database logo graphic

STD 74

RFC 5011

"Automated Updates of DNS Security (DNSSEC) Trust Anchors", September 2007

Canonical URL:
http://www.rfc-editor.org/rfc/rfc5011.txt
This document is also available in this non-normative format: PDF.
Status:
INTERNET STANDARD (changed from PROPOSED STANDARD January 2013)
Author:
M. StJohns
Stream:
IETF
Source:
dnsext (int)

Cite this RFC: TXT  |  XML

Other actions: Find Errata (if any)  |  Submit Errata  |  Find IPR Disclosures from the IETF


Abstract

This document describes a means for automated, authenticated, and authorized updating of DNSSEC "trust anchors". The method provides protection against N-1 key compromises of N keys in the trust point key set. Based on the trust established by the presence of a current anchor, other anchors may be added at the same place in the hierarchy, and, ultimately, supplant the existing anchor(s). This mechanism will require changes to resolver management behavior (but not resolver resolution behavior), and the addition of a single flag bit to the DNSKEY record. [STANDARDS-TRACK]


For the definition of Status, see RFC 2026.

For the definition of Stream, see RFC 4844.


Go to the RFC Editor Homepage.