Managing DS Records from the Parent via CDS/CDNSKEY (RFC8078)
Original Publication Date: 2017-Mar-01
Included in the Prior Art Database: 2017-Mar-11
Internet Society Requests For Comment (RFCs)
O. Gudmundsson: AUTHOR [+2]
CDS (Child DS) and CDNSKEY (Child DNSKEY) [RFC7344] records are used to signal changes in secure entry points. This is one method to maintain delegations that can be used when the DNS operator has no other way to inform the parent that changes are needed. This document elevates [RFC7344] from Informational to Standards Track.
Internet Engineering Task Force (IETF) O. Gudmundsson Request for Comments: 8078 CloudFlare Updates: 7344 P. Wouters Category: Standards Track Red Hat ISSN: 2070-1721 March 2017
Managing DS Records from the Parent via CDS/CDNSKEY
RFC 7344 specifies how DNS trust can be maintained across key rollovers in-band between parent and child. This document elevates RFC 7344 from Informational to Standards Track. It also adds a method for initial trust setup and removal of a secure entry point.
Changing a domain's DNSSEC status can be a complicated matter involving multiple unrelated parties. Some of these parties, such as the DNS operator, might not even be known by all the organizations involved. The inability to disable DNSSEC via in-band signaling is seen as a problem or liability that prevents some DNSSEC adoption at a large scale. This document adds a method for in-band signaling of these DNSSEC status changes.
This document describes reasonable policies to ease deployment of the initial acceptance of new secure entry points (DS records).
It is preferable that operators collaborate on the transfer or move of a domain. The best method is to perform a Key Signing Key (KSK) plus Zone Signing Key (ZSK) rollover. If that is not possible, the method using an unsigned intermediate state described in this document can be used to move the domain between two parties. This leaves the domain temporarily unsigned and vulnerable to DNS spoofing, but that is preferred over the alternative of validation failures due to a mismatched DS and DNSKEY record.
Gudmundsson & Wouters Standards Track [Page 1]
RFC 8078 Managing DS Records March 2017
Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841.
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc8078.
Copyright (c) 2017 IETF Trust and the persons identif...