[DNSOP] I-D Action: draft-ietf-dnsop-dnssec-bootstrapping-08.txt
Internet-Draft draft-ietf-dnsop-dnssec-bootstrapping-08.txt is now available. It is a work item of the Domain Name System Operations (DNSOP) WG of the IETF.

   Title:   Automatic DNSSEC Bootstrapping using Authenticated Signals from the Zone's Operator
   Authors: Peter Thomassen
            Nils Wisiol
   Name:    draft-ietf-dnsop-dnssec-bootstrapping-08.txt
   Pages:   17
   Dates:   2024-04-11

Abstract:

   This document introduces an in-band method for DNS operators to publish arbitrary information about the zones they are authoritative for, in an authenticated fashion and on a per-zone basis. The mechanism allows managed DNS operators to securely announce DNSSEC key parameters for zones under their management, including for zones that are not currently securely delegated.

   Whenever DS records are absent for a zone's delegation, this signal enables the parent's registry or registrar to cryptographically validate the CDS/CDNSKEY records found at the child's apex. The parent can then provision DS records for the delegation without resorting to out-of-band validation or weaker types of cross-checks such as "Accept after Delay".

   This document deprecates the DS enrollment methods described in Section 3 of RFC 8078 in favor of Section 4 of this document, and also updates RFC 7344.

   [ Ed note: This document is being collaborated on at https://github.com/desec-io/draft-ietf-dnsop-dnssec-bootstrapping/. The authors gratefully accept pull requests. ]

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-dnssec-bootstrapping/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-dnsop-dnssec-bootstrapping-08.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-dnssec-bootstrapping-08

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
[DNSOP] I-D Action: draft-ietf-dnsop-ns-revalidation-06.txt
Internet-Draft draft-ietf-dnsop-ns-revalidation-06.txt is now available. It is a work item of the Domain Name System Operations (DNSOP) WG of the IETF.

   Title:   Delegation Revalidation by DNS Resolvers
   Authors: Shumon Huque
            Paul Vixie
            Willem Toorop
   Name:    draft-ietf-dnsop-ns-revalidation-06.txt
   Pages:   10
   Dates:   2024-03-17

Abstract:

   This document recommends improved DNS [RFC1034] [RFC1035] resolver behavior with respect to the processing of Name Server (NS) resource record sets (RRset) during iterative resolution. When following a referral response from an authoritative server to a child zone, DNS resolvers should explicitly query the authoritative NS RRset at the apex of the child zone and cache this in preference to the NS RRset on the parent side of the zone cut. The (A and AAAA) address RRsets in the additional section from referral responses and authoritative NS answers for the names of the NS RRset should similarly be re-queried and used to replace the entries with the lower trustworthiness ranking in cache. Resolvers should also periodically revalidate the child delegation by re-querying the parent zone at the expiration of the TTL of the parent side NS RRset.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-ns-revalidation/

There is also an HTMLized version available at:
https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-ns-revalidation-06

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-ns-revalidation-06

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts
[DNSOP] I-D Action: draft-ietf-dnsop-compact-denial-of-existence-03.txt
Internet-Draft draft-ietf-dnsop-compact-denial-of-existence-03.txt is now available. It is a work item of the Domain Name System Operations (DNSOP) WG of the IETF.

   Title:   Compact Denial of Existence in DNSSEC
   Authors: Shumon Huque
            Christian Elmerot
            Olafur Gudmundsson
   Name:    draft-ietf-dnsop-compact-denial-of-existence-03.txt
   Pages:   12
   Dates:   2024-03-04

Abstract:

   This document describes a technique to generate a signed DNS response on demand for a non-existent name by claiming that the name exists but doesn't have any data for the queried record type. Such answers require only one minimal NSEC record, allow online signing servers to minimize signing operations and response sizes, and prevent zone content disclosure.

Discussion Venues

   This note is to be removed before publishing as an RFC.

   Source for this draft and an issue tracker can be found at https://github.com/shuque/id-dnssec-compact-lies.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-compact-denial-of-existence/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-dnsop-compact-denial-of-existence-03.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-compact-denial-of-existence-03

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts
[DNSOP] I-D Action: draft-ietf-dnsop-ns-revalidation-05.txt
Internet-Draft draft-ietf-dnsop-ns-revalidation-05.txt is now available. It is a work item of the Domain Name System Operations (DNSOP) WG of the IETF.

   Title:   Delegation Revalidation by DNS Resolvers
   Authors: Shumon Huque
            Paul Vixie
            Willem Toorop
   Name:    draft-ietf-dnsop-ns-revalidation-05.txt
   Pages:   9
   Dates:   2024-03-04

Abstract:

   This document recommends improved DNS [RFC1034] [RFC1035] resolver behavior with respect to the processing of Name Server (NS) resource record sets (RRset) during iterative resolution. When following a referral response from an authoritative server to a child zone, DNS resolvers should explicitly query the authoritative NS RRset at the apex of the child zone and cache this in preference to the NS RRset on the parent side of the zone cut. The (A and AAAA) address RRsets in the additional section from referral responses and authoritative NS answers for the names of the NS RRset should similarly be re-queried and used to replace the entries with the lower trustworthiness ranking in cache. Resolvers should also periodically revalidate the child delegation by re-querying the parent zone at the expiration of the TTL of the parent side NS RRset.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-ns-revalidation/

There is also an HTMLized version available at:
https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-ns-revalidation-05

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-ns-revalidation-05

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts
[DNSOP] I-D Action: draft-ietf-dnsop-qdcount-is-one-02.txt
Internet-Draft draft-ietf-dnsop-qdcount-is-one-02.txt is now available. It is a work item of the Domain Name System Operations (DNSOP) WG of the IETF.

   Title:   In the DNS, QDCOUNT is (usually) One
   Authors: Ray Bellis
            Joe Abley
   Name:    draft-ietf-dnsop-qdcount-is-one-02.txt
   Pages:   7
   Dates:   2024-03-04

Abstract:

   This document clarifies the allowable values of the QDCOUNT parameter in DNS messages with OPCODE = 0 (QUERY) and specifies the required behaviour when values that are not allowed are encountered.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-qdcount-is-one/

There is also an HTMLized version available at:
https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-qdcount-is-one-02

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-qdcount-is-one-02

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts
[DNSOP] I-D Action: draft-ietf-dnsop-rfc7958bis-01.txt
Internet-Draft draft-ietf-dnsop-rfc7958bis-01.txt is now available. It is a work item of the Domain Name System Operations (DNSOP) WG of the IETF.

   Title:   DNSSEC Trust Anchor Publication for the Root Zone
   Authors: Joe Abley
            Jakob Schlyter
            Guillaume Bailey
            Paul Hoffman
   Name:    draft-ietf-dnsop-rfc7958bis-01.txt
   Pages:   12
   Dates:   2024-03-04

Abstract:

   The root zone of the Domain Name System (DNS) has been cryptographically signed using DNS Security Extensions (DNSSEC). In order to obtain secure answers from the root zone of the DNS using DNSSEC, a client must configure a suitable trust anchor. This document describes the format and publication mechanisms IANA uses to distribute the DNSSEC trust anchors.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-rfc7958bis/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-dnsop-rfc7958bis-01.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-rfc7958bis-01

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts
[DNSOP] I-D Action: draft-ietf-dnsop-generalized-notify-01.txt
Internet-Draft draft-ietf-dnsop-generalized-notify-01.txt is now available. It is a work item of the Domain Name System Operations (DNSOP) WG of the IETF.

   Title:   Generalized DNS Notifications
   Authors: Johan Stenstam
            Peter Thomassen
            John Levine
   Name:    draft-ietf-dnsop-generalized-notify-01.txt
   Pages:   16
   Dates:   2024-03-04

Abstract:

   This document extends the use of DNS NOTIFY ([RFC1996]) beyond conventional zone transfer hints, bringing the benefits of ad-hoc notifications to DNS delegation maintenance in general. Use cases include DNSSEC key rollover hints, and quicker changes to a delegation's NS record set.

   To enable this functionality, a method for discovering the receiver endpoint for such notification messages is introduced, via the new NOTIFY record type.

   TO BE REMOVED: This document is being collaborated on in Github at: https://github.com/peterthomassen/draft-ietf-dnsop-generalized-notify. The most recent working version of the document, open issues, etc. should all be available there. The authors (gratefully) accept pull requests.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-generalized-notify/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-dnsop-generalized-notify-01.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-generalized-notify-01

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts
[DNSOP] I-D Action: draft-ietf-dnsop-dns-error-reporting-08.txt
Internet-Draft draft-ietf-dnsop-dns-error-reporting-08.txt is now available. It is a work item of the Domain Name System Operations (DNSOP) WG of the IETF.

   Title:   DNS Error Reporting
   Authors: Roy Arends
            Matt Larson
   Name:    draft-ietf-dnsop-dns-error-reporting-08.txt
   Pages:   12
   Dates:   2024-03-04

Abstract:

   DNS error reporting is a lightweight reporting mechanism that provides the operator of an authoritative server with reports on DNS resource records that fail to resolve or validate. A domain owner or DNS hosting organization can use these reports to improve domain hosting. The reports are based on extended DNS errors as described in [RFC8914].

   When a domain name fails to resolve or validate due to a misconfiguration or an attack, the operator of the authoritative server may be unaware of this. To mitigate this lack of feedback, this document describes a method for a validating resolver to automatically signal an error to a monitoring agent specified by the authoritative server. The error is encoded in the QNAME, thus the very act of sending the query is to report the error.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-dns-error-reporting/

There is also an HTMLized version available at:
https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-dns-error-reporting-08

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-dns-error-reporting-08

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts
[DNSOP] I-D Action: draft-ietf-dnsop-domain-verification-techniques-04.txt
Internet-Draft draft-ietf-dnsop-domain-verification-techniques-04.txt is now available. It is a work item of the Domain Name System Operations (DNSOP) WG of the IETF.

   Title:   Domain Control Validation using DNS
   Authors: Shivan Sahib
            Shumon Huque
            Paul Wouters
            Erik Nygren
   Name:    draft-ietf-dnsop-domain-verification-techniques-04.txt
   Pages:   21
   Dates:   2024-03-03

Abstract:

   Many application services on the Internet need to verify ownership or control of a domain in the Domain Name System (DNS). The general term for this process is "Domain Control Validation", and can be done using a variety of methods such as email, HTTP/HTTPS, or the DNS itself. This document focuses only on DNS-based methods, which typically involve the application service provider requesting a DNS record with a specific format and content to be visible in the requester's domain. There is wide variation in the details of these methods today. This document proposes some best practices to avoid known problems.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-domain-verification-techniques/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-dnsop-domain-verification-techniques-04.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-domain-verification-techniques-04

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts
[DNSOP] I-D Action: draft-ietf-dnsop-avoid-fragmentation-17.txt
Internet-Draft draft-ietf-dnsop-avoid-fragmentation-17.txt is now available. It is a work item of the Domain Name System Operations (DNSOP) WG of the IETF.

   Title:   IP Fragmentation Avoidance in DNS over UDP
   Authors: Kazunori Fujiwara
            Paul Vixie
   Name:    draft-ietf-dnsop-avoid-fragmentation-17.txt
   Pages:   14
   Dates:   2024-02-29

Abstract:

   The widely deployed EDNS0 feature in the DNS enables a DNS receiver to indicate its received UDP message size capacity, which supports the sending of large UDP responses by a DNS server. Large DNS/UDP messages are more likely to be fragmented and IP fragmentation has exposed weaknesses in application protocols. It is possible to avoid IP fragmentation in DNS by limiting the response size where possible, and signaling the need to upgrade from UDP to TCP transport where necessary. This document specifies techniques to avoid IP fragmentation in DNS.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-avoid-fragmentation/

There is also an HTMLized version available at:
https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-avoid-fragmentation-17

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-avoid-fragmentation-17

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts
[DNSOP] I-D Action: draft-ietf-dnsop-compact-denial-of-existence-02.txt
Internet-Draft draft-ietf-dnsop-compact-denial-of-existence-02.txt is now available. It is a work item of the Domain Name System Operations (DNSOP) WG of the IETF.

   Title:   Compact Denial of Existence in DNSSEC
   Authors: Shumon Huque
            Christian Elmerot
            Olafur Gudmundsson
   Name:    draft-ietf-dnsop-compact-denial-of-existence-02.txt
   Pages:   12
   Dates:   2024-02-28

Abstract:

   This document describes a technique to generate a signed DNS response on demand for a non-existent name by claiming that the name exists but doesn't have any data for the queried record type. Such answers require only one minimal NSEC record, allow online signing servers to minimize signing operations and response sizes, and prevent zone content disclosure.

Discussion Venues

   This note is to be removed before publishing as an RFC.

   Source for this draft and an issue tracker can be found at https://github.com/shuque/id-dnssec-compact-lies.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-compact-denial-of-existence/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-dnsop-compact-denial-of-existence-02.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-compact-denial-of-existence-02

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts
[DNSOP] I-D Action: draft-ietf-dnsop-rfc8109bis-04.txt
Internet-Draft draft-ietf-dnsop-rfc8109bis-04.txt is now available. It is a work item of the Domain Name System Operations (DNSOP) WG of the IETF.

   Title:   Initializing a DNS Resolver with Priming Queries
   Authors: Peter Koch
            Matt Larson
            Paul Hoffman
   Name:    draft-ietf-dnsop-rfc8109bis-04.txt
   Pages:   11
   Dates:   2024-02-14

Abstract:

   This document describes the queries that a DNS resolver should emit to initialize its cache. The result is that the resolver gets both a current NS Resource Record Set (RRset) for the root zone and the necessary address information for reaching the root servers.

   This document, when published, obsoletes RFC 8109. See Section 1.1 for the list of changes from RFC 8109.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-rfc8109bis/

There is also an HTMLized version available at:
https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-rfc8109bis-04

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-rfc8109bis-04

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts
[DNSOP] I-D Action: draft-ietf-dnsop-rfc8109bis-03.txt
Internet-Draft draft-ietf-dnsop-rfc8109bis-03.txt is now available. It is a work item of the Domain Name System Operations (DNSOP) WG of the IETF.

   Title:   Initializing a DNS Resolver with Priming Queries
   Authors: Peter Koch
            Matt Larson
            Paul Hoffman
   Name:    draft-ietf-dnsop-rfc8109bis-03.txt
   Pages:   11
   Dates:   2024-02-06

Abstract:

   This document describes the queries that a DNS resolver should emit to initialize its cache. The result is that the resolver gets both a current NS Resource Record Set (RRset) for the root zone and the necessary address information for reaching the root servers.

   This document, when published, obsoletes RFC 8109. See Section 1.1 for the list of changes from RFC 8109.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-rfc8109bis/

There is also an HTMLized version available at:
https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-rfc8109bis-03

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-rfc8109bis-03

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts
[DNSOP] I-D Action: draft-ietf-dnsop-structured-dns-error-08.txt
Internet-Draft draft-ietf-dnsop-structured-dns-error-08.txt is now available. It is a work item of the Domain Name System Operations (DNSOP) WG of the IETF.

   Title:   Structured Error Data for Filtered DNS
   Authors: Dan Wing
            Tirumaleswar Reddy
            Neil Cook
            Mohamed Boucadair
   Name:    draft-ietf-dnsop-structured-dns-error-08.txt
   Pages:   23
   Dates:   2024-01-31

Abstract:

   DNS filtering is widely deployed for various reasons, including network security. However, filtered DNS responses lack structured information for end users to understand the reason for the filtering. Existing mechanisms to provide explanatory details to end users cause harm especially if the blocked DNS response is for HTTPS resources.

   This document updates RFC 8914 by signaling client support for structuring the EXTRA-TEXT field of the Extended DNS Error to provide details on the DNS filtering. Such details can be parsed by the client and displayed, logged, or used for other purposes.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-structured-dns-error/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-dnsop-structured-dns-error-08.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-structured-dns-error-08

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts
[DNSOP] I-D Action: draft-ietf-dnsop-rfc8109bis-02.txt
Internet-Draft draft-ietf-dnsop-rfc8109bis-02.txt is now available. It is a work item of the Domain Name System Operations (DNSOP) WG of the IETF.

   Title:   Initializing a DNS Resolver with Priming Queries
   Authors: Peter Koch
            Matt Larson
            Paul Hoffman
   Name:    draft-ietf-dnsop-rfc8109bis-02.txt
   Pages:   11
   Dates:   2024-01-22

Abstract:

   This document describes the queries that a DNS resolver should emit to initialize its cache. The result is that the resolver gets both a current NS Resource Record Set (RRset) for the root zone and the necessary address information for reaching the root servers.

   This document, when published, obsoletes RFC 8109.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-rfc8109bis/

There is also an HTMLized version available at:
https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-rfc8109bis-02

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-rfc8109bis-02

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts
[DNSOP] I-D Action: draft-ietf-dnsop-dnssec-bootstrapping-07.txt
Internet-Draft draft-ietf-dnsop-dnssec-bootstrapping-07.txt is now available. It is a work item of the Domain Name System Operations (DNSOP) WG of the IETF.

   Title:   Automatic DNSSEC Bootstrapping using Authenticated Signals from the Zone's Operator
   Authors: Peter Thomassen
            Nils Wisiol
   Name:    draft-ietf-dnsop-dnssec-bootstrapping-07.txt
   Pages:   17
   Dates:   2024-01-19

Abstract:

   This document introduces an in-band method for DNS operators to publish arbitrary information about the zones they are authoritative for, in an authenticated fashion and on a per-zone basis. The mechanism allows managed DNS operators to securely announce DNSSEC key parameters for zones under their management, including for zones that are not currently securely delegated.

   Whenever DS records are absent for a zone's delegation, this signal enables the parent's registry or registrar to cryptographically validate the CDS/CDNSKEY records found at the child's apex. The parent can then provision DS records for the delegation without resorting to out-of-band validation or weaker types of cross-checks such as "Accept after Delay".

   This document deprecates the DS enrollment methods described in Section 3 of RFC 8078 in favor of Section 4 of this document, and also updates RFC 7344.

   [ Ed note: This document is being collaborated on at https://github.com/desec-io/draft-ietf-dnsop-dnssec-bootstrapping/. The authors gratefully accept pull requests. ]

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-dnssec-bootstrapping/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-dnsop-dnssec-bootstrapping-07.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-dnssec-bootstrapping-07

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts
[DNSOP] I-D Action: draft-ietf-dnsop-zoneversion-05.txt
Internet-Draft draft-ietf-dnsop-zoneversion-05.txt is now available. It is a work item of the Domain Name System Operations (DNSOP) WG of the IETF.

   Title:   The DNS Zone Version (ZONEVERSION) Option
   Authors: Hugo Salgado
            Mauricio Vergara Ereche
            Duane Wessels
   Name:    draft-ietf-dnsop-zoneversion-05.txt
   Pages:   13
   Dates:   2024-01-15

Abstract:

   The DNS ZONEVERSION option is a way for DNS clients to request, and for authoritative DNS servers to provide, information regarding the version of the zone from which a response is generated. The Serial field from the Start Of Authority (SOA) resource record is a good example of a zone's version, and the only one defined by this specification. Additional version types may be defined by future specifications. Including zone version data in a response simplifies and improves the quality of debugging and diagnostics since the version and the data are provided atomically. This can be especially useful for zones and DNS providers that leverage IP anycast or multiple backend systems. It functions similarly to the NSID option.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-zoneversion/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-dnsop-zoneversion-05.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-zoneversion-05

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts
[DNSOP] I-D Action: draft-ietf-dnsop-rfc7958bis-00.txt
Internet-Draft draft-ietf-dnsop-rfc7958bis-00.txt is now available. It is a work item of the Domain Name System Operations (DNSOP) WG of the IETF.

   Title:   DNSSEC Trust Anchor Publication for the Root Zone
   Authors: Joe Abley
            Jakob Schlyter
            Guillaume Bailey
            Paul Hoffman
   Name:    draft-ietf-dnsop-rfc7958bis-00.txt
   Pages:   11
   Dates:   2023-12-30

Abstract:

   The root zone of the Domain Name System (DNS) has been cryptographically signed using DNS Security Extensions (DNSSEC). In order to obtain secure answers from the root zone of the DNS using DNSSEC, a client must configure a suitable trust anchor. This document describes the format and publication mechanisms IANA intends to use to distribute the DNSSEC trust anchors.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-rfc7958bis/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-dnsop-rfc7958bis-00.html

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts
[DNSOP] I-D Action: draft-ietf-dnsop-rfc5933-bis-14.txt
Internet-Draft draft-ietf-dnsop-rfc5933-bis-14.txt is now available. It is a work item of the Domain Name System Operations (DNSOP) WG of the IETF.

   Title:   Use of GOST 2012 Signature Algorithms in DNSKEY and RRSIG Resource Records for DNSSEC
   Authors: Boris Makarenko
            Vasily Dolmatov
   Name:    draft-ietf-dnsop-rfc5933-bis-14.txt
   Pages:   11
   Dates:   2023-12-12

Abstract:

   This document describes how to produce digital signatures and hash functions using the GOST R 34.10-2012 and GOST R 34.11-2012 algorithms for DNSKEY, RRSIG, and DS resource records, for use in the Domain Name System Security Extensions (DNSSEC).

   This document obsoletes RFC 5933 and updates RFC 8624.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-rfc5933-bis/

There is also an HTMLized version available at:
https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-rfc5933-bis-14

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-rfc5933-bis-14

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts
[DNSOP] I-D Action: draft-ietf-dnsop-avoid-fragmentation-16.txt
Internet-Draft draft-ietf-dnsop-avoid-fragmentation-16.txt is now available. It is a work item of the Domain Name System Operations (DNSOP) WG of the IETF.

   Title:   IP Fragmentation Avoidance in DNS
   Authors: Kazunori Fujiwara
            Paul Vixie
   Name:    draft-ietf-dnsop-avoid-fragmentation-16.txt
   Pages:   13
   Dates:   2023-12-12

Abstract:

   The widely deployed EDNS0 feature in the DNS enables a DNS receiver to indicate its received UDP message size capacity which supports the sending of large UDP responses by a DNS server. Large DNS/UDP responses are fragmented, and IP fragmentation has exposed weaknesses in application protocols. It is possible to avoid IP fragmentation in DNS by limiting response size where possible, and signaling the need to upgrade from UDP to TCP transport where necessary. This document specifies techniques to avoid IP fragmentation in DNS.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-avoid-fragmentation/

There is also an HTMLized version available at:
https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-avoid-fragmentation-16

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-avoid-fragmentation-16

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts
[DNSOP] I-D Action: draft-ietf-dnsop-svcb-dane-03.txt
Internet-Draft draft-ietf-dnsop-svcb-dane-03.txt is now available. It is a work item of the Domain Name System Operations (DNSOP) WG of the IETF.

   Title:   Using DNSSEC Authentication of Named Entities (DANE) with DNS Service Bindings (SVCB) and QUIC
   Authors: Benjamin M. Schwartz
            Robert Evans
   Name:    draft-ietf-dnsop-svcb-dane-03.txt
   Pages:   13
   Dates:   2023-11-29

Abstract:

   Service Binding (SVCB) records introduce a new form of name indirection in DNS. They also convey information about the endpoint's supported protocols, such as whether QUIC transport is available. This document specifies how DNS-Based Authentication of Named Entities (DANE) interacts with Service Bindings to secure connections, including use of port numbers and transport protocols discovered via SVCB queries. The "_quic" transport name label is introduced to distinguish TLSA records for DTLS and QUIC.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-svcb-dane/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-dnsop-svcb-dane-03.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-svcb-dane-03

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts
[DNSOP] I-D Action: draft-ietf-dnsop-dns-error-reporting-07.txt
Internet-Draft draft-ietf-dnsop-dns-error-reporting-07.txt is now available. It is a work item of the Domain Name System Operations (DNSOP) WG of the IETF.

Title: DNS Error Reporting
Authors: Roy Arends, Matt Larson
Name: draft-ietf-dnsop-dns-error-reporting-07.txt
Pages: 11
Dates: 2023-11-17

Abstract:
DNS error reporting is a lightweight reporting mechanism that provides the operator of an authoritative server with reports on DNS resource records that fail to resolve or validate. A domain owner or DNS hosting organization can use these reports to improve domain hosting. The reports are based on extended DNS errors as described in RFC 8914. When a domain name fails to resolve or validate due to a misconfiguration or an attack, the operator of the authoritative server may be unaware of this. To mitigate this lack of feedback, this document describes a method for a validating resolver to automatically signal an error to a monitoring agent specified by the authoritative server. The error is encoded in the QNAME, thus the very act of sending the query is to report the error.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-dns-error-reporting/

There is also an HTMLized version available at:
https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-dns-error-reporting-07

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-dns-error-reporting-07

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts
[DNSOP] I-D Action: draft-bellis-dnsext-multi-qtypes-08.txt
Internet-Draft draft-bellis-dnsext-multi-qtypes-08.txt is now available. It is a work item of the Domain Name System Operations (DNSOP) WG of the IETF.

Title: DNS Multiple QTYPEs
Author: Ray Bellis
Name: draft-bellis-dnsext-multi-qtypes-08.txt
Pages: 7
Dates: 2023-11-14

Abstract:
This document specifies a method for a DNS client to request additional DNS record types to be delivered alongside the primary record type specified in the question section of a DNS query.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-bellis-dnsext-multi-qtypes/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-bellis-dnsext-multi-qtypes-08.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-bellis-dnsext-multi-qtypes-08

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts
[DNSOP] I-D Action: draft-ietf-dnsop-structured-dns-error-07.txt
Internet-Draft draft-ietf-dnsop-structured-dns-error-07.txt is now available. It is a work item of the Domain Name System Operations (DNSOP) WG of the IETF.

Title: Structured Error Data for Filtered DNS
Authors: Dan Wing, Tirumaleswar Reddy, Neil Cook, Mohamed Boucadair
Name: draft-ietf-dnsop-structured-dns-error-07.txt
Pages: 23
Dates: 2023-11-05

Abstract:
DNS filtering is widely deployed for various reasons, including network security. However, filtered DNS responses lack structured information for end users to understand the reason for the filtering. Existing mechanisms to provide explanatory details to end users cause harm especially if the blocked DNS response is for HTTPS resources. This document updates RFC 8914 by signaling client support for structuring the EXTRA-TEXT field of the Extended DNS Error to provide details on the DNS filtering. Such details can be parsed by the client and displayed, logged, or used for other purposes.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-structured-dns-error/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-dnsop-structured-dns-error-07.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-structured-dns-error-07

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts
[DNSOP] I-D Action: draft-ietf-dnsop-svcb-dane-02.txt
Internet-Draft draft-ietf-dnsop-svcb-dane-02.txt is now available. It is a work item of the Domain Name System Operations (DNSOP) WG of the IETF.

Title: Using DNSSEC Authentication of Named Entities (DANE) with DNS Service Bindings (SVCB) and QUIC
Authors: Benjamin M. Schwartz, Robert Evans
Name: draft-ietf-dnsop-svcb-dane-02.txt
Pages: 12
Dates: 2023-10-23

Abstract:
Service Binding (SVCB) records introduce a new form of name indirection in DNS. They also convey information about the endpoint's supported protocols, such as whether QUIC transport is available. This document specifies how DNS-Based Authentication of Named Entities (DANE) interacts with Service Bindings to secure connections, including use of port numbers and transport protocols discovered via SVCB queries. The "_quic" transport name label is introduced to distinguish TLSA records for DTLS and QUIC.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-svcb-dane/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-dnsop-svcb-dane-02.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-svcb-dane-02

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts
[DNSOP] I-D Action: draft-ietf-dnsop-compact-denial-of-existence-01.txt
Internet-Draft draft-ietf-dnsop-compact-denial-of-existence-01.txt is now available. It is a work item of the Domain Name System Operations (DNSOP) WG of the IETF.

Title: Compact Denial of Existence in DNSSEC
Authors: Shumon Huque, Christian Elmerot, Olafur Gudmundsson
Name: draft-ietf-dnsop-compact-denial-of-existence-01.txt
Pages: 9
Dates: 2023-10-23

Abstract:
This document describes a technique to generate a signed DNS response on demand for a non-existent name by claiming that the name exists but doesn't have any data for the queried record type. Such answers require only one minimal NSEC record, allow online signing servers to minimize signing operations and response sizes, and prevent zone content disclosure.

Discussion Venues
This note is to be removed before publishing as an RFC. Source for this draft and an issue tracker can be found at https://github.com/shuque/id-dnssec-compact-lies.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-compact-denial-of-existence/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-dnsop-compact-denial-of-existence-01.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-compact-denial-of-existence-01

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts
[DNSOP] I-D Action: draft-ietf-dnsop-qdcount-is-one-01.txt
Internet-Draft draft-ietf-dnsop-qdcount-is-one-01.txt is now available. It is a work item of the Domain Name System Operations (DNSOP) WG of the IETF.

Title: In the DNS, QDCOUNT is (usually) One
Authors: Ray Bellis, Joe Abley
Name: draft-ietf-dnsop-qdcount-is-one-01.txt
Pages: 7
Dates: 2023-10-23

Abstract:
This document clarifies the allowable values of the QDCOUNT parameter in DNS messages with OPCODE = 0 (QUERY) and specifies the required behaviour when values that are not allowed are encountered.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-qdcount-is-one/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-dnsop-qdcount-is-one-01.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-qdcount-is-one-01

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts
[DNSOP] I-D Action: draft-ietf-dnsop-dnssec-automation-02.txt
Internet-Draft draft-ietf-dnsop-dnssec-automation-02.txt is now available. It is a work item of the Domain Name System Operations (DNSOP) WG of the IETF.

Title: DNSSEC automation
Authors: Ulrich Wisser, Shumon Huque, Johan Stenstam
Name: draft-ietf-dnsop-dnssec-automation-02.txt
Pages: 11
Dates: 2023-10-22

Abstract:
This document describes an algorithm and protocol to automate the setup, operations, and decommissioning of Multi-Signer DNSSEC [RFC8901] configurations. It employs Model 2 of the Multi-Signer specification, where each operator has their own distinct KSK and ZSK sets (or CSK sets), Managing DS Records from the Parent via CDS/CDNSKEY [RFC8078], and Child-to-Parent Synchronization in DNS [RFC7477] to accomplish this.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-dnssec-automation/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-dnsop-dnssec-automation-02.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-dnssec-automation-02

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts
[DNSOP] I-D Action: draft-ietf-dnsop-domain-verification-techniques-03.txt
Internet-Draft draft-ietf-dnsop-domain-verification-techniques-03.txt is now available. It is a work item of the Domain Name System Operations (DNSOP) WG of the IETF.

Title: Domain Control Validation using DNS
Authors: Shivan Sahib, Shumon Huque, Paul Wouters, Erik Nygren
Name: draft-ietf-dnsop-domain-verification-techniques-03.txt
Pages: 21
Dates: 2023-10-17

Abstract:
Many application services on the Internet need to verify ownership or control of a domain in the Domain Name System (DNS). The general term for this process is "Domain Control Validation", and can be done using a variety of methods such as email, HTTP/HTTPS, or the DNS itself. This document focuses only on DNS-based methods, which typically involve the application service provider requesting a DNS record with a specific format and content to be visible in the requester's domain. There is wide variation in the details of these methods today. This document proposes some best practices to avoid known problems.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-domain-verification-techniques/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-dnsop-domain-verification-techniques-03.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-domain-verification-techniques-03

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts
[DNSOP] I-D Action: draft-ietf-dnsop-qdcount-is-one-00.txt
Internet-Draft draft-ietf-dnsop-qdcount-is-one-00.txt is now available. It is a work item of the Domain Name System Operations (DNSOP) WG of the IETF.

Title: In the DNS, QDCOUNT is (usually) One
Authors: Ray Bellis, Joe Abley
Name: draft-ietf-dnsop-qdcount-is-one-00.txt
Pages: 7
Dates: 2023-10-13

Abstract:
This document clarifies the allowable values of the QDCOUNT parameter in DNS messages with OPCODE = 0 (QUERY) and specifies the required behaviour when values that are not allowed are encountered.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-qdcount-is-one/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-dnsop-qdcount-is-one-00.html

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts
[DNSOP] I-D Action: draft-ietf-dnsop-dns-error-reporting-06.txt
Internet-Draft draft-ietf-dnsop-dns-error-reporting-06.txt is now available. It is a work item of the Domain Name System Operations (DNSOP) WG of the IETF.

Title: DNS Error Reporting
Authors: Roy Arends, Matt Larson
Name: draft-ietf-dnsop-dns-error-reporting-06.txt
Pages: 11
Dates: 2023-10-11

Abstract:
DNS error reporting is a lightweight reporting mechanism that provides the operator of an authoritative server with reports on DNS resource records that fail to resolve or validate. A domain owner or DNS hosting organization can use these reports to improve domain hosting. The reports are based on extended DNS errors as described in RFC 8914. When a domain name fails to resolve or validate due to a misconfiguration or an attack, the operator of the authoritative server may be unaware of this. To mitigate this lack of feedback, this document describes a method for a validating recursive resolver to automatically signal an error to a monitoring agent specified by the authoritative server.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-dns-error-reporting/

There is also an HTMLized version available at:
https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-dns-error-reporting-06

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-dns-error-reporting-06

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts
[DNSOP] I-D Action: draft-ietf-dnsop-rfc8109bis-01.txt
Internet-Draft draft-ietf-dnsop-rfc8109bis-01.txt is now available. It is a work item of the Domain Name System Operations (DNSOP) WG of the IETF.

Title: Initializing a DNS Resolver with Priming Queries
Authors: Peter Koch, Matt Larson, Paul Hoffman
Name: draft-ietf-dnsop-rfc8109bis-01.txt
Pages: 10
Dates: 2023-10-05

Abstract:
This document describes the queries that a DNS resolver should emit to initialize its cache. The result is that the resolver gets both a current NS Resource Record Set (RRset) for the root zone and the necessary address information for reaching the root servers. This document, when published, obsoletes RFC 8109.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-rfc8109bis/

There is also an HTMLized version available at:
https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-rfc8109bis-01

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-rfc8109bis-01

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts
[DNSOP] I-D Action: draft-ietf-dnsop-dnssec-bootstrapping-06.txt
Internet-Draft draft-ietf-dnsop-dnssec-bootstrapping-06.txt is now available. It is a work item of the Domain Name System Operations (DNSOP) WG of the IETF.

Title: Automatic DNSSEC Bootstrapping using Authenticated Signals from the Zone's Operator
Authors: Peter Thomassen, Nils Wisiol
Name: draft-ietf-dnsop-dnssec-bootstrapping-06.txt
Pages: 17
Dates: 2023-10-02

Abstract:
This document introduces an in-band method for DNS operators to publish arbitrary information about the zones they are authoritative for, in an authenticated fashion and on a per-zone basis. The mechanism allows managed DNS operators to securely announce DNSSEC key parameters for zones under their management, including for zones that are not currently securely delegated. Whenever DS records are absent for a zone's delegation, this signal enables the parent's registry or registrar to cryptographically validate the CDS/CDNSKEY records found at the child's apex. The parent can then provision DS records for the delegation without resorting to out-of-band validation or weaker types of cross-checks such as "Accept after Delay". This document deprecates the DS enrollment methods described in Section 3 of RFC 8078 in favor of Section 4 of this document, and also updates RFC 7344.

[ Ed note: This document is being collaborated on at https://github.com/desec-io/draft-ietf-dnsop-dnssec-bootstrapping/. The authors gratefully accept pull requests. ]

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-dnssec-bootstrapping/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-dnsop-dnssec-bootstrapping-06.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-dnssec-bootstrapping-06

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts
[DNSOP] I-D Action: draft-ietf-dnsop-cds-consistency-04.txt
Internet-Draft draft-ietf-dnsop-cds-consistency-04.txt is now available. It is a work item of the Domain Name System Operations (DNSOP) WG of the IETF.

Title: Consistency for CDS/CDNSKEY and CSYNC is Mandatory
Author: Peter Thomassen
Name: draft-ietf-dnsop-cds-consistency-04.txt
Pages: 13
Dates: 2023-10-02

Abstract:
Maintenance of DNS delegations requires occasional changes of the DS and NS record sets on the parent side of the delegation. RFC 7344 automates this for DS records by having the child publish CDS and/or CDNSKEY records which hold the prospective DS parameters. Similarly, RFC 7477 specifies CSYNC records to indicate a desired update of the delegation's NS (and glue) records. Parent-side entities (e.g. Registries, Registrars) typically discover these records by querying them from the child, and then use them to update the parent-side RRsets of the delegation accordingly. This document specifies that when performing such queries, parent-side entities MUST ensure that updates triggered via CDS/CDNSKEY and CSYNC records are consistent across the child's authoritative nameservers, before taking any action based on these records.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-cds-consistency/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-dnsop-cds-consistency-04.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-cds-consistency-04

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts
[DNSOP] I-D Action: draft-ietf-dnsop-generalized-notify-00.txt
Internet-Draft draft-ietf-dnsop-generalized-notify-00.txt is now available. It is a work item of the Domain Name System Operations (DNSOP) WG of the IETF.

Title: Generalized DNS Notifications
Authors: Johan Stenstam, Peter Thomassen, John Levine
Name: draft-ietf-dnsop-generalized-notify-00.txt
Pages: 17
Dates: 2023-09-29

Abstract:
Changes in CDS/CDNSKEY, CSYNC, and other records related to delegation maintenance are usually detected through scheduled scans run by the consuming party (e.g. top-level domain registry), incurring an uncomfortable trade-off between scanning cost and update latency. A similar problem exists when scheduling zone transfers, and has been solved using the well-known DNS NOTIFY mechanism ([RFC1996]). This mechanism enables a primary nameserver to proactively inform secondaries about zone changes, allowing the secondary to initiate an ad-hoc transfer independently of when the next SOA check would be due. This document extends the use of DNS NOTIFY beyond conventional zone transfer hints, bringing the benefits of ad-hoc notifications to DNS delegation maintenance in general. Use cases include DNSSEC key rollover hints via NOTIFY(CDS) and NOTIFY(DNSKEY) messages, and quicker changes to a delegation's NS record set via NOTIFY(CSYNC) messages. Furthermore, this document proposes a new DNS record type, tentatively referred to as "NOTIFY record", which is used to publish details about where generalized notifications should be sent.

TO BE REMOVED: This document is being collaborated on in Github at: https://github.com/peterthomassen/draft-ietf-dnsop-generalized-notify. The most recent working version of the document, open issues, etc. should all be available there. The authors (gratefully) accept pull requests.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-generalized-notify/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-dnsop-generalized-notify-00.html

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts
[DNSOP] I-D Action: draft-bellis-dnsop-qdcount-is-one-01.txt
Internet-Draft draft-bellis-dnsop-qdcount-is-one-01.txt is now available. It is a work item of the Domain Name System Operations (DNSOP) WG of the IETF.

Title: In the DNS, QDCOUNT is (usually) One
Authors: Ray Bellis, Joe Abley
Name: draft-bellis-dnsop-qdcount-is-one-01.txt
Pages: 7
Dates: 2023-09-28

Abstract:
This document clarifies the allowable values of the QDCOUNT parameter in DNS messages with OPCODE = 0 (QUERY) and specifies the required behaviour when values that are not allowed are encountered.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-bellis-dnsop-qdcount-is-one/

There is also an HTMLized version available at:
https://datatracker.ietf.org/doc/html/draft-bellis-dnsop-qdcount-is-one-01

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-bellis-dnsop-qdcount-is-one-01

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts
[DNSOP] I-D Action: draft-ietf-dnsop-rfc8499bis-10.txt
Internet-Draft draft-ietf-dnsop-rfc8499bis-10.txt is now available. It is a work item of the Domain Name System Operations (DNSOP) WG of the IETF.

Title: DNS Terminology
Authors: Paul Hoffman, Kazunori Fujiwara
Name: draft-ietf-dnsop-rfc8499bis-10.txt
Pages: 57
Dates: 2023-09-25

Abstract:
The Domain Name System (DNS) is defined in literally dozens of different RFCs. The terminology used by implementers and developers of DNS protocols, and by operators of DNS systems, has changed in the decades since the DNS was first defined. This document gives current definitions for many of the terms used in the DNS in a single document. This document updates RFC 2308 by clarifying the definitions of "forwarder" and "QNAME". It obsoletes RFC 8499 by adding multiple terms and clarifications. Comprehensive lists of changed and new definitions can be found in Appendices A and B.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-rfc8499bis/

There is also an HTMLized version available at:
https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-rfc8499bis-10

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-rfc8499bis-10

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts
[DNSOP] I-D Action: draft-ietf-dnsop-caching-resolution-failures-08.txt
Internet-Draft draft-ietf-dnsop-caching-resolution-failures-08.txt is now available. It is a work item of the Domain Name System Operations (DNSOP) WG of the IETF.

Title: Negative Caching of DNS Resolution Failures
Authors: Duane Wessels, William Carroll, Matthew Thomas
Name: draft-ietf-dnsop-caching-resolution-failures-08.txt
Pages: 19
Dates: 2023-09-21

Abstract:
In the DNS, resolvers employ caching to reduce both latency for end users and load on authoritative name servers. The process of resolution may result in one of three types of responses: (1) a response containing the requested data; (2) a response indicating the requested data does not exist; or (3) a non-response due to a resolution failure in which the resolver does not receive any useful information regarding the data's existence. This document concerns itself only with the third type.

RFC 2308 specifies requirements for DNS negative caching. There, caching of type (2) responses is mandatory and caching of type (3) responses is optional. This document updates RFC 2308 to require negative caching for DNS resolution failures.

RFC 4035 allows DNSSEC validation failure caching. This document updates RFC 4035 to require caching for DNSSEC validation failures.

RFC 4697 prohibits aggressive requerying for NS records at a failed zone's parent zone. This document updates RFC 4697 to expand this requirement to all query types and to all ancestor zones.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-caching-resolution-failures/

There is also an HTMLized version available at:
https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-caching-resolution-failures-08

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-caching-resolution-failures-08

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts
[DNSOP] I-D Action: draft-ietf-dnsop-avoid-fragmentation-15.txt
Internet-Draft draft-ietf-dnsop-avoid-fragmentation-15.txt is now available. It is a work item of the Domain Name System Operations (DNSOP) WG of the IETF.

Title: Fragmentation Avoidance in DNS
Authors: Kazunori Fujiwara, Paul Vixie
Name: draft-ietf-dnsop-avoid-fragmentation-15.txt
Pages: 13
Dates: 2023-09-14

Abstract:
EDNS0 enables a DNS server to send large responses using UDP and is widely deployed. Large DNS/UDP responses are fragmented, and IP fragmentation has exposed weaknesses in application protocols. It is possible to avoid IP fragmentation in DNS by limiting response size where possible, and signaling the need to upgrade from UDP to TCP transport where necessary. This document proposes techniques to avoid IP fragmentation in DNS.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-avoid-fragmentation/

There is also an HTMLized version available at:
https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-avoid-fragmentation-15

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-avoid-fragmentation-15

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts
[DNSOP] I-D Action: draft-bash-rfc7958bis-01.txt
Internet-Draft draft-bash-rfc7958bis-01.txt is now available. It is a work item of the Domain Name System Operations (DNSOP) WG of the IETF.

Title: DNSSEC Trust Anchor Publication for the Root Zone
Authors: Joe Abley, Jakob Schlyter, Guillaume Bailey, Paul Hoffman
Name: draft-bash-rfc7958bis-01.txt
Pages: 11
Dates: 2023-09-07

Abstract:
The root zone of the Domain Name System (DNS) has been cryptographically signed using DNS Security Extensions (DNSSEC). In order to obtain secure answers from the root zone of the DNS using DNSSEC, a client must configure a suitable trust anchor. This document describes the format and publication mechanisms IANA has used to distribute the DNSSEC trust anchors.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-bash-rfc7958bis/

There is also an HTMLized version available at:
https://datatracker.ietf.org/doc/html/draft-bash-rfc7958bis-01

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-bash-rfc7958bis-01

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts
[DNSOP] I-D Action: draft-ietf-dnsop-caching-resolution-failures-07.txt
A New Internet-Draft is available from the on-line Internet-Drafts directories. This Internet-Draft is a work item of the Domain Name System Operations (DNSOP) WG of the IETF.

Title: Negative Caching of DNS Resolution Failures
Authors: Duane Wessels, William Carroll, Matthew Thomas
Filename: draft-ietf-dnsop-caching-resolution-failures-07.txt
Pages: 19
Date: 2023-08-22

Abstract:
In the DNS, resolvers employ caching to reduce both latency for end users and load on authoritative name servers. The process of resolution may result in one of three types of responses: (1) a response containing the requested data; (2) a response indicating the requested data does not exist; or (3) a non-response due to a resolution failure in which the resolver does not receive any useful information regarding the data's existence. This document concerns itself only with the third type.

RFC 2308 specifies requirements for DNS negative caching. There, caching of type (1) and (2) responses is mandatory and caching of type (3) responses is optional. This document updates RFC 2308 to require negative caching for DNS resolution failures.

RFC 4035 allows DNSSEC validation failure caching. This document updates RFC 4035 to require caching for DNSSEC validation failures.

RFC 4697 prohibits aggressive requerying for NS records at a failed zone's parent zone. This document updates RFC 4697 to expand this requirement to all query types and to all ancestor zones.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-caching-resolution-failures/

There is also an htmlized version available at:
https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-caching-resolution-failures-07

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-caching-resolution-failures-07

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts
[DNSOP] I-D Action: draft-ietf-dnsop-rfc8499bis-09.txt
A New Internet-Draft is available from the on-line Internet-Drafts directories. This Internet-Draft is a work item of the Domain Name System Operations (DNSOP) WG of the IETF.

Title: DNS Terminology
Authors: Paul Hoffman, Kazunori Fujiwara
Filename: draft-ietf-dnsop-rfc8499bis-09.txt
Pages: 57
Date: 2023-08-22

Abstract:
The Domain Name System (DNS) is defined in literally dozens of different RFCs. The terminology used by implementers and developers of DNS protocols, and by operators of DNS systems, has changed in the decades since the DNS was first defined. This document gives current definitions for many of the terms used in the DNS in a single document. This document updates RFC 2308 by clarifying the definitions of "forwarder" and "QNAME". It obsoletes RFC 8499 by adding multiple terms and clarifications. Comprehensive lists of changed and new definitions can be found in Appendices A and B.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-rfc8499bis/

There is also an htmlized version available at:
https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-rfc8499bis-09

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-rfc8499bis-09

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts
[DNSOP] I-D Action: draft-thomassen-dnsop-generalized-dns-notify-02.txt
This Internet-Draft is a work item of the Domain Name System Operations (DNSOP) WG of the IETF.
Title: Generalized DNS Notifications
Authors: Johan Stenstam, Peter Thomassen, John Levine
Filename: draft-thomassen-dnsop-generalized-dns-notify-02.txt
Pages: 17
Date: 2023-08-07
Abstract: Changes in CDS/CDNSKEY, CSYNC, and other records related to delegation maintenance are usually detected through scheduled scans run by the consuming party (e.g. top-level domain registry), incurring an uncomfortable trade-off between scanning cost and update latency. A similar problem exists when scheduling zone transfers, and has been solved using the well-known DNS NOTIFY mechanism ([RFC1996]). This mechanism enables a primary nameserver to proactively inform secondaries about zone changes, allowing the secondary to initiate an ad-hoc transfer independently of when the next SOA check would be due. This document extends the use of DNS NOTIFY beyond conventional zone transfer hints, bringing the benefits of ad-hoc notifications to DNS delegation maintenance in general. Use cases include DNSSEC key rollover hints via NOTIFY(CDS) and NOTIFY(DNSKEY) messages, and quicker changes to a delegation's NS record set via NOTIFY(CSYNC) messages. Furthermore, this document proposes a new DNS record type, tentatively referred to as "NOTIFY record", which is used to publish details about where generalized notifications should be sent.
TO BE REMOVED: This document is being collaborated on in Github at: https://github.com/peterthomassen/draft-thomassen-dnsop-generalized-dns-notify (https://github.com/peterthomassen/draft-thomassen-dnsop-generalized-dns-notify). The most recent working version of the document, open issues, etc. should all be available there. The authors (gratefully) accept pull requests.
The IETF datatracker status page for this Internet-Draft is: https://datatracker.ietf.org/doc/draft-thomassen-dnsop-generalized-dns-notify/
There is also an HTML version available at: https://www.ietf.org/archive/id/draft-thomassen-dnsop-generalized-dns-notify-02.html
A diff from the previous version is available at: https://author-tools.ietf.org/iddiff?url2=draft-thomassen-dnsop-generalized-dns-notify-02
[DNSOP] I-D Action: draft-ietf-dnsop-zoneversion-04.txt
This Internet-Draft is a work item of the Domain Name System Operations (DNSOP) WG of the IETF.
Title: The "ZONEVERSION" EDNS option for the version token of a Resource Record's zone
Authors: Hugo Salgado, Mauricio Vergara Ereche
Filename: draft-ietf-dnsop-zoneversion-04.txt
Pages: 11
Date: 2023-08-03
Abstract: The "ZONEVERSION" EDNS option allows a DNS querier to request a DNS authoritative server to add an EDNS option in the answer of such query with a token field representing the version of the zone which contains the answered Resource Record ("RR"), such as the Start Of Authority ("SOA") serial field in zones when this number corresponds to the zone version. This "ZONEVERSION" data allows one to debug and diagnose problems by helping to recognize the data source of an answer in an atomic single DNS query, by associating the response with a respective zone version of such domain name.
The IETF datatracker status page for this Internet-Draft is: https://datatracker.ietf.org/doc/draft-ietf-dnsop-zoneversion/
There is also an HTML version available at: https://www.ietf.org/archive/id/draft-ietf-dnsop-zoneversion-04.html
A diff from the previous version is available at: https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-zoneversion-04
[DNSOP] I-D Action: draft-ietf-dnsop-cds-consistency-03.txt
This Internet-Draft is a work item of the Domain Name System Operations (DNSOP) WG of the IETF.
Title: Consistency for CDS/CDNSKEY and CSYNC is Mandatory
Author: Peter Thomassen
Filename: draft-ietf-dnsop-cds-consistency-03.txt
Pages: 12
Date: 2023-08-01
Abstract: Maintenance of DNS delegations requires occasional changes of the DS and NS record sets on the parent side of the delegation. RFC 7344 automates this for DS records by having the child publish CDS and/or CDNSKEY records which hold the prospective DS parameters. Similarly, RFC 7477 specifies CSYNC records to indicate a desired update of the delegation's NS (and glue) records. Parent-side entities (e.g. Registries, Registrars) typically discover these records by querying them from the child, and then use them to update the delegation's DS RRset accordingly. This document specifies that when performing such queries, parent-side entities MUST ensure that updates triggered via CDS/CDNSKEY and CSYNC records are consistent across the child's authoritative nameservers, before taking any action based on these records.
The IETF datatracker status page for this Internet-Draft is: https://datatracker.ietf.org/doc/draft-ietf-dnsop-cds-consistency/
There is also an HTML version available at: https://www.ietf.org/archive/id/draft-ietf-dnsop-cds-consistency-03.html
A diff from the previous version is available at: https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-cds-consistency-03
[DNSOP] I-D Action: draft-ietf-dnsop-zoneversion-03.txt
This Internet-Draft is a work item of the Domain Name System Operations (DNSOP) WG of the IETF.
Title: The "ZONEVERSION" EDNS option for the version token of a Resource Record's zone
Authors: Hugo Salgado, Mauricio Vergara Ereche
Filename: draft-ietf-dnsop-zoneversion-03.txt
Pages: 11
Date: 2023-07-30
Abstract: The "ZONEVERSION" EDNS option allows a DNS querier to request a DNS authoritative server to add an EDNS option in the answer of such query with a token field representing the version of the zone which contains the answered Resource Record, such as the Start Of Authority ("SOA") serial field in zones when this number corresponds to the zone version. This "ZONEVERSION" data allows one to debug and diagnose problems by helping to recognize the data source of an answer in an atomic single query, by associating the response with a respective zone version.
The IETF datatracker status page for this Internet-Draft is: https://datatracker.ietf.org/doc/draft-ietf-dnsop-zoneversion/
There is also an HTML version available at: https://www.ietf.org/archive/id/draft-ietf-dnsop-zoneversion-03.html
A diff from the previous version is available at: https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-zoneversion-03
[DNSOP] I-D Action: draft-ietf-dnsop-caching-resolution-failures-06.txt
This Internet-Draft is a work item of the Domain Name System Operations (DNSOP) WG of the IETF.
Title: Negative Caching of DNS Resolution Failures
Authors: Duane Wessels, William Carroll, Matthew Thomas
Filename: draft-ietf-dnsop-caching-resolution-failures-06.txt
Pages: 18
Date: 2023-07-27
Abstract: In the DNS, resolvers employ caching to reduce both latency for end users and load on authoritative name servers. The process of resolution may result in one of three types of responses: (1) a response containing the requested data; (2) a response indicating the requested data does not exist; or (3) a non-response due to a resolution failure in which the resolver does not receive any useful information regarding the data's existence. This document concerns itself only with the third type. RFC 2308 specifies requirements for DNS negative caching. There, caching of type (1) and (2) responses is mandatory and caching of type (3) responses is optional. This document updates RFC 2308 to require negative caching for DNS resolution failures. RFC 4035 allows DNSSEC validation failure caching. This document updates RFC 4035 to require caching for DNSSEC validation failures. RFC 4697 prohibits aggressive requerying for NS records at a failed zone's parent zone. This document updates RFC 4697 to expand this requirement to all query types and to all ancestor zones.
The IETF datatracker status page for this Internet-Draft is: https://datatracker.ietf.org/doc/draft-ietf-dnsop-caching-resolution-failures/
There is also an htmlized version available at: https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-caching-resolution-failures-06
A diff from the previous version is available at: https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-caching-resolution-failures-06
[DNSOP] I-D Action: draft-ietf-dnsop-structured-dns-error-06.txt
This Internet-Draft is a work item of the Domain Name System Operations (DNSOP) WG of the IETF.
Title: Structured Error Data for Filtered DNS
Authors: Dan Wing, Tirumaleswar Reddy, Neil Cook, Mohamed Boucadair
Filename: draft-ietf-dnsop-structured-dns-error-06.txt
Pages: 22
Date: 2023-07-26
Abstract: DNS filtering is widely deployed for various reasons, including network security. However, filtered DNS responses lack structured information for end users to understand the reason for the filtering. Existing mechanisms to provide explanatory details to end users cause harm especially if the blocked DNS response is for HTTPS resources. This document updates RFC 8914 by signaling client support for structuring the EXTRA-TEXT field of the Extended DNS Error to provide details on the DNS filtering. Such details can be parsed by the client and displayed, logged, or used for other purposes.
The IETF datatracker status page for this Internet-Draft is: https://datatracker.ietf.org/doc/draft-ietf-dnsop-structured-dns-error/
There is also an HTML version available at: https://www.ietf.org/archive/id/draft-ietf-dnsop-structured-dns-error-06.html
A diff from the previous version is available at: https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-structured-dns-error-06
[DNSOP] I-D Action: draft-ietf-dnsop-dns-error-reporting-05.txt
This Internet-Draft is a work item of the Domain Name System Operations (DNSOP) WG of the IETF.
Title: DNS Error Reporting
Authors: Roy Arends, Matt Larson
Filename: draft-ietf-dnsop-dns-error-reporting-05.txt
Pages: 11
Date: 2023-07-10
Abstract: DNS error reporting is a lightweight reporting mechanism that provides the operator of an authoritative server with reports on DNS resource records that fail to resolve or validate. A domain owner or DNS hosting organization can use these reports to improve domain hosting. The reports are based on extended DNS errors as described in RFC 8914. When a domain name fails to resolve or validate due to a misconfiguration or an attack, the operator of the authoritative server may be unaware of this. To mitigate this lack of feedback, this document describes a method for a validating recursive resolver to automatically signal an error to a monitoring agent specified by the authoritative server.
The IETF datatracker status page for this Internet-Draft is: https://datatracker.ietf.org/doc/draft-ietf-dnsop-dns-error-reporting/
There is also an htmlized version available at: https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-dns-error-reporting-05
A diff from the previous version is available at: https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-dns-error-reporting-05
[DNSOP] I-D Action: draft-ietf-dnsop-cds-consistency-02.txt
This Internet-Draft is a work item of the Domain Name System Operations (DNSOP) WG of the IETF.
Title: Consistency for CDS/CDNSKEY and CSYNC is Mandatory
Author: Peter Thomassen
Filename: draft-ietf-dnsop-cds-consistency-02.txt
Pages: 11
Date: 2023-07-10
Abstract: Maintenance of DNS delegations requires occasional changes of the DS and NS record sets on the parent side of the delegation. RFC 7344 automates this for DS records by having the child publish CDS and/or CDNSKEY records which hold the prospective DS parameters. Similarly, RFC 7477 specifies CSYNC records to indicate a desired update of the delegation's NS (and glue) records. Parent-side entities (e.g. Registries, Registrars) typically discover these records by querying them from the child, and then use them to update the delegation's DS RRset accordingly. This document specifies that when performing such queries, parent-side entities MUST ensure that updates triggered via CDS/CDNSKEY and CSYNC records are consistent across the child's authoritative nameservers, before taking any action based on these records.
The IETF datatracker status page for this Internet-Draft is: https://datatracker.ietf.org/doc/draft-ietf-dnsop-cds-consistency/
There is also an HTML version available at: https://www.ietf.org/archive/id/draft-ietf-dnsop-cds-consistency-02.html
A diff from the previous version is available at: https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-cds-consistency-02
[DNSOP] I-D Action: draft-ietf-dnsop-caching-resolution-failures-05.txt
This Internet-Draft is a work item of the Domain Name System Operations (DNSOP) WG of the IETF.
Title: Negative Caching of DNS Resolution Failures
Authors: Duane Wessels, William Carroll, Matthew Thomas
Filename: draft-ietf-dnsop-caching-resolution-failures-05.txt
Pages: 17
Date: 2023-07-10
Abstract: In the DNS, resolvers employ caching to reduce both latency for end users and load on authoritative name servers. The process of resolution may result in one of three types of responses: (1) a response containing the requested data; (2) a response indicating the requested data does not exist; or (3) a non-response due to a resolution failure in which the resolver does not receive any useful information regarding the data's existence. This document concerns itself only with the third type. RFC 2308 specifies requirements for DNS negative caching. There, caching of type (1) and (2) responses is mandatory and caching of type (3) responses is optional. This document updates RFC 2308 to require negative caching for DNS resolution failures. RFC 4035 allows DNSSEC validation failure caching. This document updates RFC 4035 to require caching for DNSSEC validation failures. RFC 4697 prohibits aggressive requerying for NS records at a failed zone's parent zone. This document updates RFC 4697 to expand this requirement to all query types and to all ancestor zones.
The IETF datatracker status page for this Internet-Draft is: https://datatracker.ietf.org/doc/draft-ietf-dnsop-caching-resolution-failures/
There is also an htmlized version available at: https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-caching-resolution-failures-05
A diff from the previous version is available at: https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-caching-resolution-failures-05
[DNSOP] I-D Action: draft-ietf-dnsop-dnssec-bootstrapping-05.txt
This Internet-Draft is a work item of the Domain Name System Operations (DNSOP) WG of the IETF.
Title: Automatic DNSSEC Bootstrapping using Authenticated Signals from the Zone's Operator
Authors: Peter Thomassen, Nils Wisiol
Filename: draft-ietf-dnsop-dnssec-bootstrapping-05.txt
Pages: 16
Date: 2023-07-10
Abstract: This document introduces an in-band method for DNS operators to publish arbitrary information about the zones they are authoritative for, in an authenticated fashion and on a per-zone basis. The mechanism allows managed DNS operators to securely announce DNSSEC key parameters for zones under their management, including for zones that are not currently securely delegated. Whenever DS records are absent for a zone's delegation, this signal enables the parent's registry or registrar to cryptographically validate the CDS/CDNSKEY records found at the child's apex. The parent can then provision DS records for the delegation without resorting to out-of-band validation or weaker types of cross-checks such as "Accept after Delay" ([RFC8078]). This document deprecates the DS enrollment methods described in Section 3 of [RFC8078] in favor of Section 3 of this document.
[ Ed note: This document is being collaborated on at https://github.com/desec-io/draft-ietf-dnsop-dnssec-bootstrapping/ (https://github.com/desec-io/draft-ietf-dnsop-dnssec-bootstrapping/). The authors gratefully accept pull requests. ]
The IETF datatracker status page for this Internet-Draft is: https://datatracker.ietf.org/doc/draft-ietf-dnsop-dnssec-bootstrapping/
There is also an HTML version available at: https://www.ietf.org/archive/id/draft-ietf-dnsop-dnssec-bootstrapping-05.html
A diff from the previous version is available at: https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-dnssec-bootstrapping-05
[DNSOP] I-D Action: draft-ietf-dnsop-domain-verification-techniques-02.txt
This Internet-Draft is a work item of the Domain Name System Operations (DNSOP) WG of the IETF.
Title: Domain Control Validation using DNS
Authors: Shivan Sahib, Shumon Huque, Paul Wouters
Filename: draft-ietf-dnsop-domain-verification-techniques-02.txt
Pages: 15
Date: 2023-07-10
Abstract: Many application services on the Internet need to verify ownership or control of a domain in the Domain Name System (DNS). The general term for this process is "Domain Control Validation", and can be done using a variety of methods such as email, HTTP/HTTPS, or the DNS itself. This document focuses only on DNS-based methods, which typically involve the application service provider requesting a DNS record with a specific format and content to be visible in the requester's domain. There is wide variation in the details of these methods today. This document proposes some best practices to avoid known problems.
The IETF datatracker status page for this Internet-Draft is: https://datatracker.ietf.org/doc/draft-ietf-dnsop-domain-verification-techniques/
There is also an HTML version available at: https://www.ietf.org/archive/id/draft-ietf-dnsop-domain-verification-techniques-02.html
A diff from the previous version is available at: https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-domain-verification-techniques-02
[DNSOP] I-D Action: draft-ietf-dnsop-avoid-fragmentation-14.txt
This Internet-Draft is a work item of the Domain Name System Operations (DNSOP) WG of the IETF.
Title: Fragmentation Avoidance in DNS
Authors: Kazunori Fujiwara, Paul Vixie
Filename: draft-ietf-dnsop-avoid-fragmentation-14.txt
Pages: 13
Date: 2023-07-10
Abstract: EDNS0 enables a DNS server to send large responses using UDP and is widely deployed. Large DNS/UDP responses are fragmented, and IP fragmentation has exposed weaknesses in application protocols. It is possible to avoid IP fragmentation in DNS by limiting response size where possible, and signaling the need to upgrade from UDP to TCP transport where necessary. This document proposes techniques to avoid IP fragmentation in DNS.
The IETF datatracker status page for this Internet-Draft is: https://datatracker.ietf.org/doc/draft-ietf-dnsop-avoid-fragmentation/
There is also an htmlized version available at: https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-avoid-fragmentation-14
A diff from the previous version is available at: https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-avoid-fragmentation-14
[DNSOP] I-D Action: draft-ietf-dnsop-structured-dns-error-05.txt
This Internet-Draft is a work item of the Domain Name System Operations (DNSOP) WG of the IETF.
Title: Structured Error Data for Filtered DNS
Authors: Dan Wing, Tirumaleswar Reddy, Neil Cook, Mohamed Boucadair
Filename: draft-ietf-dnsop-structured-dns-error-05.txt
Pages: 22
Date: 2023-07-07
Abstract: DNS filtering is widely deployed for various reasons, including network security. However, filtered DNS responses lack structured information for end users to understand the reason for the filtering. Existing mechanisms to provide explanatory details to end users cause harm especially if the blocked DNS response is for HTTPS resources. This document updates RFC 8914 by signaling client support for structuring the EXTRA-TEXT field of the Extended DNS Error to provide details on the DNS filtering. Such details can be parsed by the client and displayed, logged, or used for other purposes.
The IETF datatracker status page for this Internet-Draft is: https://datatracker.ietf.org/doc/draft-ietf-dnsop-structured-dns-error/
There is also an HTML version available at: https://www.ietf.org/archive/id/draft-ietf-dnsop-structured-dns-error-05.html
A diff from the previous version is available at: https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-structured-dns-error-05
[DNSOP] I-D Action: draft-ietf-dnsop-structured-dns-error-04.txt
This Internet-Draft is a work item of the Domain Name System Operations (DNSOP) WG of the IETF.
Title: Structured Error Data for Filtered DNS
Authors: Dan Wing, Tirumaleswar Reddy, Neil Cook, Mohamed Boucadair
Filename: draft-ietf-dnsop-structured-dns-error-04.txt
Pages: 22
Date: 2023-07-05
Abstract: DNS filtering is widely deployed for various reasons, including network security. However, filtered DNS responses lack information for end users to understand the reason for the filtering. Existing mechanisms to provide explanatory details to end users cause harm especially if the blocked DNS response is to an HTTPS server. This document updates RFC 8914 by signaling client support for structuring the EXTRA-TEXT field of the Extended DNS Error to provide details on the DNS filtering. Such details can be parsed by the client and displayed, logged, or used for other purposes.
The IETF datatracker status page for this Internet-Draft is: https://datatracker.ietf.org/doc/draft-ietf-dnsop-structured-dns-error/
There is also an HTML version available at: https://www.ietf.org/archive/id/draft-ietf-dnsop-structured-dns-error-04.html
A diff from the previous version is available at: https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-structured-dns-error-04
[DNSOP] I-D Action: draft-ietf-dnsop-avoid-fragmentation-13.txt
This Internet-Draft is a work item of the Domain Name System Operations (DNSOP) WG of the IETF.
Title: Fragmentation Avoidance in DNS
Authors: Kazunori Fujiwara, Paul Vixie
Filename: draft-ietf-dnsop-avoid-fragmentation-13.txt
Pages: 12
Date: 2023-07-05
Abstract: EDNS0 enables a DNS server to send large responses using UDP and is widely deployed. Large DNS/UDP responses are fragmented, and IP fragmentation has exposed weaknesses in application protocols. It is possible to avoid IP fragmentation in DNS by limiting response size where possible, and signaling the need to upgrade from UDP to TCP transport where necessary. This document proposes techniques to avoid IP fragmentation in DNS.
The IETF datatracker status page for this Internet-Draft is: https://datatracker.ietf.org/doc/draft-ietf-dnsop-avoid-fragmentation/
There is also an htmlized version available at: https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-avoid-fragmentation-13
A diff from the previous version is available at: https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-avoid-fragmentation-13
[DNSOP] I-D Action: draft-ietf-dnsop-rfc8499bis-08.txt
This Internet-Draft is a work item of the Domain Name System Operations (DNSOP) WG of the IETF.
Title: DNS Terminology
Authors: Paul Hoffman, Kazunori Fujiwara
Filename: draft-ietf-dnsop-rfc8499bis-08.txt
Pages: 57
Date: 2023-07-04
Abstract: The Domain Name System (DNS) is defined in literally dozens of different RFCs. The terminology used by implementers and developers of DNS protocols, and by operators of DNS systems, has sometimes changed in the decades since the DNS was first defined. This document gives current definitions for many of the terms used in the DNS in a single document. This document obsoletes RFC 8499 and updates RFC 2308.
The IETF datatracker status page for this Internet-Draft is: https://datatracker.ietf.org/doc/draft-ietf-dnsop-rfc8499bis/
There is also an htmlized version available at: https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-rfc8499bis-08
A diff from the previous version is available at: https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-rfc8499bis-08
[DNSOP] I-D Action: draft-ietf-dnsop-caching-resolution-failures-04.txt
This Internet-Draft is a work item of the Domain Name System Operations (DNSOP) WG of the IETF.
Title: Negative Caching of DNS Resolution Failures
Authors: Duane Wessels, William Carroll, Matthew Thomas
Filename: draft-ietf-dnsop-caching-resolution-failures-04.txt
Pages: 16
Date: 2023-06-30
Abstract: In the DNS, resolvers employ caching to reduce both latency for end users and load on authoritative name servers. The process of resolution may result in one of three types of responses: (1) a response containing the requested data; (2) a response indicating the requested data does not exist; or (3) a non-response due to a resolution failure in which the resolver does not receive any useful information regarding the data's existence. This document concerns itself only with the third type. RFC 2308 specifies requirements for DNS negative caching. There, caching of type (1) and (2) responses is mandatory and caching of type (3) responses is optional. This document updates RFC 2308 to require negative caching for DNS resolution failures.
The IETF datatracker status page for this Internet-Draft is: https://datatracker.ietf.org/doc/draft-ietf-dnsop-caching-resolution-failures/
There is also an htmlized version available at: https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-caching-resolution-failures-04
A diff from the previous version is available at: https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-caching-resolution-failures-04
[DNSOP] I-D Action: draft-ietf-dnsop-dnssec-validator-requirements-06.txt
This Internet-Draft is a work item of the Domain Name System Operations (DNSOP) WG of the IETF.
Title: Recommendations for DNSSEC Resolvers Operators
Authors: Daniel Migault, Edward Lewis, Dan York
Filename: draft-ietf-dnsop-dnssec-validator-requirements-06.txt
Pages: 18
Date: 2023-06-28
Abstract: The DNS Security Extensions (DNSSEC) defines a process for validating received data and assert them authentic and complete as opposed to forged. This document provides recommendations for DNSSEC Resolver Operators (DRO) to operate a DNSSEC resolver.
The IETF datatracker status page for this Internet-Draft is: https://datatracker.ietf.org/doc/draft-ietf-dnsop-dnssec-validator-requirements/
There is also an htmlized version available at: https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-dnssec-validator-requirements-06
A diff from the previous version is available at: https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-dnssec-validator-requirements-06
[DNSOP] I-D Action: draft-ietf-dnsop-cds-consistency-01.txt
This Internet-Draft is a work item of the Domain Name System Operations (DNSOP) WG of the IETF.
Title: Consistency for CDS/CDNSKEY and CSYNC is Mandatory
Author: Peter Thomassen
Filename: draft-ietf-dnsop-cds-consistency-01.txt
Pages: 11
Date: 2023-06-26
Abstract: Maintenance of DNS delegations requires occasional changes of the DS and NS record sets on the parent side of the delegation. RFC 7344 automates this for DS records by having the child publish CDS and/or CDNSKEY records which hold the prospective DS parameters. Similarly, RFC 7477 specifies CSYNC records to indicate a desired update of the delegation's NS (and glue) records. Parent-side entities (e.g. Registries, Registrars) typically discover these records by querying them from the child, and then use them to update the delegation's DS RRset accordingly. This document specifies that when performing such queries, parent-side entities MUST ensure that updates triggered via CDS/CDNSKEY and CSYNC records are consistent across the child's authoritative nameservers, before taking any action based on these records.
The IETF datatracker status page for this Internet-Draft is: https://datatracker.ietf.org/doc/draft-ietf-dnsop-cds-consistency/
There is also an HTML version available at: https://www.ietf.org/archive/id/draft-ietf-dnsop-cds-consistency-01.html
A diff from the previous version is available at: https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-cds-consistency-01
[DNSOP] I-D Action: draft-ietf-dnsop-cds-consistency-00.txt
Title: Consistency for CDS/CDNSKEY and CSYNC is Mandatory
Author: Peter Thomassen
Filename: draft-ietf-dnsop-cds-consistency-00.txt
Pages: 10
Date: 2023-06-22

Abstract:
Maintenance of DNS delegations requires occasional changes of the DS and NS record sets on the parent side of the delegation. [RFC7344] automates this for DS records by having the child publish CDS and/or CDNSKEY records which hold the prospective DS parameters. Similarly, CSYNC records indicate a desired update of the delegation's NS records [RFC7477]. Parent-side entities (e.g. Registries, Registrars) typically discover these records by periodically querying them from the child ("polling"), before using them to update the delegation's parameters. This document specifies that if polling is used, parent-side entities MUST ensure that updates triggered via CDS/CDNSKEY and CSYNC records are consistent across the child's authoritative nameservers, before taking any action based on these records.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-cds-consistency/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-dnsop-cds-consistency-00.html
[DNSOP] I-D Action: draft-ietf-dnsop-svcb-dane-01.txt
Title: Using Service Bindings with DANE
Authors: Benjamin M. Schwartz, Robert Evans
Filename: draft-ietf-dnsop-svcb-dane-01.txt
Pages: 9
Date: 2023-06-21

Abstract:
Service Binding records introduce a new form of name indirection in DNS. This document specifies DNS-Based Authentication of Named Entities (DANE) interaction with Service Bindings to secure endpoints including use of ports and transports discovered via Service Parameters.

Discussion Venues
This note is to be removed before publishing as an RFC.
Source for this draft and an issue tracker can be found at https://github.com/bemasc/svcb-dane.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-svcb-dane/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-dnsop-svcb-dane-01.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-svcb-dane-01
[DNSOP] I-D Action: draft-ietf-dnsop-caching-resolution-failures-03.txt
Title: Negative Caching of DNS Resolution Failures
Authors: Duane Wessels, William Carroll, Matthew Thomas
Filename: draft-ietf-dnsop-caching-resolution-failures-03.txt
Pages: 15
Date: 2023-06-21

Abstract:
In the DNS, resolvers employ caching to reduce both latency for end users and load on authoritative name servers. The process of resolution may result in one of three types of responses: (1) a response containing the requested data; (2) a response indicating the requested data does not exist; or (3) a non-response due to a resolution failure in which the resolver does not receive any useful information regarding the data's existence. This document concerns itself only with the third type. RFC 2308 specifies requirements for DNS negative caching. There, caching of type (1) and (2) responses is mandatory and caching of type (3) responses is optional. This document updates RFC 2308 to require negative caching for DNS resolution failures.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-caching-resolution-failures/

There is also an htmlized version available at:
https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-caching-resolution-failures-03

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-caching-resolution-failures-03
[DNSOP] I-D Action: draft-ietf-dnsop-glue-is-not-optional-09.txt
Title: DNS Glue Requirements in Referral Responses
Authors: M. Andrews, Shumon Huque, Paul Wouters, Duane Wessels
Filename: draft-ietf-dnsop-glue-is-not-optional-09.txt
Pages: 12
Date: 2023-06-14

Abstract:
The DNS uses glue records to allow iterative clients to find the addresses of name servers that are contained within a delegated zone. Authoritative Servers are expected to return all available glue records for in-domain name servers in a referral response. If message size constraints prevent the inclusion of all glue records for in-domain name servers, the server must set the TC flag to inform the client that the response is incomplete, and that the client should use another transport to retrieve the full response. This document updates RFC 1034 to clarify correct server behavior.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-glue-is-not-optional/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-dnsop-glue-is-not-optional-09.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-glue-is-not-optional-09
[DNSOP] I-D Action: draft-ietf-dnsop-dnssec-validator-requirements-05.txt
Title: Recommendations for DNSSEC Resolvers Operators
Authors: Daniel Migault, Edward Lewis, Dan York
Filename: draft-ietf-dnsop-dnssec-validator-requirements-05.txt
Pages: 14
Date: 2023-06-10

Abstract:
The DNS Security Extensions (DNSSEC) defines a process for validating received data and asserting them authentic and complete as opposed to forged. This document provides recommendations for DNSSEC Resolver Operators (DRO) to operate a DNSSEC resolver.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-dnssec-validator-requirements/

There is also an htmlized version available at:
https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-dnssec-validator-requirements-05

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-dnssec-validator-requirements-05
[DNSOP] I-D Action: draft-ietf-dnsop-rfc8109bis-00.txt
Title: Initializing a DNS Resolver with Priming Queries
Authors: Peter Koch, Matt Larson, Paul Hoffman
Filename: draft-ietf-dnsop-rfc8109bis-00.txt
Pages: 10
Date: 2023-06-07

Abstract:
This document describes the queries that a DNS resolver should emit to initialize its cache. The result is that the resolver gets both a current NS Resource Record Set (RRset) for the root zone and the necessary address information for reaching the root servers. This document, when published, obsoletes RFC 8109.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-rfc8109bis/

There is also an htmlized version available at:
https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-rfc8109bis-00
[DNSOP] I-D Action: draft-ietf-dnsop-structured-dns-error-03.txt
Title: Structured Error Data for Filtered DNS
Authors: Dan Wing, Tirumaleswar Reddy, Neil Cook, Mohamed Boucadair
Filename: draft-ietf-dnsop-structured-dns-error-03.txt
Pages: 21
Date: 2023-05-26

Abstract:
DNS filtering is widely deployed for various reasons, including network security. However, filtered DNS responses lack information for end users to understand the reason for the filtering. Existing mechanisms to provide explanatory details to end users cause harm especially if the blocked DNS response is to an HTTPS server. This document updates RFC 8914 by signaling client support for structuring the EXTRA-TEXT field of the Extended DNS Error to provide details on the DNS filtering. Such details can be parsed by the client and displayed, logged, or used for other purposes.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-structured-dns-error/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-dnsop-structured-dns-error-03.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-structured-dns-error-03
[DNSOP] I-D Action: draft-ietf-dnsop-compact-denial-of-existence-00.txt
Title: Compact Denial of Existence in DNSSEC
Authors: Shumon Huque, Christian Elmerot, Olafur Gudmundsson
Filename: draft-ietf-dnsop-compact-denial-of-existence-00.txt
Pages: 8
Date: 2023-05-09

Abstract:
This document describes a technique to generate a signed DNS response on demand for a non-existent name by claiming that the name exists but doesn't have any data for the queried record type. Such answers require only one minimal NSEC record, allow online signing servers to minimize signing operations and response sizes, and prevent zone content disclosure.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-compact-denial-of-existence/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-dnsop-compact-denial-of-existence-00.html
[DNSOP] I-D Action: draft-ietf-dnsop-alt-tld-25.txt
Title: The ALT Special Use Top Level Domain
Authors: Warren Kumari, Paul Hoffman
Filename: draft-ietf-dnsop-alt-tld-25.txt
Pages: 13
Date: 2023-05-04

Abstract:
This document reserves a TLD label, "alt" to be used in non-DNS contexts. It also provides advice and guidance to developers developing alternative namespaces.

[ This document is being collaborated on in Github at <https://github.com/wkumari/draft-wkumari-dnsop-alt-tld>. The most recent version of the document, open issues, etc. should all be available here. The authors (gratefully) accept pull requests. ]

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-alt-tld/

There is also an htmlized version available at:
https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-alt-tld-25

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-alt-tld-25
[DNSOP] I-D Action: draft-ietf-dnsop-alt-tld-24.txt
Title: The ALT Special Use Top Level Domain
Authors: Warren Kumari, Paul Hoffman
Filename: draft-ietf-dnsop-alt-tld-24.txt
Pages: 13
Date: 2023-05-01

Abstract:
This document reserves a TLD label, "alt" to be used in non-DNS contexts. It also provides advice and guidance to developers developing alternative namespaces.

[ This document is being collaborated on in Github at <https://github.com/wkumari/draft-wkumari-dnsop-alt-tld>. The most recent version of the document, open issues, etc. should all be available here. The authors (gratefully) accept pull requests. ]

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-alt-tld/

There is also an htmlized version available at:
https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-alt-tld-24

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-alt-tld-24
[DNSOP] I-D Action: draft-ietf-dnsop-dnssec-bootstrapping-04.txt
Title: Automatic DNSSEC Bootstrapping using Authenticated Signals from the Zone's Operator
Authors: Peter Thomassen, Nils Wisiol
Filename: draft-ietf-dnsop-dnssec-bootstrapping-04.txt
Pages: 16
Date: 2023-05-01

Abstract:
This document introduces an in-band method for DNS operators to publish arbitrary information about the zones they are authoritative for, in an authenticated fashion and on a per-zone basis. The mechanism allows managed DNS operators to securely announce DNSSEC key parameters for zones under their management, including for zones that are not currently securely delegated. Whenever DS records are absent for a zone's delegation, this signal enables the parent's registry or registrar to cryptographically validate the CDS/CDNSKEY records found at the child's apex. The parent can then provision DS records for the delegation without resorting to out-of-band validation or weaker types of cross-checks such as "Accept after Delay" ([RFC8078]). This document deprecates the DS enrollment methods described in Section 3 of [RFC8078] in favor of Section 3 of this document.

[ Ed note: This document is being collaborated on at https://github.com/desec-io/draft-ietf-dnsop-dnssec-bootstrapping/. The authors gratefully accept pull requests. ]

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-dnssec-bootstrapping/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-dnsop-dnssec-bootstrapping-04.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-dnssec-bootstrapping-04
[DNSOP] I-D Action: draft-ietf-dnsop-structured-dns-error-02.txt
Title: Structured Error Data for Filtered DNS
Authors: Dan Wing, Tirumaleswar Reddy, Neil Cook, Mohamed Boucadair
Filename: draft-ietf-dnsop-structured-dns-error-02.txt
Pages: 21
Date: 2023-04-29

Abstract:
DNS filtering is widely deployed for various reasons, including network security. However, filtered DNS responses lack information for end users to understand the reason for the filtering. Existing mechanisms to provide explanatory details to end users cause harm especially if the blocked DNS response is to an HTTPS server. This document updates RFC 8914 by structuring the EXTRA-TEXT field of the Extended DNS Error to provide details on the DNS filtering. Such details can be parsed by the client and displayed, logged, or used for other purposes. Other than that, this document does not change anything written in RFC 8914.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-structured-dns-error/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-dnsop-structured-dns-error-02.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-structured-dns-error-02
[DNSOP] I-D Action: draft-ietf-dnsop-rfc8499bis-07.txt
Title: DNS Terminology
Authors: Paul Hoffman, Kazunori Fujiwara
Filename: draft-ietf-dnsop-rfc8499bis-07.txt
Pages: 56
Date: 2023-04-15

Abstract:
The Domain Name System (DNS) is defined in literally dozens of different RFCs. The terminology used by implementers and developers of DNS protocols, and by operators of DNS systems, has sometimes changed in the decades since the DNS was first defined. This document gives current definitions for many of the terms used in the DNS in a single document. This document obsoletes RFC 8499 and updates RFC 2308.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-rfc8499bis/

There is also an htmlized version available at:
https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-rfc8499bis-07

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-rfc8499bis-07
[DNSOP] I-D Action: draft-ietf-dnsop-alt-tld-23.txt
Title: The ALT Special Use Top Level Domain
Authors: Warren Kumari, Paul Hoffman
Filename: draft-ietf-dnsop-alt-tld-23.txt
Pages: 13
Date: 2023-04-10

Abstract:
This document reserves a TLD label, "alt" to be used in non-DNS contexts. It also provides advice and guidance to developers developing alternative namespaces.

[ This document is being collaborated on in Github at <https://github.com/wkumari/draft-wkumari-dnsop-alt-tld>. The most recent version of the document, open issues, etc. should all be available here. The authors (gratefully) accept pull requests. ]

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-alt-tld/

There is also an htmlized version available at:
https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-alt-tld-23

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-alt-tld-23
[DNSOP] I-D Action: draft-ietf-dnsop-avoid-fragmentation-12.txt
Title: Fragmentation Avoidance in DNS
Authors: Kazunori Fujiwara, Paul Vixie
Filename: draft-ietf-dnsop-avoid-fragmentation-12.txt
Pages: 12
Date: 2023-03-29

Abstract:
EDNS0 enables a DNS server to send large responses using UDP and is widely deployed. Large DNS/UDP responses are fragmented, and IP fragmentation has exposed weaknesses in application protocols. It is possible to avoid IP fragmentation in DNS by limiting response size where possible, and signaling the need to upgrade from UDP to TCP transport where necessary. This document proposes techniques to avoid IP fragmentation in DNS.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-avoid-fragmentation/

There is also an htmlized version available at:
https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-avoid-fragmentation-12

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-avoid-fragmentation-12
[DNSOP] I-D Action: draft-ietf-dnsop-structured-dns-error-01.txt
Title: Structured Error Data for Filtered DNS
Authors: Dan Wing, Tirumaleswar Reddy, Neil Cook, Mohamed Boucadair
Filename: draft-ietf-dnsop-structured-dns-error-01.txt
Pages: 18
Date: 2023-03-26

Abstract:
DNS filtering is widely deployed for network security, but filtered DNS responses lack information for the end user to understand the reason for the filtering. Existing mechanisms to provide detail to end users cause harm especially if the blocked DNS response is to an HTTPS website. This document updates RFC 8914 by structuring the EXTRA-TEXT field of the Extended DNS Error to provide details on the DNS filtering. Such details can be parsed by the client and displayed, logged, or used for other purposes. Other than that, this document does not change anything written in RFC 8914.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-structured-dns-error/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-dnsop-structured-dns-error-01.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-structured-dns-error-01
[DNSOP] I-D Action: draft-ietf-dnsop-ns-revalidation-04.txt
Title: Delegation Revalidation by DNS Resolvers
Authors: Shumon Huque, Paul Vixie, Ralph Dolmans
Filename: draft-ietf-dnsop-ns-revalidation-04.txt
Pages: 7
Date: 2023-03-13

Abstract:
This document recommends improved DNS [RFC1034] [RFC1035] resolver behavior with respect to the processing of Name Server (NS) resource record sets (RRset) during iterative resolution. When following a referral response from an authoritative server to a child zone, DNS resolvers should explicitly query the authoritative NS RRset at the apex of the child zone and cache this in preference to the NS RRset on the parent side of the zone cut. Resolvers should also periodically revalidate the child delegation by re-querying the parent zone at the expiration of the TTL of the parent side NS RRset.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-ns-revalidation/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-dnsop-ns-revalidation-04.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-ns-revalidation-04
[DNSOP] I-D Action: draft-ietf-dnsop-svcb-https-12.txt
Title: Service binding and parameter specification via the DNS (DNS SVCB and HTTPS RRs)
Authors: Ben Schwartz, Mike Bishop, Erik Nygren
Filename: draft-ietf-dnsop-svcb-https-12.txt
Pages: 61
Date: 2023-03-11

Abstract:
This document specifies the "SVCB" and "HTTPS" DNS resource record (RR) types to facilitate the lookup of information needed to make connections to network services, such as for HTTP origins. SVCB records allow a service to be provided from multiple alternative endpoints, each with associated parameters (such as transport protocol configuration), and are extensible to support future uses (such as keys for encrypting the TLS ClientHello). They also enable aliasing of apex domains, which is not possible with CNAME. The HTTPS RR is a variation of SVCB for use with HTTP [HTTP]. By providing more information to the client before it attempts to establish a connection, these records offer potential benefits to both performance and privacy.

TO BE REMOVED: This document is being collaborated on in Github at: https://github.com/MikeBishop/dns-alt-svc. The most recent working version of the document, open issues, etc. should all be available there. The authors (gratefully) accept pull requests.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-svcb-https/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-dnsop-svcb-https-12.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-svcb-https-12
[DNSOP] I-D Action: draft-ietf-dnsop-rfc8499bis-06.txt
Title: DNS Terminology
Authors: Paul Hoffman, Kazunori Fujiwara
Filename: draft-ietf-dnsop-rfc8499bis-06.txt
Pages: 56
Date: 2023-03-10

Abstract:
The Domain Name System (DNS) is defined in literally dozens of different RFCs. The terminology used by implementers and developers of DNS protocols, and by operators of DNS systems, has sometimes changed in the decades since the DNS was first defined. This document gives current definitions for many of the terms used in the DNS in a single document. This document obsoletes RFC 8499 and updates RFC 2308.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-rfc8499bis/

There is also an htmlized version available at:
https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-rfc8499bis-06

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-rfc8499bis-06
[DNSOP] I-D Action: draft-ietf-dnsop-caching-resolution-failures-02.txt
Title: Negative Caching of DNS Resolution Failures
Authors: Duane Wessels, William Carroll, Matthew Thomas
Filename: draft-ietf-dnsop-caching-resolution-failures-02.txt
Pages: 15
Date: 2023-03-09

Abstract:
In the DNS, resolvers employ caching to reduce both latency for end users and load on authoritative name servers. The process of resolution may result in one of three types of responses: (1) a response containing the requested data; (2) a response indicating the requested data does not exist; or (3) a non-response due to a resolution failure in which the resolver does not receive any useful information regarding the data's existence. This document concerns itself only with the third type. RFC 2308 specifies requirements for DNS negative caching. There, caching of type (1) and (2) responses is mandatory and caching of type (3) responses is optional. This document updates RFC 2308 to require negative caching for DNS resolution failures.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-caching-resolution-failures/

There is also an htmlized version available at:
https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-caching-resolution-failures-02

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-caching-resolution-failures-02
[DNSOP] I-D Action: draft-ietf-dnsop-alt-tld-22.txt
Title: The ALT Special Use Top Level Domain
Authors: Warren Kumari, Paul Hoffman
Filename: draft-ietf-dnsop-alt-tld-22.txt
Pages: 13
Date: 2023-03-03

Abstract:
This document reserves a TLD label, "alt" to be used in non-DNS contexts. It also provides advice and guidance to developers developing alternative namespaces.

[ This document is being collaborated on in Github at <https://github.com/wkumari/draft-wkumari-dnsop-alt-tld>. The most recent version of the document, open issues, etc. should all be available here. The authors (gratefully) accept pull requests. ]

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-alt-tld/

There is also an htmlized version available at:
https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-alt-tld-22

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-alt-tld-22
[DNSOP] I-D Action: draft-ietf-dnsop-alt-tld-21.txt
Title: The ALT Special Use Top Level Domain
Authors: Warren Kumari, Paul Hoffman
Filename: draft-ietf-dnsop-alt-tld-21.txt
Pages: 12
Date: 2023-02-24

Abstract:
This document reserves a TLD label, "alt" to be used in non-DNS contexts. It also provides advice and guidance to developers developing alternative namespaces.

[ This document is being collaborated on in Github at <https://github.com/wkumari/draft-wkumari-dnsop-alt-tld>. The most recent version of the document, open issues, etc. should all be available here. The authors (gratefully) accept pull requests. ]

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-alt-tld/

There is also an htmlized version available at:
https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-alt-tld-21

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-alt-tld-21
[DNSOP] I-D Action: draft-ietf-dnsop-zoneversion-02.txt
A New Internet-Draft is available from the on-line Internet-Drafts directories. This Internet-Draft is a work item of the Domain Name System Operations WG of the IETF.

Title: The "ZONEVERSION" EDNS option for the version token of a RR's zone
Authors: Hugo Salgado, Mauricio Vergara Ereche
Filename: draft-ietf-dnsop-zoneversion-02.txt
Pages: 10
Date: 2023-02-21

Abstract:
The "ZONEVERSION" EDNS option allows a DNS querier to request a DNS authoritative server to add an EDNS option in the answer of such query with a token field representing the version of the zone which contains the answered Resource Record, such as the SOA serial field in zones when this number corresponds to the zone version. This "ZONEVERSION" data allows one to debug and diagnose problems by helping to recognize the data source of an answer in an atomic single query, by associating the response with a respective zone version.

The IETF datatracker status page for this Internet-Draft is: https://datatracker.ietf.org/doc/draft-ietf-dnsop-zoneversion/
There is also an HTML version available at: https://www.ietf.org/archive/id/draft-ietf-dnsop-zoneversion-02.html
A diff from the previous version is available at: https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-zoneversion-02
Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts
[DNSOP] I-D Action: draft-ietf-dnsop-dnssec-bootstrapping-03.txt
A New Internet-Draft is available from the on-line Internet-Drafts directories. This Internet-Draft is a work item of the Domain Name System Operations WG of the IETF.

Title: Automatic DNSSEC Bootstrapping using Authenticated Signals from the Zone's Operator
Authors: Peter Thomassen, Nils Wisiol
Filename: draft-ietf-dnsop-dnssec-bootstrapping-03.txt
Pages: 16
Date: 2023-02-17

Abstract:
This document introduces an in-band method for DNS operators to publish arbitrary information about the zones they are authoritative for, in an authenticated fashion and on a per-zone basis. The mechanism allows managed DNS operators to securely announce DNSSEC key parameters for zones under their management, including for zones that are not currently securely delegated.

Whenever DS records are absent for a zone's delegation, this signal enables the parent's registry or registrar to cryptographically validate the CDS/CDNSKEY records found at the child's apex. The parent can then provision DS records for the delegation without resorting to out-of-band validation or weaker types of cross-checks such as "Accept after Delay" ([RFC8078]).

This document deprecates the DS enrollment methods described in Section 3 of [RFC8078] in favor of Section 3 of this document.

[ Ed note: This document is being collaborated on at https://github.com/desec-io/draft-ietf-dnsop-dnssec-bootstrapping/ (https://github.com/desec-io/draft-ietf-dnsop-dnssec-bootstrapping/). The authors gratefully accept pull requests. ]

The IETF datatracker status page for this Internet-Draft is: https://datatracker.ietf.org/doc/draft-ietf-dnsop-dnssec-bootstrapping/
There is also an HTML version available at: https://www.ietf.org/archive/id/draft-ietf-dnsop-dnssec-bootstrapping-03.html
A diff from the previous version is available at: https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-dnssec-bootstrapping-03
Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts
[DNSOP] I-D Action: draft-ietf-dnsop-glue-is-not-optional-08.txt
A New Internet-Draft is available from the on-line Internet-Drafts directories. This Internet-Draft is a work item of the Domain Name System Operations WG of the IETF.

Title: DNS Glue Requirements in Referral Responses
Authors: M. Andrews, Shumon Huque, Paul Wouters, Duane Wessels
Filename: draft-ietf-dnsop-glue-is-not-optional-08.txt
Pages: 12
Date: 2023-02-17

Abstract:
The DNS uses glue records to allow iterative clients to find the addresses of name servers that are contained within a delegated zone. Authoritative Servers are expected to return all available glue records for in-domain name servers in a referral response. If message size constraints prevent the inclusion of all glue records for in-domain name servers, the server MUST set the TC flag to inform the client that the response is incomplete, and that the client SHOULD use another transport to retrieve the full response. This document updates RFC 1034 to clarify correct server behavior.

The IETF datatracker status page for this Internet-Draft is: https://datatracker.ietf.org/doc/draft-ietf-dnsop-glue-is-not-optional/
There is also an HTML version available at: https://www.ietf.org/archive/id/draft-ietf-dnsop-glue-is-not-optional-08.html
A diff from the previous version is available at: https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-glue-is-not-optional-08
Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts
[DNSOP] I-D Action: draft-ietf-dnsop-domain-verification-techniques-01.txt
A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Domain Name System Operations WG of the IETF.

Title: Domain Verification Techniques using DNS
Authors: Shivan Sahib, Shumon Huque, Paul Wouters
Filename: draft-ietf-dnsop-domain-verification-techniques-01.txt
Pages: 11
Date: 2023-02-16

Abstract:
Many services on the Internet need to verify ownership or control of a domain in the Domain Name System (DNS). This verification is often done by requesting a specific DNS record to be visible in the domain. There are a variety of techniques in use today, with different pros and cons. This document proposes some practices to avoid known problems.

The IETF datatracker status page for this draft is: https://datatracker.ietf.org/doc/draft-ietf-dnsop-domain-verification-techniques/
There is also an HTML version available at: https://www.ietf.org/archive/id/draft-ietf-dnsop-domain-verification-techniques-01.html
A diff from the previous version is available at: https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-domain-verification-techniques-01
Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts
[DNSOP] I-D Action: draft-bellis-dnsext-multi-qtypes-07.txt
A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Domain Name System Operations WG of the IETF.

Title: DNS Multiple QTYPEs
Author: Ray Bellis
Filename: draft-bellis-dnsext-multi-qtypes-07.txt
Pages: 7
Date: 2023-02-16

Abstract:
This document specifies a method for a DNS client to request additional DNS record types to be delivered alongside the primary record type specified in the question section of a DNS query.

The IETF datatracker status page for this draft is: https://datatracker.ietf.org/doc/draft-bellis-dnsext-multi-qtypes/
There is also an HTML version available at: https://www.ietf.org/archive/id/draft-bellis-dnsext-multi-qtypes-07.html
A diff from the previous version is available at: https://author-tools.ietf.org/iddiff?url2=draft-bellis-dnsext-multi-qtypes-07
Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts
[DNSOP] I-D Action: draft-ietf-dnsop-structured-dns-error-00.txt
A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Domain Name System Operations WG of the IETF.

Title: Structured Error Data for Filtered DNS
Authors: Dan Wing, Tirumaleswar Reddy, Neil Cook, Mohamed Boucadair
Filename: draft-ietf-dnsop-structured-dns-error-00.txt
Pages: 19
Date: 2023-02-13

Abstract:
DNS filtering is widely deployed for network security, but filtered DNS responses lack information for the end user to understand the reason for the filtering. Existing mechanisms to provide detail to end users cause harm especially if the blocked DNS response is to an HTTPS website.

This document updates RFC 8914 by structuring the EXTRA-TEXT field of the Extended DNS Error to provide details on the DNS filtering. Such details can be parsed by the client and displayed, logged, or used for other purposes. Other than that, this document does not change anything written in RFC 8914.

The IETF datatracker status page for this draft is: https://datatracker.ietf.org/doc/draft-ietf-dnsop-structured-dns-error/
There is also an HTML version available at: https://www.ietf.org/archive/id/draft-ietf-dnsop-structured-dns-error-00.html
Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts
[DNSOP] I-D Action: draft-ietf-dnsop-dns-catalog-zones-09.txt
A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Domain Name System Operations WG of the IETF.

Title: DNS Catalog Zones
Authors: Peter van Dijk, Libor Peltan, Ondrej Sury, Willem Toorop, Kees Monshouwer, Peter Thomassen, Aram Sargsyan
Filename: draft-ietf-dnsop-dns-catalog-zones-09.txt
Pages: 24
Date: 2023-02-07

Abstract:
This document describes a method for automatic DNS zone provisioning among DNS primary and secondary nameservers by storing and transferring the catalog of zones to be provisioned as one or more regular DNS zones.

The IETF datatracker status page for this draft is: https://datatracker.ietf.org/doc/draft-ietf-dnsop-dns-catalog-zones/
There is also an HTML version available at: https://www.ietf.org/archive/id/draft-ietf-dnsop-dns-catalog-zones-09.html
A diff from the previous version is available at: https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-dns-catalog-zones-09
Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts
[DNSOP] I-D Action: draft-ietf-dnsop-dnssec-automation-01.txt
A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Domain Name System Operations WG of the IETF.

Title: DNSSEC automation
Authors: Ulrich Wisser, Shumon Huque
Filename: draft-ietf-dnsop-dnssec-automation-01.txt
Pages: 12
Date: 2023-02-06

Abstract:
This document describes an algorithm and a protocol to automate DNSSEC Multi-Signer [RFC8901] "Multi-Signer DNSSEC Models" setup, operations and decommissioning. Using Model 2 of the Multi-Signer specification, where each operator has their own distinct KSK and ZSK sets (or CSK sets), [RFC8078] "Managing DS Records from the Parent via CDS/CDNSKEY" and [RFC7477] "Child-to-Parent Synchronization in DNS" to accomplish this.

The IETF datatracker status page for this draft is: https://datatracker.ietf.org/doc/draft-ietf-dnsop-dnssec-automation/
There is also an HTML version available at: https://www.ietf.org/archive/id/draft-ietf-dnsop-dnssec-automation-01.html
A diff from the previous version is available at: https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-dnssec-automation-01
Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts
[DNSOP] I-D Action: draft-ietf-dnsop-dns-error-reporting-04.txt
A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Domain Name System Operations WG of the IETF.

Title: DNS Error Reporting
Authors: Roy Arends, Matt Larson
Filename: draft-ietf-dnsop-dns-error-reporting-04.txt
Pages: 10
Date: 2023-02-03

Abstract:
DNS error reporting is a lightweight reporting mechanism that provides the operator of an authoritative server with reports on DNS resource records that fail to resolve or validate. A domain owner or DNS hosting organization can use these reports to improve domain hosting. The reports are based on extended DNS errors as described in RFC 8914.

When a domain name fails to resolve or validate due to a misconfiguration or an attack, the operator of the authoritative server may be unaware of this. To mitigate this lack of feedback, this document describes a method for a validating recursive resolver to automatically signal an error to a monitoring agent specified by the authoritative server.

The IETF datatracker status page for this draft is: https://datatracker.ietf.org/doc/draft-ietf-dnsop-dns-error-reporting/
There is also an htmlized version available at: https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-dns-error-reporting-04
A diff from the previous version is available at: https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-dns-error-reporting-04
Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts
[DNSOP] I-D Action: draft-ietf-dnsop-alt-tld-20.txt
A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Domain Name System Operations WG of the IETF.

Title: The ALT Special Use Top Level Domain
Authors: Warren Kumari, Paul Hoffman
Filename: draft-ietf-dnsop-alt-tld-20.txt
Pages: 11
Date: 2023-01-31

Abstract:
This document reserves a TLD label, "alt" to be used in non-DNS contexts. It also provides advice and guidance to developers developing alternative namespaces.

[ This document is being collaborated on in GitHub at <https://github.com/wkumari/draft-wkumari-dnsop-alt-tld>. The most recent version of the document, open issues, etc. should all be available here. The authors (gratefully) accept pull requests. ]

The IETF datatracker status page for this draft is: https://datatracker.ietf.org/doc/draft-ietf-dnsop-alt-tld/
There is also an htmlized version available at: https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-alt-tld-20
A diff from the previous version is available at: https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-alt-tld-20
Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts
[DNSOP] I-D Action: draft-ietf-dnsop-dnssec-validator-requirements-04.txt
A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Domain Name System Operations WG of the IETF.

Title: Recommendations for DNSSEC Resolvers Operators
Authors: Daniel Migault, Edward Lewis, Dan York
Filename: draft-ietf-dnsop-dnssec-validator-requirements-04.txt
Pages: 26
Date: 2023-01-25

Abstract:
The DNS Security Extensions (DNSSEC) define a process for validating received data and assert them authentic and complete as opposed to forged. This document clarifies the scope and responsibilities of DNSSEC Resolver Operators (DRO) as well as operational recommendations that DNSSEC validators operators SHOULD put in place in order to implement sufficient trust that makes DNSSEC validation output accurate. The recommendations described in this document include provisioning mechanisms as well as monitoring and management mechanisms.

The IETF datatracker status page for this draft is: https://datatracker.ietf.org/doc/draft-ietf-dnsop-dnssec-validator-requirements/
There is also an htmlized version available at: https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-dnssec-validator-requirements-04
A diff from the previous version is available at: https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-dnssec-validator-requirements-04
Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts
[DNSOP] I-D Action: draft-ietf-dnsop-dnssec-validator-requirements-03.txt
A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Domain Name System Operations WG of the IETF.

Title: Recommendations for DNSSEC Resolvers Operators
Authors: Daniel Migault, Dan York
Filename: draft-ietf-dnsop-dnssec-validator-requirements-03.txt
Pages: 26
Date: 2023-01-24

Abstract:
The DNS Security Extensions (DNSSEC) define a process for validating received data and assert them authentic and complete as opposed to forged. This document clarifies the scope and responsibilities of DNSSEC Resolver Operators (DRO) as well as operational recommendations that DNSSEC validators operators SHOULD put in place in order to implement sufficient trust that makes DNSSEC validation output accurate. The recommendations described in this document include provisioning mechanisms as well as monitoring and management mechanisms.

The IETF datatracker status page for this draft is: https://datatracker.ietf.org/doc/draft-ietf-dnsop-dnssec-validator-requirements/
There is also an htmlized version available at: https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-dnssec-validator-requirements-03
A diff from the previous version is available at: https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-dnssec-validator-requirements-03
Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts
[DNSOP] I-D Action: draft-ietf-dnsop-dnssec-validator-requirements-02.txt
A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Domain Name System Operations WG of the IETF.

Title: Recommendations for DNSSEC Resolvers Operators
Authors: Daniel Migault, Dan York
Filename: draft-ietf-dnsop-dnssec-validator-requirements-02.txt
Pages: 26
Date: 2023-01-24

Abstract:
The DNS Security Extensions (DNSSEC) define a process for validating received data and assert them authentic and complete as opposed to forged. This document clarifies the scope and responsibilities of DNSSEC Resolver Operators (DRO) as well as operational recommendations that DNSSEC validators operators SHOULD put in place in order to implement sufficient trust that makes DNSSEC validation output accurate. The recommendations described in this document include provisioning mechanisms as well as monitoring and management mechanisms.

The IETF datatracker status page for this draft is: https://datatracker.ietf.org/doc/draft-ietf-dnsop-dnssec-validator-requirements/
There is also an htmlized version available at: https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-dnssec-validator-requirements-02
A diff from the previous version is available at: https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-dnssec-validator-requirements-02
Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts
[DNSOP] I-D Action: draft-ietf-dnsop-rfc8499bis-05.txt
A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Domain Name System Operations WG of the IETF.

Title: DNS Terminology
Authors: Paul Hoffman, Kazunori Fujiwara
Filename: draft-ietf-dnsop-rfc8499bis-05.txt
Pages: 56
Date: 2023-01-20

Abstract:
The Domain Name System (DNS) is defined in literally dozens of different RFCs. The terminology used by implementers and developers of DNS protocols, and by operators of DNS systems, has sometimes changed in the decades since the DNS was first defined. This document gives current definitions for many of the terms used in the DNS in a single document. This document obsoletes RFC 8499 and updates RFC 2308.

The IETF datatracker status page for this draft is: https://datatracker.ietf.org/doc/draft-ietf-dnsop-rfc8499bis/
There is also an htmlized version available at: https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-rfc8499bis-05
A diff from the previous version is available at: https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-rfc8499bis-05
Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts
[DNSOP] I-D Action: draft-ietf-dnsop-avoid-fragmentation-11.txt
A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Domain Name System Operations WG of the IETF.

Title: Fragmentation Avoidance in DNS
Authors: Kazunori Fujiwara, Paul Vixie
Filename: draft-ietf-dnsop-avoid-fragmentation-11.txt
Pages: 10
Date: 2023-01-19

Abstract:
EDNS0 enables a DNS server to send large responses using UDP and is widely deployed. Large DNS/UDP responses are fragmented, and IP fragmentation has exposed weaknesses in application protocols. It is possible to avoid IP fragmentation in DNS by limiting response size where possible, and signaling the need to upgrade from UDP to TCP transport where necessary. This document proposes techniques to avoid IP fragmentation in DNS.

The IETF datatracker status page for this draft is: https://datatracker.ietf.org/doc/draft-ietf-dnsop-avoid-fragmentation/
There is also an htmlized version available at: https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-avoid-fragmentation-11
A diff from the previous version is available at: https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-avoid-fragmentation-11
Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts
[DNSOP] I-D Action: draft-ietf-dnsop-svcb-dane-00.txt
A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Domain Name System Operations WG of the IETF.

Title: Using Service Bindings with DANE
Authors: Benjamin M. Schwartz, Robert Evans
Filename: draft-ietf-dnsop-svcb-dane-00.txt
Pages: 9
Date: 2022-12-22

Abstract:
Service Binding records introduce a new form of name indirection in DNS. This document specifies DNS-Based Authentication of Named Entities (DANE) interaction with Service Bindings to secure endpoints including use of ports and transports discovered via Service Parameters.

Discussion Venues
This note is to be removed before publishing as an RFC.
Source for this draft and an issue tracker can be found at https://github.com/bemasc/svcb-dane.

The IETF datatracker status page for this draft is: https://datatracker.ietf.org/doc/draft-ietf-dnsop-svcb-dane/
There is also an HTML version available at: https://www.ietf.org/archive/id/draft-ietf-dnsop-svcb-dane-00.html
Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts
[DNSOP] I-D Action: draft-ietf-dnsop-avoid-fragmentation-10.txt
A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Domain Name System Operations WG of the IETF.

Title: Fragmentation Avoidance in DNS
Authors: Kazunori Fujiwara, Paul Vixie
Filename: draft-ietf-dnsop-avoid-fragmentation-10.txt
Pages: 10
Date: 2022-12-21

Abstract:
EDNS0 enables a DNS server to send large responses using UDP and is widely deployed. Large DNS/UDP responses are fragmented, and IP fragmentation has exposed weaknesses in application protocols. It is possible to avoid IP fragmentation in DNS by limiting response size where possible, and signaling the need to upgrade from UDP to TCP transport where necessary. This document proposes to avoid IP fragmentation in DNS.

The IETF datatracker status page for this draft is: https://datatracker.ietf.org/doc/draft-ietf-dnsop-avoid-fragmentation/
There is also an htmlized version available at: https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-avoid-fragmentation-10
A diff from the previous version is available at: https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-avoid-fragmentation-10
Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts