Definition
A TKEY (Transaction Key) record is a type of DNS resource record defined in RFC 2930 that facilitates the establishment of shared secret keys between DNS clients and servers. The record enables authenticated key exchange for subsequent secure DNS transactions, such as those protected by TSIG (Transaction SIGnature) or other DNS security mechanisms.
Overview
The TKEY RR is used within the Domain Name System (DNS) to negotiate cryptographic keys and to convey the parameters of a key‑exchange protocol. It is primarily employed in environments where DNS messages require authentication and integrity protection, allowing parties to agree on a secret without pre‑shared keys. The TKEY mechanism can operate with various key‑establishment protocols, including the Diffie‑Hellman exchange, GSS‑API (Generic Security Services Application Program Interface), and plain text key distribution.
Typical usage scenarios include:
- Initiating a secure session between a DNS resolver and an authoritative server for TSIG‑signed updates.
- Supporting dynamic DNS updates that require authenticated communication.
- Providing a foundation for experiments and extensions in DNS security.
Etymology/Origin
The abbreviation “TKEY” derives from “Transaction Key,” reflecting its purpose of establishing a cryptographic key for a DNS transaction. The concept was introduced by the Internet Engineering Task Force (IETF) within the DNS Security Extensions (DNSSEC) working group and formalized in RFC 2930 titled “Secret Key Establishment for DNS (TKEY RR)” published in August 2000.
Characteristics
- Record Type Code: 249 (decimal) in the DNS RR type space.
- RR Format: The TKEY RDATA consists of the following fields, listed in order:
  - Algorithm Name – domain name indicating the key‑establishment algorithm (e.g., gss-tsig., dh, domainkey.).
  - Inception – 32‑bit unsigned integer giving the time the key becomes valid (seconds since the UNIX epoch).
  - Expiration – 32‑bit unsigned integer giving the time the key expires (same format).
  - Mode – 16‑bit unsigned integer defining the key‑exchange mode (e.g., 0 for server‑assigned key, 1 for client‑assigned key, 2 for Diffie‑Hellman, 3 for GSS‑API).
  - Error – 16‑bit unsigned integer conveying an error code if key establishment fails.
  - Key Size – 16‑bit unsigned integer specifying the length in octets of the Key Data field.
  - Key Data – variable‑length octet string containing the key material or key‑exchange data as dictated by the selected algorithm.
- Security Considerations: The TKEY RR does not itself provide confidentiality; it only establishes a secret that can be used by subsequent security mechanisms such as TSIG. Proper handling of key lifetimes, algorithm selection, and authentication of the initial request are critical to prevent replay or man‑in‑the‑middle attacks.
- Interoperability: Support for TKEY varies among DNS implementations. Common DNS server software (e.g., BIND, NSD) includes optional support, while many recursive resolvers rely on pre‑shared keys and TSIG without employing TKEY.
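The RDATA layout above, as an added example (not code from RFC 2930 or any DNS implementation): a Python encoder/decoder for TKEY RDATA that validates every length field against the bytes actually present, and a helper that applies the lifetime check mentioned under Security Considerations. It also carries the trailing Other Size / Other Data fields defined in RFC 2930, which the field list above omits; the sample record (GSS-API mode with a three-byte key) is constructed for illustration.

```python
import struct
def encode_name(name: str) -> bytes:
    """Uncompressed wire-format domain name; TKEY forbids name compression."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    if any(len(l) > 63 for l in labels):
        raise ValueError("label longer than 63 octets")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_name(buf: bytes, pos: int):
    """Return (name, next_pos); reject compression pointers and truncated names."""
    labels = []
    while pos < len(buf):
        n, pos = buf[pos], pos + 1
        if n == 0:
            return ".".join(labels) + ".", pos
        if n >= 0xC0:
            raise ValueError("compression pointer not allowed in TKEY")
        labels.append(buf[pos:pos + n].decode("ascii"))
        pos += n
    raise ValueError("truncated name")

def encode_tkey(algorithm, inception, expiration, mode, error, key_data, other_data=b""):
    """Build RDATA: name, inception, expiration, mode, error, key size/data, other size/data."""
    if not inception < expiration:
        raise ValueError("inception must precede expiration")
    fixed = struct.pack("!IIHHH", inception, expiration, mode, error, len(key_data))
    return encode_name(algorithm) + fixed + key_data + struct.pack("!H", len(other_data)) + other_data

def decode_tkey(rdata: bytes) -> dict:
    """Parse RDATA, checking each length field against the octets actually present."""
    algorithm, pos = decode_name(rdata, 0)
    if len(rdata) - pos < 14:
        raise ValueError("truncated fixed fields")
    inception, expiration, mode, error, key_size = struct.unpack_from("!IIHHH", rdata, pos)
    pos += 14
    key_data = rdata[pos:pos + key_size]
    pos += key_size
    if len(key_data) != key_size or len(rdata) - pos < 2:
        raise ValueError("truncated at or after Key Data")
    (other_size,) = struct.unpack_from("!H", rdata, pos)
    pos += 2
    other_data = rdata[pos:pos + other_size]
    if len(other_data) != other_size or pos + other_size != len(rdata):
        raise ValueError("Other Data length does not match Other Size")
    return {"algorithm": algorithm, "inception": inception, "expiration": expiration,
            "mode": mode, "error": error, "key_data": key_data, "other_data": other_data}

def key_is_usable(rec: dict, now: int) -> bool:
    """A negotiated key is usable only with error 0 and inside its validity window."""
    return rec["error"] == 0 and rec["inception"] <= now < rec["expiration"]
```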
Related Topics
- DNSSEC – suite of extensions to DNS that provide data origin authentication and integrity.
- TSIG (Transaction SIGnature) – mechanism that uses shared secret keys to authenticate individual DNS messages.
- SIG(0) – an earlier DNS security method using public‑key signatures, superseded in practice by DNSSEC.
- RFC 2845 – specification of TSIG.
- RFC 2930 – original specification of the TKEY RR.
- Diffie‑Hellman key exchange – a widely used algorithm for establishing shared secrets.
- GSS‑API – a generic security interface that can be employed as a TKEY algorithm.
- Dynamic DNS (DDNS) – protocol for updating DNS records in real time, often secured with TSIG/TKEY.
This entry summarizes the established technical definition and usage of the TKEY record as documented in IETF standards and associated literature.