Session-based Authentication for DNS: DNSSEC-S

Document Type: Expired Internet-Draft (individual)
Authors: Paul Hoffman, Matt Larson
Last updated: 2017-12-30 (latest revision 2017-06-28)
Stream: (None)
Intended RFC status: (None)
Status: Expired & archived
Stream state: (No stream defined)
Consensus Boilerplate: Unknown
RFC Editor Note: (None)
IESG state: Expired
Telechat date: (None)
Responsible AD: (None)
Send notices to: (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft can be found at


DNSSEC as defined in RFCs 4033, 4034, and 4035 is based on authenticated messages. That design has allowed DNSSEC to be deployed at the upper levels of the DNS tree, but operational issues with message-based authentication have caused lower levels of the DNS tree to mostly forego DNSSEC. This document extends DNSSEC with a second type of authentication, based on session authentication from TLS, that is easier to deploy for some (but certainly not all) authoritative DNS servers. The goal is to have many more zones be DNSSEC-enabled.

Note that this document does _not_ replace current DNSSEC. A validating resolver needs to implement all of traditional DNSSEC, and might also implement the protocol defined here. A server might protect the contents of DNS zones for which it is authoritative with traditional DNSSEC, with the protocol defined here, or both. The protocol defined here is only useful for some authoritative servers, and is explicitly not useful for others.

*** Notice for -00 *** This -00 draft is meant to engender discussion, particularly to find out if there is a good use case for this proposal. This draft is definitely not considered ready for consideration in an IETF WG.


Paul Hoffman (
Matt Larson (

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)