Delegation Signer (DS) Resource Record (RR)
RFC 3658
Document Type RFC - Proposed Standard (December 2003; No errata)
Obsoleted by RFC 4035, RFC 4033, RFC 4034
Updated by RFC 3755
Last updated 2015-10-14
Stream IETF
Formats plain text pdf htmlized bibtex
Stream WG state (None)
Document shepherd No shepherd assigned
IESG IESG state RFC 3658 (Proposed Standard)
Consensus Boilerplate Unknown
Telechat date
Responsible AD Thomas Narten
IESG note Please start last call.
Send notices to <okolkman@ripe.net>
Email authors Email WG IPR References Referenced by Nits 
Network Working Group                                     O. Gudmundsson
Request for Comments: 3658                                 December 2003
Updates: 3090, 3008, 2535, 1035
Category: Standards Track

              Delegation Signer (DS) Resource Record (RR)

Status of this Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2003).  All Rights Reserved.

Abstract

   The delegation signer (DS) resource record (RR) is inserted at a zone
   cut (i.e., a delegation point) to indicate that the delegated zone is
   digitally signed and that the delegated zone recognizes the indicated
   key as a valid zone key for the delegated zone.  The DS RR is a
   modification to the DNS Security Extensions definition, motivated by
   operational considerations.  The intent is to use this resource
   record as an explicit statement about the delegation, rather than
   relying on inference.

   This document defines the DS RR, gives examples of how it is used and
   describes the implications on resolvers.  This change is not
   backwards compatible with RFC 2535.  This document updates RFC 1035,
   RFC 2535, RFC 3008 and RFC 3090.

Gudmundsson                 Standards Track                     [Page 1]
RFC 3658      Delegation Signer (DS) Resource Record (RR)  December 2003

Table of Contents

   1.  Introduction. . . . . . . . . . . . . . . . . . . . . . . . .   3
       1.2.  Reserved Words. . . . . . . . . . . . . . . . . . . . .   4
   2.  Specification of the Delegation key Signer. . . . . . . . . .   4
       2.1.  Delegation Signer Record Model. . . . . . . . . . . . .   4
       2.2.  Protocol Change . . . . . . . . . . . . . . . . . . . .   5
             2.2.1.  RFC 2535 2.3.4 and 3.4: Special Considerations
                     at Delegation Points  . . . . . . . . . . . . .   6
                     2.2.1.1. Special processing for DS queries. . .   6
                     2.2.1.2. Special processing when child and an
                              ancestor share nameserver. . . . . . .   7
                     2.2.1.3. Modification on use of KEY RR in the
                              construction of Responses. . . . . . .   8
             2.2.2.  Signer's Name (replaces RFC3008 section 2.7). .   9
             2.2.3.  Changes to RFC 3090 . . . . . . . . . . . . . .   9
                     2.2.3.1. RFC 3090: Updates to section 1:
                              Introduction . . . . . . . . . . . . .   9
                     2.2.3.2. RFC 3090 section 2.1: Globally
                              Secured. . . . . . . . . . . . . . . .  10
                     2.2.3.3. RFC 3090 section 3: Experimental
                              Status . . . . . . . . . . . . . . . .  10
             2.2.4.  NULL KEY elimination. . . . . . . . . . . . . .  10
       2.3.  Comments on Protocol Changes. . . . . . . . . . . . . .  10
       2.4.  Wire Format of the DS record. . . . . . . . . . . . . .  11
             2.4.1.  Justifications for Fields . . . . . . . . . . .  12
       2.5.  Presentation Format of the DS Record. . . . . . . . . .  12
       2.6.  Transition Issues for Installed Base. . . . . . . . . .  12
             2.6.1.  Backwards compatibility with RFC 2535 and
                     RFC 1035. . . . . . . . . . . . . . . . . . . .  12
       2.7.  KEY and corresponding DS record example . . . . . . . .  13
   3.  Resolver. . . . . . . . . . . . . . . . . . . . . . . . . . .  14
       3.1.  DS Example" . . . . . . . . . . . . . . . . . . . . . .  14
       3.2.  Resolver Cost Estimates for DS Records" . . . . . . . .  15
   4.  Security Considerations . . . . . . . . . . . . . . . . . . .  15
   5.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  16
   6.  Intellectual Property Statement . . . . . . . . . . . . . . .  16
   7.  Acknowledgments . . . . . . . . . . . . . . . . . . . . . . .  17
   8.  References. . . . . . . . . . . . . . . . . . . . . . . . . .  17
       8.1.  Normative References. . . . . . . . . . . . . . . . . .  17
       8.2.  Informational References. . . . . . . . . . . . . . . .  17
   9.  Author's Address. . . . . . . . . . . . . . . . . . . . . . .  18
   10. Full Copyright Statement. . . . . . . . . . . . . . . . . . .  19

Gudmundsson                 Standards Track                     [Page 2]
RFC 3658      Delegation Signer (DS) Resource Record (RR)  December 2003

1.  Introduction

   Familiarity with the DNS system [RFC1035], DNS security extensions
   [RFC2535], and DNSSEC terminology [RFC3090] is important.

   Experience shows that when the same data can reside in two
   administratively different DNS zones, the data frequently gets out of
Show full document text
RFC Editor IASA & IETF LLC IETF Trust IRTF IETF IESG IAB IANA Privacy Statement IETF Tools