Protocol Action: 'Automated Updates of DNSSEC Trust Anchors' to Internet Standard (RFC 5011)

IESG Secretary, Thu, 03 January 2013 17:32 UTC

The IESG has approved the following document:

- 'Automated Updates of DNS Security (DNSSEC) Trust Anchors,'
   RFC 5011 as an Internet Standard.

This document is the product of the DNS Extensions Working Group. 

A URL of this document is:


   This document describes a means for automated, authenticated, and
   authorized updating of DNSSEC "trust anchors".  The method provides
   protection against N-1 key compromises of N keys in the trust point
   key set.  Based on the trust established by the presence of a current
   anchor, other anchors may be added at the same place in the
   hierarchy, and, ultimately, supplant the existing anchor(s).

   This mechanism will require changes to resolver management behavior
   (but not resolver resolution behavior), and the addition of a single
   flag bit to the DNSKEY record.
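
The add and revoke behaviour summarized in the abstract above, as an added example that is not part of the IESG announcement or of RFC 5011 itself: a simplified form of the RFC 5011 key state table, plus the RFC 4034 key tag to show that setting the REVOKE flag changes a key's tag. The class name, the `observe` interface and any key bytes passed in are assumptions; extending the add hold-down by the RRset TTL is omitted, and treating a pending key that shows REVOKE as removed is a simplification.

```python
from datetime import datetime, timedelta

# DNSKEY flag values: ZONE and SEP from RFC 4034, REVOKE from RFC 5011.
ZONE, REVOKE, SEP = 0x0100, 0x0080, 0x0001
ADD_HOLD_DOWN = timedelta(days=30)     # RFC 5011 minimum add hold-down
REMOVE_HOLD_DOWN = timedelta(days=30)  # RFC 5011 remove hold-down


def key_tag(flags, protocol, algorithm, pubkey):
    """RFC 4034 Appendix B key tag, computed over the DNSKEY RDATA."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + (acc >> 16)) & 0xFFFF


class AnchorCandidate:
    """State of one key at a trust point (hypothetical class name)."""

    def __init__(self):
        self.state, self.since = "Start", None

    def observe(self, now, present, flags=ZONE | SEP, self_signed=False):
        """Apply one refresh of the trust point DNSKEY RRset.

        Assumes the caller already validated the RRset with an anchor that
        is currently Valid; self_signed means this key signed the RRset.
        """
        usable = present and flags & SEP and not flags & REVOKE
        s = self.state
        if s in ("Valid", "Missing") and present and flags & REVOKE and self_signed:
            self._go("Revoked", now)   # only the key itself can revoke it
        elif s == "Start" and usable:
            self._go("AddPend", now)   # hold-down timer starts
        elif s == "AddPend" and not usable:
            self._go("Start", None)    # hold-down timer is discarded
        elif s == "AddPend" and now - self.since >= ADD_HOLD_DOWN:
            self._go("Valid", now)     # accepted as a new trust anchor
        elif s == "Valid" and not present:
            self._go("Missing", now)
        elif s == "Missing" and usable:
            self._go("Valid", now)
        elif s == "Revoked" and now - self.since >= REMOVE_HOLD_DOWN:
            self._go("Removed", now)
        return self.state

    def _go(self, state, when):
        self.state, self.since = state, when
```

Calling `observe` once per refresh shows that a key which disappears during the hold-down falls back to `Start`, so the 30-day timer restarts when it reappears, and that a REVOKE flag without the key's own signature leaves a `Valid` anchor unchanged.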