Skip to main content

DNSSEC automation
draft-ietf-dnsop-dnssec-automation-03

Document Type Expired Internet-Draft (dnsop WG)
Expired & archived
Authors Ulrich Wisser , Shumon Huque , Johan Stenstam
Last updated 2025-04-22 (Latest revision 2024-10-19)
Replaces draft-wisser-dnssec-automation
RFC stream Internet Engineering Task Force (IETF)
Intended RFC status Informational
Formats
Reviews
Additional resources GitHub Repository
Mailing list discussion
Stream WG state In WG Last Call
Document shepherd Benno Overeinder
IESG IESG state Expired
Consensus boilerplate Yes
Telechat date (None)
Responsible AD (None)
Send notices to benno@NLnetLabs.nl

This Internet-Draft is no longer active. A copy of the expired Internet-Draft is available in these formats:

Abstract

This document describes an algorithm and protocol to automate the setup, operations, and decomissioning of Multi-Signer DNSSEC [RFC8901] configurations. It employs Model 2 of the multi-signer specification, where each operator has their own distinct KSK and ZSK sets (or CSK sets), Managing DS Records from the Parent via CDS/ CDNSKEY [RFC8078], and Child-to-Parent Synchronization in DNS [RFC7477] to accomplish this.

Authors

Ulrich Wisser
Shumon Huque
Johan Stenstam

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)