Skip to main content

Delegation Signer (DS) Resource Record (RR)

Approval announcement
Draft of message to be sent after approval:


From: The IESG <>
To: IETF-Announce <>
Cc: Internet Architecture Board <>,
    RFC Editor <>, 
    dnsext mailing list <>, 
    dnsext chair <>
Subject: Protocol Action: 'Delegation Signer Resource Record' to 
         Proposed Standard 

The IESG has approved the following document:

- 'Delegation Signer Resource Record '
   <draft-ietf-dnsext-delegation-signer-16.txt> as a Proposed Standard

This document is the product of the DNS Extensions Working Group. 

The IESG contact persons are Thomas Narten and Mark Townsley.

A URL of this Internet-Draft is:

Ballot Text

Technical Summary
This document defines the Delegation Signer resource record (RR),
which replaces the DNSSEC KEY record chain of trust defined in the
original RFC 2535 DNSSEC protocol. The DS RR resides only at the
parent and identifies (and signs) the key(s) that the child uses to
self-sign its own KEY RRset. In contrast, the previously-used method,
which relied on a DNSSEC KEY record chain of trust, had a number of
operational issues, including that the same data was located in
different places within the DNS (parent and child), which led to
inconsistencies in practice, difficulties in updating signatures in
some cases, and complexity in resolvers. The DS RR is an explicit
statement about the delegation, rather than relying on inference.

Delegation Signer changes the semantics of some previously defined
DNSSEC operations and is not backwards compatible with RFC 2535.
Working Group Summary
There was consensus in the WG for this document.

Protocol Quality
This document has been reviewed for the IESG by Thomas Narten and Erik

RFC Editor Note