Document ID: ripe-359
Date: October 2005
The RIPE NCC is committed to supporting the deployment of DNS Security
Extensions (DNSSEC) [1,2,3].
DNSSEC is a set of security extensions to the DNS that allows validating
DNS resolvers to establish 'chains of trust' from known public keys
to the data being validated. A full explanation of DNSSEC is outside
the scope of this document. For that information,
please see [1,2,3,4 and 5].
During the resolution process, DNSSEC-aware nameservers will provide
secure delegations. These consist of a regular delegation (the NS
record) to the nameservers that are authoritative for the child
zone, as well as a signed pointer (the DS record) to a key that
is authorised to sign the child zone. When the child and parent
zones have exchanged keys, we can provide a secure delegation.
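The following is an added example, not part of the original RIPE NCC document: it shows how the DS record in a parent zone binds to one DNSKEY of the child, using the DS digest and key tag calculations from RFC 4034 [2]. The reverse zone name, the key bytes and the use of digest type 2 (SHA-256, defined in RFC 4509, which this document does not cite) are assumptions made for illustration.

```python
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA layout: flags (16 bits), protocol, algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata: bytes) -> int:
    """Key tag checksum over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner: str, rdata: bytes, digest_type: int = 2):
    """DS fields for a DNSKEY: (key tag, algorithm, digest type, digest).
    The digest covers the owner name in wire form followed by the DNSKEY RDATA."""
    hashers = {1: hashlib.sha1, 2: hashlib.sha256}
    digest = hashers[digest_type](name_to_wire(owner) + rdata).digest()
    return key_tag(rdata), rdata[3], digest_type, digest

def ds_matches(owner: str, rdata: bytes, ds) -> bool:
    """True if the DS record held by the parent points at this child DNSKEY."""
    if ds[2] not in (1, 2):
        return False  # unknown digest type: treat the delegation as not matching
    return make_ds(owner, rdata, ds[2]) == tuple(ds)

# Constructed sample data: a reverse zone in the 192.0.2.0/24 documentation
# range and placeholder key bytes (not a real RSA key).
ZONE = "2.0.192.in-addr.arpa."
CHILD_KSK = dnskey_rdata(257, 3, 8, b"\x01\x02\x03\x04")  # flags 257: zone key + SEP
ROGUE_KEY = dnskey_rdata(257, 3, 8, b"\x01\x02\x03\x05")  # differs in one byte
PARENT_DS = make_ds(ZONE, CHILD_KSK)  # what the parent would sign and publish

if __name__ == "__main__":
    print("key tag:", PARENT_DS[0], "digest:", PARENT_DS[3].hex())
    print("child KSK matches DS:", ds_matches(ZONE, CHILD_KSK, PARENT_DS))
    print("rogue key matches DS:", ds_matches(ZONE, ROGUE_KEY, PARENT_DS))
```

A validating resolver additionally checks the parent's signature over the DS record and the child's signature over its DNSKEY set; this example covers only the DS-to-DNSKEY binding.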
This document describes our policy for serving secured DNS data
and key exchange. It does not cover deployment of DNSSEC by Local
Internet Registries (LIRs) or others in our service region.
You should read this document alongside the Policy
for Reverse Address Delegation of IPv4 and IPv6 Address Space in
the RIPE NCC Service Region.
It is possible to secure delegations from the RIPE NCC under the
Policy for Reverse Address Delegation
of IPv4 and IPv6 Address Space in the RIPE NCC Service Region.
Our operational staff will deploy DNSSEC zone by zone. We will
only exchange keys when parent domains are being signed. This will
keep information current.
Key exchange between parent and child is based on the same authorisation
and authentication mechanisms as the exchange of nameserver delegation
We will sign any announcements about secured DNS, such as changes
in RIPE NCC procedures, with our PGP key. We will publish procedures
and announcements on our secure website (https://www.ripe.net/reverse/dnssec/)
and also post these to an announcement mailing list (firstname.lastname@example.org).
Key Procedure explains the procedure that we will follow
with our keys. You will need this document if you plan to configure
the RIPE NCC as a 'trust anchor' or if you receive a secure
delegation from us.
Procedure explains how you can get a secure delegation.
This policy and the related procedure are tailored towards the
operation of a secured Domain Name System. They are not in any way
tailored to the establishment of a certification authority similar
to CAs used for X.509 PKIs.
[1] DNS Security Introduction and Requirements,
Arends et al, RFC4033, http://www.ietf.org/rfc/rfc4033.txt
[2] Resource Records for the DNS Security
Extensions, Arends et al, RFC4034, http://www.ietf.org/rfc/rfc4034.txt
[3] Protocol Modifications for the DNS Security
Extensions, Arends et al, RFC4035, http://www.ietf.org/rfc/rfc4035.txt
[4] DNSSEC HOWTO, O.M. Kolkman, RIPE NCC,
[5] a DNSSEC information portal