| rfc9718.original | rfc9718.txt | |||
|---|---|---|---|---|
| Network Working Group J. Abley | Internet Engineering Task Force (IETF) J. Abley | |||
| Internet-Draft Cloudflare | Request for Comments: 9718 Cloudflare | |||
| Obsoletes: 7958 (if approved) J. Schlyter | Obsoletes: 7958 J. Schlyter | |||
| Intended status: Informational Kirei AB | Category: Informational Kirei AB | |||
| Expires: 8 March 2025 G. Bailey | ISSN: 2070-1721 G. Bailey | |||
| Independent | Independent | |||
| P. Hoffman | P. Hoffman | |||
| ICANN | ICANN | |||
| 4 September 2024 | January 2025 | |||
| DNSSEC Trust Anchor Publication for the Root Zone | DNSSEC Trust Anchor Publication for the Root Zone | |||
| draft-ietf-dnsop-rfc7958bis-06 | ||||
| Abstract | Abstract | |||
| The root zone of the global Domain Name System (DNS) is | The root zone of the global Domain Name System (DNS) is | |||
| cryptographically signed using DNS Security Extensions (DNSSEC). | cryptographically signed using DNS Security Extensions (DNSSEC). | |||
| In order to obtain secure answers from the root zone of the DNS using | In order to obtain secure answers from the root zone of the DNS using | |||
| DNSSEC, a client must configure a suitable trust anchor. This | DNSSEC, a client must configure a suitable trust anchor. This | |||
| document describes the format and publication mechanisms IANA uses to | document describes the format and publication mechanisms IANA uses to | |||
| distribute the DNSSEC trust anchors. | distribute the DNSSEC trust anchors. | |||
| This document obsoletes RFC 7958. | This document obsoletes RFC 7958. | |||
| About This Document | ||||
| This note is to be removed before publishing as an RFC. | ||||
| Status information for this document may be found at | ||||
| https://datatracker.ietf.org/doc/draft-ietf-dnsop-rfc7958bis/. | ||||
| Source for this draft and an issue tracker can be found at | ||||
| https://github.com/paulehoffman/draft-bash-rfc7958bis. | ||||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This document is not an Internet Standards Track specification; it is | |||
| provisions of BCP 78 and BCP 79. | published for informational purposes. | |||
| Internet-Drafts are working documents of the Internet Engineering | ||||
| Task Force (IETF). Note that other groups may also distribute | ||||
| working documents as Internet-Drafts. The list of current Internet- | ||||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | ||||
| Internet-Drafts are draft documents valid for a maximum of six months | This document is a product of the Internet Engineering Task Force | |||
| and may be updated, replaced, or obsoleted by other documents at any | (IETF). It represents the consensus of the IETF community. It has | |||
| time. It is inappropriate to use Internet-Drafts as reference | received public review and has been approved for publication by the | |||
| material or to cite them other than as "work in progress." | Internet Engineering Steering Group (IESG). Not all documents | |||
| approved by the IESG are candidates for any level of Internet | ||||
| Standard; see Section 2 of RFC 7841. | ||||
| This Internet-Draft will expire on 8 March 2025. | Information about the current status of this document, any errata, | |||
| and how to provide feedback on it may be obtained at | ||||
| https://www.rfc-editor.org/info/rfc9718. | ||||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2024 IETF Trust and the persons identified as the | Copyright (c) 2025 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents (https://trustee.ietf.org/ | Provisions Relating to IETF Documents | |||
| license-info) in effect on the date of publication of this document. | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| Please review these documents carefully, as they describe your rights | publication of this document. Please review these documents | |||
| and restrictions with respect to this document. Code Components | carefully, as they describe your rights and restrictions with respect | |||
| extracted from this document must include Revised BSD License text as | to this document. Code Components extracted from this document must | |||
| described in Section 4.e of the Trust Legal Provisions and are | include Revised BSD License text as described in Section 4.e of the | |||
| provided without warranty as described in the Revised BSD License. | Trust Legal Provisions and are provided without warranty as described | |||
| in the Revised BSD License. | ||||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction | |||
| 1.1. Definitions . . . . . . . . . . . . . . . . . . . . . . . 3 | 1.1. Definitions | |||
| 2. IANA DNSSEC Root Zone Trust Anchor Format and Semantics . . . 4 | 2. IANA DNSSEC Root Zone Trust Anchor Format and Semantics | |||
| 2.1. XML Syntax . . . . . . . . . . . . . . . . . . . . . . . 4 | 2.1. XML Syntax | |||
| 2.2. XML Semantics . . . . . . . . . . . . . . . . . . . . . . 5 | 2.2. XML Semantics | |||
| 2.3. XML Example . . . . . . . . . . . . . . . . . . . . . . . 7 | 2.3. XML Example | |||
| 3. Root Zone Trust Anchor Retrieval . . . . . . . . . . . . . . 8 | 3. Root Zone Trust Anchor Retrieval | |||
| 3.1. Retrieving Trust Anchors with HTTPS and HTTP . . . . . . 8 | 3.1. Retrieving Trust Anchors with HTTPS and HTTP | |||
| 3.2. Accepting DNSSEC Trust Anchors . . . . . . . . . . . . . 9 | 3.2. Accepting DNSSEC Trust Anchors | |||
| 3.3. Changes in the Trust Model for Distribution . . . . . . . 9 | 3.3. Changes in the Trust Model for Distribution | |||
| 4. Security Considerations . . . . . . . . . . . . . . . . . . . 10 | 4. Security Considerations | |||
| 4.1. Security Considerations for Relying Parties . . . . . . . 10 | 4.1. Security Considerations for Relying Parties | |||
| 4.1.1. validUntil . . . . . . . . . . . . . . . . . . . . . 10 | 4.1.1. validUntil | |||
| 4.1.2. Comparison of Digest and a publickeyinfo . . . . . . 10 | 4.1.2. Comparison of Digest and publickeyinfo | |||
| 4.1.3. Different Outputs from Processing the Trust Anchor | 4.1.3. Different Outputs from Processing the Trust Anchor File | |||
| File . . . . . . . . . . . . . . . . . . . . . . . . 11 | 5. IANA Considerations | |||
| 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11 | 6. References | |||
| 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 11 | 6.1. Normative References | |||
| 6.1. Normative References . . . . . . . . . . . . . . . . . . 11 | 6.2. Informative References | |||
| 6.2. Informative References . . . . . . . . . . . . . . . . . 12 | Appendix A. Changes from RFC 7958 | |||
| Appendix A. Changes from RFC 7958 . . . . . . . . . . . . . . . 13 | Appendix B. Historical Note | |||
| Appendix B. Historical Note . . . . . . . . . . . . . . . . . . 13 | Acknowledgements | |||
| Appendix C. Acknowledgemwents . . . . . . . . . . . . . . . . . 14 | Authors' Addresses | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 14 | ||||
| 1. Introduction | 1. Introduction | |||
| The global Domain Name System (DNS) is described in [RFC1034] and | The global Domain Name System (DNS) is described in [RFC1034] and | |||
| [RFC1035]. DNS Security Extensions (DNSSEC) are described in | [RFC1035]. DNS Security Extensions (DNSSEC) are described in | |||
| [RFC9364]. | [RFC9364]. | |||
| In the DNSSEC protocol, Resource Record Sets (RRSets) are signed | In the DNSSEC protocol, Resource Record Sets (RRSets) are signed | |||
| cryptographically. This means that a response to a query contains | cryptographically. This means that a response to a query contains | |||
| signatures that allow the integrity and authenticity of the RRSet to | signatures that allow the integrity and authenticity of the RRSet to | |||
| skipping to change at page 3, line 25 ¶ | skipping to change at line 103 ¶ | |||
| signatures to a "trust anchor". The reason for trusting a trust | signatures to a "trust anchor". The reason for trusting a trust | |||
| anchor is outside the DNSSEC protocol, but having one or more trust | anchor is outside the DNSSEC protocol, but having one or more trust | |||
| anchors is required for the DNSSEC protocol to work. | anchors is required for the DNSSEC protocol to work. | |||
| The publication of trust anchors for the root zone of the DNS is an | The publication of trust anchors for the root zone of the DNS is an | |||
| IANA function performed by ICANN, through its affiliate Public | IANA function performed by ICANN, through its affiliate Public | |||
| Technical Identifiers (PTI). A detailed description of corresponding | Technical Identifiers (PTI). A detailed description of corresponding | |||
| key management practices can be found in [DPS]. | key management practices can be found in [DPS]. | |||
| This document describes the formats and distribution methods of | This document describes the formats and distribution methods of | |||
| DNSSEC trust anchors that is used by IANA for the root zone of the | DNSSEC trust anchors that are used by IANA for the root zone of the | |||
| DNS. Other organizations might have different formats and mechanisms | DNS. Other organizations might have different formats and mechanisms | |||
| for distributing DNSSEC trust anchors for the root zone; however, | for distributing DNSSEC trust anchors for the root zone; however, | |||
| most operators and software vendors have chosen to rely on the IANA | most operators and software vendors have chosen to rely on the IANA | |||
| trust anchors. | trust anchors. | |||
| The formats and distribution methods described in this document are a | The formats and distribution methods described in this document are a | |||
| complement to, not a substitute for, the automated DNSSEC trust | complement to, not a substitute for, the automated DNSSEC trust | |||
| anchor update protocol described in [RFC5011]. That protocol allows | anchor update protocol described in [RFC5011]. That protocol allows | |||
| for secure in-band succession of trust anchors when trust has already | for secure in-band succession of trust anchors when trust has already | |||
| been established. This document describes one way to establish an | been established. This document describes one way to establish an | |||
| initial trust anchor that can be used by [RFC5011]. | initial trust anchor that can be used by the mechanism defined in | |||
| [RFC5011]. | ||||
| This document obsoletes [RFC7958]. | This document obsoletes [RFC7958]. | |||
| 1.1. Definitions | 1.1. Definitions | |||
| The term "trust anchor" is used in many different contexts in the | The term "trust anchor" is used in many different contexts in the | |||
| security community. Many of the common definitions conflict because | security community. Many of the common definitions conflict because | |||
| they are specific to a specific system, such as just for DNSSEC or | they are specific to a specific system, such as just for DNSSEC or | |||
| just for S/MIME messages. | just for S/MIME messages. | |||
| In cryptographic systems with hierarchical structure, a trust anchor | In cryptographic systems with hierarchical structure, a trust anchor | |||
| is an authoritative entity for which trust is assumed and not | is an authoritative entity for which trust is assumed and not | |||
| derived. The format of the entity differs in different systems, but | derived. The format of the entity differs in different systems, but | |||
| the basic idea, the decision to trust this entity is made outside of | all common uses of the term "trust anchor" share the basic idea that | |||
| the system that relies on it, is common to all the common uses of the | the decision to trust this entity is made outside of the system that | |||
| term "trust anchor". | relies on it. | |||
| The root zone trust anchor formats published by IANA are defined in | The root zone trust anchor formats published by IANA are defined in | |||
| Section 2. [RFC4033] defines a trust anchor as "A configured DNSKEY | Section 2. [RFC4033] defines a trust anchor as a "configured DNSKEY | |||
| RR or DS RR hash of a DNSKEY RR". Note that the formats defined here | RR or DS RR hash of a DNSKEY RR". Note that the formats defined here | |||
| do not match the definition of "trust anchor" from [RFC4033]; | do not match the definition of "trust anchor" from [RFC4033]; | |||
| however, a system that wants to convert the trusted material from | however, a system that wants to convert the trusted material from | |||
| IANA into a Delegation Signer (DS) RR can do so. | IANA into a Delegation Signer (DS) RR can do so. | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | |||
| "OPTIONAL" in this document are to be interpreted as described in | "OPTIONAL" in this document are to be interpreted as described in | |||
| BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all | BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all | |||
| capitals, as shown here. | capitals, as shown here. | |||
| 2. IANA DNSSEC Root Zone Trust Anchor Format and Semantics | 2. IANA DNSSEC Root Zone Trust Anchor Format and Semantics | |||
| IANA publishes trust anchors for the root zone as an XML document | IANA publishes trust anchors for the root zone as an XML | |||
| that contains the hashes of the DNSKEY records and optionally the | [W3C.REC-xml11-20060816] document that contains the hashes of the | |||
| keys from the DNSKEY records. | DNSKEY records and optionally the keys from the DNSKEY records. | |||
| This format and the semantics associated are described in the rest of | This format and the associated semantics are described in the rest of | |||
| this section. | this section. | |||
| Note that the XML document can have XML comments. For example, IANA | Note that the XML document can have XML comments. For example, IANA | |||
| might use these comments to add pointers to important information on | might use these comments to add pointers to important information on | |||
| the IANA web site. XML comments are only used as human-readable | the IANA website. XML comments are only used as human-readable | |||
| commentary, not extensions to the grammar. | commentary, not extensions to the grammar. | |||
| The XML document contains a set of hashes for the DNSKEY records that | The XML document contains a set of hashes for the DNSKEY records that | |||
| can be used to validate the root zone. The hashes are consistent | can be used to validate the root zone. The hashes are consistent | |||
| with the defined presentation format of a DS resource. | with the defined presentation format of a DS resource. | |||
| The XML document also can contain the keys and flags from the DNSKEY | The XML document can also contain the keys and flags from the DNSKEY | |||
| records. The keys and flags are consistent with the defined | records. The keys and flags are consistent with the defined | |||
| presentation format of a DNSKEY resource. | presentation format of a DNSKEY resource. | |||
| Note that the hashes are mandatory in the syntax, but the keys are | Note that the hashes are mandatory in the syntax, but the keys are | |||
| optional. | optional. | |||
| 2.1. XML Syntax | 2.1. XML Syntax | |||
| A RELAX NG Compact Schema [RELAX-NG] for the documents used to | Below is the RELAX NG Compact Schema [RELAX-NG] for the documents | |||
| publish trust anchors is: | used to publish trust anchors: | |||
| datatypes xsd = "http://www.w3.org/2001/XMLSchema-datatypes" | datatypes xsd = "http://www.w3.org/2001/XMLSchema-datatypes" | |||
| start = element TrustAnchor { | start = element TrustAnchor { | |||
| attribute id { xsd:string }, | attribute id { xsd:string }, | |||
| attribute source { xsd:string }, | attribute source { xsd:string }, | |||
| element Zone { xsd:string }, | element Zone { xsd:string }, | |||
| keydigest+ | keydigest+ | |||
| } | } | |||
| skipping to change at page 5, line 41 ¶ | skipping to change at line 212 ¶ | |||
| element Flags { | element Flags { | |||
| xsd:nonNegativeInteger { maxInclusive = "65535" } } | xsd:nonNegativeInteger { maxInclusive = "65535" } } | |||
| 2.2. XML Semantics | 2.2. XML Semantics | |||
| The TrustAnchor element is the container for all of the trust anchors | The TrustAnchor element is the container for all of the trust anchors | |||
| in the file. | in the file. | |||
| The id attribute in the TrustAnchor element is an opaque string that | The id attribute in the TrustAnchor element is an opaque string that | |||
| identifies the set of trust anchors. Its value has no particular | identifies the set of trust anchors. Its value has no particular | |||
| semantics. Note that the id element in the TrustAnchor element is | semantics. Note that the id attribute in the TrustAnchor element is | |||
| different than the id element in the KeyDigest element, described | different than the id attribute in the KeyDigest element described | |||
| below. | below. | |||
| The source attribute in the TrustAnchor element gives information | The source attribute in the TrustAnchor element gives information | |||
| about where to obtain the TrustAnchor container. It is likely to be | about where to obtain the TrustAnchor container. It is likely to be | |||
| a URL and is advisory only. | a URL and is advisory only. | |||
| The Zone element in the TrustAnchor element states to which DNS zone | The Zone element in the TrustAnchor element states to which DNS zone | |||
| this container applies. The element is in presentation format as | this container applies. The Zone element is in presentation format | |||
| specified in [RFC1035], including the trailing dot. The root zone is | as specified in [RFC1035], including the trailing dot. The root zone | |||
| indicated by a single period (.) character without any quotation | is indicated by a single period (.) character without any quotation | |||
| marks. | marks. | |||
| The TrustAnchor element contains one or more KeyDigest elements. | The TrustAnchor element contains one or more KeyDigest elements. | |||
| Each KeyDigest element represents the digest of a past, current, or | Each KeyDigest element represents the digest of a past, current, or | |||
| potential future DNSKEY record of the zone defined in the Zone | potential future DNSKEY record of the zone defined in the Zone | |||
| element. The values for the elements in the KeyDigest element are | element. The values for the elements in the KeyDigest element are | |||
| defined in [RFC4034]. The IANA registries for these values are | defined in [RFC4034]. The IANA registries for DNSSEC-related values | |||
| described in [RFC9157]. | are described in [RFC9157]. | |||
| The id attribute in the KeyDigest element is an opaque string that | The id attribute in the KeyDigest element is an opaque string that | |||
| identifies the hash. Note that the id element in the KeyDigest | identifies the hash. Note that the id attribute in the KeyDigest | |||
| element is different than the id element in the TrustAnchor element | element is different than the id attribute in the TrustAnchor element | |||
| described above. | described above. | |||
| The validFrom and validUntil attributes in the KeyDigest element | The validFrom and validUntil attributes in the KeyDigest element | |||
| specify the range of times that the KeyDigest element can be used as | specify the range of times that the KeyDigest element can be used as | |||
| a trust anchor. | a trust anchor. | |||
| The KeyTag element in the KeyDigest element contains the key tag for | The KeyTag element in the KeyDigest element contains the key tag for | |||
| the DNSKEY record represented in this KeyDigest. | the DNSKEY record represented in this KeyDigest. | |||
| The Algorithm element in the KeyDigest element contains the DNSSEC | The Algorithm element in the KeyDigest element contains the DNSSEC | |||
| skipping to change at page 6, line 44 ¶ | skipping to change at line 259 ¶ | |||
| The DigestType element in the KeyDigest element contains the DNSSEC | The DigestType element in the KeyDigest element contains the DNSSEC | |||
| digest algorithm identifier for the DNSKEY record represented in this | digest algorithm identifier for the DNSKEY record represented in this | |||
| KeyDigest. | KeyDigest. | |||
| The Digest element in the KeyDigest element contains the hexadecimal | The Digest element in the KeyDigest element contains the hexadecimal | |||
| representation of the hash for the DNSKEY record represented in this | representation of the hash for the DNSKEY record represented in this | |||
| KeyDigest. | KeyDigest. | |||
| The publickeyinfo named pattern in the KeyDigest element contains two | The publickeyinfo named pattern in the KeyDigest element contains two | |||
| mandatory elements: the base64 representation of the public key for | mandatory elements: the base64 representation of the public key for | |||
| the DNSKEY record represented in this KeyDigest, and the flags of the | the DNSKEY record represented in this KeyDigest and the flags of the | |||
| DNSKEY record represented in this KeyDigest. The publickeyinfo named | DNSKEY record represented in this KeyDigest. The publickeyinfo named | |||
| pattern is optional and is new in this version of the specification. | pattern is optional and is new in this specification. It can be | |||
| It can be useful when IANA has a trust anchor that has not yet been | useful when IANA has a trust anchor that has not yet been published | |||
| published in the DNS root, and for calculating a comparison to the | in the DNS root and for calculating a comparison to the Digest | |||
| Digest element. | element. | |||
| 2.3. XML Example | 2.3. XML Example | |||
| The following is an example of what the trust anchor file might look | The following is an example of what the trust anchor file might look | |||
| like. The full public key is only given for the trust anchor that | like. The full public key is only given for a trust anchor that does | |||
| does not have a validFrom ttime in the past. | not have a validFrom time in the past. | |||
| <?xml version="1.0" encoding="UTF-8"?> | <?xml version="1.0" encoding="UTF-8"?> | |||
| <TrustAnchor id="E9724F53-1851-4F86-85E5-F1392102940B" | <TrustAnchor id="E9724F53-1851-4F86-85E5-F1392102940B" | |||
| source="http://data.iana.org/root-anchors/root-anchors.xml"> | source="http://data.iana.org/root-anchors/root-anchors.xml"> | |||
| <Zone>.</Zone> | <Zone>.</Zone> | |||
| <KeyDigest id="Kjqmt7v" | <KeyDigest id="Kjqmt7v" | |||
| validFrom="2010-07-15T00:00:00+00:00" | validFrom="2010-07-15T00:00:00+00:00" | |||
| validUntil="2019-01-11T00:00:00+00:00"> <!-- This key | validUntil="2019-01-11T00:00:00+00:00"> <!-- This key | |||
| is no longer valid, since validUntil is in the past --> | is no longer valid, since validUntil is in the past --> | |||
| <KeyTag>19036</KeyTag> | <KeyTag>19036</KeyTag> | |||
| skipping to change at page 8, line 4 ¶ | skipping to change at line 314 ¶ | |||
| <!-- The following is called "KSK-2024" as a shorthand name --> | <!-- The following is called "KSK-2024" as a shorthand name --> | |||
| <KeyDigest id="Kmyv6jo" validFrom="2024-07-18T00:00:00+00:00"> | <KeyDigest id="Kmyv6jo" validFrom="2024-07-18T00:00:00+00:00"> | |||
| <KeyTag>38696</KeyTag> | <KeyTag>38696</KeyTag> | |||
| <Algorithm>8</Algorithm> | <Algorithm>8</Algorithm> | |||
| <DigestType>2</DigestType> | <DigestType>2</DigestType> | |||
| <Digest> | <Digest> | |||
| 683D2D0ACB8C9B712A1948B27F741219298D0A450D612C483AF444A4C0FB2B16 | 683D2D0ACB8C9B712A1948B27F741219298D0A450D612C483AF444A4C0FB2B16 | |||
| </Digest> | </Digest> | |||
| </KeyDigest> | </KeyDigest> | |||
| </TrustAnchor> | </TrustAnchor> | |||
| The DS RRset derived from this example would be: | ||||
| The DS RRset derived from this example is: | ||||
| . IN DS 20326 8 2 | . IN DS 20326 8 2 | |||
| E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D | E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D | |||
| . IN DS 38696 8 2 | . IN DS 38696 8 2 | |||
| 683D2D0ACB8C9B712A1948B27F741219298D0A450D612C483AF444A4C0FB2B16 | 683D2D0ACB8C9B712A1948B27F741219298D0A450D612C483AF444A4C0FB2B16 | |||
| Note that this DS record set only has two records. The potential | Note that this DS record set only has two records. A potential third | |||
| third record, the one that would have included the key tag 19036, is | record, one that includes the key tag 19036, is already invalid based | |||
| already invalid based on the validUntil attribute's value and is thus | on the validUntil attribute's value and is thus not part of the trust | |||
| not part of the trust anchor set. | anchor set. | |||
| The DNSKEY RRset derived from this example would be: | The DNSKEY RRset derived from this example is: | |||
| . IN DNSKEY 257 3 8 | . IN DNSKEY 257 3 8 | |||
| AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3 | AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3 | |||
| +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv | +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv | |||
| ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF | ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF | |||
| 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e | 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e | |||
| oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd | oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd | |||
| RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN | RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN | |||
| R1AkUTV74bU= | R1AkUTV74bU= | |||
| Note that this DNSKEY record set only has one record. One potential | Note that this DNSKEY record set only has one record. A potential | |||
| second record, the one that would have been based on the key tag | second record, one based on the key tag 19036, is already invalid | |||
| 19036, is already invalid based on the validUntil attribute's value | based on the validUntil attribute's value and is thus not part of the | |||
| and is thus not part of the trust anchor set. The other potential | trust anchor set. Another potential second record, one based on the | |||
| second record, the one that would have been based on the key tag | key tag 38696, does not contain the optional publickeyinfo named | |||
| 38696, does not contain the optional publickeyinfo named pattern and | pattern; therefore, the DNSKEY record for it cannot be calculated. | |||
| therefore the DNSKEY record for it cannot be calculated. | ||||
| 3. Root Zone Trust Anchor Retrieval | 3. Root Zone Trust Anchor Retrieval | |||
| 3.1. Retrieving Trust Anchors with HTTPS and HTTP | 3.1. Retrieving Trust Anchors with HTTPS and HTTP | |||
| Trust anchors are available for retrieval using HTTPS and HTTP. | Trust anchors are available for retrieval using HTTPS and HTTP. | |||
| In this section, all URLs are given using the "https:" scheme. If | In this section, all URLs are given using the "https:" scheme. If | |||
| HTTPS cannot be used, replace the "https:" scheme with "http:". | HTTPS cannot be used, replace the "https:" scheme with "http:". | |||
| The URL for retrieving the set of hashes in the XML file described in | The URL for retrieving the set of hashes in the XML document | |||
| Section 2 is <https://data.iana.org/root-anchors/root-anchors.xml>. | described in Section 2 is <https://data.iana.org/root-anchors/root- | |||
| anchors.xml>. | ||||
| 3.2. Accepting DNSSEC Trust Anchors | 3.2. Accepting DNSSEC Trust Anchors | |||
| A validator operator can choose whether or not to accept the trust | A validator operator can choose whether or not to accept the trust | |||
| anchors described in this document using whatever policy they want. | anchors described in this document using whatever policy they want. | |||
| In order to help validator operators verify the content and origin of | In order to help validator operators verify the content and origin of | |||
| trust anchors they receive, IANA uses digital signatures that chain | trust anchors they receive, IANA uses digital signatures that chain | |||
| to an ICANN-controlled Certificate Authority (CA) over the trust | to an ICANN-controlled Certificate Authority (CA) over the trust | |||
| anchor data. | anchor data. | |||
| It is important to note that the ICANN CA is not a DNSSEC trust | It is important to note that the ICANN CA is not a DNSSEC trust | |||
| anchor. Instead, it is an optional mechanism for verifying the | anchor. Instead, it is an optional mechanism for verifying the | |||
| content and origin of the XML and certificate trust anchors. | content and origin of the XML and certificate trust anchors. | |||
| The content and origin of the XML file can be verified using a | The content and origin of the XML document can be verified using a | |||
| digital signature on the file. IANA provides a detached | digital signature on the file. IANA provides a detached | |||
| Cryptographic Message Syntax (CMS) [RFC5652] signature that chains to | Cryptographic Message Syntax (CMS) [RFC5652] signature that chains to | |||
| the ICANN CA with the XML file. | the ICANN CA with the XML document. This can be useful for validator | |||
| This can be useful for validator operators who have received a copy | operators who have received a copy of the ICANN CA's public key in a | |||
| of the ICANN CA's public key in a trusted out-of-band fashion. The | trusted out-of-band fashion. The URL for a detached CMS signature | |||
| URL for a detached CMS signature for the XML file is | for the XML document is <https://data.iana.org/root-anchors/root- | |||
| <https://data.iana.org/root-anchors/root-anchors.p7s>. | anchors.p7s>. | |||
| Another method IANA uses to help validator operators verify the | Another method IANA uses to help validator operators verify the | |||
| content and origin of trust anchors they receive is to use the | content and origin of trust anchors they receive is to use the | |||
| Transport Layer Security (TLS) protocol for distributing the trust | Transport Layer Security (TLS) protocol for distributing the trust | |||
| anchors. Currently, the CA used for data.iana.org is well known, | anchors. Currently, the CA used for "data.iana.org" is well known, | |||
| that is, one that is a WebTrust-accredited CA. If a system | that is, one that is a WebTrust-accredited CA. If a system | |||
| retrieving the trust anchors trusts the CA that IANA uses for the | retrieving the trust anchors trusts the CA that IANA uses for the | |||
| "data.iana.org" web server, HTTPS SHOULD be used instead of HTTP in | "data.iana.org" web server, HTTPS SHOULD be used instead of HTTP in | |||
| order to have assurance of data origin. | order to have assurance of data origin. | |||
| 3.3. Changes in the Trust Model for Distribution | 3.3. Changes in the Trust Model for Distribution | |||
| IANA used to distribute the trust anchors as a self-signed PGP | IANA used to distribute trust anchors as a self-signed Pretty Good | |||
| message and as a self-issued certificate signing request; this was | Privacy (PGP) message and as a self-issued certificate signing | |||
| described in [RFC7958]. This document removes those methods because | request; this was described in [RFC7958]. This document removes | |||
| they relied on a trust model that mixed out-of-band trust of | those methods because they rely on a trust model that mixes out-of- | |||
| authentication keys with out-of-band trust of the DNSSEC root keys. | band trust of authentication keys with out-of-band trust of the | |||
| Note, however, that cryptographic assurance for the contents of the | DNSSEC root keys. Note, however, that cryptographic assurance for | |||
| trust anchor now comes from the web PKI or the ICANN CA as described | the contents of the trust anchor now comes from the Web PKI or the | |||
| in Section 3.2. This cryptographic assurance is bolstered by | ICANN CA as described in Section 3.2. This cryptographic assurance | |||
| informal comparisons made by users of the trust anchors, such as | is bolstered by informal comparisons made by users of the trust | |||
| software vendors comparing the trust anchor files they are using. | anchors, such as software vendors comparing the trust anchor files | |||
| they are using. | ||||
| 4. Security Considerations | 4. Security Considerations | |||
| This document describes how DNSSEC trust anchors for the root zone of | This document describes how DNSSEC trust anchors for the root zone of | |||
| the DNS are published. Many DNSSEC clients will only configure IANA- | the DNS are published. Many DNSSEC clients will only configure IANA- | |||
| issued trust anchors for the DNS root to perform validation. As a | issued trust anchors for the DNS root to perform validation. As a | |||
| consequence, reliable publication of trust anchors is important. | consequence, reliable publication of trust anchors is important. | |||
| This document aims to specify carefully the means by which such trust | This document aims to specify carefully the means by which such trust | |||
| anchors are published, with the goal of making it easier for those | anchors are published, with the goal of making it easier for those | |||
| trust anchors to be integrated into user environments. Some of the | trust anchors to be integrated into user environments. Some of the | |||
| methods described (such as accessing over the web with or without | methods described (such as accessing over the Web with or without | |||
| verifying the signature on the file) have different security | verifying the signature on the file) have different security | |||
| properties; users of the trust anchor file need to consider these | properties; users of the trust anchor file need to consider these | |||
| when choosing whether to load the set of trust anchors. | when choosing whether to load the set of trust anchors. | |||
| 4.1. Security Considerations for Relying Parties | 4.1. Security Considerations for Relying Parties | |||
| The body of this document does not specify any particular behavior | The body of this document does not specify any particular behavior | |||
| for relying parties. In specific, it does not say how a relying | for relying parties. Specifically, it does not say how a relying | |||
| party should treat the trust anchor file as a whole. However, some | party should treat the trust anchor file as a whole. However, some | |||
| of the contents of the trust anchor file require particular attention | of the contents of the trust anchor file require particular attention | |||
| for relying parties. | for relying parties. | |||
| 4.1.1. validUntil | 4.1.1. validUntil | |||
| Note that the validUntil attribute of the KeyDigest element is | Note that the validUntil attribute of the KeyDigest element is | |||
| optional. If the relying party is using a trust anchor that has a | optional. If the relying party is using a trust anchor that has a | |||
| KeyDigest element that does not have a validUntil attribute, it can | KeyDigest element that does not have a validUntil attribute, it can | |||
| change to a trust anchor with a KeyDigest element that does have a | change to a trust anchor with a KeyDigest element that does have a | |||
| validUntil attribute, as long as that trust anchor's validUntil | validUntil attribute, as long as that trust anchor's validUntil | |||
| attribute is in the future and the KeyTag, Algorithm, DigestType, and | attribute is in the future and the KeyTag, Algorithm, DigestType, and | |||
| Digest elements of the KeyDigest are the same as the previous trust | Digest elements of the KeyDigest are the same as those in the | |||
| anchor. | previous trust anchor. | |||
| Relying parties SHOULD NOT use a KeyDigest outside of the time range | Relying parties SHOULD NOT use a KeyDigest outside of the time range | |||
| given in the validFrom and validUntil attributes. | given in the validFrom and validUntil attributes. | |||
| 4.1.2. Comparison of Digest and a publickeyinfo | 4.1.2. Comparison of Digest and publickeyinfo | |||
| A KeyDigest element can contain both a Digest and a publickeyinfo | A KeyDigest element can contain both a Digest and a publickeyinfo | |||
| named pattern. If the Digest element would not be a proper DS record | named pattern. If the Digest element would not be a proper DS record | |||
| for a DNSKEY record represented by the publickeyinfo named pattern, | for a DNSKEY record represented by the publickeyinfo named pattern, | |||
| relying parties MUST NOT use that KeyDigest as a trust anchor. A | relying parties MUST NOT use that KeyDigest as a trust anchor. A | |||
| relying party that wants to make such a comparison needs to marshall | relying party that wants to make such a comparison needs to marshal | |||
| the elements of the DNSKEY record that became the DS record using the | the elements of the DNSKEY record that became the DS record using the | |||
| algorithm specified in Section 5.1.4 of [RFC4034]. | algorithm specified in Section 5.1.4 of [RFC4034]. | |||
| Relying parties need to implement trust anchor matching carefully. A | Relying parties need to implement trust anchor matching carefully. A | |||
| single trust anchor represented by a KeyDigest element can | single trust anchor represented by a KeyDigest element can | |||
| potentially change its Digest and KeyTag values between two versions | potentially change its Digest and KeyTag values between two versions | |||
| of the trust anchor file, for example when the key is revoked or the | of the trust anchor file, for example, when the key is revoked or the | |||
| flag value changes for some other reason. Relying parties which fail | flag value changes for some other reason. Relying parties that fail | |||
| to take this property into account are at risk of using an incorrect | to take this property into account are at risk of using an incorrect | |||
| set of trust anchors. | set of trust anchors. | |||
| 4.1.3. Different Outputs from Processing the Trust Anchor File | 4.1.3. Different Outputs from Processing the Trust Anchor File | |||
| Relying parties that require the optional publickeyinfo named pattern | Relying parties that require the optional publickeyinfo named pattern | |||
| to create trust anchors will store fewer trust anhcors than those | to create trust anchors will store fewer trust anchors than those | |||
| that only require a Digest element. Thus, two systems processing the | that only require a Digest element. Thus, two systems processing the | |||
| same trust anchor file can end up with a different set of trust | same trust anchor file can end up with a different set of trust | |||
| anchors. | anchors. | |||
| 5. IANA Considerations | 5. IANA Considerations | |||
| Each time IANA produces a new trust anchor, it MUST publish that | Each time IANA produces a new trust anchor, it MUST publish that | |||
| trust anchor using the format described in this document. | trust anchor using the format described in this document. | |||
| IANA MAY delay the publication of a new trust anchor for operational | IANA MAY delay the publication of a new trust anchor for operational | |||
| reasons, such as having a newly-created key in multiple facilities. | reasons, such as having a newly created key in multiple facilities. | |||
| When a trust anchor that was previously published is no longer | When a trust anchor that was previously published is no longer | |||
| suitable for use, IANA MUST update the trust anchor document | suitable for use, IANA MUST update the trust anchor file accordingly | |||
| accordingly by setting a validUntil date for that trust anchor. The | by setting a validUntil date for that trust anchor. The validUntil | |||
| validUntil attribute that is added MAY be a date in the past or in | attribute that is added MAY be a date in the past or in the future, | |||
| the future, depending on IANA's operational choices. | depending on IANA's operational choices. | |||
| More information about IANA's policies and procedures for how the | More information about IANA's policies and procedures for how the | |||
| cryptographic keys for the DNS root zone are managed (also known as | cryptographic keys for the DNS root zone are managed (also known as | |||
| "DNSSEC Practice Statements" or "DPSs") can be found at | "DNSSEC Practice Statements" or "DPSs") can be found at | |||
| https://www.iana.org/dnssec/procedures (https://www.iana.org/dnssec/ | <https://www.iana.org/dnssec/procedures>. | |||
| procedures). | ||||
| [RFC7958] defined id-mod-dns-resource-record, value 70, which was | [RFC7958] defined id-mod-dns-resource-record, value 70, which was | |||
| added to the the "SMI Security for PKIX Module Identifier" registry. | added to the "SMI Security for PKIX Module Identifier" registry. | |||
| This document no longer uses that identifier. | This document does not use that identifier. | |||
| 6. References | 6. References | |||
| 6.1. Normative References | 6.1. Normative References | |||
| [RFC1034] Mockapetris, P., "Domain names - concepts and facilities", | [RFC1034] Mockapetris, P., "Domain names - concepts and facilities", | |||
| STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987, | STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987, | |||
| <https://www.rfc-editor.org/rfc/rfc1034>. | <https://www.rfc-editor.org/info/rfc1034>. | |||
| [RFC1035] Mockapetris, P., "Domain names - implementation and | [RFC1035] Mockapetris, P., "Domain names - implementation and | |||
| specification", STD 13, RFC 1035, DOI 10.17487/RFC1035, | specification", STD 13, RFC 1035, DOI 10.17487/RFC1035, | |||
| November 1987, <https://www.rfc-editor.org/rfc/rfc1035>. | November 1987, <https://www.rfc-editor.org/info/rfc1035>. | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
| DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||
| <https://www.rfc-editor.org/rfc/rfc2119>. | <https://www.rfc-editor.org/info/rfc2119>. | |||
| [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. | [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. | |||
| Rose, "DNS Security Introduction and Requirements", | Rose, "DNS Security Introduction and Requirements", | |||
| RFC 4033, DOI 10.17487/RFC4033, March 2005, | RFC 4033, DOI 10.17487/RFC4033, March 2005, | |||
| <https://www.rfc-editor.org/rfc/rfc4033>. | <https://www.rfc-editor.org/info/rfc4033>. | |||
| [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. | [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. | |||
| Rose, "Resource Records for the DNS Security Extensions", | Rose, "Resource Records for the DNS Security Extensions", | |||
| RFC 4034, DOI 10.17487/RFC4034, March 2005, | RFC 4034, DOI 10.17487/RFC4034, March 2005, | |||
| <https://www.rfc-editor.org/rfc/rfc4034>. | <https://www.rfc-editor.org/info/rfc4034>. | |||
| [RFC5011] StJohns, M., "Automated Updates of DNS Security (DNSSEC) | [RFC5011] StJohns, M., "Automated Updates of DNS Security (DNSSEC) | |||
| Trust Anchors", STD 74, RFC 5011, DOI 10.17487/RFC5011, | Trust Anchors", STD 74, RFC 5011, DOI 10.17487/RFC5011, | |||
| September 2007, <https://www.rfc-editor.org/rfc/rfc5011>. | September 2007, <https://www.rfc-editor.org/info/rfc5011>. | |||
| [RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70, | [RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70, | |||
| RFC 5652, DOI 10.17487/RFC5652, September 2009, | RFC 5652, DOI 10.17487/RFC5652, September 2009, | |||
| <https://www.rfc-editor.org/rfc/rfc5652>. | <https://www.rfc-editor.org/info/rfc5652>. | |||
| [RFC7958] Abley, J., Schlyter, J., Bailey, G., and P. Hoffman, | [RFC7958] Abley, J., Schlyter, J., Bailey, G., and P. Hoffman, | |||
| "DNSSEC Trust Anchor Publication for the Root Zone", | "DNSSEC Trust Anchor Publication for the Root Zone", | |||
| RFC 7958, DOI 10.17487/RFC7958, August 2016, | RFC 7958, DOI 10.17487/RFC7958, August 2016, | |||
| <https://www.rfc-editor.org/rfc/rfc7958>. | <https://www.rfc-editor.org/info/rfc7958>. | |||
| [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | |||
| 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | |||
| May 2017, <https://www.rfc-editor.org/rfc/rfc8174>. | May 2017, <https://www.rfc-editor.org/info/rfc8174>. | |||
| [RFC9157] Hoffman, P., "Revised IANA Considerations for DNSSEC", | [RFC9157] Hoffman, P., "Revised IANA Considerations for DNSSEC", | |||
| RFC 9157, DOI 10.17487/RFC9157, December 2021, | RFC 9157, DOI 10.17487/RFC9157, December 2021, | |||
| <https://www.rfc-editor.org/rfc/rfc9157>. | <https://www.rfc-editor.org/info/rfc9157>. | |||
| [RFC9364] Hoffman, P., "DNS Security Extensions (DNSSEC)", BCP 237, | [RFC9364] Hoffman, P., "DNS Security Extensions (DNSSEC)", BCP 237, | |||
| RFC 9364, DOI 10.17487/RFC9364, February 2023, | RFC 9364, DOI 10.17487/RFC9364, February 2023, | |||
| <https://www.rfc-editor.org/rfc/rfc9364>. | <https://www.rfc-editor.org/info/rfc9364>. | |||
| [W3C.REC-xml11-20060816] | ||||
| Bray, T., Paoli, J., Sperberg-McQueen, M., Maler, E., | ||||
| Yergeau, F., and J. Cowan, "Extensible Markup Language | ||||
| (XML) 1.1 (Second Edition)", W3C Recommendation REC- | ||||
| xml11-20060816, 16 August 2006, | ||||
| <https://www.w3.org/TR/2006/REC-xml11-20060816>. | ||||
| 6.2. Informative References | 6.2. Informative References | |||
| [DPS] Root Zone KSK Operator Policy Management Authority, | [DPS] Root Zone KSK Operator Policy Management Authority, | |||
| "DNSSEC Practice Statement for the Root Zone KSK | "DNSSEC Practice Statement for the Root Zone KSK | |||
| Operator", n.d., <https://www.iana.org/dnssec/procedures>. | Operator", <https://www.iana.org/dnssec/procedures>. | |||
| [RELAX-NG] Clark, J., "RELAX NG Compact Syntax", 2002, | [RELAX-NG] Clark, J., "RELAX NG Compact Syntax", OASIS Committee | |||
| <https://www.oasis-open.org/committees/relax-ng/compact- | Specification, November 2002, <https://www.oasis- | |||
| 20021121.html>. | open.org/committees/relax-ng/compact-20021121.html>. | |||
| Appendix A. Changes from RFC 7958 | Appendix A. Changes from RFC 7958 | |||
| This version of the document includes the following changes: | This document includes the following changes: | |||
| * There is a significant technical change from erratum 5932 | * Made a significant technical change per Erratum ID 5932 | |||
| <https://www.rfc-editor.org/errata/eid5932>. This is in the | <https://www.rfc-editor.org/errata/eid5932>. This change is in | |||
| seventh paragraph of Section 2.2. | the seventh paragraph of Section 2.2. | |||
| * Added the optional publickeyinfo named pattern with two mandatory | * Added the optional publickeyinfo named pattern with two mandatory | |||
| elements, PublicKey and Flags. | elements, PublicKey and Flags. | |||
| * Removed the certificates and certificate signing mechanisms. | * Removed the certificates and certificate signing mechanisms. | |||
| * Removed the detached OpenPGP signature mechanism. | * Removed the detached OpenPGP signature mechanism. | |||
| * The reference to the DNSSEC Practice Statement [DPS] was updated. | * Updated the reference to the DNSSEC Practice Statement [DPS]. | |||
| * Say explicitly that the XML documents might have XML comments in | * Stated explicitly that the XML documents might have XML comments | |||
| them. | in them. | |||
| * Clarified the use of the detached CMS signature. | * Clarified the use of the detached CMS signature. | |||
| * Updated the IANA Considerations section to indicate requirements | * Updated the IANA Considerations section to indicate requirements | |||
| on IANA. | on IANA. | |||
| * Simplified the description of using the validFrom and validUntil | * Simplified the description of using the validFrom and validUntil | |||
| attributes. | attributes. | |||
| * Added new security considerations. | * Added new security considerations. | |||
| * There was a bit of editorial cleanup. | * Made some editorial changes. | |||
| Appendix B. Historical Note | Appendix B. Historical Note | |||
| The first KSK for use in the root zone of the DNS was generated at a | The first Key Signing Key (KSK) for use in the root zone of the DNS | |||
| key ceremony at the ICANN Key Management Facility (KMF) in Culpeper, | was generated at a key ceremony at the ICANN Key Management Facility | |||
| Virginia, USA on 2010-06-16. This key entered production during a | (KMF) in Culpeper, Virginia, USA on 2010-06-16. This key entered | |||
| second key ceremony held at an ICANN KMF in El Segundo, California, | production during a second key ceremony held at an ICANN KMF in El | |||
| USA on 2010-07-12. The resulting trust anchor was first published on | Segundo, California, USA on 2010-07-12. The resulting trust anchor | |||
| 2010-07-15. | was first published on 2010-07-15. | |||
| The second KSK for use in the root zone of the DNS was generated at | The second KSK for use in the root zone of the DNS was generated at | |||
| key ceremony #27 at the ICANN KMF in Culpeper, Virginia, USA on | key ceremony #27 at the ICANN KMF in Culpeper, Virginia, USA on | |||
| 2016-10-27. This key entered production during key ceremony #28 held | 2016-10-27. This key entered production during key ceremony #28 held | |||
| at the ICANN KMF in El Segundo, California, USA on 2017-02-02. The | at the ICANN KMF in El Segundo, California, USA on 2017-02-02. The | |||
| resulting trust anchor was first published on 2018-11-11. | resulting trust anchor was first published on 2018-11-11. | |||
| More information about the key ceremonies, including full records of | More information about the key ceremonies, including full records of | |||
| previous ceremonies and plans for future ceremonies, can be found at | previous ceremonies and plans for future ceremonies, can be found at | |||
| <https://www.iana.org/dnssec/ceremonies>. | <https://www.iana.org/dnssec/ceremonies>. | |||
| Appendix C. Acknowledgemwents | Acknowledgements | |||
| Many pioneers paved the way for the deployment of DNSSEC in the root | Many pioneers paved the way for the deployment of DNSSEC in the root | |||
| zone of the DNS, and the authors hereby acknowledge their substantial | zone of the DNS, and the authors hereby acknowledge their substantial | |||
| collective contribution. | collective contribution. | |||
| RFC 7958 incorporated suggestions made by Alfred Hoenes and Russ | RFC 7958 incorporated suggestions made by Alfred Hoenes and Russ | |||
| Housley, whose contributions are appreciated. | Housley, whose contributions are appreciated. | |||
| Authors' Addresses | Authors' Addresses | |||
| End of changes. 66 change blocks. | ||||
| 171 lines changed or deleted | 168 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. | ||||