DNSSEC Validators Requirements

The information below is for an old version of the document
Document Type Expired Internet-Draft (individual)
Authors Daniel Migault, Dan York, Edward Lewis
Last updated 2018-05-03 (latest revision 2017-10-30)
Replaced by draft-ietf-dnsop-dnssec-validator-requirements
Stream (None)
Expired & archived
Stream Stream state (No stream defined)
Consensus Boilerplate Unknown
RFC Editor Note (None)
IESG IESG state Expired
Telechat date
Responsible AD (None)
Send notices to (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft can be found at


DNSSEC provides data integrity and source authentication to a basic DNS RRset. Given an RRset, a public key and a signature, a DNSSEC validator checks the signature, time constraints, and other local policies. In case of a mismatch, the RRset is considered illegitimate and is rejected. Accuracy in DNSSEC validation, that is, avoiding false positives and catching true negatives, requires that both the signing process and the validation process adhere to the protocol, which begins with external configuration parameters. This document describes requirements for a validator to be able to perform accurate validation.


Daniel Migault (daniel.migault@ericsson.com)
Dan York (york@isoc.org)
Edward Lewis (edward.lewis@icann.org)

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)