The EDNS Key Tag Option

Document Type Replaced Internet-Draft (dnsop WG)
Author Duane Wessels 
Last updated 2015-12-05 (latest revision 2015-07-29)
Replaced by RFC 8145
Stream Internet Engineering Task Force (IETF)
Intended RFC status Proposed Standard
Expired & archived
plain text xml htmlized pdfized bibtex
Stream WG state Adopted by a WG
Document shepherd Tim Wicinski
IESG IESG state Replaced by draft-ietf-dnsop-edns-key-tag
Consensus Boilerplate Unknown
Telechat date
Responsible AD (None)
Send notices to "Tim Wicinski" <>

This Internet-Draft is no longer active. A copy of the expired Internet-Draft can be found at


The DNS Security Extensions (DNSSEC) were developed to provide origin authentication and integrity protection for DNS data by using digital signatures. These digital signatures can be verified by building a chain-of-trust starting from a trust anchor and proceeding down to a particular node in the DNS. This document specifies a way for validating end-system resolvers to signal to a server which keys are referenced in their chain-of-trust. The extensions allow zone administrators to monitor the progress of rollovers in a DNSSEC- signed zone.


Duane Wessels (

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)