Storing Certificates in the Domain Name System (DNS)
simon@josefsson.orgCryptographic public keys are frequently published, and their
authenticity is demonstrated by certificates. A CERT resource
record (RR) is defined so that such certificates and related
certificate revocation lists can be stored in the Domain Name
System (DNS).This document obsoletes RFC 2538.Public keys are frequently published in the form of a
certificate, and their authenticity is commonly demonstrated by
certificates and related certificate revocation lists (CRLs). A
certificate is a binding, through a cryptographic digital
signature, of a public key, a validity interval and/or conditions,
and identity, authorization, or other information. A certificate
revocation list is a list of certificates that are revoked, and of
incidental information, all signed by the signer (issuer) of the
revoked certificates. Examples are X.509 certificates/CRLs in the
X.500 directory system or OpenPGP certificates/revocations used by
OpenPGP software.Section 2 specifies a CERT resource record (RR) for the storage
of certificates in the Domain Name System .Section 3 discusses appropriate owner names for CERT RRs.Sections 4, 7, and 8 cover performance, security, and IANA
considerations, respectively.Section 9 explains the changes in this document compared to RFC
2538.The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL"
in this document are to be interpreted as described in .The CERT resource record (RR) has the structure given below. Its
RR type code is 37.The type field is the certificate type as defined in Section 2.1
below.The key tag field is the 16-bit value computed for the key
embedded in the certificate, using the RRSIG Key Tag algorithm
described in Appendix B of . This field
is used as an efficiency measure to pick which CERT RRs may be
applicable to a particular key. The key tag can be calculated for
the key in question, and then only CERT RRs with the same key tag
need to be examined. Note that two different keys can have the
same key tag. However, the key MUST be transformed to the format
it would have as the public key portion of a DNSKEY RR before the
key tag is computed. This is only possible if the key is
applicable to an algorithm and complies to limits (such as key
size) defined for DNS security. If it is not, the algorithm field
MUST be zero and the tag field is meaningless and SHOULD be
zero.The algorithm field has the same meaning as the algorithm field
in DNSKEY and RRSIG RRs , except that a
zero algorithm field indicates that the algorithm is unknown to a
secure DNS, which may simply be the result of the algorithm not
having been standardized for DNSSEC .The following values are defined or reserved:These values represent the initial content of the IANA
registry; see Section 8.The PKIX type is reserved to indicate an X.509 certificate
conforming to the profile defined by the IETF PKIX working group
. The certificate section will start
with a one-octet unsigned OID length and then an X.500 OID
indicating the nature of the remainder of the certificate
section (see Section 2.3, below). (NOTE: X.509 certificates do
not include their X.500 directory-type-designating OID as a
prefix.)The SPKI and ISPKI types are reserved to indicate the SPKI
certificate format , for use when the
SPKI documents are moved from experimental status. The format
for these two CERT RR types will need to be specified later.The PGP type indicates an OpenPGP packet as described in
and its extensions and successors.
This is used to transfer public key material and revocation
signatures. The data is binary and MUST NOT be encoded into an
ASCII armor. An implementation SHOULD process transferable
public keys as described in Section 10.1 of
, but it MAY handle additional OpenPGP
packets.The ACPKIX type indicates an Attribute Certificate format
.The IPKIX and IACPKIX types indicate a URL that will serve the
content that would have been in the "certificate, CRL, or URL"
field of the corresponding type (PKIX or ACPKIX, respectively).The IPGP type contains both an OpenPGP fingerprint for the key
in question, as well as a URL. The certificate portion of the
IPGP CERT RR is defined as a one-octet fingerprint length,
followed by the OpenPGP fingerprint, followed by the URL. The
OpenPGP fingerprint is calculated as defined in RFC 2440
. A zero-length fingerprint or a
zero-length URL are legal, and indicate URL-only IPGP data or
fingerprint-only IPGP data, respectively. A zero-length
fingerprint and a zero-length URL are meaningless and
invalid.The IPKIX, ISPKI, IPGP, and IACPKIX types are known as
"indirect". These types MUST be used when the content is too
large to fit in the CERT RR and MAY be used at the implementer's
discretion. They SHOULD NOT be used where the DNS message is
512 octets or smaller and could thus be expected to fit a UDP
packet.The URI private type indicates a certificate format defined by
an absolute URI. The certificate portion of the CERT RR MUST
begin with a NUL-terminated URI and
the data after the NUL is the private format certificate itself.
The URI SHOULD be such that a retrieval from it will lead to
documentation on the format of the certificate. Recognition of
private certificate types need not be based on URI equality but
can use various forms of pattern matching so that, for example,
subtype or version information can also be encoded into the
URI.The OID private type indicates a private format certificate
specified by an ISO OID prefix. The certificate section will
start with a one-octet unsigned OID length and then a
BER-encoded OID indicating the nature of the remainder of the
certificate section. This can be an X.509 certificate format or
some other format. X.509 certificates that conform to the IETF
PKIX profile SHOULD be indicated by the PKIX type, not the OID
private type. Recognition of private certificate types need not
be based on OID equality but can use various forms of pattern
matching such as OID prefix.The RDATA portion of a CERT RR has the type field as an
unsigned decimal integer or as a mnemonic symbol as listed in
Section 2.1, above.The key tag field is represented as an unsigned decimal
integer.The algorithm field is represented as an unsigned decimal
integer or a mnemonic symbol as listed in .The certificate/CRL portion is represented in base 64
and may be divided into any number of
white-space-separated substrings, down to single base-64 digits,
which are concatenated to obtain the full signature. These
substrings can span lines using the standard parenthesis.Note that the certificate / CRL portion may have internal
sub-fields, but these do not appear in the master file
representation. For example, with type 254, there will be an
OID size, an OID, and then the certificate/CRL proper. However,
only a single logical base-64 string will appear in the text
representation.OIDs have been defined in connection with the X.500 directory
for user certificates, certification authority certificates,
revocations of certification authority, and revocations of user
certificates. The following table lists the OIDs, their BER
encoding, and their length-prefixed hex format for use in CERT
RRs:It is recommended that certificate CERT RRs be stored under a
domain name related to their subject, i.e., the name of the entity
intended to control the private key corresponding to the public
key being certified. It is recommended that certificate
revocation list CERT RRs be stored under a domain name related to
their issuer.Following some of the guidelines below may result in DNS names
with characters that require DNS quoting as per Section 5.1 of RFC
1035 .The choice of name under which CERT RRs are stored is important
to clients that perform CERT queries. In some situations, the
clients may not know all information about the CERT RR object it
wishes to retrieve. For example, a client may not know the
subject name of an X.509 certificate, or the email address of the
owner of an OpenPGP key. Further, the client might only know the
hostname of a service that uses X.509 certificates or the Key ID
of an OpenPGP key.Therefore, two owner name guidelines are defined: content-based
owner names and purpose-based owner names. A content-based owner
name is derived from the content of the CERT RR data; for example,
the Subject field in an X.509 certificate or the User ID field in
OpenPGP keys. A purpose-based owner name is a name that a client
retrieving CERT RRs ought to know already; for example, the host
name of an X.509 protected service or the Key ID of an OpenPGP
key. The content-based and purpose-based owner name may be the
same; for example, when a client looks up a key based on the From:
address of an incoming email.Implementations SHOULD use the purpose-based owner name
guidelines described in this document and MAY use CNAME RRs at
content-based owner names (or other names), pointing to the
purpose-based owner name..
Note that this section describes an application-based mapping
from the name space used in a certificate to the name space used
by DNS. The DNS does not infer any relationship amongst CERT
resource records based on similarities or differences of the DNS
owner name(s) of CERT resource records. For example, if multiple
labels are used when mapping from a CERT identifier to a domain
name, then care must be taken in understanding wildcard record
synthesis.Some X.509 versions, such as the PKIX profile of X.509
, permit multiple names to be
associated with subjects and issuers under "Subject Alternative
Name" and "Issuer Alternative Name". For example, the PKIX
profile has such Alternate Names with an ASN.1 specification as
follows:The recommended locations of CERT storage are as follows, in priority
order:If a domain name is included in the identification in the
certificate or CRL, that ought to be used.If a domain name is not included but an IP address is
included, then the translation of that IP address into the
appropriate inverse domain name ought to be used.If neither of the above is used, but a URI containing a
domain name is present, that domain name ought to be used.If none of the above is included but a character string name
is included, then it ought to be treated as described below
for OpenPGP names.If none of the above apply, then the distinguished name (DN)
ought to be mapped into a domain name as specified in
.Example 1: An X.509v3 certificate is issued to /CN=John Doe
/DC=Doe/DC=com/DC=xy/O=Doe Inc/C=XY/ with Subject Alternative Names
of (a) string "John (the Man) Doe", (b) domain name john-doe.com,
and (c) URI <https://www.secure.john-doe.com:8080/>. The
storage locations recommended, in priority order, would bejohn-doe.com,www.secure.john-doe.com, andDoe.com.xy.Example 2: An X.509v3 certificate is issued to /CN=James
Hacker/L=Basingstoke/O=Widget Inc/C=GB/ with Subject Alternate
names of (a) domain name widget.foo.example, (b) IPv4 address
10.251.13.201, and (c) string "James Hacker
<hacker@mail.widget.foo.example>". The storage
locations recommended, in priority order, would bewidget.foo.example,201.13.251.10.in-addr.arpa, andhacker.mail.widget.foo.example.Due to the difficulty for clients that do not already possess a
certificate to reconstruct the content-based owner name,
purpose-based owner names are recommended in this section.
Recommendations for purpose-based owner names vary per scenario.
The following table summarizes the purpose-based X.509 CERT RR
owner name guidelines for use with S/MIME , SSL/TLS , and IPsec
:An alternate approach for IPsec is to store raw public keys
.OpenPGP signed keys (certificates) use a general character
string User ID . However, it is
recommended by OpenPGP that such names include the RFC 2822
email address of the party, as in
"Leslie Example <Leslie@host.example>". If such a format
is used, the CERT ought to be under the standard translation of
the email address into a domain name, which would be
leslie.host.example in this case. If no RFC 2822 name can be
extracted from the string name, no specific domain name is
recommended.If a user has more than one email address, the CNAME type can
be used to reduce the amount of data stored in the DNS. For
example:Applications that receive an OpenPGP packet containing
encrypted or signed data but do not know the email address of
the sender will have difficulties constructing the correct owner
name and cannot use the content-based owner name guidelines.
However, these clients commonly know the key fingerprint or the
Key ID. The key ID is found in OpenPGP packets, and the key
fingerprint is commonly found in auxiliary data that may be
available. In this case, use of an owner name identical to the
key fingerprint and the key ID expressed in hexadecimal
is recommended. For example:If the same key material is stored for several owner names, the
use of CNAME may help avoid data duplication. Note that CNAME
is not always applicable, because it maps one owner name to the
other for all purposes, which may be sub-optimal when two keys
with the same Key ID are stored.These types are stored under the same owner names, both
purpose- and content-based, as the PKIX, SPKI, PGP, and ACPKIX
types.The Domain Name System (DNS) protocol was designed for small
transfers, typically below 512 octets. While larger transfers
will perform correctly and work is underway to make larger
transfers more efficient, it is still advisable at this time that
every reasonable effort be made to minimize the size of
certificates stored within the DNS. Steps that can be taken may
include using the fewest possible optional or extension fields and
using short field values for necessary variable-length fields.The RDATA field in the DNS protocol may only hold data of size
65535 octets (64kb) or less. This means that each CERT RR MUST NOT
contain more than 64kb of payload, even if the corresponding
certificate or certificate revocation list is larger. This
document addresses this by defining "indirect" data types for each
normal type.Deploying CERT RRs to support digitally signed email changes the
access patterns of DNS lookups from per-domain to per-user. If
digitally signed email and a key/certificate lookup based on CERT
RRs are deployed on a wide scale, this may lead to an increased
DNS load, with potential performance and cache effectiveness
consequences. Whether or not this load increase will be
noticeable is not known.The majority of this document is copied verbatim from RFC 2538,
by Donald Eastlake 3rd and Olafur Gudmundsson.Thanks to David Shaw and Michael Graff for their contributions to
earlier works that motivated, and served as inspiration for, this
document.This document was improved by suggestions and comments from
Olivier Dubuisson, Scott Hollenbeck, Russ Housley, Peter Koch,
Olaf M. Kolkman, Ben Laurie, Edward Lewis, John Loughney, Allison
Mankin, Douglas Otis, Marcos Sanz, Pekka Savola, Jason Sloderbeck,
Samuel Weiler, Florian Weimer, and the IANA. No doubt the list is
incomplete. We apologize to anyone we left out.By definition, certificates contain their own authenticating
signatures. Thus, it is reasonable to store certificates in
non-secure DNS zones or to retrieve certificates from DNS with DNS
security checking not implemented or deferred for efficiency. The
results may be trusted if the certificate chain is verified back
to a known trusted key and this conforms with the user's security
policy.Alternatively, if certificates are retrieved from a secure DNS
zone with DNS security checking enabled and are verified by DNS
security, the key within the retrieved certificate may be trusted
without verifying the certificate chain if this conforms with the
user's security policy.If an organization chooses to issue certificates for its
employees, placing CERT RR's in the DNS by owner name, and if
DNSSEC (with NSEC) is in use, it is possible for someone to
enumerate all employees of the organization. This is usually not
considered desirable, for the same reason that enterprise phone
listings are not often publicly published and are even marked
confidential.Using the URI type introduces another level of indirection that
may open a new vulnerability. One method of securing that
indirection is to include a hash of the certificate in the URI
itself.If DNSSEC is used, then the non-existence of a CERT RR and,
consequently, certificates or revocation lists can be securely
asserted. Without DNSSEC, this is not possible.The IANA has created a new registry for CERT RR: certificate
types. The initial contents of this registry is:Certificate types 0x0000 through 0x00FF (255) and 0xFF00 (65280)
through 0xFFFF (65535) can only be assigned by an IETF standards
action . This document assigns 0x0001
through 0x0008 and 0x00FD (253) and 0x00FE (254). Certificate
types 0x0100 (256) through 0xFEFF (65279) are assigned through
IETF Consensus based on RFC
documentation of the certificate type. The availability of
private types under 0x00FD (253) and 0x00FE (254) ought to satisfy
most requirements for proprietary or private types.The CERT RR reuses the DNS Security Algorithm Numbers registry.
In particular, the CERT RR requires that algorithm number 0 remain
reserved, as described in Section 2. The IANA will reference the
CERT RR as a user of this registry and value 0, in particular.Editorial changes to conform with new document requirements,
including splitting reference section into two parts and
updating the references to point at latest versions, and to
add some additional references.Improve terminology. For example replace "PGP" with "OpenPGP",
to align with RFC 2440.In Section 2.1, clarify that OpenPGP public key data are
binary, not the ASCII armored format, and reference 10.1 in
RFC 2440 on how to deal with OpenPGP keys, and acknowledge
that implementations may handle additional packet types.Clarify that integers in the representation format are
decimal.Replace KEY/SIG with DNSKEY/RRSIG etc, to align with
DNSSECbis terminology. Improve reference for Key Tag
Algorithm calculations.Add examples that suggest use of CNAME to reduce bandwidth.In Section 3, appended the last paragraphs that discuss
"content-based" vs "purpose-based" owner names. Add Section
3.2 for purpose-based X.509 CERT owner names, and Section 3.4
for purpose-based OpenPGP CERT owner names.Added size considerations.The SPKI types has been reserved, until RFC 2692/2693 is
moved from the experimental status.Added indirect types IPKIX, ISPKI, IPGP, and IACPKIX.An IANA registry of CERT type values was created.Regarding the portion of this document that was written by Simon
Josefsson ("the author", for the remainder of this section), the
author makes no guarantees and is not responsible for any damage
resulting from its use. The author grants irrevocable permission
to anyone to use, modify, and distribute it in any way that does
not diminish the rights of anyone else to use, modify, and
distribute it, provided that redistributed derivative works do not
contain misleading author or version information. Derivative
works need not be licensed under similar terms.