DNSSEC Trust Anchor Publication for the Root Zone
RFC 7958

Versions
03
04
05
06
07
08
09
10
11
12
13
14
15
16


Document	Type	RFC - Informational (August 2016; No errata) Was draft-jabley-dnssec-trust-anchor (individual)
	Last updated	2016-08-31
	Stream	ISE
	Formats	plain text pdf html bibtex
	IETF conflict review	conflict-review-jabley-dnssec-trust-anchor
Stream	ISE state	Published RFC
	Consensus Boilerplate	Unknown
	Document shepherd	Nevil Brownlee
	Shepherd write-up	Show (last changed 2016-05-31)
IESG	IESG state	RFC 7958 (Informational)
	Telechat date
	Responsible AD	(None)
	Send notices to	"Nevil Brownlee" <rfc-ise@rfc-editor.org>
IANA	IANA review state	Version Changed - Review Needed
	IANA action state	RFC-Ed-Ack

Email authors IPR References Referenced by Nits

Independent Submission                                          J. Abley
Request for Comments: 7958                                     Dyn, Inc.
Category: Informational                                      J. Schlyter
ISSN: 2070-1721                                                 Kirei AB
                                                               G. Bailey
                                                             Independent
                                                              P. Hoffman
                                                                   ICANN
                                                             August 2016

           DNSSEC Trust Anchor Publication for the Root Zone

Abstract

   The root zone of the Domain Name System (DNS) has been
   cryptographically signed using DNS Security Extensions (DNSSEC).

   In order to obtain secure answers from the root zone of the DNS using
   DNSSEC, a client must configure a suitable trust anchor.  This
   document describes the format and publication mechanisms IANA has
   used to distribute the DNSSEC trust anchors.

Status of This Memo

   This document is not an Internet Standards Track specification; it is
   published for informational purposes.

   This is a contribution to the RFC Series, independently of any other
   RFC stream.  The RFC Editor has chosen to publish this document at
   its discretion and makes no statement about its value for
   implementation or deployment.  Documents approved for publication by
   the RFC Editor are not a candidate for any level of Internet
   Standard; see Section 2 of RFC 7841.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   http://www.rfc-editor.org/info/rfc7958.

Abley, et al.                 Informational                     [Page 1]
RFC 7958           Root Zone Trust Anchor Publication        August 2016

Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
     1.1.  Definitions . . . . . . . . . . . . . . . . . . . . . . .   4
   2.  IANA DNSSEC Root Zone Trust Anchor Formats and Semantics  . .   4
     2.1.  Hashes in XML . . . . . . . . . . . . . . . . . . . . . .   4
       2.1.1.  XML Syntax  . . . . . . . . . . . . . . . . . . . . .   5
       2.1.2.  XML Semantics . . . . . . . . . . . . . . . . . . . .   5
       2.1.3.  Converting from XML to DS Records . . . . . . . . . .   7
       2.1.4.  XML Example . . . . . . . . . . . . . . . . . . . . .   8
     2.2.  Certificates  . . . . . . . . . . . . . . . . . . . . . .   8
     2.3.  Certificate Signing Requests  . . . . . . . . . . . . . .   9
   3.  Root Zone Trust Anchor Retrieval  . . . . . . . . . . . . . .   9
     3.1.  Retrieving Trust Anchors with HTTPS and HTTP  . . . . . .   9
   4.  Accepting DNSSEC Trust Anchors  . . . . . . . . . . . . . . .  10
   5.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  11
   6.  Security Considerations . . . . . . . . . . . . . . . . . . .  11
   7.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  11
     7.1.  Normative References  . . . . . . . . . . . . . . . . . .  11
     7.2.  Informative References  . . . . . . . . . . . . . . . . .  13
   Appendix A.  Historical Note  . . . . . . . . . . . . . . . . . .  14
   Acknowledgements  . . . . . . . . . . . . . . . . . . . . . . . .  14
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  14

Abley, et al.                 Informational                     [Page 2]
RFC 7958           Root Zone Trust Anchor Publication        August 2016

1.  Introduction

   The Domain Name System (DNS) is described in [RFC1034] and [RFC1035].
   DNS Security Extensions (DNSSEC) are described in [RFC4033],
   [RFC4034], [RFC4035], [RFC4509], [RFC5155], and [RFC5702].

   A discussion of operational practices relating to DNSSEC can be found
   in [RFC6781].

   In the DNSSEC protocol, Resource Record Sets (RRSets) are signed
   cryptographically.  This means that a response to a query contains
   signatures that allow the integrity and authenticity of the RRSet to
   be verified.  DNSSEC signatures are validated by following a chain of
   signatures to a "trust anchor".  The reason for trusting a trust

Show full document text

DNSSEC Trust Anchor Publication for the Root ZoneRFC 7958

DNSSEC Trust Anchor Publication for the Root Zone
RFC 7958