rfc3645.txt

非常好的dns解析软件

  fields.  (Note that some INPUT and OUTPUT parameters not critical to
  this algorithm are not described in this example.)

     NAME = 789.client.example.com.server.example.com.
     RDATA
        Algorithm Name      = gss-tsig
        Mode                = 3 (GSS-API negotiation - per [RFC2930])
        Key Size            = size of output_token in octets
        Key Data            = output_token

  VIII.  Server receives a TKEY query

  When the server receives a TKEY query, the server verifies that Mode
  and Algorithm fields in the TKEY record in the Additional records
  section of the query are set to 3 and gss-tsig, respectively.  It
  finds that the key_name 789.client.example.com.server.example.com. is
  listed in its (key_name, context_handle) mapping table.









Kwan, et al.                Standards Track                    [Page 20]

RFC 3645                        GSS-TSIG                    October 2003


  IX.  Server calls GSS_Accept_sec_context

  To continue security context negotiation server calls
  GSS_Accept_sec_context with the following parameters (Note that some
  INPUT and OUTPUT parameters not critical for this algorithm are not
  described in this example)

   INPUTS
     CONTEXT HANDLE input_context_handle  = context_handle from the
           (789.client.example.com.server.example.com., context_handle)
           entry in the server's mapping table
     OCTET STRING   input_token           = token specified in the Key
           field of TKEY RR (from Additional records Section of
           the client's query)

  The OUTPUTS parameters returned by GSS_Accept_sec_context include
     INTEGER        major_status = GSS_S_COMPLETE
     CONTEXT_HANDLE output_context_handle = context_handle
     OCTET STRING   output_token = NULL

  Since major_status = GSS_S_COMPLETE, the security context on the
  server side is established, but the server still needs to respond to
  the client's TKEY query, as described below.  The security context
  state is advanced to Context Established.

  X.  Server responds to the TKEY query

  Since the major_status = GSS_S_COMPLETE in the last server's call to
  GSS_Accept_sec_context and the output_token is NULL, the server
  responds to the TKEY query placing in the answer section a TKEY record
  that was sent by the client in the Additional records section of the
  client's latest TKEY query.  In addition, this server places a
  TSIG record in additional records section of its response.  Server
  calls GSS_GetMIC to generate a signature to include it in the TSIG
  record.  The server specifies the following GSS_GetMIC INPUT
  parameters:

     CONTEXT HANDLE context_handle = context_handle from the
           (789.client.example.com.server.example.com., context_handle)
           entry in the server's mapping table
     OCTET STRING   message        = outgoing message plus TSIG
                                   variables (as described in [RFC2845])

  The OUTPUTS parameters returned by GSS_GetMIC include
     INTEGER        major_status = GSS_S_COMPLETE
     OCTET STRING   per_msg_token

  Signature field in the TSIG record is set to per_msg_token.



Kwan, et al.                Standards Track                    [Page 21]

RFC 3645                        GSS-TSIG                    October 2003


  XI.  Client processes token returned by server

  Client receives the TKEY query response from the server.  Since the
  major_status was GSS_S_COMPLETE in the last client's call to
  GSS_Init_sec_context, the client verifies that the server's response
  is signed.  To validate the signature, the client calls
  GSS_VerifyMIC with the following parameters:

   INPUTS
     CONTEXT HANDLE context_handle = context_handle for
                  789.client.example.com.server.example.com. key_name
     OCTET STRING   message        = incoming message plus TSIG
                                  variables (as described in [RFC2845])
     OCTET STRING   per_msg_token  = Signature field from TSIG RR
                  included in the server's query response

  Since the OUTPUTS parameter major_status = GSS_S_COMPLETE, the
  signature is validated, security negotiation is complete and the
  security context state is advanced to Context Established.  These
  client and server will use the established security context to sign
  and validate the signatures when they exchange packets with each
  other until the context expires.

7.  Security Considerations

   This document describes a protocol for DNS security using GSS-API.
   The security provided by this protocol is only as effective as the
   security provided by the underlying GSS mechanisms.

   All the security considerations from RFC 2845, RFC 2930 and RFC 2743
   apply to the protocol described in this document.

8.  IANA Considerations

   The IANA has reserved the TSIG Algorithm name gss-tsig for the use in
   the Algorithm fields of TKEY and TSIG resource records.  This
   Algorithm name refers to the algorithm described in this document.
   The requirement to have this name registered with IANA is specified
   in RFC 2845.

9.  Conformance

   The GSS API using SPNEGO [RFC2478] provides maximum flexibility to
   choose the underlying security mechanisms that enables security
   context negotiation.  GSS API using SPNEGO [RFC2478] enables client
   and server to negotiate and choose such underlying security
   mechanisms on the fly.  To support such flexibility, DNS clients and
   servers SHOULD specify SPNEGO mech_type in their GSS API calls.  At



Kwan, et al.                Standards Track                    [Page 22]

RFC 3645                        GSS-TSIG                    October 2003


   the same time, in order to guarantee interoperability between DNS
   clients and servers that support GSS-TSIG it is required that

   -  DNS servers specify SPNEGO mech_type
   -  GSS APIs called by DNS client support Kerberos v5
   -  GSS APIs called by DNS server support SPNEGO [RFC2478] and
      Kerberos v5.

   In addition to these, GSS APIs used by DNS client and server MAY also
   support other underlying security mechanisms.

10.  Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   intellectual property or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; neither does it represent that it
   has made any effort to identify any such rights.  Information on the
   IETF's procedures with respect to rights in standards-track and
   standards-related documentation can be found in BCP-11.  Copies of
   claims of rights made available for publication and any assurances of
   licenses to be made available, or the result of an attempt made to
   obtain a general license or permission for the use of such
   proprietary rights by implementors or users of this specification can
   be obtained from the IETF Secretariat.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights which may cover technology that may be required to practice
   this standard.  Please address the information to the IETF Executive
   Director.

11.  Acknowledgements

   The authors of this document would like to thank the following people
   for their contribution to this specification:  Chuck Chan, Mike
   Swift, Ram Viswanathan, Olafur Gudmundsson, Donald E. Eastlake, 3rd
   and Erik Nordmark.












Kwan, et al.                Standards Track                    [Page 23]

RFC 3645                        GSS-TSIG                    October 2003


12.  References

12.1.  Normative References

   [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
             Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2478] Baize, E. and D. Pinkas, "The Simple and Protected GSS-API
             Negotiation Mechanism", RFC 2478, December 1998.

   [RFC2743] Linn, J., "Generic Security Service Application Program
             Interface, Version 2 , Update 1", RFC 2743, January 2000.

   [RFC2845] Vixie, P., Gudmundsson, O., Eastlake 3rd, D. and B.
             Wellington, "Secret Key Transaction Authentication for DNS
             (TSIG)", RFC 2845, May 2000.

   [RFC2930] Eastlake 3rd, D., "Secret Key Establishment for DNS (TKEY
             RR)", RFC 2930, September 2000.

12.2.  Informative References


   [ISO11578] "Information technology", "Open Systems Interconnection",
              "Remote Procedure Call", ISO/IEC 11578:1996,
              http://www.iso.ch/cate/d2229.html.

   [RFC1034] Mockapetris, P., "Domain Names - Concepts and Facilities",
             STD 13, RFC 1034, November 1987.

   [RFC1035] Mockapetris, P., "Domain Names - Implementation and
             Specification", STD 13, RFC 1034, November 1987.

   [RFC1964] Linn, J., "The Kerberos Version 5 GSS-API Mechanism", RFC
             1964, June 1996.

   [RFC2025] Adams, C., "The Simple Public-Key GSS-API Mechanism
             (SPKM)", RFC 2025, October 1996.

   [RFC2137] Eastlake 3rd, D., "Secure Domain Name System Dynamic
             Update", RFC 2137, April 1997.

   [RFC2535] Eastlake 3rd, D., "Domain Name System Security Extensions",
             RFC 2535, March 1999.







Kwan, et al.                Standards Track                    [Page 24]

RFC 3645                        GSS-TSIG                    October 2003


13.  Authors' Addresses

   Stuart Kwan
   Microsoft Corporation
   One Microsoft Way
   Redmond, WA  98052
   USA
   EMail: skwan@microsoft.com

   Praerit Garg
   Microsoft Corporation
   One Microsoft Way
   Redmond, WA  98052
   USA
   EMail: praeritg@microsoft.com

   James Gilroy
   Microsoft Corporation
   One Microsoft Way
   Redmond, WA  98052
   USA
   EMail: jamesg@microsoft.com

   Levon Esibov
   Microsoft Corporation
   One Microsoft Way
   Redmond, WA  98052
   USA
   EMail: levone@microsoft.com

   Randy Hall
   Lucent Technologies
   400 Lapp Road
   Malvern PA 19355
   USA
   EMail: randyhall@lucent.com

   Jeff Westhead
   Microsoft Corporation
   One Microsoft Way
   Redmond, WA  98052
   USA
   EMail: jwesth@microsoft.com








Kwan, et al.                Standards Track                    [Page 25]

RFC 3645                        GSS-TSIG                    October 2003


14.  Full Copyright Statement

   Copyright (C) The Internet Society (2003).  All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works.  However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assignees.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgement

   Funding for the RFC Editor function is currently provided by the
   Internet Society.



















Kwan, et al.                Standards Track                    [Page 26]