Technical Summary
This document introduces an in-band method for DNS operators to
publish arbitrary information about the zones they are authoritative
for, in an authenticated fashion and on a per-zone basis. The
mechanism allows managed DNS operators to securely announce DNSSEC
key parameters for zones under their management, including for zones
that are not currently securely delegated.
Whenever DS records are absent for a zone's delegation, this signal
enables the parent's registry or registrar to cryptographically
validate the CDS/CDNSKEY records found at the child's apex. The
parent can then provision DS records for the delegation without
resorting to out-of-band validation or weaker types of cross-checks
such as "Accept after Delay".
This document deprecates the DS enrollment methods described in
Section 3 of RFC 8078 in favor of Section 4 of this document, and
also updates RFC 7344.
Working Group Summary
The working group consensus was strong, and work was done
to improve the examples and the implementation section.
Document Quality
Document quality is good - implementations exist and are documented,
and testing has been done to confirm interoperability.
Personnel
Tim Wicinski is DS.
Warren "Ace" Kumari is RAD!!!!!!!1!!11!