blank.gif (43 bytes)

Church Of The
Swimming Elephant

4.1.4 Transaction and Request SIGs Connected: An Internet Encyclopedia
4.1.4 Transaction and Request SIGs

Up: Connected: An Internet Encyclopedia
Up: Requests For Comments
Up: RFC 2065
Up: 4. The SIG Resource Record
Up: 4.1 SIG RDATA Format
Prev: 4.1.3 Zone Transfer (AXFR) SIG
Next: 4.2 SIG RRs in the Construction of Responses

4.1.4 Transaction and Request SIGs

4.1.4 Transaction and Request SIGs

A response message from a security aware server may optionally contain a special SIG as the last item in the additional information section to authenticate the transaction.

This SIG has a "type covered" field of zero, which is not a valid RR type. It is calculated by using a "data" (see Section 4.1.2) of the entire preceding DNS reply message, including DNS header but not the IP header, concatenated with the entire DNS query message that produced this response, including the query's DNS header but not its IP header. That is

        data = full response (less final transaction SIG) | full query

Verification of the transaction SIG (which is signed by the server host key, not the zone key) by the requesting resolver shows that the query and response were not tampered with in transit, that the response corresponds to the intended query, and that the response comes from the queried server.

A DNS request may be optionally signed by including one or more SIGs at the end of the query. Such SIGs are identified by having a "type covered" field of zero. They sign the preceding DNS request message including DNS header but not including the IP header or at the begining or any preceding request SIGs at the end. Such request SIGs are included in the "data" used to form any optional response transaction SIG.

WARNING: Request SIGs are unnecessary for currently defined queries and will cause almost all existing DNS servers to completely ignore a query. However, such SIGs may be needed to authenticate future DNS secure dynamic update or other requests.

Next: 4.2 SIG RRs in the Construction of Responses

Connected: An Internet Encyclopedia
4.1.4 Transaction and Request SIGs


Protect yourself from cyberstalkers, identity thieves, and those who would snoop on you.
Stop spam from invading your inbox without losing the mail you want. We give you more control over your e-mail than any other service.
Block popups, ads, and malicious scripts while you surf the net through our anonymous proxies.
Participate in Usenet, host your web files, easily send anonymous messages, and more, much more.
All private, all encrypted, all secure, all in an easy to use service, and all for only $5.95 a month!

Service Details

Have you gone to church today?
All pages ©1999, 2000, 2001, 2002, 2003 Church of the Swimming Elephant unless otherwise stated
Church of the Swimming Elephant©1999, 2000, 2001, 2002, 2003 is a wholly owned subsidiary of Packetderm, LLC.

Packetderm, LLC
210 Park Ave #308
Worcester, MA 01609