Dear DNSOP,
This draft introduces automatic bootstrapping of DNSSEC delegations. The
previous version has been presented at IETF 112, and the new version
incorporates the feedback gathered there (and on this list before the meeting).
Changes (taken from Appendix, with additional notes):
- Clarified importance of record cleanup by moving paragraph up.
# this is Section 4.1
- Pointed out limitations.
# this is (new) Section 3.4
- Replace [RFC8078] Section 3 with our Section 3.2.
# It was proposed to deprecate RFC 8078 Section 3.3 ("Accept after Delay").
Replacing all of Section 3 is one way of doing this. Of course, we can limit the update
to Section 3.3.
- Changed _boot label to _dsauth.
# based on a proposal to switch to _dsbootstrap, but I like _dsauth better :-)
- Removed hashing of Child name components in Signaling Names.
# as discussed at the meeting
- Editorial changes.
Looking forward to the next steps!
Thanks,
Peter
-------- Forwarded Message --------
Subject: New Version Notification for
draft-thomassen-dnsop-dnssec-bootstrapping-03.txt
Date: Mon, 29 Nov 2021 15:57:25 -0800
From: internet-dra...@ietf.org
To: Nils Wisiol <n...@desec.io>, Peter Thomassen <pe...@desec.io>
A new version of I-D, draft-thomassen-dnsop-dnssec-bootstrapping-03.txt
has been successfully submitted by Peter Thomassen and posted to the
IETF repository.
Name: draft-thomassen-dnsop-dnssec-bootstrapping
Revision: 03
Title: Automatic DNSSEC Bootstrapping using Authenticated Signals from
the Zone's Operator
Document date: 2021-11-29
Group: Individual Submission
Pages: 14
URL:
https://www.ietf.org/archive/id/draft-thomassen-dnsop-dnssec-bootstrapping-03.txt
Status:
https://datatracker.ietf.org/doc/draft-thomassen-dnsop-dnssec-bootstrapping/
Html:
https://www.ietf.org/archive/id/draft-thomassen-dnsop-dnssec-bootstrapping-03.html
Htmlized:
https://datatracker.ietf.org/doc/html/draft-thomassen-dnsop-dnssec-bootstrapping
Diff:
https://www.ietf.org/rfcdiff?url2=draft-thomassen-dnsop-dnssec-bootstrapping-03
Abstract:
This document introduces an in-band method for DNS operators to
publish arbitrary information about the zones they are authoritative
for, in an authenticated fashion and on a per-zone basis. The
mechanism allows managed DNS operators to securely announce DNSSEC
key parameters for zones under their management, including for zones
that are not currently securely delegated.
Whenever DS records are absent for a zone's delegation, this signal
enables the parent's registry or registrar to cryptographically
validate the CDS/CDNSKEY records found at the child's apex. The
parent can then provision DS records for the delegation without
resorting to out-of-band validation or weaker types of cross-checks
such as "Accept after Delay" ([RFC8078]).
This document updates [RFC8078] and replaces its Section 3 with
Section 3.2 of this document.
[ Ed note: Text inside square brackets ([]) is additional background
information, answers to frequently asked questions, general musings,
etc. They will be removed before publication. This document is
being collaborated on at https://github.com/desec-io/draft-thomassen-
dnsop-dnssec-bootstrapping/ (https://github.com/desec-io/draft-
thomassen-dnsop-dnssec-bootstrapping/). The most recent version of
the document, open issues, etc. should all be available there. The
authors gratefully accept pull requests. ]
The IETF Secretariat
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
