG verification fails, the client MUST close the connection.   
  648    If the client does not receive TSIG records frequently enough (as       
  649    specified above), it SHOULD assume the connection has been hijacked,    
  650    and it SHOULD close the connection.  The client SHOULD treat this the   
  651    same way as they would any other interrupted transfer (although the     
  652    exact behavior is not specified).                                       
  654 5.3.2.  Generation of TSIG on Error Returns                                
  656    When a server detects an error relating to the key or MAC in the        
  657    incoming request, the server SHOULD send back an unsigned error         
  658    message (MAC Size == 0 and empty MAC).  It MUST NOT send back a         
  659    signed error message.                                                   
  661    If an error is detected relating to the TSIG validity period or the     
  662    MAC is too short for the local policy, the server SHOULD send back a    
  663    signed error message.  The digest components are:                       
  665       Request MAC (if the request MAC validated)                           
  666       DNS Message (response)                                               
  667       TSIG Variables (response)                                            
  669    The reason that the request MAC is not included in this MAC in some     
  670    cases is to make it possible for the client to verify the error.  If    
  671    the error is not a TSIG error, the response MUST be generated as        
  672    specified in Section 5.3.                                               
  674 5.4.  Client Processing of Answer                                          
  676    When a client receives a response from a server and expects to see a    
  677    TSIG, it first checks if the TSIG RR is present in the response.  If    
  678    not, the response is treated as having a format error and is            
  679    discarded.                                                              
  681    If the TSIG RR is present, the client performs the same checks as       
  682    described in Section 5.2.  If the TSIG RR is unsigned as specified in   
  683    Section 5.3.2 or does not validate, the message MUST be discarded       
  684    unless the RCODE is 9 (NOAUTH).  In this case, the client SHOULD        
  685    attempt to verify the response as if it were a TSIG error, as           
  686    described in the following subsections.                                 
  688    Regardless of the RCODE, a message containing a TSIG RR that is         
  689    unsigned as specified in Section 5.3.2 or that fails verification       
  690    SHOULD NOT be considered an acceptable response, as it may have been    
  691    spoofed or manipulated.  Instead, the client SHOULD log an error and    
  692    continue to wait for a signed response until the request times out.     
  694 5.4.1.  Key Error Handling                                                 
  696    If an RCODE on a response is 9 (NOTAUTH), but the response TSIG         
  697    validates and the TSIG key is recognized by the client but is           
  698    different from that used on the request, then this is a key-related     
  699    error.  The client MAY retry the request using the key specified by     
  700    the server.  However, this should never occur, as a server MUST NOT     
  701    sign a response with a different key to that used to sign the           
  702    request.                                                                
  704 5.4.2.  MAC Error Handling                                                 
  706    If the response RCODE is 9 (NOTAUTH) and TSIG ERROR is 16 (BADSIG),     
  707    this is a MAC-related error, and clients MAY retry the request with a   
  708    new request ID, but it would be better to try a different shared key    
  709    if one is available.  Clients SHOULD keep track of how many MAC         
  710    errors are associated with each key.  Clients SHOULD log this event.    
  712 5.4.3.  Time Error Handling                                                
  714    If the response RCODE is 9 (NOTAUTH) and the TSIG ERROR is 18           
  715    (BADTIME) or the current time does not fall in the range specified in   
  716    the TSIG record, then this is a time-related error.  This is an         
  717    indication that the client and server clocks are not synchronized.      
  718    In this case, the client SHOULD log the event.  DNS resolvers MUST      
  719    NOT adjust any clocks in the client based on BADTIME errors, but the    
  720    server's time in the Other Data field SHOULD be logged.                 
  722 5.4.4.  Truncation Error Handling                                          
  724    If the response RCODE is 9 (NOTAUTH) and the TSIG ERROR is 22           
  725    (BADTRUNC), then this is a truncation-related error.  The client MAY    
  726    retry with a lesser truncation up to the full HMAC output (no           
  727    truncation), using the truncation used in the response as a hint for    
  728    what the server policy allowed (Section 7).  Clients SHOULD log this    
  729    event.                                                                  
  731 5.5.  Special Considerations for Forwarding Servers                        
  733    A server acting as a forwarding server of a DNS message SHOULD check    
  734    for the existence of a TSIG record.  If the name on the TSIG is not     
  735    of a secret that the server shares with the originator, the server      
  736    MUST forward the message unchanged including the TSIG.  If the name     
  737    of the TSIG is of a key this server shares with the originator, it      
  738    MUST process the TSIG.  If the TSIG passes all checks, the forwarding   
  739    server MUST, if possible, include a TSIG of its own to the              
  740    destination or the next forwarder.  If no transaction security is       
  741    available to the destination and the message is a query, and if the     
  742    corresponding response has the AD flag (see [RFC4035]) set, the         
  743    forwarder MUST clear the AD flag before adding the TSIG to the          
  744    response and returning the result to the system from which it           
  745    received the query.                                                     
  747 6.  Algorithms and Identifiers                                             
  749    The only message digest algorithm specified in the first version of     
  750    these specifications [RFC2845] was "HMAC-MD5" (see [RFC1321] and        
  751    [RFC2104]).  Although a review of its security some years ago           
  752    [RFC6151] concluded that "it may not be urgent to remove HMAC-MD5       
  753    from the existing protocols", with the availability of more secure      
  754    alternatives, the opportunity has been taken to make the                
  755    implementation of this algorithm optional.                              
  757    [RFC4635] added mandatory support in TSIG for SHA-1 [FIPS180-4]         
  758    [RFC3174].  SHA-1 collisions have been demonstrated [SHA1SHAMBLES],     
  759    so the MD5 security considerations described in Section 2 of            
  760    [RFC6151] apply to SHA-1 in a similar manner.  Although support for     
  761    hmac-sha1 in TSIG is still mandatory for compatibility reasons,         
  762    existing uses SHOULD be replaced with hmac-sha256 or other SHA-2        
  763    digest algorithms ([FIPS180-4], [RFC3874], [RFC6234]).                  
  765    Use of TSIG between two DNS agents is by mutual agreement.  That        
  766    agreement can include the support of additional algorithms and          
  767    criteria as to which algorithms and truncations are acceptable,         
  768    subject to the restriction and guidelines in Section  Key      
  769    agreement can be by the TKEY mechanism [RFC2930] or some other          
  770    mutually agreeable method.                                              
  772    Implementations that support TSIG MUST also implement HMAC SHA1 and     
  773    HMAC SHA256 and MAY implement gss-tsig and the other algorithms         
  774    listed below.  SHA-1 truncated to 96 bits (12 octets) SHOULD be         
  775    implemented.                                                            
  777       +==========================+================+=================+      
  778       | Algorithm Name           | Implementation | Use             |      
  779       +==========================+================+=================+      
  780       | HMAC-MD5.SIG-ALG.REG.INT | MAY            | MUST NOT        |      
  781       +--------------------------+----------------+-----------------+      
  782       | gss-tsig                 | MAY            | MAY             |      
  783       +--------------------------+----------------+-----------------+      
  784       | hmac-sha1                | MUST           | NOT RECOMMENDED |      
  785       +--------------------------+----------------+-----------------+      
  786       | hmac-sha224              | MAY            | MAY             |      
  787       +--------------------------+----------------+-----------------+      
  788       | hmac-sha256              | MUST           | RECOMMENDED     |      
  789       +--------------------------+----------------+-----------------+      
  790       | hmac-sha256-128          | MAY            | MAY             |      
  791       +--------------------------+----------------+-----------------+      
  792       | hmac-sha384              | MAY            | MAY             |      
  793       +--------------------------+----------------+-----------------+      
  794       | hmac-sha384-192          | MAY            | MAY             |      
  795       +--------------------------+----------------+-----------------+      
  796       | hmac-sha512              | MAY            | MAY             |      
  797       +--------------------------+----------------+-----------------+      
  798       | hmac-sha512-256          | MAY            | MAY             |      
  799       +--------------------------+----------------+-----------------+      
  801           Table 3: Algorithms for Implementations Supporting TSIG          
  803 7.  TSIG Truncation Policy                                                 
  805    As noted above, two DNS agents (e.g., resolver and server) must         
  806    mutually agree to use TSIG.  Implicit in such an "agreement" are        
  807    criteria as to acceptable keys, algorithms, and (with the extensions    
  808    in this document) truncations.  Local policies MAY require the          
  809    rejection of TSIGs, even though they use an algorithm for which         
  810    implementation is mandatory.                                            
  812    When a local policy permits acceptance of a TSIG with a particular      
  813    algorithm and a particular non-zero amount of truncation, it SHOULD     
  814    also permit the use of that algorithm with lesser truncation (a         
  815    longer MAC) up to the full keyed hash output.                           
  817    Regardless of a lower acceptable truncated MAC length specified by      
  818    local policy, a reply SHOULD be sent with a MAC at least as long as     
  819    that in the corresponding request.  Note, if the request specified a    
  820    MAC length longer than the keyed hash output, it will be rejected by    
  821    processing rules (Section, case 1).                             
  823    Implementations permitting multiple acceptable algorithms and/or        
  824    truncations SHOULD permit this list to be ordered by presumed           
  825    strength and SHOULD allow different truncations for the same            
  826    algorithm to be treated as separate entities in this list.  When so     
  827    implemented, policies SHOULD accept a presumed stronger algorithm and   
  828    truncation than the minimum strength required by the policy.            
  830 8.  Shared Secrets                                                         
  832    Secret keys are very sensitive information and all available steps      
  833    should be taken to protect them on every host on which they are         
  834    stored.  Generally, such hosts need to be physically protected.  If     
  835    they are multi-user machines, great care should be taken so that        
  836    unprivileged users have no access to keying material.  Resolvers        
  837    often run unprivileged, which means all users of a host would be able   
  838    to see whatever configuration data are used by the resolver.            
  840    A name server usually runs privileged, which means its configuration    
  841    data need not be visible to all users of the host.  For this reason,    
  842    a host that implements transaction-based authentication should          
  843    probably be configured with a "stub resolver" and a local caching and   
  844    forwarding name server.  This presents a special problem for            
  845    [RFC2136], which otherwise depends on clients to communicate only       
  846    with a zone's authoritative name servers.                               
  848    Use of strong, random shared secrets is essential to the security of    
  849    TSIG.  See [RFC4086] for a discussion of this issue.  The secret        
  850    SHOULD be at least as long as the keyed hash output [RFC2104].          

The IETF is responsible for the creation and maintenance of the DNS RFCs. The ICANN DNS RFC annotation project provides a forum for collecting community annotations on these RFCs as an aid to understanding for implementers and any interested parties. The annotations displayed here are not the result of the IETF consensus process.

This RFC is included in the DNS RFCs annotation project whose home page is here.

GLOBAL V. Risk, ISC.orgBIND 9 implementation note2022-08-15

This RFC is implemented in BIND 9.18 (all versions).

  852 9.  IANA Considerations                                                    
  854    IANA maintains a registry of algorithm names to be used as "Algorithm   
  855    Names", as defined in Section 4.2 [IANA-TSIG].  Algorithm names are     
  856    text strings encoded using the syntax of a domain name.  There is no    
  857    structure to the names, and algorithm names are compared as if they     
  858    were DNS names, i.e., comparison is case insensitive.  Previous         
  859    specifications ([RFC2845] and [RFC4635]) defined values for the HMAC-   
  860    MD5 and some HMAC-SHA algorithms.  IANA has also registered "gss-       
  861    tsig" as an identifier for TSIG authentication where the                
  862    cryptographic operations are delegated to the Generic Security          
  863    Service (GSS) [RFC3645].  This document adds to the allowed             
  864    algorithms, and the registry has been updated with the names listed     
  865    in Table 3.                                                             
  867    New algorithms are assigned using the IETF Review policy defined in     
  868    [RFC8126].  The algorithm name HMAC-MD5.SIG-ALG.REG.INT looks like a    
  869    fully qualified domain name for historical reasons; other algorithm     
  870    names are simple, single-component names.                               
  872    IANA maintains a registry of RCODEs (error codes) (see [IANA-RCODEs],   
  873    including "TSIG Error values" to be used for "Error" values, as         
  874    defined in Section 4.2.  This document defines the RCODEs as            
  875    described in Section 3.  New error codes are assigned and specified     
  876    as in [RFC6895].                                                        
  878 10.  Security Considerations                                               
  880    The approach specified here is computationally much less expensive      
  881    than the signatures specified in DNSSEC.  As long as the shared         
  882    secret key is not compromised, strong authentication is provided        
  883    between two DNS systems, e.g., for the last hop from a local name       
  884    server to the user resolver or between primary and secondary name       
  885    servers.                                                                
  887    Recommendations for choosing and maintaining secret keys can be found   
  888    in [RFC2104].  If the client host has been compromised, the server      
  889    should suspend the use of all secrets known to that client.  If         
  890    possible, secrets should be stored in an encrypted form.  Secrets       
  891    should never be transmitted in the clear over any network.  This        
  892    document does not address the issue on how to distribute secrets        
  893    except that it mentions the possibilities of manual configuration and   
  894    the use of TKEY [RFC2930].  Secrets SHOULD NOT be shared by more than   
  895    two entities; any such additional sharing would allow any party         
  896    knowing the key to impersonate any other such party to members of the   
  897    group.                                                                  
  899    This mechanism does not authenticate source data, only its              
  900    transmission between two parties who share some secret.  The original   
  901    source data can come from a compromised zone master or can be           
  902    corrupted during transit from an authentic zone master to some          
  903    "caching forwarder".  However, if the server is faithfully performing   
  904    the full DNSSEC security checks, then only security-checked data will   
  905    be available to the client.                                             
  907    A Fudge value that is too large may leave the server open to replay     
  908    attacks.  A Fudge value that is too small may cause failures if         
  909    machines are not time synchronized or there are unexpected network      
  910    delays.  The RECOMMENDED value in most situations is 300 seconds.       
  912    To prevent cross-algorithm attacks, there SHOULD only be one            
  913    algorithm associated with any given key name.                           
  915    In several cases where errors are detected, an unsigned error message   
  916    must be returned.  This can allow for an attacker to spoof or           
  917    manipulate these responses.  Section 5.4 recommends logging these as    
  918    errors and continuing to wait for a signed response until the request   
  919    times out.                                                              
  921    Although the strength of an algorithm determines its security, there    
  922    have been some arguments that mild truncation can strengthen a MAC by   
  923    reducing the information available to an attacker.  However,            
  924    excessive truncation clearly weakens authentication by reducing the     
  925    number of bits an attacker has to try to break the authentication by    
  926    brute force [RFC2104].                                                  
  928    Significant progress has been made recently in cryptanalysis of hash    
  929    functions of the types used here.  While the results so far should      
  930    not affect HMAC, the stronger SHA-256 algorithm is being made           
  931    mandatory as a precaution.                                              
  933    See also the Security Considerations section of [RFC2104] from which    
  934    the limits on truncation in this RFC were taken.                        
  936 10.1.  Issue Fixed in This Document                                        
  938    When signing a DNS reply message using TSIG, the MAC computation uses   
  939    the request message's MAC as an input to cryptographically relate the   
  940    reply to the request.  The original TSIG specification [RFC2845]        
  941    required that the time values be checked before the request's MAC.      
  942    If the time was invalid, some implementations failed to carry out       
  943    further checks and could use an invalid request MAC in the signed       
  944    reply.                                                                  
  946    This document makes it mandatory that the request MAC is considered     
  947    to be invalid until it has been validated; until then, any answer       
  948    must be unsigned.  For this reason, the request MAC is now checked      
  949    before the time values.                                                 
  951 10.2.  Why Not DNSSEC?                                                     
  953    DNS has been extended by DNSSEC ([RFC4033], [RFC4034], and [RFC4035])   
  954    to provide for data origin authentication, and public key               
  955    distribution, all based on public key cryptography and public key       
  956    based digital signatures.  To be practical, this form of security       
  957    generally requires extensive local caching of keys and tracing of       
  958    authentication through multiple keys and signatures to a pre-trusted    
  959    locally configured key.                                                 
  961    One difficulty with the DNSSEC scheme is that common DNS                
  962    implementations include simple "stub" resolvers which do not have       
  963    caches.  Such resolvers typically rely on a caching DNS server on       
  964    another host.  It is impractical for these stub resolvers to perform    
  965    general DNSSEC authentication and they would naturally depend on        
  966    their caching DNS server to perform such services for them.  To do so   
  967    securely requires secure communication of queries and responses.        
  968    DNSSEC provides public key transaction signatures to support this,      
  969    but such signatures are very expensive computationally to generate.     
  970    In general, these require the same complex public key logic that is     
  971    impractical for stubs.                                                  
  973    A second area where use of straight DNSSEC public key based             
  974    mechanisms may be impractical is authenticating dynamic update          
  975    [RFC2136] requests.  DNSSEC provides for request signatures but with    
  976    DNSSEC they, like transaction signatures, require computationally       
  977    expensive public key cryptography and complex authentication logic.     
  978    Secure Domain Name System Dynamic Update ([RFC3007]) describes how      
  979    different keys are used in dynamically updated zones.                   
  981 11.  References                                                            
  983 11.1.  Normative References                                                
  985    [FIPS180-4]                                                             
  986               National Institute of Standards and Technology, "Secure      
  987               Hash Standard (SHS)", FIPS PUB 180-4,                        
  988               DOI 10.6028/NIST.FIPS.180-4, August 2015,                    
  989               <https://doi.org/10.6028/NIST.FIPS.180-4>.                   
  991    [RFC1034]  Mockapetris, P., "Domain names - concepts and facilities",   
  992               STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987,       
  993               <https://www.rfc-editor.org/info/rfc1034>.                   
  995    [RFC1035]  Mockapetris, P., "Domain names - implementation and          
  996               specification", STD 13, RFC 1035, DOI 10.17487/RFC1035,      
  997               November 1987, <https://www.rfc-editor.org/info/rfc1035>.    
  999    [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate          
 1000               Requirement Levels", BCP 14, RFC 2119,                       
 1001               DOI 10.17487/RFC2119, March 1997,                            
 1002               <https://www.rfc-editor.org/info/rfc2119>.                   
 1004    [RFC2845]  Vixie, P., Gudmundsson, O., Eastlake 3rd, D., and B.         
 1005               Wellington, "Secret Key Transaction Authentication for DNS   
 1006               (TSIG)", RFC 2845, DOI 10.17487/RFC2845, May 2000,           
 1007               <https://www.rfc-editor.org/info/rfc2845>.                   
 1009    [RFC3597]  Gustafsson, A., "Handling of Unknown DNS Resource Record     
 1010               (RR) Types", RFC 3597, DOI 10.17487/RFC3597, September       
 1011               2003, <https://www.rfc-editor.org/info/rfc3597>.             
 1013    [RFC4635]  Eastlake 3rd, D., "HMAC SHA (Hashed Message Authentication   
 1014               Code, Secure Hash Algorithm) TSIG Algorithm Identifiers",    
 1015               RFC 4635, DOI 10.17487/RFC4635, August 2006,                 
 1016               <https://www.rfc-editor.org/info/rfc4635>.                   
 1018    [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC       
 1019               2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,     
 1020               May 2017, <https://www.rfc-editor.org/info/rfc8174>.         
 1022 11.2.  Informative References                                              
 1024    [CVE-2017-11104]                                                        
 1025               Common Vulnerabilities and Exposures, "CVE-2017-11104:       
 1026               Improper TSIG validity period check can allow TSIG           
 1027               forgery", June 2017, <https://cve.mitre.org/cgi-bin/         
 1028               cvename.cgi?name=CVE-2017-11104>.                            
 1030    [CVE-2017-3142]                                                         
 1031               Common Vulnerabilities and Exposures, "CVE-2017-3142: An     
 1032               error in TSIG authentication can permit unauthorized zone    
 1033               transfers", June 2017, <https://cve.mitre.org/cgi-bin/       
 1034               cvename.cgi?name=CVE-2017-3142>.                             
 1036    [CVE-2017-3143]                                                         
 1037               Common Vulnerabilities and Exposures, "CVE-2017-3143: An     
 1038               error in TSIG authentication can permit unauthorized         
 1039               dynamic updates", June 2017, <https://cve.mitre.org/cgi-     
 1040               bin/cvename.cgi?name=CVE-2017-3143>.                         
 1042    [IANA-RCODEs]                                                           
 1043               IANA, "DNS RCODEs",                                          
 1044               <https://www.iana.org/assignments/dns-parameters/>.          
 1046    [IANA-TSIG]                                                             
 1047               IANA, "TSIG Algorithm Names",                                
 1048               <https://www.iana.org/assignments/tsig-algorithm-names/>.    
 1050    [RFC1321]  Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321,    
 1051               DOI 10.17487/RFC1321, April 1992,                            
 1052               <https://www.rfc-editor.org/info/rfc1321>.                   
 1054    [RFC2104]  Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-     
 1055               Hashing for Message Authentication", RFC 2104,               
 1056               DOI 10.17487/RFC2104, February 1997,                         
 1057               <https://www.rfc-editor.org/info/rfc2104>.                   
 1059    [RFC2136]  Vixie, P., Ed., Thomson, S., Rekhter, Y., and J. Bound,      
 1060               "Dynamic Updates in the Domain Name System (DNS UPDATE)",    
 1061               RFC 2136, DOI 10.17487/RFC2136, April 1997,                  
 1062               <https://www.rfc-editor.org/info/rfc2136>.                   
 1064    [RFC2930]  Eastlake 3rd, D., "Secret Key Establishment for DNS (TKEY    
 1065               RR)", RFC 2930, DOI 10.17487/RFC2930, September 2000,        
 1066               <https://www.rfc-editor.org/info/rfc2930>.                   
 1068    [RFC3007]  Wellington, B., "Secure Domain Name System (DNS) Dynamic     
 1069               Update", RFC 3007, DOI 10.17487/RFC3007, November 2000,      
 1070               <https://www.rfc-editor.org/info/rfc3007>.                   
 1072    [RFC3174]  Eastlake 3rd, D. and P. Jones, "US Secure Hash Algorithm 1   
 1073               (SHA1)", RFC 3174, DOI 10.17487/RFC3174, September 2001,     
 1074               <https://www.rfc-editor.org/info/rfc3174>.                   
 1076    [RFC3645]  Kwan, S., Garg, P., Gilroy, J., Esibov, L., Westhead, J.,    
 1077               and R. Hall, "Generic Security Service Algorithm for         
 1078               Secret Key Transaction Authentication for DNS (GSS-TSIG)",   
 1079               RFC 3645, DOI 10.17487/RFC3645, October 2003,                
 1080               <https://www.rfc-editor.org/info/rfc3645>.                   
 1082    [RFC3874]  Housley, R., "A 224-bit One-way Hash Function: SHA-224",     
 1083               RFC 3874, DOI 10.17487/RFC3874, September 2004,              
 1084               <https://www.rfc-editor.org/info/rfc3874>.                   
 1086    [RFC4033]  Arends, R., Austein, R., Larson, M., Massey, D., and S.      
 1087               Rose, "DNS Security Introduction and Requirements",          
 1088               RFC 4033, DOI 10.17487/RFC4033, March 2005,                  
 1089               <https://www.rfc-editor.org/info/rfc4033>.                   
 1091    [RFC4034]  Arends, R., Austein, R., Larson, M., Massey, D., and S.      
 1092               Rose, "Resource Records for the DNS Security Extensions",    
 1093               RFC 4034, DOI 10.17487/RFC4034, March 2005,                  
 1094               <https://www.rfc-editor.org/info/rfc4034>.                   
 1096    [RFC4035]  Arends, R., Austein, R., Larson, M., Massey, D., and S.      
 1097               Rose, "Protocol Modifications for the DNS Security           
 1098               Extensions", RFC 4035, DOI 10.17487/RFC4035, March 2005,     
 1099               <https://www.rfc-editor.org/info/rfc4035>.                   
 1101    [RFC4086]  Eastlake 3rd, D., Schiller, J., and S. Crocker,              
 1102               "Randomness Requirements for Security", BCP 106, RFC 4086,   
 1103               DOI 10.17487/RFC4086, June 2005,                             
 1104               <https://www.rfc-editor.org/info/rfc4086>.                   
 1106    [RFC4868]  Kelly, S. and S. Frankel, "Using HMAC-SHA-256, HMAC-SHA-     
 1107               384, and HMAC-SHA-512 with IPsec", RFC 4868,                 
 1108               DOI 10.17487/RFC4868, May 2007,                              
 1109               <https://www.rfc-editor.org/info/rfc4868>.                   
 1111    [RFC6151]  Turner, S. and L. Chen, "Updated Security Considerations     
 1112               for the MD5 Message-Digest and the HMAC-MD5 Algorithms",     
 1113               RFC 6151, DOI 10.17487/RFC6151, March 2011,                  
 1114               <https://www.rfc-editor.org/info/rfc6151>.                   
 1116    [RFC6234]  Eastlake 3rd, D. and T. Hansen, "US Secure Hash Algorithms   
 1117               (SHA and SHA-based HMAC and HKDF)", RFC 6234,                
 1118               DOI 10.17487/RFC6234, May 2011,                              
 1119               <https://www.rfc-editor.org/info/rfc6234>.                   
 1121    [RFC6895]  Eastlake 3rd, D., "Domain Name System (DNS) IANA             
 1122               Considerations", BCP 42, RFC 6895, DOI 10.17487/RFC6895,     
 1123               April 2013, <https://www.rfc-editor.org/info/rfc6895>.       
 1125    [RFC7696]  Housley, R., "Guidelines for Cryptographic Algorithm         
 1126               Agility and Selecting Mandatory-to-Implement Algorithms",    
 1127               BCP 201, RFC 7696, DOI 10.17487/RFC7696, November 2015,      
 1128               <https://www.rfc-editor.org/info/rfc7696>.                   
 1130    [RFC8126]  Cotton, M., Leiba, B., and T. Narten, "Guidelines for        
 1131               Writing an IANA Considerations Section in RFCs", BCP 26,     
 1132               RFC 8126, DOI 10.17487/RFC8126, June 2017,                   
 1133               <https://www.rfc-editor.org/info/rfc8126>.                   
 1135    [SHA1SHAMBLES]                                                          
 1136               Leurent, G. and T. Peyrin, "SHA-1 is a Shambles", January    
 1137               2020, <https://eprint.iacr.org/2020/014.pdf>.                
 1139 Acknowledgements                                                           
 1141    The security problem addressed by this document was reported by         
 1142    Clément Berthaux from Synacktiv.                                        
 1144    Peter van Dijk, Benno Overeinder, Willem Toroop, Ondrej Sury, Mukund    
 1145    Sivaraman, and Ralph Dolmans participated in the discussions that       
 1146    prompted this document.  Mukund Sivaraman, Martin Hoffman, and Tony     
 1147    Finch made extremely helpful suggestions concerning the structure and   
 1148    wording of the updated document.                                        
 1150    Stephen Morris would like to thank Internet Systems Consortium for      
 1151    its support of his participation in the creation of this document.      
 1153 Authors' Addresses                                                         
 1155    Francis Dupont                                                          
 1156    Internet Systems Consortium, Inc.                                       
 1157    PO Box 360                                                              
 1158    Newmarket, NH 03857                                                     
 1159    United States of America                                                
 1161    Email: Francis.Dupont@fdupont.fr                                        
 1164    Stephen Morris                                                          
 1165    Unaffiliated                                                            
 1166    United Kingdom                                                          
 1168    Email: sa.morris8@gmail.com                                             
 1171    Paul Vixie                                                              
 1172    Farsight Security Inc                                                   
 1173    Suite 180                                                               
 1174    177 Bovet Road                                                          
 1175    San Mateo, CA 94402                                                     
 1176    United States of America                                                
 1178    Email: paul@redbarn.org                                                 
 1181    Donald E. Eastlake 3rd                                                  
 1182    Futurewei Technologies                                                  
 1183    2386 Panoramic Circle                                                   
 1184    Apopka, FL 32703                                                        
 1185    United States of America                                                
 1187    Email: d3e3e3@gmail.com                                                 
 1190    Olafur Gudmundsson                                                      
 1191    Cloudflare                                                              
 1192    United States of America                                                
 1194    Email: olafur+ietf@cloudflare.com                                       
 1197    Brian Wellington                                                        
 1198    Akamai                                                                  
 1199    United States of America                                                
 1201    Email: bwelling@akamai.com