The Zone Referral Key

Document Type Expired Internet-Draft (individual)
Authors John Gilmore, Edward Lewis
Last updated 1998-05-28
Stream (None)
Intended RFC status (None)
Expired & archived
Stream Stream state (No stream defined)
Consensus Boilerplate Unknown
RFC Editor Note (None)
IESG IESG state Expired
Telechat date
Responsible AD (None)
Send notices to (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft can be found at


A new type of key is defined to address the problems of performance in large delegated zones and issues of liability of registrars with regard to the storing of public keys belonging to zone cuts. This new key type also brings DNSSEC more in line with the DNS treatment of zone cuts and speeds recovery in handling key exposure. The new type of key is a referral record that is stored, signed, at the parent zone's place for the delegation point. A resolver receiving this record is being informed that there are genuine public keys at the child's authoritative name servers. The parent no longer needs to store the child's public keys locally.


John Gilmore (
Edward Lewis (

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)