This document describes the DNS security extensions (commonly called "DNSSEC") that are
specified RFCs 4033, 4034, 4035, and a handful of others. One purpose is to introduce
all of the RFCs in one place so that the reader can understand the many aspects of DNSSEC.
This document does not update any of those RFCs.
Another purpose is to move DNSSEC to Best Current Practice status.¶
This document is currently maintained at https://github.com/paulehoffman/draft-hoffman-dnssec.
Issues and pull requests are welcomed.¶
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task
Force (IETF). Note that other groups may also distribute working
documents as Internet-Drafts. The list of current Internet-Drafts is
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 12 February 2023.¶
Copyright (c) 2022 IETF Trust and the persons identified as the
document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with
respect to this document. Code Components extracted from this
document must include Revised BSD License text as described in
Section 4.e of the Trust Legal Provisions and are provided without
warranty as described in the Revised BSD License.¶
The core specification for what we know as DNSSEC (the combination of [RFC4033],
[RFC4034], and [RFC4035]) describes a set of protocols that provide origin
authentication to data in the DNS. [RFC6840] updates and extends those core RFCs,
but does not fundamentally change the way that DNSSEC works.¶
This document lists many (but not all) of the RFCs that should be considered by someone
creating an implementation of, or someone deploying, modern DNSSEC.
It uses terminology from those documents without defining that terminology.
It also points to the relevant IANA registries that relate to DNSSEC.
It does not, however, point to standards that rely on zones needing to be signed by DNSSEC.¶
The DNSSEC set of protocols is widely considered the best current practice for adding
origin authentication of data in the DNS. To date, no standards-track RFCs offer any other
method for such origin authentication of data in the DNS.¶
Some observers note that, more than 15 years after the DNSSEC specification was published,
it is still not widely deployed. Recent estimates are that fewer than 10% of the domain names
used for web sites are signed, and only around a third of queries to recursive resolvers
are validated. However, this low level of implementation does not affect whether DNSSEC
is a best current practice; it just indicates that the value of deploying DNSSEC is often
considered lower than the cost.
Nonetheless, the significant deployment of DNSSEC beneath some top-level domains (TLDs),
and the near-universal deployment of DNSSEC for the TLDs in the DNS root zone,
demonstrate that DNSSEC is suitable for implementation by both ordinary and highly sophisticated domain owners.¶
Developers of validating resolvers and authoritative servers,
as well as operators of operators of validating resolvers and authoritative servers,
need to know the parts of the DNSSEC protocol that would affect them.
They should read the DNSSEC core documents, and probably at least be familiar
with the extensions.
Developers will probably need to be very familiar with the algorithm documents as well.¶
As a side note, some of the DNSSEC-related RFCs have significant errata, so reading the
RFCs should also include looking for the related errata.¶
What we today call "DNSSEC" is formally version 3 of the DNSSEC specification.
However, earlier versions of DNSSEC were thinly deployed and significantly less
visible than the current DNSSEC specification. Throughout this document, "DNSSEC"
means version 3 of the protocol initially defined in [RFC4033], [RFC4034], and [RFC4035].¶
The three initial core documents generally cover different topics:¶
[RFC4033] is an overview of DNSSEC, including how it might change the resolution of DNS queries.¶
[RFC4034] specifies the DNS resource records used in DNSSEC.
It obsoletes many RFCs for earlier versions of DNSSEC.¶
[RFC4035] covers the modifications to the DNS protocol incurred by DNSSEC.
These include signing zones, serving signed zones, resolving in light of
DNSSEC, and authenticating DNSSEC-signed data.¶
At the time this set of core documents was published, someone could create a DNSSEC
implementation of signing software, of an DNSSEC-aware authoritative server, and/or
a DNSSEC-aware recursive resolver from the three core documents, the many documents that update them, plus a few older
RFCs specifying the cryptography used. Those two older documents are:¶
[RFC2536] defines how to use the DSA signature algorithm (although refers to other
documents for the details).
DSA was thinly implemented and can safely be ignored by DNSSEC implementations¶
[RFC3110] defines how to use the RSA signature algorithm (although refers to other
documents for the details).
RSA is still the most popular signing algorithm for DNSSEC.¶
It is important to note that later RFCs update the core documents. As just one example,
[RFC9077] changes how TTL values are calculated in DNSSEC processing.¶
As with any major protocol, developers and operators discovered issues with the original
core documents over the years.
[RFC6840] is an omnibus update to the original core documents and thus itself has
become a core document.
In addition to covering new requirements from new DNSSEC RFCs, it describes many important
security and interoperability issues that arose during the deployment of the initial
specifications, particularly after the DNS root was signed in 2010.
It also lists some errors in the examples of the core specifications.¶
[RFC6840] brings a few additions into the core of DNSSEC.
It makes NSEC3 [RFC5155] as much a part of DNSSEC as NSEC is.
It also makes the SHA-2 hash function defined in [RFC4509] and [RFC5702] part of the core as well.¶
Cryptography improves over time, and new algorithms get adopted by various Internet protocols.
Two new signing algorithms have been adopted by the DNSSEC community: ECDSA [RFC6605] and EdDSA [RFC8080].
The GOST signing algorithm [RFC5933] was also adopted, but has seen very limited use, likely
because it is a national algorithm specific to a very small number of countries.¶
Implementation developers who want to know which algorithms to implement in DNSSEC software
should refer to [RFC8624].
Note that this specification is only about what algorithms should and should not be included
in implementations: it is not advice for which algorithms that zone operators should and
should not sign with, nor which algorithms recursive resolver operators should or should not
The DNSSEC community has extended the DNSSEC core and the cryptographic algorithms both
in terms of describing good operational practices and in new protocols. Some of the
RFCs that describe these extensions include:¶
[RFC5011] describes a method to help resolvers update their DNSSEC trust anchors in an
automated fashion. This method was used in 2018 to update the DNS root trust anchor.¶
[RFC6781] is a compendium of operational practices that may not be obvious from reading
just the core specifications.¶
[RFC7344] describes using the CDS and CDNSKEY resource records to help automate the maintenance
of DS records in the parents of signed zones.¶
[RFC8078] extends [RFC7344] by showing how to do initial setup of trusted relationships
between signed parent and child zones.¶
[RFC8198] describes how a validating resolver can emit fewer queries in signed zones that
use NSEC and NSEC3 for negative caching.¶
[RFC9077] updates [RFC8198] with respect to the time-to-live (TTL) fields in signed records.¶
The documents listed above constitute the core of DNSSEC, the additional cryptographic algorithms,
and the major extensions to DNSSEC.
This section lists some additional documents that someone interested in implementing or operating
DNSSEC might find of value.¶
[RFC4470] "describes how to construct DNSSEC NSEC resource records that cover a smaller range of
names than called for by [RFC4034]".¶
[RFC6975] "specifies a way for validating end-system resolvers to signal to a server which digital signature
and hash algorithms they support".¶
[RFC7129] "provides additional background commentary and some context for the NSEC and NSEC3
mechanisms used by DNSSEC to provide authenticated denial-of-existence responses".
This background is particularly important for understanding NSEC and NSEC3 usage.¶
[RFC7583] "describes the issues surrounding the timing of events in the rolling of a key in a DNSSEC-secured zone".¶
[RFC7646] "defines Negative Trust Anchors (NTAs), which can be used to mitigate DNSSEC validation failures by disabling
DNSSEC validation at specified domains".¶
[RFC7958] "describes the format and publication mechanisms IANA has used to distribute the DNSSEC trust anchors".¶
[RFC8027] "describes problems that a Validating DNS resolver, stub-resolver, or application might run into within
a non-compliant infrastructure".¶
[RFC8145] "specifies two different ways for validating resolvers to signal to a server which keys are
referenced in their chain of trust".¶
[RFC8499] is a list of terminology used when talking about the DNS; sections 10 and 11 cover DNSSEC.¶
[RFC8509] "specifies a mechanism that will allow an end user and third parties to determine the trusted key
state for the root key of the resolvers that handle that user's DNS queries".¶
[RFC8901] "presents deployment models that accommodate this scenario [when each DNS
provider independently signs zone data with their own keys] and describes these key-management requirements".¶
[RFC9276] "provides guidance on setting NSEC3 parameters based on recent operational
There will certainly be other RFCs related to DNSSEC that are published after this one.¶
Dolmatov, V., Ed., Chuprina, A., and I. Ustinov, "Use of GOST Signature Algorithms in DNSKEY and RRSIG Resource Records for DNSSEC", RFC 5933, DOI 10.17487/RFC5933, , <https://www.rfc-editor.org/info/rfc5933>.
Ebersman, P., Kumari, W., Griffiths, C., Livingood, J., and R. Weber, "Definition and Use of DNSSEC Negative Trust Anchors", RFC 7646, DOI 10.17487/RFC7646, , <https://www.rfc-editor.org/info/rfc7646>.