
Definition and Use of DNSSEC Negative Trust Anchors

Approval announcement
Draft of message to be sent after approval:


From: The IESG <>
To: IETF-Announce <>
Cc: RFC Editor <>,
    dnsop mailing list <>,
    dnsop chair <>
Subject: Document Action: 'Definition and Use of DNSSEC Negative Trust Anchors' to Informational RFC (draft-ietf-dnsop-negative-trust-anchors-10.txt)

The IESG has approved the following document:
- 'Definition and Use of DNSSEC Negative Trust Anchors'
  (draft-ietf-dnsop-negative-trust-anchors-10.txt) as Informational RFC

This document is the product of the Domain Name System Operations Working

The IESG contact persons are Benoit Claise and Joel Jaeggli.

A URL of this Internet Draft is:

Ballot Text

Technical Summary

As DNS Security Extensions (DNSSEC) is being widely deployed, tools and processes are not fully mature. The document describes creating a temporary object, called a Negative Trust Anchor, to temporarily disable DNSSEC validation for misconfigured domains, thereby allowing DNS resolution to continue working.

Working Group Summary

The working group spent time reviewing the document, and several points were raised about the deployment of these trust anchors. However, all points raised involved clarification text which made the final document more robust. There were no decisions that were particularly rough.

Document Quality

There were several editorial passes done during the timeframe, all of which cleared up the text. The document has a section on managing these Negative Trust Anchors, and it is laid out in a manner that operators of DNS zones will be able to use. Additionally, there are examples from existing DNS tools in Appendix A.


The document shepherd is Tim Wicinski.

The responsible Area Director is Joel Jaeggli.

RFC Editor Note