DNSSEC Validators DHCP Options

Document Type Expired Internet-Draft (individual)
Last updated 2014-04-24 (latest revision 2013-10-21)
Stream (None)
Intended RFC status (None)
Expired & archived
pdf htmlized bibtex
Stream Stream state (No stream defined)
Consensus Boilerplate Unknown
RFC Editor Note (None)
IESG IESG state Expired
Telechat date
Responsible AD (None)
Send notices to (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft can be found at


DNSSEC provides data integrity and authentication for DNSSEC validators. However, without valid trust anchor(s) and an acceptable value for the current time, DNSSEC validation cannot be performed. As a result, there are multiple cases where DNSSEC validation MUST NOT be performed. In addition, this list of exceptions is expected to become larger over time. Considering an increasing number of cases where DNSSEC is disabled adds complexity to the DNSSEC validator implementations and increases the vectors that disable security. This document assumes that DNSSEC adoption by end devices requires that end devices MUST be able to support a DNSSEC validation always set. This MUST be valid today as well as in the future. This document describes DHCP Options to provision the DHCP Client with valid trust anchors and time so DNSSEC validation can be performed.


Daniel Migault (mglt.ietf@gmail.com)

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)