DNSSEC protected routing announcements for BGP

Document Type: Expired Internet-Draft (individual)
Authors: Lutz Donnerhacke, Wouter Wijngaards
Last updated: 2008-05-05
Stream: (None)
Intended RFC status: (None)
Expired & archived
Stream state: (No stream defined)
Consensus Boilerplate: Unknown
RFC Editor Note: (None)
IESG state: Expired
Telechat date:
Responsible AD: (None)
Send notices to: (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft can be found at


This document describes an infrastructure for real-time verification of routes received via BGP4. Some DNS query types are introduced to check the origin of a prefix and the validity of the AS path. The crypto part can be offloaded from the routing engine by sending a DNS query and checking the AD bit in the DNS response. The proposal depends on the DNS scalability and caching mechanisms as well as the PKI introduced by DNSSEC.
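The AD-bit check the abstract refers to, as an added example that is not taken from the draft: a routing-side helper that classifies a raw DNS response by its 12-byte header alone. The function names, the three result labels and the reject policy are assumptions, the sample headers are constructed, and the AD bit is only meaningful when the response comes from a trusted validating resolver over a protected path.

```python
import struct

# DNS header flag masks (RFC 1035 section 4.1.1; AD bit per RFC 4035)
QR = 0x8000          # message is a response
TC = 0x0200          # truncated, must be retried over TCP
AD = 0x0020          # resolver asserts the answer passed DNSSEC validation
RCODE_MASK = 0x000F  # 0 = NOERROR, 2 = SERVFAIL (typical for bogus data)


def make_header(msg_id: int, flags: int, ancount: int) -> bytes:
    """Build a constructed 12-byte DNS header for the samples below."""
    return struct.pack("!HHHHHH", msg_id, flags, 1, ancount, 0, 0)


def classify_response(wire: bytes, expected_id: int) -> str:
    """Return 'secure', 'insecure' or 'reject' for a raw DNS response.

    Assumed policy: only a well-formed NOERROR answer that matches our
    query ID is considered at all; AD then decides secure vs. insecure.
    """
    if len(wire) < 12:
        return "reject"                      # not even a full header
    msg_id, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", wire[:12])
    if msg_id != expected_id or not flags & QR:
        return "reject"                      # unsolicited or not a response
    if flags & TC:
        return "reject"                      # incomplete data, retry over TCP
    if flags & RCODE_MASK != 0 or ancount == 0:
        return "reject"                      # SERVFAIL, NXDOMAIN, empty answer
    return "secure" if flags & AD else "insecure"


# Constructed sample responses (header only) for query ID 0x1234.
SAMPLES = {
    "validated": make_header(0x1234, 0x81A0, 1),    # QR RD RA AD
    "unvalidated": make_header(0x1234, 0x8180, 1),  # QR RD RA, no AD
    "servfail": make_header(0x1234, 0x8182, 0),     # RCODE 2
    "truncated": make_header(0x1234, 0x8380, 1),    # TC set
    "wrong_id": make_header(0x4321, 0x81A0, 1),     # ID mismatch
}

if __name__ == "__main__":
    for name, wire in SAMPLES.items():
        print(f"{name:12s} -> {classify_response(wire, 0x1234)}")
```

A router using such a check never touches signatures or keys itself; whether an 'insecure' result leads to accepting, deprioritising or dropping a route is a local policy decision.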


Lutz Donnerhacke (lutz@iks-jena.de)
Wouter Wijngaards (wouter@nlnetlabs.nl)

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)