DS Algorithms for Securing NS and Glue
draft-dickson-dnsop-ds-hack-02
Document | Type |
Expired Internet-Draft
(individual)
Expired & archived
|
|
---|---|---|---|
Author | Brian Dickson | ||
Last updated | 2022-03-23 (Latest revision 2021-09-19) | ||
RFC stream | (None) | ||
Intended RFC status | (None) | ||
Formats | |||
Stream | Stream state | (No stream defined) | |
Consensus boilerplate | Unknown | ||
RFC Editor Note | (None) | ||
IESG | IESG state | Expired | |
Telechat date | (None) | ||
Responsible AD | (None) | ||
Send notices to | (None) |
This Internet-Draft is no longer active. A copy of the expired Internet-Draft is available in these formats:
Abstract
This Internet Draft proposes a mechanism to encode relevant data for NS records on the parental side of a zone cut by encoding them in DS records based on a new DNSKEY algorithm. Since DS records are signed by the parent, this creates a method for validation of the otherwise unsigned delegation records. Notably, support for updating DS records in a parent zone is already present (by necessity) in the Registry-Registrar-Registrant (RRR) provisioning system, EPP. Thus, no changes to the EPP protocol are needed, and no changes to registry database or publication systems upstream of the DNS zones published by top level domains (TLDs). This NS validation mechanism is beneficial if the name server _names_ need to be validated prior to use.
Authors
(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)