<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc SYSTEM "rfc2629-xhtml.ent">
<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
<?rfc strict="yes" ?>
<?rfc toc="yes"?>
<?rfc tocdepth="4"?>
<?rfc symrefs="yes"?>
<?rfc sortrefs="yes" ?>
<?rfc compact="yes" ?>
<?rfc subcompact="yes"?>
<?rfc comments="yes" ?>
<?rfc inline="yes" ?>
<rfc
  xmlns:xi="http://www.w3.org/2001/XInclude"
  category="std"
  docName="draft-ietf-dnsop-dnssec-automation-05"
  ipr="trust200902"
  obsoletes=""
  updates=""
  submissionType="IETF"
  xml:lang="en"
  tocInclude="true"
  tocDepth="4"
  symRefs="true"
  sortRefs="true"
  version="3">

  <!-- ***** FRONT MATTER ***** -->

  <front>
    <title abbrev="DNSSEC automation">DNSSEC automation</title>

    <author fullname="Ulrich Wisser" initials="U" surname="Wisser">
      <organization>ICANN</organization>
      <address>
        <email>ulrich@wisser.se</email>
      </address>
    </author>

    <author fullname="Shumon Huque" initials="S" surname="Huque">
      <organization>Salesforce</organization>
      <address>
        <email>shuque@gmail.com</email>
      </address>
    </author>

    <author fullname="Johan Stenstam" initials="J" surname="Stenstam">
      <organization>The Swedish Internet Foundation</organization>
      <address>
        <email>johan.stenstam@internetstiftelsen.se</email>
      </address>
    </author>

    <date day="5" month="7" year="2026"/>

    <area>Operations and Management Area</area>
    <workgroup>Domain Name System Operations (dnsop)</workgroup>

    <keyword>DNS</keyword>
    <keyword>DNSSEC</keyword>
    <keyword>Multi-Signer</keyword>
    <keyword>Automation</keyword>

    <abstract>
      <t>
        This document describes an algorithm and protocol to
        automate the setup, operations, and decommissioning of
        <xref target="RFC8901">Multi-Signer DNSSEC</xref>
        configurations. To accomplish this, it employs Model 2 of
        the multi-signer specification (where each operator has
        their own distinct KSK and ZSK sets, or CSK sets), management
        of DS records from the parent via
        <xref target="RFC8078">CDS/CDNSKEY</xref>, and
        <xref target="RFC7477">Child-to-Parent Synchronization in
        DNS</xref>.
      </t>
    </abstract>

    <note removeInRFC="true">
    <name>Discussion Venues</name>
    <t>
      Source for this draft and an issue tracker can be found at
      <eref target="https://github.com/ietf-wg-dnsop/draft-ietf-dnsop-dnssec-automation"/>.
    </t>
    </note>

  </front>
  <middle>
    <section numbered="true" toc="default">
      <name>Introduction</name>
      <t>
        <xref target="RFC8901" /> describes the necessary steps and API for a
        multi-signer DNSSEC configuration. In this document we will combine
        Model 2 of <xref target="RFC8901" /> with <xref target="RFC8078" /> and
        <xref target="RFC7477" /> to define an automatable algorithm for
        setting up, operating, and decommissioning a multi-signer
        DNSSEC configuration. Besides steady state multi-signer operation, one
        of the special use cases of this protocol is to enable non-disruptive
        migration of a signed DNS zone from one provider to another, which
        employs a transitory state of a multi-signer configuration.
      </t>
      <section numbered="true" toc="default">
        <name>Out-Of-Scope</name>
        <t>
          In order for any multi-signer group to give consistent answers
          across all nameservers, the data contents of the zone also have to
          be synchronized (in addition to infrastructure records like NS,
          DNSKEY, CDS etc). This content synchronization is out-of-scope
          for this document.
        </t>
      </section>
    </section>
    <section numbered="true" toc="default">
      <name>Terminology</name>
      <t>
        The key words "<strong>MUST</strong>", "<strong>MUST NOT</strong>",
        "<strong>REQUIRED</strong>", "<strong>SHALL</strong>", "<strong>SHALL NOT</strong>",
        "<strong>SHOULD</strong>", "<strong>SHOULD NOT</strong>",
        "<strong>RECOMMENDED</strong>", "<strong>MAY</strong>", and
        "<strong>OPTIONAL</strong>" in this document are to be interpreted as
        described in BCP 14 <xref target="RFC2119" /> <xref target="RFC8174" /> when,
        and only when, they appear in all capitals, as shown here.
      </t>
      <t><strong>KSK</strong></t>
      <t>Key Signing Key: a DNSSEC key used to sign the DNSKEY RRset.</t>
      <t><strong>ZSK</strong></t>
      <t>Zone Signing Key: a DNSSEC key used to sign the other RRsets in a zone.</t>
      <t><strong>CSK</strong></t>
      <t>Combined Signing Key: a single key serving both the KSK and ZSK roles.</t>
      <t><strong>DNSKEY</strong></t>
      <t>The DNS public key record (<xref target="RFC4034" />).</t>
      <t><strong>DS</strong></t>
      <t>The Delegation Signer record published by the parent (<xref target="RFC4034" />).</t>
      <t><strong>CDS/CDNSKEY</strong></t>
      <t>Child-published records signaling the desired DS state to the parent (<xref target="RFC7344" />, <xref target="RFC8078" />).</t>
      <t><strong>CSYNC</strong></t>
      <t>The Child-to-Parent Synchronization record (<xref target="RFC7477" />).</t>
      <t><strong>Signer</strong></t>
      <t>An entity signing a zone</t>
      <t><strong>Multi-signer Group</strong></t>
      <t>A group of signers that sign the same zone</t>
      <t><strong>Controller</strong></t>
      <t>
        An entity controlling the multi-signer group. Used in
        the centralized model.
      </t>
      <t><strong>Parent</strong></t>
      <t>See <xref target="RFC8499" /></t>
      <t><strong>Trust mechanism</strong></t>
      <t>
        An authenticated channel used to apply control-plane changes
        (DNSKEY, CDS/CDNSKEY, CSYNC, NS) on each signer, possibly
        mediated by the zone owner or a controller. The detailed
        mechanism is out of scope for this document.
      </t>
      <t><strong>DS-Wait-Time</strong></t>
      <t>
        Once the parent has picked up and published the new DS record
        set, any further changes MUST be delayed until the
        new DS set has propagated.
      </t>
      <t>
        The minimum DS-Wait-Time is the TTL of the DS RRset.
      </t>
      <t><strong>DNSKEY-Wait-Time</strong></t>
      <t>
        Once the DNSKEY sets of all signers are updated, any further changes
        MUST be delayed until the new DNSKEY set has propagated.
      </t>
      <t>
        The minimum DNSKEY-Wait-Time is the maximum of all DNSKEY TTL
        values from all signers plus the time it takes to publish the zone on
        all secondaries.
      </t>
      <t><strong>NS-Wait-Time</strong></t>
      <t>
        Once the parent has picked up and published the new NS record set,
        any further changes MUST be delayed until the new NS set has
        propagated.
      </t>
      <t>
        The minimum NS-Wait-Time is the maximum of the TTL value of the
        NS set in the parent zone and all NS sets from all signers.
      </t>
      <t><strong>RRSIG-Wait-Time</strong></t>
      <t>
        Once a signer stops signing zone data with a key, that key MUST
        remain published in the DNSKEY RRsets of all signers until the
        signatures it generated have expired from resolver caches. Only
        then can the key be removed.
      </t>
      <t>
        The minimum RRSIG-Wait-Time is the time it takes to publish the
        zone on all secondaries plus the maximum TTL of any zone data
        signed by that key.
      </t>
    </section>
    <section numbered="true" toc="default">
      <name>Use Cases</name>
      <t>
        In this document we describe, except for the initial trust, how
        the steps in the multi-signer DNSSEC setup can be automated.
      </t>
      <t>
        The following two use cases are in the scope of this document.
      </t>
      <section numbered="true" toc="default">
        <name>Permanent Multi-Signer Operation</name>
        <t>
          This is the typical use case described in <xref target="RFC8901"/>,
          where multiple DNS providers are used to cooperatively serve a DNS
          zone, each signing independently with their own keys, in a steady
          state configuration to increase availability.
        </t>
      </section>
      <section numbered="true" toc="default">
        <name>Secure DNS Operator Transition</name>
        <t>
          Changing the nameserver operator of a DNSSEC signed zone can be
          challenging. Currently the most common method is temporarily
          "going insecure". This is poor for security, and for users
          relying on the security of the zone. Furthermore, when DNSSEC
          is being used for application security functions like DANE
          <xref target="RFC6698" />, it is critical that the DNSSEC chain
          of trust remain unbroken during the transfer.
        </t>
        <t>
          Multi-signer DNSSEC Model 2 provides a mechanism for transitioning
          from one nameserver operator to another without "going insecure".
          A new operator joins the current operator in a temporary
          multi-signer group. Once that is accomplished and stable, the old
          operator leaves the multi-signer group, completing the transition.
        </t>
      </section>
    </section>
    <section anchor="automation" numbered="true" toc="default">
      <name>Automation Models</name>
      <t>
        Automation of the necessary steps
        can be categorized into two main models, centralized and decentralized.
        Both have pros and cons, and a zone owner should carefully choose
        the model that works best.
      </t>
      <section anchor="centralized" numbered="true" toc="default">
        <name>Centralized</name>
        <t>
          In a centralized model a controller executes all steps necessary
          and controls all signers.
        </t>
        <t>
          The controller needs to have authorized access to all signers.
          This can be achieved in a variety of different ways. For example, many
          service providers offer access through a REST API. Another possibility
          is access through Dynamic Update <xref target="RFC2136" /> with TSIG authentication.
        </t>
      </section>
      <section anchor="decentralized" numbered="true" toc="default">
        <name>Decentralized</name>
        <t>
          In the decentralized model all signers communicate with
          each other and execute the necessary steps on their own
          instance. For this, signers need a specialized protocol to
          communicate configuration details that are not part of
          the zone data.
        </t>
      </section>
      <section anchor="capabilities" numbered="true" toc="default">
        <name>Capabilities</name>
        <t>
          In order for any of the models to work, the signer must
          support the following capabilities.
        </t>
        <ol>
          <li>Add DNSKEY records (without the private key)</li>
          <li>Remove (previously added) DNSKEY record(s)</li>
          <li>Add CDS and CDNSKEY records for keys not in the DNSKEY set</li>
          <li>Remove (previously added) CDS and CDNSKEY records</li>
          <li>Add CSYNC record</li>
          <li>Remove CSYNC record</li>
        </ol>
      </section>

    </section>
    <section anchor="algo" numbered="true" toc="default">
      <name>Algorithms</name>
      <t>
        In a centralized model it is the controller's task to compute all waiting times and
        control the zone in a way that all timing restrictions are met.
      </t>
      <t>
        In the decentralized model every signer must compute all waiting times and adhere to
        all timing restrictions.
      </t>
      <t>
        In both methods, some of the timing restrictions must be specified
        as part of the configuration data.
      </t>
      <section numbered="true" toc="default">
        <name>Prerequisites</name>
        <t>Each signer to be added, including the initial signer, must
          meet the following prerequisites before joining the multi-signer
          group:
        </t>
        <ol>
          <li>
            A working setup of the zone, including DNSSEC signing.
          </li>
          <li>
            Uses the same algorithms for DNSSEC signing as the multi-signer
            group uses or will use.
          </li>
          <li>
            Signer or controller must be able to differentiate between its own keys and
            keys from other signers.
          </li>
          <li>
            Signer or controller must be able to differentiate between NS records that
            are updated by itself and NS
            records that receive updates from other signers.
          </li>
          <li>
            Typically automated updates to the DS and NS records in the
            parent zone require the parent zone to employ scanning of the
            CDS/CDNSKEY/CSYNC records in its child zones. Alternatively, the
            use of the <xref target="RFC9859">Generalized NOTIFY</xref>
            mechanism could be employed. If neither of these options is
            available, updates to the parent zone need to be made manually.
          </li>
        </ol>
      </section>
      <section numbered="true" toc="default">
        <name>Setting up a new multi-signer group</name>
        <t>
          The zone is already authoritatively served by one DNS operator and is DNSSEC signed.
          For full automation, both the KSK and ZSK (or CSK) must be online.
        </t>
        <t>
          This can be viewed as an initial state where the multi-signer group has only one signer.
          The group is then grown to its intended size by applying the
          procedure in <xref target="join" /> to add each additional signer.
        </t>
      </section>
      <section anchor="join" numbered="true" toc="default">
        <name>A signer joins the multi-signer group</name>
        <ol spacing="normal">
          <li>
            Confirm that the incoming signer meets the prerequisites.
          </li>
          <li>
            Establish a trust mechanism between the multi-signer group
            and the signer.
          </li>
          <li>
            Add the zone-data-signing key (ZSK, or CSK) of each signer to
            the DNSKEY RRsets of all the other signers.
          </li>
          <li>
            Calculate CDS/CDNSKEY Records for all KSKs/CSKs represented
            in the multi-signer group.
          </li>
          <li>
            Configure all signers with the compiled CDS/CDNSKEY RRset.
          </li>
          <li>
            Wait for Parent to publish the combined DS RRset, based on observation of the CDS/CDNSKEY RRsets.
          </li>
          <li>
            Remove CDS/CDNSKEY Records from all signers. (optional)
          </li>
          <li>
            Wait for the maximum of DS-Wait-Time and DNSKEY-Wait-Time.
          </li>
          <li>
            Compile NS RRset including all NS records from all
            signers.
          </li>
          <li>
            Configure all signers with the compiled NS RRset.
          </li>
          <li>
            Compare NS RRset of the signers to the Parent. If there is a
            difference, publish a CSYNC record with the NS bit set on all
            signers. The A and AAAA bits are also set if any of the
            nameservers are in-domain and thus require glue address records
            at the Parent.
          </li>
          <li>
            Wait for Parent to publish updates to the delegating NS RRset based on observation of the CSYNC RRsets.
          </li>
          <li>
            Remove CSYNC record from all signers. (optional)
          </li>
        </ol>
      </section>
      <section numbered="true" toc="default">
        <name>A signer leaves the multi-signer group</name>
        <ol spacing="normal">
          <li>
            Remove exiting signer's NS records from remaining signers
          </li>
          <li>
            Compare NS RRset of the signers to the Parent. If there
            is a difference, publish a CSYNC record with the NS bit set on
            the remaining signers. The A and AAAA bits are also set if any
            of the nameservers are in-domain and thus require glue address
            records at the Parent.
          </li>
          <li>
            Wait for Parent to publish NS RRset.
          </li>
          <li>
            Remove CSYNC record from all signers. (optional)
          </li>
          <li>
            Wait for NS-Wait-Time.
          </li>
          <li>
            Stop the exiting signer from answering queries.
          </li>
          <li>
            Calculate CDS/CDNSKEY Records for KSKs/CSKs published by
            the remaining signers.
          </li>
          <li>
            Configure remaining signers with the compiled
            CDS/CDNSKEY RRset.
          </li>
          <li>
            Wait for RRSIG-Wait-Time, measured from when the exiting signer
            stopped answering queries, so that any zone data it signed has
            expired from resolver caches.
          </li>
          <li>
            Remove ZSK/CSK of the exiting signer from remaining signers.
          </li>
          <li>
            Wait for Parent to publish the updated DS RRset.
          </li>
          <li>
            Remove CDS/CDNSKEY set from all signers. (Optional)
          </li>
        </ol>
      </section>
      <section>
        <name>A signer performs a ZSK rollover</name>
        <ol>
          <li>
            The signer introduces the new ZSK in its own DNSKEY RRset.
          </li>
          <li>
            Update all signers with the new ZSK.
          </li>
          <li>
            Wait for DNSKEY-Wait-Time.
          </li>
          <li>
            Signer can start using the new ZSK, and stops signing with the
            old ZSK.
          </li>
          <li>
            Wait for RRSIG-Wait-Time, so that data signed with the old ZSK
            has expired from resolver caches. The old ZSK MUST remain
            published in the DNSKEY RRsets of all signers until then.
          </li>
          <li>
            Remove the old ZSK from the signer's own DNSKEY RRset, and from
            the DNSKEY RRsets of all other signers.
          </li>
        </ol>
      </section>
      <section>
        <name>A signer performs a CSK or KSK rollover</name>
        <ol>
          <li>
            Signer publishes new CSK / KSK in its own DNSKEY RRset.
          </li>
          <li>
            In the case of a CSK, add CSK to DNSKEY set of all other signers.
          </li>
          <li>
            Signer signs DNSKEY RRset with old and new CSK / KSK.
          </li>
          <li>
            Calculate new CDS/CDNSKEY RRset and publish on all signers.
          </li>
          <li>
            Wait for Parent to pick up and publish the new DS RRset.
          </li>
          <li>
            Wait for DS-Wait-Time + DNSKEY-Wait-Time.
          </li>
          <li>
            In the case of a CSK, additionally wait for RRSIG-Wait-Time, so
            that zone data signed with the old CSK has expired from resolver
            caches. (This is not required for a KSK-only rollover, since a
            KSK signs only the DNSKEY RRset, which is covered by
            DNSKEY-Wait-Time.)
          </li>
          <li>
            Signer removes old CSK/KSK from its DNSKEY RRset, and removes all
            signatures made with this key.
          </li>
          <li>
            In the case of a CSK, remove old CSK from DNSKEY set of all other signers.
          </li>
          <li>
            Calculate new CDS/CDNSKEY RRset and publish on all signers.
          </li>
          <li>
            Wait for Parent to pick up and publish the new DS RRset.
          </li>
          <li>
            Remove CDS/CDNSKEY RRsets from all signers.
          </li>
        </ol>
      </section>
      <section>
        <name>Algorithm rollover for the whole multi-signer group</name>
        <ol>
          <li>All signers publish KSK and ZSK or CSK using the new algorithm.</li>
          <li>
            All signers sign all zone data with the new keys, while retaining
            the signatures made with the old-algorithm keys, so that the zone
            data is signed with both algorithms throughout the rollover (as
            required by <xref target="RFC4035" section="2.2"/>).
          </li>
          <li>Wait until all signers have signed all data with the new key(s).</li>
          <li>
            Add new ZSK of each signer to all other signers.
          </li>
          <li>
            Calculate new CDS/CDNSKEY RRset and publish on all signers.
          </li>
          <li>
            Wait for Parent to pick up and publish the new DS RRset.
          </li>
          <li>
            Wait for DS-Wait-Time + DNSKEY-Wait-Time.
          </li>
          <li>
            Wait for RRSIG-Wait-Time, so that any data signed only with the
            old-algorithm keys has expired from resolver caches.
          </li>
          <li>
            Remove all keys and signatures that use the old algorithm.
          </li>
          <li>
            Calculate new CDS/CDNSKEY RRset and publish on all signers.
          </li>
          <li>
            Wait for Parent to pick up and publish the new DS RRset.
          </li>
          <li>
            Remove CDS/CDNSKEY RRsets from all signers.
          </li>
        </ol>
      </section>
    </section>
    <section>
      <name>Signers with different algorithms in a multi-signer group</name>
      <t>
        Only when all signers use the same algorithm(s) can all resolvers
        validate zone data with consistency.
      </t>
      <t>
        This section tries to summarize why that is the case and what trade-offs can be
        made in situations where using the same algorithm isn't possible.
      </t>
      <t>
        <xref target="RFC4035" section="2.2"/> requires that there be an
        RRSIG for each RRset using at least one DNSKEY of each algorithm in
        the zone apex DNSKEY RRset, and that the apex DNSKEY RRset itself be
        signed by each algorithm appearing in the DS RRset at the delegating
        parent. A setup where different signers use different key algorithms,
        each signing only with its own algorithm, therefore violates
        <xref target="RFC4035" />.
      </t>
      <t>
        According to <xref target="RFC6840" section="5.11" />
        validators SHOULD NOT insist that all algorithms signaled in the
        DS RRset work, and they MUST NOT insist that all algorithms signaled
        in the DNSKEY RRset work.
      </t>
      <t>
        So a multi-signer setup where different signers use different key
        algorithms should still validate.
      </t>
      <t>
        This could be an acceptable risk in situations where going insecure
        is undesirable or impossible, and nameservers must be changed
        between operators that only support disjoint sets of key algorithms.
      </t>
      <t>
        We have to consider the following scenarios:
      </t>
      <t><strong>Validator supports both algorithms</strong></t>
      <t>
        Validation should be stable through all stages of the multi-signer
        algorithms.
      </t>
      <t><strong>Validator supports none of the algorithms</strong></t>
      <t>
        The validator will treat the zone as unsigned. Resolution should
        work through all stages of the multi-signer algorithms.
      </t>
      <t><strong>Validator supports only one of the algorithms</strong></t>
      <t>
        The validator will not be able to validate the DNSKEY RRset or
        any data from one of the signers, and will typically retry other
        nameservers for the zone until it can find another signer that it
        does recognize, or return a SERVFAIL response code otherwise.
      </t>
      <t>
        The latter scenario can be mitigated by selecting only well-supported
        algorithms. <xref target="MULTI-ALG-RULES" /> proposes to formally define
        such "universal" algorithms and sanction such configurations.
      </t>
    </section>
    <section anchor="operational" numbered="true" toc="default">
      <name>Operational Considerations</name>
      <t>
        Full automation of the procedures described in this document depends
        on all of the relevant parties -- the signers, the zone owner or
        controller, and the Parent -- supporting the protocol mechanisms
        these procedures rely on. Several of these mechanisms are not yet
        universally implemented or deployed. On the Parent side, automated
        management of DS records requires the Parent to perform CDS/CDNSKEY
        scanning (or to accept
        <xref target="RFC9859">Generalized NOTIFY</xref> signaling), and
        automated updates of the delegation's NS records require CSYNC
        scanning; neither is offered by every registry or registrar today.
        On the signer side, not all DNS providers support the ability to
        import and publish the DNSKEY and CDS/CDNSKEY records of the other
        signers in the group, as required by the capabilities in
        <xref target="capabilities" />. Where a required mechanism is
        unavailable, the corresponding step must be performed by other
        means, typically a manual update, until support becomes available.
        A multi-signer group can still operate in such an environment, but
        with manual steps interposed where automation is not yet possible.
      </t>
      <t>
        Several steps require waiting for the Parent to publish updated DS
        or NS RRsets in response to CDS/CDNSKEY or CSYNC records (or
        Generalized NOTIFY signaling). The
        timing of this publication is controlled by the Parent, not by the
        multi-signer group, and depends on the Parent's scanning cadence or
        notification handling. The Parent MAY also decline to act, for
        example if the CDS/CDNSKEY records do not satisfy the Parent's
        acceptance policy (see <xref target="RFC8078" />). Implementations
        MUST NOT proceed to subsequent steps until the expected DS or NS
        RRset change is observed at the Parent, and SHOULD bound each such
        wait with a timeout after which the operation is flagged for
        operator attention rather than continuing. A premature transition
        to a later step, particularly one that removes a key or signature,
        while the Parent still publishes the old delegation can break the
        chain of trust and cause resolution failures.
      </t>
    </section>
    <section anchor="IANA" numbered="true" toc="default">
      <name>IANA Considerations</name>
      <t>This document has no IANA actions.</t>
    </section>
    <section anchor="Security" numbered="true" toc="default">
      <name>Security Considerations</name>
      <t>
        Multi-signer DNSSEC inherits the security considerations of <xref target="RFC7477" />, <xref target="RFC8078" /> and <xref target="RFC8901"/>.
      </t>
      <t>
        Every step of the multi-signer algorithms has to be carefully executed at the right time.
        Failures could result in the loss of resolution for the domain.
      </t>
      <t>
        Independent of the chosen model, it is crucial that only authorized entities
        are able to change the zone data. Some providers or software installations allow
        finer-grained configuration of which changes are permitted. Access to modify
        zone data should be restricted as much as possible.
      </t>
      <t>
        Multi-signer configurations can strengthen DNS security
        by avoiding a DNS zone "going insecure" during a DNS operator transition. A steady state multi-signer configuration can also greatly strengthen availability by having multiple distinct DNS providers cooperatively serving the same signed zone. A catastrophic failure of any single provider then cannot take down the zone.
      </t>
    </section>
    <section anchor="implementation" numbered="true" toc="default">
      <name>Implementation Status</name>
      <t>
        The Swedish Internet Foundation has implemented a centralized
        controller that supports updates via Dynamic DNS or the REST APIs
        of several vendors.
      </t>
      <t>
        The code can be found as part of the multi-signer project on GitHub
        <eref target="https://github.com/DNSSEC-Provisioning/multi-signer-controller" />
      </t>
    </section>
  </middle>
  <back>
    <references title="Normative References">
      <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"/>
      <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4034.xml"/>
      <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4035.xml"/>
      <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.6840.xml"/>
      <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7344.xml"/>
      <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7477.xml"/>
      <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8078.xml"/>
      <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"/>
      <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8499.xml"/>
    </references>
    <references title="Informative References">
      <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2136.xml"/>
      <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.6698.xml"/>
      <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8901.xml"/>
      <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.9859.xml"/>
      <reference anchor="MULTI-ALG-RULES"
                 target="https://datatracker.ietf.org/doc/html/draft-huque-dnsop-multi-alg-rules">
        <front>
          <title>Multiple Algorithm Rules in DNSSEC</title>
          <author fullname="Shumon Huque" initials="S" surname="Huque" />
          <author fullname="Peter Thomassen" initials="P" surname="Thomassen" />
          <author fullname="Viktor Dukhovni" initials="V" surname="Dukhovni" />
          <author fullname="Duane Wessels" initials="D" surname="Wessels" />
          <author fullname="Christian Elmerot" initials="C" surname="Elmerot" />
          <date />
        </front>
      </reference>
    </references>

    <section anchor="Acknowledgements" numbered="true" toc="default">
      <name>Acknowledgements</name>
      <t>
        The authors would like to thank the following for their review of
        this work and their valuable comments: Steve Crocker, Eric Osterweil,
        Roger Murray, Jonas Andersson, Peter Thomassen.
      </t>
    </section>

  </back>
</rfc>
