Feb 8 – 9, 2020
Hyatt Regency San Francisco
America/Los_Angeles timezone

Improving DNSSEC Provisioning with 3rd Party DNS Providers

Feb 8, 2020, 4:50 PM
Bayview Room (Hyatt Regency San Francisco)

5 Embarcadero Center San Francisco CA 94111 United States
Lightning Talk


Shumon Huque (Salesforce)


A group of DNS engineers has formed a design team to look at improving DNSSEC provisioning with 3rd party DNS providers. Two issues are being looked at:

  1. DNSSEC requires the registry to have a DS record associated with the zone. When 3rd party DNS providers generate the key(s) and sign the zone, there is no well-defined path for providing the DS record to the registry. (Some ccTLDs are implementing RFC 8078.)

  2. If multiple 3rd party DNS providers are serving the same zone, each signing with its own key, they each need to include the ZSKs (or CSKs) of the other providers. “Multi-Signer DNSSEC Models” defines the general scheme, but there is no well-defined protocol for coordinating the cross-signing process between the providers.

We'll briefly discuss the planned work and tell you how to get involved.
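The cross-publication requirement in issue 2 can be checked mechanically. The following is an added example, not material from the talk or the design team: it flags any provider whose DNSKEY RRset lacks another provider's signing key, reporting the gap by RFC 4034 key tag. The provider names, the dictionary layout and the key bytes are constructed assumptions.

```python
import struct
from typing import NamedTuple


class DnsKey(NamedTuple):
    flags: int          # 256 = ZSK, 257 = KSK or CSK (SEP bit set)
    protocol: int       # always 3
    algorithm: int      # 13 = ECDSAP256SHA256
    public_key: bytes

    def rdata(self) -> bytes:
        """DNSKEY RDATA in wire format (RFC 4034, section 2.1)."""
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key


def key_tag(key: DnsKey) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except 1)."""
    acc = 0
    for i, octet in enumerate(key.rdata()):
        acc += octet if i & 1 else octet << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def missing_cross_published_keys(providers: dict) -> dict:
    """For each provider, key tags of other providers' signing keys absent from its DNSKEY RRset."""
    gaps = {}
    for name, cfg in providers.items():
        published = set(cfg["dnskey_rrset"])
        needed = {k for other, o in providers.items() if other != name
                  for k in o["zone_signing"]}
        gaps[name] = sorted(key_tag(k) for k in needed - published)
    return gaps


# Constructed sample: two hypothetical providers; key bytes are placeholders, not real keys.
KSK_A = DnsKey(257, 3, 13, bytes(range(128, 192)))
ZSK_A = DnsKey(256, 3, 13, bytes(range(0, 64)))
KSK_B = DnsKey(257, 3, 13, bytes(range(192, 256)))
ZSK_B = DnsKey(256, 3, 13, bytes(range(64, 128)))
PROVIDERS = {
    "provider-a": {"zone_signing": [ZSK_A], "dnskey_rrset": [KSK_A, ZSK_A, ZSK_B]},
    # provider-b has not yet imported provider-a's ZSK
    "provider-b": {"zone_signing": [ZSK_B], "dnskey_rrset": [KSK_B, ZSK_B]},
}

if __name__ == "__main__":
    for provider, tags in missing_cross_published_keys(PROVIDERS).items():
        print(provider, "OK" if not tags else f"missing key tags {tags}")
```

A gap matters because a validating resolver may fetch the DNSKEY RRset from one provider and signed data from another, and validation fails if the signing key is not in the RRset it fetched.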

Talk Duration: Lightning Talk 5 Minutes

Primary authors

Shumon Huque (Salesforce), Steve Crocker (Shinkuro)