Technical Summary
As the DNS Security (DNSSEC) specifications have evolved, the syntax
and semantics of the DNSSEC resource records (RRs) have changed. Many
deployed nameservers understand variants of these semantics.
Dangerous interactions can occur when a resolver that understands an
earlier version of these semantics queries an authoritative server
that understands the newer Delegation Signer RR semantics, including
at least one failure scenario that will cause an unsecured zone to be
unresolvable. This document changes the type codes and mnemonics of
the DNSSEC RRs (SIG, KEY, and NXT) for the newest version of these RRs
to avoid those interactions. Using new type codes ensures that older
and newer resolvers can easily distinguish which variant of these RRs
have been implemented and how they should be interpreted.
Working Group Summary
There was consensus in the WG for this option. Note that this document
is part of the overall DNSEXT plan of issuing individual updates to
the DNSSEC RFCs; when all the changes have been completed, a revised
version of 2535 will be issued tht incorportes all the changes.
Protocol Quality
This document has been reviewed for the IESG by Thomas Narten and Erik
Nordmark.