Last Call: RFC 5011 (Automated Updates of DNS Security (DNSSEC) Trust Anchors) to Internet Standard

IESG Secretary <> Fri, 05 October 2012 14:48 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id A61FD21F861E; Fri, 5 Oct 2012 07:48:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -102.483
X-Spam-Status: No, score=-102.483 tagged_above=-999 required=5 tests=[AWL=0.116, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id O9FqbREHG3ZT; Fri, 5 Oct 2012 07:48:02 -0700 (PDT)
Received: from (localhost []) by (Postfix) with ESMTP id 2AD9921F8593; Fri, 5 Oct 2012 07:48:02 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
From: IESG Secretary <>
To: IETF Announcement List <>
Subject: Last Call: RFC 5011 (Automated Updates of DNS Security (DNSSEC) Trust Anchors) to Internet Standard
X-Test-IDTracker: no
X-IETF-IDTracker: 4.34
Message-ID: <>
Date: Fri, 05 Oct 2012 07:48:02 -0700
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "IETF announcement list. No discussions." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 05 Oct 2012 14:48:02 -0000

The IESG has received a request from the author to consider the
following document:
'Automated Updates of DNS Security (DNSSEC) Trust Anchors,' RFC 5011

as an Internet Standard.

RFC 6410 specifies 4 criteria for reclassifying a document as Internet

   (1) There are at least two independent interoperating implementations
       with widespread deployment and successful operational experience.

1. RFC 5011 support is built in to BIND, the most widely deployed DNS
   server/resolver as of version 9.7. 
2. RFC 5011 support is built in to MS Active

There appears to be sufficient support in zone signing tools for the
REVOKE bit. 

RFC5011 is specified as the root key rollover protocol.  Other zones
appear have adopted this astheir mechanism for updating their trust

RFC5011 is a hybrid of operational practices (by the zone owner to
signal key changes) and implementations (by the zone owner to sign new
keys and revocations, and by the client to automatically update the
trust store).

There appear to be more than two implementations on the client side.  

There is anecdotal evidence that successful operational key rollovers
have been made with this protocol.

   (2) There are no errata against the specification that would cause a
       new implementation to fail to interoperate with deployed ones.

There are no outstanding errata for RFC 5011.

   (3) There are no unused features in the specification that greatly
       increase implementation complexity.

There are no such unused features in RFC 5011.

   (4) If the technology required to implement the specification
       requires patented or otherwise controlled technology, then the
       set of implementations must demonstrate at least two independent,
       separate and successful uses of the licensing process.

The IPR claims against RFC 5011 are non-specific and do not appear to
have affected the implementation of the protocol.

Note that RFC 5011 does include normative references to RFC 3755, RFC
4033, RFC 4034 and RFC 4035 that will become down-refs if RFC 5011 is
reclassified as "Internet Standard."  These down-refs do not preclude
reclassification of RFC 5011 under the criteria of RFC 6410.
The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action. Please send substantive comments to the mailing lists by 2012-11-02. Exceptionally, comments may
be sent to instead. In either case, please retain the
beginning of the Subject line to allow automated sorting.
The file can be obtained via 
IESG discussion can be tracked via