Internet-Draft DNSSEC NOTIFY May 2023
Levine Expires 30 November 2023 [Page]
Network Working Group
1996 (if approved)
Intended Status:
Standards Track
J. Levine
Standcore LLC

NOTIFY for DNSSEC updates


This document specifes a new usage of DNS NOTIFY to install and update DNSSEC key information.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 30 November 2023.

Table of Contents

1. Introduction

[RFC1996] defines the NOTIFY opcode for DNS and its use to alert secondary name servers that the contents of a zone has changed.

[RFC7344] specifies the method to pass DNSSEC key changes from child to parent zones using CDS and CDNSKEY records. [RFC8078] describes a method to pass initial DNSSEC key records from child to parent using CDS and CDNSKEY records, while [I-D.ietf-dnsop-dnssec-bootstrapping] describes a more secure alternative.

All three of these methods currently depend on a parent zone periodically scanning child zones to check for updates, which limits the speed of DNSSEC updates and potentially puts a large load on parent zones with many child zones. A new usage of DNS NOTIFY allows a child zone to tell the parent zone that DNSSEC key information has changed, so the parent can promptly scan the child zone and perform updates.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

2. NOTIFY usage for key updates

In Section 2 of [RFC1996], the server sending the NOTIFY queries is called the Master and the one receiving and answering them is called the Slave. In this application, a server for a child zone sends the queries, and a server for the parent zone receives and answers them.

The format of a NOTIFY query and answer is unchanged from that in Section 3 of [RFC1996]. The QTYPE of the request MUST be CDS or CDNSKEY, to indicate that CDS or CDNSKEY records in the child zone have been added or updated. The answer section SHOULD contain copies of the new CDS or CDNSKEY records, which the parent can use to disregard duplicate requests, as in Section 3.7 of [RFC1996].

When the parent receives a non-duplicate request, if it already has DNSSEC key records for the child zone, it scans for updates as in [RFC7344]. If it does not, it uses the process from [RFC8078] or [I-D.ietf-dnsop-dnssec-bootstrapping] to possibly install new key records.

A parent MUST ignore DNSSEC NOTIFY messages that are not for zones that are immediate children of the parent, other than optionally logging an error message.

In some cases a zone may have multiple signers. The multiple signers have to coordinate CDS and CDNSKEY updates as described in Section 8 of [RFC8901] and it is up to them to coordinate which of them sends NOTIFY queries, or whether they both can do so.

3. Identifying the parent to notify

In some cases, NOTIFY messages are sent to one of the DNS servers for the parent zone, but in other cases they may be sent to a different host that manages the parent zone, analogous to Stealth servers in Section 2.1 of [RFC1996].

This specification does not describe how to select or find the correct target of the NOTIFY.

4. Security considerations

The NOTIFY messages are only a hint to do a scan that the parent would eventually have done anyway, so they introduce no new DNSSEC security issues.

Large numbers of NOTIFY messages could cause a denial of service attack, just like any other unwanted traffic. Child servers MUST limit the number of NOTIFY queries they send and parents MUST limit the number of answers they send to avoid direct or reflection DoS attacks.

5. Normative References

Vixie, P., "A Mechanism for Prompt Notification of Zone Changes (DNS NOTIFY)", RFC 1996, DOI 10.17487/RFC1996, , <>.
Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, , <>.
Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, , <>.

6. Informative References

Thomassen, P. and N. Wisiol, "Automatic DNSSEC Bootstrapping using Authenticated Signals from the Zone's Operator", Work in Progress, Internet-Draft, draft-ietf-dnsop-dnssec-bootstrapping-04, , <>.
Kumari, W., Gudmundsson, O., and G. Barwood, "Automating DNSSEC Delegation Trust Maintenance", RFC 7344, DOI 10.17487/RFC7344, , <>.
Gudmundsson, O. and P. Wouters, "Managing DS Records from the Parent via CDS/CDNSKEY", RFC 8078, DOI 10.17487/RFC8078, , <>.
Huque, S., Aras, P., Dickinson, J., Vcelak, J., and D. Blacka, "Multi-Signer DNSSEC Models", RFC 8901, DOI 10.17487/RFC8901, , <>.

Author's Address

John Levine
Standcore LLC