Domain Name System Operations                                 P. Hoffman
Internet-Draft                                                     ICANN
Updates: 2181 (if approved)                                     S. Huque
Intended status: Standards Track                              Salesforce
Expires: 5 September 2024                                      W. Toorop
                                                              NLnet Labs
                                                            4 March 2024


                    Ranking Domain Name System data
                 draft-toorop-dnsop-ranking-dns-data-00

Abstract

   This document extends the list ranking the trustworthiness of domain
   name system (DNS) data (see Section 5.4.1 of [RFC2181]).  The list is
   extended with entries, at the lowest trustworthiness, for root server
   names and addresses that are built into resolvers or provided via a
   root hints file, as well as an entry, at the highest trustworthiness,
   for data that is verifiably DNSSEC secure.  This document furthermore
   assigns ranked values to the positions of the list for easier
   reference and comparison of the trustworthiness of DNS data.

About This Document

   This note is to be removed before publishing as an RFC.

   Status information for this document may be found at
   https://datatracker.ietf.org/doc/draft-toorop-dnsop-ranking-dns-data/.

   Discussion of this document takes place on the DNSOP Working Group
   mailing list (mailto:dnsop@ietf.org), which is archived at
   https://mailarchive.ietf.org/arch/browse/dnsop/.  Subscribe at
   https://www.ietf.org/mailman/listinfo/dnsop/.

   Source for this draft and an issue tracker can be found at
   https://github.com/NLnetLabs/draft-toorop-dnsop-ranking-dns-data.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.



Hoffman, et al.         Expires 5 September 2024                [Page 1]

Internet-Draft              Ranking DNS data                  March 2024


   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 5 September 2024.

Copyright Notice

   Copyright (c) 2024 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Revised BSD License text as
   described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Revised BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Trustworthiness values  . . . . . . . . . . . . . . . . . . .   2
   3.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   3
   4.  Security Considerations . . . . . . . . . . . . . . . . . . .   3
   5.  Normative References  . . . . . . . . . . . . . . . . . . . .   3
   Appendix A.  Acknowledgements . . . . . . . . . . . . . . . . . .   4
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   4

1.  Introduction

   The current intention of this draft is only to start a re-evaluation
   and re-thinking of Section 5.4.1 of [RFC2181], which ranks the
   trustworthiness of DNS data.

2.  Trustworthiness values

   +=======+===========================================================+
   | Value | Data                                                      |
   +=======+===========================================================+
   | AAA   | Data from a primary zone file other than                  |
   |       | occluded data, and all data that is verifiably            |
   |       | DNSSEC secure regardless of where it came from            |
   +-------+-----------------------------------------------------------+
   | AA    | Data from a zone transfer other than occluded             |
   |       | data                                                      |
   +-------+-----------------------------------------------------------+
   | A     | The authoritative data included in the answer             |
   |       | section of an authoritative reply                         |
   +-------+-----------------------------------------------------------+
   | A-    | Data from the authority section of an                     |
   |       | authoritative answer                                      |
   +-------+-----------------------------------------------------------+
   | BBB   | Occluded data from a primary zone, or occluded            |
   |       | data from a zone transfer                                 |
   +-------+-----------------------------------------------------------+
   | BB    | Data from the answer section of a non-                    |
   |       | authoritative answer, and non-authoritative data          |
   |       | from the answer section of authoritative answers          |
   +-------+-----------------------------------------------------------+
   | B     | Additional information from an authoritative              |
   |       | answer, data from the authority section of a              |
   |       | non-authoritative answer, and additional information      |
   |       | from non-authoritative answers                            |
   +-------+-----------------------------------------------------------+
   | CCC   | Names and addresses for the root servers from a           |
   |       | hints file                                                |
   +-------+-----------------------------------------------------------+
   | CC    | Names and addresses for the root servers built            |
   |       | into resolver software                                    |
   +-------+-----------------------------------------------------------+

                                  Table 1

3.  IANA Considerations

   This document does not require any IANA actions.

4.  Security Considerations

   The process of replacing RRsets in a resolver's cache with RRsets of
   a higher trustworthiness ranking, either passively or proactively by
   explicit querying, is crucial to the security of the DNS.
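   As an added illustration that is not part of this draft, the following
   Python encodes Table 1 (Section 2) as a ranking function and the
   cache-replacement check this section describes.  The numeric ordinals
   (9 down to 1), the RRsetSource field names and the "replace only on a
   strictly higher rank" policy are assumptions of the example, not values
   given by the draft or [RFC2181].

```python
from dataclasses import dataclass

# Table 1 values, most trustworthy first.  The ordinal 9..1 is this
# example's assumption; the draft only gives the letter values.
ORDER = ["AAA", "AA", "A", "A-", "BBB", "BB", "B", "CCC", "CC"]
RANK = {value: len(ORDER) - i for i, value in enumerate(ORDER)}


@dataclass(frozen=True)
class RRsetSource:
    """Provenance of an RRset (field names are this example's own)."""
    origin: str                 # primary_zone | zone_transfer |
                                # authoritative_answer |
                                # non_authoritative_answer |
                                # hints_file | builtin
    section: str = "answer"     # answer | authority | additional
    occluded: bool = False      # data hidden below a cut or DNAME
    dnssec_secure: bool = False  # validated as DNSSEC secure
    authoritative: bool = True  # answer-section data the server is
                                # authoritative for (e.g. not a CNAME
                                # chain record from another zone)


def rank_value(src: RRsetSource) -> str:
    """Map an RRset's provenance to its Table 1 value."""
    if src.dnssec_secure:          # highest, regardless of origin
        return "AAA"
    if src.origin == "primary_zone":
        return "BBB" if src.occluded else "AAA"
    if src.origin == "zone_transfer":
        return "BBB" if src.occluded else "AA"
    if src.origin == "authoritative_answer":
        if src.section == "answer":
            return "A" if src.authoritative else "BB"
        return "A-" if src.section == "authority" else "B"
    if src.origin == "non_authoritative_answer":
        return "BB" if src.section == "answer" else "B"
    if src.origin == "hints_file":
        return "CCC"
    if src.origin == "builtin":
        return "CC"
    raise ValueError(f"unknown origin {src.origin!r}")


def should_replace(cached: str, incoming: str) -> bool:
    """Assumed cache policy: only a strictly higher-ranked RRset
    replaces what is cached; equal or lower rank leaves it alone."""
    return RANK[incoming] > RANK[cached]
```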

5.  Normative References

   [RFC2181]  Elz, R. and R. Bush, "Clarifications to the DNS
              Specification", RFC 2181, DOI 10.17487/RFC2181, July 1997,
              <https://www.rfc-editor.org/info/rfc2181>.








Appendix A.  Acknowledgements

   Thanks to all the people that contributed to the discussion
   surrounding the re-evaluation of how the trustworthiness of DNS data
   should be ranked.

Authors' Addresses

   Paul Hoffman
   ICANN
   Email: paul.hoffman@icann.org


   Shumon Huque
   Salesforce
   Email: shuque@gmail.com


   Willem Toorop
   NLnet Labs
   Science Park 400
   1098 XH Amsterdam
   Netherlands
   Email: willem@nlnetlabs.nl


























