Protocol Action: 'Delegation Signer Resource Record' to Proposed Standard
The IESG <iesg-secretary@ietf.org> Mon, 25 August 2003 22:06 UTC
From: The IESG <iesg-secretary@ietf.org>
To: IETF-Announce:;
Cc: Internet Architecture Board <iab@iab.org>, RFC Editor <rfc-editor@rfc-editor.org>, namedroppers@ops.ietf.org
Subject: Protocol Action: 'Delegation Signer Resource Record' to Proposed Standard
Message-Id: <E19rP9Y-0000tL-I5@asgard.ietf.org>
Date: Mon, 25 Aug 2003 17:45:32 -0400
Sender: owner-ietf-announce@ietf.org
Precedence: bulk

The IESG has approved the Internet-Draft 'Delegation Signer Resource Record' <draft-ietf-dnsext-delegation-signer-15.txt> as a Proposed Standard. This document is the product of the DNS Extensions Working Group. The IESG contact persons are Thomas Narten and Margaret Wasserman.

Technical Summary

This document defines the Delegation Signer resource record (RR), which replaces the DNSSEC KEY record chain of trust defined in the original RFC 2535 DNSSEC protocol. The DS RR resides only at the parent and identifies (and signs) the key(s) that the child uses to self-sign its own KEY RRset.

In contrast, the previously-used method, which relied on a DNSSEC KEY record chain of trust, had a number of operational issues, including that the same data was located in different places within the DNS (parent and child), which led to inconsistencies in practice, difficulties in updating signatures in some cases, and complexity in resolvers. The DS RR is an explicit statement about the delegation, rather than relying on inference.

Delegation Signer changes the semantics of some previously defined DNSSEC operations and is not backwards compatible with RFC 2535.

Working Group Summary

There was consensus in the WG for this document.

Protocol Quality

This document has been reviewed for the IESG by Thomas Narten and Erik Nordmark.