Skip to main content

A Root Key Trust Anchor Sentinel for DNSSEC

Approval announcement
Draft of message to be sent after approval:


From: The IESG <>
To: IETF-Announce <>
Cc:, The IESG <>,,, Benno Overeinder <>,, Tim Wicinski <>,,
Subject: Protocol Action: 'A Root Key Trust Anchor Sentinel for DNSSEC' to Proposed Standard (draft-ietf-dnsop-kskroll-sentinel-17.txt)

The IESG has approved the following document:
- 'A Root Key Trust Anchor Sentinel for DNSSEC'
  (draft-ietf-dnsop-kskroll-sentinel-17.txt) as Proposed Standard

This document is the product of the Domain Name System Operations Working

The IESG contact persons are Warren Kumari, Ignas Bagdonas and Terry

A URL of this Internet Draft is:

Ballot Text

Technical Summary

   The DNS Security Extensions (DNSSEC) were developed to provide origin
   authentication and integrity protection for DNS data by using digital
   signatures.  These digital signatures can be verified by building a
   chain of trust starting from a trust anchor and proceeding down to a
   particular node in the DNS.  This document specifies a mechanism that
   will allow an end user and third parties to determine the trusted key
   state for the root key of the resolvers that handle that user's DNS
   queries.  Note that this method is only applicable for determining
   which keys are in the trust store for the root key.

Working Group Summary

This document has had a short history, and came about while working with ICANN on
  the KSK rollover process, as a way to assist tracking the addition and removal of DNSSEC

Document Quality

There are two different implementations of the design. 


Document Shepherd: Tim Wicinski 

Responsible Area Director: Terry Manderson

RFC Editor Note