
DNSSEC Operational Practices, Version 2
RFC 6781

Document Type RFC - Informational (December 2012) Errata
Obsoletes RFC 4641
Authors Olaf Kolkman, Matthijs Mekking, R. (Miek) Gieben
Last updated 2020-01-21
RFC stream Internet Engineering Task Force (IETF)
IESG Responsible AD Ron Bonica

   ----------------------------------------------------------------
    initial              new RRSIGs           new DNSKEY
   ----------------------------------------------------------------
   Parent:
    SOA_0 -------------------------------------------------------->
    RRSIG_par(SOA) ----------------------------------------------->
    DS_K_1 ------------------------------------------------------->
    RRSIG_par(DS_K_1) -------------------------------------------->

   Child:
    SOA_0                SOA_1                SOA_2
    RRSIG_Z_1(SOA)       RRSIG_Z_1(SOA)       RRSIG_Z_1(SOA)
                         RRSIG_Z_2(SOA)       RRSIG_Z_2(SOA)

    DNSKEY_K_1           DNSKEY_K_1           DNSKEY_K_1
                                              DNSKEY_K_2
    DNSKEY_Z_1           DNSKEY_Z_1           DNSKEY_Z_1
                                              DNSKEY_Z_2
    RRSIG_K_1(DNSKEY)    RRSIG_K_1(DNSKEY)    RRSIG_K_1(DNSKEY)
                                              RRSIG_K_2(DNSKEY)

   ----------------------------------------------------------------
    new DS               revoke DNSKEY        DNSKEY removal
   ----------------------------------------------------------------
   Parent:
    SOA_1 ------------------------------------------------------->
    RRSIG_par(SOA) ---------------------------------------------->
    DS_K_2 ------------------------------------------------------>
    RRSIG_par(DS_K_2) ------------------------------------------->

   Child:
    -------------------> SOA_3                SOA_4
    -------------------> RRSIG_Z_1(SOA)       RRSIG_Z_1(SOA)
    -------------------> RRSIG_Z_2(SOA)       RRSIG_Z_2(SOA)

    -------------------> DNSKEY_K_1_REVOKED
    -------------------> DNSKEY_K_2           DNSKEY_K_2
    ------------------->
    -------------------> DNSKEY_Z_2           DNSKEY_Z_2
    -------------------> RRSIG_K_1(DNSKEY)
    -------------------> RRSIG_K_2(DNSKEY)    RRSIG_K_2(DNSKEY)

Kolkman, et al.               Informational                    [Page 65]
RFC 6781         DNSSEC Operational Practices, Version 2   December 2012

   ----------------------------------------------------------------
    RRSIGs removal
   ----------------------------------------------------------------
   Parent:
    ------------------------------------->
    ------------------------------------->
    ------------------------------------->
    ------------------------------------->

   Child:
    SOA_5
    RRSIG_Z_2(SOA)

    DNSKEY_K_2

    DNSKEY_Z_2

    RRSIG_K_2(DNSKEY)
   ----------------------------------------------------------------

                 Figure 13: RFC 5011 Style Algorithm Roll

   Also see Section 4.1.4.2.

   ----------------------------------------------------------------
    initial              new RRSIGs           new DNSKEY
   ----------------------------------------------------------------
   Parent:
    SOA_0 -------------------------------------------------------->
    RRSIG_par(SOA) ----------------------------------------------->
    DS_S_1 ------------------------------------------------------->
    RRSIG_par(DS_S_1) -------------------------------------------->

   Child:
    SOA_0                SOA_1                SOA_2
    RRSIG_S_1(SOA)
    RRSIG_Z_10(SOA)      RRSIG_Z_10(SOA)      RRSIG_Z_10(SOA)
                         RRSIG_S_2(SOA)       RRSIG_S_2(SOA)

    DNSKEY_S_1           DNSKEY_S_1           DNSKEY_S_1
    DNSKEY_Z_10          DNSKEY_Z_10          DNSKEY_Z_10
                                              DNSKEY_S_2
    RRSIG_S_1(DNSKEY)    RRSIG_S_1(DNSKEY)    RRSIG_S_1(DNSKEY)
                         RRSIG_S_2(DNSKEY)    RRSIG_S_2(DNSKEY)

   ----------------------------------------------------------------
    new DS               revoke DNSKEY        DNSKEY removal
   ----------------------------------------------------------------
   Parent:
    SOA_1 ------------------------------------------------------->
    RRSIG_par(SOA) ---------------------------------------------->
    DS_S_2 ------------------------------------------------------>
    RRSIG_par(DS_S_2) ------------------------------------------->

   Child:
    -------------------> SOA_3                SOA_4

    -------------------> RRSIG_Z_10(SOA)
    -------------------> RRSIG_S_2(SOA)       RRSIG_S_2(SOA)

    -------------------> DNSKEY_S_1_REVOKED
    -------------------> DNSKEY_Z_10
    -------------------> DNSKEY_S_2           DNSKEY_S_2
    -------------------> RRSIG_S_1(DNSKEY)    RRSIG_S_1(DNSKEY)
    -------------------> RRSIG_S_2(DNSKEY)    RRSIG_S_2(DNSKEY)

   ----------------------------------------------------------------
    RRSIGs removal
   ----------------------------------------------------------------
   Parent:
    ------------------------------------->
    ------------------------------------->
    ------------------------------------->
    ------------------------------------->

   Child:
    SOA_5

    RRSIG_S_2(SOA)

    DNSKEY_S_2

    RRSIG_S_2(DNSKEY)
   ----------------------------------------------------------------

            Figure 14: RFC 5011 Algorithm Roll in a Single-Type
                        Signing Scheme Environment

   Also see Section 4.1.4.3.
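
   The order the two figures impose (new RRSIGs, then new DNSKEY, then
   new DS, then revoke, then remove DNSKEY, then remove RRSIGs) exists so
   that at every phase a validator using either algorithm can still build
   a chain of trust.  The following is an added example, not text or code
   from RFC 6781 or its authors: it transcribes the phases of Figures 13
   and 14 into a small model and checks, at each phase, the invariants a
   validator relies on (a DS that matches a published, signing DNSKEY;
   an RRSIG from every algorithm in the DNSKEY RRset over every RRset; a
   revoked key that signs the DNSKEY RRset itself), then shows what
   breaks when the same steps are taken out of order.  The algorithm
   numbers attached to the key labels (8 for the old keys, 13 for the new
   ones) are assumed, and the zone is reduced to the SOA and DNSKEY
   RRsets as in the figures.

```python
"""Phase-by-phase invariant check for an RFC 5011 style algorithm roll.

Added example, not text or code from RFC 6781.  The phase tables are a
hand transcription of Figures 13 and 14; the algorithm numbers given to
the key labels are assumed (8 = RSA/SHA-256, 13 = ECDSA P-256/SHA-256).
"""
from dataclasses import dataclass, field

# Assumed algorithm per key label (K = KSK, Z = ZSK, S = single key).
KEY_ALG = {"K_1": 8, "Z_1": 8, "K_2": 13, "Z_2": 13,
           "S_1": 8, "Z_10": 8, "S_2": 13}


@dataclass
class Phase:
    name: str
    ds: set                                    # keys the parent's DS RRset points at
    dnskey: set                                # keys in the child's DNSKEY RRset
    sigs: dict                                 # RRset name -> keys with an RRSIG over it
    revoked: set = field(default_factory=set)  # keys in dnskey with the REVOKE bit set


def check_phase(p):
    """Return the problems a validator would hit in this phase ([] = clean).

    1. Some DS must match a non-revoked DNSKEY that signs the DNSKEY RRset.
    2. Every RRset needs an RRSIG from every algorithm in the DNSKEY RRset
       (RFC 4035 s.2.2); RRSIGs by keys no longer published are harmless.
    3. A key with the REVOKE bit set must sign the DNSKEY RRset itself
       (RFC 5011), or the revocation is not accepted.
    """
    problems = []
    dnskey_sigs = p.sigs.get("DNSKEY", set())
    if not any(k in p.dnskey and k in dnskey_sigs and k not in p.revoked
               for k in p.ds):
        problems.append(f"{p.name}: no DS matches a DNSKEY that signs the DNSKEY RRset")
    zone_algs = {KEY_ALG[k] for k in p.dnskey}
    for rrset, signers in p.sigs.items():
        missing = zone_algs - {KEY_ALG[k] for k in signers}
        if missing:
            problems.append(f"{p.name}: {rrset} has no RRSIG for algorithm(s) {sorted(missing)}")
    for k in p.revoked:
        if k not in dnskey_sigs:
            problems.append(f"{p.name}: revoked {k} does not self-sign the DNSKEY RRset")
    return problems


def check_roll(phases):
    """Map each phase name to its list of problems."""
    return {p.name: check_phase(p) for p in phases}


# Figure 13: KSK/ZSK split, algorithm of K_1/Z_1 rolled to that of K_2/Z_2.
FIGURE_13 = [
    Phase("initial", {"K_1"}, {"K_1", "Z_1"}, {"SOA": {"Z_1"}, "DNSKEY": {"K_1"}}),
    Phase("new RRSIGs", {"K_1"}, {"K_1", "Z_1"}, {"SOA": {"Z_1", "Z_2"}, "DNSKEY": {"K_1"}}),
    Phase("new DNSKEY", {"K_1"}, {"K_1", "Z_1", "K_2", "Z_2"},
          {"SOA": {"Z_1", "Z_2"}, "DNSKEY": {"K_1", "K_2"}}),
    Phase("new DS", {"K_2"}, {"K_1", "Z_1", "K_2", "Z_2"},
          {"SOA": {"Z_1", "Z_2"}, "DNSKEY": {"K_1", "K_2"}}),
    Phase("revoke DNSKEY", {"K_2"}, {"K_1", "K_2", "Z_2"},
          {"SOA": {"Z_1", "Z_2"}, "DNSKEY": {"K_1", "K_2"}}, revoked={"K_1"}),
    Phase("DNSKEY removal", {"K_2"}, {"K_2", "Z_2"}, {"SOA": {"Z_1", "Z_2"}, "DNSKEY": {"K_2"}}),
    Phase("RRSIGs removal", {"K_2"}, {"K_2", "Z_2"}, {"SOA": {"Z_2"}, "DNSKEY": {"K_2"}}),
]

# Figure 14: Single-Type Signing Scheme, S_1 (alongside Z_10) rolled to S_2.
FIGURE_14 = [
    Phase("initial", {"S_1"}, {"S_1", "Z_10"}, {"SOA": {"S_1", "Z_10"}, "DNSKEY": {"S_1"}}),
    Phase("new RRSIGs", {"S_1"}, {"S_1", "Z_10"}, {"SOA": {"Z_10", "S_2"}, "DNSKEY": {"S_1", "S_2"}}),
    Phase("new DNSKEY", {"S_1"}, {"S_1", "Z_10", "S_2"},
          {"SOA": {"Z_10", "S_2"}, "DNSKEY": {"S_1", "S_2"}}),
    Phase("new DS", {"S_2"}, {"S_1", "Z_10", "S_2"}, {"SOA": {"Z_10", "S_2"}, "DNSKEY": {"S_1", "S_2"}}),
    Phase("revoke DNSKEY", {"S_2"}, {"S_1", "Z_10", "S_2"},
          {"SOA": {"Z_10", "S_2"}, "DNSKEY": {"S_1", "S_2"}}, revoked={"S_1"}),
    Phase("DNSKEY removal", {"S_2"}, {"S_2"}, {"SOA": {"S_2"}, "DNSKEY": {"S_1", "S_2"}}),
    Phase("RRSIGs removal", {"S_2"}, {"S_2"}, {"SOA": {"S_2"}, "DNSKEY": {"S_2"}}),
]

# Constructed counter-examples: the same transitions taken out of order.
MISORDERED = [
    Phase("DNSKEY before RRSIGs", {"K_1"}, {"K_1", "Z_1", "K_2", "Z_2"},
          {"SOA": {"Z_1"}, "DNSKEY": {"K_1", "K_2"}}),
    Phase("DS before DNSKEY", {"K_2"}, {"K_1", "Z_1"}, {"SOA": {"Z_1", "Z_2"}, "DNSKEY": {"K_1"}}),
    Phase("revoke without self-signature", {"K_2"}, {"K_1", "K_2", "Z_2"},
          {"SOA": {"Z_1", "Z_2"}, "DNSKEY": {"K_2"}}, revoked={"K_1"}),
]

if __name__ == "__main__":
    for label, seq in (("Figure 13", FIGURE_13), ("Figure 14", FIGURE_14),
                       ("misordered", MISORDERED)):
        for name, problems in check_roll(seq).items():
            print(f"{label:10} {name:30} {'ok' if not problems else problems}")
```

   Every phase of both figures passes; the three misordered phases each
   fail one rule: publishing the new-algorithm DNSKEYs before the
   RRSIGs they imply leaves the SOA unsigned for algorithm 13, publishing
   DS_K_2 before DNSKEY_K_2 leaves the parent pointing at a key that is
   not in the zone, and revoking K_1 without keeping RRSIG_K_1(DNSKEY)
   means RFC 5011 resolvers never accept the revocation.  The same check
   can be run against a live zone by filling a Phase from the DNSKEY and
   RRSIG records returned by the child and the DS records returned by
   the parent.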

Appendix D.  Transition Figure for Changing DNS Operators

   The figure in this Appendix complements and illustrates the special
   case of changing DNS operators as described in Section 4.3.5.1.

    ------------------------------------------------------------
    new DS             |        pre-publish                    |
    ------------------------------------------------------------
    Parent:
     NS_A                            NS_A
     DS_A DS_B                       DS_A DS_B
    ------------------------------------------------------------
    Child at A:            Child at A:        Child at B:
     SOA_A0                 SOA_A1             SOA_B0
     RRSIG_Z_A(SOA)         RRSIG_Z_A(SOA)     RRSIG_Z_B(SOA)

     NS_A                   NS_A               NS_B
     RRSIG_Z_A(NS)          NS_B               RRSIG_Z_B(NS)
                            RRSIG_Z_A(NS)

     DNSKEY_Z_A             DNSKEY_Z_A         DNSKEY_Z_A
                            DNSKEY_Z_B         DNSKEY_Z_B
     DNSKEY_K_A             DNSKEY_K_A         DNSKEY_K_B
     RRSIG_K_A(DNSKEY)      RRSIG_K_A(DNSKEY)  RRSIG_K_A(DNSKEY)
                            RRSIG_K_B(DNSKEY)  RRSIG_K_B(DNSKEY)
    ------------------------------------------------------------

    ------------------------------------------------------------
          re-delegation                |   post-migration      |
    ------------------------------------------------------------
    Parent:
              NS_B                           NS_B
              DS_A DS_B                      DS_B
    ------------------------------------------------------------
    Child at A:        Child at B:           Child at B:

     SOA_A1             SOA_B0                SOA_B1
     RRSIG_Z_A(SOA)     RRSIG_Z_B(SOA)        RRSIG_Z_B(SOA)

     NS_A               NS_B                  NS_B
     NS_B               RRSIG_Z_B(NS)         RRSIG_Z_B(NS)
     RRSIG_Z_A(NS)

     DNSKEY_Z_A         DNSKEY_Z_A
     DNSKEY_Z_B         DNSKEY_Z_B            DNSKEY_Z_B
     DNSKEY_K_A         DNSKEY_K_B            DNSKEY_K_B
     RRSIG_K_A(DNSKEY)  RRSIG_K_B(DNSKEY)     RRSIG_K_B(DNSKEY)
    ------------------------------------------------------------

   Figure 15: An Alternative Rollover Approach for Cooperating Operators

Appendix E.  Summary of Changes from RFC 4641

   This document differs from RFC 4641 [RFC4641] in the following ways:

   o  Addressed the errata listed on
      <http://www.rfc-editor.org/errata_search.php?rfc=4641>.

   o  Recommended RSA/SHA-256 in addition to RSA/SHA-1.

   o  Did a complete rewrite of Section 3.5 of RFC 4641 (Section 3.4.2
      of this document), removing the table and suggesting a key size of
      1024 for keys in use for less than 8 years, issued up to at least
      2015.

   o  Removed the KSK for high-level zones consideration.

   o  Added text on algorithm rollover.

   o  Added text on changing (non-cooperating) DNS registrars.

   o  Did a significant rewrite of Section 3, whereby the argument is
      made that the timescales for rollovers are made purely on
      operational arguments.

   o  Added Section 5.

   o  Introduced Single-Type Signing Scheme terminology and made the
      arguments for the choice of a Single-Type Signing Scheme more
      explicit.

   o  Added a section about stand-by keys.

Authors' Addresses

   Olaf M. Kolkman
   NLnet Labs
   Science Park 400
   Amsterdam  1098 XH
   The Netherlands

   EMail: olaf@nlnetlabs.nl
   URI:   http://www.nlnetlabs.nl

   W. (Matthijs) Mekking
   NLnet Labs
   Science Park 400
   Amsterdam  1098 XH
   The Netherlands

   EMail: matthijs@nlnetlabs.nl
   URI:   http://www.nlnetlabs.nl

   R. (Miek) Gieben
   SIDN Labs
   Meander 501
   Arnhem  6825 MD
   The Netherlands

   EMail: miek.gieben@sidn.nl
   URI:   http://www.sidn.nl
