Skip to main content

Recommendations for DNSSEC Resolvers Operators

Document Type Expired Internet-Draft (individual)
Expired & archived
Authors Daniel Migault , Edward Lewis , Dan York
Last updated 2024-05-16 (Latest revision 2023-11-13)
Replaces draft-mglt-dnsop-dnssec-validator-requirements
RFC stream Independent Submission
Intended RFC status Informational
Additional resources GitHub Repository
Stream ISE state Response to Review Needed
Revised I-D Needed
Consensus boilerplate Unknown
Document shepherd (None)
Shepherd write-up Show Last changed 2022-10-16
IESG IESG state Expired
Telechat date (None)
Responsible AD (None)
Send notices to

This Internet-Draft is no longer active. A copy of the expired Internet-Draft is available in these formats:


The DNS Security Extensions (DNSSEC) defines a process for validating received data and assert them authentic and complete as opposed to forged. While DNSSEC comes with some complexity, at least for non expert, that complexity is mostly abstracted by the resolver. As result, running a resolver with DNSSEC enabled only requires the operator to only follow a very limited set of recommendations. This document provides such recommendations.


Daniel Migault
Edward Lewis
Dan York

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)