Automatic DNSSEC Bootstrapping Using Authenticated Signals from the Zone's Operator
RFC 9615, “Automatic DNSSEC Bootstrapping Using Authenticated Signals from the Zone's Operator”, is a Proposed Standard document published in July 2024 by P. Thomassen and N. Wisiol. It updates RFC 7344 and RFC 8078. The canonical text is published by the RFC Editor.
Abstract
This document introduces an in-band method for DNS operators to publish arbitrary information about the zones for which they are authoritative, in an authenticated fashion and on a per-zone basis. The mechanism allows managed DNS operators to securely announce DNSSEC key parameters for zones under their management, including for zones that are not currently securely delegated.
Whenever DS records are absent for a zone's delegation, this signal enables the parent's registry or registrar to cryptographically validate the CDS/CDNSKEY records found at the child's apex. The parent can then provision DS records for the delegation without resorting to out-of-band validation or weaker types of cross-checks such as "Accept after Delay".
This document establishes the DS enrollment method described in Section 4 of this document as the preferred method over those from Section 3 of RFC 8078. It also updates RFC 7344.
What “Proposed Standard” means
An entry-level standards-track specification: stable, peer-reviewed and a solid basis for implementation, though it may still evolve before becoming an Internet Standard.
The canonical text of RFC 9615 is hosted at rfc-editor.org. Available in HTML, TXT, PDF, and XML.
- RFC 9614 Partitioning as an Architecture for Privacy
- RFC 9616 Delay-Based Metric Extension for the Babel Routing Protocol
- RFC 9613 Requirements for Solutions that Support MPLS Network Actions
- RFC 9617 A YANG Data Model for In Situ Operations, Administration, and Maintenance
- RFC 9612 Bidirectional Forwarding Detection Reverse Path for MPLS Label Switched Paths
- RFC 9618 Updates to X.509 Policy Validation
- RFC 9611 Internet Key Exchange Protocol Version 2 Support for Per-Resource Child Security Associations
- RFC 9619 In the DNS, QDCOUNT Is One