Compromised-key Digest Signature (CKDS) Introduction and Requirement

Document Type Expired Internet-Draft (individual)
Last updated 2012-12-07 (latest revision 2012-06-05)
Stream (None)
Intended RFC status (None)
Expired & archived
plain text pdf html bibtex
Stream Stream state (No stream defined)
Consensus Boilerplate Unknown
RFC Editor Note (None)
IESG IESG state Expired
Telechat date
Responsible AD (None)
Send notices to (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft can be found at


DNS Security Extensions (DNSSEC) is widely deployed at TLD and other important domain names currently. DNSSEC is an effective method to provide security protection for end users in the network. DNSSEC needs a lot of operations to maintain the chain of trust, like DNSKEY rollover operations periodically. But the chain of trust could be broken if the operator of domain replaces the old key immediately in a emergency rollover operation when the key is compromised. The break will make the domain and his sub-domains invisible in a short time if the data in the cache of resolver is right, on the contrary, the fake RR in the cache of resolver may be "valid" if the resolver is under the attack from hackers. This document introduces the compromised-key digest signature (CKDS) resource record to mitigate the impact of invalidation which is due to emergency rollover from the authoritative name server.


Haikuo Zhang (
Likun Zhang (

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)