2. Requirements

In order to implement the mechanism described in this document:

  • The system MUST be able to validate every signed record in a zone with DNSSEC [RFC4033].

  • The system MUST have an up-to-date copy of the public part of the Key Signing Key (KSK) [RFC4033] used to sign the DNS root.

  • The system MUST be able to retrieve a copy of the entire root zone (including all DNSSEC-related records).

  • The system MUST be able to run an authoritative service for the root zone on the same host.

A corollary of the above list is that authoritative data in the root zone used on the local authoritative server MUST be identical to the same data in the root zone for the DNS. It is possible to change the unsigned data (the glue records) in the copy of the root zone, but such changes could cause problems for the recursive server that accesses the local root zone, and therefore any changes to the glue records SHOULD NOT be made.
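The corollary above can be checked mechanically. The following is an added example, not part of this document: it compares a local root zone copy against a reference copy and separates differences in signed data (violations) from differences in unsigned data such as glue (warnings). The function names, the simplified one-record-per-line input format, the rule "an RRset is signed if an RRSIG covers it", and all sample records are assumptions constructed for illustration.

```python
from collections import defaultdict

def parse_zone(text):
    """Parse simplified zone text: 'owner TTL class type rdata', one record per line."""
    rrsets = defaultdict(set)  # (owner, type) -> set of rdata strings
    signed = set()             # (owner, covered type) pairs that carry an RRSIG
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        owner, _ttl, _cls, rtype, rdata = line.split(None, 4)
        owner, rtype = owner.lower(), rtype.upper()
        if rtype == "RRSIG":
            signed.add((owner, rdata.split()[0].upper()))  # first field: type covered
        rrsets[(owner, rtype)].add(rdata)
    return rrsets, signed

def compare_root_copies(reference, local):
    """Return (violations, warnings) as sorted lists of (owner, type) that differ."""
    ref_sets, ref_signed = parse_zone(reference)
    loc_sets, loc_signed = parse_zone(local)
    violations, warnings = [], []
    for key in sorted(set(ref_sets) | set(loc_sets)):
        if ref_sets.get(key) == loc_sets.get(key):
            continue
        # Signed RRsets and the signatures themselves MUST be identical.
        if key[1] == "RRSIG" or key in ref_signed or key in loc_signed:
            violations.append(key)
        else:
            # Unsigned data (e.g. glue): changing it SHOULD NOT be done.
            warnings.append(key)
    return violations, warnings

# Constructed sample records; names, digests and signatures are placeholders.
REFERENCE = """
. 86400 IN SOA a.example. admin.example. 2024010100 1800 900 604800 86400
. 86400 IN RRSIG SOA 8 0 86400 20240114050000 20240101040000 12345 . c2lnMQ==
example. 172800 IN NS ns1.example.
example. 86400 IN DS 12345 8 2 00112233445566778899aabbccddeeff
example. 86400 IN RRSIG DS 8 1 86400 20240114050000 20240101040000 12345 . c2lnMg==
ns1.example. 172800 IN A 192.0.2.1
"""
# Local copy with a modified DS digest (signed data) and modified glue (unsigned data).
LOCAL = REFERENCE.replace("00112233445566778899aabbccddeeff",
                          "ffeeddccbbaa99887766554433221100").replace("192.0.2.1", "192.0.2.99")

if __name__ == "__main__":
    violations, warnings = compare_root_copies(REFERENCE, LOCAL)
    print("MUST-level differences:", violations)
    print("SHOULD NOT-level differences:", warnings)
```

This textual comparison does not verify any signature; it complements, and does not replace, the DNSSEC validation required by the first item in the list above.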