{"draft":"draft-ietf-dnsop-dnssec-bootstrapping-11","doc_id":"RFC9615","title":"Automatic DNSSEC Bootstrapping Using Authenticated Signals from the Zone's Operator","authors":["P. Thomassen","N. Wisiol"],"format":["HTML","TEXT","PDF","XML"],"page_count":"12","pub_status":"PROPOSED STANDARD","status":"PROPOSED STANDARD","source":"Domain Name System Operations","abstract":"This document introduces an in-band method for DNS operators to\r\npublish arbitrary information about the zones for which they are\r\nauthoritative, in an authenticated fashion and on a per-zone basis.\r\nThe mechanism allows managed DNS operators to securely announce\r\nDNSSEC key parameters for zones under their management, including for\r\nzones that are not currently securely delegated.\r\n\r\nWhenever DS records are absent for a zone's delegation, this signal\r\nenables the parent's registry or registrar to cryptographically\r\nvalidate the CDS\/CDNSKEY records found at the child's apex. The\r\nparent can then provision DS records for the delegation without\r\nresorting to out-of-band validation or weaker types of cross-checks\r\nsuch as \"Accept after Delay\".\r\n\r\nThis document establishes the DS enrollment method described in\r\nSection 4 of this document as the preferred method over those from\r\nSection 3 of RFC 8078. It also updates RFC 7344.","pub_date":"July 2024","keywords":["DNSSEC","bootstrapping","DS","CDS","CDNSKEY"],"obsoletes":[],"obsoleted_by":[],"updates":["RFC7344","RFC8078"],"updated_by":[],"see_also":[],"doi":"10.17487\/RFC9615","errata_url":"https:\/\/www.rfc-editor.org\/errata\/rfc9615"}