Automated Updates of DNS Security Trust Anchors
RFC 5011, “Automated Updates of DNS Security Trust Anchors”, is an Internet Standard document published in September 2007 by M. StJohns. The canonical text is published by the RFC Editor.
Abstract
This document describes a means for automated, authenticated, and authorized updating of DNSSEC "trust anchors". The method provides protection against N-1 key compromises of N keys in the trust point key set. Based on the trust established by the presence of a current anchor, other anchors may be added at the same place in the hierarchy, and, ultimately, supplant the existing anchor(s).
This mechanism will require changes to resolver management behavior (but not resolver resolution behavior), and the addition of a single flag bit to the DNSKEY record. [STANDARDS-TRACK]
What “Internet Standard” means
A mature, widely-implemented specification that has completed the full IETF standards process — the highest maturity level on the standards track.
The canonical text of RFC 5011 is hosted at rfc-editor.org. Available in TXT,HTML.
- RFC 5010 The Dynamic Host Configuration Protocol Version 4 Relay Agent Flags Suboption
- RFC 5009 Private Header Extension to the Session Initiation Protocol for Authorization of Early Media
- RFC 5013 The Dublin Core Metadata Element Set
- RFC 5008 Suite B in Secure/Multipurpose Internet Mail Extensions
- RFC 5014 IPv6 Socket API for Source Address Selection
- RFC 5007 DHCPv6 Leasequery
- RFC 5015 Bidirectional Protocol Independent Multicast
- RFC 5006 IPv6 Router Advertisement Option for DNS Configuration