Skip to main content

Delegation Information (Referrals) Signer for DNSSEC

Document Type Expired Internet-Draft (individual)
Author Kazunori Fujiwara
Last updated 2021-05-06 (Latest revision 2020-11-02)
Stream (None)
Intended RFC status (None)
Expired & archived
plain text htmlized pdfized bibtex
Stream Stream state (No stream defined)
Consensus boilerplate Unknown
RFC Editor Note (None)
IESG IESG state Expired
Telechat date (None)
Responsible AD (None)
Send notices to (None)
This Internet-Draft is no longer active. A copy of the expired Internet-Draft can be found at:


DNSSEC does not protect delegation information, it contains NS RRSet on the parent side and glue records. This document defines delegation information signer (DiS) resource record for protecting the delegation information, by inserting on the parent side of zone cut to hold a hash of delegation information. The DiS resource record reuses the type code and wire format of DS resource record, and distinguishes it from existing DS RRSet by using a new digest type. This document also describes the usage of DiS resource record and shows the implications on security-aware resolvers. The definition and usage are compatible with current DNSSEC.


Kazunori Fujiwara

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)