DNSSEC Trust Anchor Publication for the Root Zone
RFC 7958

Document type: RFC - Informational (August 2016; No errata)
Last updated: 2016-08-31
Stream: ISE
IETF conflict review: conflict-review-jabley-dnssec-trust-anchor
ISE state: Published RFC
Consensus Boilerplate: Unknown
Document shepherd: Nevil Brownlee
Shepherd write-up: last changed 2016-05-31
IESG state: RFC 7958 (Informational)
Responsible AD: (None)
Send notices to: "Nevil Brownlee" <rfc-ise@rfc-editor.org>
IANA review state: Version Changed - Review Needed
IANA action state: RFC-Ed-Ack

Independent Submission                                          J. Abley
Request for Comments: 7958                                     Dyn, Inc.
Category: Informational                                      J. Schlyter
ISSN: 2070-1721                                                 Kirei AB
                                                               G. Bailey
                                                             Independent
                                                              P. Hoffman
                                                                   ICANN
                                                             August 2016

           DNSSEC Trust Anchor Publication for the Root Zone

Abstract

   The root zone of the Domain Name System (DNS) has been
   cryptographically signed using DNS Security Extensions (DNSSEC).

   In order to obtain secure answers from the root zone of the DNS using
   DNSSEC, a client must configure a suitable trust anchor.  This
   document describes the format and publication mechanisms IANA has
   used to distribute the DNSSEC trust anchors.

Status of This Memo

   This document is not an Internet Standards Track specification; it is
   published for informational purposes.

   This is a contribution to the RFC Series, independently of any other
   RFC stream.  The RFC Editor has chosen to publish this document at
   its discretion and makes no statement about its value for
   implementation or deployment.  Documents approved for publication by
   the RFC Editor are not a candidate for any level of Internet
   Standard; see Section 2 of RFC 7841.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   http://www.rfc-editor.org/info/rfc7958.

Abley, et al.                 Informational                     [Page 1]
RFC 7958           Root Zone Trust Anchor Publication        August 2016

Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
     1.1.  Definitions . . . . . . . . . . . . . . . . . . . . . . .   4
   2.  IANA DNSSEC Root Zone Trust Anchor Formats and Semantics  . .   4
     2.1.  Hashes in XML . . . . . . . . . . . . . . . . . . . . . .   4
       2.1.1.  XML Syntax  . . . . . . . . . . . . . . . . . . . . .   5
       2.1.2.  XML Semantics . . . . . . . . . . . . . . . . . . . .   5
       2.1.3.  Converting from XML to DS Records . . . . . . . . . .   7
       2.1.4.  XML Example . . . . . . . . . . . . . . . . . . . . .   8
     2.2.  Certificates  . . . . . . . . . . . . . . . . . . . . . .   8
     2.3.  Certificate Signing Requests  . . . . . . . . . . . . . .   9
   3.  Root Zone Trust Anchor Retrieval  . . . . . . . . . . . . . .   9
     3.1.  Retrieving Trust Anchors with HTTPS and HTTP  . . . . . .   9
   4.  Accepting DNSSEC Trust Anchors  . . . . . . . . . . . . . . .  10
   5.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  11
   6.  Security Considerations . . . . . . . . . . . . . . . . . . .  11
   7.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  11
     7.1.  Normative References  . . . . . . . . . . . . . . . . . .  11
     7.2.  Informative References  . . . . . . . . . . . . . . . . .  13
   Appendix A.  Historical Note  . . . . . . . . . . . . . . . . . .  14
   Acknowledgements  . . . . . . . . . . . . . . . . . . . . . . . .  14
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  14

1.  Introduction

   The Domain Name System (DNS) is described in [RFC1034] and [RFC1035].
   DNS Security Extensions (DNSSEC) are described in [RFC4033],
   [RFC4034], [RFC4035], [RFC4509], [RFC5155], and [RFC5702].

   A discussion of operational practices relating to DNSSEC can be found
   in [RFC6781].

   In the DNSSEC protocol, Resource Record Sets (RRSets) are signed
   cryptographically.  This means that a response to a query contains
   signatures that allow the integrity and authenticity of the RRSet to
   be verified.  DNSSEC signatures are validated by following a chain of
   signatures to a "trust anchor".  The reason for trusting a trust