An In-Band Rollover Mechanism and an Out-Of-Band Priming Method for DNSSEC Trust Anchors
draft-ietf-dnsext-trustupdate-threshold-01

 
Document Type: Expired Internet-Draft (dnsext WG)
Last updated: 2005-10-27
Stream: IETF
Intended RFC status: (None)
WG state: WG Document
Document shepherd: No shepherd assigned
IESG state: Expired
Telechat date:
Responsible AD: (None)
Send notices to: (None)


This Internet-Draft is no longer active. A copy of the expired Internet-Draft can be found at
https://www.ietf.org/archive/id/draft-ietf-dnsext-trustupdate-threshold-01.txt

Abstract

The DNS Security Extensions (DNSSEC) work by validating so-called chains of authority. These chains of authority usually start at public keys that are anchored in the DNS clients; these keys are known as trust anchors. This memo describes a method by which these client trust anchors can be replaced using the DNS validation and querying mechanisms (in-band) when the key pairs used for signing by the zone owner are rolled. This memo also describes a method to establish the validity of trust anchors for initial configuration, or priming, using out-of-band mechanisms.

Authors

Johan Ihren (johani@autonomica.se)

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)