%% You should probably cite draft-ietf-dnsop-dnssec-bootstrapping-07 instead of this revision. @techreport{ietf-dnsop-dnssec-bootstrapping-01, number = {draft-ietf-dnsop-dnssec-bootstrapping-01}, type = {Internet-Draft}, institution = {Internet Engineering Task Force}, publisher = {Internet Engineering Task Force}, note = {Work in Progress}, url = {https://datatracker.ietf.org/doc/draft-ietf-dnsop-dnssec-bootstrapping/01/}, author = {Peter Thomassen and Nils Wisiol}, title = {{Automatic DNSSEC Bootstrapping using Authenticated Signals from the Zone's Operator}}, pagetotal = 14, year = 2022, month = jun, day = 17, abstract = {This document introduces an in-band method for DNS operators to publish arbitrary information about the zones they are authoritative for, in an authenticated fashion and on a per-zone basis. The mechanism allows managed DNS operators to securely announce DNSSEC key parameters for zones under their management, including for zones that are not currently securely delegated. Whenever DS records are absent for a zone's delegation, this signal enables the parent's registry or registrar to cryptographically validate the CDS/CDNSKEY records found at the child's apex. The parent can then provision DS records for the delegation without resorting to out-of-band validation or weaker types of cross-checks such as "Accept after Delay" ({[}RFC8078{]}). This document updates {[}RFC8078{]} and replaces its Section 3 with Section 3.2 of this document. {[} Ed note: This document is being collaborated on at https://github.com/desec-io/draft-ietf-dnsop-dnssec-bootstrapping/ (https://github.com/desec-io/draft-ietf-dnsop-dnssec-bootstrapping/). The authors gratefully accept pull requests. {]}}, }