Domain Name System Operations (dnsop) U. Wisser Internet-Draft ICANN Intended status: Standards Track S. Huque Expires: 14 December 2026 Salesforce J. Stenstam The Swedish Internet Foundation 12 June 2026 DNSSEC automation draft-ietf-dnsop-dnssec-automation-04 Abstract This document describes an algorithm and protocol to automate the setup, operations, and decommissioning of Multi-Signer DNSSEC [RFC8901] configurations. To accomplish this, it employs Model 2 of the multi-signer specification (where each operator has their own distinct KSK and ZSK sets, or CSK sets), management of DS records from the parent via CDS/CDNSKEY [RFC8078], and Child-to-Parent Synchronization in DNS [RFC7477]. Discussion Venues This note is to be removed before publishing as an RFC. Source for this draft and an issue tracker can be found at https://github.com/ietf-wg-dnsop/draft-ietf-dnsop-dnssec-automation. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on 14 December 2026. Wisser, et al. Expires 14 December 2026 [Page 1] Internet-Draft DNSSEC automation June 2026 Copyright Notice Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1.1. Out-Of-Scope . . . . . . . . . . . . . . . . . . . . . . 3 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 3. Use Cases . . . . . . . . . . . . . . . . . . . . . . . . . . 4 3.1. Permanent Multi-Signer Operation . . . . . . . . . . . . 4 3.2. Secure DNS Operator Transition . . . . . . . . . . . . . 5 4. Automation Models . . . . . . . . . . . . . . . . . . . . . . 5 4.1. Centralized . . . . . . . . . . . . . . . . . . . . . . . 5 4.2. Decentralized . . . . . . . . . . . . . . . . . . . . . . 5 4.3. Capabilities . . . . . . . . . . . . . . . . . . . . . . 5 5. Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . 6 5.1. Prerequisites . . . . . . . . . . . . . . . . . . . . . . 6 5.2. Setting up a new multi-signer group . . . . . . . . . . . 7 5.3. A signer joins the multi-signer group . . . . . . . . . . 7 5.4. A signer leaves the multi-signer group . . . . . . . . . 7 5.5. A signer performs a ZSK rollover . . . . . . . . . . . . 8 5.6. A signer performs a CSK or KSK rollover . . . . . . . . . 8 5.7. Algorithm rollover for the whole multi-signer group . . . 9 6. Signers with different algorithms in a multi-signer group . . 9 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 8. Security Considerations . . . . . . . . . . . . . . . . . . . 10 9. Implementation Status . . . . . . . . . . . . . . . . . . . . 11 10. Normative References . . . . . . . . . . . . . . . . . . . . 11 11. Informative References . . . . . . . . . . . . . . . . . . . 12 Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 12 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 12 Wisser, et al. Expires 14 December 2026 [Page 2] Internet-Draft DNSSEC automation June 2026 1. Introduction [RFC8901] describes the necessary steps and API for a multi-signer DNSSEC configuration. In this document we will combine Model 2 of [RFC8901] with [RFC8078] and [RFC7477] to define an automatable algorithm for setting up, operating, and decommissioning a multi- signer DNSSEC configuration. Besides steady state multi-signer operation, one of the special use cases of this protocol is to enable non-disruptive migration of a signed DNS zone from one provider to another, which employs a transitory state of a multi-signer configuration. 1.1. Out-Of-Scope In order for any multi-signer group to give consistent answers across all nameservers, the data contents of the zone also have to be synchronized (in addition to infrastructure records like NS, DNSKEY, CDS etc). This content synchronization is out-of-scope for this document. 2. Terminology The key words "*MUST*", "*MUST NOT*", "*REQUIRED*", "*SHALL*", "*SHALL NOT*", "*SHOULD*", "*SHOULD NOT*", "*RECOMMENDED*", "*MAY*", and "*OPTIONAL*" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. *Signer* An entity signing a zone *Multi-signer Group* A group of signers that sign the same zone *Controller* An entity controlling the multi-signer group. Used in the decentralized model. *Parent* See [RFC8499] *Trust mechanism* Wisser, et al. Expires 14 December 2026 [Page 3] Internet-Draft DNSSEC automation June 2026 An authenticated channel used to apply control-plane changes (DNSKEY, CDS/CDNSKEY, CSYNC, NS) on each signer, possibly mediated by the zone owner or a controller. The detailed mechanism is out of scope for this document. *DS-Wait-Time* Once the parent has picked up and published the new DS record set, any further changes MUST be delayed until the new DS set has propagated. The minimum DS-Wait-Time is the TTL of the DS RRset. *DNSKEY-Wait-Time* Once the DNSKEY sets of all signers are updated, any further changes MUST be delayed until the new DNSKEY set has propagated. The minimum DNSKEY-Wait-Time is the maximum of all DNSKEY TTL values from all signers plus the time it takes to publish the zone on all secondaries. *NS-Wait-Time* Once the parent has picked up and published the new NS record set, any further changes MUST be delayed until the new NS set has propagated. The minimum NS-Wait-Time is the maximum of the TTL value of the NS set in the parent zone and all NS sets from all signers. 3. Use Cases In this document we describe, except for the initial trust, how the steps in the multi-signer DNSSEC setup can be automated. The following two use cases are in the scope of this document. 3.1. Permanent Multi-Signer Operation This is the typical use case described in [RFC8901], where multiple DNS providers are used to cooperatively serve a DNS zone, each signing independently with their own keys, in a steady state configuration to increase availability. Wisser, et al. Expires 14 December 2026 [Page 4] Internet-Draft DNSSEC automation June 2026 3.2. Secure DNS Operator Transition Changing the nameserver operator of a DNSSEC signed zone can be challenging. Currently the most common method is temporarily "going insecure". This is poor for security, and for users relying on the security of the zone. Furthermore, when DNSSEC is being used for application security functions like DANE [RFC6698], it is critical that the DNSSEC chain of trust remain unbroken during the transfer. Multi-signer DNSSEC Model 2 provides a mechanism for transitioning from one nameserver operator to another without "going insecure". A new operator joins the current operator in a temporary multi-signer group. Once that is accomplished and stable, the old operator leaves the multi-signer group, completing the transition. 4. Automation Models Automation of the necessary steps can be categorized into two main models, centralized and decentralized. Both have pros and cons, and a zone owner should carefully choose the model that works best. 4.1. Centralized In a centralized model a controller executes all steps necessary and controls all signers. The controller needs to have authorized access to all signers. This can be achieved in a variety of different ways. For example, many service providers offer access through a REST API. Another possibility is access through Dynamic Update [RFC2136] with TSIG authentication. 4.2. Decentralized In the decentralized model all signers communicate with each other and execute the necessary steps on their own instance. For this, signers need a specialized protocol to communicate configuration details that are not part of the zone data. 4.3. Capabilities In order for any of the models to work, the signer must support the following capabilities. 1. Add DNSKEY records (without the private key) 2. Remove (previously added) DNSKEY record(s) Wisser, et al. Expires 14 December 2026 [Page 5] Internet-Draft DNSSEC automation June 2026 3. Add CDS and CDNSKEY records for keys not in the DNSKEY set 4. Remove (previously added) CDS and CDNSKEY records 5. Add CSYNC record 6. Remove CSYNC record 5. Algorithms In a centralized model it is the controller's task to compute all waiting times and control the zone in a way that all timing restrictions are met. In the decentralized model every signer must compute all waiting times and adhere to all timing restrictions. In both methods, some of the timing restrictions must be specified as part of the configuration data. 5.1. Prerequisites Each signer to be added, including the initial signer, must meet the following prerequisites before joining the multi-signer group: 1. A working setup of the zone, including DNSSEC signing. 2. Uses the same algorithms for DNSSEC signing as the multi-signer group uses or will use. 3. Signer or controller must be able to differentiate between its own keys and keys from other signers. 4. Signer or controller must be able to differentiate between NS records that are updated by itself and NS records that receive updates from other signers. 5. Typically automated updates to the DS and NS records in the parent zone require the parent zone to employ scanning of the CDS/CDNSKEY/CSYNC records in its child zones. Alternatively, the use of the Generalized NOTIFY [RFC9859] mechanism could be employed. If neither of these options is available, updates to the parent zone need to be made manually. Wisser, et al. Expires 14 December 2026 [Page 6] Internet-Draft DNSSEC automation June 2026 5.2. Setting up a new multi-signer group The zone is already authoritatively served by one DNS operator and is DNSSEC signed. For full automation, both the KSK and ZSK (or CSK) must be online. This can be viewed as an initial state where the multi-signer group has only one signer. 5.3. A signer joins the multi-signer group 1. Confirm that the incoming signer meets the prerequisites. 2. Establish a trust mechanism between the multi-signer group and the signer. 3. Add ZSK for each signer to the DNSKEY RRsets of all the other signers. 4. Calculate CDS/CDNSKEY Records for all KSKs/CSKs represented in the multi-signer group. 5. Configure all signers with the compiled CDS/CDNSKEY RRset. 6. Wait for Parent to publish the combined DS RRset, based on observation of the CDS/CDNSKEY RRsets. 7. Remove CDS/CDNSKEY Records from all signers. (optional) 8. Wait for the maximum of DS-Wait-Time and DNSKEY-Wait-Time. 9. Compile NS RRset including all NS records from all signers. 10. Configure all signers with the compiled NS RRset. 11. Compare NS RRset of the signers to the Parent. If there is a difference, publish a CSYNC record with the NS, A, and AAAA bits set on all signers. 12. Wait for Parent to publish updates to the delegating NS RRset based on observation of the CSYNC RRsets. 13. Remove CSYNC record from all signers. (optional) 5.4. A signer leaves the multi-signer group 1. Remove exiting signer's NS records from remaining signers Wisser, et al. Expires 14 December 2026 [Page 7] Internet-Draft DNSSEC automation June 2026 2. Compare NS RRset of the signers to the Parent. If there is a difference, publish a CSYNC record with the NS, A, and AAAA bits set on the remaining signers. 3. Wait for Parent to publish NS RRset. 4. Remove CSYNC record from all signers. (optional) 5. Wait for NS-Wait-Time. 6. Stop the exiting signer from answering queries. 7. Calculate CDS/CDNSKEY Records for KSKs/CSKs published by the remaining signers. 8. Configure remaining signers with the compiled CDS/CDNSKEY RRset. 9. Remove ZSK/CSK of the exiting signer from remaining signers. 10. Wait for Parent to publish the updated DS RRset. 11. Remove CDS/CDNSKEY set from all signers. (Optional) 5.5. A signer performs a ZSK rollover 1. The signer introduces the new ZSK in its own DNSKEY RRset. 2. Update all signers with the new ZSK. 3. Wait for DNSKEY-Wait-Time. 4. Signer can start using the new ZSK. 5. When the old ZSK is not used in any signatures by the signer, the signer can remove the old ZSK from its DNSKEY RRset. 6. Remove ZSK from DNSKEY RRset of all signers. 5.6. A signer performs a CSK or KSK rollover 1. Signer publishes new CSK / KSK in its own DNSKEY RRset. 2. In the case of a CSK, add CSK to DNSKEY set of all other signers. 3. Signer signs DNSKEY RRset with old and new CSK / KSK. 4. Calculate new CDS/CDNSKEY RRset and publish on all signers. Wisser, et al. Expires 14 December 2026 [Page 8] Internet-Draft DNSSEC automation June 2026 5. Wait for Parent to pick up and publish the new DS RRset. 6. Wait for DS-Wait-Time + DNSKEY-Wait-Time. 7. Signer removes old CSK/KSK from its DNSKEY RRset, and removes all signatures made with this key. 8. In the case of a CSK, remove old CSK from DNSKEY set of all other signers. 9. Calculate new CDS/CDNSKEY RRset and publish on all signers. 10. Wait for Parent to pick up and publish the new DS RRset. 11. Remove CDS/CDNSKEY RRsets from all signers. 5.7. Algorithm rollover for the whole multi-signer group 1. All signers publish KSK and ZSK or CSK using the new algorithm. 2. All signers sign all zone data with the new keys. 3. Wait until all signers have signed all data with the new key(s). 4. Add new ZSK of each signer to all other signers. 5. Calculate new CDS/CDNSKEY RRset and publish on all signers. 6. Wait for Parent to pick up and publish the new DS RRset. 7. Wait for DS-Wait-Time + DNSKEY-Wait-Time. 8. Remove all keys and signatures that use the old algorithm. 9. Calculate new CDS/CDNSKEY RRset and publish on all signers. 10. Wait for Parent to pick up and publish the new DS RRset. 11. Remove CDS/CDNSKEY RRsets from all signers. 6. Signers with different algorithms in a multi-signer group Only when all signers use the same algorithm(s) can all resolvers validate zone data with consistency. This section tries to summarize why that is the case and what trade- offs can be made in situations where using the same algorithm isn't possible. Wisser, et al. Expires 14 December 2026 [Page 9] Internet-Draft DNSSEC automation June 2026 Section 2.2 of [RFC4035] states that a signed zone MUST include a DNSKEY for each algorithm present in the zone's DS RRset and expected trust anchors for the zone. A setup where different signers use different key algorithms therefore violates [RFC4035]. According to Section 5.11 of [RFC6840] validators SHOULD NOT insist that all algorithms signaled in the DS RRset work, and they MUST NOT insist that all algorithms signaled in the DNSKEY RRset work. So a multi-signer setup where different signers use different key algorithms should still validate. This could be an acceptable risk in situations where going insecure is undesirable or impossible, and nameservers must be changed between operators that only support disjoint sets of key algorithms. We have to consider the following scenarios: *Validator supports both algorithms* Validation should be stable through all stages of the multi-signer algorithms. *Validator supports none of the algorithms* The validator will treat the zone as unsigned. Resolution should work through all stages of the multi-signer algorithms. *Validator supports only one of the algorithms* The validator will not be able to validate the DNSKEY RRset or any data from one of the signers, and will typically retry other nameservers for the zone until it can find another signer that it does recognize, or return a SERVFAIL response code otherwise. The latter scenario can be mitigated by selecting only well-supported algorithms. [MULTI-ALG-RULES] proposes to formally define such "universal" algorithms and sanction such configurations. 7. IANA Considerations This document has no IANA actions. 8. Security Considerations Multi-signer DNSSEC inherits the security considerations of [RFC7477], [RFC8078] and [RFC8901]. Wisser, et al. Expires 14 December 2026 [Page 10] Internet-Draft DNSSEC automation June 2026 Every step of the multi-signer algorithms has to be carefully executed at the right time. Failures could result in the loss of resolution for the domain. Independent of the chosen model, it is crucial that only authorized entities are able to change the zone data. Some providers or software installations allow finer-grained configuration of which changes are permitted. Access to modify zone data should be restricted as much as possible. Multi-signer configurations can strengthen DNS security by avoiding a DNS zone "going insecure" during a DNS operator transition. A steady state multi-signer configuration can also greatly strengthen availability by having multiple distinct DNS providers cooperatively serving the same signed zone. A catastrophic failure of any single provider then cannot take down the zone. 9. Implementation Status The Swedish Internet Foundation has implemented a centralized controller that supports updates via Dynamic DNS or the REST APIs of several vendors. The code can be found as part of the multi-signer project on GitHub https://github.com/DNSSEC-Provisioning/multi-signer-controller 10. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC2136] Vixie, P., Ed., Thomson, S., Rekhter, Y., and J. Bound, "Dynamic Updates in the Domain Name System (DNS UPDATE)", RFC 2136, DOI 10.17487/RFC2136, April 1997, . [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, "Protocol Modifications for the DNS Security Extensions", RFC 4035, DOI 10.17487/RFC4035, March 2005, . [RFC6840] Weiler, S., Ed. and D. Blacka, Ed., "Clarifications and Implementation Notes for DNS Security (DNSSEC)", RFC 6840, DOI 10.17487/RFC6840, February 2013, . Wisser, et al. Expires 14 December 2026 [Page 11] Internet-Draft DNSSEC automation June 2026 [RFC7477] Hardaker, W., "Child-to-Parent Synchronization in DNS", RFC 7477, DOI 10.17487/RFC7477, March 2015, . [RFC8078] Gudmundsson, O. and P. Wouters, "Managing DS Records from the Parent via CDS/CDNSKEY", RFC 8078, DOI 10.17487/RFC8078, March 2017, . [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, . [RFC8499] Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS Terminology", RFC 8499, DOI 10.17487/RFC8499, January 2019, . 11. Informative References [MULTI-ALG-RULES] Huque, S., Thomassen, P., Dukhovni, V., Wessels, D., and C. Elmerot, "Multiple Algorithm Rules in DNSSEC", . [RFC6698] Hoffman, P. and J. Schlyter, "The DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS) Protocol: TLSA", RFC 6698, DOI 10.17487/RFC6698, August 2012, . [RFC8901] Huque, S., Aras, P., Dickinson, J., Vcelak, J., and D. Blacka, "Multi-Signer DNSSEC Models", RFC 8901, DOI 10.17487/RFC8901, September 2020, . [RFC9859] Stenstam, J., Thomassen, P., and J. Levine, "Generalized DNS Notifications", RFC 9859, DOI 10.17487/RFC9859, September 2025, . Appendix A. Acknowledgements The authors would like to thank the following for their review of this work and their valuable comments: Steve Crocker, Eric Osterweil, Roger Murray, Jonas Andersson, Peter Thomassen. Authors' Addresses Wisser, et al. Expires 14 December 2026 [Page 12] Internet-Draft DNSSEC automation June 2026 Ulrich Wisser ICANN Email: ulrich@wisser.se Shumon Huque Salesforce Email: shuque@gmail.com Johan Stenstam The Swedish Internet Foundation Email: johan.stenstam@internetstiftelsen.se Wisser, et al. Expires 14 December 2026 [Page 13]