summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc3645.txt
blob: 61266786a547bd9dc1ce18b0dfc8b17550fe7bc7 (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
Network Working Group                                            S. Kwan
Request for Comments: 3645                                       P. Garg
Updates: 2845                                                  J. Gilroy
Category: Standards Track                                      L. Esibov
                                                             J. Westhead
                                                         Microsoft Corp.
                                                                 R. Hall
                                                     Lucent Technologies
                                                            October 2003


                 Generic Security Service Algorithm for
        Secret Key Transaction Authentication for DNS (GSS-TSIG)

Status of this Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2003).  All Rights Reserved.

Abstract

   The Secret Key Transaction Authentication for DNS (TSIG) protocol
   provides transaction level authentication for DNS.  TSIG is
   extensible through the definition of new algorithms.  This document
   specifies an algorithm based on the Generic Security Service
   Application Program Interface (GSS-API) (RFC2743).  This document
   updates RFC 2845.

















Kwan, et al.                Standards Track                     [Page 1]
^L
RFC 3645                        GSS-TSIG                    October 2003


Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  2
   2.  Algorithm Overview . . . . . . . . . . . . . . . . . . . . . .  3
       2.1.  GSS Details. . . . . . . . . . . . . . . . . . . . . . .  4
       2.2.  Modifications to the TSIG protocol (RFC 2845). . . . . .  4
   3.  Client Protocol Details. . . . . . . . . . . . . . . . . . . .  5
       3.1.  Negotiating Context. . . . . . . . . . . . . . . . . . .  5
           3.1.1.  Call GSS_Init_sec_context. . . . . . . . . . . . .  6
           3.1.2.  Send TKEY Query to Server. . . . . . . . . . . . .  8
           3.1.3.  Receive TKEY Query-Response from Server. . . . . .  8
       3.2.  Context Established. . . . . . . . . . . . . . . . . . . 11
           3.2.1.  Terminating a Context. . . . . . . . . . . . . . . 11
   4.  Server Protocol Details. . . . . . . . . . . . . . . . . . . . 12
       4.1.  Negotiating Context. . . . . . . . . . . . . . . . . . . 12
           4.1.1.  Receive TKEY Query from Client . . . . . . . . . . 12
           4.1.2.  Call GSS_Accept_sec_context. . . . . . . . . . . . 12
           4.1.3.  Send TKEY Query-Response to Client . . . . . . . . 13
       4.2.  Context Established. . . . . . . . . . . . . . . . . . . 15
           4.2.1.  Terminating a Context. . . . . . . . . . . . . . . 15
   5.  Sending and Verifying Signed Messages. . . . . . . . . . . . . 15
       5.1.  Sending a Signed Message - Call GSS_GetMIC . . . . . . . 15
       5.2.  Verifying a Signed Message - Call GSS_VerifyMIC. . . . . 16
   6.  Example usage of GSS-TSIG algorithm. . . . . . . . . . . . . . 18
   7.  Security Considerations. . . . . . . . . . . . . . . . . . . . 22
   8.  IANA Considerations. . . . . . . . . . . . . . . . . . . . . . 22
   9.  Conformance. . . . . . . . . . . . . . . . . . . . . . . . . . 22
   10. Intellectual Property Statement. . . . . . . . . . . . . . . . 23
   11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 23
   12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 24
       12.1.  Normative References. . . . . . . . . . . . . . . . . . 24
       12.2.  Informative References. . . . . . . . . . . . . . . . . 24
   13. Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 25
   14. Full Copyright Statement . . . . . . . . . . . . . . . . . . . 26

1.  Introduction

   The Secret Key Transaction Authentication for DNS (TSIG) [RFC2845]
   protocol was developed to provide a lightweight authentication and
   integrity of messages between two DNS entities, such as client and
   server or server and server.  TSIG can be used to protect dynamic
   update messages, authenticate regular message or to off-load
   complicated DNSSEC [RFC2535] processing from a client to a server and
   still allow the client to be assured of the integrity of the answers.







Kwan, et al.                Standards Track                     [Page 2]
^L
RFC 3645                        GSS-TSIG                    October 2003


   The TSIG protocol [RFC2845] is extensible through the definition of
   new algorithms.  This document specifies an algorithm based on the
   Generic Security Service Application Program Interface (GSS-API)
   [RFC2743].  GSS-API is a framework that provides an abstraction of
   security to the application protocol developer.  The security
   services offered can include authentication, integrity, and
   confidentiality.

   The GSS-API framework has several benefits:

   *  Mechanism and protocol independence.  The underlying mechanisms
      that realize the security services can be negotiated on the fly
      and varied over time.  For example, a client and server MAY use
      Kerberos [RFC1964] for one transaction, whereas that same server
      MAY use SPKM [RFC2025] with a different client.

   *  The protocol developer is removed from the responsibility of
      creating and managing a security infrastructure.  For example, the
      developer does not need to create new key distribution or key
      management systems.  Instead the developer relies on the security
      service mechanism to manage this on its behalf.

   The scope of this document is limited to the description of an
   authentication mechanism only.  It does not discuss and/or propose an
   authorization mechanism.  Readers that are unfamiliar with GSS-API
   concepts are encouraged to read the characteristics and concepts
   section of [RFC2743] before examining this protocol in detail.  It is
   also assumed that the reader is familiar with [RFC2845], [RFC2930],
   [RFC1034] and [RFC1035].

   The key words "MUST", "MUST NOT", "REQUIRED", "SHOULD", "SHOULD NOT",
   "RECOMMENDED", and "MAY" in this document are to be interpreted as
   described in BCP 14, RFC 2119 [RFC2119].

2.  Algorithm Overview

   In GSS, client and server interact to create a "security context".
   The security context can be used to create and verify transaction
   signatures on messages between the two parties.  A unique security
   context is required for each unique connection between client and
   server.

   Creating a security context involves a negotiation between client and
   server.  Once a context has been established, it has a finite
   lifetime for which it can be used to secure messages.  Thus there are
   three states of a context associated with a connection:





Kwan, et al.                Standards Track                     [Page 3]
^L
RFC 3645                        GSS-TSIG                    October 2003


                              +----------+
                              |          |
                              V          |
                      +---------------+  |
                      | Uninitialized |  |
                      |               |  |
                      +---------------+  |
                              |          |
                              V          |
                      +---------------+  |
                      | Negotiating   |  |
                      | Context       |  |
                      +---------------+  |
                              |          |
                              V          |
                      +---------------+  |
                      | Context       |  |
                      | Established   |  |
                      +---------------+  |
                              |          |
                              +----------+

   Every connection begins in the uninitialized state.

2.1.  GSS Details

   Client and server MUST be locally authenticated and have acquired
   default credentials before using this protocol as specified in
   Section 1.1.1 "Credentials" in RFC 2743 [RFC2743].

   The GSS-TSIG algorithm consists of two stages:

   I.  Establish security context.  The Client and Server use the
       GSS_Init_sec_context and GSS_Accept_sec_context APIs to generate
       the tokens that they pass to each other using [RFC2930] as a
       transport mechanism.

   II. Once the security context is established it is used to generate
       and verify signatures using GSS_GetMIC and GSS_VerifyMIC APIs.
       These signatures are exchanged by the Client and Server as a part
       of the TSIG records exchanged in DNS messages sent between the
       Client and Server, as described in [RFC2845].

2.2.  Modifications to the TSIG protocol (RFC 2845)

   Modification to RFC 2845 allows use of TSIG through signing server's
   response in an explicitly specified place in multi message exchange
   between two DNS entities even if client's request wasn't signed.



Kwan, et al.                Standards Track                     [Page 4]
^L
RFC 3645                        GSS-TSIG                    October 2003


   Specifically, Section 4.2 of RFC 2845 MUST be modified as follows:

   Replace:
      "The server MUST not generate a signed response to an unsigned
      request."

   With:
      "The server MUST not generate a signed response to an unsigned
      request, except in case of response to client's unsigned TKEY
      query if secret key is established on server side after server
      processed client's query.  Signing responses to unsigned TKEY
      queries MUST be explicitly specified in the description of an
      individual secret key establishment algorithm."

3.  Client Protocol Details

   A unique context is required for each server to which the client
   sends secure messages.  A context is identified by a context handle.
   A client maintains a mapping of servers to handles:

      (target_name, key_name, context_handle)

   The value key_name also identifies a context handle.  The key_name is
   the owner name of the TKEY and TSIG records sent between a client and
   a server to indicate to each other which context MUST be used to
   process the current request.

   DNS client and server MAY use various underlying security mechanisms
   to establish security context as described in sections 3 and 4.  At
   the same time, in order to guarantee interoperability between DNS
   clients and servers that support GSS-TSIG it is REQUIRED that
   security mechanism used by client enables use of Kerberos v5 (see
   Section 9 for more information).

3.1.  Negotiating Context

   In GSS, establishing a security context involves the passing of
   opaque tokens between the client and the server.  The client
   generates the initial token and sends it to the server.  The server
   processes the token and if necessary, returns a subsequent token to
   the client.  The client processes this token, and so on, until the
   negotiation is complete.  The number of times the client and server
   exchange tokens depends on the underlying security mechanism.  A
   completed negotiation results in a context handle.







Kwan, et al.                Standards Track                     [Page 5]
^L
RFC 3645                        GSS-TSIG                    October 2003


   The TKEY resource record [RFC2930] is used as the vehicle to transfer
   tokens between client and server.  The TKEY record is a general
   mechanism for establishing secret keys for use with TSIG.  For more
   information, see [RFC2930].

3.1.1.  Call GSS_Init_sec_context

   To obtain the first token to be sent to a server, a client MUST call
   GSS_Init_sec_context API.

   The following input parameters MUST be used.  The outcome of the call
   is indicated with the output values below.  Consult Sections 2.2.1,
   "GSS_Init_sec_context call", of [RFC2743] for syntax definitions.

   INPUTS
     CREDENTIAL HANDLE claimant_cred_handle = NULL (NULL specifies "use
         default").  Client MAY instead specify some other valid
         handle to its credentials.
     CONTEXT HANDLE input_context_handle  = 0
     INTERNAL NAME  targ_name             = "DNS@<target_server_name>"
     OBJECT IDENTIFIER mech_type          = Underlying security
         mechanism chosen by implementers.  To guarantee
         interoperability of the implementations of the GSS-TSIG
         mechanism client MUST specify a valid underlying security
         mechanism that enables use of Kerberos v5 (see Section 9 for
         more information).
     OCTET STRING   input_token           = NULL
     BOOLEAN        replay_det_req_flag   = TRUE
     BOOLEAN        mutual_req_flag       = TRUE
     BOOLEAN        deleg_req_flag        = TRUE
     BOOLEAN        sequence_req_flag     = TRUE
     BOOLEAN        anon_req_flag         = FALSE
     BOOLEAN        integ_req_flag        = TRUE
     INTEGER        lifetime_req          = 0 (0 requests a default
         value).  Client MAY instead specify another upper bound for the
         lifetime of the context to be established in seconds.
     OCTET STRING   chan_bindings         = Any valid channel bindings
         as specified in Section 1.1.6 "Channel Bindings" in [RFC2743]

   OUTPUTS
     INTEGER        major_status
     CONTEXT HANDLE output_context_handle
     OCTET STRING   output_token
     BOOLEAN        replay_det_state
     BOOLEAN        mutual_state
     INTEGER        minor_status
     OBJECT IDENTIFIER mech_type
     BOOLEAN        deleg_state



Kwan, et al.                Standards Track                     [Page 6]
^L
RFC 3645                        GSS-TSIG                    October 2003


     BOOLEAN        sequence_state
     BOOLEAN        anon_state
     BOOLEAN        trans_state
     BOOLEAN        prot_ready_state
     BOOLEAN        conf_avail
     BOOLEAN        integ_avail
     INTEGER        lifetime_rec

   If returned major_status is set to one of the following errors:

     GSS_S_DEFECTIVE_TOKEN
     GSS_S_DEFECTIVE_CREDENTIAL
     GSS_S_BAD_SIG (GSS_S_BAD_MIC)
     GSS_S_NO_CRED
     GSS_S_CREDENTIALS_EXPIRED
     GSS_S_BAD_BINDINGS
     GSS_S_OLD_TOKEN
     GSS_S_DUPLICATE_TOKEN
     GSS_S_NO_CONTEXT
     GSS_S_BAD_NAMETYPE
     GSS_S_BAD_NAME
     GSS_S_BAD_MECH
     GSS_S_FAILURE

   then the client MUST abandon the algorithm and MUST NOT use the GSS-
   TSIG algorithm to establish this security context.  This document
   does not prescribe which other mechanism could be used to establish a
   security context.  Next time when this client needs to establish
   security context, the client MAY use GSS-TSIG algorithm.

   Success values of major_status are GSS_S_CONTINUE_NEEDED and
   GSS_S_COMPLETE.  The exact success code is important during later
   processing.

   The values of replay_det_state and mutual_state indicate if the
   security package provides replay detection and mutual authentication,
   respectively.  If returned major_status is GSS_S_COMPLETE AND one or
   both of these values are FALSE, the client MUST abandon this
   algorithm.

   Client's behavior MAY depend on other OUTPUT parameters according to
   the policy local to the client.

   The handle output_context_handle is unique to this negotiation and is
   stored in the client's mapping table as the context_handle that maps
   to target_name.





Kwan, et al.                Standards Track                     [Page 7]
^L
RFC 3645                        GSS-TSIG                    October 2003


3.1.2.  Send TKEY Query to Server

   An opaque output_token returned by GSS_Init_sec_context is
   transmitted to the server in a query request with QTYPE=TKEY.  The
   token itself will be placed in a Key Data field of the RDATA field in
   the TKEY resource record in the additional records section of the
   query.  The owner name of the TKEY resource record set queried for
   and the owner name of the supplied TKEY resource record in the
   additional records section MUST be the same.  This name uniquely
   identifies the security context to both the client and server, and
   thus the client SHOULD use a value which is globally unique as
   described in [RFC2930].  To achieve global uniqueness, the name MAY
   contain a UUID/GUID [ISO11578].

      TKEY Record
        NAME = client-generated globally unique domain name string
               (as described in [RFC2930])
        RDATA
           Algorithm Name      = gss-tsig
           Mode                = 3 (GSS-API negotiation - per [RFC2930])
           Key Size            = size of output_token in octets
           Key Data            = output_token

   The remaining fields in the TKEY RDATA, i.e., Inception, Expiration,
   Error, Other Size and Data Fields, MUST be set according to
   [RFC2930].

   The query is transmitted to the server.

   Note: if the original client call to GSS_Init_sec_context returned
   any major_status other than GSS_S_CONTINUE_NEEDED or GSS_S_COMPLETE,
   then the client MUST NOT send TKEY query.  Client's behavior in this
   case is described above in Section 3.1.1.

3.1.3.  Receive TKEY Query-Response from Server

   Upon the reception of the TKEY query the DNS server MUST respond
   according to the description in Section 4.  This section specifies
   the behavior of the client after it receives the matching response to
   its query.

   The next processing step depends on the value of major_status from
   the most recent call that client performed to GSS_Init_sec_context:
   either GSS_S_COMPLETE or GSS_S_CONTINUE.







Kwan, et al.                Standards Track                     [Page 8]
^L
RFC 3645                        GSS-TSIG                    October 2003


3.1.3.1.  Value of major_status == GSS_S_COMPLETE

   If the last call to GSS_Init_sec_context yielded a major_status value
   of GSS_S_COMPLETE and a non-NULL output_token was sent to the server,
   then the client side component of the negotiation is complete and the
   client is awaiting confirmation from the server.

   Confirmation is in the form of a query response with RCODE=NOERROR
   and with the last client supplied TKEY record in the answer section
   of the query.  The response MUST be signed with a TSIG record.  Note
   that the server is allowed to sign a response to unsigned client's
   query due to modification to the RFC 2845 specified in Section 2.2
   above.  The signature in the TSIG record MUST be verified using the
   procedure detailed in section 5, Sending and Verifying Signed
   Messages.  If the response is not signed, OR if the response is
   signed but the signature is invalid, then an attacker has tampered
   with the message in transit or has attempted to send the client a
   false response.  In this case, the client MAY continue waiting for a
   response to its last TKEY query until the time period since the
   client sent last TKEY query expires.  Such a time period is specified
   by the policy local to the client.  This is a new option that allows
   the DNS client to accept multiple answers for one query ID and select
   one (not necessarily the first one) based on some criteria.

   If the signature is verified, the context state is advanced to
   Context Established.  Proceed to section 3.2 for usage of the
   security context.

3.1.3.2.  Value of major_status == GSS_S_CONTINUE_NEEDED

   If the last call to GSS_Init_sec_context yielded a major_status value
   of GSS_S_CONTINUE_NEEDED, then the negotiation is not yet complete.
   The server will return to the client a query response with a TKEY
   record in the Answer section.  If the DNS message error is not
   NO_ERROR or error field in the TKEY record is not 0 (i.e., no error),
   then the client MUST abandon this negotiation sequence.  The client
   MUST delete an active context by calling GSS_Delete_sec_context
   providing the associated context_handle.  The client MAY repeat the
   negotiation sequence starting with the uninitialized state as
   described in section 3.1.  To prevent infinite looping the number of
   attempts to establish a security context MUST be limited to ten or
   less.

   If the DNS message error is NO_ERROR and the error field in the TKEY
   record is 0 (i.e., no error), then the client MUST pass a token
   specified in the Key Data field in the TKEY resource record to





Kwan, et al.                Standards Track                     [Page 9]
^L
RFC 3645                        GSS-TSIG                    October 2003


   GSS_Init_sec_context using the same parameters values as in previous
   call except values for CONTEXT HANDLE input_context_handle and OCTET
   STRING input_token as described below:

   INPUTS
     CONTEXT HANDLE input_context_handle  = context_handle (this is the
          context_handle corresponding to the key_name which is the
          owner name of the TKEY record in the answer section in the
          TKEY query response)

     OCTET STRING   input_token           = token from Key field of
                                            TKEY record

   Depending on the following OUTPUT values of GSS_Init_sec_context

        INTEGER        major_status
        OCTET STRING   output_token

   the client MUST take one of the following actions:

   If OUTPUT major_status is set to one of the following values:

        GSS_S_DEFECTIVE_TOKEN
        GSS_S_DEFECTIVE_CREDENTIAL
        GSS_S_BAD_SIG (GSS_S_BAD_MIC)
        GSS_S_NO_CRED
        GSS_S_CREDENTIALS_EXPIRED
        GSS_S_BAD_BINDINGS
        GSS_S_OLD_TOKEN
        GSS_S_DUPLICATE_TOKEN
        GSS_S_NO_CONTEXT
        GSS_S_BAD_NAMETYPE
        GSS_S_BAD_NAME
        GSS_S_BAD_MECH
        GSS_S_FAILURE

   the client MUST abandon this negotiation sequence.  This means that
   the client MUST delete an active context by calling
   GSS_Delete_sec_context providing the associated context_handle.  The
   client MAY repeat the negotiation sequence starting with the
   uninitialized state as described in section 3.1.  To prevent infinite
   looping the number of attempts to establish a security context MUST
   be limited to ten or less.

   If OUTPUT major_status is GSS_S_CONTINUE_NEEDED OR GSS_S_COMPLETE
   then client MUST act as described below.





Kwan, et al.                Standards Track                    [Page 10]
^L
RFC 3645                        GSS-TSIG                    October 2003


   If the response from the server was signed, and the OUTPUT
   major_status is GSS_S_COMPLETE,then the signature in the TSIG record
   MUST be verified using the procedure detailed in section 5, Sending
   and Verifying Signed Messages.  If the signature is invalid, then the
   client MUST abandon this negotiation sequence.  This means that the
   client MUST delete an active context by calling
   GSS_Delete_sec_context providing the associated context_handle.  The
   client MAY repeat the negotiation sequence starting with the
   uninitialized state as described in section 3.1.  To prevent infinite
   looping the number of attempts to establish a security context MUST
   be limited to ten or less.

   If major_status is GSS_S_CONTINUE_NEEDED the negotiation is not yet
   finished.  The token output_token MUST be passed to the server in a
   TKEY record by repeating the negotiation sequence beginning with
   section 3.1.2.  The client MUST place a limit on the number of
   continuations in a context negotiation to prevent endless looping.
   Such limit SHOULD NOT exceed value of 10.

   If major_status is GSS_S_COMPLETE and output_token is non-NULL, the
   client-side component of the negotiation is complete but the token
   output_token MUST be passed to the server by repeating the
   negotiation sequence beginning with section 3.1.2.

   If major_status is GSS_S_COMPLETE and output_token is NULL, context
   negotiation is complete.  The context state is advanced to Context
   Established.  Proceed to section 3.2 for usage of the security
   context.

3.2.  Context Established

   When context negotiation is complete, the handle context_handle MUST
   be used for the generation and verification of transaction
   signatures.

   The procedures for sending and receiving signed messages are
   described in section 5, Sending and Verifying Signed Messages.

3.2.1.  Terminating a Context

   When the client is not intended to continue using the established
   security context, the client SHOULD delete an active context by
   calling GSS_Delete_sec_context providing the associated
   context_handle, AND client SHOULD delete the established context on
   the DNS server by using TKEY RR with the Mode field set to 5, i.e.,
   "key deletion" [RFC2930].





Kwan, et al.                Standards Track                    [Page 11]
^L
RFC 3645                        GSS-TSIG                    October 2003


4.  Server Protocol Details

   As on the client-side, the result of a successful context negotiation
   is a context handle used in future generation and verification of the
   transaction signatures.

   A server MAY be managing several contexts with several clients.
   Clients identify their contexts by providing a key name in their
   request.  The server maintains a mapping of key names to handles:

      (key_name, context_handle)

4.1.  Negotiating Context

   A server MUST recognize TKEY queries as security context negotiation
   messages.

4.1.1.  Receive TKEY Query from Client

   Upon receiving a query with QTYPE = TKEY, the server MUST examine
   whether the Mode and Algorithm Name fields of the TKEY record in the
   additional records section of the message contain values of 3 and
   gss-tsig, respectively.  If they do, then the (key_name,
   context_handle) mapping table is searched for the key_name matching
   the owner name of the TKEY record in the additional records section
   of the query.  If the name is found in the table and the security
   context for this name is established and not expired, then the server
   MUST respond to the query with BADNAME error in the TKEY error field.
   If the name is found in the table and the security context is not
   established, the corresponding context_handle is used in subsequent
   GSS operations.  If the name is found but the security context is
   expired, then the server deletes this security context, as described
   in Section 4.2.1, and interprets this query as a start of new
   security context negotiation and performs operations described in
   Section 4.1.2 and 4.1.3.  If the name is not found, then the server
   interprets this query as a start of new security context negotiation
   and performs operations described in Section 4.1.2 and 4.1.3.

4.1.2.  Call GSS_Accept_sec_context

   The server performs its side of a context negotiation by calling
   GSS_Accept_sec_context.  The following input parameters MUST be used.
   The outcome of the call is indicated with the output values below.
   Consult Sections 2.2.2 "GSS_Accept_sec_context call" of the RFC 2743
   [RFC2743] for syntax definitions.






Kwan, et al.                Standards Track                    [Page 12]
^L
RFC 3645                        GSS-TSIG                    October 2003


   INPUTS
     CONTEXT HANDLE input_context_handle  = 0 if new negotiation,
                                            context_handle matching
                                         key_name if ongoing negotiation
     OCTET STRING   input_token           = token specified in the Key
           field from TKEY RR (from Additional records Section of
           the client's query)

     CREDENTIAL HANDLE acceptor_cred_handle = NULL (NULL specifies "use
           default").  Server MAY instead specify some other valid
           handle to its credentials.
     OCTET STRING   chan_bindings          = Any valid channel bindings
           as specified in Section 1.1.6 "Channel Bindings" in [RFC2743]

   OUTPUTS
     INTEGER        major_status
     CONTEXT_HANDLE output_context_handle
     OCTET STRING   output_token
     INTEGER        minor_status
     INTERNAL NAME  src_name
     OBJECT IDENTIFIER  mech_type
     BOOLEAN        deleg_state
     BOOLEAN        mutual_state
     BOOLEAN        replay_det_state
     BOOLEAN        sequence_state
     BOOLEAN        anon_state
     BOOLEAN        trans_state
     BOOLEAN        prot_ready_state
     BOOLEAN        conf_avail
     BOOLEAN        integ_avail
     INTEGER        lifetime_rec
     CONTEXT_HANDLE delegated_cred_handle

   If this is the first call to GSS_Accept_sec_context in a new
   negotiation, then output_context_handle is stored in the server's
   key-mapping table as the context_handle that maps to the name of the
   TKEY record.

4.1.3.  Send TKEY Query-Response to Client

   The server MUST respond to the client with a TKEY query response with
   RCODE = NOERROR, that contains a TKEY record in the answer section.

   If OUTPUT major_status is one of the following errors the error field
   in the TKEY record set to BADKEY.






Kwan, et al.                Standards Track                    [Page 13]
^L
RFC 3645                        GSS-TSIG                    October 2003


        GSS_S_DEFECTIVE_TOKEN
        GSS_S_DEFECTIVE_CREDENTIAL
        GSS_S_BAD_SIG (GSS_S_BAD_MIC)
        GSS_S_DUPLICATE_TOKEN
        GSS_S_OLD_TOKEN
        GSS_S_NO_CRED
        GSS_S_CREDENTIALS_EXPIRED
        GSS_S_BAD_BINDINGS
        GSS_S_NO_CONTEXT
        GSS_S_BAD_MECH
        GSS_S_FAILURE

   If OUTPUT major_status is set to  GSS_S_COMPLETE or
   GSS_S_CONTINUE_NEEDED then server MUST act as described below.

   If major_status is GSS_S_COMPLETE the server component of the
   negotiation is finished.  If output_token is non-NULL, then it MUST
   be returned to the client in a Key Data field of the RDATA in TKEY.
   The error field in the TKEY record is set to NOERROR.  The message
   MUST be signed with a TSIG record as described in section 5, Sending
   and Verifying Signed Messages.  Note that server is allowed to sign a
   response to unsigned client's query due to modification to the RFC
   2845 specified in Section 2.2 above.  The context state is advanced
   to Context Established.  Section 4.2 discusses the usage of the
   security context.

   If major_status is GSS_S_COMPLETE and output_token is NULL, then the
   TKEY record received from the client MUST be returned in the Answer
   section of the response.  The message MUST be signed with a TSIG
   record as described in section 5, Sending and Verifying Signed
   Messages.  Note that server is allowed to sign a response to unsigned
   client's query due to modification to the RFC 2845 specified in
   section 2.2 above.  The context state is advanced to Context
   Established.  Section 4.2 discusses the usage of the security
   context.

   If major_status is GSS_S_CONTINUE_NEEDED, the server component of the
   negotiation is not yet finished.  The server responds to the TKEY
   query with a standard query response, placing in the answer section a
   TKEY record containing output_token in the Key Data RDATA field.  The
   error field in the TKEY record is set to NOERROR.  The server MUST
   limit the number of times that a given context is allowed to repeat,
   to prevent endless looping.  Such limit SHOULD NOT exceed value of
   10.







Kwan, et al.                Standards Track                    [Page 14]
^L
RFC 3645                        GSS-TSIG                    October 2003


   In all cases, except if major_status is GSS_S_COMPLETE and
   output_token is NULL, other TKEY record fields MUST contain the
   following values:

        NAME = key_name
        RDATA
           Algorithm Name      = gss-tsig
           Mode                = 3 (GSS-API negotiation - per [RFC2930])
           Key Size            = size of output_token in octets

   The remaining fields in the TKEY RDATA, i.e., Inception, Expiration,
   Error, Other Size and Data Fields, MUST be set according to
   [RFC2930].

4.2.  Context Established

   When context negotiation is complete, the handle context_handle is
   used for the generation and verification of transaction signatures.
   The handle is valid for a finite amount of time determined by the
   underlying security mechanism.  A server MAY unilaterally terminate a
   context at any time (see section 4.2.1).

   Server SHOULD limit the amount of memory used to cache established
   contexts.

   The procedures for sending and receiving signed messages are given in
   section 5, Sending and Verifying Signed Messages.

4.2.1.  Terminating a Context

   A server can terminate any established context at any time.  The
   server MAY hint to the client that the context is being deleted by
   including a TKEY RR in a response with the Mode field set to 5, i.e.,
   "key deletion" [RFC2930].  An active context is deleted by calling
   GSS_Delete_sec_context providing the associated context_handle.

5.  Sending and Verifying Signed Messages

5.1.  Sending a Signed Message - Call GSS_GetMIC

   The procedure for sending a signature-protected message is specified
   in [RFC2845].  The data to be passed to the signature routine
   includes the whole DNS message with specific TSIG variables appended.
   For the exact format, see [RFC2845].  For this protocol, use the
   following TSIG variable values:






Kwan, et al.                Standards Track                    [Page 15]
^L
RFC 3645                        GSS-TSIG                    October 2003


      TSIG Record
        NAME = key_name that identifies this context
        RDATA
           Algorithm Name = gss-tsig

   Assign the remaining fields in the TSIG RDATA appropriate values as
   described in [RFC2845].

   The signature is generated by calling GSS_GetMIC.  The following
   input parameters MUST be used.  The outcome of the call is indicated
   with the output values specified below.  Consult Sections 2.3.1
   "GSS_GetMIC call" of the RFC 2743[RFC2743] for syntax definitions.

   INPUTS
     CONTEXT HANDLE context_handle = context_handle for key_name
     OCTET STRING   message        = outgoing message plus TSIG
                                     variables (per [RFC2845])
     INTEGER qop_req               = 0 (0 requests a default
         value).  Caller MAY instead specify other valid value (for
         details see Section 1.2.4 in [RFC2743])

   OUTPUTS
     INTEGER        major_status
     INTEGER        minor_status
     OCTET STRING   per_msg_token

   If major_status is GSS_S_COMPLETE, then signature generation
   succeeded.  The signature in per_msg_token is inserted into the
   Signature field of the TSIG RR and the message is transmitted.

   If major_status is GSS_S_CONTEXT_EXPIRED, GSS_S_CREDENTIALS_EXPIRED
   or GSS_S_FAILURE the caller MUST delete the security context, return
   to the uninitialized state and SHOULD negotiate a new security
   context, as described above in Section 3.1

   If major_status is GSS_S_NO_CONTEXT, the caller MUST remove the entry
   for key_name from the (target_ name, key_name, context_handle)
   mapping table, return to the uninitialized state and SHOULD negotiate
   a new security context, as described above in Section 3.1

   If major_status is GSS_S_BAD_QOP, the caller SHOULD repeat the
   GSS_GetMIC call with allowed QOP value.  The number of such
   repetitions MUST be limited to prevent infinite loops.

5.2.  Verifying a Signed Message - Call GSS_VerifyMIC

   The procedure for verifying a signature-protected message is
   specified in [RFC2845].



Kwan, et al.                Standards Track                    [Page 16]
^L
RFC 3645                        GSS-TSIG                    October 2003


   The NAME of the TSIG record determines which context_handle maps to
   the context that MUST be used to verify the signature.  If the NAME
   does not map to an established context, the server MUST send a
   standard TSIG error response to the client indicating BADKEY in the
   TSIG error field (as described in [RFC2845]).

   For the GSS algorithm, a signature is verified by using
   GSS_VerifyMIC:

   INPUTS
     CONTEXT HANDLE context_handle = context_handle for key_name
     OCTET STRING   message        = incoming message plus TSIG
                                     variables (per [RFC2845])
     OCTET STRING   per_msg_token  = Signature field from TSIG RR

   OUTPUTS
     INTEGER        major_status
     INTEGER        minor_status
     INTEGER        qop_state

   If major_status is GSS_S_COMPLETE, the signature is authentic and the
   message was delivered intact.  Per [RFC2845], the timer values of the
   TSIG record MUST also be valid before considering the message to be
   authentic.  The caller MUST not act on the request or response in the
   message until these checks are verified.

   When a server is processing a client request, the server MUST send a
   standard TSIG error response to the client indicating BADKEY in the
   TSIG error field as described in [RFC2845], if major_status is set to
   one of the following values

        GSS_S_DEFECTIVE_TOKEN
        GSS_S_BAD_SIG (GSS_S_BAD_MIC)
        GSS_S_DUPLICATE_TOKEN
        GSS_S_OLD_TOKEN
        GSS_S_UNSEQ_TOKEN
        GSS_S_GAP_TOKEN
        GSS_S_CONTEXT_EXPIRED
        GSS_S_NO_CONTEXT
        GSS_S_FAILURE

   If the timer values of the TSIG record are invalid, the message MUST
   NOT be considered authentic.  If this error checking fails when a
   server is processing a client request, the appropriate error response
   MUST be sent to the client according to [RFC2845].






Kwan, et al.                Standards Track                    [Page 17]
^L
RFC 3645                        GSS-TSIG                    October 2003


6.  Example usage of GSS-TSIG algorithm

   This Section describes an example where a Client, client.example.com,
   and a Server, server.example.com, establish a security context
   according to the algorithm described above.

  I.  Client initializes security context negotiation

  To establish a security context with a server, server.example.com, the
  Client calls GSS_Init_sec_context with the following parameters.
  (Note that some INPUT and OUTPUT parameters not critical for this
  algorithm are not described in this example.)

     CONTEXT HANDLE input_context_handle  = 0
     INTERNAL NAME  targ_name             = "DNS@server.example.com"
     OCTET STRING   input_token           = NULL
     BOOLEAN        replay_det_req_flag   = TRUE
     BOOLEAN        mutual_req_flag       = TRUE

  The OUTPUTS parameters returned by GSS_Init_sec_context include
     INTEGER        major_status = GSS_S_CONTINUE_NEEDED
     CONTEXT HANDLE output_context_handle context_handle
     OCTET STRING   output_token output_token
     BOOLEAN        replay_det_state = TRUE
     BOOLEAN        mutual_state = TRUE

  Client verifies that replay_det_state and mutual_state values are
  TRUE.  Since the major_status is GSS_S_CONTINUE_NEEDED, which is a
  success OUTPUT major_status value, client stores context_handle that
  maps to "DNS@server.example.com" and proceeds to the next step.

  II.  Client sends a query with QTYPE = TKEY to server

  Client sends a query with QTYPE = TKEY for a client-generated globally
  unique domain name string, 789.client.example.com.server.example.com.
  Query contains a TKEY record in its Additional records section with
  the following fields.  (Note that some fields not specific to this
  algorithm are not specified.)

     NAME = 789.client.example.com.server.example.com.
     RDATA
        Algorithm Name      = gss-tsig
        Mode                = 3 (GSS-API negotiation - per [RFC2930])
        Key Size            = size of output_token in octets
        Key Data            = output_token






Kwan, et al.                Standards Track                    [Page 18]
^L
RFC 3645                        GSS-TSIG                    October 2003


  After the key_name 789.client.example.com.server.example.com.
  is generated it is stored in the client's (target_name, key_name,
  context_handle) mapping table.

  III.  Server receives a query with QTYPE = TKEY

  When server receives a query with QTYPE = TKEY, the server verifies
  that Mode and Algorithm fields in the TKEY record in the Additional
  records section of the query are set to 3 and "gss-tsig" respectively.
  It finds that the key_name 789.client.example.com.server.example.com.
  is not listed in its (key_name, context_handle) mapping table.

  IV.  Server calls GSS_Accept_sec_context

  To continue security context negotiation server calls
  GSS_Accept_sec_context with the following parameters.  (Note that
  some INPUT and OUTPUT parameters not critical for this algorithm
  are not described in this example.)

   INPUTS
     CONTEXT HANDLE input_context_handle  = 0
     OCTET STRING   input_token           = token specified in the Key
                              field from TKEY RR (from Additional
                              records section of the client's query)

  The OUTPUTS parameters returned by GSS_Accept_sec_context include
     INTEGER        major_status = GSS_S_CONTINUE_NEEDED
     CONTEXT_HANDLE output_context_handle context_handle
     OCTET STRING   output_token output_token

  Server stores the mapping of the
  789.client.example.com.server.example.com. to OUTPUT context_handle
  in its (key_name, context_handle) mapping table.

  V.  Server responds to the TKEY query

  Since the major_status = GSS_S_CONTINUE_NEEDED in the last server's
  call to GSS_Accept_sec_context, the server responds to the TKEY query
  placing in the answer section a TKEY record containing output_token in
  the Key Data RDATA field.  The error field in the TKEY record is set
  to 0.  The RCODE in the query response is set to NOERROR.

  VI.  Client processes token returned by server

  When the client receives the TKEY query response from the server, the
  client calls GSS_Init_sec_context with the following parameters.
  (Note that some INPUT and OUTPUT parameters not critical for this
  algorithm are not described in this example.)



Kwan, et al.                Standards Track                    [Page 19]
^L
RFC 3645                        GSS-TSIG                    October 2003


     CONTEXT HANDLE input_context_handle  = the context_handle stored
          in the client's mapping table entry (DNS@server.example.com.,
          789.client.example.com.server.example.com., context_handle)
     INTERNAL NAME  targ_name             = "DNS@server.example.com"
     OCTET STRING   input_token           = token from Key field of TKEY
          record from the Answer section of the server's response
     BOOLEAN        replay_det_req_flag   = TRUE
     BOOLEAN        mutual_req_flag       = TRUE

  The OUTPUTS parameters returned by GSS_Init_sec_context include
     INTEGER        major_status = GSS_S_COMPLETE
     CONTEXT HANDLE output_context_handle = context_handle
     OCTET STRING   output_token = output_token
     BOOLEAN        replay_det_state = TRUE
     BOOLEAN        mutual_state = TRUE

  Since the major_status is set to GSS_S_COMPLETE the client side
  security context is established, but since the output_token is not
  NULL client MUST send a TKEY query to the server as described below.

  VII.  Client sends a query with QTYPE = TKEY to server

  Client sends to the server a TKEY query for the
  789.client.example.com.server.example.com. name.  Query contains a
  TKEY record in its Additional records section with the following
  fields.  (Note that some INPUT and OUTPUT parameters not critical to
  this algorithm are not described in this example.)

     NAME = 789.client.example.com.server.example.com.
     RDATA
        Algorithm Name      = gss-tsig
        Mode                = 3 (GSS-API negotiation - per [RFC2930])
        Key Size            = size of output_token in octets
        Key Data            = output_token

  VIII.  Server receives a TKEY query

  When the server receives a TKEY query, the server verifies that Mode
  and Algorithm fields in the TKEY record in the Additional records
  section of the query are set to 3 and gss-tsig, respectively.  It
  finds that the key_name 789.client.example.com.server.example.com. is
  listed in its (key_name, context_handle) mapping table.









Kwan, et al.                Standards Track                    [Page 20]
^L
RFC 3645                        GSS-TSIG                    October 2003


  IX.  Server calls GSS_Accept_sec_context

  To continue security context negotiation server calls
  GSS_Accept_sec_context with the following parameters (Note that some
  INPUT and OUTPUT parameters not critical for this algorithm are not
  described in this example)

   INPUTS
     CONTEXT HANDLE input_context_handle  = context_handle from the
           (789.client.example.com.server.example.com., context_handle)
           entry in the server's mapping table
     OCTET STRING   input_token           = token specified in the Key
           field of TKEY RR (from Additional records Section of
           the client's query)

  The OUTPUTS parameters returned by GSS_Accept_sec_context include
     INTEGER        major_status = GSS_S_COMPLETE
     CONTEXT_HANDLE output_context_handle = context_handle
     OCTET STRING   output_token = NULL

  Since major_status = GSS_S_COMPLETE, the security context on the
  server side is established, but the server still needs to respond to
  the client's TKEY query, as described below.  The security context
  state is advanced to Context Established.

  X.  Server responds to the TKEY query

  Since the major_status = GSS_S_COMPLETE in the last server's call to
  GSS_Accept_sec_context and the output_token is NULL, the server
  responds to the TKEY query placing in the answer section a TKEY record
  that was sent by the client in the Additional records section of the
  client's latest TKEY query.  In addition, this server places a
  TSIG record in additional records section of its response.  Server
  calls GSS_GetMIC to generate a signature to include it in the TSIG
  record.  The server specifies the following GSS_GetMIC INPUT
  parameters:

     CONTEXT HANDLE context_handle = context_handle from the
           (789.client.example.com.server.example.com., context_handle)
           entry in the server's mapping table
     OCTET STRING   message        = outgoing message plus TSIG
                                   variables (as described in [RFC2845])

  The OUTPUTS parameters returned by GSS_GetMIC include
     INTEGER        major_status = GSS_S_COMPLETE
     OCTET STRING   per_msg_token

  Signature field in the TSIG record is set to per_msg_token.



Kwan, et al.                Standards Track                    [Page 21]
^L
RFC 3645                        GSS-TSIG                    October 2003


  XI.  Client processes token returned by server

  Client receives the TKEY query response from the server.  Since the
  major_status was GSS_S_COMPLETE in the last client's call to
  GSS_Init_sec_context, the client verifies that the server's response
  is signed.  To validate the signature, the client calls
  GSS_VerifyMIC with the following parameters:

   INPUTS
     CONTEXT HANDLE context_handle = context_handle for
                  789.client.example.com.server.example.com. key_name
     OCTET STRING   message        = incoming message plus TSIG
                                  variables (as described in [RFC2845])
     OCTET STRING   per_msg_token  = Signature field from TSIG RR
                  included in the server's query response

  Since the OUTPUTS parameter major_status = GSS_S_COMPLETE, the
  signature is validated, security negotiation is complete and the
  security context state is advanced to Context Established.  These
  client and server will use the established security context to sign
  and validate the signatures when they exchange packets with each
  other until the context expires.

7.  Security Considerations

   This document describes a protocol for DNS security using GSS-API.
   The security provided by this protocol is only as effective as the
   security provided by the underlying GSS mechanisms.

   All the security considerations from RFC 2845, RFC 2930 and RFC 2743
   apply to the protocol described in this document.

8.  IANA Considerations

   The IANA has reserved the TSIG Algorithm name gss-tsig for the use in
   the Algorithm fields of TKEY and TSIG resource records.  This
   Algorithm name refers to the algorithm described in this document.
   The requirement to have this name registered with IANA is specified
   in RFC 2845.

9.  Conformance

   The GSS API using SPNEGO [RFC2478] provides maximum flexibility to
   choose the underlying security mechanisms that enables security
   context negotiation.  GSS API using SPNEGO [RFC2478] enables client
   and server to negotiate and choose such underlying security
   mechanisms on the fly.  To support such flexibility, DNS clients and
   servers SHOULD specify SPNEGO mech_type in their GSS API calls.  At



Kwan, et al.                Standards Track                    [Page 22]
^L
RFC 3645                        GSS-TSIG                    October 2003


   the same time, in order to guarantee interoperability between DNS
   clients and servers that support GSS-TSIG it is required that

   -  DNS servers specify SPNEGO mech_type
   -  GSS APIs called by DNS client support Kerberos v5
   -  GSS APIs called by DNS server support SPNEGO [RFC2478] and
      Kerberos v5.

   In addition to these, GSS APIs used by DNS client and server MAY also
   support other underlying security mechanisms.

10.  Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   intellectual property or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; neither does it represent that it
   has made any effort to identify any such rights.  Information on the
   IETF's procedures with respect to rights in standards-track and
   standards-related documentation can be found in BCP-11.  Copies of
   claims of rights made available for publication and any assurances of
   licenses to be made available, or the result of an attempt made to
   obtain a general license or permission for the use of such
   proprietary rights by implementors or users of this specification can
   be obtained from the IETF Secretariat.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights which may cover technology that may be required to practice
   this standard.  Please address the information to the IETF Executive
   Director.

11.  Acknowledgements

   The authors of this document would like to thank the following people
   for their contribution to this specification:  Chuck Chan, Mike
   Swift, Ram Viswanathan, Olafur Gudmundsson, Donald E. Eastlake, 3rd
   and Erik Nordmark.












Kwan, et al.                Standards Track                    [Page 23]
^L
RFC 3645                        GSS-TSIG                    October 2003


12.  References

12.1.  Normative References

   [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
             Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2478] Baize, E. and D. Pinkas, "The Simple and Protected GSS-API
             Negotiation Mechanism", RFC 2478, December 1998.

   [RFC2743] Linn, J., "Generic Security Service Application Program
             Interface, Version 2 , Update 1", RFC 2743, January 2000.

   [RFC2845] Vixie, P., Gudmundsson, O., Eastlake 3rd, D. and B.
             Wellington, "Secret Key Transaction Authentication for DNS
             (TSIG)", RFC 2845, May 2000.

   [RFC2930] Eastlake 3rd, D., "Secret Key Establishment for DNS (TKEY
             RR)", RFC 2930, September 2000.

12.2.  Informative References


   [ISO11578] "Information technology", "Open Systems Interconnection",
              "Remote Procedure Call", ISO/IEC 11578:1996,
              http://www.iso.ch/cate/d2229.html.

   [RFC1034] Mockapetris, P., "Domain Names - Concepts and Facilities",
             STD 13, RFC 1034, November 1987.

   [RFC1035] Mockapetris, P., "Domain Names - Implementation and
             Specification", STD 13, RFC 1034, November 1987.

   [RFC1964] Linn, J., "The Kerberos Version 5 GSS-API Mechanism", RFC
             1964, June 1996.

   [RFC2025] Adams, C., "The Simple Public-Key GSS-API Mechanism
             (SPKM)", RFC 2025, October 1996.

   [RFC2137] Eastlake 3rd, D., "Secure Domain Name System Dynamic
             Update", RFC 2137, April 1997.

   [RFC2535] Eastlake 3rd, D., "Domain Name System Security Extensions",
             RFC 2535, March 1999.







Kwan, et al.                Standards Track                    [Page 24]
^L
RFC 3645                        GSS-TSIG                    October 2003


13.  Authors' Addresses

   Stuart Kwan
   Microsoft Corporation
   One Microsoft Way
   Redmond, WA  98052
   USA
   EMail: skwan@microsoft.com

   Praerit Garg
   Microsoft Corporation
   One Microsoft Way
   Redmond, WA  98052
   USA
   EMail: praeritg@microsoft.com

   James Gilroy
   Microsoft Corporation
   One Microsoft Way
   Redmond, WA  98052
   USA
   EMail: jamesg@microsoft.com

   Levon Esibov
   Microsoft Corporation
   One Microsoft Way
   Redmond, WA  98052
   USA
   EMail: levone@microsoft.com

   Randy Hall
   Lucent Technologies
   400 Lapp Road
   Malvern PA 19355
   USA
   EMail: randyhall@lucent.com

   Jeff Westhead
   Microsoft Corporation
   One Microsoft Way
   Redmond, WA  98052
   USA
   EMail: jwesth@microsoft.com








Kwan, et al.                Standards Track                    [Page 25]
^L
RFC 3645                        GSS-TSIG                    October 2003


14.  Full Copyright Statement

   Copyright (C) The Internet Society (2003).  All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works.  However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assignees.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgement

   Funding for the RFC Editor function is currently provided by the
   Internet Society.



















Kwan, et al.                Standards Track                    [Page 26]
^L