1. Introduction

   The DNS Security Extensions (DNSSEC) are a collection of new resource
   records and protocol modifications that add data origin
   authentication and data integrity to the DNS.  This document defines
   the DNSSEC protocol modifications.  Section 2 of this document
   defines the concept of a signed zone and lists the requirements for
   zone signing.  Section 3 describes the modifications to authoritative
   name server behavior necessary for handling signed zones.  Section 4
   describes the behavior of entities that include security-aware
   resolver functions.  Finally, Section 5 defines how to use DNSSEC RRs
   to authenticate a response.

1.1. Background and Related Documents

   This document is part of a family of documents defining DNSSEC that
   should be read together as a set.

   [RFC4033] contains an introduction to DNSSEC and definitions of
   common terms; the reader is assumed to be familiar with this
   document.  [RFC4033] also contains a list of other documents updated
   by and obsoleted by this document set.

   [RFC4034] defines the DNSSEC resource records.

   The reader is also assumed to be familiar with the basic DNS concepts
   described in [RFC1034], [RFC1035], and the subsequent documents that
   update them; particularly, [RFC2181] and [RFC2308].

   This document defines the DNSSEC protocol operations.

1.2. Reserved Words

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].