Multi-Signer DNSSEC Models
RFC 8901

Approval announcement
Draft of message to be sent after approval:

From: The IESG <iesg-secretary@ietf.org>
To: IETF-Announce <ietf-announce@ietf.org>
Cc: warren@kumari.net, dnsop@ietf.org, dnsop-chairs@ietf.org, benno@NLnetLabs.nl, rfc-editor@rfc-editor.org, Benno Overeinder <benno@NLnetLabs.nl>, draft-ietf-dnsop-multi-provider-dnssec@ietf.org, The IESG <iesg@ietf.org>
Subject: Document Action: 'Multi Signer DNSSEC models' to Informational RFC (draft-ietf-dnsop-multi-provider-dnssec-05.txt)

The IESG has approved the following document:
- 'Multi Signer DNSSEC models'
  (draft-ietf-dnsop-multi-provider-dnssec-05.txt) as Informational RFC

This document is the product of the Domain Name System Operations Working
Group.

The IESG contact persons are Warren Kumari and Robert Wilton.

A URL of this Internet Draft is:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-multi-provider-dnssec/


Technical Summary

The draft documents operational models for deploying DNSSEC signed
zones across multiple DNS providers to distribute their authoritative
DNS service.  It presents challenges depending on the configuration
and feature set in use, and presents several deployment models that
may be suitable.


Working Group Summary

The document has been reviewed and discussed on the DNSOP mailing list
and during DNSOP workgroup meetings.  Contributions were done by a
relative small number of interested folks, feedback by the WG was
promptly integrated in the document.  No points of difficulty or
controversy appeared and consensus was quick.  There has been good
consensus during the WGLC period.

External parties (DNS zone owners and DNS providers) have architected
the DNSSEC multi-provider model in their operations and use it in
their daily job (e.g., see DNSOP mailing list, email thread “[DNSOP]
Working Group Last Call for draft-ietf-dnsop-multi-provider-dnssec”.)


Document Quality

The document is of good quality, and describes a real issue and (real world) operational advice on how to deal with this.
The security section mentions the need for strong authentication to
protect DNSSEC key material, but although the usefulness of the
warning, this is beyond the scope of the document.

The document shepherd has no specific concerns or issues with the
document or with the WG process.  The shepherd stands behind the
document and thinks the document is ready for publication.


Personnel

Document Shepherd: Benno Overeinder
Area Director: Warren Kumari