We introduce and discuss an authenticated in-band method for automatic signaling of a DNS zone's delegation signer information from the zone's DNS operator. In standard (single-signer) setups, the zone's registrar or registry may subsequently use this signal for automatic DS record provisioning in the parent zone. In multi-signer scenarios (RFC 8901), the method may be used to securely distribute a new signing party's keying material to existing parties. Finally, we discuss prospects and practicality of the protocol by measuring and analyzing the prevalence of the prerequisites needed for deployment.
20-minute presentation (incl. 5 minutes Q&A)