Search RFCs
RFC 8078
Managing DS Records from the Parent via CDS/CDNSKEY,March 2017
- File formats:
- Status:
- PROPOSED STANDARD
- Updates:
- RFC 7344
- Updated by:
- RFC 9615
- Authors:
- O. Gudmundsson
P. Wouters - Stream:
- IETF
- Source:
- dnsop (ops)
Cite this RFC:TXT | XML | BibTeX
DOI: https://doi.org/10.17487/RFC8078
Discuss this RFC: Send questions or comments to the mailing listdnsop@ietf.org
Other actions:View Errata | Submit Errata | Find IPR Disclosures from the IETF | View History of RFC 8078
Abstract
RFC 7344 specifies how DNS trust can be maintained across keyrollovers in-band between parent and child. This document elevatesRFC 7344 from Informational to Standards Track. It also adds amethod for initial trust setup and removal of a secure entry point.
Changing a domain's DNSSEC status can be a complicated matterinvolving multiple unrelated parties. Some of these parties, such asthe DNS operator, might not even be known by all the organizationsinvolved. The inability to disable DNSSEC via in-band signaling isseen as a problem or liability that prevents some DNSSEC adoption ata large scale. This document adds a method for in-band signaling ofthese DNSSEC status changes.
This document describes reasonable policies to ease deployment of theinitial acceptance of new secure entry points (DS records).
It is preferable that operators collaborate on the transfer or moveof a domain. The best method is to perform a Key Signing Key (KSK)plus Zone Signing Key (ZSK) rollover. If that is not possible, themethod using an unsigned intermediate state described in thisdocument can be used to move the domain between two parties. Thisleaves the domain temporarily unsigned and vulnerable to DNSspoofing, but that is preferred over the alternative of validationfailures due to a mismatched DS and DNSKEY record.
For the definition ofStatus,seeRFC 2026.
For the definition ofStream, seeRFC 8729.