The DELEGATION_ONLY DNSKEY flag
draft-ietf-dnsop-delegation-only-02
Document | Type |
Expired Internet-Draft
(dnsop WG)
Expired & archived
|
|
---|---|---|---|
Authors | Paul Wouters , Wes Hardaker | ||
Last updated | 2024-10-05 (Latest revision 2021-02-21) | ||
Replaces | draft-pwouters-powerbind | ||
RFC stream | Internet Engineering Task Force (IETF) | ||
Intended RFC status | (None) | ||
Formats | |||
Additional resources | Mailing list discussion | ||
Stream | WG state | Dead WG Document | |
Document shepherd | (None) | ||
IESG | IESG state | Expired | |
Consensus boilerplate | Unknown | ||
Telechat date | (None) | ||
Responsible AD | (None) | ||
Send notices to | (None) |
This Internet-Draft is no longer active. A copy of the expired Internet-Draft is available in these formats:
Abstract
This document introduces a new DNSKEY flag called DELEGATION_ONLY that indicates that this zone will only produce delegation responses for data outside of its own apex (or _underscore labels). That is, the Answer Section for queries that do not involve the apex (or _underscore labels) of the zone is empty, and only glue records in the Authority Section and Additional Section will be acceptable data in the response message. Additionally, it indicates that it is not expected that the parent of this delegation-only zone bypasses or removes the delegation to this zone. DNSSEC Validating Resolvers can use this flag to mark any data that violates the DELEGATION_ONLY policy as Bogus.
Authors
(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)