The WS resource record: dispersing trust in the DNSSEC root keys
draft-fanf-dnsop-trust-anchor-witnesses-00
Document | Type |
Expired Internet-Draft
(individual)
Expired & archived
|
|
---|---|---|---|
Author | Tony Finch | ||
Last updated | 2014-08-17 (Latest revision 2014-02-13) | ||
RFC stream | (None) | ||
Intended RFC status | (None) | ||
Formats | |||
Stream | Stream state | (No stream defined) | |
Consensus boilerplate | Unknown | ||
RFC Editor Note | (None) | ||
IESG | IESG state | Expired | |
Telechat date | (None) | ||
Responsible AD | (None) | ||
Send notices to | (None) |
This Internet-Draft is no longer active. A copy of the expired Internet-Draft is available in these formats:
Abstract
At the moment the root DNSSEC key is a single point of trust and a single point of failure for the whole system. This memo describes a mechanism for dispersing trust in the root key. Witnesses vouch for the root trust anchor by publishing WS records in the DNS. Validators only update their root trust anchors if multiple witnesses agree. The root-witnesses.arpa zone enables a validator to bootstrap trust when it has no working trust anchors other than its witnesses.
Authors
(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)