September 8, 2021
OARConline 35a begins 15:00 UTC today 8 September

Authenticated Bootstrapping of DNSSEC Delegations

Sep 8, 2021, 4:20 PM
Peter Thomassen (deSEC)


We introduce and discuss an authenticated in-band method for automatic signaling of a DNS zone's delegation signer information from the zone's DNS operator. In standard (single-signer) setups, the zone's registrar or registry may subsequently use this signal for automatic DS record provisioning in the parent zone. In multi-signer scenarios (RFC 8901), the method may be used to securely distribute a new signing party's keying material to existing parties. Finally, we discuss prospects and practicality of the protocol by measuring and analyzing the prevalence of the prerequisites needed for deployment.

Talk Duration: 20 Minutes Presentation (inc. 5 Minutes Q&A)

Primary authors

Peter Thomassen (deSEC)
Nils Wisiol (deSEC)

