DNSSEC Trust Anchor Publication for the Root Zone
draft-jabley-dnssec-trust-anchor-07

The information below is for an old version of the document: an older version of an Internet-Draft that was ultimately published as RFC 7958 (Informational).
Authors: Joe Abley, Jakob Schlyter, Guillaume Bailey
Last updated: 2013-06-10
IETF conflict review: conflict-review-jabley-dnssec-trust-anchor

Appendix A.  Trust Anchor Publication Document Schema

   A Relax NG Compact Schema for the documents used to publish trust
   anchors can be found in Figure 1.

   datatypes xsd = "http://www.w3.org/2001/XMLSchema-datatypes"

   start = element TrustAnchor {
       attribute id { xsd:string },
       attribute source { xsd:string },
       element Zone { xsd:string },

       keydigest+
   }

   keydigest = element KeyDigest {
       attribute id { xsd:string },
       attribute validFrom { xsd:dateTime },
       attribute validUntil { xsd:dateTime }?,

       element KeyTag {
               xsd:nonNegativeInteger { maxInclusive = "65535" } },
       element Algorithm {
               xsd:nonNegativeInteger { maxInclusive = "255" } },
       element DigestType {
               xsd:nonNegativeInteger { maxInclusive = "255" } },
       element Digest { xsd:hexBinary },

       # Zero or more: the first KeyDigest in Figure 2 carries no
       # Certificate element, and Appendix E.2.4 describes the element
       # as optional, so "+" (one or more) would reject that example.
       element Certificate {
               attribute source { xsd:string },
               empty
       }*
   }

                                 Figure 1

Abley, et al.           Expires December 13, 2013              [Page 14]
Internet-Draft     Root Zone Trust Anchor Publication          June 2013

Appendix B.  Example Signed Trust Anchor Set

   Figure 2 describes two trust anchors for the root zone such as might
   be retrieved using the URL
   <https://data.iana.org/root-anchors/root-anchors.xml>.

   <?xml version="1.0" encoding="UTF-8"?>

   <TrustAnchor
       id="AD42165F-B099-4778-8F42-D34A1D41FD93"
       source="http://data.iana.org/root-anchors/root-anchors.xml">

       <Zone>.</Zone>

       <KeyDigest id="42"
                  validFrom="2010-07-01T00:00:00-00:00"
                  validUntil="2010-08-01T00:00:00-00:00">
           <KeyTag>34291</KeyTag>
           <Algorithm>5</Algorithm>
           <DigestType>1</DigestType>
           <Digest>c8cb3d7fe518835490af8029c23efbce6b6ef3e2</Digest>
       </KeyDigest>

       <KeyDigest id="53"
                  validFrom="2010-08-01T00:00:00-00:00">
           <KeyTag>12345</KeyTag>
           <Algorithm>5</Algorithm>
           <DigestType>1</DigestType>
           <Digest>a3cf809dbdbc835716ba22bdc370d2efa50f21c7</Digest>
           <Certificate
             source="http://data.iana.org/root-anchors/Kexample1.crt"/>
           <Certificate
             source="http://data.iana.org/root-anchors/Kexample2.crt"/>
       </KeyDigest>

   </TrustAnchor>

                                 Figure 2
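The schema in Appendix A and the document in Appendix B together describe what a resolver operator actually consumes: a set of KeyDigest entries, each with a validity window, that map one-to-one onto DS records for the root. The following is an added example, not code from the draft, from IANA or from the authors, that checks a root-anchors.xml document against the Appendix A constraints and emits the DS records valid at a chosen instant, using the Figure 2 document as its sample input. Function and class names (parse_trust_anchor, current_ds_records, KeyDigest, TrustAnchorError, utc_date) are this example's own. It assumes that validFrom is inclusive and validUntil exclusive, that an xsd:dateTime without an offset means UTC, and it applies the digest lengths of the IANA DS digest type registry (SHA-1, SHA-256, SHA-384) as a sanity check. It deliberately never follows the source or Certificate URLs and does not verify any signature over the file; whatever authentication the publication process provides must be checked before the content is trusted.

```python
"""Check a root-anchors.xml document against the Appendix A schema and emit
the DS records valid at a given time.  Added example, not code from the draft."""
import re
import xml.etree.ElementTree as ET  # does not fetch external entities; use defusedxml for hostile input
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

DIGEST_LEN = {1: 20, 2: 32, 4: 48}  # bytes per DS digest type: 1 SHA-1, 2 SHA-256, 4 SHA-384

class TrustAnchorError(ValueError):
    """The document violates the Appendix A schema or a DS sanity check."""

@dataclass(frozen=True)
class KeyDigest:
    id: str
    valid_from: datetime
    valid_until: Optional[datetime]  # None: validUntil absent, window open-ended
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str
    certificates: tuple              # source URLs of the optional <Certificate> elements

    def is_valid_at(self, when: datetime) -> bool:
        # Assumption: validFrom inclusive, validUntil exclusive.
        return self.valid_from <= when and (self.valid_until is None or when < self.valid_until)

    def ds_record(self, zone: str) -> str:
        """DS RR in presentation format (RFC 4034, section 5.3)."""
        return f"{zone} IN DS {self.key_tag} {self.algorithm} {self.digest_type} {self.digest.upper()}"

def _dt(value: str) -> datetime:
    """xsd:dateTime; an offset-less value is taken as UTC (assumption)."""
    d = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return d if d.tzinfo else d.replace(tzinfo=timezone.utc)

def _int(kd: ET.Element, tag: str, maximum: int) -> int:
    text = (kd.findtext(tag) or "").strip()  # nonNegativeInteger with the schema's maxInclusive
    if not re.fullmatch(r"\d+", text) or int(text) > maximum:
        raise TrustAnchorError(f"<{tag}> must be an integer in 0..{maximum}, got {text!r}")
    return int(text)

def _keydigest(kd: ET.Element) -> KeyDigest:
    if "id" not in kd.attrib or "validFrom" not in kd.attrib:
        raise TrustAnchorError("KeyDigest needs id and validFrom attributes")
    tags = [c.tag for c in kd]  # the schema fixes the child order
    if tags[:4] != ["KeyTag", "Algorithm", "DigestType", "Digest"] or set(tags[4:]) - {"Certificate"}:
        raise TrustAnchorError(f"KeyDigest {kd.get('id')}: unexpected children {tags}")
    digest = (kd.findtext("Digest") or "").strip()
    if not re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", digest):  # xsd:hexBinary
        raise TrustAnchorError("<Digest> is not hexBinary")
    dtype = _int(kd, "DigestType", 255)
    if dtype in DIGEST_LEN and len(digest) != 2 * DIGEST_LEN[dtype]:
        raise TrustAnchorError(f"digest type {dtype} needs {DIGEST_LEN[dtype]} bytes, got {len(digest) // 2}")
    certs = []
    for c in kd.findall("Certificate"):  # must be empty and carry source=
        if "source" not in c.attrib or len(c) or (c.text or "").strip():
            raise TrustAnchorError("<Certificate> must be empty with a source attribute")
        certs.append(c.attrib["source"])
    return KeyDigest(kd.attrib["id"], _dt(kd.attrib["validFrom"]),
                     _dt(kd.attrib["validUntil"]) if "validUntil" in kd.attrib else None,
                     _int(kd, "KeyTag", 65535), _int(kd, "Algorithm", 255), dtype, digest, tuple(certs))

def parse_trust_anchor(xml_text: str):
    """Return (id, zone, [KeyDigest, ...]) or raise TrustAnchorError."""
    root = ET.fromstring(xml_text.strip())
    if root.tag != "TrustAnchor" or not {"id", "source"} <= set(root.attrib):
        raise TrustAnchorError("root must be <TrustAnchor id=... source=...>")
    tags = [c.tag for c in root]
    if tags[:1] != ["Zone"] or set(tags[1:]) != {"KeyDigest"}:
        raise TrustAnchorError("TrustAnchor needs one <Zone> then one or more <KeyDigest>")
    zone = (root.findtext("Zone") or "").strip()
    return root.attrib["id"], zone, [_keydigest(kd) for kd in root.findall("KeyDigest")]

def current_ds_records(xml_text: str, when: datetime) -> list:
    """DS records for every KeyDigest whose validity window contains `when`."""
    _, zone, digests = parse_trust_anchor(xml_text)
    return [kd.ds_record(zone) for kd in digests if kd.is_valid_at(when)]

def utc_date(day: str) -> datetime:
    return datetime.fromisoformat(day).replace(tzinfo=timezone.utc)

# Sample input: the two-anchor document of Figure 2, copied from the draft.
FIGURE_2 = """<?xml version="1.0" encoding="UTF-8"?>
<TrustAnchor id="AD42165F-B099-4778-8F42-D34A1D41FD93" source="http://data.iana.org/root-anchors/root-anchors.xml">
  <Zone>.</Zone>
  <KeyDigest id="42" validFrom="2010-07-01T00:00:00-00:00" validUntil="2010-08-01T00:00:00-00:00">
    <KeyTag>34291</KeyTag><Algorithm>5</Algorithm><DigestType>1</DigestType>
    <Digest>c8cb3d7fe518835490af8029c23efbce6b6ef3e2</Digest>
  </KeyDigest>
  <KeyDigest id="53" validFrom="2010-08-01T00:00:00-00:00">
    <KeyTag>12345</KeyTag><Algorithm>5</Algorithm><DigestType>1</DigestType>
    <Digest>a3cf809dbdbc835716ba22bdc370d2efa50f21c7</Digest>
    <Certificate source="http://data.iana.org/root-anchors/Kexample1.crt"/>
    <Certificate source="http://data.iana.org/root-anchors/Kexample2.crt"/>
  </KeyDigest>
</TrustAnchor>"""

if __name__ == "__main__":
    for day in ("2010-07-15", "2010-09-01"):
        print(day, current_ds_records(FIGURE_2, utc_date(day)))
```

Run against Figure 2, the two dates select anchor 42 and anchor 53 respectively, and at exactly 2010-08-01T00:00:00 only anchor 53 is returned, which is where the inclusive/exclusive assumption above matters during a rollover. A document whose Algorithm exceeds 255 or whose SHA-1 digest is not 20 bytes is rejected rather than silently turned into a DS record. Note that the source attribute in Figure 2 is an http URL while the text above names an https one; the attribute is a label for where the document came from, and nothing in this example dereferences it.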


Appendix C.  ASN.1 Module for DNS Resource Record

   ResourceRecord
     { iso(1) identified-organization(3) dod(6) internet(1) security(5)
       mechanisms(5) pkix(7) id-mod(0) id-mod-dns-resource-record(70) }

   DEFINITIONS IMPLICIT TAGS ::=

   BEGIN

   -- EXPORTS ALL --

   IMPORTS

   caseIgnoreMatch FROM SelectedAttributeTypes
       { joint-iso-itu-t ds(5) module(1) selectedAttributeTypes(5) 4 }

   ;

   iana OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
       dod(6) internet(1) private(4) enterprise(1) 1000 }

   iana-dns OBJECT IDENTIFIER ::= { iana 53 }

   resourceRecord ATTRIBUTE ::= {
       WITH SYNTAX IA5String
       EQUALITY MATCHING RULE caseIgnoreIA5Match
       ID iana-dns
   }

   END


Appendix D.  Historical Note

   The first KSK for use in the root zone of the DNS was generated at a
   key ceremony at an ICANN Key Management Facility (KMF) in Culpeper,
   Virginia, USA on 2010-06-16.  This key entered production during a
   second key ceremony held at an ICANN KMF in El Segundo, California,
   USA on 2010-07-12.  The resulting trust anchor was first published on
   2010-07-15.


Appendix E.  About this Document

   [RFC Editor: please remove this section, including all subsections,
   prior to publication.]

E.1.  Discussion

   This document is not the product of any IETF working group.  However,
   communities interested in similar technical work can be found at the
   IETF in the DNSOP and DNSEXT working groups.

   The team responsible for deployment of DNSSEC in the root zone can be
   reached at rootsign@icann.org.

   The authors also welcome feedback sent to them directly.

E.2.  Document History

E.2.1.  draft-jabley-dnssec-trust-anchor-00

   This document is based on earlier documentation used within and
   published by the team responsible for DNSSEC deployment in the root
   zone.  This is the first revision circulated with the intention of
   publication in the RFC series.

E.2.2.  draft-jabley-dnssec-trust-anchor-01

   Incorporated initial community suggestions.  Editorial improvements.
   Allocate OID and clean up syntax of ASN.1 module.

E.2.3.  draft-jabley-dnssec-trust-anchor-02

   Draft expired.

E.2.4.  draft-jabley-dnssec-trust-anchor-04

   Added the optional <Certificate> element to the XML schema to provide
   a mechanism for locating external X.509 certificates relating to a
   particular key.

E.2.5.  draft-jabley-dnssec-trust-anchor-05

   Update author address.

E.2.6.  draft-jabley-dnssec-trust-anchor-06

   Update references.


E.2.7.  draft-jabley-dnssec-trust-anchor-07

   Minor changes based on review by Paul Hoffman.


Authors' Addresses

   Joe Abley
   ICANN
   12025 Waterfront Drive, Suite 300
   Los Angeles, CA  90094-2536
   US

   Phone: +1 519 670 9327
   Email: joe.abley@icann.org

   Jakob Schlyter
   Kirei AB

   Email: jakob@kirei.se

   Guy Bailey
   Microsoft Corporation
   One Microsoft Way
   Redmond, WA  98052
   US

   Phone: +1 425 538 6153 x86153
   Email: gubailey@microsoft.com
