Skip to content

Commit 1cf9f89

Browse files
author
ietf-corpus-bot
committed
auto-ingest: ietf-elements backfill — 193 new elements (2026-07-12)
1 parent 51c2f45 commit 1cf9f89

193 files changed

Lines changed: 1731 additions & 0 deletions

File tree

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.
Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,8 @@
1+
document: rfc-9615
2+
kind: design-rationale
3+
summary: On-demand triggers (like notifications) are preferred over timer-based triggers (such as daily scans) because timer-based mechanisms exhibit undesirable properties with respect to processing delay and scaling. Both child DNS operators and parental agents are encouraged to use on-demand triggers to reduce delays and scanning traffic.
4+
section: "4.3"
5+
topics:
6+
- dns
7+
extracted_by: claude-sonnet-4-6
8+
extracted_at: "2026-07-12"
Lines changed: 9 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,9 @@
1+
document: rfc-9615
2+
kind: design-rationale
3+
summary: Signaling domains SHOULD be delegated as standalone zones so that the signaling zone apex coincides with the signaling domain (e.g., _signal.ns1.example.net). This ensures that bootstrapping activities do not require modifications to the zone containing the nameserver hostname.
4+
section: "5.1"
5+
rfc2119_level: SHOULD
6+
topics:
7+
- dns
8+
extracted_by: claude-sonnet-4-6
9+
extracted_at: "2026-07-12"
Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,8 @@
1+
document: rfc-9615
2+
kind: design-rationale
3+
summary: The protocol is designed as a generic signaling mechanism, not just for DNSSEC bootstrapping. The '_dsboot' signaling type is one application; other applications could include publishing operational metadata or API endpoints. This generality is why the mechanism uses a signaling type label to namespace different use cases.
4+
section: "1"
5+
topics:
6+
- dns
7+
extracted_by: claude-sonnet-4-6
8+
extracted_at: "2026-07-12"
Lines changed: 9 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,9 @@
1+
document: rfc-9615
2+
kind: interoperability-note
3+
summary: DNSSEC bootstrapping does not work for fully in-domain delegations because no preexisting chain of trust to the child domain exists during bootstrapping. A workaround is to temporarily add an out-of-domain nameserver to the NS RRset and remove it after bootstrapping is complete, potentially using CSYNC records (RFC 7477).
4+
section: "4.4"
5+
topics:
6+
- dns
7+
- security
8+
extracted_by: claude-sonnet-4-6
9+
extracted_at: "2026-07-12"
Lines changed: 10 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,10 @@
1+
document: rfc-9615
2+
kind: interoperability-note
3+
summary: The DS enrollment methods in Section 3 of RFC 8078 are less secure than the method in this document. Child DNS operators and parental agents wishing to use CDS/CDNSKEY records for initial DS enrollment SHOULD support the authentication protocol described in this document instead.
4+
section: "2"
5+
rfc2119_level: SHOULD
6+
topics:
7+
- dns
8+
- security
9+
extracted_by: claude-sonnet-4-6
10+
extracted_at: "2026-07-12"
Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,8 @@
1+
document: rfc-9615
2+
kind: interoperability-note
3+
summary: The protocol does not support unusually long child domain names or NS hostnames, as fully qualified signaling names must be valid DNS names subject to the label count and length requirements of RFC 1035 Section 3.1.
4+
section: "4.4"
5+
topics:
6+
- dns
7+
extracted_by: claude-sonnet-4-6
8+
extracted_at: "2026-07-12"
Lines changed: 9 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,9 @@
1+
document: rfc-9615
2+
kind: interoperability-note
3+
summary: This document updates RFC 7344 by removing the apex-only location restriction for CDS/CDNSKEY records (Section 4.1 of RFC 7344), enabling use of these record types at non-apex owner names for DNSSEC bootstrapping signaling.
4+
section: "2"
5+
topics:
6+
- dns
7+
- security
8+
extracted_by: claude-sonnet-4-6
9+
extracted_at: "2026-07-12"
Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,11 @@
1+
document: rfc-9615
2+
kind: normative-requirement
3+
summary: A signaling RRset MUST be signed with the corresponding signaling zone's key(s), and its contents MUST be identical to the corresponding CDS/CDNSKEY RRset published at the child's apex.
4+
section: "4.1"
5+
rfc2119_level: MUST
6+
topics:
7+
- dns
8+
- security
9+
- crypto
10+
extracted_by: claude-sonnet-4-6
11+
extracted_at: "2026-07-12"
Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,11 @@
1+
document: rfc-9615
2+
kind: normative-requirement
3+
summary: Each signaling zone MUST be signed and be validatable by the parental agent, i.e., have a valid publicly resolvable DNSSEC chain of trust. This is typically achieved by securely delegating each signaling zone.
4+
section: "3.1"
5+
rfc2119_level: MUST
6+
topics:
7+
- dns
8+
- security
9+
- crypto
10+
extracted_by: claude-sonnet-4-6
11+
extracted_at: "2026-07-12"
Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,11 @@
1+
document: rfc-9615
2+
kind: normative-requirement
3+
summary: It is RECOMMENDED that QNAME minimization (RFC 9156) be used when resolving queries for signaling records, to guard against forgery attacks where an upstream parent of a signaling domain intercepts CDS/CDNSKEY queries and responds with a fraudulent authoritative answer.
4+
section: "5.2"
5+
rfc2119_level: RECOMMENDED
6+
topics:
7+
- dns
8+
- security
9+
- privacy
10+
extracted_by: claude-sonnet-4-6
11+
extracted_at: "2026-07-12"

0 commit comments

Comments
 (0)