
DNSSEC Signature and Data Verification Semantics

Document Type: Expired Internet-Draft (individual)
Expired & archived
Authors: Ólafur Guðmundsson, Edward P. Lewis
Last updated: 1997-12-04
RFC stream: (None)
Intended RFC status: (None)
Stream state: (No stream defined)
Consensus boilerplate: Unknown
RFC Editor Note: (None)
IESG state: Expired
Telechat date: (None)
Responsible AD: (None)
Send notices to: (None)

This Internet-Draft is no longer active.


This draft discusses authorization models for DNSSEC that can be used to determine the relationship of a KEY RR and a DNS RRset in the validation process. Is this key trusted to sign for this data? Is this data trusted because it was signed by this key? This draft defines a number of different policies that can be used and what the signing authority of keys is in each. This draft also addresses what steps are recommended in the secure DNS resolution process and how the authorization policy is put to use. The ideas and definitions expressed here are based on the authors' experience in implementing a reference secure resolver.

