Domain Name System Operations (dnsop) Internet Drafts


      
 Delegation Revalidation by DNS Resolvers
 
 draft-ietf-dnsop-ns-revalidation-10.txt
 Date: 25/06/2025
 Authors: Shumon Huque, Paul Vixie, Willem Toorop
 Working Group: Domain Name System Operations (dnsop)
This document describes an optional algorithm for the processing of Name Server (NS) resource record (RR) sets (RRsets) during iterative resolution, and describes the benefits and considerations of using this approach. When following a referral response from an authoritative server to a child zone, DNS resolvers should explicitly query the authoritative NS RRset at the apex of the child zone and cache this in preference to the NS RRset on the parent side of the zone cut. The (A and AAAA) address RRsets in the additional section from referral responses and authoritative NS answers for the names of the NS RRset, should similarly be re-queried and used to replace the entries with the lower trustworthiness ranking in cache. Resolvers should also periodically revalidate the delegation by re-querying the parent zone at the expiration of the TTL of either the parent or child NS RRset, whichever comes first.
 Domain Control Validation using DNS
 
 draft-ietf-dnsop-domain-verification-techniques-09.txt
 Date: 07/07/2025
 Authors: Shivan Sahib, Shumon Huque, Paul Wouters, Erik Nygren, Tim Wicinski
 Working Group: Domain Name System Operations (dnsop)
Many application services on the Internet need to verify ownership or control of a domain in the Domain Name System (DNS). The general term for this process is "Domain Control Validation", and can be done using a variety of methods such as email, HTTP/HTTPS, or the DNS itself. This document focuses only on DNS-based methods, which typically involve the Application Service Provider requesting a DNS record with a specific format and content to be visible in the domain to be verified. There is wide variation in the details of these methods today. This document provides some best practices to avoid known problems.
 Structured Error Data for Filtered DNS
 
 draft-ietf-dnsop-structured-dns-error-15.txt
 Date: 05/05/2025
 Authors: Dan Wing, Tirumaleswar Reddy.K, Neil Cook, Mohamed Boucadair
 Working Group: Domain Name System Operations (dnsop)
DNS filtering is widely deployed for various reasons, including network security. However, filtered DNS responses lack structured information for end users to understand the reason for the filtering. Existing mechanisms to provide explanatory details to end users cause harm especially if the blocked DNS response is for HTTPS resources. This document updates RFC 8914 by signaling client support for structuring the EXTRA-TEXT field of the Extended DNS Error to provide details on the DNS filtering. Such details can be parsed by the client and displayed, logged, or used for other purposes.
 Compact Denial of Existence in DNSSEC
 
 draft-ietf-dnsop-compact-denial-of-existence-07.txt
 Date: 27/02/2025
 Authors: Shumon Huque, Christian Elmerot, Olafur Gudmundsson
 Working Group: Domain Name System Operations (dnsop)
This document describes a technique to generate a signed DNS response on demand for a non-existent name by claiming that the name exists but doesn't have any data for the queried record type. Such answers require only one minimally covering NSEC or NSEC3 record, allow online signing servers to minimize signing operations and response sizes, and prevent zone content disclosure. This document updates RFC 4034 and 4035.
 Clarifications on CDS/CDNSKEY and CSYNC Consistency
 
 draft-ietf-dnsop-cds-consistency-08.txt
 Date: 01/08/2025
 Authors: Peter Thomassen
 Working Group: Domain Name System Operations (dnsop)
Maintenance of DNS delegations requires occasional changes of the DS and NS record sets on the parent side of the delegation. For the case of DS records, RFC 7344 provides automation by allowing the child to publish CDS and/or CDNSKEY records holding the prospective DS parameters which the parent can ingest. Similarly, RFC 7477 specifies CSYNC records to indicate a desired update of the delegation's NS (and glue) records. Parent-side entities (e.g. Registries, Registrars) can query these records from the child and, after validation, use them to update the parent-side RRsets of the delegation. This document specifies that when performing such queries, parent-side entities MUST ensure that updates triggered via CDS/CDNSKEY and CSYNC records are consistent across the child's authoritative nameservers, before taking any action based on these records.
 Generalized DNS Notifications
 
 draft-ietf-dnsop-generalized-notify-09.txt
 Date: 19/03/2025
 Authors: Johan Stenstam, Peter Thomassen, John Levine
 Working Group: Domain Name System Operations (dnsop)
This document generalizes and extends the use of DNS NOTIFY (RFC 1996) beyond conventional zone transfer hints, to allow triggering other types of actions via the DNS that were previously lacking a trigger mechanism. Notifications merely nudge the receiver to initiate a predefined action promptly (instead of on a schedule); they do not alter the action itself (including any security checks it might employ). To enable this functionality, a method for discovering the receiver endpoint for such notification messages is introduced, via the new DSYNC record type. Notification types are recorded in a new registry, with initial support for parental NS and DS record updates including DNSSEC bootstrapping. TO BE REMOVED: This document is being collaborated on in GitHub at: https://github.com/peterthomassen/draft-ietf-dnsop-generalized-notify. The most recent working version of the document, open issues, etc. should all be available there. The authors (gratefully) accept pull requests.
 Deprecate usage of ECC-GOST within DNSSEC
 
 draft-ietf-dnsop-must-not-ecc-gost-07.txt
 Date: 03/06/2025
 Authors: Wes Hardaker, Warren Kumari
 Working Group: Domain Name System Operations (dnsop)
This document retires the use of GOST R 34.10-2001 (mnemonic "ECC-GOST") within DNSSEC. RFC5933 (now historic) defined the use of GOST R 34.10-2001 and GOST R 34.11-94 algorithms with DNS Security Extensions (DNSSEC). This document updates RFC5933 by deprecating the use of ECC-GOST.
 DNSSEC Cryptographic Algorithm Recommendation Update Process
 
 draft-ietf-dnsop-rfc8624-bis-13.txt
 Date: 04/06/2025
 Authors: Wes Hardaker, Warren Kumari
 Working Group: Domain Name System Operations (dnsop)
The DNSSEC protocol makes use of various cryptographic algorithms to provide authentication of DNS data and proof of non-existence. To ensure interoperability between DNS resolvers and DNS authoritative servers, it is necessary to specify both a set of algorithm implementation requirements and usage guidelines to ensure that there is at least one algorithm that all implementations support. This document replaces and obsoletes RFC8624 and moves the canonical source of algorithm implementation requirements and usage guidance for DNSSEC from RFC8624 to an IANA registry. This is done both to allow the list of requirements to be more easily updated, and to allow the list to be more easily referenced. Future extensions to this registry can be made under new, incremental update RFCs. This document also incorporates the revised IANA DNSSEC considerations from RFC9157. The document does not change the status (MUST, MAY, RECOMMENDED, etc.) of the algorithms listed in RFC8624; that is the work of future documents.
 Deprecating the use of SHA-1 in DNSSEC signature algorithms
 
 draft-ietf-dnsop-must-not-sha1-10.txt
 Date: 10/09/2025
 Authors: Wes Hardaker, Warren Kumari
 Working Group: Domain Name System Operations (dnsop)
This document deprecates the use of the RSASHA1 and RSASHA1-NSEC3-SHA1 algorithms for the creation of DNS Public Key (DNSKEY) and Resource Record Signature (RRSIG) records. It updates RFC4034 and RFC5155 as it deprecates the use of these algorithms.
 DNS IPv6 Transport Operational Guidelines
 
 draft-ietf-dnsop-3901bis-04.txt
 Date: 11/08/2025
 Authors: Momoka Yamamoto, Tobias Fiebig
 Working Group: Domain Name System Operations (dnsop)
This memo provides guidelines and documents Best Current Practice for operating authoritative DNS servers as well as recursive and stub DNS resolvers, given that queries and responses are carried in a mixed environment of IPv4 and IPv6 networks. This document expands on RFC 3901 by recommending that authoritative DNS servers as well as recursive DNS resolvers support both IPv4 and IPv6. It furthermore provides guidance for how recursive DNS resolvers should select upstream DNS servers, if synthesized and non-synthesized IPv6 addresses are available. This document obsoletes RFC3901. (if approved)
 Integration of DNS Domain Names into Application Environments: Motivations and Considerations
 
 draft-ietf-dnsop-integration-00.txt
 Date: 26/06/2025
 Authors: Swapneel Sheth, Andrew Kaizer, Bryan Newbold, N. Johnson
 Working Group: Domain Name System Operations (dnsop)
This document reviews the motivations and considerations for integrating DNS domain names into an application environment and provides terminology to establish a shared understanding of what a DNS integration may entail.
 Operational Recommendations for DS Automation
 
 draft-ietf-dnsop-ds-automation-00.txt
 Date: 08/09/2025
 Authors: Steve Sheng, Peter Thomassen
 Working Group: Domain Name System Operations (dnsop)
Enabling support for automatic acceptance of DS parameters from the Child DNS operator (via RFCs 7344, 8078, 9615) requires the parent operator, often a registry or registrar, to make a number of technical decisions. This document describes recommendations for new deployments of such DS automation.



Domain Name System Operations (dnsop)

WG Name: Domain Name System Operations
Acronym: dnsop
Area: Operations and Management Area (ops)
State: Active
Charter: charter-ietf-dnsop-05 Approved
Document dependencies
Additional resources: GitHub Organization, Legacy Jabber Logs, Wiki, Zulip stream, bsky, github, mastodon, twitter
Personnel:
  Chairs: Benno Overeinder, Ondřej Surý
  Area Director: Mohamed Boucadair
  Tech Advisor: Jim Reid
  Secretaries: Peter Thomassen, Shumon Huque
Mailing list:
  Address: dnsop@ietf.org
  To subscribe: http://www.ietf.org/mailman/listinfo/dnsop
  Archive: https://mailarchive.ietf.org/arch/browse/dnsop/
Chat:
  Room address: https://zulip.ietf.org/#narrow/stream/dnsop

Charter for Working Group

The Domain Name System Operations (DNSOP) WG defines and documents the deployment and operational considerations for the DNS protocol. The WG also provides guidance and elaborates best current practices for DNS deployment. DNS topics which are being developed in other IETF WGs are out of scope for the DNSOP WG. These will be published as BCP or Informational RFCs.

DNSOP provides a venue for DNS operators and other interested parties to engage in discussions around the operational requirements of DNS and publish documents. Specifically, the WG welcomes insights from those who wish to share operational experience and challenges as well as discuss other DNS-related matters that are within scope of the WG.

The DNSOP WG is also responsible for maintenance, updates and extensions to the DNS protocol. These will be published as Standard Track or Experimental RFCs.

DNS-related I-Ds that don't have an obvious WG which could adopt them can be submitted to the DNSOP WG for consideration. The DNSOP WG will advise on the appropriate way to progress these I-Ds, for instance by suggesting the most suitable WG or recommending the chartering of a new WG.

The WG will engage with relevant WGs and other appropriate organizations whenever collaboration is needed, especially for WG adoption and Last Calls. DNSOP will liaise with IANA on the management of IANA's DNS-related registries.

Whether the DNS protocol maintenance is better handled by a new WG or be kept in DNSOP will be open for community discussion in 2 years. The WG will recharter in 2 years to take into account the outcome of that discussion.

Milestones

Date | Milestone | Associated documents
Mar 2026 | Submit DNS IPv6 Transport Operational Guidelines to the IESG for Publication as BCP | draft-ietf-dnsop-3901bis
Dec 2025 | Submit Structured Error Data for Filtered DNS to the IESG for Publication as Proposed Standard | draft-ietf-dnsop-structured-dns-error
Nov 2025 | Submit Domain Control Validation using DNS to the IESG for Publication as BCP | draft-ietf-dnsop-domain-verification-techniques
Oct 2025 | Submit Clarifications on CDS/CDNSKEY and CSYNC Consistency to the IESG for Publication as Proposed Standard | draft-ietf-dnsop-cds-consistency
Oct 2025 | Submit Delegation Revalidation by DNS Resolvers to the IESG for Publication as Proposed Standard | draft-ietf-dnsop-ns-revalidation