Multi-Signer DNSSEC Models
RFC 8901, “Multi-Signer DNSSEC Models”, is an Informational document published in September 2020 by S. Huque, P. Aras, J. Dickinson, J. Vcelak, and D. Blacka. The canonical text is published by the RFC Editor.
Abstract
Many enterprises today employ the service of multiple DNS providers to distribute their authoritative DNS service. Deploying DNSSEC in such an environment may present some challenges, depending on the configuration and feature set in use. In particular, when each DNS provider independently signs zone data with their own keys, additional key-management mechanisms are necessary. This document presents deployment models that accommodate this scenario and describes these key-management requirements. These models do not require any changes to the behavior of validating resolvers, nor do they impose the new key-management requirements on authoritative servers not involved in multi-signer configurations.
What “Informational” means
Published for the general information of the community. It does not define an IETF standard and carries no standards-track status.
The canonical text of RFC 8901 is hosted at rfc-editor.org. Available in HTML, TXT, PDF, and XML.
- RFC 8900 IP Fragmentation Considered Fragile
- RFC 8902 TLS Authentication Using Intelligent Transport System Certificates
- RFC 8899 Packetization Layer Path MTU Discovery for Datagram Transports
- RFC 8898 Third-Party Token-Based Authentication and Authorization for Session Initiation Protocol
- RFC 8904 DNS Whitelist Email Authentication Method Extension
- RFC 8897 Requirements for Resource Public Key Infrastructure Relying Parties
- RFC 8905 The 'payto' URI Scheme for Payments
- RFC 8896 Application-Layer Traffic Optimization Cost Calendar