{"draft":"draft-ietf-dnsop-maintain-ds-06","doc_id":"RFC8078","title":"Managing DS Records from the Parent via CDS\/CDNSKEY","authors":["O. Gudmundsson","P. Wouters"],"format":["ASCII","HTML"],"page_count":"10","pub_status":"PROPOSED STANDARD","status":"PROPOSED STANDARD","source":"Domain Name System Operations","abstract":"RFC 7344 specifies how DNS trust can be maintained across key\r\nrollovers in-band between parent and child.  This document elevates\r\nRFC 7344 from Informational to Standards Track.  It also adds a\r\nmethod for initial trust setup and removal of a secure entry point.\r\n\r\nChanging a domain's DNSSEC status can be a complicated matter\r\ninvolving multiple unrelated parties.  Some of these parties, such as\r\nthe DNS operator, might not even be known by all the organizations\r\ninvolved.  The inability to disable DNSSEC via in-band signaling is\r\nseen as a problem or liability that prevents some DNSSEC adoption at\r\na large scale.  This document adds a method for in-band signaling of\r\nthese DNSSEC status changes.\r\n\r\nThis document describes reasonable policies to ease deployment of the\r\ninitial acceptance of new secure entry points (DS records).\r\n\r\nIt is preferable that operators collaborate on the transfer or move\r\nof a domain.  The best method is to perform a Key Signing Key (KSK)\r\nplus Zone Signing Key (ZSK) rollover.  If that is not possible, the\r\nmethod using an unsigned intermediate state described in this\r\ndocument can be used to move the domain between two parties.  This\r\nleaves the domain temporarily unsigned and vulnerable to DNS\r\nspoofing, but that is preferred over the alternative of validation\r\nfailures due to a mismatched DS and DNSKEY record.","pub_date":"March 2017","keywords":["dnssec","trust maintenance"],"obsoletes":[],"obsoleted_by":[],"updates":["RFC7344"],"updated_by":[],"see_also":[],"doi":"10.17487\/RFC8078","errata_url":"https:\/\/www.rfc-editor.org\/errata\/rfc8078"}