Skip to main content

DNSSEC Extension by Using PKIX Certificates

Document Type Expired Internet-Draft (individual)
Expired & archived
Authors Hyeonmin Lee , Taekyoung Kwon
Last updated 2023-09-09 (Latest revision 2023-03-08)
RFC stream (None)
Intended RFC status (None)
Stream Stream state (No stream defined)
Consensus boilerplate Unknown
RFC Editor Note (None)
IESG IESG state Expired
Telechat date (None)
Responsible AD (None)
Send notices to (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft is available in these formats:


The Domain Name System Security Extensions (DNSSEC) were standardized a couple of decades ago but it has not been widely deployed. Thus, a vast majority of DNS messages in the real world are still vulnerable to various kinds of integrity attacks like cache poisoning attacks. This document describes a mechanism that extends the current DNSSEC protocol in such a way that guarantees the integrity of DNS messages using PKIX certificates without any dependencies on other entities in the DNS infrastructure.


Hyeonmin Lee
Taekyoung Kwon

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)