The DELEGATION_ONLY DNSKEY flag
draft-ietf-dnsop-delegation-only-01
Document | Type |
This is an older version of an Internet-Draft whose latest revision state is "Expired".
Expired & archived
|
|
---|---|---|---|
Authors | Paul Wouters , Wes Hardaker | ||
Last updated | 2021-01-14 (Latest revision 2020-07-13) | ||
Replaces | draft-pwouters-powerbind | ||
RFC stream | Internet Engineering Task Force (IETF) | ||
Formats | |||
Additional resources | Mailing list discussion | ||
Stream | WG state | WG Document | |
Document shepherd | (None) | ||
IESG | IESG state | Expired | |
Consensus boilerplate | Unknown | ||
Telechat date | (None) | ||
Responsible AD | (None) | ||
Send notices to | (None) |
This Internet-Draft is no longer active. A copy of the expired Internet-Draft is available in these formats:
Abstract
This document introduces a new DNSKEY flag called DELEGATION_ONLY that indicates that this zone will only produce delegation responses for data outside of its own apex (or _underscore labels). That is, the Answer Section for queries that do not involve the apex (or _underscore labels) of the zone is empty, and only glue records in the Authority Section and Additional Section will be acceptable data in the response message. Additionally, it indicates that it is not expected that the parent of this delegation-only zone bypasses or removes the delegation to this zone. DNSSEC Validating Resolvers can use this flag to mark any data that violates the DELEGATION_ONLY policy as Bogus.
Authors
(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)