RFC 9615

Automatic DNSSEC Bootstrapping Using Authenticated Signals from the Zone's Operator, July 2024

File formats:

icon for HTML icon for text file icon for v3pdf icon for XML icon for inline errata
Also available: XML file for editing
 
Status:
PROPOSED STANDARD
Updates:
RFC 7344, RFC 8078
Authors:
P. Thomassen
N. Wisiol
Stream:
IETF
Source:
dnsop (ops)

Cite this RFC: TXT  |  XML  |   BibTeX

DOI:  https://doi.org/10.17487/RFC9615

Discuss this RFC: Send questions or comments to the mailing list dnsop@ietf.org

Other actions: View Errata  |  Submit Errata  |  Find IPR Disclosures from the IETF  |  View History of RFC 9615


Abstract

This document introduces an in-band method for DNS operators to publish arbitrary information about the zones for which they are authoritative, in an authenticated fashion and on a per-zone basis. The mechanism allows managed DNS operators to securely announce DNSSEC key parameters for zones under their management, including for zones that are not currently securely delegated.

Whenever DS records are absent for a zone's delegation, this signal enables the parent's registry or registrar to cryptographically validate the CDS/CDNSKEY records found at the child's apex. The parent can then provision DS records for the delegation without resorting to out-of-band validation or weaker types of cross-checks such as "Accept after Delay".

This document establishes the DS enrollment method described in Section 4 of this document as the preferred method over those from Section 3 of RFC 8078. It also updates RFC 7344.


For the definition of Status, see RFC 2026.

For the definition of Stream, see RFC 8729.




Advanced Search