Secure parent-child DNS update use cases

Document Type Expired Internet-Draft (individual)
Author Paul Wouters 
Last updated 2013-01-10 (latest revision 2012-07-09)
Stream (None)
Expired & archived
plain text xml pdf htmlized bibtex
Stream Stream state (No stream defined)
Consensus Boilerplate Unknown
RFC Editor Note (None)
IESG IESG state Expired
Telechat date
Responsible AD (None)
Send notices to (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft can be found at


DNS zone administrators occasionally need to update data published by a parent zone, such as NS and DS records. Traditionally these updates have happened out-of-band: through DNS registrar interfaces, EPP, websites, or manually by operators. Some updates could also be done using DNS Dynamic Update [RFC2136]. The IETF's DNSOP working group is considering proposing additional mechanisms for such updates, possibly leveraging DNSSEC for authentication. This document presents some use cases to drive this design work.


Paul Wouters (

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)