
DNS Security (DNSSEC) Opt-In
RFC 4956

Approval announcement
Draft of message to be sent after approval:


From: The IESG <>
To: IETF-Announce <>
Cc: Internet Architecture Board <>,
    RFC Editor <>, 
    dnsext mailing list <>, 
    dnsext chair <>
Subject: Document Action: 'DNSSEC Opt-In' to Experimental RFC 

The IESG has approved the following document:

- 'DNSSEC Opt-In'
   <draft-ietf-dnsext-dnssec-opt-in-10.txt> as an Experimental RFC

This document is the product of the DNS Extensions Working Group. 

The IESG contact persons are Mark Townsley and Jari Arkko.

A URL of this Internet-Draft is:

Ballot Text

Technical Summary

Opt-in is a method to disable the authenticated denial of existence
for a range of domain names in a zone. It has been developed to
generate a sparse set of NSEC RRs in a zone that contains mostly
delegations, i.e., to opt in the secure delegations. The span of
delegations for which authenticated denial is not available is still
indicated using an NSEC resource record. The 'NSEC-bit' in the type
bitmap of the NSEC RDATA is used to signal the different semantics of
the opt-in type NSEC RR.

Opt-in is a methodology that is backwards incompatible with DNSSEC; in
order to perform a trial, the methodology described in
draft-ietf-dnsext-dnssec-experiments is applied.

Working Group Summary

A couple of years ago this document had a thorough technical review
around 2002. This version of the document has been slightly updated
to reflect changes to DNSSEC since 2002 and to turn it into an experiment
of the form described in draft-ietf-dnsext-dnssec-experiments.

During the development of the OPT-IN spec before and in 2002 there has
been in-depth review and feedback by several core members of the working
group. At that time the consensus was that the document was
technologically solid but there was no consent to the mechanism.

This time around the views of many folk have changed and they do not have
any problems with the OPT-IN technology going forward as an experiment.
The same functionality is introduced by work currently in DNSEXT: NSEC3.

Document Quality

The document has been reviewed by

Scott Rose 

Mark Kosters
(he is one of the initial editors)

Rodney Joffe

and dnsext chair Olaf Kolkman.

There has been some discussion after we advanced the document in which it
became clear that Ed Lewis also reviewed the document and supported
experimental status.


RFC Editor Note