This document defines the Delegation Signer resource record (RR),
which replaces the DNSSEC KEY record chain of trust defined in the
original RFC 2535 DNSSEC protocol. The DS RR resides only at the
parent and identifies (and signs) the key(s) that the child uses to
self-sign its own KEY RRset. In contrast, the previously-used method,
which relied on a DNSSEC KEY record chain of trust, had a number of
operational issues, including that the same data was located in
different places within the DNS (parent and child), which led to
inconsistencies in practice, difficulties in updating signatures in
some cases, and complexity in resolvers. The DS RR is an explicit
statement about the delegation, rather than relying on inference.
Delegation Signer changes the semantics of some previously defined
DNSSEC operations and is not backwards compatible with RFC 2535.
Working Group Summary
There was consensus in the WG for this document.
This document has been reviewed for the IESG by Thomas Narten and Erik