
Establishing an Appropriate Root Zone DNSSEC Trust Anchor at Startup

Document Type: Expired Internet-Draft (individual); Expired & archived
Authors: Joe Abley, Dave Knight
Last updated: 2018-09-20 (Latest revision 2018-03-19)
RFC stream: (None)
Intended RFC status: (None)
Stream state: (No stream defined)
Consensus boilerplate: Unknown
RFC Editor Note: (None)
IESG state: Expired
Telechat date: (None)
Responsible AD: (None)
Send notices to: (None)

This Internet-Draft is no longer active.


Domain Name System Security Extensions (DNSSEC) allow cryptographic signatures to be used to validate responses received from the Domain Name System (DNS). A DNS client which validates such signatures is known as a validator. The choice of appropriate root zone trust anchor for a validator is expected to vary over time as the corresponding cryptographic keys used in DNSSEC are changed. This document provides guidance on how validators might determine an appropriate trust anchor for the root zone to use at start-up, or when other mechanisms intended to allow key rollover to be tolerated gracefully are not available.

