Re: [DNSOP] I-D Action: draft-ietf-dnsop-dnssec-bootstrapping-01.txt

Peter Thomassen <> Fri, 17 June 2022 10:17 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 474E0C15AAC6 for <>; Fri, 17 Jun 2022 03:17:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -3.785
X-Spam-Status: No, score=-3.785 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, NICE_REPLY_A=-1.876, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id XVyLf4KlBFsz for <>; Fri, 17 Jun 2022 03:17:34 -0700 (PDT)
Received: from ( [IPv6:2a01:4f8:10a:1d5c:8000::8]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id DED00C14F729 for <>; Fri, 17 Jun 2022 03:17:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;; s=20170825; h=Content-Transfer-Encoding:Content-Type:In-Reply-To:Subject:From :References:To:MIME-Version:Date:Message-ID:Sender:Reply-To:Cc:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=5jICnxRc1ktaG3C7+YR+n1+snCiWpwVu3su1yhrR3f0=; b=Ac+ptyYv2XZPBz0lHZdFv72ZyC GEGkQ/TwS2LRmd+1ppvDmbPLe+ZTKRtdPzLwIfYWdcbplCnE7Ehn8ipfxElFm5e8lBeVlWOxacXym w0w17ixxYT7uAVneRpMubmfdu9EDvMlE8+wIp/cIDJnss7Q7g18ol6MXFR2GO6zCpJcNHzD4O3GQS SM5ElWx7Yo8RJ2D/IilylIEU/8+qxOMdAtNQ1fD3cWh+OwtBYbANa6IfIQ5bJ/4Nzftnk1mAfKFc0 7xU4KOLHIAPOI36cgmfC/sOAMN6q2NtmsICDrrmuIl6+2gwUP7Dat2JeHvbQcPtvRbwvLlaXrO5hZ MtwPKvvA==;
Received: from ([] helo=[]) by with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from <>) id 1o292h-00062W-SC for; Fri, 17 Jun 2022 12:17:32 +0200
Message-ID: <>
Date: Fri, 17 Jun 2022 12:17:31 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.9.1
Content-Language: en-US
References: <>
From: Peter Thomassen <>
In-Reply-To: <>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-dnssec-bootstrapping-01.txt
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 17 Jun 2022 10:17:39 -0000


We have addressed the WG's feedback from the Interim on May 24, and also addressed remaining outstanding issues (mainly editorial).

 From the authors' perspective, the protocol draft is now "final" (in the sense, that no action items remain). We would appreciate the group's thorough feedback, and -- if the group feels like it -- proceed to WG Last Call

The most significant changes are:

> Introduced Signaling Type prefix (_dsboot), renamed Signaling Name infix from _dsauth to _signal.
> Allow bootstrapping when some (not all) NS hostnames are in bailiwick.

Due to the first change, DS signaling records now live at names such as:

Other changes are:

> Clarified Operational Recommendations according to operator feedback.
> Turn loose Security Considerations points into coherent text.
> Do no longer suggest NSEC-walking Signaling Domains. (It does not work well due to the Signaling Type prefix. What's more, it's unclear who would do this: Parents know there delegations and can do a targeted scan; others are not interested.)
> Editorial changes.
> Added IANA request.

On other news, Cloudflare has announced production deployment of the protocol on all their signed domains (see slide 10 of Christian's slides at


On 6/17/22 12:06, wrote:
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the Domain Name System Operations WG of the IETF.
>          Title           : Automatic DNSSEC Bootstrapping using Authenticated Signals from the Zone's Operator
>          Authors         : Peter Thomassen
>                            Nils Wisiol
> 	Filename        : draft-ietf-dnsop-dnssec-bootstrapping-01.txt
> 	Pages           : 14
> 	Date            : 2022-06-17
> Abstract:
>     This document introduces an in-band method for DNS operators to
>     publish arbitrary information about the zones they are authoritative
>     for, in an authenticated fashion and on a per-zone basis.  The
>     mechanism allows managed DNS operators to securely announce DNSSEC
>     key parameters for zones under their management, including for zones
>     that are not currently securely delegated.
>     Whenever DS records are absent for a zone's delegation, this signal
>     enables the parent's registry or registrar to cryptographically
>     validate the CDS/CDNSKEY records found at the child's apex.  The
>     parent can then provision DS records for the delegation without
>     resorting to out-of-band validation or weaker types of cross-checks
>     such as "Accept after Delay" ([RFC8078]).
>     This document updates [RFC8078] and replaces its Section 3 with
>     Section 3.2 of this document.
>     [ Ed note: This document is being collaborated on at
>     (
>     The authors gratefully accept pull requests. ]
> The IETF datatracker status page for this draft is:
> There is also an HTML version available at:
> A diff from the previous version is available at:
> Internet-Drafts are also available by rsync at
> _______________________________________________
> DNSOP mailing list

Like our community service? đź’›
Please consider donating at

deSEC e.V.
Kyffhäuserstr. 5
10781 Berlin

Vorstandsvorsitz: Nils Wisiol
Registergericht: AG Berlin (Charlottenburg) VR 37525