Skip to main content

Automatic DNSSEC Bootstrapping using Authenticated Signals from the Zone's Operator
draft-thomassen-dnsop-dnssec-bootstrapping-03

Document Type Replaced Internet-Draft (dnsop WG)
Authors Peter Thomassen , Nils Wisiol
Last updated 2022-04-18 (Latest revision 2021-11-29)
Replaced by draft-ietf-dnsop-dnssec-bootstrapping
Stream Internet Engineering Task Force (IETF)
Intended RFC status (None)
Formats
Expired & archived
Additional resources GitHub Repository
Related Implementations
Mailing list discussion
Stream WG state Adopted by a WG
Document shepherd (None)
IESG IESG state Replaced by draft-ietf-dnsop-dnssec-bootstrapping
Consensus boilerplate Unknown
Telechat date (None)
Responsible AD (None)
Send notices to (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft is available in these formats:

Abstract

This document introduces an in-band method for DNS operators to publish arbitrary information about the zones they are authoritative for, in an authenticated fashion and on a per-zone basis. The mechanism allows managed DNS operators to securely announce DNSSEC key parameters for zones under their management, including for zones that are not currently securely delegated. Whenever DS records are absent for a zone's delegation, this signal enables the parent's registry or registrar to cryptographically validate the CDS/CDNSKEY records found at the child's apex. The parent can then provision DS records for the delegation without resorting to out-of-band validation or weaker types of cross-checks such as "Accept after Delay" ([RFC8078]). This document updates [RFC8078] and replaces its Section 3 with Section 3.2 of this document. [ Ed note: Text inside square brackets ([]) is additional background information, answers to frequently asked questions, general musings, etc. They will be removed before publication. This document is being collaborated on at https://github.com/desec-io/draft-thomassen- dnsop-dnssec-bootstrapping/ (https://github.com/desec-io/draft- thomassen-dnsop-dnssec-bootstrapping/). The most recent version of the document, open issues, etc. should all be available there. The authors gratefully accept pull requests. ]

Authors

Peter Thomassen
Nils Wisiol

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)