
Session-based Authentication for DNS: DNSSEC-S

Document Type: Expired Internet-Draft (individual), expired & archived
Authors: Paul E. Hoffman, Matt Larson
Last updated: 2017-12-30 (latest revision 2017-06-28)
RFC stream: (None)
Intended RFC status: (None)
Stream state: (No stream defined)
Consensus boilerplate: Unknown
RFC Editor Note: (None)
IESG state: Expired
Telechat date: (None)
Responsible AD: (None)
Send notices to: (None)

This Internet-Draft is no longer active.


DNSSEC as defined in RFCs 4033, 4034, and 4035 is based on authenticated messages. That design has allowed DNSSEC to be deployed at the upper levels of the DNS tree, but operational issues with message-based authentication have caused lower levels of the DNS tree to mostly forego DNSSEC. This document extends DNSSEC with a second type of authentication, based on session authentication from TLS, that is easier to deploy for some (but certainly not all) authoritative DNS servers. The goal is to have many more zones be DNSSEC-enabled.

Note that this document does _not_ replace current DNSSEC. A validating resolver needs to implement all of traditional DNSSEC, and might also implement the protocol defined here. A server might protect the contents of DNS zones for which it is authoritative with traditional DNSSEC, with the protocol defined here, or both. The protocol defined here is only useful for some authoritative servers, and is explicitly not useful for others.

*** Notice for -00 ***

This -00 draft is meant to engender discussion, particularly to find out if there is a good use case for this proposal. This draft is definitely not considered ready for consideration in an IETF WG.

