DNSSEC Trust Anchor Publication for the Root Zone
RFC 7958
Field | Value
---|---
Document type | RFC - Informational (August 2016; Errata). Was draft-jabley-dnssec-trust-anchor (individual)
Authors | Joe Abley, Jakob Schlyter, Guillaume Bailey, Paul Hoffman
Last updated | 2020-01-27
Stream | Independent Submission
Formats | plain text, html, pdf, htmlized (tools), htmlized with errata, bibtex
IETF conflict review | conflict-review-jabley-dnssec-trust-anchor
ISE state | Published RFC
Consensus Boilerplate | Unknown
Document shepherd | Adrian Farrel
Shepherd write-up | last changed 2016-05-31
IESG state | RFC 7958 (Informational)
Telechat date |
Responsible AD | (None)
Send notices to | "Nevil Brownlee" <rfc-ise@rfc-editor.org>
IANA review state | Version Changed - Review Needed
IANA action state | RFC-Ed-Ack
Independent Submission
Request for Comments: 7958
Category: Informational
ISSN: 2070-1721

J. Abley (Dyn, Inc.)
J. Schlyter (Kirei AB)
G. Bailey (Independent)
P. Hoffman (ICANN)
August 2016

DNSSEC Trust Anchor Publication for the Root Zone

Abstract

The root zone of the Domain Name System (DNS) has been cryptographically signed using DNS Security Extensions (DNSSEC).

In order to obtain secure answers from the root zone of the DNS using DNSSEC, a client must configure a suitable trust anchor. This document describes the format and publication mechanisms IANA has used to distribute the DNSSEC trust anchors.

Status of This Memo

This document is not an Internet Standards Track specification; it is published for informational purposes.

This is a contribution to the RFC Series, independently of any other RFC stream. The RFC Editor has chosen to publish this document at its discretion and makes no statement about its value for implementation or deployment. Documents approved for publication by the RFC Editor are not a candidate for any level of Internet Standard; see Section 2 of RFC 7841.

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc7958.

Abley, et al. Informational [Page 1]
RFC 7958 Root Zone Trust Anchor Publication August 2016

Copyright Notice

Copyright (c) 2016 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.

Table of Contents

1. Introduction
   1.1. Definitions
2. IANA DNSSEC Root Zone Trust Anchor Formats and Semantics
   2.1. Hashes in XML
      2.1.1. XML Syntax
      2.1.2. XML Semantics
      2.1.3. Converting from XML to DS Records
      2.1.4. XML Example
   2.2. Certificates
   2.3. Certificate Signing Requests
3. Root Zone Trust Anchor Retrieval
   3.1. Retrieving Trust Anchors with HTTPS and HTTP
4. Accepting DNSSEC Trust Anchors
5. IANA Considerations
6. Security Considerations
7. References
   7.1. Normative References
   7.2. Informative References
Appendix A. Historical Note
Acknowledgements
Authors' Addresses

1. Introduction

The Domain Name System (DNS) is described in [RFC1034] and [RFC1035]. DNS Security Extensions (DNSSEC) are described in [RFC4033], [RFC4034], [RFC4035], [RFC4509], [RFC5155], and [RFC5702].

A discussion of operational practices relating to DNSSEC can be found in [RFC6781].

In the DNSSEC protocol, Resource Record Sets (RRSets) are signed cryptographically. This means that a response to a query contains signatures that allow the integrity and authenticity of the RRSet to be verified. DNSSEC signatures are validated by following a chain of signatures to a "trust anchor". The reason for trusting a trust anchor is outside the DNSSEC protocol, but having one or more trust anchors is required for the DNSSEC protocol to work.

The publication of trust anchors for the root zone of the DNS is an