Skip to main content

Automated Updates of DNS Security (DNSSEC) Trust Anchors
RFC 5011

Approval announcement
Draft of message to be sent after approval:


From: The IESG <>
To: IETF-Announce <>
Cc: Internet Architecture Board <>,
    RFC Editor <>, 
    dnsext mailing list <>, 
    dnsext chair <>
Subject: Protocol Action: 'Automated Updates of DNSSEC Trust 
         Anchors' to Proposed Standard 

The IESG has approved the following document:

- 'Automated Updates of DNSSEC Trust Anchors '
   <draft-ietf-dnsext-trustupdate-timers-07.txt> as a Proposed Standard

This document is the product of the DNS Extensions Working Group. 

The IESG contact persons are Mark Townsley and Jari Arkko.

A URL of this Internet-Draft is:

Ballot Text

Technical Summary
The document describes a means for automatically updating public
keys that are configured in DNSSEC aware resolvers. New
trust-anchors are configured when signatures over them can be
validated using the previous trust-anchors. By introducing explicit
revocation and a delay mechanism the chances of an attacker
introducing a mala fide trust-anchor after a key compromise are
mitigated, albeit not solved.
Working Group Summary
There is a broad consensus that this solution provides a workable
key-rollover. The working group is aware of IPR issues. There 
have been a number of well-documented reviews and comment on 
this document, please see the PROTO statement for a detailed
Protocol Quality
There are no implementations yet. The chairs are aware of at least
1 and maybe 2 independent organizations that plan on
implementing. At least one implementer has done in-depth review
during last call.

The chairs are of the opinion that after implementations are
written there is probably millage in documenting operational

Note to RFC Editor

Please append the following to the Security Considerations section: 

"Security considerations for trust anchor rollover not specific to
this protocol are discussed in [ID.ietf-dnsext-rollover-requirements]"

and add this to the informative references:

         Eland, H., Mundy R., Crocker, S., and S. Krishnaswamy,
         "Requirements related to DNSSEC Trust Anchor Rollover",
         (work in progress), November 2006.

RFC Editor Note