Key Assurance With DNSSEC

A new mailing list has been created for discussion of key assurance with DNSSEC.

List address:
To subscribe:

Description: This list is for discussion relating to using DNSSEC-protected DNS queries to get greater assurance for keys and certificates that are passed in existing IETF protocols. The main idea is that a relying party can get additional information about a domain name to eliminate the need for using a certificate in a protocol, to eliminate the need for sending certificates in the protocol if they are optional, and/or to assure that the certificate given in a protocol is associated with the domain name used by the application. In all three cases, the application associates the key or key fingerprint securely retrieved from the DNS with the domain name that was used in the DNS query.

In his announcement Ondřej Surý provides further background information:
You may want to read:

The problem statement I and Warren wrote:

New I-D by Jakob, Paul, Warren and Adam:

Slightly older CERT RR (which we already have):

And various older proposals which didn’t make it:


(RR TYPE request I did)
