DNSSEC Opt-in for Large Zones

Document Type: Expired Internet-Draft (individual); Expired & archived
Author: Mark Kosters
Last updated: 2001-03-06 (Latest revision 2000-11-20)
RFC stream: (None)
Stream state: (No stream defined)
Consensus boilerplate: Unknown
RFC Editor Note: (None)
IESG state: Expired
Telechat date: (None)
Responsible AD: (None)
Send notices to: (None)

This Internet-Draft is no longer active.

For DNSSEC to be deployed operationally with large zones and little operational impact, a mechanism is needed that separates the secure and unsecure views of a zone. This must be done transparently, so that DNSSEC can be deployed incrementally. This document proposes the use of an extended RCODE to signify that a DNSSEC-aware requestor may have to re-query for the information if, and only if, the delegation is not yet secure. Thus, one can maintain two views of the zone and expand the DNSSEC zone as demand warrants.


Mark Kosters

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)