An In-Band Rollover Mechanism and an Out-Of-Band Priming Method for DNSSEC Trust Anchors
draft-ietf-dnsext-trustupdate-threshold-01
| Document | Type | Expired Internet-Draft (dnsext WG) | |
|---|---|---|---|
| Author | Johan Ihren | ||
| Last updated | 2005-10-27 | ||
| Stream | Internet Engineering Task Force (IETF) | ||
| Intended RFC status | (None) | ||
| Formats |
Expired & archived
plain text
htmlized
pdfized
bibtex
|
||
| Stream | WG state | WG Document | |
| Document shepherd | (None) | ||
| IESG | IESG state | Expired | |
| Consensus boilerplate | Unknown | ||
| Telechat date | (None) | ||
| Responsible AD | (None) | ||
| Send notices to | (None) |
https://www.ietf.org/archive/id/draft-ietf-dnsext-trustupdate-threshold-01.txt
Abstract
The DNS Security Extensions (DNSSEC) works by validating so called chains of authority. The start of these chains of authority are usually public keys that are anchored in the DNS clients. These keys are known as the so called trust anchors. This memo describes a method how these client trust anchors can be replaced using the DNS validation and querying mechanisms (in-band) when the key pairs used for signing by zone owner are rolled. This memo also describes a method to establish the validity of trust anchors for initial configuration, or priming, using out of band mechanisms.
Authors
(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)